Description
This is a tracking issue for implementation of SEP-1024.
Summary
This SEP addresses critical security vulnerabilities in MCP client implementations that support installation and execution of local MCP servers. It requires explicit user consent before executing any local server installation or launch commands, and complete command transparency to prevent arbitrary code execution, data exfiltration, and system compromise through malicious server configurations.
The Kotlin SDK is a low-level library that does not provide UI components or built-in server installation flows. However, client applications built with the SDK (such as the sample in samples/kotlin-mcp-client/) directly execute server processes using ProcessBuilder without any consent mechanisms or command visibility. This implementation will focus on providing security guidance, best practices documentation, and optional helper utilities to assist SDK users in building secure client applications that comply with SEP-1024 requirements. Applications using the SDK to launch local servers will need to implement consent dialogs, command display, and explicit user approval before process execution.
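One way an application could gate a `ProcessBuilder` launch behind explicit approval while showing the complete command. This is an added example, not code from the Kotlin SDK or its samples. `LaunchRequest`, `LaunchDeniedException`, `visible`, `describe` and `launchWithConsent` are hypothetical names, and the sample server command is constructed.

```kotlin
// Added example: hypothetical consent gate, not part of the MCP Kotlin SDK.
import java.io.File
import java.io.IOException

data class LaunchRequest(
    val command: List<String>,                      // exact argv, no shell involved
    val workingDir: File? = null,
    val extraEnv: Map<String, String> = emptyMap(),
)

class LaunchDeniedException(message: String) : SecurityException(message)

/** Escapes control, non-ASCII, quote and backslash characters so nothing hides in the prompt. */
fun visible(s: String): String = buildString {
    for (ch in s) {
        if (ch.code in 0x20..0x7E && ch != '\\' && ch != '"') append(ch)
        else append("\\u%04x".format(ch.code))
    }
}

/** Full, untruncated description of what would run (env variable names only, by assumption). */
fun describe(req: LaunchRequest): String = buildString {
    appendLine("Command (one argument per line):")
    req.command.forEachIndexed { i, arg -> appendLine("  [$i] \"${visible(arg)}\"") }
    appendLine("Working directory: ${req.workingDir?.absolutePath ?: "(inherited)"}")
    val names = req.extraEnv.keys.sorted().joinToString { visible(it) }
    appendLine("Extra environment variables: ${names.ifEmpty { "(none)" }}")
}

/** Starts the process only after `approve` returns true for the displayed text. */
fun launchWithConsent(req: LaunchRequest, approve: (String) -> Boolean): Process {
    require(req.command.isNotEmpty()) { "empty command" }
    if (!approve(describe(req))) throw LaunchDeniedException("user declined the launch")
    val builder = ProcessBuilder(req.command)       // the same list that was displayed
    req.workingDir?.let { builder.directory(it) }
    builder.environment().putAll(req.extraEnv)
    return builder.start()
}

fun main() {
    // Constructed sample: a server entry as it might appear in a client config.
    val req = LaunchRequest(listOf("npx", "-y", "example-mcp-server", "--root", "/tmp/demo"))
    val consoleApprove = { text: String ->
        print(text + "Run this local MCP server? [y/N] ")
        readLine()?.trim()?.lowercase() == "y"      // anything but "y" denies
    }
    try { launchWithConsent(req, consoleApprove) } catch (e: LaunchDeniedException) {
        println("Not started: ${e.message}")
    } catch (e: IOException) { println("Launch failed: ${e.message}") }
}
```

A GUI client would pass a dialog-backed `approve` callback instead of the console prompt; the gate itself stays the same.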