npm - @agent-e/server - Versions diffs - 1.6.0 → 1.6.3 - Mend

@agent-e/server 1.6.0 → 1.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/AgentEServer-DT6ETPR6.mjs +7 -0
package/dist/{chunk-OALXQFKY.mjs → chunk-53EPMEWX.mjs} +55 -31
package/dist/chunk-53EPMEWX.mjs.map +1 -0
package/dist/cli.js +54 -30
package/dist/cli.js.map +1 -1
package/dist/cli.mjs +1 -1
package/dist/index.js +55 -31
package/dist/index.js.map +1 -1
package/dist/index.mjs +2 -2
package/package.json +2 -2
package/dist/AgentEServer-H3FWDCYM.mjs +0 -7
package/dist/chunk-OALXQFKY.mjs.map +0 -1
/package/dist/{AgentEServer-H3FWDCYM.mjs.map → AgentEServer-DT6ETPR6.mjs.map} +0 -0

package/dist/index.js CHANGED Viewed

@@ -569,6 +569,7 @@ function getDashboardHtml() {
   const $app = document.getElementById('app');
   // \u2500\u2500 Helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  function esc(s) { return String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;').replace(/'/g,'&#39;'); }
   function pad(n, w) { return String(n).padStart(w || 4, ' '); }
   function fmt(n) { return typeof n === 'number' ? n.toFixed(3) : '\u2014'; }
   function pct(n) { return typeof n === 'number' ? (n * 100).toFixed(0) + '%' : '\u2014'; }
@@ -674,15 +675,15 @@ function getDashboardHtml() {
     let advisorBtns = '';
     if (isAdvisor && d.result === 'skipped_override') {
       advisorBtns = '<span class="advisor-actions">'
-        + '<button class="advisor-btn approve" onclick="window._approve(\\'' + d.id + '\\')">[Approve]</button>'
-        + '<button class="advisor-btn reject" onclick="window._reject(\\'' + d.id + '\\')">[Reject]</button>'
+        + '<button class="advisor-btn approve" onclick="window._approve(\\'' + esc(d.id) + '\\')">[Approve]</button>'
+        + '<button class="advisor-btn reject" onclick="window._reject(\\'' + esc(d.id) + '\\')">[Reject]</button>'
         + '</span>';
     }
     return '<span class="t-tick">[Tick ' + pad(d.tick) + ']</span> '
       + resultIcon
-      + '<span class="t-principle">[' + (principle.id || '?') + '] ' + (principle.name || '') + ':</span> '
-      + '<span class="t-param">' + (plan.parameter || '\u2014') + ' </span>'
+      + '<span class="t-principle">[' + esc(principle.id || '?') + '] ' + esc(principle.name || '') + ':</span> '
+      + '<span class="t-param">' + esc(plan.parameter || '\u2014') + ' </span>'
       + '<span class="t-old">' + fmt(plan.currentValue) + '</span>'
       + '<span class="t-arrow"> \\u2192 </span>'
       + '<span class="t-new">' + fmt(plan.targetValue) + '</span>'
@@ -706,8 +707,8 @@ function getDashboardHtml() {
       return '<div class="alert-card">'
         + '<span class="alert-severity ' + sc + '">' + sev + '/10</span>'
         + '<div class="alert-body">'
-        + '<div class="alert-principle">[' + pid + '] ' + name + '</div>'
-        + '<div class="alert-reason">' + reason + '</div>'
+        + '<div class="alert-principle">[' + esc(pid) + '] ' + esc(name) + '</div>'
+        + '<div class="alert-reason">' + esc(reason) + '</div>'
         + '</div></div>';
     }).join('');
   }
@@ -735,10 +736,10 @@ function getDashboardHtml() {
     $violationsBody.innerHTML = sorted.map(function(v) {
       return '<tr>'
         + '<td>' + v.tick + '</td>'
-        + '<td style="color:var(--text-primary);font-family:var(--font-sans)">' + v.principle + '</td>'
+        + '<td style="color:var(--text-primary);font-family:var(--font-sans)">' + esc(v.principle) + '</td>'
         + '<td><span class="alert-severity ' + sevClass(v.severity) + '">' + v.severity + '</span></td>'
-        + '<td>' + v.parameter + '</td>'
-        + '<td>' + v.result + '</td>'
+        + '<td>' + esc(v.parameter) + '</td>'
+        + '<td>' + esc(v.result) + '</td>'
         + '</tr>';
     }).join('');
   }
@@ -764,7 +765,7 @@ function getDashboardHtml() {
     $personaBars.innerHTML = entries.map(function(e) {
       const pctVal = total > 0 ? (e[1] / total * 100) : 0;
       return '<div class="persona-row">'
-        + '<div class="persona-label">' + e[0] + '</div>'
+        + '<div class="persona-label">' + esc(e[0]) + '</div>'
         + '<div class="persona-bar-track"><div class="persona-bar-fill" style="width:' + pctVal + '%"></div></div>'
         + '<div class="persona-pct">' + pctVal.toFixed(0) + '%</div>'
         + '</div>';
@@ -777,12 +778,10 @@ function getDashboardHtml() {
       $registryList.innerHTML = '<div class="empty-state">No parameters registered</div>';
       return;
     }
-    // Show unique parameters from principles
-    const params = new Set();
     $registryList.innerHTML = principles.slice(0, 30).map(function(p) {
       return '<div class="registry-item">'
-        + '<span class="registry-key">[' + p.id + ']</span>'
-        + '<span class="registry-val">' + p.name + '</span>'
+        + '<span class="registry-key">[' + esc(p.id) + ']</span>'
+        + '<span class="registry-val">' + esc(p.name) + '</span>'
         + '</div>';
     }).join('');
   }
@@ -973,7 +972,13 @@ var init_dashboard = __esm({
 });
 // src/routes.ts
+function setSecurityHeaders(res) {
+  res.setHeader("X-Content-Type-Options", "nosniff");
+  res.setHeader("X-Frame-Options", "DENY");
+  res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+}
 function setCorsHeaders(res, origin) {
+  setSecurityHeaders(res);
   res.setHeader("Access-Control-Allow-Origin", origin);
   res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
   res.setHeader("Access-Control-Allow-Headers", "Content-Type");
@@ -1029,21 +1034,19 @@ function createRouteHandler(server) {
         const payload = parsed;
         const state = payload["state"] ?? parsed;
         const events = payload["events"];
-        if (server.validateState) {
-          const validation = (0, import_core.validateEconomyState)(state);
-          if (!validation.valid) {
-            json(res, 400, {
-              error: "invalid_state",
-              validationErrors: validation.errors
-            }, cors);
-            return;
-          }
+        const validation = server.validateState ? (0, import_core.validateEconomyState)(state) : null;
+        if (validation && !validation.valid) {
+          json(res, 400, {
+            error: "invalid_state",
+            validationErrors: validation.errors
+          }, cors);
+          return;
         }
         const result = await server.processTick(
           state,
           Array.isArray(events) ? events : void 0
         );
-        const warnings = server.validateState ? (0, import_core.validateEconomyState)(state).warnings : [];
+        const warnings = validation?.warnings ?? [];
         json(res, 200, {
           adjustments: result.adjustments,
           alerts: result.alerts.map((a) => ({
@@ -1071,12 +1074,18 @@ function createRouteHandler(server) {
         return;
       }
       if (path === "/decisions" && method === "GET") {
-        const limit = parseInt(url.searchParams.get("limit") ?? "100", 10);
-        const since = url.searchParams.get("since");
+        const rawLimit = parseInt(url.searchParams.get("limit") ?? "100", 10);
+        const limit = Math.min(Math.max(isNaN(rawLimit) ? 100 : rawLimit, 1), 1e3);
+        const sinceParam = url.searchParams.get("since");
         const agentE = server.getAgentE();
         let decisions;
-        if (since) {
-          decisions = agentE.getDecisions({ since: parseInt(since, 10) });
+        if (sinceParam) {
+          const since = parseInt(sinceParam, 10);
+          if (isNaN(since)) {
+            json(res, 400, { error: 'Invalid "since" parameter \u2014 must be a number' }, cors);
+            return;
+          }
+          decisions = agentE.getDecisions({ since });
         } else {
           decisions = agentE.log.latest(limit);
         }
@@ -1107,6 +1116,14 @@ function createRouteHandler(server) {
           for (const c of config["constrain"]) {
             if (c && typeof c === "object" && typeof c["param"] === "string" && typeof c["min"] === "number" && typeof c["max"] === "number") {
               const constraint = c;
+              if (!isFinite(constraint.min) || !isFinite(constraint.max)) {
+                json(res, 400, { error: "Constraint bounds must be finite numbers" }, cors);
+                return;
+              }
+              if (constraint.min > constraint.max) {
+                json(res, 400, { error: "Constraint min cannot exceed max" }, cors);
+                return;
+              }
               server.constrain(constraint.param, { min: constraint.min, max: constraint.max });
             }
           }
@@ -1163,6 +1180,7 @@ function createRouteHandler(server) {
       }
       if (path === "/" && method === "GET" && server.serveDashboard) {
         setCorsHeaders(res, cors);
+        res.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; connect-src 'self' ws: wss:; img-src 'self' data:");
         res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
         res.end(getDashboardHtml());
         return;
@@ -1290,7 +1308,7 @@ function send(ws, data) {
   }
 }
 function createWebSocketHandler(httpServer, server) {
-  const wss = new import_ws.WebSocketServer({ server: httpServer });
+  const wss = new import_ws.WebSocketServer({ server: httpServer, maxPayload: MAX_WS_PAYLOAD });
   const aliveMap = /* @__PURE__ */ new WeakMap();
   const heartbeatInterval = setInterval(() => {
     for (const ws of wss.clients) {
@@ -1305,6 +1323,10 @@ function createWebSocketHandler(httpServer, server) {
     }
   }, 3e4);
   wss.on("connection", (ws) => {
+    if (wss.clients.size > MAX_WS_CONNECTIONS) {
+      ws.close(1013, "Server at capacity");
+      return;
+    }
     console.log("[AgentE Server] Client connected");
     aliveMap.set(ws, true);
     ws.on("pong", () => {
@@ -1426,12 +1448,14 @@ function createWebSocketHandler(httpServer, server) {
     broadcast
   };
 }
-var import_ws, import_core2;
+var import_ws, import_core2, MAX_WS_PAYLOAD, MAX_WS_CONNECTIONS;
 var init_websocket = __esm({
   "src/websocket.ts"() {
     "use strict";
     import_ws = require("ws");
     import_core2 = require("@agent-e/core");
+    MAX_WS_PAYLOAD = 1048576;
+    MAX_WS_CONNECTIONS = 100;
   }
 });
@@ -1458,7 +1482,7 @@ var init_AgentEServer = __esm({
         this.port = config.port ?? 3100;
         this.host = config.host ?? "0.0.0.0";
         this.validateState = config.validateState ?? true;
-        this.corsOrigin = config.corsOrigin ?? "*";
+        this.corsOrigin = config.corsOrigin ?? "http://localhost:3100";
         this.serveDashboard = config.serveDashboard ?? true;
         const adapter = {
           getState: () => {