docs: add MCP token injection threat model (#816)

Sergio Sisternes · Copilot · Sergio Sisternes · commit 548dced2a8cd · 2026-05-10T11:52:32.000+01:00
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/docs/src/content/docs/enterprise/security.md b/docs/src/content/docs/enterprise/security.md
@@ -301,6 +301,10 @@ When `ADO_APM_PAT` is unset, APM can authenticate to Azure DevOps with a Microso
 
 See [Authentication: AAD bearer tokens](../../getting-started/authentication/#authenticating-with-microsoft-entra-id-aad-bearer-tokens) for the resolution precedence and CI patterns.
 
+### MCP server token injection
+
+When APM configures a GitHub MCP server for a client adapter, it automatically injects a GitHub authentication token into the request headers. To prevent token exfiltration via a poisoned registry entry (a server that uses a recognised GitHub name but points at a non-GitHub URL), APM requires **both** a name-allowlist match **and** a verified GitHub hostname before injecting a token. A name match alone is never sufficient. Recognised hostnames include `github.com`, `*.ghe.com` (GitHub Enterprise), and `*.githubcopilot.com` (Copilot API).
+
 ## Attack surface comparison
 
 | Vector | Traditional package manager | APM |
