npm - @apitap/core - Versions diffs - 1.4.0 → 1.4.2 - Mend

@apitap/core 1.4.0 → 1.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (74) hide show

package/README.md +4 -2
package/dist/auth/crypto.d.ts +10 -0
package/dist/auth/crypto.js +30 -6
package/dist/auth/crypto.js.map +1 -1
package/dist/auth/handoff.js +20 -1
package/dist/auth/handoff.js.map +1 -1
package/dist/auth/manager.d.ts +1 -0
package/dist/auth/manager.js +35 -9
package/dist/auth/manager.js.map +1 -1
package/dist/capture/monitor.js +4 -0
package/dist/capture/monitor.js.map +1 -1
package/dist/capture/scrubber.js +10 -0
package/dist/capture/scrubber.js.map +1 -1
package/dist/capture/session.js +7 -17
package/dist/capture/session.js.map +1 -1
package/dist/cli.js +74 -17
package/dist/cli.js.map +1 -1
package/dist/discovery/fetch.js +3 -3
package/dist/discovery/fetch.js.map +1 -1
package/dist/mcp.d.ts +2 -0
package/dist/mcp.js +59 -33
package/dist/mcp.js.map +1 -1
package/dist/native-host.js +2 -2
package/dist/native-host.js.map +1 -1
package/dist/orchestration/browse.js +13 -4
package/dist/orchestration/browse.js.map +1 -1
package/dist/plugin.d.ts +1 -1
package/dist/plugin.js +14 -4
package/dist/plugin.js.map +1 -1
package/dist/read/decoders/reddit.js +4 -0
package/dist/read/decoders/reddit.js.map +1 -1
package/dist/replay/engine.js +60 -17
package/dist/replay/engine.js.map +1 -1
package/dist/serve.d.ts +2 -0
package/dist/serve.js +8 -1
package/dist/serve.js.map +1 -1
package/dist/skill/generator.d.ts +5 -0
package/dist/skill/generator.js +30 -4
package/dist/skill/generator.js.map +1 -1
package/dist/skill/search.js +1 -1
package/dist/skill/search.js.map +1 -1
package/dist/skill/signing.js +19 -1
package/dist/skill/signing.js.map +1 -1
package/dist/skill/ssrf.js +71 -2
package/dist/skill/ssrf.js.map +1 -1
package/dist/skill/store.d.ts +2 -0
package/dist/skill/store.js +23 -10
package/dist/skill/store.js.map +1 -1
package/dist/skill/validate.d.ts +10 -0
package/dist/skill/validate.js +106 -0
package/dist/skill/validate.js.map +1 -0
package/package.json +1 -1
package/src/auth/crypto.ts +14 -6
package/src/auth/handoff.ts +19 -1
package/src/auth/manager.ts +22 -5
package/src/capture/monitor.ts +4 -0
package/src/capture/scrubber.ts +12 -0
package/src/capture/session.ts +5 -14
package/src/cli.ts +215 -12
package/src/discovery/fetch.ts +2 -2
package/src/index/reader.ts +65 -0
package/src/mcp.ts +64 -31
package/src/native-host.ts +29 -2
package/src/orchestration/browse.ts +13 -4
package/src/plugin.ts +17 -5
package/src/read/decoders/reddit.ts +3 -3
package/src/replay/engine.ts +65 -15
package/src/serve.ts +10 -1
package/src/skill/generator.ts +32 -4
package/src/skill/search.ts +1 -1
package/src/skill/signing.ts +20 -1
package/src/skill/ssrf.ts +69 -2
package/src/skill/store.ts +29 -11
package/src/skill/validate.ts +48 -0

package/src/native-host.ts CHANGED Viewed

@@ -27,10 +27,11 @@ async function signSkillJson(skillJson: string): Promise<string> {
 }
 export interface NativeRequest {
-  action: 'save_skill' | 'save_batch' | 'ping' | 'capture_request';
+  action: 'save_skill' | 'save_batch' | 'ping' | 'capture_request' | 'save_index';
   domain?: string;
   skillJson?: string;
   skills?: Array<{ domain: string; skillJson: string }>;
+  indexJson?: string;
 }
 export interface NativeResponse {
@@ -115,6 +116,32 @@ export async function handleNativeMessage(
       return { success: true, paths };
     }
+    if (request.action === 'save_index') {
+      if (!request.indexJson) {
+        return { success: false, error: 'Missing indexJson' };
+      }
+      if (request.indexJson.length > 5 * 1024 * 1024) {
+        return { success: false, error: 'Index too large (max 5MB)' };
+      }
+      try {
+        JSON.parse(request.indexJson);
+      } catch {
+        return { success: false, error: 'Invalid JSON in indexJson' };
+      }
+      // index.json lives in ~/.apitap/ (parent of skills dir)
+      const apitapDir = path.dirname(skillsDir);
+      await fs.mkdir(apitapDir, { recursive: true });
+      const indexPath = path.join(apitapDir, 'index.json');
+      // Atomic write: temp file + rename
+      const tmpPath = indexPath + '.tmp.' + process.pid;
+      await fs.writeFile(tmpPath, request.indexJson, { mode: 0o600 });
+      await fs.rename(tmpPath, indexPath);
+      return { success: true, path: indexPath };
+    }
     return { success: false, error: `Unknown action: ${request.action}` };
   } catch (err) {
     return { success: false, error: String(err) };
@@ -124,7 +151,7 @@ export async function handleNativeMessage(
 // --- Relay handler ---
 // Actions handled locally by the native host (filesystem operations)
-const LOCAL_ACTIONS = new Set(['save_skill', 'save_batch', 'ping']);
+const LOCAL_ACTIONS = new Set(['save_skill', 'save_batch', 'ping', 'save_index']);
 // Actions relayed to the extension (browser operations)
 const EXTENSION_ACTIONS = new Set(['capture_request']);

package/src/orchestration/browse.ts CHANGED Viewed

@@ -4,6 +4,9 @@ import { replayEndpoint } from '../replay/engine.js';
 import { SessionCache } from './cache.js';
 import { read } from '../read/index.js';
 import { bridgeAvailable, requestBridgeCapture, DEFAULT_SOCKET } from '../bridge/client.js';
+import { signSkillFile } from '../skill/signing.js';
+import { deriveSigningKey } from '../auth/crypto.js';
+import { getMachineId } from '../auth/manager.js';
 export interface BrowseOptions {
   skillsDir?: string;
@@ -61,11 +64,14 @@ async function tryBridgeCapture(
   if (result.success && result.skillFiles && result.skillFiles.length > 0) {
     const skillFiles = result.skillFiles;
-    // Save each skill file to disk
+    // Sign and save each skill file to disk
     try {
       const { writeSkillFile: writeSF } = await import('../skill/store.js');
-      for (const skill of skillFiles) {
-        await writeSF(skill, options.skillsDir);
+      const mid = await getMachineId();
+      const sk = deriveSigningKey(mid);
+      for (let i = 0; i < skillFiles.length; i++) {
+        skillFiles[i] = signSkillFile(skillFiles[i], sk);
+        await writeSF(skillFiles[i], options.skillsDir);
       }
     } catch {
       // Saving failed — still have the data in memory
@@ -202,7 +208,10 @@ export async function browse(
         skill = discovery.skillFile;
         source = 'discovered';
-        // Save to disk
+        // Sign and save to disk (H1: skill files must be signed for verification)
+        const machineId = await getMachineId();
+        const sigKey = deriveSigningKey(machineId);
+        skill = signSkillFile(skill, sigKey);
         const { writeSkillFile: writeSF } = await import('../skill/store.js');
         await writeSF(skill, skillsDir);
         cache?.set(domain, skill, 'discovered');

package/src/plugin.ts CHANGED Viewed

@@ -21,12 +21,17 @@ export interface Plugin {
 export interface PluginOptions {
   skillsDir?: string;
-  /** @internal Skip SSRF check — for testing only */
+  /** @internal Testing only — never expose to external callers (M14) */
   _skipSsrfCheck?: boolean;
 }
 const APITAP_DIR = join(homedir(), '.apitap');
+/** M20: Mark plugin responses as untrusted external content */
+function wrapUntrusted(data: unknown): unknown {
+  return { ...data as Record<string, unknown>, _meta: { externalContent: { untrusted: true } } };
+}
 export function createPlugin(options: PluginOptions = {}): Plugin {
   const skillsDir = options.skillsDir;
@@ -53,7 +58,7 @@ export function createPlugin(options: PluginOptions = {}): Plugin {
     },
     execute: async (args) => {
       const query = args.query as string;
-      return searchSkills(query, skillsDir);
+      return wrapUntrusted(await searchSkills(query, skillsDir));
     },
   };
@@ -88,7 +93,7 @@ export function createPlugin(options: PluginOptions = {}): Plugin {
       const endpointId = args.endpointId as string;
       const params = args.params as Record<string, string> | undefined;
-      const skill = await readSkillFile(domain, skillsDir);
+      const skill = await readSkillFile(domain, skillsDir, { trustUnsigned: true });
       if (!skill) {
         return {
           error: `No skill file found for "${domain}". Use apitap_capture to capture it first.`,
@@ -104,7 +109,7 @@ export function createPlugin(options: PluginOptions = {}): Plugin {
           domain,
           _skipSsrfCheck: options._skipSsrfCheck,
         });
-        return { status: result.status, data: result.data };
+        return wrapUntrusted({ status: result.status, data: result.data });
       } catch (err: any) {
         return { error: err.message };
       }
@@ -142,6 +147,13 @@ export function createPlugin(options: PluginOptions = {}): Plugin {
       const duration = (args.duration as number) ?? 30;
       const allDomains = (args.allDomains as boolean) ?? false;
+      // M19: SSRF validation before capture
+      const { resolveAndValidateUrl } = await import('./skill/ssrf.js');
+      const ssrfCheck = await resolveAndValidateUrl(url);
+      if (!ssrfCheck.safe) {
+        return { error: `Blocked: ${ssrfCheck.reason}` };
+      }
       // Shell out to CLI for capture (it handles browser lifecycle, signing, etc.)
       const { execFile } = await import('node:child_process');
       const { promisify } = await import('node:util');
@@ -155,7 +167,7 @@ export function createPlugin(options: PluginOptions = {}): Plugin {
           timeout: (duration + 30) * 1000,
           env: { ...process.env, ...(skillsDir ? { APITAP_SKILLS_DIR: skillsDir } : {}) },
         });
-        return JSON.parse(stdout);
+        return wrapUntrusted(JSON.parse(stdout));
       } catch (err: any) {
         return { error: `Capture failed: ${err.message}` };
       }

package/src/read/decoders/reddit.ts CHANGED Viewed

@@ -58,9 +58,9 @@ async function recoverDeletedComments(
   const recovered = new Map<string, { author: string; body: string }>();
   if (commentIds.length === 0) return recovered;
-  // Third-party disclosure: PullPush is an external service.
-  // Users can opt out via APITAP_NO_THIRD_PARTY=1.
-  if (process.env.APITAP_NO_THIRD_PARTY === '1') return recovered;
+  // M21: Third-party requests are opt-in, not opt-out.
+  // PullPush is an external service — only contact it if explicitly enabled.
+  if (process.env.APITAP_THIRD_PARTY !== '1') return recovered;
   try {
     const ids = commentIds.join(',');

package/src/replay/engine.ts CHANGED Viewed

@@ -139,6 +139,41 @@ function normalizeOptions(
   return { params: optionsOrParams as Record<string, string> };
 }
+/**
+ * Check if redirect host is safe to send auth to.
+ * Allows exact match or single-level subdomain only (H4 fix).
+ */
+function isSafeAuthRedirectHost(originalHost: string, redirectHost: string): boolean {
+  if (redirectHost === originalHost) return true;
+  if (redirectHost.endsWith('.' + originalHost)) {
+    const prefix = redirectHost.slice(0, -(originalHost.length + 1));
+    // Only allow single-level subdomain (no dots in prefix)
+    return !prefix.includes('.');
+  }
+  return false;
+}
+/**
+ * Strip auth headers from redirect request if cross-domain (H4 fix).
+ * Shared between initial and retry redirect paths.
+ */
+function stripAuthForRedirect(
+  headers: Record<string, string>,
+  originalHost: string,
+  redirectHost: string,
+): Record<string, string> {
+  const redirectHeaders = { ...headers };
+  if (!isSafeAuthRedirectHost(originalHost, redirectHost)) {
+    delete redirectHeaders['authorization'];
+    for (const key of Object.keys(redirectHeaders)) {
+      if (key.toLowerCase() === 'authorization' || redirectHeaders[key] === '[stored]') {
+        delete redirectHeaders[key];
+      }
+    }
+  }
+  return redirectHeaders;
+}
 /**
  * Wrap a 401/403 response with structured auth guidance.
  */
@@ -209,7 +244,7 @@ export async function replayEndpoint(
   // SSRF validation — resolve DNS and check the IP isn't private/internal.
   // We do NOT substitute the IP into the URL because that breaks TLS/SNI
   // for sites behind CDNs (Cloudflare, etc.) where the cert is for the hostname.
-  // The DNS check still prevents rebinding attacks by validating at request time.
+  // M15: We re-validate DNS after fetch to narrow the TOCTOU window.
   const fetchUrl = url.toString();
   if (!options._skipSsrfCheck) {
     const ssrfCheck = await resolveAndValidateUrl(url.toString());
@@ -237,6 +272,19 @@ export async function replayEndpoint(
     }
   }
+  // Domain-lock: verify request URL matches skill domain before injecting auth (C1 fix).
+  // validateSkillFile() enforces baseUrl-domain consistency at load time.
+  // This is defense-in-depth for manually-constructed SkillFile objects.
+  if (authManager && domain && !options._skipSsrfCheck) {
+    const fetchHost = url.hostname;
+    if (fetchHost !== skill.domain && !fetchHost.endsWith('.' + skill.domain)) {
+      throw new Error(
+        `Domain-lock violation: request host "${fetchHost}" does not match skill domain "${skill.domain}". ` +
+        `Auth injection blocked to prevent credential exfiltration.`
+      );
+    }
+  }
   // Inject auth header from auth manager (if available)
   if (authManager && domain) {
     const auth = endpoint.isolatedAuth
@@ -376,6 +424,16 @@ export async function replayEndpoint(
     redirect: 'manual',  // Don't auto-follow redirects
   });
+  // M15: Post-fetch DNS re-validation to narrow TOCTOU window.
+  // Re-resolves DNS and checks if the hostname now points to a private IP
+  // (indicates DNS rebinding attack between our pre-check and the actual connection).
+  if (!options._skipSsrfCheck && url.hostname && !url.hostname.match(/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/)) {
+    const postCheck = await resolveAndValidateUrl(fetchUrl);
+    if (!postCheck.safe) {
+      throw new Error(`DNS rebinding detected (post-fetch): ${postCheck.reason}`);
+    }
+  }
   // Handle redirects with SSRF validation (single hop only)
   if (response.status >= 300 && response.status < 400) {
     const location = response.headers.get('location');
@@ -388,18 +446,8 @@ export async function replayEndpoint(
           throw new Error(`Redirect blocked (SSRF): ${redirectCheck.reason}`);
         }
       }
-      // Strip auth headers before cross-domain redirect
-      const redirectHeaders = { ...headers };
-      const originalHost = url.hostname;
-      const redirectHost = redirectUrl.hostname;
-      if (redirectHost !== originalHost && !redirectHost.endsWith('.' + originalHost)) {
-        delete redirectHeaders['authorization'];
-        for (const key of Object.keys(redirectHeaders)) {
-          if (key.toLowerCase() === 'authorization' || redirectHeaders[key] === '[stored]') {
-            delete redirectHeaders[key];
-          }
-        }
-      }
+      // Strip auth headers before cross-domain redirect (uses shared function)
+      const redirectHeaders = stripAuthForRedirect(headers, url.hostname, redirectUrl.hostname);
       // Follow the redirect manually (single hop to prevent chains)
       response = await fetch(redirectFetchUrl, {
         method: 'GET',  // Redirects typically become GET
@@ -437,7 +485,7 @@ export async function replayEndpoint(
         redirect: 'manual',
       });
-      // Handle redirects on retry (single hop)
+      // Handle redirects on retry (single hop) — with auth stripping (H4 fix)
       if (retryResponse.status >= 300 && retryResponse.status < 400) {
         const location = retryResponse.headers.get('location');
         if (location) {
@@ -449,9 +497,11 @@ export async function replayEndpoint(
               throw new Error(`Redirect blocked (SSRF): ${redirectCheck.reason}`);
             }
           }
+          // Strip auth headers on cross-domain redirect (same logic as initial path)
+          const retryRedirectHeaders = stripAuthForRedirect(headers, url.hostname, redirectUrl.hostname);
           retryResponse = await fetch(retryRedirectFetchUrl, {
             method: 'GET',
-            headers,
+            headers: retryRedirectHeaders,
             signal: AbortSignal.timeout(30_000),
             redirect: 'manual',
           });

package/src/serve.ts CHANGED Viewed

@@ -75,6 +75,8 @@ export function buildServeTools(skill: SkillFile): ServeTool[] {
 export interface ServeOptions {
   skillsDir?: string;
   noAuth?: boolean;
+  /** Allow loading unsigned skill files */
+  trustUnsigned?: boolean;
   /** @internal Skip SSRF validation — for testing only */
   _skipSsrfCheck?: boolean;
 }
@@ -87,7 +89,7 @@ export async function createServeServer(
   domain: string,
   options: ServeOptions = {},
 ): Promise<McpServer> {
-  const skill = await readSkillFile(domain, options.skillsDir);
+  const skill = await readSkillFile(domain, options.skillsDir, { trustUnsigned: options.trustUnsigned });
   if (!skill) {
     throw new Error(`No skill file found for "${domain}". Run: apitap capture ${domain}`);
   }
@@ -146,11 +148,18 @@ export async function createServeServer(
             _skipSsrfCheck: options._skipSsrfCheck,
           });
+          // M22: Mark responses as untrusted external content
           return {
             content: [{
               type: 'text' as const,
               text: JSON.stringify({ status: result.status, data: result.data }),
             }],
+            _meta: {
+              externalContent: {
+                untrusted: true,
+                source: `apitap-serve-${domain}`,
+              },
+            },
           };
         } catch (err: any) {
           console.error('Replay failed:', err instanceof Error ? err.message : String(err));

package/src/skill/generator.ts CHANGED Viewed

@@ -316,10 +316,10 @@ export class SkillGenerator {
     this.totalNetworkBytes += exchange.response.body.length;
     if (this.endpoints.has(key)) {
-      // Store duplicate body for cross-request diffing (Strategy 1)
+      // Store duplicate body for cross-request diffing (Strategy 1) — scrubbed (H3 fix)
       if (exchange.request.postData) {
         const bodies = this.exchangeBodies.get(key);
-        if (bodies) bodies.push(exchange.request.postData);
+        if (bodies) bodies.push(this.scrubBodyString(exchange.request.postData));
       }
       return null;
     }
@@ -455,9 +455,17 @@ export class SkillGenerator {
     this.endpoints.set(key, endpoint);
-    // Store first body for cross-request diffing
+    // Store first body for cross-request diffing (scrub sensitive fields — H3 fix)
     if (exchange.request.postData) {
-      this.exchangeBodies.set(key, [exchange.request.postData]);
+      this.exchangeBodies.set(key, [this.scrubBodyString(exchange.request.postData)]);
+    }
+    // Clear auth values from exchange to reduce credential exposure window (H3 fix)
+    for (const key of Object.keys(exchange.request.headers)) {
+      const lower = key.toLowerCase();
+      if (AUTH_HEADERS.has(lower) || lower === 'cookie') {
+        exchange.request.headers[key] = '[scrubbed]';
+      }
     }
     return endpoint;
@@ -513,6 +521,23 @@ export class SkillGenerator {
     this.totalNetworkBytes += bytes;
   }
+  /**
+   * Scrub sensitive fields from a POST body string for intermediate storage (H3 fix).
+   * Preserves structure for cross-request diffing while removing credentials.
+   */
+  private scrubBodyString(bodyStr: string): string {
+    try {
+      const parsed = JSON.parse(bodyStr);
+      if (typeof parsed === 'object' && parsed !== null) {
+        const scrubbed = scrubBody(parsed, true) as Record<string, unknown>;
+        return JSON.stringify(scrubbed);
+      }
+    } catch {
+      // Non-JSON body — apply PII scrubber
+    }
+    return scrubPII(bodyStr);
+  }
   /** Generate the complete skill file for a domain. */
   toSkillFile(domain: string, options?: { domBytes?: number; totalRequests?: number }): SkillFile {
     // Apply cross-request diffing (Strategy 1) to endpoints with multiple bodies
@@ -559,6 +584,9 @@ export class SkillGenerator {
       };
     }
+    // Clear intermediate body storage to reduce credential exposure window (H3 fix)
+    this.exchangeBodies.clear();
     return skill;
   }
 }

package/src/skill/search.ts CHANGED Viewed

@@ -37,7 +37,7 @@ export async function searchSkills(
   const results: SearchResult[] = [];
   for (const summary of summaries) {
-    const skill = await readSkillFile(summary.domain, skillsDir);
+    const skill = await readSkillFile(summary.domain, skillsDir, { trustUnsigned: true });
     if (!skill) continue;
     const domainLower = skill.domain.toLowerCase();

package/src/skill/signing.ts CHANGED Viewed

@@ -9,7 +9,26 @@ import type { SkillFile } from '../types.js';
  */
 export function canonicalize(skill: SkillFile): string {
   const { signature: _sig, provenance: _prov, ...rest } = skill;
-  return JSON.stringify(rest, Object.keys(rest).sort());
+  return JSON.stringify(sortKeysDeep(rest));
+}
+/**
+ * Recursively sort all object keys for stable canonicalization (M10 fix).
+ * Ensures identical skill files always produce the same canonical string
+ * regardless of key insertion order at any nesting level.
+ */
+function sortKeysDeep(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map(sortKeysDeep);
+  }
+  if (value !== null && typeof value === 'object') {
+    const sorted: Record<string, unknown> = {};
+    for (const key of Object.keys(value as Record<string, unknown>).sort()) {
+      sorted[key] = sortKeysDeep((value as Record<string, unknown>)[key]);
+    }
+    return sorted;
+  }
+  return value;
 }
 /**

package/src/skill/ssrf.ts CHANGED Viewed

@@ -73,8 +73,12 @@ export function validateUrl(urlString: string): ValidationResult {
     return { safe: false, reason: `URL targets IPv6 unique-local address: ${hostname}` };
   }
-  // IPv4 private ranges
-  const ipv4Match = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+  // Normalize IP representations: decimal integer, octal, hex → dotted-decimal (M17 fix)
+  const normalizedIp = normalizeIpv4(hostname);
+  const ipToCheck = normalizedIp ?? hostname;
+  // IPv4 private/reserved ranges (M16: added CGNAT, IETF, benchmarking, reserved)
+  const ipv4Match = ipToCheck.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
   if (ipv4Match) {
     const [, a, b] = ipv4Match.map(Number);
     const first = Number(a);
@@ -104,11 +108,70 @@ export function validateUrl(urlString: string): ValidationResult {
     if (first === 169 && second === 254) {
       return { safe: false, reason: `URL targets link-local address: ${hostname}` };
     }
+    // 100.64.0.0/10 — CGNAT (RFC 6598), used in cloud/Tailscale
+    if (first === 100 && second >= 64 && second <= 127) {
+      return { safe: false, reason: `URL targets CGNAT address: ${hostname}` };
+    }
+    // 192.0.0.0/24 — IETF Protocol Assignments (RFC 6890)
+    if (first === 192 && second === 0 && Number(ipv4Match[3]) === 0) {
+      return { safe: false, reason: `URL targets IETF reserved address: ${hostname}` };
+    }
+    // 198.18.0.0/15 — Benchmarking (RFC 2544)
+    if (first === 198 && (second === 18 || second === 19)) {
+      return { safe: false, reason: `URL targets benchmarking address: ${hostname}` };
+    }
+    // 240.0.0.0/4 — Reserved/future use
+    if (first >= 240) {
+      return { safe: false, reason: `URL targets reserved address: ${hostname}` };
+    }
   }
   return { safe: true };
 }
+/**
+ * Normalize alternative IPv4 representations to dotted-decimal.
+ * Handles decimal integer (2130706433), octal (0177.0.0.1), and hex (0x7f.0.0.1).
+ * Returns null if hostname is not an IP address or can't be parsed.
+ */
+function normalizeIpv4(hostname: string): string | null {
+  // Already standard dotted-decimal
+  if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    return hostname;
+  }
+  // Pure decimal integer (e.g. 2130706433 = 127.0.0.1)
+  if (/^\d+$/.test(hostname)) {
+    const num = parseInt(hostname, 10);
+    if (num >= 0 && num <= 0xFFFFFFFF) {
+      return `${(num >>> 24) & 0xFF}.${(num >>> 16) & 0xFF}.${(num >>> 8) & 0xFF}.${num & 0xFF}`;
+    }
+  }
+  // Dotted with octal (0-prefixed) or hex (0x-prefixed) octets
+  const parts = hostname.split('.');
+  if (parts.length === 4) {
+    const octets: number[] = [];
+    for (const part of parts) {
+      let val: number;
+      if (/^0x[0-9a-f]+$/i.test(part)) {
+        val = parseInt(part, 16);
+      } else if (/^0[0-7]+$/.test(part)) {
+        val = parseInt(part, 8);
+      } else if (/^\d+$/.test(part)) {
+        val = parseInt(part, 10);
+      } else {
+        return null; // Not an IP
+      }
+      if (val < 0 || val > 255) return null;
+      octets.push(val);
+    }
+    return octets.join('.');
+  }
+  return null;
+}
 /**
  * Check if a resolved IP address is in a private/reserved range.
  */
@@ -148,6 +211,10 @@ function isPrivateIp(ip: string): string | null {
   if (first === 192 && second === 168) return 'private (192.168.x)';
   if (first === 169 && second === 254) return 'link-local';
   if (first === 0) return 'unspecified';
+  // M16: additional reserved ranges
+  if (first === 100 && second >= 64 && second <= 127) return 'CGNAT (100.64/10)';
+  if (first === 198 && (second === 18 || second === 19)) return 'benchmarking (198.18/15)';
+  if (first >= 240) return 'reserved (240/4)';
   return null;
 }

package/src/skill/store.ts CHANGED Viewed

@@ -37,7 +37,7 @@ export async function writeSkillFile(
   skill: SkillFile,
   skillsDir: string = DEFAULT_SKILLS_DIR,
 ): Promise<string> {
-  await mkdir(skillsDir, { recursive: true });
+  await mkdir(skillsDir, { recursive: true, mode: 0o700 });
   await ensureGitignore(skillsDir);
   const filePath = skillPath(skill.domain, skillsDir);
   await writeFile(filePath, JSON.stringify(skill, null, 2) + '\n', { mode: 0o600 });
@@ -47,7 +47,12 @@ export async function writeSkillFile(
 export async function readSkillFile(
   domain: string,
   skillsDir: string = DEFAULT_SKILLS_DIR,
-  options?: { verifySignature?: boolean; signingKey?: Buffer }
+  options?: {
+    verifySignature?: boolean;
+    signingKey?: Buffer;
+    /** Allow loading unsigned files without throwing. Tampered signed files still reject. */
+    trustUnsigned?: boolean;
+  }
 ): Promise<SkillFile | null> {
   // Validate domain before file I/O — path traversal should throw, not return null
   const path = skillPath(domain, skillsDir);
@@ -56,18 +61,31 @@ export async function readSkillFile(
     const raw = JSON.parse(content);
     const skill = validateSkillFile(raw);
-    // If verification requested, check signature
-    if (options?.verifySignature && options.signingKey) {
+    // Signature verification is ON by default (H1 fix)
+    const shouldVerify = options?.verifySignature !== false;
+    if (shouldVerify) {
+      // Auto-derive signing key if not provided
+      let signingKey = options?.signingKey;
+      if (!signingKey) {
+        const { deriveSigningKey } = await import('../auth/crypto.js');
+        const { getMachineId } = await import('../auth/manager.js');
+        const machineId = await getMachineId();
+        signingKey = deriveSigningKey(machineId);
+      }
       if (skill.provenance === 'imported') {
-        // Imported files had foreign signature stripped — can't verify, warn only
-        // Future: re-sign on import with local key
+        // Imported files had foreign signature stripped — can't verify
       } else if (!skill.signature) {
-        // Phase 2: warn for unsigned files, don't reject
-        // (user-created or pre-signing files are legitimately unsigned)
-        console.error(`[apitap] Warning: skill file for ${domain} is unsigned`);
+        // Unsigned files are rejected unless trustUnsigned is set
+        if (!options?.trustUnsigned) {
+          throw new Error(
+            `Skill file for ${domain} is unsigned and cannot be verified. ` +
+            `Re-capture or re-import the skill file, or use --trust-unsigned to load it.`
+          );
+        }
       } else {
         const { verifySignature } = await import('./signing.js');
-        if (!verifySignature(skill, options.signingKey)) {
+        if (!verifySignature(skill, signingKey)) {
           throw new Error(`Skill file signature verification failed for ${domain} — file may be tampered`);
         }
       }
@@ -96,7 +114,7 @@ export async function listSkillFiles(
     if (!file.endsWith('.json')) continue;
     const domain = file.replace(/\.json$/, '');
     if (!DOMAIN_RE.test(domain)) continue; // skip non-conforming filenames
-    const skill = await readSkillFile(domain, skillsDir);
+    const skill = await readSkillFile(domain, skillsDir, { trustUnsigned: true });
     if (skill) {
       summaries.push({
         domain: skill.domain,