mcpfold logomcpfold

Security & trust

mcpfold manages configuration that lives next to your secrets, so its security posture is a feature, not an afterthought. This page summarizes what it guarantees in plain language and links the authoritative, test-backed docs for each claim — no overstatement.

Secrets are references, never values

Your canonical config stores secret references like ${env:GITHUB_PAT} or ${op:vault/item/field} — never the resolved value. The reference is the only thing committed to git. mcpfold resolves the real value in memory at fold/launch time and injects it into the server process; it is never cached to a temp file.

When mcpfold renders a client's config, it keeps the token off disk by rewriting the launch to go through mcpfold run, or by emitting the client's own secret indirection (for example VS Code's ${input:}). The one way a resolved value is ever written to a file is the explicitly opt-in inline strategy — and even then only if the target file is gitignored; otherwise mcpfold refuses and warns. This is the honest boundary, not a blanket “never touches disk”.

How secrets work

Nothing sensitive is synced to the cloud

The optional cloud stores only your canonical config with secret references — never values. A push is checked three times: a client-side guard, a server-side ref-only guard, and a database config_is_ref_only constraint as the final backstop. A non-reference in a secret position is rejected before it can be uploaded.

Read the documented audit

Local-first by default

init, import, sync, diff, doctor, scan, and run all work entirely offline with no account and no server. The cloud is opt-in and adds only cross-machine sync and team sharing — the entire CLI is free and MIT-licensed, and the cloud is self-hostable at no cost.

What the cloud adds

Diagnostics are redacted; telemetry is off by default

All CLI output — diff, doctor, --debug, and the diagnose bug-report bundle — flows through a redactor that masks reference paths, registered secrets, and token-shaped strings; the bundle is proven leak-free by test.

Telemetry collects nothing unless you explicitly set MCPFOLD_TELEMETRY=1. When enabled it sends only a small, fixed, allow-listed set of non-identifying fields (command name, CLI/Node version, OS, exit code, duration) — never config, paths, server names, or values. Both DO_NOT_TRACK=1 and MCPFOLD_TELEMETRY=0 disable it, and opt-out always wins.

Redaction & telemetry details

Supply-chain & integrity

doctor flags any unpinned @latest stdio server, and a declared pin rewrites @latest to a fixed version in the rendered client file, so a client launches a known version rather than a moving target. mcpfold scan is a security preflight that audits every detected client's on-disk config for the known 2025–26 MCP incident root causes (cleartext secrets, unpinned packages, vulnerable mcp-remote bridges).

The honest caveat: a server's command/args are executable code, so a tampered config is a code-execution vector — pinning bounds the supply-chain risk, and trust-on-first-use plus signed synced config harden this further.

Full threat model

Verified, not just asserted

The refs-only invariant is machine-verified on every relevant path: a leak harness injects a known sentinel and exercises sync/run/diff/doctor/push across every adapter and strategy, asserting the sentinel appears in zero artifacts (files, backups, temp dirs, stdout/stderr, push payloads). CI also runs gitleaks secret scanning and a production dependency audit on every push. A deliberately introduced leak fails the build.

Claims → evidence ledger

Reporting a vulnerability

Please report security issues privately — do not open a public issue. The preferred path is a GitHub private security advisory, or email [email protected]. We aim to acknowledge within 3 business days and to ship a fix before any public disclosure, coordinating a timeline with you. Full policy: SECURITY.md.