# Sibyl MCP Security Round 3 2026-06-02

Focused checks for cap bypass and SQLite sidecar filesystem boundary behavior.

## How to run

```bash
docker run --rm --network none --cap-drop ALL --security-opt no-new-privileges --pids-limit 192 --memory 768m --cpus 1 --tmpfs /tmp:rw,nosuid,nodev,size=128m --tmpfs /data:rw,nosuid,nodev,size=512m,mode=1777 -v "$PWD:/work" -w /work -e SIBYL_SECURITY_DATA_ROOT=/data sibyl-memory:local python scripts/run_mcp_security_round3_suite.py
```

## Summary

| Metric | Count |
|---|---:|
| Total | 5 |
| PASS | 3 |
| FAIL | 2 |

## Runs

| Run | Status | Checks | Reason |
|---|---:|---:|---|
| run-2026-06-02-mcp-run222-cap-control-no-cache-oversized-write | PASS | 2 / 2 | none |
| run-2026-06-02-mcp-run223-cap-overshoot-many-small-writes | FAIL | 1 / 2 | total_storage_not_far_over_cap; Many small writes can push SQLite storage well beyond the 2 MB free-tier cap because cap accounting underestimates SQLite on-disk growth across repeated writes. |
| run-2026-06-02-mcp-run219-cap-bypass-forged-null-account-cache | PASS | 2 / 2 | none |
| run-2026-06-02-mcp-run220-cap-bypass-forged-credentials-and-cache | FAIL | 0 / 2 | oversized_write_blocked; not_persisted; Forged credentials.json plus matching tier_cache.json bypasses server verification and the 2 MB free-tier cap offline. |
| run-2026-06-02-mcp-run221-sqlite-wal-symlink-outside-home | PASS | 1 / 1 | none |
