Updated contributing guidelines

dbarkol · dbarkol · commit e68a4d34a8dc · 2026-01-30T08:34:12.000-08:00
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -1,180 +1,73 @@
-# Contributing to MCP Security Summit Workshop
+# Contributing
 
-Thank you for your interest in improving this workshop! This guide explains the repository structure and how to contribute effectively.
+Thank you for your interest in improving this workshop!
 
-## Repository Structure
-
-```
-/
-├── camps/                  # Workshop modules (Base Camp → Summit)
-│   ├── base-camp/         # Fundamentals + basic authentication
-│   ├── camp1-identity/    # OAuth, Managed Identity, Key Vault
-│   ├── camp2-gateway/     # API/MCP Gateway, Network Security
-│   ├── camp3-io-security/ # Content Safety, Input Validation
-│   └── camp4-monitoring/  # Logging, Monitoring, Alerts
-├── infra/                 # Shared Bicep templates
-│   ├── shared/           # Common Azure resources
-│   └── README.md
-├── scripts/              # Deployment automation helpers
-│   └── README.md
-├── docs/                 # GitHub Pages documentation
-│   └── index.md
-└── README.md             # Workshop overview
-```
-
-## How to Add a New Camp
+## Quick Links
 
-Each camp follows the **vulnerable → secure** pattern established in Base Camp. Use this template:
+- **📚 Workshop:** [azure-samples.github.io/sherpa](https://azure-samples.github.io/sherpa/)
+- **🔒 Security Guide:** [microsoft.github.io/mcp-azure-security-guide](https://microsoft.github.io/mcp-azure-security-guide/)
 
-### Camp Directory Structure
+## Repository Structure
 
 ```
-camps/your-camp/
-├── README.md              # Participant guide (5-phase format)
-├── pyproject.toml         # Dependencies (managed by uv)
-├── vulnerable-server/     # Insecure implementation
-│   ├── src/
-│   │   ├── server.py     # MCP server with vulnerabilities
-│   │   └── ...
-│   ├── pyproject.toml    # Package metadata
-│   ├── Dockerfile
-│   └── .env.example
-├── secure-server/         # Fixed implementation
-│   ├── src/
-│   │   ├── server.py     # MCP server with security controls
-│   │   └── ...
-│   ├── pyproject.toml    # Package metadata
-│   ├── Dockerfile
-│   └── .env.example
-├── exploits/              # Demonstration scripts
-│   └── test_exploit.py
-├── infra/                 # Camp-specific Bicep
-│   └── main.bicep
-└── vscode-config/         # Example MCP client configs
-    └── mcp-settings.json
+sherpa/
+├── camps/                    # Workshop modules
+│   ├── base-camp/            # Local-only, MCP fundamentals
+│   ├── camp1-identity/       # Azure: OAuth, Managed Identity
+│   ├── camp2-gateway/        # Azure: APIM, Content Safety
+│   ├── camp3-io-security/    # Azure: Input validation, PII
+│   └── camp4-monitoring/     # Azure: Logging, alerts
+├── docs/                     # MkDocs documentation
+│   └── camps/                # Workshop guides
+└── mkdocs.yml
 ```
 
-**Note:** Camps use `uv` for fast, reliable dependency management. Run `uv sync` in the camp root to set up the environment.
-
-### Camp README.md Format
-
-```markdown
-# Camp [N]: [Theme Name]
-
-*"[Mountain metaphor subtitle]"*
-
-**Duration:** [X] minutes  
-**OWASP Risks:** [MCP0X, MCP0Y]  
-**Azure Services:** [Service A, Service B]  
-**Guide Reference:** [Link to microsoft.github.io/mcp-azure-security-guide]
+## Workshop Pattern
 
-## Learning Objectives
-- Objective 1
-- Objective 2
+All camps follow **exploit → fix → validate**:
 
-## Route Map
-| Phase | Activity | Duration | Type |
-|:-----:|----------|:--------:|:----:|
-| **1** | Deploy Vulnerable System | [X] min | Setup |
-| **2** | Exploit Vulnerabilities | [X] min | Hands-on |
-| **3** | Implement Security Fixes | [X] min | Hands-on |
-| **4** | Validate Fixes | [X] min | Verification |
-| **5** | Summary & Teaching Points | [X] min | Discussion |
+1. Start with a vulnerable or incomplete configuration
+2. Demonstrate the security risk
+3. Apply the fix
+4. Validate the fix works
 
-[... detailed phase instructions ...]
-```
-
-## Code Style Guidelines
+## Camp Types
 
-### Python MCP Servers
+| Type | Example | Deployment | Key Files |
+|------|---------|------------|-----------|
+| **Local** | Base Camp | `uv run python -m src.server` | `vulnerable-server/`, `secure-server/` |
+| **Azure** | Camps 1-4 | `azd up` | `azure.yaml`, `infra/`, `scripts/` |
 
-- Use the official `mcp` Python package (not FastMCP)
-- Python 3.10+ with type hints
-- Clear comments explaining vulnerabilities and fixes
-- Follow PEP 8 style guidelines
+## Running Docs Locally
 
-**Example vulnerability comment:**
-```python
-# VULNERABILITY: No authentication check!
-# This allows ANY client to access ANY user's data.
-# Maps to OWASP MCP07: Insufficient Authentication
-@server.list_resources()
-async def list_resources() -> list[Resource]:
-    # Should check authentication here but doesn't
-    return [Resource(...)]
+```bash
+pip install -r requirements-docs.txt
+mkdocs serve
 ```
 
-**Example security fix comment:**
-```python
-# SECURITY FIX: Validate authentication on every request
-# This addresses OWASP MCP07 by ensuring only authorized
-# clients can access resources.
-def require_auth(func):
-    async def wrapper(*args, **kwargs):
-        token = get_token_from_context()
-        if not validate_token(token):
-            raise PermissionError("Unauthorized")
-        return await func(*args, **kwargs)
-    return wrapper
-```
-
-### Bicep Templates
-
-- Use consistent naming conventions: `{resource-type}-{camp-name}`
-- Include comments explaining security controls
-- Output important values (endpoints, resource IDs)
-- Follow Azure naming best practices
-
-### Documentation
-
-- Use clear, action-oriented headings
-- Include code snippets with explanations
-- Provide expected outputs for validation steps
-- Link to relevant OWASP MCP Top 10 sections
-- Use callout boxes for important notes
-
-## Testing Your Contribution
-
-Before submitting a pull request:
-
-1. **Set up the environment:**
-   ```bash
-   cd camps/your-camp
-   uv sync  # Install dependencies
-   ```
+## Code Guidelines
 
-2. **Test the vulnerable version:**
-   - Deploy and run the vulnerable server
-   - Verify the exploit works as documented
-   - Ensure the vulnerability is clear to participants
+- **Python:** 3.11+, type hints, `uv` for dependencies
+- **Bicep:** Consistent naming, security comments
+- **Scripts:** Bash, `set -e`, clear progress output
 
-3. **Test the secure version:**
-   - Deploy and run the secure server
-   - Verify the exploit now fails appropriately
-   - Ensure security controls work as documented
+## Testing Changes
 
-4. **Validate documentation:**
-   - Follow your own instructions step-by-step
-   - Verify all commands work
-   - Check all links are valid
+1. Run through the workshop guide yourself
+2. Verify exploit scripts demonstrate the vulnerability
+3. Verify fix scripts resolve the issue
+4. Check documentation renders correctly
 
-## Submission Guidelines
+## Submitting Changes
 
-1. Fork the repository
-2. Create a feature branch: `git checkout -b camp-feature-name`
-3. Make your changes following the guidelines above
-4. Test thoroughly (see Testing section)
-5. Commit with clear messages: `git commit -m "Add Camp X: [Feature]"`
-6. Push to your fork: `git push origin camp-feature-name`
-7. Open a Pull Request with:
-   - Clear description of what was added/changed
-   - Which OWASP MCP risks are addressed
-   - Testing steps you performed
+1. Fork and create a branch
+2. Make changes and test thoroughly
+3. Submit a Pull Request with a clear description
 
 ## Questions?
 
-Open an issue or discussion in the repository. We're here to help!
+Open an [issue](https://github.com/Azure-Samples/sherpa/issues).
 
 ---
 
-*Thank you for helping others scale the summit safely! 🏔️*
+*Thank you for helping others reach the summit safely! 🏔️*
diff --git a/docs/resources/contributing.md b/docs/resources/contributing.md
@@ -1,106 +1,73 @@
-# Contributing to MCP Security Summit Workshop
+# Contributing
 
-Thank you for your interest in improving this workshop! This guide explains the repository structure and how to contribute effectively.
+Thank you for your interest in improving this workshop!
+
+## Quick Links
+
+- **📚 Workshop:** [azure-samples.github.io/sherpa](https://azure-samples.github.io/sherpa/)
+- **🔒 Security Guide:** [microsoft.github.io/mcp-azure-security-guide](https://microsoft.github.io/mcp-azure-security-guide/)
 
 ## Repository Structure
 
 ```
-/
-├── camps/                  # Workshop modules (Base Camp → Summit)
-│   ├── base-camp/         # Fundamentals + basic authentication
-│   ├── camp1-identity/    # OAuth, Managed Identity, Key Vault
-│   ├── camp2-gateway/     # API/MCP Gateway, Network Security
-│   ├── camp3-io-security/ # Content Safety, Input Validation
-│   └── camp4-monitoring/  # Logging, Monitoring, Alerts
-├── infra/                 # Shared Bicep templates
-│   ├── shared/           # Common Azure resources
-│   └── README.md
-├── scripts/              # Deployment automation helpers
-│   └── README.md
-├── docs/                 # GitHub Pages documentation
-│   └── index.md
-└── README.md             # Workshop overview
+sherpa/
+├── camps/                    # Workshop modules
+│   ├── base-camp/            # Local-only, MCP fundamentals
+│   ├── camp1-identity/       # Azure: OAuth, Managed Identity
+│   ├── camp2-gateway/        # Azure: APIM, Content Safety
+│   ├── camp3-io-security/    # Azure: Input validation, PII
+│   └── camp4-monitoring/     # Azure: Logging, alerts
+├── docs/                     # MkDocs documentation
+│   └── camps/                # Workshop guides
+└── mkdocs.yml
 ```
 
-## How to Add a New Camp
+## Workshop Pattern
 
-Each camp follows the **vulnerable → secure** pattern established in Base Camp. Use this template:
+All camps follow **exploit → fix → validate**:
 
-### Camp Directory Structure
+1. Start with a vulnerable or incomplete configuration
+2. Demonstrate the security risk
+3. Apply the fix
+4. Validate the fix works
 
-```
-camps/your-camp/
-├── README.md              # Participant guide (5-phase format)
-├── pyproject.toml         # Dependencies (managed by uv)
-├── vulnerable-server/     # Insecure implementation
-│   ├── src/
-│   │   ├── server.py     # MCP server with vulnerabilities
-│   │   └── ...
-│   ├── pyproject.toml    # Package metadata
-│   ├── Dockerfile
-│   └── .env.example
-├── secure-server/         # Fixed implementation
-│   ├── src/
-│   │   ├── server.py     # MCP server with security controls
-│   │   └── ...
-│   ├── pyproject.toml    # Package metadata
-│   ├── Dockerfile
-│   └── .env.example
-├── exploits/              # Demonstration scripts
-│   └── test_exploit.py
-├── infra/                 # Camp-specific Bicep
-│   └── main.bicep
-└── vscode-config/         # Example MCP client configs
-    └── mcp-settings.json
-```
+## Camp Types
 
-**Note:** Camps use `uv` for fast, reliable dependency management. Run `uv sync` in the camp root to set up the environment.
+| Type | Example | Deployment | Key Files |
+|------|---------|------------|-----------|
+| **Local** | Base Camp | `uv run python -m src.server` | `vulnerable-server/`, `secure-server/` |
+| **Azure** | Camps 1-4 | `azd up` | `azure.yaml`, `infra/`, `scripts/` |
 
-## Code Style Guidelines
+## Running Docs Locally
 
-### Python MCP Servers
-
-- Use the official `mcp` Python package (not FastMCP)
-- Python 3.10+ with type hints
-- Clear comments explaining vulnerabilities and fixes
-- Follow PEP 8 style guidelines
-
-**Example vulnerability comment:**
-```python
-# VULNERABILITY: No authentication check!
-# This allows ANY client to access ANY user's data.
-# Maps to OWASP MCP07: Insufficient Authentication
+```bash
+pip install -r requirements-docs.txt
+mkdocs serve
 ```
 
-## Documentation
-
-### GitHub Pages
+## Code Guidelines
 
-Documentation lives in the `docs/` directory:
-- Keep docs separate from code README files
-- Use clear headings and navigation
-- Include code examples and screenshots
-- Link to relevant Azure documentation
+- **Python:** 3.11+, type hints, `uv` for dependencies
+- **Bicep:** Consistent naming, security comments
+- **Scripts:** Bash, `set -e`, clear progress output
 
-### README Files
+## Testing Changes
 
-README files in each camp serve as:
-- Quick reference for workshop participants
-- Navigation within GitHub repository
-- Detailed step-by-step instructions
+1. Run through the workshop guide yourself
+2. Verify exploit scripts demonstrate the vulnerability
+3. Verify fix scripts resolve the issue
+4. Check documentation renders correctly
 
 ## Submitting Changes
 
-1. **Fork the repository**
-2. **Create a feature branch**: `git checkout -b feature/your-feature`
-3. **Make your changes** with clear commit messages
-4. **Test thoroughly** - ensure all exploits and fixes work
-5. **Submit a pull request** with description of changes
+1. Fork and create a branch
+2. Make changes and test thoroughly
+3. Submit a Pull Request with a clear description
 
 ## Questions?
 
-Open an issue on GitHub if you have questions or suggestions!
+Open an [issue](https://github.com/Azure-Samples/sherpa/issues).
 
 ---
 
-**Thank you for helping make this workshop better! 🏔️**
+*Thank you for helping others reach the summit safely! 🏔️*
