Summary
OAuthConfigAnalyzer auto-discovers all local MCP configs during mcts scan, independent of inventory privacy flags.
Problem
src/mcts/analyzers/oauth_config.py:149 calls discover_config_paths() without user scoping. Inventory privacy controls (#87 / PR #279) apply only to mcts inventory, not scan-time analyzer discovery.
A user running mcts scan ./repo may still trigger reads of all well-known home-directory MCP configs via this analyzer.
Expected Behavior
Either:
- Scope discovery to the scan target / explicit --config when provided, or
- Document that OAuth config analysis always performs local config discovery and treat it as accepted scan behavior.
Evidence
- src/mcts/analyzers/oauth_config.py:13, :149 — discover_config_paths()
- #87 "mcts inventory reads local MCP configs without consent gate" — inventory CLI only
Impact
Privacy-conscious users may not expect a scan of a repo path to read unrelated home MCP configs.
References
- #87: mcts inventory reads local MCP configs without consent gate
- PR #279: feat(inventory): add privacy controls for config discovery (#87)
- local/issue-87-pr-279-validation.md
Acceptance Criteria
- docs/scanning/inventory.md or security-checks if documented-only
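One way to implement the first option under Expected Behavior (scope discovery to the scan target, or to explicit --config paths when given), as an added example that is not the project's code: scoped_config_paths, WELL_KNOWN_CONFIG_NAMES and the fixture built in demo are hypothetical, and the config file names are constructed.

```python
from pathlib import Path
from tempfile import TemporaryDirectory
from typing import Iterable

# Constructed sample of well-known MCP config file names; the project's real
# discovery list is not shown on the page.
WELL_KNOWN_CONFIG_NAMES = ("mcp.json", ".mcp.json", "claude_desktop_config.json")


def scoped_config_paths(scan_root: Path, explicit: Iterable[Path] = ()) -> list[Path]:
    """Hypothetical scoped replacement for an unscoped discover_config_paths().

    Explicit --config paths are the user's consent and are returned as given.
    Otherwise only well-known config names located inside scan_root are
    returned; a candidate whose real path resolves outside scan_root (for
    example a symlink into the home directory) is dropped.
    """
    root = scan_root.resolve()
    explicit = [Path(p).resolve() for p in explicit]
    if explicit:
        return [p for p in explicit if p.is_file()]
    found = []
    for candidate in root.rglob("*"):
        if candidate.name not in WELL_KNOWN_CONFIG_NAMES or not candidate.is_file():
            continue
        real = candidate.resolve()
        if root not in real.parents:  # escaped the scan target; skip it
            continue
        found.append(real)
    return sorted(found)


def demo() -> dict[str, list[str]]:
    """Constructed fixture: a repo with its own config, a fake home config
    outside the repo, and a symlink inside the repo that points at it."""
    with TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        repo, home = base / "repo", base / "home"
        repo.mkdir()
        home.mkdir()
        (repo / "mcp.json").write_text("{}")
        (home / ".mcp.json").write_text("{}")
        (repo / ".mcp.json").symlink_to(home / ".mcp.json")
        return {
            "repo_scan": [p.relative_to(base).as_posix()
                          for p in scoped_config_paths(repo)],
            "explicit": [p.relative_to(base).as_posix()
                         for p in scoped_config_paths(repo, [home / ".mcp.json"])],
        }
```

A repo scan returns only repo/mcp.json (the symlinked home config is skipped), while an explicit --config path is honored because the user named it.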