Skip to content

fix: tighten MCP and resume privacy boundaries#85

Open
ManintheCrowds wants to merge 1 commit into
Gsync:devfrom
ManintheCrowds:career-bridge-privacy-seams
Open

fix: tighten MCP and resume privacy boundaries#85
ManintheCrowds wants to merge 1 commit into
Gsync:devfrom
ManintheCrowds:career-bridge-privacy-seams

Conversation

@ManintheCrowds

Copy link
Copy Markdown

Summary

  • resolve resume downloads by an owned resume ID and constrain file paths to the uploads root
  • stop add_job from returning default resume content; keep autoMatch fail-closed
  • split job creation, match persistence, and resume access scopes; exclude resume scopes from default tokens
  • add structured MCP results for job creation and match persistence

Closes #68.

Test plan

  • npm run lint
  • npm test (97 files, 1,248 tests)
  • npm run build
  • targeted MCP auth/rate-limit/privacy tests
  • loopback synthetic MCP pilot: job create, match persist, cross-user denial, token expiry, no resume rows, canary-clean rollback

Prevent implicit resume disclosure, require granular MCP scopes, and resolve downloads through owned resume records so external career adapters can operate without profile leakage.

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant