MCP security
MCP isolation baseline: 31 strict runs, 4 confirmed symlink failures
MCP security baseline covering cross-HOME isolation, symlinks, migrations and destructive behavior.
Verdict
25 PASS, 6 strict FAIL. Four failures are confirmed symlink/cross-profile isolation issues; two are harness exception failures.
What the baseline tries to break
This suite attacks the boundary between profiles: symlinked HOME, symlinked `.sibyl-memory`, DB outside HOME, dangerous backup path, repeated migration and setup errors.
The goal is simple: verify that one profile cannot write to or read from another profile storage through a filesystem detour.
What actually breaks
The product-relevant failures show writes into another database when `.sibyl-memory`, HOME, a HOME ancestor, or the SIBYL_MEMORY_DB parent path is symlinked across profile boundaries.
Two additional strict failures are runner exceptions. They stay visible in the raw report, but I do not count them as confirmed product vulnerabilities by themselves.
How I read the 0.4.17 retest
The 0.4.17 retest is mixed: the prompt-injection fence improved, but the symlink cross-profile family still appears open.
I will treat this page as a transparency record until a later patch can be rerun and compared cleanly.
Rerun the test
docker run --rm --network none --cap-drop ALL --security-opt no-new-privileges --pids-limit 192 --memory 768m --cpus 1 --tmpfs /tmp:rw,nosuid,nodev,size=128m --tmpfs /data:rw,nosuid,nodev,size=512m,mode=1777 -v "$PWD:/work" -w /work -e SIBYL_SECURITY_DATA_ROOT=/data sibyl-memory:local python scripts/run_mcp_security_isolation_migration_suite.py