Skip to main content

Agentic AI Security

The neonto MCP server confines file access to your open workspace by default and requires an authenticated session before it will respond to any request.

Workspace confinement

File-touching tools resolve every path argument an agent supplies and reject any path that falls outside the currently open workspace folders. This protects against an agent (or content injected into a prompt) trying to read or overwrite files outside your project via .. traversal or an absolute path.

The following tools are subject to this check:

  • shacl_validation
  • sparql_query
  • vocabulary_lookup
  • validate_turtle_syntax
  • validate_yarrrml
  • run_yarrrml
  • yarrrml_inspect_source
  • get_diagnostics

The remaining tools — SPARQL endpoint discovery, vocabulary domain lookup, YARRRML function listing, and the agent guides — never touch the local filesystem.

neonto.mcp.allowExternalPaths

The neonto.mcp.allowExternalPaths setting controls this confinement:

  • Default: false. Paths outside every open workspace folder are rejected with an error. If no workspace folder is open, there is no boundary to confine to, so all file access fails closed.
  • true. Opts out of the check entirely, allowing the listed tools to read and write any path on disk that the extension process can reach.

Only enable neonto.mcp.allowExternalPaths if you genuinely need an agent to work on files outside your workspace, and understand that doing so removes the workspace boundary for every tool in the list above.

Authentication

Every request to the MCP server is authenticated before it is processed. An unauthenticated request — for example, before you have logged in, or if your license has expired — receives an HTTP 401 response and is rejected before its body is even read. This means an agent cannot use the MCP server at all until you have a valid neonto license and are logged in.

Request size limit

The server enforces a maximum request body size (10 MB). Requests larger than this are rejected with an HTTP 413 response, which bounds the memory the server buffers for any single request.

Guidance for running autonomous agents

  • Keep neonto.mcp.allowExternalPaths off unless you have a specific, temporary need for it, and turn it back off afterward.
  • Review what workspace folders are open before granting an autonomous agent broad tool access — confinement is scoped to whichever folders are currently open in VS Code.
  • Treat run_yarrrml and sparql_query's outputFilePath as write operations: an agent can create or overwrite files within the workspace boundary. Use source control so unwanted changes are easy to spot and revert.
  • Prefer endpointId over raw endpoint URLs for authenticated endpoints. Stored credentials are never exposed to the agent; with an endpointId, the extension applies them itself, so the agent can query the endpoint without you handing it anything. With a raw endpointUrl, an authenticated endpoint only works if you paste credentials into the agent's context yourself.