一键导入
mcp-gateway-security
MCP gateway security patterns, token management, request validation, and audit logging for parliamentary data access
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
MCP gateway security patterns, token management, request validation, and audit logging for parliamentary data access
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
C4 architecture model, security architecture, Mermaid diagrams, SECURITY_ARCHITECTURE.md, and comprehensive documentation per Hack23 Secure Development Policy
AI-augmented development controls, GitHub Copilot governance, LLM security, AI-generated code review per Hack23 Secure Development Policy
EU AI Act compliance, OWASP LLM security, responsible AI practices for parliamentary data and MCP server applications
Enforce code quality with ESLint, TypeScript strict mode, Knip unused detection, and quality gates for MCP servers
ISO 27001, NIST CSF 2.0, CIS Controls v8.1, EU CRA compliance mapping, multi-standard alignment per Hack23 ISMS policies
Contribution process with PR workflow, code review standards, commit conventions, and open source best practices
| name | mcp-gateway-security |
| description | MCP gateway security patterns, token management, request validation, and audit logging for parliamentary data access |
| license | MIT |
This skill applies when:
MCP gateways are a critical security boundary. All parliamentary data requests flow through the gateway, making it the primary enforcement point for authentication, authorization, input validation, and audit logging.
import { z } from 'zod';
const AuthHeaderSchema = z.string().regex(/^Bearer [A-Za-z0-9\-._~+/]+=*$/, 'Invalid bearer token format');
async function validateMCPClient(authHeader: string | undefined) {
if (!authHeader) throw new Error('Authentication required');
const bearerToken = AuthHeaderSchema.parse(authHeader).replace('Bearer ', '');
const client = await tokenStore.validate(bearerToken);
if (!client) throw new Error('Invalid or expired token');
return client; // { clientId, tier, allowedTools }
}
const MCPRequestSchema = z.object({
jsonrpc: z.literal('2.0'),
id: z.union([z.string(), z.number()]),
method: z.enum(['tools/call', 'tools/list', 'resources/read', 'resources/list']),
params: z.record(z.unknown()).optional(),
}).strict();
function validateMCPRequest(request: unknown): void {
const result = MCPRequestSchema.safeParse(request);
if (!result.success) throw new Error(`Invalid MCP request: ${result.error.message}`);
}
interface AuditLogEntry {
timestamp: string;
clientId: string;
toolName: string;
responseStatus: 'success' | 'error' | 'denied';
durationMs: number;
// Never log: argument values, personal data, token values
}
function logToolInvocation(entry: AuditLogEntry): void {
console.log(JSON.stringify({ level: 'audit', ...entry, timestamp: new Date().toISOString() }));
}
function validateSecrets(): void {
const required = ['EP_API_KEY', 'GATEWAY_TOKEN_SECRET', 'AUDIT_LOG_ENDPOINT'];
const missing = required.filter(key => !process.env[key]);
if (missing.length > 0) {
throw new Error(`Missing required secrets: ${missing.join(', ')}`);
}
}
// NEVER allow unauthenticated MCP access
server.onRequest(async (request) => {
return await forwardToBackend(request); // No auth check!
});
// NEVER log token values or personal data
console.log(`Client token: ${token}, query: ${JSON.stringify(args)}`);
// Leaks credentials and potentially personal MEP queries
// NEVER embed credentials in source code
const EP_API_KEY = "ep-key-a1b2c3d4e5f6";
const TOKEN_SECRET = "super-secret-signing-key";
Primary:
Related: