ADR-002: Risk Classification - dacli-mcp (Tier 2) #282
Description
ADR-002: Risk Classification - dacli-mcp
Date: 2026-02-11
Status: Accepted
Deciders: Development Team + Claude Code
Technical Story: Risk Radar Assessment via /risk-assess
Context
Risk assessment using vibe-coding Risk Radar framework for the dacli-mcp module (MCP server for LLM integration):
| Dimension | Score | Level | Reasoning |
|---|---|---|---|
| Code Type | 2 | Business Logic | MCP tools exposing service layer operations, handles document manipulation via protocol (src/dacli/mcp_app.py, src/dacli/services/) |
| Language | 2 | Dynamically typed | Python 3.12+ — 100% .py files (no static type checking) |
| Deployment | 1 | Internal tool | MCP server for LLM integration in internal workflows, not public-facing |
| Data Sensitivity | 1 | Internal business data | Operates on internal documentation files (AsciiDoc/Markdown) |
| Blast Radius | 2 | Data loss (recoverable) | Could corrupt documentation files, but recoverable from git version control |
Calculated Tier: max(2, 2, 1, 1, 2) = Tier 2 — Extended Assurance
Decision
Classify dacli-mcp as Tier 2 — Extended Assurance.
This tier requires:
- Tier 1: Automated Gates (linter, pre-commit, dependency check, CI/tests)
- Tier 2: Extended Assurance (SAST, AI review, property-based tests, quality gate, sampling review)
See ADR-003 for mitigation implementation details.
Consequences
Positive
- Clear security baseline established for MCP server module
- Appropriate protection level for protocol-exposed business logic
- Shared security benefits with CLI module (same codebase)
Negative
- Additional CI pipeline duration (~2-3 minutes for extended checks)
- Developer onboarding overhead (pre-commit hooks, Hypothesis tests)
Neutral
- Most mitigations are repository-wide and apply to both CLI and MCP modules
- Shares implementation with dacli CLI module (same codebase, different entry point:
dacli.main:mainvsdacli.cli:cli)
Alternatives Considered
Tier 1: Basic Gates Only
- Would mean: No SAST, no property-based tests, no code quality gate
- Rejected because:
- Code Type (Business Logic, score 2) requires extended assurance
- Language (Dynamically typed Python, score 2) benefits from additional testing
- Blast Radius (Data loss, score 2) justifies comprehensive quality measures
- Initially considered Code Type score 3 (API) because MCP exposes tools, but user confirmed score 2 (business logic layer, not direct API/DB)
Tier 3: Mandatory Measures
- Would mean: Mandatory human review on all PRs, sandbox/isolation, fuzzing, pen testing
- Rejected because:
- Deployment is internal tool (score 1), not public-facing or regulated
- Data sensitivity is internal business data (score 1), not PII/PHI
- MCP protocol usage is for internal LLM integration, not external API exposure
- Overkill for current risk profile
Note: Language dimension (Python) is a factual constraint, not a choice. No alternatives exist for this dimension.
Related
- ADR-001: Risk Classification - dacli CLI (Tier 2)
- ADR-003: Security Mitigations - Tier 2 Implementation
- PR docs: improve C4 diagrams + implement complete Tier 2 security mitigations #279: Tier 2 mitigation implementation
- CLAUDE.md: Risk Radar Assessment section
This ADR documents a decision already implemented. Status set to "Accepted" as mitigations are in place (100% Tier 2 completion as of 2026-02-11).