chore: import upstream snapshot with attribution

This commit is contained in:
wehub-resource-sync
2026-07-13 13:04:05 +08:00
commit 54d5556870
373 changed files with 47482 additions and 0 deletions
+38
View File
@@ -0,0 +1,38 @@
---
title: Authentication and Access Control
---
This guide covers the authentication mechanisms and access controls available in Context7, including API key handling and enterprise identity features.
## API Key Security
- API keys use cryptographic random generation
- Keys are hashed and encrypted in our database
- Keys can be rotated at any time from your dashboard
- Rate limiting prevents abuse and unauthorized access
## Enterprise SSO
**Single Sign-On (SSO) is available for Enterprise plans.**
### Supported SSO Providers
- SAML 2.0
- OAuth 2.0
- OpenID Connect (OIDC)
### Enterprise Features
- Centralized user management
- Teamspace access controls
- Audit logs for compliance
- Custom authentication policies
### Setup Guides
For step-by-step configuration on self-hosted deployments, see:
- [Microsoft Entra ID (SSO)](/enterprise/security/entra-sso) — wire up Entra ID sign-in for an On-Premise instance
- [Microsoft Entra ID](/enterprise/enterprise-managed-auth/entra) — proxy the Context7 MCP server through Azure APIM with Entra authentication
Contact our sales team at [context7.com/contact](https://context7.com/contact) for Enterprise plan details.
+31
View File
@@ -0,0 +1,31 @@
---
title: Best Practices for Users
sidebarTitle: Best Practices
description: Recommendations for using Context7 securely across credentials, repository access, and network usage
---
These recommendations cover how to use Context7 securely across credentials, repository access, and network usage.
## Secure Your API Keys
- Never commit API keys to version control
- Use environment variables for key storage
- Rotate keys regularly
- Use different keys for different environments
- Revoke unused or compromised keys immediately
## Private Repositories
For private repository access:
- Only grant minimum required permissions
- Use dedicated API keys for private repos
- Regularly audit access permissions
- Consider using GitHub Apps with fine-grained permissions
## Network Security
- Use HTTPS for all API communications (enforced)
- Configure proxy settings securely if behind a firewall
- Monitor API usage for unusual patterns
- Implement request timeouts and retries
@@ -0,0 +1,35 @@
---
title: Compliance and Reporting
description: How Context7 handles security reporting, transparency, and compliance certifications
---
How Context7 handles security reporting, transparency, and compliance.
## Reporting Security Issues
If you discover a security vulnerability:
1. **Do not** publicly disclose the issue
2. Report via [GitHub Security](https://github.com/upstash/context7/security)
3. Include detailed steps to reproduce the issue
4. Allow reasonable time for us to address the issue
We take all security reports seriously and will respond promptly.
## Open Source
The Context7 MCP server is open source:
- Code is publicly available on GitHub
- Community can audit and contribute
- Transparent implementation and practices
Repository: [github.com/upstash/context7](https://github.com/upstash/context7)
## Compliance Certifications
Context7 benefits from Upstash's compliance certifications:
- SOC 2 Type II
- GDPR compliant
- ISO 27001 (in progress)
+148
View File
@@ -0,0 +1,148 @@
---
title: Data Privacy
description: How Context7 handles query storage, retrieval scope, and your data
---
How Context7 handles privacy, retrieval scope, and data.
## Query Privacy
**Your original prompts and code stay with your AI assistant.**
When you use Context7 through an MCP client, the AI assistant (not the user directly) formulates search queries to retrieve relevant documentation. Here is what happens:
1. Your prompt is processed locally by your AI assistant (e.g., Cursor, Claude Code)
2. The AI assistant formulates a search query and library name based on your request
3. Only these formulated queries are sent to the Context7 API — your full prompt, source code, and conversation history are never transmitted
4. The MCP tool descriptions explicitly instruct the AI assistant to strip sensitive information (API keys, passwords, credentials, personal data, and proprietary code) from queries before sending
### What is sent to the Context7 API
- `query` — a search query formulated by the MCP client (not your original prompt)
- `libraryName` or `libraryId` — the library to look up
- API key (if provided, for authentication)
- MCP client name and version (e.g., IDE info, for analytics)
- Transport type (`stdio` or `http`)
- Client IP address, encrypted with AES-256-CBC (HTTP transport only, for rate limiting)
<Note>
The MCP client formulates search queries on your behalf and is instructed not to include
sensitive or confidential information. Your full prompts, code, and conversation context
remain with your AI assistant and are never sent to Context7.
</Note>
### Use of MCP Queries
The search queries formulated by the MCP client (not your original prompts) are used server-side in two ways:
**Documentation Reranking**
MCP-formulated queries are passed to LLMs to rerank and select the most relevant documentation for your request. Context7 uses well-known, trusted LLM providers for this purpose — including **OpenAI**, **Google Gemini**, and **Anthropic**.
**Benchmarking and Quality Improvement**
MCP-formulated queries are anonymously stored and used to benchmark retrieval accuracy and improve the documentation matching pipeline over time.
### Enterprise Controls
- On-premise Enterprise plans can use their own LLM provider for code extraction and private library ranking
- On-premise Enterprise plans can disable public documentation usage, limiting context retrieval to privately indexed documentation only
- Enterprise plans can disable query storage for benchmarking — however, this may affect the quality of context retrieval over time
Contact our sales team at [context7.com/contact](https://context7.com/contact) for Enterprise and on-premise plan details.
## Customizing What Is Shared
The Context7 MCP server is [open source](https://github.com/upstash/context7). If you want full control over what is sent as the `query` parameter, you can:
1. Fork the [Context7 MCP repository](https://github.com/upstash/context7)
2. Edit the tool input descriptions in [`packages/mcp/src/index.ts`](https://github.com/upstash/context7/blob/master/packages/mcp/src/index.ts) — these descriptions instruct the AI assistant on how to formulate the query
3. Build and run your custom MCP server locally
<Warning>
The `query` parameter is used server-side for LLM-based reranking of documentation results. Modifying, redacting, or omitting the query can significantly reduce the relevance and quality of returned documentation.
</Warning>
## Customizing What Is Retrieved
You can control retrieval scope from the **Policies** tab on your teamspace dashboard.
### Source Type Access
Toggle which types of documentation sources are accessible to your teamspace:
- **Public Repositories** — open-source repositories from GitHub, GitLab, and Bitbucket
- **Websites** — documentation crawled from websites
- **llms.txt** — documentation from llms.txt files
- **Confluence** — Atlassian Confluence workspace pages and documentation
- **Uploaded Files** — uploaded OpenAPI specifications and PDFs
- **Private Sources** — private sources connected to this teamspace
<Frame>
![Source Type Access card showing toggles for each documentation source type](/images/dashboard/source-type-access.png)
</Frame>
### Library Filters
Restrict which libraries are accessible to your teamspace. You can choose between two modes:
- **Filter by Quality** — set criteria like verification status, minimum trust score, recency, blocked libraries, and more
- **Select Manually** — pick specific libraries or organizations
<Frame>
![Library Filters card showing quality filters and blocked libraries](/images/dashboard/public-repository-filters.png)
</Frame>
## Data Handling
### Data Storage
**Context7 does not store your source files.**
- We only index and store **documentation** and **code examples** from repositories
- Your code, and source files are not stored or shared
- All indexed content is stored in a secure vector database optimized for retrieval
**What we store:**
- Library documentation
- Code examples from documentation
- Metadata about indexed libraries
- Queries formulated by the MCP client
**What we don't store:**
- Your source code
- Your original prompts or conversations
- Your conversations with AI assistants
### Privacy by Design
- **Data Minimization**: We only collect and store what's necessary
- **Purpose Limitation**: Documentation data is used only for documentation retrieval
- **Storage Limitation**: Automated cleanup of outdated data
- **Transparency**: Clear documentation of what we collect and why
### GDPR Compliance
Context7 provides:
- The right to access your data
- The right to delete your data
- Data portability options
- Clear consent mechanisms
- Privacy-first data processing
### Data Residency
All indexed documentation and metadata are stored within Upstash's SOC 2 compliant infrastructure in the United States and the European Union.
Cross-border data transfers comply with the EU General Data Protection Regulation (GDPR) and the EU-U.S. Data Privacy Framework (DPF), and enterprise customers can request region-specific data residency to meet local regulatory requirements.
### Data Retention
- **Library Documentation**: Retained while the library is active and public
- **API Logs**: Retained for 30 days for debugging and analytics
- **User Data**: Retained according to your account status
- **Deleted Data**: Permanently removed within 30 days of deletion request
+19
View File
@@ -0,0 +1,19 @@
---
title: Data Safety
description: How Context7 detects prompt injection and malicious content in indexed documentation
---
## Prompt Injection and Malware Pattern Detection
Context7 indexes documentation from public and private sources. To prevent malicious content from reaching AI assistants, Context7 employs a **layered malicious content detection system**.
<Frame>
![How our detection system works](/images/security/classifier_pipeline.png)
</Frame>
- **Robust Detection** — Content is analyzed using a classifier tailored for Context7 to identify prompt injection attempts and malware-related patterns
- **Targeted Validation** — Suspicious content is subjected to additional checks
- **Continuous Monitoring** — Flagged content is tracked and reviewed on an ongoing basis
- **Regular Updates** — Detection logic is updated to address evolving attack methods and new injection techniques
This ensures that documentation retrieved through Context7 is safe to consume by both human developers and AI coding agents.
+56
View File
@@ -0,0 +1,56 @@
---
title: Infrastructure Security
sidebarTitle: Infrastructure
description: The platform-level protections behind Context7, including hosting, abuse prevention, and secure development
---
The operational and platform-level protections behind Context7, including hosted infrastructure, abuse prevention, and secure development practices.
## Platform Infrastructure
### SOC 2 Compliance
Context7 runs on **SOC 2 compliant infrastructure** provided by Upstash.
- Type II SOC 2 certified infrastructure
- Regular security audits and assessments
- Continuous monitoring and compliance checks
- Industry-standard security controls
### Managed by Upstash
Context7's infrastructure is managed by the experienced Upstash team:
- 24/7 infrastructure monitoring
- Automated security patching
- DDoS protection and mitigation
- Redundant backups and disaster recovery
- Enterprise-grade reliability and uptime
### Upstash Security Practices
All security practices and certificates of Upstash apply to Context7 products:
- **Data Encryption**: Encryption at rest and in transit (TLS 1.2+)
- **Network Security**: VPC isolation, firewall rules, and network segmentation
- **Access Control**: Role-based access control (RBAC) and least privilege principles
- **Audit Logging**: Comprehensive logging of all system activities
- **Incident Response**: Documented incident response procedures
- **Vulnerability Management**: Regular security scanning and penetration testing
## Rate Limiting and Abuse Prevention
- IP-based rate limiting for anonymous requests
- API key-based rate limiting with tiered limits
- Automatic detection and blocking of abusive patterns
- Protection against DDoS and scraping attacks
## Secure Development Practices
- Regular security code reviews
- Automated dependency scanning
- Secure CI/CD pipelines
- Principle of least privilege for all systems
- Security testing in development lifecycle
+59
View File
@@ -0,0 +1,59 @@
---
title: Security
sidebarTitle: Overview
description: An overview of Context7's security practices, data handling, and compliance measures
---
Context7 takes security and privacy seriously. This page outlines our security practices, data handling, and compliance measures.
## Highlights
- Your original prompts stay with your AI assistant; Context7 only receives search queries formulated by the MCP client, which is instructed to strip sensitive data before sending them
- Documentation is indexed inside SOC 2 compliant infrastructure operated by Upstash
- API keys are encrypted, rate limited, and easy to rotate from your dashboard
- Enterprise customers can enable SSO (SAML, OAuth, OIDC) and receive dedicated audit trails
- The [Context7 Addendum](https://upstash.com/trust/context7addendum.pdf), [Upstash Terms and Privacy Policy](https://upstash.com/docs/common/help/legal) applies to all users; see [trust.upstash.com](https://trust.upstash.com/) for full infrastructure compliance details, certifications
## Security Areas
Explore the main security topics in Context7:
<CardGroup cols={2}>
<Card title="Data Privacy" icon="shield" href="/security/data-privacy">
Learn how Context7 handles privacy, retrieval scope, and data.
</Card>
<Card title="Infrastructure" icon="server" href="/security/infrastructure">
Review platform protections, operational controls, abuse prevention, and secure development practices.
</Card>
<Card title="Authentication and Access Control" icon="key" href="/security/auth-and-access-control">
See how API keys, SSO, and enterprise access controls are handled.
</Card>
<Card title="Data Safety" icon="magnifying-glass" href="/security/data-safety">
Understand how Context7 detects malicious content and prevents it from reaching AI assistants.
</Card>
<Card title="Compliance and Reporting" icon="badge-check" href="/security/compliance-and-reporting">
Find reporting guidance, transparency commitments, and compliance details.
</Card>
<Card title="Best Practices" icon="book-open" href="/security/best-practices">
Follow practical recommendations for using Context7 securely.
</Card>
</CardGroup>
Context7 also uses verification badges to help signal trusted libraries. For full verification details, see [Library Verification](/howto/verification).
For more details on how Context7 handles quality and safety, see the [Quality and Safety in Context7](https://upstash.com/blog/context7-quality-and-safety) blog post.
## Questions and Support
For security-related questions:
- Contact us through [GitHub Issues](https://github.com/upstash/context7/issues)
- Join our [Discord Community](https://upstash.com/discord)
- Enterprise customers: Contact your dedicated support team
For privacy policy details, visit: [context7.com/privacy](https://context7.com/privacy)
---
**Last Updated**: March 2026
We continuously improve our security practices. Check this page regularly for updates.