# MRS Specification RFC #17: Security Considerations
## Input Validation

Parsers MUST validate:

| Limit | Recommended |
|---|---|
| Maximum document size | 100 MB |
| Maximum nesting depth | 100 levels |
| Maximum events per measure | 10,000 |
| Maximum spans | 100,000 |
| Maximum measures | 100,000 |
## Denial of Service Protection

Implementations SHOULD protect against:

- Deeply nested structures: limit recursion depth
- Very large measure numbers: validate integer bounds
- Excessive span counts: limit span storage
- Malformed UTF-8: validate string encoding
- Circular references: detect reference cycles
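The limits table and the denial-of-service list above describe one pre-parse and post-parse gate. The following is an added example of such a gate, written for this page rather than taken from the MRS specification or any reference parser. It assumes the document is a JSON-encoded object with a `measures` list (each measure carrying a `number` and an `events` list) and a `spans` list whose entries may point at another span through a `ref` field; those field names, and the 32-bit bound on measure numbers, are assumptions of the example, not part of the specification text.

```python
import json
from dataclasses import dataclass


# Recommended limits from the table above. The measure-number bound is this
# example's assumption; the page does not fix an integer width.
@dataclass(frozen=True)
class Limits:
    max_document_bytes: int = 100 * 1024 * 1024   # 100 MB
    max_depth: int = 100
    max_events_per_measure: int = 10_000
    max_spans: int = 100_000
    max_measures: int = 100_000
    max_measure_number: int = 2**31 - 1


class ValidationError(ValueError):
    """Any limit violation: the parser rejects the whole document."""


def check_nesting(text: str, limits: Limits) -> int:
    """Scan bracket depth before parsing, so a deeply nested document is
    refused without ever being built in memory. Returns the deepest level."""
    depth = deepest = 0
    in_string = escape = False
    for ch in text:
        if in_string:                      # brackets inside strings do not count
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
            if depth > limits.max_depth:
                raise ValidationError(f"nesting deeper than {limits.max_depth} levels")
        elif ch in "]}":
            depth -= 1
    return deepest


def check_span_cycles(spans: list) -> None:
    """Follow every "ref" chain once (assumed field name) and reject any
    chain that loops back on itself or points at a span that does not exist."""
    refs = {s["id"]: s.get("ref") for s in spans}
    state: dict = {}                       # id -> "visiting" or "done"
    for start in refs:
        cur, path = start, []
        while cur is not None and state.get(cur) != "done":
            if cur not in refs:
                raise ValidationError(f"span references unknown id {cur!r}")
            if state.get(cur) == "visiting":
                raise ValidationError(f"circular span reference through {cur!r}")
            state[cur] = "visiting"
            path.append(cur)
            cur = refs[cur]
        for node in path:
            state[node] = "done"


def validate_document(raw: bytes, limits: Limits = Limits()) -> dict:
    """Apply the limits cheapest-first, then return the parsed document."""
    if len(raw) > limits.max_document_bytes:
        raise ValidationError("document exceeds maximum size")
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValidationError(f"malformed UTF-8 at byte {exc.start}") from None
    check_nesting(text, limits)
    doc = json.loads(text)
    measures, spans = doc.get("measures", []), doc.get("spans", [])
    if len(measures) > limits.max_measures:
        raise ValidationError("too many measures")
    if len(spans) > limits.max_spans:
        raise ValidationError("too many spans")
    for m in measures:
        n = m.get("number")
        if isinstance(n, bool) or not isinstance(n, int) \
                or not 0 <= n <= limits.max_measure_number:
            raise ValidationError(f"measure number out of bounds: {n!r}")
        if len(m.get("events", [])) > limits.max_events_per_measure:
            raise ValidationError(f"measure {n} has too many events")
    check_span_cycles(spans)
    return doc


def accepts(raw: bytes, limits: Limits = Limits()) -> bool:
    """True if the document passes every check, False if it is rejected."""
    try:
        validate_document(raw, limits)
        return True
    except (ValidationError, json.JSONDecodeError):
        return False


# Constructed sample inputs for the demonstration (not real MRS documents).
GOOD_DOC = json.dumps({"measures": [{"number": 1, "events": [{"pitch": 60}]}],
                       "spans": [{"id": "s1", "ref": "s2"}, {"id": "s2"}]}).encode()
CYCLIC_DOC = json.dumps({"measures": [{"number": 1, "events": []}],
                         "spans": [{"id": "s1", "ref": "s2"}, {"id": "s2", "ref": "s1"}]}).encode()
DEEP_DOC = b"[" * 200 + b"]" * 200
BAD_UTF8_DOC = b'{"measures": [{"number": 1, "events": ["\xff"]}]}'

if __name__ == "__main__":
    for name, doc in [("good", GOOD_DOC), ("cyclic", CYCLIC_DOC),
                      ("deep", DEEP_DOC), ("bad-utf8", BAD_UTF8_DOC)]:
        print(name, "accepted" if accepts(doc) else "rejected")
```

The order matters: size and encoding are checked on the raw bytes, nesting is checked by a linear scan of the text, and only then is the document handed to the JSON decoder, so an attacker-controlled input never costs more than one pass over its bytes before it is rejected.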
## Information Disclosure

Working Set Envelopes may expose:

| Data | Risk |
|---|---|
| Source document hash | Reveals document identity |
| Creator/modifier identity | Reveals authorship |
| Agent names | Reveals workflow |
| Transaction history | Reveals edit patterns |
### Mitigation

Implementations SHOULD:

- Allow redaction of sensitive metadata
- Support anonymous agent identifiers
- Provide hash salting options
- Enable audit log access controls
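An added example of the first three mitigations applied to an envelope before it leaves the orchestrator; it is illustration written for this page, not code from the MRS project. The envelope layout (`source_hash`, `creator`, `modifier`, `agents`, `transactions` with an `agent` per entry) and the use of HMAC-SHA256 for both the salted hash and the agent pseudonyms are assumptions of the example. Access control on the unredacted audit log is left to the orchestrator's authorization layer and is not shown.

```python
import hashlib
import hmac
from copy import deepcopy


def salted_document_hash(document_hash: str, salt: bytes) -> str:
    """HMAC the source-document hash under a salt the publisher controls.
    A recipient without the salt cannot test whether a known document was
    the source; a recipient given the salt can still verify the linkage."""
    return hmac.new(salt, document_hash.encode(), hashlib.sha256).hexdigest()


def anonymous_agent_id(agent_name: str, pepper: bytes) -> str:
    """Stable pseudonym: the same name maps to the same id within one
    deployment (same pepper), but the name cannot be recovered from it."""
    digest = hmac.new(pepper, agent_name.encode(), hashlib.sha256).hexdigest()
    return "agent-" + digest[:16]


def redact_envelope(envelope: dict, *, salt: bytes, pepper: bytes,
                    drop: frozenset = frozenset(),
                    pseudonymize_agents: bool = True,
                    salt_hash: bool = True) -> dict:
    """Return a copy of the envelope with sensitive metadata removed or
    replaced. The input is never modified, so the orchestrator keeps the
    unredacted envelope behind its own audit-log access controls."""
    out = deepcopy(envelope)
    for field in drop:                       # e.g. drop={"transactions"}
        out.pop(field, None)
    if salt_hash and "source_hash" in out:
        out["source_hash"] = salted_document_hash(out["source_hash"], salt)
        out["source_hash_salted"] = True     # consumers must not compare raw hashes
    if pseudonymize_agents:
        for field in ("creator", "modifier"):
            if field in out:
                out[field] = anonymous_agent_id(out[field], pepper)
        if "agents" in out:
            out["agents"] = [anonymous_agent_id(a, pepper) for a in out["agents"]]
        for tx in out.get("transactions", []):
            if "agent" in tx:
                tx["agent"] = anonymous_agent_id(tx["agent"], pepper)
    return out


# Constructed sample envelope and secrets. A real deployment generates the
# salt and pepper with secrets.token_bytes() and stores them apart from the
# envelopes they protect.
SAMPLE_ENVELOPE = {
    "source_hash": hashlib.sha256(b"constructed source document").hexdigest(),
    "creator": "alice@example.org",
    "modifier": "bob@example.org",
    "agents": ["harmony-agent", "layout-agent"],
    "transactions": [
        {"id": "tx-1", "agent": "harmony-agent", "ops": 3},
        {"id": "tx-2", "agent": "layout-agent", "ops": 1},
    ],
}
SALT = b"constructed-salt-for-example"
PEPPER = b"constructed-pepper-for-example"

if __name__ == "__main__":
    import json
    redacted = redact_envelope(SAMPLE_ENVELOPE, salt=SALT, pepper=PEPPER,
                               drop=frozenset({"transactions"}))
    print(json.dumps(redacted, indent=2))
```

Salting the hash with an HMAC rather than a plain concatenation keeps the construction keyed: without the salt the value reveals nothing about which document was the source, which is the disclosure the table above warns about. The pseudonyms stay consistent across `creator`, `agents` and `transactions` so workflow analysis within a deployment still works for parties that are entitled to it.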
## Operation Safety

### UUID Validation

Orchestrators MUST validate:

- UUIDs are well-formed UUIDv7
- Referenced UUIDs exist (or are valid tmp-ids)
- No UUID collisions in minting
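An added example of the three UUID checks, written for this page and not taken from the MRS specification. The UUIDv7 layout follows the published format (48-bit millisecond timestamp, version nibble 7, RFC 4122 variant). The `tmp:` prefix syntax for tmp-ids is an assumption of the example, since the page does not define the tmp-id format, and the `Minter` class with its injectable clock and random source is likewise illustrative.

```python
import re
import secrets
import time
import uuid

# tmp-id syntax is not fixed by this page; assumed here as "tmp:" plus a token.
TMP_ID_RE = re.compile(r"^tmp:[A-Za-z0-9_-]{1,64}$")


def is_uuidv7(value) -> bool:
    """Well-formed means canonical hyphenated form, RFC 4122 variant and
    version nibble 7. Braces, URN prefixes and other versions are rejected."""
    if not isinstance(value, str):
        return False
    try:
        u = uuid.UUID(value)
    except ValueError:
        return False
    return u.variant == uuid.RFC_4122 and u.version == 7 and str(u) == value.lower()


def is_tmp_id(value) -> bool:
    return isinstance(value, str) and TMP_ID_RE.match(value) is not None


def valid_reference(ref, known: set) -> bool:
    """A reference is acceptable if it is a tmp-id or a well-formed UUIDv7
    that the orchestrator has actually minted (so dangling refs are refused)."""
    return is_tmp_id(ref) or (is_uuidv7(ref) and ref in known)


def uuid7(now_ms: int, randbits=secrets.randbits) -> str:
    """Build a UUIDv7: 48-bit Unix ms timestamp, version 7, 12 random bits,
    RFC 4122 variant, 62 random bits. randbits is injectable for testing."""
    value = (now_ms & ((1 << 48) - 1)) << 80
    value |= 0x7 << 76                      # version 7
    value |= randbits(12) << 64             # rand_a
    value |= 0b10 << 62                     # variant 10xx
    value |= randbits(62)                   # rand_b
    return str(uuid.UUID(int=value))


class Minter:
    """Mints UUIDv7s and refuses to hand out one it has already issued."""

    def __init__(self, existing=(), clock=lambda: time.time_ns() // 1_000_000,
                 randbits=secrets.randbits, max_attempts: int = 8):
        self.issued = set(existing)
        self._clock = clock
        self._randbits = randbits
        self._max_attempts = max_attempts

    def mint(self) -> str:
        for _ in range(self._max_attempts):
            candidate = uuid7(self._clock(), self._randbits)
            if candidate not in self.issued:
                self.issued.add(candidate)
                return candidate
        # Repeated collisions mean the randomness source is broken or the
        # clock is stuck; failing loudly beats silently reusing an id.
        raise RuntimeError("UUID collision on every attempt; refusing to mint")


if __name__ == "__main__":
    m = Minter()
    fresh = m.mint()
    print(fresh, is_uuidv7(fresh), valid_reference(fresh, m.issued))
    print(valid_reference(str(uuid.uuid4()), m.issued))   # False: version 4, not 7
```

Collision detection is only meaningful against the set of ids the orchestrator has already issued, which is why `Minter` is seeded with `existing` and why `valid_reference` consults the same set: a well-formed UUIDv7 that was never minted here is treated as a dangling reference, not as a valid one.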
### Scope Enforcement

Orchestrators MUST enforce:

- Operations within granted scope
- Operations within granted lanes
- No unauthorized measure access
### Transaction Integrity

Orchestrators MUST ensure:

- Atomic application (all-or-nothing or explicit partial)
- Rollback capability
- Audit trail integrity
## Agent Isolation

When running untrusted agents:

| Protection | Description |
|---|---|
| Scope limiting | Grant minimal scope |
| Lane restriction | Grant minimal lanes |
| Operation filtering | Allow only needed op types |
| Output validation | Validate all ops before apply |
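Scope enforcement, transaction integrity and the agent-isolation table above all land in the same place: the orchestrator's transaction path. The following is an added example of that path, written for this page rather than taken from the MRS project. The grant model (`Grant` with measures, lanes and allowed op types), the two op kinds, the in-memory state layout and the hash-chained audit list are assumptions of the example; the page does not prescribe them.

```python
import hashlib
import json
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    """What one agent has been granted (assumed model for this example)."""
    agent: str
    measures: frozenset          # measure numbers in scope
    lanes: frozenset             # lane names the agent may touch
    op_types: frozenset          # allowed operation kinds (operation filtering)


@dataclass(frozen=True)
class Op:
    kind: str
    measure: int
    lane: str
    payload: dict = field(default_factory=dict)


class ScopeViolation(PermissionError):
    """Op falls outside the agent's grant; nothing is applied."""


class ApplyError(ValueError):
    """Op passed authorization but cannot be applied; the transaction rolls back."""


class Orchestrator:
    def __init__(self, state: dict):
        self.state = state               # {measure: {lane: [events]}}
        self.audit: list = []            # hash-chained, append-only

    def _record(self, entry: dict) -> None:
        """Chain each audit entry to the previous one so edits are detectable."""
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        body = json.dumps(entry, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.audit.append({**entry, "prev": prev, "digest": digest})

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited, reordered or dropped entry breaks it."""
        prev = "0" * 64
        for rec in self.audit:
            entry = {k: v for k, v in rec.items() if k not in ("prev", "digest")}
            expected = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
            if rec["prev"] != prev or rec["digest"] != expected:
                return False
            prev = rec["digest"]
        return True

    def _authorize(self, grant: Grant, op: Op) -> None:
        if op.kind not in grant.op_types:
            raise ScopeViolation(f"{grant.agent}: op type {op.kind!r} not granted")
        if op.measure not in grant.measures:
            raise ScopeViolation(f"{grant.agent}: measure {op.measure} out of scope")
        if op.lane not in grant.lanes:
            raise ScopeViolation(f"{grant.agent}: lane {op.lane!r} not granted")

    def _apply_one(self, op: Op) -> None:
        lane = self.state.setdefault(op.measure, {}).setdefault(op.lane, [])
        if op.kind == "append_event":
            pitch = op.payload.get("pitch")
            if not isinstance(pitch, int) or not 0 <= pitch <= 127:
                raise ApplyError(f"invalid pitch {pitch!r}")
            lane.append(dict(op.payload))
        elif op.kind == "clear_lane":
            lane.clear()
        else:
            raise ApplyError(f"unknown op kind {op.kind!r}")

    def apply_transaction(self, tx_id: str, grant: Grant, ops: list) -> None:
        """All-or-nothing: authorize every op first, snapshot, apply, and
        restore the snapshot if any op fails. Every outcome is audited."""
        try:
            for op in ops:
                self._authorize(grant, op)
        except ScopeViolation as exc:
            self._record({"tx": tx_id, "agent": grant.agent, "result": "rejected", "reason": str(exc)})
            raise
        snapshot = deepcopy(self.state)
        try:
            for op in ops:
                self._apply_one(op)
        except ApplyError as exc:
            self.state = snapshot        # rollback: no partial write survives
            self._record({"tx": tx_id, "agent": grant.agent, "result": "rolled_back", "reason": str(exc)})
            raise
        self._record({"tx": tx_id, "agent": grant.agent, "result": "applied", "ops": len(ops)})


# Constructed sample: an agent allowed only to append events to measure 1's melody lane.
MELODY_GRANT = Grant("harmony-agent", frozenset({1}), frozenset({"melody"}), frozenset({"append_event"}))


def demo() -> Orchestrator:
    orch = Orchestrator({1: {"melody": []}, 2: {"melody": []}})
    orch.apply_transaction("tx-1", MELODY_GRANT, [Op("append_event", 1, "melody", {"pitch": 60})])
    attempts = [
        ("tx-2", [Op("append_event", 2, "melody", {"pitch": 62})]),          # measure out of scope
        ("tx-3", [Op("append_event", 1, "melody", {"pitch": 64}),             # valid, then...
                  Op("append_event", 1, "melody", {"pitch": 999})]),          # ...invalid: rolls back
    ]
    for tx, ops in attempts:
        try:
            orch.apply_transaction(tx, MELODY_GRANT, ops)
        except (ScopeViolation, ApplyError):
            pass
    return orch


if __name__ == "__main__":
    o = demo()
    print(o.state, [r["result"] for r in o.audit], o.verify_audit())
```

Two details carry the security properties. Authorization runs over the whole batch before any op is applied, which is the "validate all ops before apply" row of the table; and application works against a snapshot so a failure on the second op of `tx-3` leaves measure 1 exactly as `tx-1` left it. Rejections are audited as well as successes, since an out-of-scope attempt is itself a security-relevant event.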
## Best Practices

### For Orchestrator Implementers

- Validate all input before processing
- Enforce resource limits
- Log security-relevant events
- Support authentication/authorization
- Enable audit trail
### For Agent Implementers

- Respect granted permissions
- Don’t attempt out-of-scope access
- Handle rejection gracefully
- Don’t store sensitive data unnecessarily