@luanpdd/kit-mcp 1.12.1 → 1.14.0

package/kit/hooks/post-apply-migration.js

@@ -1,5 +1,7 @@
 #!/usr/bin/env node
-// hook-version: 1.4.0
+// hook-version: 1.4.1
+// SEC-13-05: flush-before-exit category = A (stderr.write + immediate exit)
+// Fix applied: process.stderr.write(summary, () => process.exit(0)) on success path.
 // kit-mcp · Post-apply Migration Hook (PostToolUse)
 //
 // Triggers automatically AFTER a successful Supabase MCP apply_migration call.
@@ -104,12 +106,18 @@ process.stdin.on('end', () => {
     }
 
     // The final advisory printed back to Claude (and to the user via stderr)
+    // SEC-13-05: aguardar flush do stderr antes do exit. Sem callback, o
+    // resumo final pode ser dropado em pipes lentos (CI/Windows). Os outros
+    // process.stderr.write intermediários (linhas ~71/87/93/100) NÃO precisam
+    // do callback porque o process continua executando após eles — o event
+    // loop drena o buffer naturalmente antes do próximo write.
     if (mirroredPath || stubPath) {
       const lines = ['[post-apply-migration] resumo:'];
       if (mirroredPath) lines.push(`  • SQL: ${path.relative(projectRoot, mirroredPath)}`);
       if (stubPath)     lines.push(`  • Stub: ${path.relative(vault, stubPath)}`);
       lines.push('  → cofre Obsidian: edite o stub e commite quando puder.');
-      process.stderr.write(lines.join('\n') + '\n');
+      process.stderr.write(lines.join('\n') + '\n', () => process.exit(0));
+      return;
     }
 
     process.exit(0);

package/kit/hooks/prompt-guard.js

@@ -1,5 +1,7 @@
 #!/usr/bin/env node
-// hook-version: 1.30.0
+// hook-version: 1.30.1
+// SEC-13-05: flush-before-exit category = A (stdout.write + immediate exit)
+// Fix applied: process.stdout.write(payload, () => process.exit(0)) on warning path.
 // framework Prompt Injection Guard — PreToolUse hook
 // Scans file content being written to .planning/ for prompt injection patterns.
 // Defense-in-depth: catches injected instructions before they enter agent context.
@@ -88,7 +90,12 @@ process.stdin.on('end', () => {
       },
     };
 
-    process.stdout.write(JSON.stringify(output));
+    // SEC-13-05: aguardar flush do stdout antes do exit. Sem callback, em
+    // pipes lentos (CI/Windows/Git Bash) o JSON pode ser dropado quando o
+    // process termina antes do kernel drenar o buffer.
+    process.stdout.write(JSON.stringify(output), () => {
+      process.exit(0);
+    });
   } catch {
     // Silent fail — never block tool execution
     process.exit(0);

package/kit/hooks/sidecar-tool-publisher.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-// hook-version: 1.6.1
+// hook-version: 1.14.0
 // kit-mcp · Sidecar Tool Publisher (PostToolUse)
 //
 // Publishes every Claude Code tool invocation to the kit-mcp sidecar so the
@@ -52,12 +52,13 @@ process.stdin.on('end', () => {
     // kit-mcp-ui-*.lock files in tmpdir and pick one that healthz-responds.
     // This makes the hook resilient to projectRoot mismatch (case, separators,
     // trailing slash, parent-of-project edits, etc).
-    let port = readSidecarPort(projectRoot);
-    if (!port) port = scanAnyRunningSidecar();
-    if (!port) {
+    let sidecar = readSidecarLock(projectRoot);
+    if (!sidecar) sidecar = scanAnyRunningSidecar();
+    if (!sidecar) {
       debugLog({ phase: 'no_sidecar', projectRoot });
       process.exit(0);
     }
+    const { port, token } = sidecar;
 
     const payload = {
       tool: toolName,
@@ -74,29 +75,34 @@ process.stdin.on('end', () => {
       payload,
     };
 
-    publish(port, event).then(() => process.exit(0));
+    publish(port, token, event).then(() => process.exit(0));
   } catch (err) {
     process.stderr.write(`[sidecar-tool-publisher] ${err.message}\n`);
     process.exit(0);
   }
 });
 
-function readSidecarPort(projectRoot) {
+function readSidecarLock(projectRoot) {
   // Mirror src/ui/lockfile.js#lockPathFor (sha1(projectRoot).slice(0,16))
   try {
     const hash = crypto.createHash('sha1').update(projectRoot).digest('hex').slice(0, 16);
     const lockPath = path.join(os.tmpdir(), `kit-mcp-ui-${hash}.lock`);
     const raw = fs.readFileSync(lockPath, 'utf8');
     const lock = JSON.parse(raw);
-    return typeof lock.port === 'number' ? lock.port : null;
+    if (typeof lock.port !== 'number') return null;
+    return {
+      port: lock.port,
+      // SEC-14-02 (kit-mcp v1.14+): null for sidecars from v1.13 and earlier.
+      token: typeof lock.token === 'string' && /^[0-9a-f]{64}$/.test(lock.token) ? lock.token : null,
+    };
   } catch {
     return null;
   }
 }
 
-// Scan os.tmpdir() for any kit-mcp-ui-*.lock and return the first valid port.
-// Used as a fallback when projectRoot doesn't match any known lockfile (case
-// variants, separator differences, parent-dir edits, etc).
+// Scan os.tmpdir() for any kit-mcp-ui-*.lock and return the first { port, token }
+// of a live sidecar. Used as a fallback when projectRoot doesn't match any
+// known lockfile (case variants, separator differences, parent-dir edits, etc).
 function scanAnyRunningSidecar() {
   try {
     const dir = os.tmpdir();
@@ -107,8 +113,16 @@ function scanAnyRunningSidecar() {
         const raw = fs.readFileSync(path.join(dir, name), 'utf8');
         const lock = JSON.parse(raw);
         if (typeof lock.port === 'number' && typeof lock.pid === 'number') {
-          // Best-effort liveness check.
-          try { process.kill(lock.pid, 0); return lock.port; } catch { /* dead */ }
+          try {
+            process.kill(lock.pid, 0);
+            // SEC-14-02: return token from same lockfile so cross-project
+            // publishing can authenticate. If token missing (older sidecar),
+            // returns null → publish degrades to 401 silent-fail.
+            return {
+              port: lock.port,
+              token: typeof lock.token === 'string' && /^[0-9a-f]{64}$/.test(lock.token) ? lock.token : null,
+            };
+          } catch { /* dead */ }
         }
       } catch { /* skip unreadable */ }
     }
@@ -158,7 +172,7 @@ function detectIde() {
   return 'unknown';
 }
 
-function publish(port, event) {
+function publish(port, token, event) {
   return new Promise((resolve) => {
     const body = JSON.stringify(event);
     const req = http.request({
@@ -173,9 +187,17 @@ function publish(port, event) {
         'content-length': Buffer.byteLength(body, 'utf8'),
         origin: `http://127.0.0.1:${port}`,
         connection: 'close',
+        // SEC-14-02: token is null for sidecars from v1.13 and earlier; in that
+        // case we omit the header and the server returns 401, which the hook
+        // silent-fails on (matching pre-existing soft-fail discipline). A
+        // shipped hook v1.14 talking to a still-running sidecar v1.13 just
+        // loses the event — acceptable trade-off.
+        ...(token ? { authorization: `Bearer ${token}` } : {}),
       },
     }, (res) => {
-      // Drain response body to ensure server has fully processed before resolve
+      // Drain response body to ensure server has fully processed before resolve.
+      // v1.12.1 fix: await BOTH 'end' and 'close' to avoid premature exit before
+      // sidecar publishes via SSE. Preserve that pattern here.
       res.resume();
       res.on('end', resolve);
       res.on('close', resolve);

package/kit/hooks/statusline.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 // hook-version: 1.30.0
+// SEC-13-05: flush-before-exit category = C (no process.exit, natural termination flushes) — no fix needed
 // Claude Code Statusline - Edition
 // Shows: model | current task | directory | context usage
 
@@ -107,6 +108,11 @@ process.stdin.on('end', () => {
     }
 
     // Output
+    // SEC-13-05: statusline termina naturalmente após este write — Node
+    // garante o flush antes do process exit quando não há process.exit
+    // explícito. NÃO converter para process.stdout.write(x, callback) +
+    // process.exit() — isso introduziria um early-exit que poderia
+    // truncar saída em casos onde o write é maior que o buffer do pipe.
     const dirname = path.basename(dir);
     if (task) {
       process.stdout.write(`${updateNotice}\x1b[2m${model}\x1b[0m │ \x1b[1m${task}\x1b[0m │ \x1b[2m${dirname}\x1b[0m${ctx}`);

package/kit/hooks/workflow-guard.js

@@ -1,5 +1,7 @@
 #!/usr/bin/env node
-// hook-version: 1.30.0
+// hook-version: 1.30.1
+// SEC-13-05: flush-before-exit category = A (stdout.write + immediate exit)
+// Fix applied: process.stdout.write(payload, () => process.exit(0)) on warning path.
 // framework Workflow Guard — PreToolUse hook
 // Detects when Claude attempts file edits outside a framework workflow context
 // (no active / command or Task subagent) and injects an advisory warning.
@@ -86,7 +88,12 @@ process.stdin.on('end', () => {
       }
     };
 
-    process.stdout.write(JSON.stringify(output));
+    // SEC-13-05: aguardar flush do stdout antes do exit. Sem callback, em
+    // pipes lentos (CI/Windows/Git Bash) o JSON pode ser dropado quando o
+    // process termina antes do kernel drenar o buffer.
+    process.stdout.write(JSON.stringify(output), () => {
+      process.exit(0);
+    });
   } catch (e) {
     // Silent fail — never block tool execution
     process.exit(0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@luanpdd/kit-mcp",
-  "version": "1.12.1",
+  "version": "1.14.0",
   "description": "Generic infrastructure to ship YOUR personal kit of agents/commands/skills as an MCP server, with cross-IDE sync (Claude Code, Cursor, Codex, Gemini, Windsurf, Antigravity, Copilot, Trae).",
   "type": "module",
   "bin": {
@@ -16,7 +16,6 @@
     "kit/",
     "gates/",
     "README.md",
-    "CHANGELOG.md",
     "LICENSE"
   ],
   "keywords": [

package/src/cli/index.js

@@ -18,7 +18,7 @@ import { fileURLToPath } from 'node:url';
 import path from 'node:path';
 import { listKit, searchKit, findItem } from '../core/kit.js';
 import { listTargets } from '../core/registry.js';
-import { syncTo, statusOf, removeFrom } from '../core/sync.js';
+import { syncTo, statusOf, removeFrom, summarize } from '../core/sync.js';
 import { watchKit, detectExistingTargets } from '../core/watch.js';
 import { listGates, getGate, gatesForStage } from '../core/gates.js';
 import { runGate } from '../core/gate-runner.js';
@@ -148,7 +148,10 @@ function fail(msg) {
 }
 
 function slim(x) {
-  return { kind: x.kind, name: x.name, description: x.description };
+  // PERF-13-01: cap description at SUMMARY_MAX_CHARS via shared summarize()
+  // helper from src/core/sync.js — keeps cross-surface behavior identical
+  // (CLI listing == MCP listing). Full text remains in each item's source file.
+  return { kind: x.kind, name: x.name, description: summarize(x.description) };
 }
 
 // --- kit ---
@@ -426,7 +429,7 @@ ui.command('stop')
     const lock = readLock(projectRoot);
     if (!lock) return out({ ok: false, reason: 'no_sidecar' }, () => `${icons.warn} no sidecar running for this project\n`);
     try {
-      await postShutdown(lock.port);
+      await postShutdown(lock.port, lock.token);
       out({ ok: true, port: lock.port }, () => `${icons.check} sidecar at port ${lock.port} stopped\n`);
     } catch (err) {
       fail(`could not stop sidecar at port ${lock.port}: ${err.message}`);
@@ -637,15 +640,24 @@ async function runDoctorChecks(projectRoot) {
 }
 
 // Helpers for kit ui (live in cli/ — stdout/console allowed here)
-async function postShutdown(port) {
+// SEC-14-02: /shutdown now requires Authorization Bearer <token>. Caller must
+// pass the per-process token read from the lockfile (lock.token from readLock).
+async function postShutdown(port, token) {
   return new Promise((resolve, reject) => {
+    const headers = {
+      host: `127.0.0.1:${port}`,
+      origin: `http://127.0.0.1:${port}`,
+      'content-length': 0,
+      connection: 'close',
+    };
+    if (token) headers.authorization = `Bearer ${token}`;
     const req = http.request({
       method: 'POST',
       host: '127.0.0.1',
       port,
       path: '/shutdown',
       agent: false,
-      headers: { host: `127.0.0.1:${port}`, origin: `http://127.0.0.1:${port}`, 'content-length': 0, connection: 'close' },
+      headers,
     }, (res) => {
       res.resume();
       res.on('end', () => res.statusCode < 400 ? resolve() : reject(new Error(`http_${res.statusCode}`)));

package/src/core/error-redaction.js

@@ -0,0 +1,76 @@
+// SEC-14-06 — central redaction helpers shared by mcp-server, reflect, and replays.
+//
+// Pure module: no I/O, no globals other than the constant regex set.
+//
+// Why a single choke point: the threat model is "leakage of API keys, Bearer
+// tokens, and absolute filesystem paths through MCP error envelopes / persisted
+// replays". Scattering redaction across each call site invites drift. One file,
+// one regex set, three import sites — and a single grep proves coverage.
+//
+// Order rationale (PATTERNS array):
+//   1. sk-ant-* before sk-* — Anthropic prefix is more specific. (In practice
+//      the openai pattern's [A-Za-z0-9] character class would NOT swallow
+//      "sk-ant-" because of the dash, but ordering keeps intent legible.)
+//   2. x-api-key header before Bearer — both are distinct shapes; order is
+//      arbitrary but stable.
+//   3. Path patterns last — broadest character class, matched after specific
+//      secrets so a secret that contains slash-like characters has been
+//      stripped already.
+//
+// Non-false-positive contract (verified by test/unit/error-redaction.test.js):
+//   - "Compare A:B" stays unchanged          (no `\` or `/` after `:`)
+//   - "Modal: hello"  stays unchanged        (no `\` or `/` after `:`)
+//   - "Visit https://example.com/path" stays (lowercase scheme, no Drive: pattern)
+//   - "Bearer x"      stays unchanged        (1 char, below 20 minimum)
+//   - "sk-foo"        stays unchanged        (3 chars after sk-, below 20 minimum)
+//   - "see /etc/passwd" stays unchanged      (etc not in {home,Users,root} allowlist)
+//
+// Idempotency: redactSecrets(redactSecrets(x)) === redactSecrets(x). The
+// substitution strings ('[REDACTED:*]', '[PATH]', etc.) contain no characters
+// that match any of the patterns themselves.
+
+const PATTERNS = [
+  { re: /sk-ant-[A-Za-z0-9_\-]{20,}/g,        sub: '[REDACTED:anthropic_key]' },
+  { re: /sk-[A-Za-z0-9]{20,}/g,                sub: '[REDACTED:openai_key]' },
+  { re: /x-api-key\s*:\s*[^\s,;'"]+/gi,        sub: 'x-api-key: [REDACTED]' },
+  { re: /Bearer\s+[A-Za-z0-9._\-]{20,}/gi,     sub: 'Bearer [REDACTED]' },
+  { re: /[A-Z]:[\\\/][^\s'"`<>]+/g,            sub: '[PATH]' },
+  { re: /\/(home|Users|root)\/[^\s'"`<>]+/g,   sub: '[PATH]' },
+];
+
+/**
+ * Strip secrets and absolute filesystem paths from a string. Defensive: coerces
+ * non-string inputs via String(value); null/undefined return ''.
+ *
+ * @param {unknown} text
+ * @returns {string}
+ */
+export function redactSecrets(text) {
+  if (text == null) return '';
+  let s = String(text);
+  for (const { re, sub } of PATTERNS) {
+    s = s.replace(re, sub);
+  }
+  return s;
+}
+
+/**
+ * Build the public MCP error envelope for an arbitrary thrown value. The
+ * server-side stderr keeps the full trace for operator debugging; the
+ * JSON-RPC client receives only `{error, code}` — no trace field is emitted.
+ *
+ * Preserves err.code when present (Phase 83.03 added `EMANIFESTMISMATCH`;
+ * downstream callers can keep dispatching on that code).
+ *
+ * @param {unknown} err
+ * @returns {{ error: string, code: string }}
+ */
+export function sanitizeMcpError(err) {
+  const msg = err && typeof err === 'object' && 'message' in err
+    ? err.message
+    : err;
+  return {
+    error: redactSecrets(msg ?? 'unknown error'),
+    code:  (err && typeof err === 'object' && err.code) ? err.code : 'MCP_INTERNAL_ERROR',
+  };
+}

package/src/core/gate-runner.js

@@ -132,9 +132,17 @@ function extractCodeBlocks(text) {
 // --- exec ---
 
 async function execScript(script, cwd) {
-  // Write to a temp file and run with bash. We don't try to inline -c because
-  // the scripts can be multiline and contain quoting we'd have to escape.
-  const tmp = path.join(os.tmpdir(), `kit-gate-${Date.now()}-${Math.random().toString(36).slice(2)}.sh`);
+  // SEC-14-04: use mkdtemp for crypto-safe random directory naming, write the
+  // script INSIDE it, then cleanup recursive. Predictable timestamp+rand-suffix
+  // filenames are unsafe in multi-user /tmp — attacker can pre-create a symlink
+  // at the predicted path before fs.writeFile, and `spawn(bash, [tmp])` would
+  // execute the symlink target. mkdtemp uses the OS-level mkdtemp(3) syscall
+  // (POSIX) / equivalent (Windows) which atomically creates a directory with
+  // a random suffix and returns the actual path. The new dir gets 0700 from
+  // process umask on POSIX (umask 022 → 0700; default Node runtime). Even if
+  // umask is permissive, the script file inside is written with mode 0o700.
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), 'kit-gate-'));
+  const tmp = path.join(dir, 'gate.sh');
   await fs.writeFile(tmp, script, { encoding: 'utf8', mode: 0o700 });
   try {
     const child = spawn('bash', [tmp], { cwd, env: process.env });
@@ -151,7 +159,11 @@ async function execScript(script, cwd) {
       stderr: Buffer.concat(stderrOut).toString('utf8'),
     };
   } finally {
-    await fs.unlink(tmp).catch(() => {});
+    // Recursive cleanup — even if spawn errored above, the dir gets removed.
+    // force:true swallows ENOENT (e.g. if script self-deleted). recursive:true
+    // walks the dir; even if the gate body wrote temp files inside cwd, cwd is
+    // separate from `dir` so we won't blast user files.
+    await fs.rm(dir, { recursive: true, force: true }).catch(() => {});
   }
 }
 

package/src/core/manifest-verify.js

@@ -0,0 +1,103 @@
+// SEC-14-05: verify kit/file-manifest.json against actual file contents.
+// Called by syncTo() in install path, before any write — refuses to project
+// a tampered kit. Opt-out via KIT_MCP_SKIP_MANIFEST_CHECK=1 (warn on stderr).
+//
+// Manifest format (kit/file-manifest.json):
+//   { version, timestamp, files: { "<rel-to-kitRoot>": "<sha256-hex>", ... } }
+//
+// Returns:
+//   { ok: true } when all listed files exist + match.
+//   { ok: true, skipped: true } when KIT_MCP_SKIP_MANIFEST_CHECK=1.
+//   { ok: false, reason, mismatches, missing } otherwise.
+
+import path from 'node:path';
+import fs from 'node:fs/promises';
+import crypto from 'node:crypto';
+
+const SKIP_ENV = 'KIT_MCP_SKIP_MANIFEST_CHECK';
+
+export async function verifyManifest(kitRoot) {
+  if (process.env[SKIP_ENV] === '1') {
+    process.stderr.write(
+      '[kit-mcp] WARNING: ' + SKIP_ENV + '=1 set — skipping kit/file-manifest.json verification (dev mode).\n'
+    );
+    return { ok: true, skipped: true };
+  }
+
+  const manifestPath = path.join(kitRoot, 'file-manifest.json');
+  let manifest;
+  try {
+    const raw = await fs.readFile(manifestPath, 'utf8');
+    manifest = JSON.parse(raw);
+  } catch (e) {
+    return {
+      ok: false,
+      reason: 'kit manifest unreadable at ' + manifestPath + ': ' + e.message,
+      mismatches: [],
+      missing: [],
+    };
+  }
+
+  if (!manifest.files || typeof manifest.files !== 'object') {
+    return {
+      ok: false,
+      reason: "kit manifest malformed at " + manifestPath + ": missing 'files' object",
+      mismatches: [],
+      missing: [],
+    };
+  }
+
+  const mismatches = [];
+  const missing = [];
+
+  for (const [rel, expected] of Object.entries(manifest.files)) {
+    const abs = path.join(kitRoot, rel);
+    let buf;
+    try {
+      buf = await fs.readFile(abs);
+    } catch {
+      missing.push(rel);
+      continue;
+    }
+    const actual = crypto.createHash('sha256').update(buf).digest('hex');
+    if (actual !== expected) {
+      mismatches.push({ path: rel, expected: expected.slice(0, 16), actual: actual.slice(0, 16) });
+    }
+  }
+
+  if (mismatches.length === 0 && missing.length === 0) {
+    return { ok: true };
+  }
+
+  // Build a concise reason — first 3 mismatches, plus counts.
+  const sample = mismatches
+    .slice(0, 3)
+    .map((m) => m.path + ' (expected ' + m.expected + ', got ' + m.actual + ')')
+    .join('; ');
+  const missingSample = missing.slice(0, 3).join(', ');
+  const reasonParts = [];
+  if (mismatches.length > 0) {
+    reasonParts.push(
+      mismatches.length +
+        ' file(s) tampered: ' +
+        sample +
+        (mismatches.length > 3 ? ', +' + (mismatches.length - 3) + ' more' : '')
+    );
+  }
+  if (missing.length > 0) {
+    reasonParts.push(
+      missing.length +
+        ' file(s) missing: ' +
+        missingSample +
+        (missing.length > 3 ? ', +' + (missing.length - 3) + ' more' : '')
+    );
+  }
+  reasonParts.push('set ' + SKIP_ENV + '=1 to bypass (dev only)');
+
+  return {
+    ok: false,
+    reason: 'kit manifest mismatch — ' + reasonParts.join('; '),
+    mismatches,
+    missing,
+  };
+}

package/src/core/path-safety.js

@@ -0,0 +1,111 @@
+// SEC-14-03: validate that a projectRoot supplied via MCP message points to a
+// real git workspace before any handler that writes to disk dispatches into
+// sync.js / reverse-sync.js.
+//
+// The helper is intentionally pure (no throw): MCP handlers package errors as
+// `{ error: <string> }` envelopes (see src/mcp-server/index.js handleSync,
+// handleGates, handleForensics — all use the same shape). Returning a discriminated
+// `{ ok, ...}` lets each caller decide between an envelope error or a CLI exit
+// without try/catch boilerplate.
+//
+// Why a directory-existence + walk-up `.git/` check (and not, say, spawning
+// `git rev-parse --show-toplevel`):
+//   - Heuristic is good enough for our threat model. The attacker we are blocking
+//     is "MCP message says projectRoot=\\evil-host\share or %APPDATA%". Both fail
+//     the existence-or-`.git`-ancestor test trivially.
+//   - No child_process means no dependency on `git` being on PATH at runtime, no
+//     spawn latency on the hot path of every tool call, and no risk of the spawned
+//     git itself reading config from an attacker-influenced cwd.
+//   - The walk-up loop is bounded — Windows roots terminate at `D:\`, POSIX at
+//     `/`, and `path.dirname(cur) === cur` is the universal fixed point. Typical
+//     workspaces have <8 levels to a `.git/`, so a stat per level is fine.
+//
+// CLI does NOT call this — `bin/cli.js` trusts whoever invoked it (same trust
+// model as Phase 79.01's gates.run guard).
+
+import path from 'node:path';
+import fs from 'node:fs/promises';
+
+// All rejection reasons embed the literal "git workspace" — MCP clients (and
+// our own regression tests) match on that single sentinel regardless of which
+// check fired. Keeping the wording uniform means callers don't have to maintain
+// six regexes; one suffices.
+const SENTINEL = 'MCP sync requires projectRoot to be a git workspace';
+
+export async function validateProjectRoot(projectRoot) {
+  // Reject empty / nullish up-front. We require an explicit projectRoot from
+  // MCP messages — falling back to `process.cwd()` of the MCP server would let
+  // an attacker probe wherever the server happened to be launched.
+  if (projectRoot === undefined || projectRoot === null || projectRoot === '') {
+    return {
+      ok: false,
+      reason: SENTINEL + '; got <empty> (pass an absolute path to a git workspace)',
+    };
+  }
+  if (typeof projectRoot !== 'string') {
+    return {
+      ok: false,
+      reason: SENTINEL + '; got non-string projectRoot of type ' + typeof projectRoot,
+    };
+  }
+
+  // path.resolve normalises separators and collapses `..` segments so a later
+  // attacker payload like `C:\Users\\..\evil` is reduced before the existence
+  // check happens. resolve() is also a no-op on already-absolute paths.
+  const resolved = path.resolve(projectRoot);
+
+  // Defensive — path.resolve should always return absolute, but if a future
+  // Node version changes that we still want to reject.
+  if (!path.isAbsolute(resolved)) {
+    return {
+      ok: false,
+      reason: SENTINEL + '; projectRoot did not resolve to an absolute path: ' + projectRoot,
+    };
+  }
+
+  // The stat doubles as an existence + reachability check. UNC paths to
+  // unreachable hosts (`\\evil-host\share`) reject here on Windows with ENOENT
+  // / EHOSTUNREACH within milliseconds; Node treats both as a rejection so we
+  // never proceed to write a single byte.
+  let stat;
+  try {
+    stat = await fs.stat(resolved);
+  } catch {
+    return {
+      ok: false,
+      reason: SENTINEL + '; projectRoot does not exist or is unreachable: ' + resolved,
+    };
+  }
+
+  if (!stat.isDirectory()) {
+    return {
+      ok: false,
+      reason: SENTINEL + '; projectRoot must be a directory: ' + resolved,
+    };
+  }
+
+  // Walk up looking for `.git` (file or directory — `git worktree` uses a file).
+  // Bounded by the dirname fixed-point check so this terminates on every OS.
+  let cur = resolved;
+  // eslint-disable-next-line no-constant-condition
+  while (true) {
+    try {
+      await fs.stat(path.join(cur, '.git'));
+      return { ok: true, resolvedPath: resolved };
+    } catch {
+      // not here — keep walking up
+    }
+    const parent = path.dirname(cur);
+    if (parent === cur) break;
+    cur = parent;
+  }
+
+  // No .git/ found anywhere in the chain — the canonical reject. The literal
+  // "git workspace" string is part of the public contract — tests
+  // (test/unit/mcp-projectroot-guard.test.js) and downstream MCP clients match
+  // on it. Don't rephrase without coordinating callers.
+  return {
+    ok: false,
+    reason: SENTINEL + '; got ' + projectRoot,
+  };
+}

package/src/core/reflect.js

@@ -19,6 +19,7 @@ import fs from 'node:fs/promises';
 import { createInterface } from 'node:readline/promises';
 import { stdin as input, stdout as output, stderr } from 'node:process';
 import { resolveKitRoot } from './kit.js';
+import { redactSecrets } from './error-redaction.js';
 
 const DEFAULT_MODEL      = process.env.KIT_REFLECT_MODEL ?? 'claude-sonnet-4-5-20250929';
 const DEFAULT_MAX_TOKENS = parseInt(process.env.KIT_REFLECT_MAX_TOKENS ?? '8000', 10);
@@ -169,7 +170,11 @@ async function callClaude(prompt) {
   });
   if (!res.ok) {
     const errBody = await res.text();
-    throw new Error(`Anthropic API ${res.status}: ${errBody}`);
+    // SEC-14-06: Anthropic error responses can echo the supplied API key
+    // (rare but observed in 401s). Strip secrets/paths before propagating
+    // to caller — the central MCP catch will sanitize again, but doing it
+    // here means CLI callers (which bypass the MCP catch) are also protected.
+    throw new Error(`Anthropic API ${res.status}: ${redactSecrets(errBody)}`);
   }
   const j = await res.json();
   return {