db-access-security-protocol
| Field | Value |
|---|---|
| ID | 8 |
| UUID | fa19a7ba-5106-4feb-be67-660132e207ce |
| Version | 2.0 |
| Status | active |
| Scope | Blocks direct mysql/mariadb commands via Bash |
| Created | 2025-12-20 17:59:06 by mcp-contracts |
| Updated | 2025-12-22 09:45:11 |

YAML content
```yaml
contract:
  name: "db-access-security-protocol"
  version: "2.0"
  status: "active"
  description: "Mehrstufiges Sicherheitsprotokoll gegen direkte DB-Zugriffe"
  created: "2025-12-20"
  author: "mcp-contracts"
  scope:
    paths:
      - "/src/**/*.php"
      - "/app/**/*.php"
      - "/opt/scripts/**/*.py"
      - "/opt/scripts/**/*.sh"
    excludes:
      - "/tests/**"
  rules:
    # Block Bash commands
    - id: "no-mysql-user"
      check_type: "forbidden_pattern"
      patterns:
        - "mysql -u"
        - "mysql -p"
        - "mysql --user"
        - "mysql --password"
      in_files: "**/*.sh"
      severity: "critical"
      description: "Keine direkten mysql-Befehle mit User/Passwort"
    - id: "no-mariadb-user"
      check_type: "forbidden_pattern"
      patterns:
        - "mariadb -u"
        - "mariadb -p"
        - "mariadb --user"
        - "mariadb --password"
      in_files: "**/*.sh"
      severity: "critical"
      description: "Keine direkten mariadb-Befehle mit User/Passwort"
    - id: "no-mysqldump"
      check_type: "forbidden_pattern"
      patterns:
        - "mysqldump"
        - "mysqlimport"
        - "mysqladmin"
      in_files: "**/*.sh"
      severity: "critical"
      description: "Keine mysql-Admin-Tools direkt ausführen"
    - id: "no-password-in-command"
      check_type: "forbidden_pattern"
      patterns:
        - "--password="
        - "-p'"
        - '-p"'
      in_files: "**/*"
      severity: "critical"
      description: "Niemals Passwörter in Befehlen"
    # PHP access
    - id: "no-pdo-in-controller"
      check_type: "forbidden_pattern"
      patterns:
        - "new PDO("
        - "->query("
        - "->prepare("
      in_files: "Controller/**/*.php"
      severity: "critical"
      description: "Controller dürfen kein direktes PDO verwenden"
    - id: "pdo-only-in-infrastructure"
      check_type: "dependency_check"
      forbidden_imports:
        - "PDO"
      in_files: "Domain/**/*.php"
      severity: "critical"
      description: "Domain-Layer darf keine PDO-Abhängigkeit haben"
  enforcement:
    on_violation: "block"
    hook: "/var/www/tools/ki-protokoll/claude-hook/block_direct_db.py"
  alternatives:
    mcp_tools:
      - tool: "mcp__mcp-db__db_select"
        use_for: "SELECT-Abfragen"
      - tool: "mcp__mcp-db__db_schema"
        use_for: "Tabellenstruktur"
      - tool: "mcp__mcp-db__db_insert"
        use_for: "INSERT-Operationen"
      - tool: "mcp__mcp-db__db_update"
        use_for: "UPDATE-Operationen"
      - tool: "mcp__mcp-db__db_delete"
        use_for: "DELETE-Operationen"
    allowed_databases:
      - ki_dev
      - ki_content
  pass_threshold:
    critical_max: 0
    major_max: 0
    minor_max: 0
```
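As an added illustration of how rules in this check_type format are evaluated (this is not the contract's own hook at block_direct_db.py, whose code is not on the page), the Python below applies three of the rules above to constructed sample files and decides pass/fail with the pass_threshold. The `**` glob handling and the way dependency_check detects a PHP `use PDO;` import are my assumptions.

```python
import re

# Three of the contract's six rules, transcribed in its own check_type format,
# plus its pass_threshold. Everything else here is an added illustration.
RULES = [
    {"id": "no-mysql-user", "check_type": "forbidden_pattern", "severity": "critical",
     "patterns": ["mysql -u", "mysql -p", "mysql --user", "mysql --password"], "in_files": "**/*.sh"},
    {"id": "no-password-in-command", "check_type": "forbidden_pattern",
     "severity": "critical", "patterns": ["--password=", "-p'", '-p"'], "in_files": "**/*"},
    {"id": "pdo-only-in-infrastructure", "check_type": "dependency_check",
     "severity": "critical", "forbidden_imports": ["PDO"], "in_files": "Domain/**/*.php"},
]
PASS_THRESHOLD = {"critical_max": 0, "major_max": 0, "minor_max": 0}

def glob_to_regex(glob: str) -> re.Pattern:
    """in_files glob -> suffix regex (assumed: `**/` spans dirs, `*` stops at `/`)."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(r"^(?:.*/)?" + out + r"$")

def line_hits(rule: dict, line: str) -> bool:
    """forbidden_pattern: plain substring; dependency_check: a PHP `use PDO;` /
    `use \\PDO;` import line (my reading of the contract, not its hook's)."""
    if rule["check_type"] == "forbidden_pattern":
        return any(p in line for p in rule["patterns"])
    names = "|".join(map(re.escape, rule["forbidden_imports"]))
    return re.search(r"^\s*use\s+\\?(%s)\b" % names, line) is not None

def check_file(path: str, content: str, rules=RULES) -> list:
    """One violation dict per (rule, line) the contract would block on."""
    return [{"rule": r["id"], "severity": r["severity"], "path": path, "line": n}
            for r in rules if glob_to_regex(r["in_files"]).match(path)
            for n, line in enumerate(content.splitlines(), 1) if line_hits(r, line)]

def passes(violations: list, threshold=PASS_THRESHOLD) -> bool:
    """pass_threshold: per-severity counts may not exceed <severity>_max."""
    return all(sum(v["severity"] == s for v in violations) <= threshold[s + "_max"]
               for s in ("critical", "major", "minor"))

# Constructed sample files (not from the page): one hit per rule, plus a clean file.
SAMPLES = {
    "opt/scripts/backup.sh": "#!/bin/sh\nmysql -u app -p'hunter2' ki_dev < dump.sql\n",
    "src/Domain/User.php": "<?php\nnamespace App\\Domain;\nuse PDO;\n",
    "src/Infrastructure/Repo.php": "<?php\nuse PDO;\n$pdo = new PDO($dsn);\n",
}
```

The shell script trips two critical rules on the same line, the Domain class trips the dependency check, and the Infrastructure repository is clean, so only the last would pass a zero-critical threshold.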
Version history

| Version | Changed on | By | Description |
|---|---|---|---|
| 2.0 (current) | 2025-12-22 09:45:11 | - | - |
| 1.0 | 2025-12-22 09:45:11 | claude | Migration to meta-schema v2.0: identity/prevention/detection → contract with scope.paths and rules in check_type format |

Last validations

| Date | Result | Critical | Major | Minor | Duration |
|---|---|---|---|---|---|
| 2025-12-23 04:36:05 | passed | 0 | 0 | 0 | 8ms |
| 2025-12-22 17:44:37 | passed | 0 | 0 | 0 | 9ms |