Security Policy

Purpose and Scope

This document defines the security vulnerability reporting, response, and disclosure policy for dolibarr-api-mcp and all repositories governed by MokoStandards.

Supported Versions

Version   Supported
1.x.x     Yes
< 1.0     No

Only the current major version receives security updates.

Reporting a Vulnerability

Report security vulnerabilities via Gitea issue (preferred): https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp/issues/new?template=security.yaml

Or email: hello@mokoconsulting.tech

Where to Report

DO NOT create public issues for security vulnerabilities.

Report security vulnerabilities privately to:

Email: hello@mokoconsulting.tech

Subject Line: [SECURITY] Brief Description

What to Include

  1. Description: Clear explanation of the vulnerability
  2. Impact: Potential security impact and severity assessment
  3. Affected Versions: Which versions are vulnerable
  4. Reproduction Steps: Detailed steps to reproduce the issue
  5. Proof of Concept: Code or demonstration (if applicable)
  6. Suggested Fix: Proposed remediation (if known)

Response Timeline

  • Initial Response: Within 3 business days
  • Assessment Complete: Within 7 business days
  • Fix Timeline: Depends on severity (see below)

Severity Classification

Critical

  • API key exposure or leakage
  • Remote code execution via API parameters
  • Authentication bypass
  • Fix Timeline: 7 days

High

  • SQL injection via sqlfilters parameter
  • Unauthorized access to Dolibarr data
  • Fix Timeline: 14 days

Medium

  • Information disclosure (limited scope)
  • Configuration file exposure
  • Fix Timeline: 30 days

Low

  • Security best practice violations
  • Minor information leaks
  • Fix Timeline: 60 days or next release

Security Considerations

API Key Storage

  • API keys are stored in ~/.dolibarr-api-mcp.json with user-only file permissions
  • Never commit API keys to version control
  • The .gitignore excludes .mcp.json and environment files

SQL Filter Safety

  • The buildSqlFilter() helper escapes single quotes to prevent SQL injection via the sqlfilters parameter
  • All user-provided search terms are wrapped with the helper before being sent to Dolibarr
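A hardened filter builder of the kind described above, as an added example in the project's language that is not the project's own buildSqlFilter(). It assumes, since the page does not state it, that Dolibarr's sqlfilters grammar is (t.field:op:'value') with the t. alias, and that a literal single quote inside the value is expressed by doubling it.

```typescript
// Added example, not the project's own helper: turns caller-supplied
// field, operator and value into one Dolibarr `sqlfilters` clause while
// keeping the value inside its quoted literal.
// Assumed (not taken from the page): clause grammar (t.<field>:<op>:'<value>'),
// quote-doubling as the in-literal escape, and `t.` as the table alias.

const ALLOWED_OPS = new Set(["=", "!=", "<", ">", "<=", ">=", "like"]);
const FIELD_RE = /^[a-z_][a-z0-9_]*$/i;

/** Neutralise characters that could end the quoted literal early. */
function escapeSqlFilterValue(value: string): string {
  // A backslash is doubled so it cannot pair with the closing quote;
  // a single quote is doubled (assumed convention, see lead-in).
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

/** Build one clause; field and operator come from fixed allowlists. */
function buildSqlFilter(field: string, op: string, value: string): string {
  if (!FIELD_RE.test(field)) {
    throw new Error(`invalid field name: ${field}`);
  }
  if (!ALLOWED_OPS.has(op)) {
    throw new Error(`invalid operator: ${op}`);
  }
  return `(t.${field}:${op}:'${escapeSqlFilterValue(value)}')`;
}

/** Substring search, the common case for a free-text MCP search term. */
function buildLikeFilter(field: string, term: string): string {
  // buildSqlFilter() escapes the value; % and _ remain LIKE wildcards.
  return buildSqlFilter(field, "like", `%${term}%`);
}
```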

TLS Verification

  • The insecure connection option disables TLS certificate verification
  • This should only be used for local development with self-signed certificates
  • Production connections should always use valid TLS certificates

Attribution and Recognition

We acknowledge and appreciate responsible disclosure. With your permission, we will credit you in security advisories and release notes.

Revision History

Date         Version  Author   Notes
2026-05-07   0.0.1    jmiller  Initial security policy