fixing jsonSchema validation by using zod
188
SAFETY_DISCLAIMER.md
Normal file
@@ -0,0 +1,188 @@
# SAFETY DISCLAIMER

## ⚠️ FOR TESTING AND DEMONSTRATION PURPOSES ONLY ⚠️

This Mock GDS MCP Server is designed **EXCLUSIVELY** for:
- ✅ Software testing and quality assurance
- ✅ Developer training and education
- ✅ Sales demonstrations and proof-of-concept
- ✅ Integration testing with MCP clients
- ✅ Automated test suite execution

---

## What This Server Does NOT Do

### ❌ NO Real GDS Connections
- This server does NOT connect to any real Global Distribution Systems
- Does NOT communicate with Amadeus, SABRE, Galileo, or any production GDS
- Does NOT access real flight inventory, hotel availability, or car rental systems
- All data is generated locally from mock data files

### ❌ NO Real Transactions
- Does NOT process real bookings
- Does NOT charge credit cards or payment instruments
- Does NOT create actual travel reservations
- Does NOT send confirmation emails to airlines or travel suppliers
- Does NOT issue real tickets or vouchers

### ❌ NO Real Passenger Data
- Does NOT store or transmit real passenger PII (Personally Identifiable Information)
- Does NOT connect to passenger databases
- Does NOT perform identity verification
- All passenger data is ephemeral and session-scoped

### ❌ NO Production Use
- This server is NOT certified or approved for production use
- Does NOT provide SLA guarantees or uptime commitments
- Does NOT handle real customer transactions
- Does NOT meet regulatory compliance requirements for real bookings

---

## What This Server DOES Do

### ✅ Mock Data Generation
- Generates realistic flight, hotel, and car rental options
- Uses valid IATA airport codes and airline identifiers
- Simulates pricing, availability, and schedule data
- Creates professional-looking mock responses

### ✅ Test-Prefixed Identifiers
- **ALL PNRs (Passenger Name Records) have `TEST-` prefix**
- Format: `TEST-XXXXXX` (e.g., `TEST-A1B2C3`)
- This prefix clearly identifies all bookings as test/mock data
- Production systems should REJECT any PNR starting with `TEST-`

### ✅ Session Isolation
- Each MCP session maintains isolated booking state
- Sessions auto-expire after timeout (default 1 hour)
- Data is stored in Valkey (Redis-compatible) with TTL
- No cross-session data leakage

### ✅ Full MCP Protocol Compliance
- Implements Model Context Protocol specification correctly
- Provides proper tool schemas and validation
- Returns standard error codes and responses
- Works with any MCP-compliant client

---

## Safety Guarantees

### 1. No External API Calls
**Guarantee**: This server makes ZERO external API calls to production systems.

**Verification**:
- Review `src/data/` directory - all data is embedded
- Check network logs - no outbound HTTP/HTTPS connections
- Inspect Docker network configuration - isolated network only

### 2. Test-Only PNR Format
**Guarantee**: All PNR codes follow `TEST-XXXXXX` format.

**Verification**:
- See `src/data/pnr.js` - `generatePNR()` function enforces prefix
- Validation in `src/utils/errors.js` - `validatePNR()` requires `TEST-` prefix
- Production systems should have safeguards to reject `TEST-` prefixed bookings

### 3. Local Data Storage Only
**Guarantee**: All booking data stays within the Valkey container.

**Verification**:
- Check `docker-compose.yaml` - Valkey not exposed publicly
- Review `src/session/storage.js` - only connects to local Valkey
- Data persists only during container lifetime (configurable)

### 4. Non-Root Container Execution
**Guarantee**: Docker container runs as non-root user for security.

**Verification**:
- See `docker/Dockerfile` - creates `gds` user (UID 1001)
- Container runs with `USER gds` directive
- Cannot write to host system outside mounted volumes

---

## Configuration Safety

### Safe Defaults
The server ships with safe default configuration:
```bash
MOCK_DATA_SEED=random # Non-deterministic mock data
LOG_LEVEL=info # Appropriate logging verbosity
MCP_SESSION_TIMEOUT=3600 # 1-hour session expiry
VALKEY_HOST=localhost # Local-only connection
```

### Unsafe Configurations (Don't Do This!)
❌ **DO NOT** set `VALKEY_HOST` to a production database
❌ **DO NOT** modify PNR generation to remove `TEST-` prefix
❌ **DO NOT** connect this server to real GDS credentials
❌ **DO NOT** use this server in customer-facing production systems

---

## Regulatory Compliance

### This Server Is NOT:
- PCI DSS compliant (does not handle real payment data)
- GDPR compliant (not designed for real personal data)
- IATA NDC certified (not a real distribution system)
- SOC 2 audited (no production security controls)

### Use Cases That Require Real GDS:
If you need any of the following, use a **real GDS system**, not this mock server:
- Real flight bookings for customers
- Actual hotel reservations
- Live car rental confirmations
- Ticketing and payment processing
- Customer itinerary management
- Regulatory reporting and auditing

---

## Liability Disclaimer

**NO WARRANTY**: This software is provided "as is" without warranty of any kind.

**NO LIABILITY**: The authors are not liable for:
- Loss of data
- Failed bookings or reservations
- Financial losses
- Service interruptions
- Any damages arising from use or misuse

**USER RESPONSIBILITY**: Users are responsible for:
- Ensuring appropriate use (testing only)
- Not using in production systems
- Complying with applicable laws and regulations
- Properly disclaiming mock data in demonstrations

---

## Acknowledgment

By using this Mock GDS MCP Server, you acknowledge that:

1. ✅ I understand this is a mock/test server only
2. ✅ I will NOT use this in production systems
3. ✅ I will NOT process real customer bookings
4. ✅ I will clearly label all demonstrations as "mock data"
5. ✅ I accept full responsibility for appropriate use

---

## Questions or Concerns?

If you have questions about safe and appropriate use of this mock server:
- Review the documentation in `/specs` directory
- Check the README.md for usage examples
- File an issue on the project repository
- Consult with your legal and compliance teams before use

---

**Last Updated**: 2026-04-07
**Version**: 0.1.0
**Status**: TEST/DEMO USE ONLY
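Review bot: the commit message ("fixing jsonSchema validation by using zod") does not describe this hunk, which only adds SAFETY_DISCLAIMER.md and touches no schema or validation code; either retitle it (for example "docs: add SAFETY_DISCLAIMER.md") or put the zod change in its own commit so the history stays searchable. Inside the document, the "Verification" bullets under Safety Guarantees 1 to 4 point at `src/data/pnr.js`, `src/utils/errors.js`, `src/session/storage.js` and `docker/Dockerfile`, none of which are in this diff, so none of the guarantees can be checked from the change; each would be stronger backed by an automated test (one asserting every `generatePNR()` result starts with `TEST-` and that `validatePNR()` rejects anything else, for instance) than by a "see file X" pointer. Under guarantee 4, "Cannot write to host system outside mounted volumes" is a property of containers in general rather than of the `USER gds` directive; state the non-root benefit as limiting what a compromised process can do inside the container and keep the host-write claim separate. Also, the Safe Defaults block sets `VALKEY_HOST=localhost` while guarantee 3 describes a Compose deployment in which Valkey runs in its own container; say which context that default applies to, since `localhost` inside the app container will not reach a separate Valkey service.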