Marcus Security Systems#
Overview#
The Marcus Security Systems provide basic authentication and role-based access control (RBAC) for controlling access to Marcus MCP tools based on client type.
What the System Does#
The Security Systems provide:
Client Authentication: Clients identify themselves and establish their access level
Role-Based Access Control: Different client types (observer, developer, agent, admin) have access to different tool sets
Audit Logging: Registration and authentication events are logged for audit purposes
Session Management: Track registered clients and their access permissions
System Architecture#
Marcus Security Architecture
βββ Authentication Layer
β βββ Client Registration
β βββ Session Tracking
βββ Authorization Layer
βββ Role-Based Tool Access
βββ Permission Enforcement
Client Types and Tool Access#
Observer#
Read-only access for monitoring, analytics, and project management:
Project visibility (status, listing)
Agent monitoring
Board health checks
Analytics and metrics
Prediction tools
Pipeline monitoring (if enabled)
Developer#
Project creation and management capabilities:
All observer permissions
Project creation (NLP-based)
Feature addition
Project switching and updates
Task context viewing
Agent#
AI agent workflow tools:
Agent registration
Task assignment requests
Progress reporting
Blocker reporting
Decision and artifact logging
Experiment tracking
Admin#
Full access to all Marcus tools.
Technical Implementation#
Core Module#
Location: src/marcus_mcp/tools/auth.py
Key Functions:
authenticate(): Register client and establish role-based accessget_client_tools(): Get tools available to a specific clientget_tool_definitions_for_client(): Filter tool definitions by client access
Authentication Flow#
# 1. Client authenticates
result = await authenticate(
client_id="cato-001",
client_type="observer",
role="analytics",
metadata={"version": "2.0"}
)
# 2. Marcus assigns tool access based on client_type
# 3. Client receives list of available tools
# 4. Future tool calls are filtered by permission
Role Configuration#
Tool access is defined in ROLE_TOOLS dictionary mapping client types to allowed tools. Default tools (ping, authenticate) are available before registration.
Integration with Marcus Ecosystem#
MCP Server Integration#
The authentication system integrates with the MCP serverβs tool listing mechanism to filter tools shown to each client based on their permissions.
Audit Integration#
All authentication events are logged via the audit logger for compliance and debugging.
What This System Doesnβt Do#
The following security features are not currently implemented:
Code security scanning
Vulnerability detection
Workspace isolation/sandboxing
Threat detection and response
Encrypted communication channels
Multi-factor authentication
JWT token services
Dependency checking
Static code analysis
These may be added in future releases as security requirements evolve.
Implementation Status#
Implemented (~30%):
Basic client authentication
Role-based access control
Audit logging of auth events
Session tracking
Not Implemented (~70%):
Advanced security features listed above
Code scanning and vulnerability detection
Encryption and secure communication
Threat detection
Usage Example#
# Authenticate Cato as observer
result = await authenticate(
client_id="cato-prod",
client_type="observer",
role="analytics",
metadata={"environment": "production"}
)
# Result includes available tools
print(result["available_tools"]) # List of allowed tools
# Authenticate an AI agent
result = await authenticate(
client_id="agent-backend-01",
client_type="agent",
role="backend_developer",
metadata={"capabilities": ["python", "api"]}
)
Future Evolution#
Potential enhancements as requirements emerge:
Enhanced authentication mechanisms (API keys, tokens)
Fine-grained permissions beyond role-based access
Tool-level access control (e.g., read-only vs. read-write)
Security scanning for generated code
Workspace isolation for agent operations