▸ Verification evidence · Public-facing

NSA CSI MCP — Control → Test Matrix

The NSA CSI MCP compliance mapping claims structural coverage of every NSA-enumerated concern and recommendation (U/OO/6030316-26, May 2026) and anchors each claim to a substrate feature. This page answers the follow-up question a reviewer should ask: what automated check actually exercises each control? Every cell below names the exact test (file::test_name), the CI workflow job, and/or the do-1461 live-fleet harness check id. Where no automated check exists, the cell says so — honestly.

  • 19 controls (10 concerns + 7 recommendations + 2 meta)
  • 18 / 19 cite at least one named automated check
  • 9 controls carry do-1461 live-fleet PASS rows
  • 7 mitigations config-asserted — no harness PASS row
▸ How to read this matrix

Three evidence classes, one honesty bar.

Each control row carries up to three independent evidence columns. A control is only as verified as the strongest check you can run yourself.

Evidence sources

  • Unit / integration tests — named tests in tests/ or in-module #[cfg(test)] blocks, run by AI_MEMORY_NO_CONFIG=1 cargo test. Cited as file::test_name; reproduce any single row with cargo test <test_name>.
  • CI gate — the GitHub Actions workflow · job that runs the check on every PR / push. Job names are read directly from .github/workflows/*.yml: CI · check (full test suite + the Security audit cargo audit step), Fuzz Testing · fuzz, token-budget · budget, Bench · bench, Batman Mode acceptance gate · rust-integration / bash-integration / surface-stability.
  • do-1461 live-fleet harness — black-box probes against the live 15-node, 3-region reference fleet over the real TLS+mTLS path. Check ids come from deploy/do-1461/test/run.sh (groups regression / crypto / federation / zerotouch / a2a / ai_nhi / nsa_gaps / curator), deploy/do-1461/validate/run.sh, and deploy/do-1461/test/encrypted_legs.sh. Cited rows reference the run artifacts test-20260609T161203Z.tsv (150/150 PASS), verify-20260609T133956Z.tsv (119/119 PASS), and encrypted-legs-20260608T205716Z.tsv under .local-runs/do-1461/reports/. See the reference architecture page for the fleet itself.
Honesty bar.

No coverage is claimed that cannot be cited by name. Some mitigations are deployed on the reference fleet purely by configuration (named constants and env battery in deploy/do-1461/provision/lib.sh + provision/46_batman.sh) but have no live-fleet harness PASS row exercising them end-to-end. Those cells say config-asserted — the control is wired and unit-tested, but the fleet harness does not (yet) prove it over the wire. The seven such mitigations are listed in full below the matrix.

  • 19: NSA controls in scope (concerns a–j, recommendations a–g, 2 meta)
  • 18: Controls with ≥1 named automated check (test, CI job, or harness row)
  • 9: Controls with do-1461 live-fleet PASS rows
  • 7: Mitigations config-asserted — no harness PASS row (stated per cell)
▸ Concerns a–j

NSA concerns → automated checks.

NSA concern | Unit / integration tests (file::test_name) | CI gate (workflow · job) | do-1461 live-fleet harness check
a · Access control
  • tests/export_memories_admin_gate_957.rs::non_admin_caller_gets_403_957
  • tests/export_memories_admin_gate_957.rs::admin_caller_gets_full_corpus_957
  • tests/export_memories_admin_gate_957.rs::missing_agent_id_header_gets_403_957
CI gate: CI · check
Live-fleet harness: harness PASS
  • crypto::admin_gated (403 as non-admin)
  • regression::private_isolation (non-owner cannot read private row)
  • regression::ns_cross_isolation
  • test-20260609T161203Z.tsv
b · Insecure context or data serialization
  • tests/capabilities_v3.rs::cap_v3_response_carries_schema_version_and_summary
  • tests/capabilities_v3.rs::cap_v3_legacy_entry_point_refuses_v3
  • fuzz targets fuzz/fuzz_targets/fuzz_validate.rs, fuzz_namespace.rs
CI gate: Fuzz Testing · fuzz; CI · check
Live-fleet harness: harness PASS
  • nsa_gaps::provenance_envelope[peer] ×9 peers — typed provenance envelope (citations / ConfidenceTier / MemoryKind) returned over the live wire
  • test-20260609T161203Z.tsv
c · Poor approval workflows
  • tests/k10_approval_security.rs::hmac_replay_rejected
  • tests/k10_approval_security.rs::hmac_in_window_replay_rejected
  • tests/k10_approval_security.rs::hmac_cross_method_binding_rejected
  • tests/k10_approval_security.rs::hmac_cross_pending_id_binding_rejected
  • tests/k7_hmac.rs::k7_hmac_unset_refuses_dispatch_when_no_per_sub_secret
CI gate: CI · check
Live-fleet harness: config-asserted
Pending-actions HMAC-mandatory dispatch — config-asserted (provision/lib.sh) — no harness PASS row.
d · Token or session security
  • src/tls.rs::tests::test_load_mtls_rustls_config_happy_path
  • src/tls.rs::tests::test_allowlist_empty_file_errors
  • tests/federation_nonce_replay_922.rs::replay_922_repeated_nonce_returns_401_with_replay_tag
  • tests/federation_nonce_replay_922.rs::replay_922_fresh_nonce_after_replay_is_accepted
CI gate: CI · check
Live-fleet harness: harness PASS
  • crypto::no_client_cert / crypto::rogue_client_cert / crypto::wrong_server_ca (handshake refused, 000)
  • crypto::apikey_required (401) / crypto::apikey_accepted (200)
  • nsa_gaps::sync_push_replay_refused[peer] ×9
  • leg1_api_mtls::* ×5 checks × 9 peers — encrypted-legs-20260608T205716Z.tsv
e · Misconfigurations and poor implementation
  • tests/config_precedence.rs::test_secret_not_in_capabilities
  • src/subscriptions.rs::tests::test_validate_url_dns_fails_closed_on_dns_failure_1053
  • src/subscriptions.rs::tests::test_validate_url_dns_fail_open_env_overrides_1053
CI gate: Batman Mode acceptance gate · rust-integration / bash-integration / surface-stability; CI · check
Live-fleet harness: harness PASS
  • nsa_gaps::unsigned_write_403[peer] ×9 (attestation gate live)
  • zerotouch::unenrolled_status[peer] + zerotouch::unenrolled_reason[peer] ×9 (#1088 fail-closed, peer_not_enrolled)
  • config-asserted fail-closed posture surfaced in the capabilities envelope — config-asserted (provision/lib.sh) — no harness PASS row
f · Inconsistent behaviors
  • tests/http_if_match_concurrency.rs::http_put_with_stale_if_match_returns_409_with_envelope
  • tests/http_if_match_concurrency.rs::http_put_with_matching_if_match_succeeds
  • tests/http_if_match_concurrency.rs::http_put_without_if_match_preserves_legacy_last_write_wins (+2 siblings in the same file)
CI gate: CI · check
Live-fleet harness: config-asserted
409 optimistic-concurrency conflict — config-asserted (provision/lib.sh) — no harness PASS row.
g · Poor or missing audit logs
  • src/cli/verify_signed_events.rs::tests::populated_db_reports_chain_ok
  • src/cli/verify_signed_events.rs::tests::broken_chain_text_format_reports_fail_with_sequence
  • src/cli/verify_signed_events.rs::tests::broken_chain_json_format_carries_chain_break
  • src/signed_events.rs::tests::payload_hash_is_sha256_32_bytes
CI gate: CI · check
Live-fleet harness: harness PASS
  • nsa_gaps::signed_events_chain_ok[peer] ×9 — SQL chain-integrity verdict per peer schema. Honest scope: structural integrity (contiguous sequence, genesis prev_hash, no NULLs), not the byte-exact cross-row hash recompute; the first-party postgres verifier is tracked as #1541.
  • test-20260609T161203Z.tsv
h · Denial of service and fatigue-based techniques
  • tests/token_budget_guard.rs::issue_829_trimmed_full_profile_total_under_ceiling
  • tests/k8_daily_reset.rs::k8_daily_reset_zeros_stale_rows_only
  • tests/per_namespace_quota.rs::per_namespace_memories_isolation (+7 siblings)
  • tests/federation_dlq_replay.rs::replay_drains_dlq_when_peer_recovers
  • tests/federation_dlq_replay.rs::dlq_dedupes_repeated_failures_via_unique_index
  • src/subscriptions.rs::tests::test_validate_url_dns_rejects_aws_metadata, ::test_validate_url_dns_rejects_rfc1918_private_ranges (SSRF guard)
  • 2 MB body cap: code anchor src/lib.rs DefaultBodyLimit::max(HTTP_BODY_LIMIT_BYTES) — no dedicated named test found; not claimed as test-covered.
CI gate: token-budget · budget; CI · check
Live-fleet harness: config-asserted
K8 quota surface / 2 MB body cap / bounded federation DLQ — config-asserted (provision/lib.sh) — no harness PASS row.
i · Tool parameter injection (real-world)
  • src/validate.rs::tests::test_namespace_rejects_dot_segments_redteam_240
  • src/validate.rs::tests::test_validate_id_rejects_path_traversal_1051
  • src/validate.rs::tests::test_agent_id_rejects_path_traversal_1251
  • src/validate.rs::tests::prop_validate_title_rejects_empty_strings_only_when_actually_empty (property test)
  • fuzz targets fuzz_validate.rs / fuzz_namespace.rs
CI gate: Fuzz Testing · fuzz; CI · check
Live-fleet harness: config-asserted
Malformed-payload RequestValidator rejection — config-asserted (provision/lib.sh) — no harness PASS row.
j · Tool invocation path confusion (real-world)
  • tests/mcp_initialize_server_signing.rs::signed_identity_block_signature_verifies_round_trip
  • tests/mcp_initialize_server_signing.rs::tampered_daemon_id_field_breaks_signature_verification
  • tests/mcp_initialize_server_signing.rs::bit_flipped_signature_breaks_verification
  • tests/mcp_initialize_server_signing.rs::client_tofu_pin_detects_keypair_rotation
  • tests/mcp_initialize_server_signing.rs::legacy_no_keypair_handshake_shape_is_unchanged (27 integration tests in that file + 20 module tests in src/mcp/server_identity.rs)
  • tests/harness_integration.rs::d4_claude_code_initialize_round_trip (+3 host siblings)
CI gate: CI · check
Live-fleet harness: config-asserted
MCP TOFU Ed25519-signed serverInfo at initialize — config-asserted (provision/lib.sh) — no harness PASS row (the fleet harness probes the HTTP surface; MCP stdio initialize is not exercised by run.sh).
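
The scope note on concern (g) separates a structural verdict (contiguous sequence, genesis prev_hash, no NULLs) from a byte-exact cross-row hash recompute. The following Python sketch is an added example, not the project's verifier; the row layout, the zero-byte genesis value and the link rule are assumptions. It shows a row rewritten in place passing the structural check and failing the recompute:

```python
import hashlib
from collections import namedtuple

# Hypothetical row layout for this sketch, not the project's schema.
Event = namedtuple("Event", "sequence prev_hash payload_hash payload")
GENESIS_PREV = bytes(32)  # assumption: genesis prev_hash is 32 zero bytes

def link(prev_hash, payload_hash):
    # Assumed link rule: the next row's prev_hash commits to both hashes of this row.
    return hashlib.sha256(prev_hash + payload_hash).digest()

def build_chain(payloads):
    rows, prev = [], GENESIS_PREV
    for seq, payload in enumerate(payloads, start=1):
        digest = hashlib.sha256(payload).digest()
        rows.append(Event(seq, prev, digest, payload))
        prev = link(prev, digest)
    return rows

def structural_check(rows):
    """Contiguous sequence, genesis prev_hash, no NULLs. Hashes nothing."""
    for i, row in enumerate(rows):
        if None in (row.sequence, row.prev_hash, row.payload_hash):
            return f"NULL column at row index {i}"
        if row.sequence != rows[0].sequence + i:
            return f"sequence gap at {row.sequence}"
    if rows and rows[0].prev_hash != GENESIS_PREV:
        return "genesis prev_hash mismatch"
    return None

def recompute_check(rows):
    """Byte-exact pass: rehash every payload and re-derive every link."""
    prev = GENESIS_PREV
    for row in rows:
        if hashlib.sha256(row.payload).digest() != row.payload_hash:
            return f"payload_hash mismatch at sequence {row.sequence}"
        if row.prev_hash != prev:
            return f"prev_hash link broken at sequence {row.sequence}"
        prev = link(row.prev_hash, row.payload_hash)
    return None

def verdicts():
    chain = build_chain([b"store", b"update", b"delete"])  # constructed sample events
    forged = b"update (rewritten in place)"
    edited = list(chain)
    edited[1] = chain[1]._replace(payload=forged, payload_hash=hashlib.sha256(forged).digest())
    cases = {"intact": chain, "row_rewritten": edited, "row_removed": [chain[0], chain[2]]}
    return {name: (structural_check(rows), recompute_check(rows)) for name, rows in cases.items()}
```

verdicts() maps each constructed case to its (structural, recompute) result; a removed row is caught by both passes, while the rewritten row is caught only by the recompute.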
▸ Recommendations a–g + 2 meta

NSA recommendations → automated checks.

NSA recommendation | Unit / integration tests (file::test_name) | CI gate (workflow · job) | do-1461 live-fleet harness check
a · Choose supported MCP projects when possible
Unit / integration tests: Process control (maintenance + advisory channel), not a test target. Dependency hygiene is mechanically gated: the Security audit step runs cargo audit against the RustSec advisory DB.
CI gate: CI · check (Security audit step)
Live-fleet harness: not harness-applicable
Release/registry process — no fleet probe.
b · Design for boundaries
  • tests/per_namespace_quota.rs::per_namespace_memories_isolation
  • tests/per_namespace_quota.rs::per_namespace_storage_bytes_isolation
  • tests/per_namespace_quota.rs::per_namespace_links_isolation
CI gate: CI · check
Live-fleet harness: harness PASS
  • regression::ns_cross_isolation / regression::private_isolation
  • zerotouch::cred_ca_chain[peer] ×9 (trust-domain-scoped CA chain)
  • zerotouch::unenrolled_status[peer] ×9
  • test-20260609T161203Z.tsv
c · Validate parameters
Unit / integration tests: Same named tests as concern (i): src/validate.rs::tests::test_validate_id_rejects_path_traversal_1051, ::test_namespace_rejects_dot_segments_redteam_240, ::test_agent_id_rejects_path_traversal_1251; plus tests/per_namespace_quota.rs::global_sentinel_is_backwards_compat_landing_zone (schema-v50 quota dimension, #1156).
CI gate: Fuzz Testing · fuzz; CI · check
Live-fleet harness: config-asserted
Malformed-payload RequestValidator rejection — config-asserted (provision/lib.sh) — no harness PASS row.
d · Constrain and sandbox tool execution
  • tests/hooks_timeout_budget.rs::chain_fire_fail_closed_yields_deny_503_on_timeout
  • tests/hooks_timeout_budget.rs::chain_fire_spawn_error_fail_closed_yields_deny_503
CI gate: CI · check
Live-fleet harness: no harness row
The Track G hook pipeline is default-off and is not enabled on the do-1461 fleet — no harness PASS row; not claimed.
e · Sign and verify MCP messages
  • tests/capture_turn_security_integrity.rs::rejects_signature_without_pubkey
  • tests/federation_nonce_replay_922.rs::replay_922_repeated_nonce_returns_401_with_replay_tag
  • tests/mcp_initialize_server_signing.rs::signed_identity_block_signature_verifies_round_trip (see concern j for the full battery)
CI gate: CI · check
Live-fleet harness: harness PASS
  • nsa_gaps::unsigned_write_403[peer] + nsa_gaps::unsigned_write_reason[peer] ×9 (403 ATTESTATION_FAILED)
  • nsa_gaps::sync_push_missing_sig_401[peer] ×9
  • nsa_gaps::sync_push_replay_refused[peer] ×9 (sig+nonce gate)
  • test-20260609T161203Z.tsv
f · Filter and monitor output pipelines and chained execution
  • tests/accept_provenance_http.rs::verbose_header_resolves_to_verbose
  • tests/accept_provenance_http.rs::absent_header_resolves_to_minimal
  • tests/accept_provenance_http.rs::minimal_is_not_verbose
CI gate: CI · check
Live-fleet harness: harness PASS
  • nsa_gaps::provenance_envelope[peer] ×9 — Accept-Provenance: verbose recall returns citations / ConfidenceTier / MemoryKind over the live wire
  • test-20260609T161203Z.tsv
g · Instrument for logging and detection
  • tests/serve_integration.rs::serve_metrics_endpoint_at_root_path
  • tests/serve_integration.rs::serve_metrics_endpoint_at_v1_path
  • tests/l07_3_chunk_d_http_surface.rs::http_metrics_returns_prom_text
CI gate: CI · check
Live-fleet harness: harness PASS
  • nsa_gaps::signed_events_chain_ok[peer] ×9 (audit chain live).
  • config-asserted: /metrics reachability — config-asserted (provision/lib.sh) — no harness PASS row.
meta · Track and patch MCP-related vulnerabilities
Unit / integration tests: cargo audit against the RustSec advisory database (Security audit step, .github/workflows/ci.yml), Cargo.lock dependency pinning.
CI gate: CI · check (Security audit step)
Live-fleet harness: not harness-applicable
Process control — no fleet probe.
meta · Scan local network for open or vulnerable MCP servers
no automated check
Operator-side network scanning is out of substrate scope (per the honest boundaries). The substrate-side mitigation (first-party verify-* CLI family, not MCP-Inspector) is exercised by the concern-(g) tests above.
Live-fleet harness: not harness-applicable
▸ Honest gap register

The seven config-asserted mitigations.

These mitigations are wired into the reference fleet by configuration (named constants + env battery in deploy/do-1461/provision/lib.sh and provision/46_batman.sh) and are unit-/integration-tested in the repo, but the do-1461 live-fleet harness has no PASS row that exercises them end-to-end over the wire. Listing them here is the point: a reviewer should not have to discover an evidence gap by grepping TSVs.

Each carries the named unit/integration tests cited in its matrix row — the gap is specifically the absence of a live-fleet harness probe, not the absence of any automated check.

▸ Reproduce

Re-derive any cell yourself.

Every citation on this page is reproducible from a fresh checkout of release/v0.7.0:

Feature-level mapping (what addresses each control, with capability_id + file anchors) lives on the companion page: NSA CSI MCP Security Compliance. Reproducibility contracts for the fleet, bench, and full-suite baselines live at Reproducible baselines.