@agent-native/core 0.7.14 → 0.7.15

package/dist/tools/proxy-security.js

@@ -0,0 +1,158 @@
+const HEADER_NAME_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;
+const BLOCKED_OUTBOUND_HEADERS = new Set([
+    "connection",
+    "content-length",
+    "cookie",
+    "forwarded",
+    "host",
+    "keep-alive",
+    "origin",
+    "proxy-authenticate",
+    "proxy-authorization",
+    "referer",
+    "set-cookie",
+    "te",
+    "trailer",
+    "transfer-encoding",
+    "upgrade",
+    "x-forwarded-for",
+    "x-forwarded-host",
+    "x-forwarded-proto",
+]);
+export const MAX_TOOL_PROXY_RESPONSE_SIZE = 1024 * 1024;
+const ALLOWED_METHODS = new Set([
+    "GET",
+    "POST",
+    "PUT",
+    "PATCH",
+    "DELETE",
+    "HEAD",
+]);
+export function normalizeToolProxyMethod(value) {
+    const method = String(value || "GET").toUpperCase();
+    return ALLOWED_METHODS.has(method) ? method : null;
+}
+export function sanitizeOutboundHeaders(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value))
+        return {};
+    const headers = {};
+    for (const [name, rawValue] of Object.entries(value)) {
+        const lower = name.toLowerCase();
+        if (!HEADER_NAME_RE.test(name) || BLOCKED_OUTBOUND_HEADERS.has(lower)) {
+            continue;
+        }
+        if (rawValue === undefined || rawValue === null)
+            continue;
+        const headerValue = String(rawValue);
+        if (/[\r\n]/.test(headerValue))
+            continue;
+        headers[name] = headerValue;
+    }
+    return headers;
+}
+export function collectSecretValues(...groups) {
+    const values = new Set();
+    for (const group of groups) {
+        for (const value of group ?? []) {
+            if (value)
+                values.add(value);
+        }
+    }
+    return [...values].sort((a, b) => b.length - a.length);
+}
+export function redactSecrets(value, secretValues) {
+    if (secretValues.length === 0)
+        return value;
+    if (typeof value === "string") {
+        return redactString(value, secretValues);
+    }
+    if (Array.isArray(value)) {
+        return value.map((item) => redactSecrets(item, secretValues));
+    }
+    if (value && typeof value === "object") {
+        return Object.fromEntries(Object.entries(value).map(([key, entry]) => [
+            key,
+            redactSecrets(entry, secretValues),
+        ]));
+    }
+    return value;
+}
+export function redactString(text, secretValues) {
+    let out = text;
+    for (const secret of secretValues) {
+        for (const candidate of redactionCandidates(secret)) {
+            if (candidate)
+                out = out.split(candidate).join("[redacted]");
+        }
+    }
+    return out;
+}
+function redactionCandidates(secret) {
+    const candidates = new Set([secret]);
+    try {
+        candidates.add(encodeURIComponent(secret));
+    }
+    catch { }
+    try {
+        candidates.add(encodeURI(secret));
+    }
+    catch { }
+    return [...candidates].sort((a, b) => b.length - a.length);
+}
+export async function readResponseTextWithLimit(response, maxBytes = MAX_TOOL_PROXY_RESPONSE_SIZE) {
+    const contentLength = response.headers.get("content-length");
+    if (contentLength && Number(contentLength) > maxBytes) {
+        return {
+            text: `(response too large - ${contentLength} bytes, max ${maxBytes})`,
+            truncated: true,
+            size: Number(contentLength),
+        };
+    }
+    const reader = response.body?.getReader?.();
+    if (!reader) {
+        const buffer = await response.arrayBuffer();
+        if (buffer.byteLength > maxBytes) {
+            return {
+                text: `(response truncated - ${buffer.byteLength} bytes, max ${maxBytes})`,
+                truncated: true,
+                size: buffer.byteLength,
+            };
+        }
+        return {
+            text: new TextDecoder().decode(buffer),
+            truncated: false,
+            size: buffer.byteLength,
+        };
+    }
+    const chunks = [];
+    let total = 0;
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        if (!value)
+            continue;
+        total += value.byteLength;
+        if (total > maxBytes) {
+            await reader.cancel().catch(() => { });
+            return {
+                text: `(response truncated - ${total} bytes, max ${maxBytes})`,
+                truncated: true,
+                size: total,
+            };
+        }
+        chunks.push(value);
+    }
+    const buffer = new Uint8Array(total);
+    let offset = 0;
+    for (const chunk of chunks) {
+        buffer.set(chunk, offset);
+        offset += chunk.byteLength;
+    }
+    return {
+        text: new TextDecoder().decode(buffer),
+        truncated: false,
+        size: total,
+    };
+}
+//# sourceMappingURL=proxy-security.js.map

package/dist/tools/proxy-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-security.js","sourceRoot":"","sources":["../../src/tools/proxy-security.ts"],"names":[],"mappings":"AAAA,MAAM,cAAc,GAAG,+BAA+B,CAAC;AAEvD,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAC;IACvC,YAAY;IACZ,gBAAgB;IAChB,QAAQ;IACR,WAAW;IACX,MAAM;IACN,YAAY;IACZ,QAAQ;IACR,oBAAoB;IACpB,qBAAqB;IACrB,SAAS;IACT,YAAY;IACZ,IAAI;IACJ,SAAS;IACT,mBAAmB;IACnB,SAAS;IACT,iBAAiB;IACjB,kBAAkB;IAClB,mBAAmB;CACpB,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,IAAI,GAAG,IAAI,CAAC;AAExD,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,KAAK;IACL,MAAM;IACN,KAAK;IACL,OAAO;IACP,QAAQ;IACR,MAAM;CACP,CAAC,CAAC;AAEH,MAAM,UAAU,wBAAwB,CAAC,KAAc;IACrD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IACpD,OAAO,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,KAAc;IAEd,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE3E,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACrD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACjC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,wBAAwB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACtE,SAAS;QACX,CAAC;QACD,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,IAAI;YAAE,SAAS;QAC1D,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC;YAAE,SAAS;QACzC,OAAO,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC;IAC9B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,GAAG,MAAwC;IAE3C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,KAAK,MAAM,KAAK,IAAI,KAAK,IAAI,EAAE,EAAE,CAAC;YAChC,IAAI,KAAK;gBAAE,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,aAAa,CAAI,KAAQ,EAAE,YAAsB;IAC/D,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,YAAY,CAAC,KAAK,EAAE,YAAY,CAAM,CAAC;IAChD,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,YAAY,CAAC,CAAM,CAAC;IACrE,CAAC;IACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;YAC1C,GAAG;YACH,aAAa,CAAC,KAAK,EAAE,YAAY,CAAC;SACnC,CAAC,CACE,CAAC;IACT,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,YAAsB;IAC/D,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;QAClC,KAAK,MAAM,SAAS,IAAI,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC;YACpD,IAAI,SAAS;gBAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAc;IACzC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC;QACH,UAAU,CAAC,GAAG,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,IAAI,CAAC;QACH,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,QAAkB,EAClB,QAAQ,GAAG,4BAA4B;IAEvC,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC7D,IAAI,aAAa,IAAI,MAAM,CAAC,aAAa,CAAC,GAAG,QAAQ,EAAE,CAAC;QACtD,OAAO;YACL,IAAI,EAAE,yBAAyB,aAAa,eAAe,QAAQ,GAAG;YACtE,SAAS,EAAE,IAAI;YACf,IAAI,EAAE,MAAM,CAAC,aAAa,CAAC;SAC5B,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,EAAE,SAAS,EAAE,EAAE,CAAC;IAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC5C,IAAI,MAAM,CAAC,UAAU,GAAG,QAAQ,EAAE,CAAC;YACjC,OAAO;gBACL,IAAI,EAAE,yBAAyB,MAAM,CAAC,UAAU,eAAe,QAAQ,GAAG;gBAC1E,SAAS,EAAE,IAAI;gBACf,IAAI,EAAE,MAAM,CAAC,UAAU;aACxB,CAAC;QACJ,CAAC;QACD,OAAO;YACL,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC;YACtC,SAAS,EAAE,KAAK;YAChB,IAAI,EAAE,MAAM,CAAC,UAAU;SACxB,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;QAC5C,IAAI,IAAI;YAAE,MAAM;QAChB,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC;QAC1B,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;YACrB,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACtC,OAAO;gBACL,IAAI,EAAE,yBAAyB,KAAK,eAAe,QAAQ,GAAG;gBAC9D,SAAS,EAAE,IAAI;gBACf,IAAI,EAAE,KAAK;aACZ,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IACrC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC;IAC7B,CAAC;IAED,OAAO;QACL,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC;QACtC,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,KAAK;KACZ,CAAC;AACJ,CAAC"}

package/dist/tools/routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/tools/routes.ts"],"names":[],"mappings":"AAkCA,wBAAgB,kBAAkB,2FAsBjC"}
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/tools/routes.ts"],"names":[],"mappings":"AA+CA,wBAAgB,kBAAkB,2FA8BjC"}

package/dist/tools/routes.js

@@ -7,9 +7,12 @@ import { runWithRequestContext, getRequestOrgId, } from "../server/request-conte
 import { getOrgContext } from "../org/context.js";
 import { getDbExec, isPostgres } from "../db/client.js";
 import { listTools, getTool, createTool, updateTool, updateToolContent, deleteTool, ensureToolsTables, } from "./store.js";
-import { buildToolHtml } from "./html-shell.js";
+import { buildToolHtml, TOOL_IFRAME_CSP } from "./html-shell.js";
 import { getThemeVars } from "./theme.js";
 import { resolveKeyReferences, validateUrlAllowlist, getKeyAllowlist, } from "../secrets/substitution.js";
+import { collectSecretValues, normalizeToolProxyMethod, readResponseTextWithLimit, redactSecrets, redactString, sanitizeOutboundHeaders, } from "./proxy-security.js";
+import { createSsrfSafeDispatcher, isBlockedToolUrlWithDns, } from "./url-safety.js";
+import { ForbiddenError, resolveAccess } from "../sharing/access.js";
 export function createToolsHandler() {
     return defineEventHandler(async (event) => {
         const method = getMethod(event);
@@ -25,7 +28,16 @@ export function createToolsHandler() {
         const orgCtx = await getOrgContext(event).catch(() => null);
         const userEmail = session.email;
         const orgId = orgCtx?.orgId ?? undefined;
-        return runWithRequestContext({ userEmail, orgId }, () => dispatch(event, method, parts, userEmail));
+        try {
+            return await runWithRequestContext({ userEmail, orgId }, () => dispatch(event, method, parts, userEmail));
+        }
+        catch (err) {
+            if (err instanceof ForbiddenError) {
+                setResponseStatus(event, 403);
+                return { error: err.message };
+            }
+            throw err;
+        }
     });
 }
 async function dispatch(event, method, parts, userEmail) {
@@ -77,7 +89,8 @@ async function dispatch(event, method, parts, userEmail) {
     }
     // GET /:id/render
     if (method === "GET" && parts.length === 2 && parts[1] === "render") {
-        const tool = await getTool(parts[0]);
+        const access = await resolveAccess("tool", parts[0]);
+        const tool = access?.resource;
         if (!tool) {
             setResponseStatus(event, 404);
             return { error: "Tool not found" };
@@ -85,8 +98,29 @@ async function dispatch(event, method, parts, userEmail) {
         const search = event.url?.search || "";
         const isDark = search.includes("dark=1") || search.includes("dark=true");
         const themeVars = getThemeVars(isDark);
-        const html = buildToolHtml(tool.content, themeVars, isDark, parts[0]);
+        // Compute viewer-vs-author binding so the iframe can warn when the
+        // viewer is NOT the author. This is the minimum-viable trust signal —
+        // a full consent flow is tracked as TODO C1 in audit 05-tools-sandbox.md.
+        // Resolved access role is plumbed through so future bridge gating can
+        // be conditional on owner/editor/viewer (audit H4 — scaffold only).
+        const isAuthor = tool.ownerEmail === userEmail;
+        const html = buildToolHtml(tool.content, themeVars, isDark, parts[0], {
+            authorEmail: tool.ownerEmail,
+            viewerEmail: userEmail,
+            isAuthor,
+            role: access.role,
+        });
+        // Security headers per render. We set these explicitly here (rather than
+        // rely on the global security-headers middleware) because:
+        //   - The global middleware sets X-Frame-Options: DENY which would break
+        //     the legitimate iframe usage of this route inside the app.
+        //   - frame-ancestors in the CSP must be set as an HTTP header to be
+        //     enforced; meta-CSP can't set it per spec.
         setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+        setResponseHeader(event, "Content-Security-Policy", TOOL_IFRAME_CSP);
+        setResponseHeader(event, "X-Frame-Options", "SAMEORIGIN");
+        setResponseHeader(event, "X-Content-Type-Options", "nosniff");
+        setResponseHeader(event, "Referrer-Policy", "no-referrer");
         return html;
     }
     // GET /:id
@@ -278,90 +312,6 @@ async function handleToolDataDelete(event, toolId, collection, itemId, userEmail
     });
     return { ok: true };
 }
-const METADATA_HOSTS = [
-    "metadata.google.internal",
-    "metadata.google.internal.",
-];
-function isPrivateIpv4(a, b) {
-    if (a === 127)
-        return true;
-    if (a === 10)
-        return true;
-    if (a === 172 && b >= 16 && b <= 31)
-        return true;
-    if (a === 192 && b === 168)
-        return true;
-    if (a === 169 && b === 254)
-        return true;
-    if (a === 0)
-        return true;
-    return false;
-}
-function isPrivateHost(hostname) {
-    const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
-    if (h === "localhost")
-        return true;
-    if (METADATA_HOSTS.includes(h))
-        return true;
-    // IPv6 forms
-    if (h === "::1" || h === "::0" || h === "::")
-        return true;
-    // IPv4-mapped IPv6: ::ffff:127.0.0.1
-    const v4mapped = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
-    if (v4mapped) {
-        const [a, b] = v4mapped[1].split(".").map(Number);
-        if (isPrivateIpv4(a, b))
-            return true;
-    }
-    // ULA (fc00::/7) and link-local (fe80::/10)
-    if (/^f[cd]/.test(h))
-        return true;
-    if (/^fe[89ab]/.test(h))
-        return true;
-    // Dotted IPv4
-    const raw = hostname.toLowerCase();
-    const parts = raw.split(".");
-    if (parts.length === 4 && parts.every((p) => /^\d+$/.test(p))) {
-        const [a, b] = parts.map(Number);
-        if (isPrivateIpv4(a, b))
-            return true;
-    }
-    // Decimal integer IPv4
-    if (/^\d+$/.test(raw)) {
-        const num = Number(raw);
-        if (num >= 0 && num <= 0xffffffff) {
-            const a = (num >>> 24) & 0xff;
-            const b = (num >>> 16) & 0xff;
-            if (isPrivateIpv4(a, b))
-                return true;
-        }
-    }
-    return false;
-}
-const DNS_REBIND_SUFFIXES = [
-    ".nip.io",
-    ".sslip.io",
-    ".xip.io",
-    ".localtest.me",
-    ".lvh.me",
-];
-function isBlockedUrl(url) {
-    try {
-        const parsed = new URL(url);
-        if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-            return true;
-        }
-        const host = parsed.hostname.toLowerCase();
-        if (isPrivateHost(host))
-            return true;
-        if (DNS_REBIND_SUFFIXES.some((s) => host.endsWith(s)))
-            return true;
-    }
-    catch {
-        return true;
-    }
-    return false;
-}
 async function handleProxy(event, userEmail) {
     const body = await readBody(event);
     const rawUrl = body.url;
@@ -369,31 +319,42 @@ async function handleProxy(event, userEmail) {
         setResponseStatus(event, 400);
         return { error: "url is required" };
     }
-    const method = (body.method || "GET").toUpperCase();
+    const method = normalizeToolProxyMethod(body.method || "GET");
+    if (!method) {
+        setResponseStatus(event, 405);
+        return {
+            error: "Unsupported HTTP method. Allowed methods: GET, POST, PUT, PATCH, DELETE, HEAD.",
+        };
+    }
     const rawHeaders = body.headers || {};
     const rawBody = body.body;
     let resolvedUrl = rawUrl;
     let resolvedHeaders = JSON.stringify(rawHeaders);
     let resolvedBody = rawBody;
     const allUsedKeys = [];
+    const allSecretValues = [];
     try {
         const urlResult = await resolveKeyReferences(rawUrl, "user", userEmail);
         resolvedUrl = urlResult.resolved;
         allUsedKeys.push(...urlResult.usedKeys);
+        allSecretValues.push(...urlResult.secretValues);
         const headerResult = await resolveKeyReferences(resolvedHeaders, "user", userEmail);
         resolvedHeaders = headerResult.resolved;
         allUsedKeys.push(...headerResult.usedKeys);
+        allSecretValues.push(...headerResult.secretValues);
         if (rawBody) {
             const bodyResult = await resolveKeyReferences(typeof rawBody === "string" ? rawBody : JSON.stringify(rawBody), "user", userEmail);
             resolvedBody = bodyResult.resolved;
             allUsedKeys.push(...bodyResult.usedKeys);
+            allSecretValues.push(...bodyResult.secretValues);
         }
     }
     catch (err) {
         setResponseStatus(event, 400);
         return { error: `Key resolution failed: ${err?.message ?? err}` };
     }
-    if (isBlockedUrl(resolvedUrl)) {
+    const secretValues = collectSecretValues(allSecretValues);
+    if (await isBlockedToolUrlWithDns(resolvedUrl)) {
         setResponseStatus(event, 403);
         return { error: "Requests to private/internal addresses are not allowed" };
     }
@@ -408,13 +369,20 @@ async function handleProxy(event, userEmail) {
     }
     let headers;
     try {
-        headers = JSON.parse(resolvedHeaders);
+        headers = sanitizeOutboundHeaders(JSON.parse(resolvedHeaders));
     }
     catch {
-        headers = rawHeaders;
+        headers = sanitizeOutboundHeaders(rawHeaders);
     }
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 15_000);
+    // Best-effort connect-time SSRF guard. When undici is available (it ships
+    // with Node 18+ but is not always exposed as an importable module), the
+    // dispatcher re-checks the resolved IP at TCP-connect time, closing the
+    // TOCTOU between the pre-flight `isBlockedToolUrlWithDns` lookup and the
+    // actual fetch lookup. If undici is not importable, fall through to plain
+    // fetch — the pre-flight remains the primary protection.
+    const dispatcher = (await createSsrfSafeDispatcher()) ?? undefined;
     try {
         const fetchOpts = {
             method,
@@ -422,28 +390,56 @@ async function handleProxy(event, userEmail) {
             signal: controller.signal,
             redirect: "manual",
         };
+        if (dispatcher)
+            fetchOpts.dispatcher = dispatcher;
         if (resolvedBody && ["POST", "PUT", "PATCH"].includes(method)) {
-            fetchOpts.body =
-                typeof resolvedBody === "string"
-                    ? resolvedBody
-                    : JSON.stringify(resolvedBody);
-            if (!headers["content-type"] && !headers["Content-Type"]) {
-                headers["Content-Type"] = "application/json";
+            const isStringBody = typeof resolvedBody === "string";
+            fetchOpts.body = isStringBody
+                ? resolvedBody
+                : JSON.stringify(resolvedBody);
+            // Only inject Content-Type when (a) the caller didn't set one and
+            // (b) the body is actually JSON-shaped (object or stringified JSON).
+            // Otherwise leave it unset so the runtime fetch picks an appropriate
+            // default and we don't misrepresent text/plain bodies as JSON.
+            const hasContentType = Object.keys(headers).some((k) => k.toLowerCase() === "content-type");
+            if (!hasContentType) {
+                const isJsonShaped = !isStringBody ||
+                    (typeof resolvedBody === "string" &&
+                        /^\s*[{[]/.test(resolvedBody) &&
+                        isLikelyJson(resolvedBody));
+                if (isJsonShaped)
+                    headers["Content-Type"] = "application/json";
             }
         }
         const response = await fetch(resolvedUrl, fetchOpts);
         if (response.status >= 300 && response.status < 400) {
             const location = response.headers.get("location");
-            if (location && isBlockedUrl(new URL(location, resolvedUrl).href)) {
+            const redirectUrl = location ? new URL(location, resolvedUrl).href : null;
+            if (redirectUrl && (await isBlockedToolUrlWithDns(redirectUrl))) {
                 setResponseStatus(event, 403);
                 return { error: "Redirect to private/internal address blocked" };
             }
+            if (redirectUrl) {
+                for (const keyName of new Set(allUsedKeys)) {
+                    const allowlist = await getKeyAllowlist(keyName, "user", userEmail);
+                    if (!validateUrlAllowlist(redirectUrl, allowlist)) {
+                        setResponseStatus(event, 403);
+                        return {
+                            error: `Redirect URL is not allowed for key "${keyName}"`,
+                        };
+                    }
+                }
+            }
             return {
                 status: response.status,
-                body: { redirect: location },
+                body: {
+                    redirect: redirectUrl
+                        ? redactString(redirectUrl, secretValues)
+                        : location,
+                },
             };
         }
-        const text = await response.text();
+        const { text } = await readResponseTextWithLimit(response);
         let responseBody;
         try {
             responseBody = JSON.parse(text);
@@ -451,7 +447,10 @@ async function handleProxy(event, userEmail) {
         catch {
             responseBody = text;
         }
-        return { status: response.status, body: responseBody };
+        return {
+            status: response.status,
+            body: redactSecrets(responseBody, secretValues),
+        };
     }
     catch (err) {
         if (err?.name === "AbortError") {
@@ -459,7 +458,9 @@ async function handleProxy(event, userEmail) {
             return { error: "Upstream request timed out" };
         }
         setResponseStatus(event, 502);
-        return { error: `Proxy request failed: ${err?.message ?? err}` };
+        return {
+            error: `Proxy request failed: ${redactSecrets(err?.message ?? String(err), secretValues)}`,
+        };
     }
     finally {
         clearTimeout(timeout);
@@ -469,7 +470,14 @@ async function handleProxy(event, userEmail) {
  * Capture console output from a CLI script that uses console.log for results.
  * Same technique as wrapCliScript in agent-chat-plugin.ts.
  */
+let captureCliOutputQueue = Promise.resolve();
 async function captureCliOutput(fn, args) {
+    const previousCapture = captureCliOutputQueue;
+    let releaseCapture;
+    captureCliOutputQueue = new Promise((resolve) => {
+        releaseCapture = resolve;
+    });
+    await previousCapture;
     const logs = [];
     const origLog = console.log;
     const origError = console.error;
@@ -497,6 +505,7 @@ async function captureCliOutput(fn, args) {
         console.log = origLog;
         console.error = origError;
         process.stdout.write = origStdoutWrite;
+        releaseCapture();
     }
     return logs.join("\n") || "(no output)";
 }
@@ -521,6 +530,13 @@ async function handleSqlQuery(event) {
         const args = ["--sql", sql, "--format", "json"];
         if (body.limit)
             args.push("--limit", String(body.limit));
+        if (body.args !== undefined) {
+            if (!Array.isArray(body.args)) {
+                setResponseStatus(event, 400);
+                return { error: "args must be an array" };
+            }
+            args.push("--args", JSON.stringify(body.args));
+        }
         const output = await captureCliOutput(mod.default, args);
         try {
             return JSON.parse(output);
@@ -534,11 +550,35 @@ async function handleSqlQuery(event) {
         return { error: err?.message ?? "Query failed" };
     }
 }
-const DESTRUCTIVE_SQL_RE = /\b(CREATE\s+(?:(?:LOCAL|GLOBAL)\s+)?(?:TEMPORARY|TEMP)?\s*(TABLE|INDEX|VIEW|SCHEMA|DATABASE|TRIGGER)|DROP\s+(TABLE|INDEX|VIEW|SCHEMA|DATABASE|TRIGGER)|TRUNCATE|DELETE\s+FROM\s+(?!tool_data\b)|ALTER\s+TABLE\s+(?!tool_data\b)|ATTACH|DETACH|VACUUM|REINDEX|PRAGMA)\b/i;
-const SENSITIVE_SQL_RE = /\b(app_secrets|user|users|session|sessions|account|accounts|verification|oauth_tokens|tool_shares)\b/i;
+// TODO(security): replace this regex blocklist with a SQL parser + an explicit
+// allowlist of tables a tool may read/write (e.g. only `tool_data`, plus a
+// per-template list). The current blocklist is best-effort defense in depth
+// and is by design bypassable via SQL constructions that don't include the
+// blocklisted token literally (string concat, dynamic SQL, etc). The temp-
+// view scoping in scripts/db/scoping.ts is the actual ownership boundary.
+const DESTRUCTIVE_SQL_RE = /\b(CREATE\s+(?:(?:LOCAL|GLOBAL)\s+)?(?:TEMPORARY|TEMP)?\s*(TABLE|INDEX|VIEW|SCHEMA|DATABASE|TRIGGER|FUNCTION|EXTENSION|ROLE|TABLESPACE|PUBLICATION|SUBSCRIPTION)|DROP\s+(TABLE|INDEX|VIEW|SCHEMA|DATABASE|TRIGGER|FUNCTION|EXTENSION|ROLE)|TRUNCATE|DELETE\s+FROM\s+(?!tool_data\b)|ALTER\s+(TABLE|VIEW|SCHEMA|DATABASE|FUNCTION|ROLE|EXTENSION|PUBLICATION)\s+(?!tool_data\b)|ATTACH|DETACH|VACUUM|REINDEX|PRAGMA|GRANT|REVOKE|SET\s+ROLE|RESET\s+ROLE|COPY)\b/i;
+// Sensitive tables that tools must not touch directly. Includes Better Auth
+// identity tables, framework infrastructure (tracing, evals, automations,
+// integrations, notifications, scheduling, sharing/orgs), and Postgres
+// catalogs that would let a tool enumerate or read internals.
+const SENSITIVE_SQL_RE = /\b(app_secrets|user|users|session|sessions|account|accounts|verification|oauth_tokens|tools|tool_shares|tool_slots|tool_slot_installs|member|organization|invitation|jwks|agent_trace_spans|agent_trace_summaries|agent_feedback|agent_satisfaction_scores|agent_evals|agent_runs|agent_run_events|notifications|progress_runs|integration_configs|integration_pending_tasks|integration_thread_mappings|resources|org_members|org_invitations|bigquery_cache|dashboard_views|pg_catalog|information_schema|pg_class|pg_proc|pg_namespace|pg_user|pg_roles|pg_authid|pg_shadow)\b/i;
+// Refuses positional INSERTs (no column list). `INSERT INTO recordings VALUES
+// (...)` would let a tool stuff arbitrary owner_email values into a row.
+// `INSERT INTO recordings (col1, col2) VALUES (...)` is required so the
+// downstream injectOwnership helper can append owner_email.
+const POSITIONAL_INSERT_RE = /\bINSERT\s+INTO\s+["'`]?\w+["'`]?\s+VALUES\b/i;
 function stripSqlComments(sql) {
     return sql.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/--[^\n]*/g, " ");
 }
+function isLikelyJson(text) {
+    try {
+        const parsed = JSON.parse(text);
+        return parsed !== null && typeof parsed === "object";
+    }
+    catch {
+        return false;
+    }
+}
 async function handleSqlExec(event) {
     const body = await readBody(event);
     const sql = body.sql;
@@ -557,9 +597,22 @@ async function handleSqlExec(event) {
         setResponseStatus(event, 403);
         return { error: "Sensitive framework tables are not writable from tools" };
     }
+    if (POSITIONAL_INSERT_RE.test(cleanSql)) {
+        setResponseStatus(event, 400);
+        return {
+            error: "INSERT must specify an explicit column list (e.g. INSERT INTO t (col1, col2) VALUES (?, ?)) so ownership can be injected.",
+        };
+    }
     try {
         const mod = await import("../scripts/db/exec.js");
         const args = ["--sql", sql, "--format", "json"];
+        if (body.args !== undefined) {
+            if (!Array.isArray(body.args)) {
+                setResponseStatus(event, 400);
+                return { error: "args must be an array" };
+            }
+            args.push("--args", JSON.stringify(body.args));
+        }
         const output = await captureCliOutput(mod.default, args);
         try {
             return JSON.parse(output);