{
  "slug": "chroma",
  "tool_id": "pip/chroma-mcp",
  "tool_name": "chroma-mcp",
  "source_type": "pip",
  "source_ref": "chroma-mcp",
  "version": "0.2.6",
  "commit": "",
  "dist_shasum": "",
  "version_pin": "Pinned to chroma-mcp@0.2.6, published 2025-08-14. This verdict applies to that exact version; a newer release would require a re-scan.",
  "scanned_at": "2026-06-14T00:00:00Z",
  "method": "Installed and run in an isolated container; fed traceable decoy data; all outbound traffic intercepted (TLS terminated with the scanner's own CA; iptables transparent redirect). A beacon self-test confirmed the capture was live.",
  "capture": "verified",
  "integrity": {
    "result": "honest",
    "note": "Observed behaviour matches its description; no undisclosed recipient."
  },
  "data_flow": {
    "egress_observed": false,
    "notable": false,
    "summary": "No network egress was observed: scanned with --client-type ephemeral (in-memory, local-only). Two facts of note, both verified against the source: (1) the PostHog usage-telemetry that chroma-mcp inherits from the chromadb dependency is a NO-OP as of chromadb 1.5.4 (removed upstream), so it does not phone home; (2) running instead with --client-type cloud would make functional calls to api.trychroma.com (Chroma Cloud, US) - that path was not exercised here.",
    "destinations": [],
    "jurisdiction_context": ""
  },
  "disclosure": {
    "status": "n/a",
    "evidence": {
      "read": [],
      "quote": "",
      "match": "No egress was observed in local (ephemeral) mode. The inherited chromadb PostHog telemetry is a no-op since chromadb 1.5.4; cloud mode would make functional calls to api.trychroma.com. Both facts were established from the source code, not merely from the observed absence of traffic.",
      "residual_gap": ""
    }
  },
  "severity": {
    "grade": "none",
    "axis": "integrity axis (no undeclared exfiltration; no egress at all)."
  },
  "evidence": {
    "capture_self_test": "verified",
    "observed_request": {},
    "reproduce": {
      "scanner": "canary-sandbox (open methodology; Docker backend)",
      "command": "python -m canary.cli scan <target> --backend docker   # target: pip chroma-mcp@0.2.6",
      "note": "Re-run it yourself: a beacon self-test confirms the capture was live, so an empty result is trustworthy, not a blind spot."
    }
  },
  "scope_stamp": {
    "method": "declared-vs-observed",
    "subject_model": "cooperative-tool",
    "statement": "Compares the tool's declared destinations against what was observed in one sandbox run. Checks transparency / integrity for a cooperative tool, NOT resistance to deliberate evasion.",
    "out_of_scope": [
      "exfiltration split/chunked across requests",
      "tool-side encryption of the payload before egress",
      "input/time/state-triggered processing not triggered in the run",
      "--client-type cloud functional egress (api.trychroma.com), not exercised in this local-mode run"
    ],
    "interpretation": "\"honest\"/\"clean\" means \"observed without deviation within our reach\", NOT \"guaranteed no hidden egress\"."
  },
  "status": "provisional",
  "disclaimer": "AUTOMATED — forensic confirmation pending. A preliminary, fact-based result, not a judgment.",
  "content_hash": "sha256:d0a0184353804a26a45592d83824ba40e9330ad99366c6c2c901bc0eaeec60a7",
  "signature": "ed25519:2kcXlApMuN+dQVdBxSSnPYji0p2p3qBBRNvZxrDdXPkuijvUritKw9lB49wRcA6VwTM4DA2v4PxhAMYf4H/0Bg==",
  "signature_alg": "Ed25519 over content_hash",
  "public_key_url": "/pubkey.pem",
  "signed_by": "sha256:49cf8457b42a7048",
  "last_checked": "2026-06-14",
  "pin_status": "current",
  "categories": {
    "domain": "database",
    "data_flow": "no-egress",
    "jurisdiction": [],
    "status": "published",
    "source": "pip"
  },
  "observations": [
    {
      "scanned_at": "2026-06-14T00:00:00Z",
      "version": "0.2.6",
      "commit": "",
      "finding": "no-egress",
      "integrity": 100,
      "evidence_coverage": 100,
      "egress_hosts": [],
      "content_hash": "sha256:d0a0184353804a26a45592d83824ba40e9330ad99366c6c2c901bc0eaeec60a7"
    }
  ],
  "observation_count": 1,
  "first_seen": "2026-06-14T00:00:00Z",
  "claims": [
    {
      "basis": "observed",
      "statement": "No network egress to an external destination was observed during the scan.",
      "support": "Capture self-test: verified — a decoy beacon emitted from the tool's own network context appeared in the intercept, so the absence is a verified negative, not a blind spot.",
      "confidence": "high"
    },
    {
      "basis": "classified",
      "statement": "No telemetry, analytics or error-reporting side-channel was found.",
      "support": "Reviewed against the tool's observed behaviour in the run.",
      "confidence": "medium"
    }
  ],
  "tier": "evidence-backed",
  "schema_version": "claims-1.0"
}