@jlongo78/agent-spaces 0.9.6 → 0.9.8

package/.next/standalone/docs/plans/2026-03-02-security-audit.md

@@ -1,229 +1,229 @@
-# Spaces Security Audit — Consolidated Report
-
-**Date:** 2026-03-02
-**Auditors:** Spaces (core), Spaces Pro (auth/federation), Spaces Teams (collaboration)
-**Scope:** Full codebase — terminal server, API routes, middleware, database, auth, federation, collaboration, dependencies
-
----
-
-## Executive Summary
-
-Four parallel security audits identified **7 CRITICAL**, **10 HIGH**, **12 MEDIUM**, and **9 LOW** findings across the Spaces codebase. The most urgent issues are:
-
-1. **Federation routes bypass authentication** — the middleware passes any `Bearer` header through without validation
-2. **Session secret leaked to terminal processes** — every PTY inherits `SPACES_SESSION_SECRET`, allowing token forgery
-3. **Supply chain risk** — `@spaces/pro` and `@spaces/teams` use `"*"` version constraints and are loaded without integrity checks
-4. **Timing-unsafe token comparison** in middleware enables byte-by-byte signature brute-forcing
-5. **No rate limiting** on login and TOTP endpoints enables brute-force attacks
-
----
-
-## Findings by Severity
-
-### CRITICAL (7 findings)
-
-#### C1. Federation `/api/network/*` routes bypass auth in middleware
-**File:** `src/middleware.ts:62-64`
-**Auditors:** Spaces (API audit), Spaces Pro, Spaces (DB/deps audit)
-```typescript
-if (pathname.startsWith('/api/network/') && request.headers.get('authorization')?.startsWith('Bearer ')) {
-    return NextResponse.next();
-}
-```
-**Impact:** Any request with `Authorization: Bearer anything` passes middleware for all 18+ network API routes. Individual handlers may validate tokens, but any handler that forgets is completely unprotected. Routes for node management, discovery, proxy, search, and terminal token generation are exposed.
-**Remediation:** Validate the bearer token in middleware (check against `network.db` API keys with scrypt), or remove the bypass and require each handler to validate.
-
-#### C2. Session secret leaked to all terminal processes via `process.env`
-**File:** `bin/terminal-server.js:573-574`, `src/app/api/chat/route.ts:31`
-```javascript
-const env = { ...process.env };
-delete env.CLAUDECODE;
-```
-**Impact:** Every terminal session inherits `SPACES_SESSION_SECRET`. Any user can run `echo $SPACES_SESSION_SECRET` and forge session cookies for any user, including admins. Also leaks `NODE_PATH`, `GH_PAT`, and any other server secrets.
-**Remediation:** Build a minimal allowlist: `{ HOME, USER, SHELL, PATH, TERM, LANG }`. Strip all `SPACES_*` variables and any known secrets.
-
-#### C3. Supply chain — `@spaces/pro` and `@spaces/teams` loaded without integrity checks
-**Files:** `src/lib/pro.ts:7-18`, `src/lib/teams.ts:7-18`, `package.json:84-86`
-```json
-"optionalDependencies": {
-  "@spaces/pro": "*",
-  "@spaces/teams": "*"
-}
-```
-**Impact:** Any package published to the `@spaces` npm scope (or installed locally) is loaded automatically and receives: the raw SQLite database handle, the SSE event manager, delegation of all auth API routes, and the full `process.env`. Version constraint `"*"` accepts anything.
-**Remediation:** Pin to specific versions with known hashes. Validate loaded module structure. Consider a private registry or package provenance checks.
-
-#### C4. Timing-unsafe token comparison in middleware
-**File:** `src/middleware.ts:23`
-```typescript
-if (expectedSig !== sig) return null;
-```
-**Impact:** String `!==` comparison leaks timing information. An attacker can brute-force the HMAC signature byte-by-byte by measuring response times. The terminal server correctly uses `crypto.timingSafeEqual` — the middleware does not.
-**Remediation:** Implement constant-time comparison. Since middleware runs in Edge Runtime (no `crypto.timingSafeEqual`), use XOR-based comparison:
-```typescript
-const a = new TextEncoder().encode(expectedSig);
-const b = new TextEncoder().encode(sig);
-if (a.length !== b.length) return null;
-let result = 0;
-for (let i = 0; i < a.length; i++) result |= a[i] ^ b[i];
-if (result !== 0) return null;
-```
-
-#### C5. TLS verification disabled globally for federation
-**File:** `@spaces/pro client.ts:18-19`
-```typescript
-NODE_TLS_REJECT_UNAUTHORIZED = '0'
-```
-**Impact:** Process-level env var disables TLS certificate verification for ALL outbound connections, not just the federation request. Race condition: concurrent requests can interfere with the flag. Enables MITM attacks on federation traffic, including API key interception.
-**Remediation:** Use per-request TLS configuration via the `https.Agent` `rejectUnauthorized` option instead of a global env var. Or use a custom CA bundle for self-signed federation certs.
-
-#### C6. Command injection via `customCommand` — incomplete blocklist
-**File:** `bin/terminal-server.js:425-427`
-```javascript
-const customCommand = /[;&|`$(){}]/.test(rawCustomCommand) ? '' : rawCustomCommand;
-```
-**Impact:** The blocklist misses: newlines (`\n`, `\r`) which inject additional commands via `term.write(command + '\r')`, redirect operators (`<`, `>`), and backslashes. A payload like `legitimate\nmalicious` passes the regex and executes two commands.
-**Remediation:** Switch to an allowlist: `/^[a-zA-Z0-9._\-/ ]+$/`. Reject embedded newlines/carriage returns explicitly.
-
-#### C7. `/api/chat` route missing `withUser()` auth wrapper
-**File:** `src/app/api/chat/route.ts:8-10`
-```typescript
-export async function POST(request: NextRequest) {
-  const user = getAuthUser(request);
-  const body = await request.json();
-```
-**Impact:** No `withUser()` wrapper means no user context in AsyncLocalStorage. In community mode (no auth), any network client can spawn `claude` processes via this endpoint with arbitrary `cwd`.
-**Remediation:** Wrap handler body in `withUser(user, async () => { ... })`.
-
----
-
-### HIGH (10 findings)
-
-#### H1. Overly broad `isLocal` IP check trusts public internet addresses
-**File:** `bin/terminal-server.js:448`
-```javascript
-remoteIp.startsWith('172.')
-```
-Matches `172.0.0.0/8` instead of just `172.16.0.0/12` (RFC 1918). Public IPs in `172.1.x.x`-`172.15.x.x` are treated as local and can use magic tokens `desktop-local`/`session-auth` for unauthenticated shell access.
-**Fix:** Restrict to `172.16.`-`172.31.` or the specific Docker bridge subnet.
-
-#### H2. No rate limiting on login or TOTP endpoints
-**Files:** `@spaces/pro login.ts`, `@spaces/pro totpVerify.ts`, `src/middleware.ts:48`
-TOTP codes are 6 digits (1M possibilities). At 100 req/s, brute-force takes ~3.3 hours. No account lockout, no exponential backoff.
-**Fix:** Add rate limiting (5 failed attempts → 5-minute lockout). Implement account lockout after repeated failures.
-
-#### H3. TOTP secrets stored in plaintext in SQLite
-**File:** `src/lib/db/schema.ts:110-115`
-The `totp.secret` column is unencrypted. Combined with lax database file permissions (see M3), any system user can extract TOTP secrets.
-**Fix:** Encrypt at rest using a key derived from the session secret. Set database file permissions to `0o600`.
-
-#### H4. Internal API auth uses truncated secret + spoofable Host header
-**File:** `src/middleware.ts:67-70`
-```typescript
-request.headers.get('x-spaces-internal') === (process.env.SPACES_SESSION_SECRET || '').slice(0, 16)
-```
-Only 16 hex chars (64 bits) of the secret are used. `Host` header is client-controlled. An attacker who guesses 64 bits can bypass all auth.
-**Fix:** Use the full secret. Check actual source IP, not the Host header.
-
-#### H5. No concurrent session limits — resource exhaustion
-**File:** `bin/terminal-server.js:308`
-No limit on PTY sessions per user or globally. Leads to memory, CPU, PID, and file descriptor exhaustion.
-**Fix:** Implement `MAX_SESSIONS_PER_USER = 20` and `MAX_SESSIONS_TOTAL = 100`.
-
-#### H6. Cross-pane session takeover via known `paneId`
-**File:** `bin/terminal-server.js:507-539`
-Reattaching to an existing session does not verify the reconnecting user matches the original session owner. Anyone who knows a `paneId` can hijack another user's terminal.
-**Fix:** Add `if (existing.username !== username) { ws.close(); return; }` on reattach.
-
-#### H7. @spaces/teams migration hook receives raw database handle
-**File:** `src/lib/db/schema.ts:188-193`
-`teams.db.runMigrations(db)` passes the unrestricted `better-sqlite3` Database object. A malicious package can execute arbitrary SQL including `DROP TABLE`.
-**Fix:** Run migrations in a transaction. Log all SQL. Validate package integrity.
-
-#### H8. Node management APIs lack auth checks behind bearer bypass
-**Files:** `@spaces/pro nodes.ts`, `nodesById.ts`, `nodesCheck.ts`, `identity.ts`, `discovered.ts`
-These routes don't call `requireNetworkAuth()` and rely on middleware session auth — but the middleware passes any Bearer token through (C1). Result: these endpoints may be accessible with `Authorization: Bearer fake`.
-**Fix:** Resolved by fixing C1, or add `requireNetworkAuth()` to each handler.
-
-#### H9. TOTP setup secret sent to client during login flow
-**File:** `@spaces/pro login.ts:23-29`
-The client submits the `setupSecret` back to the server. An attacker who intercepts the initial response can register their own TOTP device on the victim's account.
-**Fix:** Store the pending secret server-side (keyed by session), not client-side.
-
-#### H10. API key in WebSocket URL query string
-**File:** `bin/terminal-server.js:947-954`
-Federation proxy passes the decrypted API key as a URL query parameter. Appears in server logs, proxy logs, and browser DevTools.
-**Fix:** Pass via WebSocket subprotocol or HTTP header during upgrade handshake.
-
----
-
-### MEDIUM (12 findings)
-
-| ID | Finding | File | Remediation |
-|----|---------|------|-------------|
-| M1 | No WebSocket message size limits (default 100MB) | `terminal-server.js` | Set `maxPayload: 64 * 1024` on WebSocketServer |
-| M2 | No rate limiting on WebSocket connections/messages | `terminal-server.js` | Token bucket per connection, connection rate limit per IP |
-| M3 | Database files created with default umask (not `0o600`) | `schema.ts:16`, `config.ts:61` | `fs.chmodSync(dbPath, 0o600)` after creation |
-| M4 | FTS5 MATCH passes raw user input (DoS via complex queries) | `queries.ts:428` | Escape FTS5 special chars or wrap in double quotes |
-| M5 | `updatePane` accepts arbitrary fields including `nodeId` | `queries.ts:606`, `api/panes/[id]/route.ts:29` | Destructure only allowed fields from request body |
-| M6 | `/api/events` SSE does not scope events by user | `api/events/route.ts:6` | Add user-scoped SSE channels |
-| M7 | Community mode binds to `0.0.0.0` — all routes unprotected | `spaces.js:219`, `middleware.ts:36` | Bind to `127.0.0.1` in community mode |
-| M8 | Session tokens have no revocation mechanism | `@spaces/pro session.ts` | Add token revocation list or reduce TTL |
-| M9 | No CSRF protection beyond SameSite=lax | middleware.ts | Add SameSite=Strict or CSRF tokens |
-| M10 | Password hashing uses scrypt with default params (N=16384) | `@spaces/pro db.ts:66` | Increase to N=32768+ per current recommendations |
-| M11 | API key validation is O(n) — scrypt against every key | `@spaces/pro db.ts:250-263` | Add key prefix lookup to narrow candidates |
-| M12 | `cwd` parameter allows path traversal to sensitive dirs | `terminal-server.js:421`, `chat/route.ts:20` | Validate `cwd` is within user's home or configured devDirectories |
-
----
-
-### LOW (9 findings)
-
-| ID | Finding | File |
-|----|---------|------|
-| L1 | Auth credentials in WebSocket URL query strings (logged) | `terminal-server.js:444` |
-| L2 | Console logs show partial token/key material | `terminal-server.js:437,470` |
-| L3 | Sync error response leaks internal error details | `api/sync/route.ts:20` |
-| L4 | `/api/tier` exposes deployment config without auth | `api/tier/route.ts:6` |
-| L5 | Raw WebSocket fallback writes unstructured data to PTY | `terminal-server.js:750` |
-| L6 | `cols`/`rows` not validated for resize messages | `terminal-server.js:525` |
-| L7 | `addCol` uses string interpolation in ALTER TABLE (hardcoded, safe) | `schema.ts:119` |
-| L8 | Error messages reveal user TOTP enrollment status | `@spaces/pro login.ts:18` |
-| L9 | Silent catch blocks in login audit logging | `@spaces/pro login.ts:45,60` |
-
----
-
-## Positive Findings (Done Well)
-
-- **SQL injection prevention** — All queries in `queries.ts` use parameterized statements consistently
-- **Sort column allowlist** — `ORDER BY` uses a hardcoded allowlist, not user input
-- **Folders endpoint path validation** — `/api/folders` validates paths against `devDirectories`
-- **Agent session ID validation** — UUID regex validation prevents injection
-- **Secret file permissions** — `session_secret` and `terminal_secret` use `0o600`
-- **Terminal server token comparison** — Uses `crypto.timingSafeEqual` (unlike middleware)
-- **SSH path escaping** — Properly escapes single quotes in CWD for SSH sessions
-- **Config update allowlist** — `/api/config` PUT only accepts `telemetryOptOut` and `devDirectories`
-
----
-
-## Priority Remediation Roadmap
-
-### Immediate (this week)
-1. **C2** — Strip `SPACES_SESSION_SECRET` from terminal process environment
-2. **C1** — Validate bearer tokens in middleware, not just check for existence
-3. **C4** — Constant-time token comparison in middleware
-4. **H1** — Fix `172.x` IP range to only match RFC 1918 private space
-5. **C6** — Switch customCommand to allowlist regex
-
-### Short-term (next 2 weeks)
-6. **H2** — Rate limiting on login and TOTP endpoints
-7. **H3** — Encrypt TOTP secrets at rest, restrict DB file permissions
-8. **H5** — Session count limits (per-user and global)
-9. **H6** — Username verification on session reattach
-10. **C5** — Per-request TLS config instead of global env var
-
-### Medium-term (next month)
-11. **C3** — Package integrity verification for optional dependencies
-12. **M7** — Bind community mode to localhost
-13. **M9** — CSRF protection
-14. **H4** — Full secret for internal API auth, source IP verification
-15. **M1-M2** — WebSocket size limits and rate limiting
+# Spaces Security Audit — Consolidated Report
+
+**Date:** 2026-03-02
+**Auditors:** Spaces (core), Spaces Pro (auth/federation), Spaces Teams (collaboration)
+**Scope:** Full codebase — terminal server, API routes, middleware, database, auth, federation, collaboration, dependencies
+
+---
+
+## Executive Summary
+
+Four parallel security audits identified **7 CRITICAL**, **10 HIGH**, **12 MEDIUM**, and **9 LOW** findings across the Spaces codebase. The most urgent issues are:
+
+1. **Federation routes bypass authentication** — the middleware passes any `Bearer` header through without validation
+2. **Session secret leaked to terminal processes** — every PTY inherits `SPACES_SESSION_SECRET`, allowing token forgery
+3. **Supply chain risk** — `@spaces/pro` and `@spaces/teams` use `"*"` version constraints and are loaded without integrity checks
+4. **Timing-unsafe token comparison** in middleware enables byte-by-byte signature brute-forcing
+5. **No rate limiting** on login and TOTP endpoints enables brute-force attacks
+
+---
+
+## Findings by Severity
+
+### CRITICAL (7 findings)
+
+#### C1. Federation `/api/network/*` routes bypass auth in middleware
+**File:** `src/middleware.ts:62-64`
+**Auditors:** Spaces (API audit), Spaces Pro, Spaces (DB/deps audit)
+```typescript
+if (pathname.startsWith('/api/network/') && request.headers.get('authorization')?.startsWith('Bearer ')) {
+    return NextResponse.next();
+}
+```
+**Impact:** Any request with `Authorization: Bearer anything` passes middleware for all 18+ network API routes. Individual handlers may validate tokens, but any handler that forgets is completely unprotected. Routes for node management, discovery, proxy, search, and terminal token generation are exposed.
+**Remediation:** Validate the bearer token in middleware (check against `network.db` API keys with scrypt), or remove the bypass and require each handler to validate.
+
+#### C2. Session secret leaked to all terminal processes via `process.env`
+**File:** `bin/terminal-server.js:573-574`, `src/app/api/chat/route.ts:31`
+```javascript
+const env = { ...process.env };
+delete env.CLAUDECODE;
+```
+**Impact:** Every terminal session inherits `SPACES_SESSION_SECRET`. Any user can run `echo $SPACES_SESSION_SECRET` and forge session cookies for any user, including admins. Also leaks `NODE_PATH`, `GH_PAT`, and any other server secrets.
+**Remediation:** Build a minimal allowlist: `{ HOME, USER, SHELL, PATH, TERM, LANG }`. Strip all `SPACES_*` variables and any known secrets.
+
+#### C3. Supply chain — `@spaces/pro` and `@spaces/teams` loaded without integrity checks
+**Files:** `src/lib/pro.ts:7-18`, `src/lib/teams.ts:7-18`, `package.json:84-86`
+```json
+"optionalDependencies": {
+  "@spaces/pro": "*",
+  "@spaces/teams": "*"
+}
+```
+**Impact:** Any package published to the `@spaces` npm scope (or installed locally) is loaded automatically and receives: the raw SQLite database handle, the SSE event manager, delegation of all auth API routes, and the full `process.env`. Version constraint `"*"` accepts anything.
+**Remediation:** Pin to specific versions with known hashes. Validate loaded module structure. Consider a private registry or package provenance checks.
+
+#### C4. Timing-unsafe token comparison in middleware
+**File:** `src/middleware.ts:23`
+```typescript
+if (expectedSig !== sig) return null;
+```
+**Impact:** String `!==` comparison leaks timing information. An attacker can brute-force the HMAC signature byte-by-byte by measuring response times. The terminal server correctly uses `crypto.timingSafeEqual` — the middleware does not.
+**Remediation:** Implement constant-time comparison. Since middleware runs in Edge Runtime (no `crypto.timingSafeEqual`), use XOR-based comparison:
+```typescript
+const a = new TextEncoder().encode(expectedSig);
+const b = new TextEncoder().encode(sig);
+if (a.length !== b.length) return null;
+let result = 0;
+for (let i = 0; i < a.length; i++) result |= a[i] ^ b[i];
+if (result !== 0) return null;
+```
+
+#### C5. TLS verification disabled globally for federation
+**File:** `@spaces/pro client.ts:18-19`
+```typescript
+NODE_TLS_REJECT_UNAUTHORIZED = '0'
+```
+**Impact:** Process-level env var disables TLS certificate verification for ALL outbound connections, not just the federation request. Race condition: concurrent requests can interfere with the flag. Enables MITM attacks on federation traffic, including API key interception.
+**Remediation:** Use per-request TLS configuration via the `https.Agent` `rejectUnauthorized` option instead of a global env var. Or use a custom CA bundle for self-signed federation certs.
+
+#### C6. Command injection via `customCommand` — incomplete blocklist
+**File:** `bin/terminal-server.js:425-427`
+```javascript
+const customCommand = /[;&|`$(){}]/.test(rawCustomCommand) ? '' : rawCustomCommand;
+```
+**Impact:** The blocklist misses: newlines (`\n`, `\r`) which inject additional commands via `term.write(command + '\r')`, redirect operators (`<`, `>`), and backslashes. A payload like `legitimate\nmalicious` passes the regex and executes two commands.
+**Remediation:** Switch to an allowlist: `/^[a-zA-Z0-9._\-/ ]+$/`. Reject embedded newlines/carriage returns explicitly.
+
+#### C7. `/api/chat` route missing `withUser()` auth wrapper
+**File:** `src/app/api/chat/route.ts:8-10`
+```typescript
+export async function POST(request: NextRequest) {
+  const user = getAuthUser(request);
+  const body = await request.json();
+```
+**Impact:** No `withUser()` wrapper means no user context in AsyncLocalStorage. In community mode (no auth), any network client can spawn `claude` processes via this endpoint with arbitrary `cwd`.
+**Remediation:** Wrap handler body in `withUser(user, async () => { ... })`.
+
+---
+
+### HIGH (10 findings)
+
+#### H1. Overly broad `isLocal` IP check trusts public internet addresses
+**File:** `bin/terminal-server.js:448`
+```javascript
+remoteIp.startsWith('172.')
+```
+Matches `172.0.0.0/8` instead of just `172.16.0.0/12` (RFC 1918). Public IPs in `172.1.x.x`-`172.15.x.x` are treated as local and can use magic tokens `desktop-local`/`session-auth` for unauthenticated shell access.
+**Fix:** Restrict to `172.16.`-`172.31.` or the specific Docker bridge subnet.
+
+#### H2. No rate limiting on login or TOTP endpoints
+**Files:** `@spaces/pro login.ts`, `@spaces/pro totpVerify.ts`, `src/middleware.ts:48`
+TOTP codes are 6 digits (1M possibilities). At 100 req/s, brute-force takes ~3.3 hours. No account lockout, no exponential backoff.
+**Fix:** Add rate limiting (5 failed attempts → 5-minute lockout). Implement account lockout after repeated failures.
+
+#### H3. TOTP secrets stored in plaintext in SQLite
+**File:** `src/lib/db/schema.ts:110-115`
+The `totp.secret` column is unencrypted. Combined with lax database file permissions (see M3), any system user can extract TOTP secrets.
+**Fix:** Encrypt at rest using a key derived from the session secret. Set database file permissions to `0o600`.
+
+#### H4. Internal API auth uses truncated secret + spoofable Host header
+**File:** `src/middleware.ts:67-70`
+```typescript
+request.headers.get('x-spaces-internal') === (process.env.SPACES_SESSION_SECRET || '').slice(0, 16)
+```
+Only 16 hex chars (64 bits) of the secret are used. `Host` header is client-controlled. An attacker who guesses 64 bits can bypass all auth.
+**Fix:** Use the full secret. Check actual source IP, not the Host header.
+
+#### H5. No concurrent session limits — resource exhaustion
+**File:** `bin/terminal-server.js:308`
+No limit on PTY sessions per user or globally. Leads to memory, CPU, PID, and file descriptor exhaustion.
+**Fix:** Implement `MAX_SESSIONS_PER_USER = 20` and `MAX_SESSIONS_TOTAL = 100`.
+
+#### H6. Cross-pane session takeover via known `paneId`
+**File:** `bin/terminal-server.js:507-539`
+Reattaching to an existing session does not verify the reconnecting user matches the original session owner. Anyone who knows a `paneId` can hijack another user's terminal.
+**Fix:** Add `if (existing.username !== username) { ws.close(); return; }` on reattach.
+
+#### H7. @spaces/teams migration hook receives raw database handle
+**File:** `src/lib/db/schema.ts:188-193`
+`teams.db.runMigrations(db)` passes the unrestricted `better-sqlite3` Database object. A malicious package can execute arbitrary SQL including `DROP TABLE`.
+**Fix:** Run migrations in a transaction. Log all SQL. Validate package integrity.
+
+#### H8. Node management APIs lack auth checks behind bearer bypass
+**Files:** `@spaces/pro nodes.ts`, `nodesById.ts`, `nodesCheck.ts`, `identity.ts`, `discovered.ts`
+These routes don't call `requireNetworkAuth()` and rely on middleware session auth — but the middleware passes any Bearer token through (C1). Result: these endpoints may be accessible with `Authorization: Bearer fake`.
+**Fix:** Resolved by fixing C1, or add `requireNetworkAuth()` to each handler.
+
+#### H9. TOTP setup secret sent to client during login flow
+**File:** `@spaces/pro login.ts:23-29`
+The client submits the `setupSecret` back to the server. An attacker who intercepts the initial response can register their own TOTP device on the victim's account.
+**Fix:** Store the pending secret server-side (keyed by session), not client-side.
+
+#### H10. API key in WebSocket URL query string
+**File:** `bin/terminal-server.js:947-954`
+Federation proxy passes the decrypted API key as a URL query parameter. Appears in server logs, proxy logs, and browser DevTools.
+**Fix:** Pass via WebSocket subprotocol or HTTP header during upgrade handshake.
+
+---
+
+### MEDIUM (12 findings)
+
+| ID | Finding | File | Remediation |
+|----|---------|------|-------------|
+| M1 | No WebSocket message size limits (default 100MB) | `terminal-server.js` | Set `maxPayload: 64 * 1024` on WebSocketServer |
+| M2 | No rate limiting on WebSocket connections/messages | `terminal-server.js` | Token bucket per connection, connection rate limit per IP |
+| M3 | Database files created with default umask (not `0o600`) | `schema.ts:16`, `config.ts:61` | `fs.chmodSync(dbPath, 0o600)` after creation |
+| M4 | FTS5 MATCH passes raw user input (DoS via complex queries) | `queries.ts:428` | Escape FTS5 special chars or wrap in double quotes |
+| M5 | `updatePane` accepts arbitrary fields including `nodeId` | `queries.ts:606`, `api/panes/[id]/route.ts:29` | Destructure only allowed fields from request body |
+| M6 | `/api/events` SSE does not scope events by user | `api/events/route.ts:6` | Add user-scoped SSE channels |
+| M7 | Community mode binds to `0.0.0.0` — all routes unprotected | `spaces.js:219`, `middleware.ts:36` | Bind to `127.0.0.1` in community mode |
+| M8 | Session tokens have no revocation mechanism | `@spaces/pro session.ts` | Add token revocation list or reduce TTL |
+| M9 | No CSRF protection beyond SameSite=lax | middleware.ts | Add SameSite=Strict or CSRF tokens |
+| M10 | Password hashing uses scrypt with default params (N=16384) | `@spaces/pro db.ts:66` | Increase to N=32768+ per current recommendations |
+| M11 | API key validation is O(n) — scrypt against every key | `@spaces/pro db.ts:250-263` | Add key prefix lookup to narrow candidates |
+| M12 | `cwd` parameter allows path traversal to sensitive dirs | `terminal-server.js:421`, `chat/route.ts:20` | Validate `cwd` is within user's home or configured devDirectories |
+
+---
+
+### LOW (9 findings)
+
+| ID | Finding | File |
+|----|---------|------|
+| L1 | Auth credentials in WebSocket URL query strings (logged) | `terminal-server.js:444` |
+| L2 | Console logs show partial token/key material | `terminal-server.js:437,470` |
+| L3 | Sync error response leaks internal error details | `api/sync/route.ts:20` |
+| L4 | `/api/tier` exposes deployment config without auth | `api/tier/route.ts:6` |
+| L5 | Raw WebSocket fallback writes unstructured data to PTY | `terminal-server.js:750` |
+| L6 | `cols`/`rows` not validated for resize messages | `terminal-server.js:525` |
+| L7 | `addCol` uses string interpolation in ALTER TABLE (hardcoded, safe) | `schema.ts:119` |
+| L8 | Error messages reveal user TOTP enrollment status | `@spaces/pro login.ts:18` |
+| L9 | Silent catch blocks in login audit logging | `@spaces/pro login.ts:45,60` |
+
+---
+
+## Positive Findings (Done Well)
+
+- **SQL injection prevention** — All queries in `queries.ts` use parameterized statements consistently
+- **Sort column allowlist** — `ORDER BY` uses a hardcoded allowlist, not user input
+- **Folders endpoint path validation** — `/api/folders` validates paths against `devDirectories`
+- **Agent session ID validation** — UUID regex validation prevents injection
+- **Secret file permissions** — `session_secret` and `terminal_secret` use `0o600`
+- **Terminal server token comparison** — Uses `crypto.timingSafeEqual` (unlike middleware)
+- **SSH path escaping** — Properly escapes single quotes in CWD for SSH sessions
+- **Config update allowlist** — `/api/config` PUT only accepts `telemetryOptOut` and `devDirectories`
+
+---
+
+## Priority Remediation Roadmap
+
+### Immediate (this week)
+1. **C2** — Strip `SPACES_SESSION_SECRET` from terminal process environment
+2. **C1** — Validate bearer tokens in middleware, not just check for existence
+3. **C4** — Constant-time token comparison in middleware
+4. **H1** — Fix `172.x` IP range to only match RFC 1918 private space
+5. **C6** — Switch customCommand to allowlist regex
+
+### Short-term (next 2 weeks)
+6. **H2** — Rate limiting on login and TOTP endpoints
+7. **H3** — Encrypt TOTP secrets at rest, restrict DB file permissions
+8. **H5** — Session count limits (per-user and global)
+9. **H6** — Username verification on session reattach
+10. **C5** — Per-request TLS config instead of global env var
+
+### Medium-term (next month)
+11. **C3** — Package integrity verification for optional dependencies
+12. **M7** — Bind community mode to localhost
+13. **M9** — CSRF protection
+14. **H4** — Full secret for internal API auth, source IP verification
+15. **M1-M2** — WebSocket size limits and rate limiting