Rule Reference
This page is generated from `nw rules list --json`.
| Rule | Severity | Docs | Fix | Summary |
|---|---|---|---|---|
| mcp_secret_env | critical | docs | externalize-secret | MCP server stores a sensitive environment variable inline |
| mcp_secret_header | critical | docs | externalize-secret | MCP server stores a sensitive header inline |
| mcp_unpinned_package | high | docs | pin-package | MCP server runs a package executor without an obvious pin |
| mcp_shell_wrapper | high | docs | replace-shell-wrapper | MCP server runs through a shell wrapper |
| mcp_local_endpoint | medium | docs | manual-review | MCP server references a machine-local endpoint |
| mcp_broad_filesystem | medium | docs | narrow-filesystem | MCP server can access a broad filesystem path |
| mcp_local_token_path | high | docs | manual-review | MCP server references a local credential path |
| mcp_server_review | info | docs | manual-review | MCP server should be reviewed |
| mcp_unknown_command | info | docs | manual-review | MCP server has an unsupported command shape |
| config_parse_failed | medium | docs | manual-review | Nightward could not parse a config file |
| config_symlink | info | docs | manual-review | Config file is a symbolic link |