lintai docs

Appearance

Rule Reference

SEC322lintai-ai-securitycompatqualitystableserver_jsonwarn

server.json remotes: undefined header variable

server.json remotes header value references an undefined template variable

Public lane
compat
Category
quality
Provider
lintai-ai-security
Scope
per-file
Surface
server_json
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Config, schema, and policy contract review.

How to read this category

Contract, schema, or config correctness signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

compatsidecar lane
mcpsurface preset

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks auth-like remotes[].headers[].value placeholders against variables defined on the same header object so registry consumers do not ship broken header templates.

Deterministic signal basis

ServerJsonSignals placeholder extraction over remotes[].headers[].value compared with headers[].variables keys.

Malicious corpus
server-json-unresolved-header-variable
Benign corpus
server-json-header-variable-defined
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC320server.json remotes: undefined template variableserver.json remotes URL references an undefined template variablecompatqualityserver_json
SEC323server.json auth: missing explicit secret flagserver.json auth header carries material without an explicit secret flagcompatqualityserver_json
SEC319server.json remotes: insecure or private URLserver.json remotes entry uses an insecure or non-public remote URLsupply-chainhardeningserver_json
SEC321server.json remotes: literal auth headerserver.json remotes header commits literal authentication materialthreat-reviewsecurityserver_json

Why It Matters

An undefined auth-header placeholder in server.json means the registry document is incomplete: consumers cannot reliably resolve the intended secret input for the remote.

What Triggers

SEC322 applies to server.json auth-like header values and triggers when a placeholder in headers[].value is not defined under the same header object's variables map.

Example that triggers:

json
{
  "headers": [
    {
      "name": "Authorization",
      "value": "Bearer {TOKEN}"
    }
  ]
}

Example that stays clean:

json
{
  "headers": [
    {
      "name": "Authorization",
      "value": "Bearer {TOKEN}",
      "variables": {
        "TOKEN": { "description": "API token", "isSecret": true }
      }
    }
  ]
}

False Positives

This is a deterministic structural check over parsed placeholders and local variable definitions. It does not depend on prose interpretation or remote reachability.

Remediation

Define every auth-header placeholder under the same headers[].variables object or remove the unresolved placeholder from the header value.