MokoConsulting/mcp-mokocrm-api

Fork 0

Files

T

Jonathan Miller 73c7d5554f

Changelog Validation / Validate CHANGELOG.md (push) Failing after 3s

Details

Standards Compliance / Secret Scanning (push) Successful in 3s

Details

Standards Compliance / License Header Validation (push) Failing after 3s

Details

Standards Compliance / Repository Structure Validation (push) Failing after 3s

Details

Standards Compliance / Coding Standards Check (push) Failing after 3s

Details

Standards Compliance / Workflow Configuration Check (push) Failing after 2s

Details

Standards Compliance / Documentation Quality Check (push) Successful in 2s

Details

Standards Compliance / README Completeness Check (push) Failing after 3s

Details

Standards Compliance / Git Repository Hygiene (push) Successful in 3s

Details

Standards Compliance / Script Integrity Validation (push) Successful in 6s

Details

Standards Compliance / Line Length Check (push) Failing after 4s

Details

Standards Compliance / File Naming Standards (push) Successful in 3s

Details

Standards Compliance / Insecure Code Pattern Detection (push) Successful in 2s

Details

Standards Compliance / Version Consistency Check (push) Successful in 35s

Details

CodeQL Security Scanning / Analyze (actions) (push) Failing after 1m12s

Details

Standards Compliance / Dead Code Detection (push) Successful in 4s

Details

Standards Compliance / File Size Limits (push) Successful in 3s

Details

Standards Compliance / Binary File Detection (push) Successful in 2s

Details

Standards Compliance / TODO/FIXME Tracking (push) Successful in 2s

Details

Standards Compliance / Code Complexity Analysis (push) Successful in 32s

Details

Standards Compliance / Code Duplication Detection (push) Successful in 33s

Details

Standards Compliance / Broken Link Detection (push) Successful in 2s

Details

Standards Compliance / API Documentation Coverage (push) Successful in 2s

Details

Standards Compliance / Accessibility Check (push) Successful in 3s

Details

Standards Compliance / Performance Metrics (push) Successful in 2s

Details

CodeQL Security Scanning / Analyze (javascript) (push) Failing after 1m36s

Details

Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 37s

Details

Standards Compliance / Unused Dependencies Check (push) Successful in 37s

Details

Standards Compliance / Terraform Configuration Validation (push) Successful in 5s

Details

CodeQL Security Scanning / Security Scan Summary (push) Successful in 1s

Details

Standards Compliance / Enterprise Readiness Check (push) Successful in 33s

Details

Standards Compliance / Repository Health Check (push) Successful in 33s

Details

Standards Compliance / Compliance Summary (push) Failing after 1s

Details

Sync Version from README / Propagate README version (push) Failing after 38s

Details

docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder

Add all required MokoStandards documentation files. Refactor inline
sqlfilters strings to use buildSqlFilter() and searchFilter() helpers
for safe query construction with proper escaping.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-05-07 14:15:27 -05:00

3.3 KiB

Raw Permalink Blame History

Security Policy

Purpose and Scope

This document defines the security vulnerability reporting, response, and disclosure policy for dolibarr-api-mcp and all repositories governed by MokoStandards.

Supported Versions

Version	Supported
1.x.x	✅
< 1.0	❌

Only the current major version receives security updates.

Reporting a Vulnerability

Report security vulnerabilities via Gitea issue (preferred): https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp/issues/new?template=security.yaml

Or email: hello@mokoconsulting.tech

Where to Report

DO NOT create public issues for security vulnerabilities.

Report security vulnerabilities privately to:

Email: hello@mokoconsulting.tech

Subject Line: [SECURITY] Brief Description

What to Include

Description: Clear explanation of the vulnerability
Impact: Potential security impact and severity assessment
Affected Versions: Which versions are vulnerable
Reproduction Steps: Detailed steps to reproduce the issue
Proof of Concept: Code or demonstration (if applicable)
Suggested Fix: Proposed remediation (if known)

Response Timeline

Initial Response: Within 3 business days
Assessment Complete: Within 7 business days
Fix Timeline: Depends on severity (see below)

Severity Classification

Critical

API key exposure or leakage
Remote code execution via API parameters
Authentication bypass
Fix Timeline: 7 days

High

SQL injection via sqlfilters parameter
Unauthorized access to Dolibarr data
Fix Timeline: 14 days

Medium

Information disclosure (limited scope)
Configuration file exposure
Fix Timeline: 30 days

Low

Security best practice violations
Minor information leaks
Fix Timeline: 60 days or next release

Security Considerations

API Key Storage

API keys are stored in ~/.dolibarr-api-mcp.json with user-only file permissions
Never commit API keys to version control
The .gitignore excludes .mcp.json and environment files

SQL Filter Safety

The buildSqlFilter() helper escapes single quotes to prevent SQL injection via the sqlfilters parameter
All user-provided search terms are wrapped with the helper before being sent to Dolibarr

TLS Verification

The insecure connection option disables TLS certificate verification
This should only be used for local development with self-signed certificates
Production connections should always use valid TLS certificates

Attribution and Recognition

We acknowledge and appreciate responsible disclosure. With your permission, we will credit you in security advisories and release notes.

Revision History

Date	Version	Author	Notes
2026-05-07	0.0.1	jmiller	Initial security policy

3.3 KiB Raw Permalink Blame History

Security Policy

Purpose and Scope

Supported Versions

Reporting a Vulnerability

Where to Report

What to Include

Response Timeline

Severity Classification

Critical

High

Medium

Low

Security Considerations

API Key Storage

SQL Filter Safety

TLS Verification

Attribution and Recognition

Revision History

3.3 KiB

Raw Permalink Blame History