Expand description
MCP server setup and lifecycle.
Implements an rmcp-based MCP server over stdio or HTTP transport.
§Transport Security Model (COMP-CRIT-003)
§Stdio Transport (Default)
The stdio transport is the default and recommended transport for local use with Claude Desktop and other MCP-compatible clients. Its security model is based on:
Trust Assumptions:
- Process isolation: The parent process (Claude Desktop) spawns subcog as a child process. Communication happens exclusively over stdin/stdout pipes.
- No network exposure: Stdio transport never binds to a network port, eliminating remote attack vectors entirely.
- Same-user execution: The spawned process inherits the parent’s user context, meaning file system and secret access is limited to what the invoking user can access.
- No authentication required: Since only the parent process can communicate over the pipes, authentication is implicit through OS process isolation.
Security Properties:
- Confidentiality: Data never leaves the local machine unless explicitly requested (e.g., git sync to remote).
- Integrity: OS guarantees pipe integrity; no MITM attacks possible.
- Availability: Process lifecycle is controlled by the parent.
Threat Mitigations:
- Malicious input: Content is sanitized before storage (secrets detection, PII redaction).
- Resource exhaustion: Rate limits and memory caps protect against
DoS. - Privilege escalation: Subcog runs with user privileges, never elevated.
§HTTP Transport (Optional)
The HTTP transport exposes subcog over a network socket and requires explicit security:
- JWT bearer token authentication (SEC-H1): All requests must include a valid JWT.
Requires
SUBCOG_MCP_JWT_SECRETenvironment variable (min 32 characters). - Per-client rate limiting (ARCH-H1): Prevents abuse via configurable request limits.
- CORS protection (HIGH-SEC-006): Restrictive by default; origins must be explicitly allowed.
- Security headers: X-Content-Type-Options, X-Frame-Options, CSP, no-cache directives.
When to use HTTP transport:
- Remote access to subcog server (e.g., from containerized environments)
- Shared team server with multi-user access
- Integration with web-based MCP clients
Configuration:
# Required for HTTP transport
export SUBCOG_MCP_JWT_SECRET="your-32-char-minimum-secret-key"
# Optional: customize rate limits
export SUBCOG_MCP_RATE_LIMIT_MAX_REQUESTS=1000
export SUBCOG_MCP_RATE_LIMIT_WINDOW_SECS=60
# Optional: configure CORS for web clients
export SUBCOG_MCP_CORS_ALLOWED_ORIGINS="https://your-app.com"Structs§
- Cors
Config - CORS configuration (HIGH-SEC-006).
- Http
Auth 🔒State - McpHandler 🔒
- McpServer
- MCP server for subcog.
- McpState 🔒
- Rate
Limit Config - Rate limit configuration (ARCH-H1).
- Rate
Limit 🔒Entry
Enums§
- Transport
- Transport type for the MCP server.
Constants§
- DEFAULT_
CORS_ 🔒ALLOWED_ ORIGIN - Default allowed CORS origin (none by default for security).
- DEFAULT_
RATE_ 🔒LIMIT_ MAX_ REQUESTS - Default maximum requests per rate limit window.
- DEFAULT_
RATE_ 🔒LIMIT_ WINDOW_ SECS - Default rate limit window duration (1 minute).
Statics§
- SHUTDOWN_
REQUESTED 🔒 - Global shutdown flag for graceful termination (RES-M4).
Functions§
- auth_
middleware 🔒 - await_
shutdown 🔒 - build_
cors_ 🔒layer - ensure_
tool_ 🔒authorized - execute_
call_ 🔒tool - init_
request_ 🔒context - is_
shutdown_ requested - Checks if shutdown has been requested.
- join_
error_ 🔒to_ mcp - Converts a task join error to an MCP internal error.
- map_
notification_ 🔒status - prompt_
definition_ 🔒to_ rmcp - prompt_
message_ 🔒to_ rmcp - record_
mcp_ 🔒metrics - request_
shutdown - Requests a graceful shutdown.
- resolve_
prompt 🔒 - Resolves a prompt by name and arguments into a
GetPromptResult. - resource_
content_ 🔒to_ rmcp - resource_
definition_ 🔒to_ rmcp - run_
mcp_ 🔒with_ context - setup_
signal_ handler - Sets up the signal handler for graceful shutdown (RES-M4).
- tool_
content_ 🔒to_ rmcp - tool_
definition_ 🔒to_ rmcp - tool_
result_ 🔒to_ rmcp