MCP security

MCP isolation baseline: 31 strict runs, 4 confirmed symlink failures

MCP security baseline covering cross-HOME isolation, symlinks, migrations and destructive behavior.

Total31
PASS25
Confirmed4
Harness2

Verdict

25 PASS, 6 strict FAIL. Four failures are confirmed symlink/cross-profile isolation issues; two are harness exception failures.

What the baseline tries to break

This suite attacks the boundary between profiles: symlinked HOME, symlinked `.sibyl-memory`, DB outside HOME, dangerous backup path, repeated migration and setup errors.

The goal is simple: verify that one profile cannot write to or read from another profile storage through a filesystem detour.

What actually breaks

The product-relevant failures show writes into another database when `.sibyl-memory`, HOME, a HOME ancestor, or the SIBYL_MEMORY_DB parent path is symlinked across profile boundaries.

Two additional strict failures are runner exceptions. They stay visible in the raw report, but I do not count them as confirmed product vulnerabilities by themselves.

How I read the 0.4.17 retest

The 0.4.17 retest is mixed: the prompt-injection fence improved, but the symlink cross-profile family still appears open.

I will treat this page as a transparency record until a later patch can be rerun and compared cleanly.

Rerun the test

docker run --rm --network none --cap-drop ALL --security-opt no-new-privileges --pids-limit 192 --memory 768m --cpus 1 --tmpfs /tmp:rw,nosuid,nodev,size=128m --tmpfs /data:rw,nosuid,nodev,size=512m,mode=1777 -v "$PWD:/work" -w /work -e SIBYL_SECURITY_DATA_ROOT=/data sibyl-memory:local python scripts/run_mcp_security_isolation_migration_suite.py

Evidence files