docs: Document MCP security model and trust boundaries #8
Reference in New Issue
Block a user
Delete Branch "feature/52-security-docs"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Closes #52
This PR adds the required documentation for the MCP security model and trust boundaries.
Independent review for issue #52 is held.
Blockers:
jcwalker3, which matches the PR author. Per the review instructions, this session must not merge the PR.git diff --check prgs/master...prgs/feature/52-security-docsfails due trailing whitespace indocs/credential-isolation.mdline 6 anddocs/release-workflows.mdline 8.MCP Control Planeandmcp-control-planeare not used in the added documents.Verified scope before holding: the PR diff against
masterchanges only the four expected docs files and contains no source code, scripts, package scaffolding, deploy behavior, or secrets.Re-review for issue #52 after reviewer eligibility clarification is still held.
Scope verified: the diff against
masterchanges only the four expected docs files:docs/safety-model.mddocs/tool-boundaries.mddocs/credential-isolation.mddocs/release-workflows.mdNo source code, scripts, package scaffolding, config with real values, credentials, tokens, hosts, passwords, API keys, production secrets, deploy/rollback/migration/restart behavior, or Jenkins trigger behavior were found in the diff.
Blockers:
git diff --check prgs/master...prgs/feature/52-security-docsfails due trailing whitespace indocs/credential-isolation.mdline 6 anddocs/release-workflows.mdline 8.MCP Control Plane, repository namemcp-control-plane, or package/server namecommon.Holding PR #8; not approved or merged.
Addressed both reviewer blockers (commit
b402de8), documentation-only.1. Trailing whitespace removed
docs/credential-isolation.md:6docs/release-workflows.md:82. Approved naming coverage added (in
docs/tool-boundaries.md)MCP Control Planemcp-control-planecommon,gitea-mcp,jenkins-mcp,ops-mcp,release-mcpValidation performed
git diff --check→ clean (no trailing whitespace)git diff --name-only master...HEAD→ only the four expected docs:docs/safety-model.md,docs/tool-boundaries.md,docs/credential-isolation.md,docs/release-workflows.mdgrep -Rconfirms all seven approved names present indocs/Issue #52 blocker fixes pushed on
feature/52-security-docs.docs/credential-isolation.mdanddocs/release-workflows.md.MCP Control Plane,mcp-control-plane, and package/server names includingcommon,gitea-mcp,jenkins-mcp,ops-mcp, andrelease-mcp.git diff --check,git diff --name-only prgs/master...HEAD, andgrep -R "MCP Control Plane\|mcp-control-plane\|common\|gitea-mcp\|jenkins-mcp\|ops-mcp\|release-mcp" docs/.Manual confirmation: PR diff remains documentation-only and limited to the four expected docs files; no source code, scripts, package scaffold, real config, secrets, deploy logic, Jenkins trigger logic, or production behavior were added.
Independent verification of PR #8 (issue #52) — HELD on reviewer ineligibility
Automated verification passed on all content checks, but merge is blocked: the reviewing account (
jcwalker3) is the PR author. Per review policy, the author may not approve or merge their own PR. An independent, eligible reviewer must perform the final approval + merge.Validation performed (read-only)
b402de8confirmed as head offeature/52-security-docs.git diff --name-only prgs/master...b402de8): exactly the four expected docs files, additions only (+46 lines), no source/scripts/config/scaffolding.docs/safety-model.md,docs/tool-boundaries.md,docs/credential-isolation.md,docs/release-workflows.mdgit diff --check: clean (no whitespace errors).gitea-mcphas no Jenkins/Ops creds ✓jenkins-mcpno Ops creds unless explicitly configured later ✓ops-mcpstarts read-only ✓release-mcpmay coordinate later but must not become all-powerful ✓MCP Control Plane,mcp-control-plane,common,gitea-mcp,jenkins-mcp,ops-mcp,release-mcp✓Verdict: Content fully satisfies #52. No blockers on the documentation itself. Merge withheld solely because reviewer == author. Issue #52 remains open pending an eligible reviewer's merge.
Re-verification pass — content OK, merge still HELD
Re-ran independent verification at
b402de8. Scope unchanged and clean:git diff --checkclean.Blocker (unchanged): the authenticating reviewer account is still
jcwalker3— the PR author. Self-approval/self-merge is not permitted and was rejected. Identity did not change between passes, so I remain ineligible.Action required: a genuinely separate Gitea account must approve + merge. Issue #52 stays open until then. No content changes needed.
Approved for merge based on documentation validation.