@i4ctime/q-ring 0.9.6 → 0.9.8

package/dist/mcp.js

@@ -3,6 +3,7 @@ import {
   checkDecay,
   checkExecPolicy,
   checkKeyReadPolicy,
+  checkSSRF,
   checkToolPolicy,
   collapseEnvironment,
   deleteSecret,
@@ -32,7 +33,7 @@ import {
   tunnelList,
   tunnelRead,
   verifyAuditChain
-} from "./chunk-5JBU7TWN.js";
+} from "./chunk-ZV7LRKBA.js";
 
 // src/mcp.ts
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
@@ -411,7 +412,10 @@ async function execCommand(opts2) {
     throw new Error(`Policy Denied: ${policyDecision.reason}`);
   }
   if (profile.denyCommands) {
-    const denied = profile.denyCommands.find((d) => fullCommand.includes(d));
+    const denied = profile.denyCommands.find((d) => {
+      const pattern = new RegExp(`(^|[\\s/])${d.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}(\\s|$)`, "i");
+      return pattern.test(fullCommand);
+    });
     if (denied) {
       throw new Error(`Exec profile "${profile.name}" denies command containing "${denied}"`);
     }
@@ -900,6 +904,10 @@ var httpProvider = {
     if (!url) {
       return { valid: false, status: "unknown", message: "No validation URL configured", latencyMs: 0, provider: "http" };
     }
+    const ssrfBlock = await checkSSRF(url);
+    if (ssrfBlock) {
+      return { valid: false, status: "error", message: `SSRF blocked: ${ssrfBlock}`, latencyMs: Date.now() - start, provider: "http" };
+    }
     try {
       const { statusCode } = await makeRequest(url, {
         Authorization: `Bearer ${value}`,
@@ -1044,7 +1052,10 @@ import { existsSync as existsSync2, readFileSync as readFileSync4, writeFileSync
 import { join as join2 } from "path";
 import { homedir, hostname, userInfo } from "os";
 import { createCipheriv as createCipheriv2, createDecipheriv as createDecipheriv2, createHash, randomBytes as randomBytes3 } from "crypto";
+import { Entry } from "@napi-rs/keyring";
 var MEMORY_FILE = "agent-memory.enc";
+var KEYRING_SERVICE = "qring-memory-key";
+var KEYRING_ACCOUNT = "encryption-key";
 function getMemoryDir() {
   const dir = join2(homedir(), ".config", "q-ring");
   if (!existsSync2(dir)) {
@@ -1055,29 +1066,54 @@ function getMemoryDir() {
 function getMemoryPath() {
   return join2(getMemoryDir(), MEMORY_FILE);
 }
-function deriveKey2() {
+function deriveLegacyKey() {
   const fingerprint = `qring-memory:${hostname()}:${userInfo().username}`;
   return createHash("sha256").update(fingerprint).digest();
 }
-function encrypt(data) {
-  const key = deriveKey2();
+function getOrCreateKey() {
+  try {
+    const entry = new Entry(KEYRING_SERVICE, KEYRING_ACCOUNT);
+    const stored = entry.getPassword();
+    if (stored) return Buffer.from(stored, "base64");
+    const key = randomBytes3(32);
+    entry.setPassword(key.toString("base64"));
+    return key;
+  } catch {
+    console.warn("[q-ring] OS keyring unavailable for memory key \u2014 falling back to machine-derived key");
+    return deriveLegacyKey();
+  }
+}
+function encryptWith(data, key) {
   const iv = randomBytes3(12);
   const cipher = createCipheriv2("aes-256-gcm", key, iv);
   const encrypted = Buffer.concat([cipher.update(data, "utf8"), cipher.final()]);
   const tag = cipher.getAuthTag();
   return `${iv.toString("base64")}:${tag.toString("base64")}:${encrypted.toString("base64")}`;
 }
-function decrypt(blob) {
+function decryptWith(blob, key) {
   const parts = blob.split(":");
   if (parts.length !== 3) throw new Error("Invalid encrypted format");
   const iv = Buffer.from(parts[0], "base64");
   const tag = Buffer.from(parts[1], "base64");
   const encrypted = Buffer.from(parts[2], "base64");
-  const key = deriveKey2();
   const decipher = createDecipheriv2("aes-256-gcm", key, iv);
   decipher.setAuthTag(tag);
   return decipher.update(encrypted) + decipher.final("utf8");
 }
+function encrypt(data) {
+  return encryptWith(data, getOrCreateKey());
+}
+function decrypt(blob) {
+  const key = getOrCreateKey();
+  try {
+    return decryptWith(blob, key);
+  } catch {
+    const legacy = deriveLegacyKey();
+    const plain = decryptWith(blob, legacy);
+    writeFileSync2(getMemoryPath(), encryptWith(plain, key), "utf8");
+    return plain;
+  }
+}
 function loadStore() {
   const path = getMemoryPath();
   if (!existsSync2(path)) {
@@ -1217,10 +1253,8 @@ function createMcpServer() {
         );
       }
       if (params.filter) {
-        const regex = new RegExp(
-          "^" + params.filter.replace(/\*/g, ".*") + "$",
-          "i"
-        );
+        const escaped = params.filter.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+        const regex = new RegExp("^" + escaped + "$", "i");
         entries = entries.filter((e) => regex.test(e.key));
       }
       if (entries.length === 0) return text("No secrets found");
@@ -2191,7 +2225,7 @@ ${result.stderr}`);
       if (dashboardInstance) {
         return text(`Dashboard already running at http://127.0.0.1:${dashboardInstance.port}`);
       }
-      const { startDashboardServer } = await import("./dashboard-Q5OQRQCX.js");
+      const { startDashboardServer } = await import("./dashboard-4H474M2N.js");
       dashboardInstance = startDashboardServer({ port: params.port });
       return text(`Dashboard started at http://127.0.0.1:${dashboardInstance.port}
 Open this URL in a browser to see live quantum status.`);