Security model
GrantLock is a pre-runtime scanner. It analyzes static MCP server configurations and tool surfaces, then reports findings against an OWASP-mapped threat catalog. The scanner does not proxy live agent traffic, does not enforce policy at runtime, and does not require deploy-time credentials beyond what is needed to read your configuration files.
This page is the canonical short-form security model. The full whitepaper is
maintained in the open-source repository under docs/security.md and is rendered
here at build time once that file ships.
Threat model in one paragraph
GrantLock is run by developers, security engineers, and CI pipelines against MCP configurations they already have access to. The scanner reads YAML/JSON config, optionally connects to MCP servers in read-only mode to enumerate tools and resources, applies a deterministic rule set, and writes a report. The scanner is not in the runtime path of an agent and cannot exfiltrate data from servers it inspects beyond what the operator already grants.
Trust boundaries
- Scanner host trusts the operator. The scanner runs with the operator's privilege; it does not escalate.
- Scanner does not trust MCP servers. Server-supplied tool definitions and resource lists are treated as untrusted input — the rule engine reasons about them but does not execute them.
- Scanner does not trust the rule catalog beyond signature. Premium rules ship with detached cosign signatures verified before execution.
Cryptography
- Binaries are signed with cosign keyless OIDC and verifiable via Sigstore.
- SHA-256 + SHA-512 checksums are published per release at
/releases. - Signed download tokens issued by the website use HMAC-SHA256 and expire in 24 hours.
- TLS for
app.grantlock.aiis provisioned by Cloudflare; HSTS preload is enabled at the zone.
Reporting a vulnerability
Email security@grantlock.ai (encrypted at-rest, forwarded to the founder).
Coordinated disclosure timeline: 90 days from receipt unless severity warrants
faster public disclosure.
Open questions still being closed
- AARM v1 mapping is in flight — see the OSS repo's
framework/aarm-v1-map.md. - SBOM generation is automated for releases ≥ v0.1.0; older releases will be retroactively reproduced where source is reachable.
Stub — canonical source at https://raw.githubusercontent.com/grantlock-ai/grantlock/main/docs/security.md.