Security & Privacy

How the MCP Server protects your data through sandbox isolation, ownership checks, and OAuth authentication.

The MCP Server is designed with security at every layer. Your racing data is protected by sandbox isolation, per-query ownership verification, and industry-standard authentication.

Sandbox Isolation

AI code runs in isolated-vm, a V8 isolate with no access to:

  • Network: Cannot make HTTP requests or connect to external services
  • Filesystem: Cannot read or write files
  • Environment: Cannot access environment variables or secrets
  • Modules: Cannot require() or import external packages

The sandbox is constrained to:

Limit                      Value
Execution timeout          10 seconds
Memory                     32 MB
API calls per execution    20
Code size                  10 KB
Output size                100 KB

If any limit is exceeded, execution is terminated immediately.

Data Ownership

Every function verifies that the authenticated user owns the requested data:

  • assertSessionOwnership(userId, sessionId) before any session query
  • assertRaceOwnership(userId, raceEventId) before calendar operations
  • assertNotepadOwnership(userId, notepadId) before notepad access

There is no way to query another user’s data — even if you know their session IDs.
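The three ownership guards named above, as an added illustration that is not the MCP Server's own code: a generic check loads the record, compares its owner to the authenticated user, and raises the same error whether the record is missing or belongs to someone else, so a caller cannot probe which ids exist. The in-memory store and its records are constructed sample data.

```javascript
// Added example, not the MCP Server's code. Constructed sample data: every
// record carries the id of the user who owns it.
const store = {
  sessions: new Map([
    ['sess-1', { id: 'sess-1', userId: 'user-a', track: 'Spa' }],
    ['sess-2', { id: 'sess-2', userId: 'user-b', track: 'Monza' }],
  ]),
  raceEvents: new Map([
    ['race-1', { id: 'race-1', userId: 'user-a', name: 'Club round 3' }],
  ]),
  notepads: new Map([
    ['note-1', { id: 'note-1', userId: 'user-b', text: 'brake later into T1' }],
  ]),
};

class OwnershipError extends Error {
  constructor(kind, id) {
    // Same message for "does not exist" and "owned by another user", so the
    // response never reveals whether an id is real.
    super(`${kind} ${id} not found`);
    this.name = 'OwnershipError';
  }
}

// Generic guard: fetch the record and compare its owner to the caller.
function assertOwnership(table, kind, userId, id) {
  const record = table.get(id);
  if (!record || record.userId !== userId) {
    throw new OwnershipError(kind, id);
  }
  return record;
}

// The three specialised guards from the text, built on the generic one.
const assertSessionOwnership = (userId, sessionId) =>
  assertOwnership(store.sessions, 'session', userId, sessionId);
const assertRaceOwnership = (userId, raceEventId) =>
  assertOwnership(store.raceEvents, 'race event', userId, raceEventId);
const assertNotepadOwnership = (userId, notepadId) =>
  assertOwnership(store.notepads, 'notepad', userId, notepadId);

// A data function calls its guard before touching anything else.
function getSessionTrack(userId, sessionId) {
  const session = assertSessionOwnership(userId, sessionId);
  return session.track;
}
```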

Input Validation

All functions use Zod schemas with strict validation:

  • MUTATING and CREATIVE functions use .strict() — any unknown field is rejected with an error
  • Every parameter has a .describe() annotation explaining its purpose
  • Type coercion is disabled — the AI must pass values of the correct type
  • The _validateOnly: true flag lets the AI dry-run a mutation without writing anything

This blunts prompt injection attacks in which a manipulated AI tries to smuggle unexpected parameters into a call: they are rejected at validation, before anything executes.

Authentication

The server uses OAuth 2.0 with PKCE (Proof Key for Code Exchange):

  1. Dynamic client registration — AI clients register automatically
  2. Authorization code flow — User explicitly grants access via consent page
  3. PKCE mandatory — Prevents authorization code interception
  4. JWT tokens — Access tokens are signed and verified on every request
  5. Refresh tokens — Automatic token renewal without re-authorization

Discovery Endpoints

The server follows RFC 8414 and RFC 9728 for automatic discovery:

Endpoint                                    Standard   Purpose
/.well-known/oauth-authorization-server     RFC 8414   OAuth metadata discovery
/.well-known/oauth-protected-resource       RFC 9728   Resource metadata (advertised in the WWW-Authenticate header of 401 responses)

AI clients that follow these standards can connect without manual configuration.

CORS Policy

The server allows requests from known AI platforms:

  • https://claude.ai
  • https://chatgpt.com
  • https://chat.openai.com
  • Plus custom origins configured by the server operator

Data Handling

  • No training: Your telemetry data is never used to train AI models
  • No sharing: Data is scoped to your authenticated account
  • Soft deletes: Most data uses deleted_at timestamps — accidental deletions can be recovered
  • Null stripping: Output is cleaned of null values to reduce token usage

What We Don’t Store

The MCP Server does not store:

  • AI conversation history
  • The code the AI writes (it is executed and then discarded)
  • AI model responses
  • Your AI client’s API keys or credentials