@luanpdd/kit-mcp 1.12.1 → 1.14.0

package/src/core/replays.js

@@ -14,21 +14,70 @@
 
 import path from 'node:path';
 import fs from 'node:fs/promises';
+import { redactSecrets } from './error-redaction.js';
 
 const REPLAY_DIR_REL = path.join('.planning', 'replays');
 
+// SEC-13-02: replayId path traversal guard. The MCP forensics tool exposes
+// load-replay/annotate-replay/record-replay actions; without sanitization,
+// a malicious replayId like '../../../etc/passwd' would read/write files
+// outside .planning/replays/.
+//
+// Strategy: allowlist regex (no slashes, no '..', no NUL) + post-resolve assertion
+// that the final path stays inside REPLAY_DIR_REL.
+const REPLAY_ID_RE = /^[A-Za-z0-9_.-]+$/;
+
+function validateReplayId(id) {
+  if (typeof id !== 'string' || !id) {
+    throw new Error('invalid replay id: must be a non-empty string');
+  }
+  if (id === '.' || id === '..' || id.includes('..')) {
+    throw new Error('invalid replay id: traversal sequences not allowed');
+  }
+  if (!REPLAY_ID_RE.test(id)) {
+    throw new Error(`invalid replay id: only [A-Za-z0-9_.-] allowed, got ${JSON.stringify(id)}`);
+  }
+  return id;
+}
+
+function assertPathInside(filePath, baseDir) {
+  const resolved = path.resolve(filePath);
+  const base = path.resolve(baseDir);
+  // Ensure resolved is base or a child of base (handle trailing-sep edge case).
+  if (resolved !== base && !resolved.startsWith(base + path.sep)) {
+    throw new Error('invalid replay id: resolved path escapes replay directory');
+  }
+  return resolved;
+}
+
 export async function recordReplay(payload, opts = {}) {
   const projectRoot = path.resolve(opts.projectRoot ?? process.cwd());
   const dir = path.join(projectRoot, REPLAY_DIR_REL);
   await fs.mkdir(dir, { recursive: true });
 
   const ts   = new Date().toISOString().replace(/[:.]/g, '-');
-  const slug = [payload.phase, payload.plan, payload.agent].filter(Boolean).join('-') || 'unknown';
+  // SEC-13-02: validate each slug component independently before concat
+  const slugParts = [payload.phase, payload.plan, payload.agent].filter(Boolean);
+  for (const part of slugParts) {
+    validateReplayId(String(part));
+  }
+  const slug = slugParts.join('-') || 'unknown';
   const id   = `${ts}-${slug}`;
+  // Re-validate the full id (defense in depth — ts is well-formed but cheap to check)
+  validateReplayId(id);
   const file = path.join(dir, `${id}.json`);
+  assertPathInside(file, dir);
 
   const record = { id, recorded_at: new Date().toISOString(), ...payload };
-  await fs.writeFile(file, JSON.stringify(record, null, 2), 'utf8');
+  // SEC-14-06: scrub the serialized form before writing. We redact AFTER
+  // JSON.stringify (rather than deep-mapping the payload tree) so the regex
+  // walks the entire structure including nested args/headers/env, and so
+  // the in-memory `record` returned to the caller stays unmutated. Only the
+  // on-disk artifact is scrubbed; readers of the file via loadReplay see
+  // the redacted form, which is the desired outcome — secrets must not be
+  // re-loaded into memory either.
+  const json = redactSecrets(JSON.stringify(record, null, 2));
+  await fs.writeFile(file, json, 'utf8');
   return { id, file, record };
 }
 
@@ -49,15 +98,21 @@ export async function listReplays(opts = {}) {
 }
 
 export async function loadReplay(id, opts = {}) {
+  validateReplayId(id);
   const projectRoot = path.resolve(opts.projectRoot ?? process.cwd());
-  const file = path.join(projectRoot, REPLAY_DIR_REL, `${id}.json`);
+  const dir = path.join(projectRoot, REPLAY_DIR_REL);
+  const file = path.join(dir, `${id}.json`);
+  assertPathInside(file, dir);
   const raw  = await fs.readFile(file, 'utf8');
   return JSON.parse(raw);
 }
 
 export async function annotateReplay(id, outcome, opts = {}) {
+  validateReplayId(id);
   const projectRoot = path.resolve(opts.projectRoot ?? process.cwd());
-  const file = path.join(projectRoot, REPLAY_DIR_REL, `${id}.json`);
+  const dir = path.join(projectRoot, REPLAY_DIR_REL);
+  const file = path.join(dir, `${id}.json`);
+  assertPathInside(file, dir);
   const r = JSON.parse(await fs.readFile(file, 'utf8'));
   r.outcome = { ...(r.outcome ?? {}), ...outcome, annotated_at: new Date().toISOString() };
   await fs.writeFile(file, JSON.stringify(r, null, 2), 'utf8');

package/src/core/sync.js

@@ -13,6 +13,7 @@ import path from 'node:path';
 import fs from 'node:fs/promises';
 import { getTarget } from './registry.js';
 import { listKit, resolveKitRoot } from './kit.js';
+import { verifyManifest } from './manifest-verify.js';
 
 const STUB_MARKER = '<!-- kit-mcp:reference -->';
 const MANAGED_MARKER_FILE = '.kit-mcp-managed';
@@ -26,6 +27,18 @@ export async function syncTo(targetId, opts = {}) {
   const dryRun      = !!opts.dryRun;
   const onProgress  = opts.onProgress ?? (() => {});
 
+  // SEC-14-05: verify kit integrity before projecting. Refuses tampered kit/.
+  // Opt-out via KIT_MCP_SKIP_MANIFEST_CHECK=1 (handled inside verifyManifest).
+  // Only runs on install path (syncTo); removeFrom/statusOf/applyReverse don't
+  // call this — see plan 83-03 for rationale (apply path is the introduction
+  // vector, not the trust point; stale-but-intact kits in dev are skipped).
+  const manifestCheck = await verifyManifest(kitRoot);
+  if (!manifestCheck.ok) {
+    const err = new Error(manifestCheck.reason);
+    err.code = 'EMANIFESTMISMATCH';
+    throw err;
+  }
+
   // PERF-03: accept a pre-loaded kit to avoid re-walking the disk when callers
   // already have one in hand (CLI sync that follows reverse-sync detect, etc).
   // PERF-S1: in mode=reference (default), read just frontmatter — body/content
@@ -257,8 +270,10 @@ See: [\`${rel}\`](${rel})
 // own file under kit/ — duplicating them here costs tokens in every Claude
 // Code session. Cap each line at ~80 chars; users can `kit get <name>` for the
 // full description.
-const SUMMARY_MAX_CHARS = 80;
-function summarize(desc) {
+// PERF-13-01: exported so slim() in src/mcp-server/index.js and src/cli/index.js
+// can reuse the same cap (single source of truth — no duplicated constants).
+export const SUMMARY_MAX_CHARS = 80;
+export function summarize(desc) {
   if (!desc) return '';
   const flat = desc.replace(/\s+/g, ' ').trim();
   if (flat.length <= SUMMARY_MAX_CHARS) return flat;

package/src/mcp-server/index.js

@@ -12,10 +12,16 @@ import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { CallToolRequestSchema, ListToolsRequestSchema } from '@modelcontextprotocol/sdk/types.js';
 
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import path from 'node:path';
+
 import { listKit, searchKit, findItem } from '../core/kit.js';
 import { listTargets } from '../core/registry.js';
-import { syncTo, statusOf, removeFrom } from '../core/sync.js';
+import { syncTo, statusOf, removeFrom, summarize } from '../core/sync.js';
 import { detectReverse, applyReverse } from '../core/reverse-sync.js';
+import { validateProjectRoot } from '../core/path-safety.js';
+import { sanitizeMcpError } from '../core/error-redaction.js';
 import { listGates, getGate, gatesForStage } from '../core/gates.js';
 import { runGate } from '../core/gate-runner.js';
 import { collectFailures, summarizeByAgent, writeLearnings } from '../core/failures.js';
@@ -125,6 +131,23 @@ const TOOLS = [
   },
 ];
 
+// DRIFT-13-03: read version from package.json at module load (NOT inside
+// createServer — re-reading on every call adds zero value). Same pattern as
+// bin/cli.js:43-51. Both files are 2 levels deep from repo root, so the
+// '..', '..' resolution works identically. Falls back to 'unknown' if the
+// package.json lookup fails (unusual install layout).
+function readPkgVersion() {
+  try {
+    const here = path.dirname(fileURLToPath(import.meta.url));
+    const pkgPath = path.resolve(here, '..', '..', 'package.json');
+    return JSON.parse(readFileSync(pkgPath, 'utf8')).version;
+  } catch {
+    return 'unknown';
+  }
+}
+
+export const PKG_VERSION = readPkgVersion();
+
 // --- handlers ---
 
 async function handleKit(args) {
@@ -171,25 +194,45 @@ async function withAutoSpawn(args, tool, run) {
 async function handleSync(args) {
   switch (args.action) {
     case 'targets': return listTargets();
-    case 'status':  return statusOf(args.target, { projectRoot: args.projectRoot });
+    case 'status':
     case 'install':
-      return withAutoSpawn(args, 'sync.install', (onProgress) =>
-        syncTo(args.target, { projectRoot: args.projectRoot, mode: args.mode, dryRun: args.dryRun, onProgress }));
-    case 'remove':  return removeFrom(args.target, { projectRoot: args.projectRoot });
+    case 'remove': {
+      // SEC-14-03: MCP message must specify a path inside a git workspace.
+      // CLI bypasses this — bin/cli.js trusts whoever invoked it (same trust
+      // model as Phase 79.01's gates.run guard). status is read-only but
+      // included for defense-in-depth and a single uniform error surface.
+      const guard = await validateProjectRoot(args.projectRoot);
+      if (!guard.ok) return { error: guard.reason };
+      const projectRoot = guard.resolvedPath;
+      if (args.action === 'status') return statusOf(args.target, { projectRoot });
+      if (args.action === 'install')
+        return withAutoSpawn({ ...args, projectRoot }, 'sync.install', (onProgress) =>
+          syncTo(args.target, { projectRoot, mode: args.mode, dryRun: args.dryRun, onProgress }));
+      // action === 'remove'
+      return removeFrom(args.target, { projectRoot });
+    }
     default: return { error: `Unknown action: ${args.action}` };
   }
 }
 
 async function handleReverseSync(args) {
   switch (args.action) {
-    case 'detect': return detectReverse(args.target, { projectRoot: args.projectRoot });
-    case 'apply':
-      return withAutoSpawn(args, 'reverse-sync.apply', (onProgress) =>
+    case 'detect':
+    case 'apply': {
+      // SEC-14-03: same guard as handleSync — reverse-sync apply also writes
+      // to disk (kit/<file>) so it must be on the same allowlist as sync.
+      const guard = await validateProjectRoot(args.projectRoot);
+      if (!guard.ok) return { error: guard.reason };
+      const projectRoot = guard.resolvedPath;
+      if (args.action === 'detect') return detectReverse(args.target, { projectRoot });
+      // action === 'apply'
+      return withAutoSpawn({ ...args, projectRoot }, 'reverse-sync.apply', (onProgress) =>
         applyReverse(args.target, {
-          projectRoot: args.projectRoot,
+          projectRoot,
           strategy: args.strategy, only: args.only, dryRun: args.dryRun,
           onProgress,
         }));
+    }
     default: return { error: `Unknown action: ${args.action}` };
   }
 }
@@ -200,12 +243,14 @@ async function handleGates(args) {
     case 'get':       return getGate(args.id);
     case 'for-stage': return gatesForStage(args.stage);
     case 'run':
-      return withAutoSpawn(args, 'gates.run', () =>
-        runGate(args.id, {
-          projectRoot: args.projectRoot,
-          yes: true,            // MCP context: never prompt
-          interactive: false,   // MCP never prompts
-        }));
+      // SEC-13-01: MCP transport must never execute shell — runGate spawns bash with
+      // arbitrary content from gates/*.md (which reverse-sync can rewrite). Even with
+      // {yes: true}, this skips the interactive "y/N before exec" promise. The CLI
+      // entry point (`kit gates run <id>` via bin/cli.js) preserves the prompt and
+      // remains the only path to executing gates.
+      return {
+        error: 'MCP gates.run requires interactive TTY confirmation; use `kit gates run` from CLI instead.',
+      };
     default: return { error: `Unknown action: ${args.action}` };
   }
 }
@@ -255,14 +300,16 @@ const HANDLERS = {
 function slim(x) {
   // absPath omitted by design — list-* tools are AI-consumed in tight context budgets.
   // Use action=get to fetch the absPath (and content) for a specific item.
-  return { kind: x.kind, name: x.name, description: x.description };
+  // PERF-13-01 (TOK-02): truncate description via SUMMARY_MAX_CHARS (80) cap shared
+  // with src/core/sync.js — full description lives in each item's file under kit/.
+  return { kind: x.kind, name: x.name, description: summarize(x.description) };
 }
 
 // --- server bootstrap ---
 
 export async function createServer() {
   const server = new Server(
-    { name: 'kit-mcp', version: '0.1.0' },
+    { name: 'kit-mcp', version: PKG_VERSION },
     { capabilities: { tools: {} } }
   );
 
@@ -278,8 +325,12 @@ export async function createServer() {
       const result = await handler(args ?? {});
       return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
     } catch (e) {
+      // SEC-14-06: full stack stays in stderr for operator debug; client envelope is sanitized.
+      // sanitizeMcpError redacts secrets/paths from e.message, preserves e.code (Phase 83
+      // EMANIFESTMISMATCH invariant), and emits NO stack field.
+      console.error('[mcp-server] error in handler:', e?.stack ?? e);
       return {
-        content: [{ type: 'text', text: JSON.stringify({ error: e.message, stack: e.stack }, null, 2) }],
+        content: [{ type: 'text', text: JSON.stringify(sanitizeMcpError(e), null, 2) }],
         isError: true,
       };
     }

package/src/ui/auto-spawn.js

@@ -97,7 +97,12 @@ export async function ensureSidecar({ projectRoot, openBrowserOnSpawn = true } =
 
   let opened = false;
   if (openBrowserOnSpawn) {
-    const url = `http://127.0.0.1:${lock.port}/`;
+    // SEC-14-02: propagate auth token via query param so browser can self-authenticate
+    // without user interaction. EventSource cannot send custom headers; ?t= is the
+    // canonical pattern. The browser scrubs ?t= from the address bar via
+    // history.replaceState immediately on boot to avoid leak via screenshare.
+    const tokenSuffix = lock.token ? `?t=${encodeURIComponent(lock.token)}` : '';
+    const url = `http://127.0.0.1:${lock.port}/${tokenSuffix}`;
     const r = await openBrowser(url);
     opened = r.opened === true;
   }

package/src/ui/client.js

@@ -8,34 +8,43 @@ import http from 'node:http';
 import { readLock } from './lockfile.js';
 import { validateEvent } from './events.js';
 
-// Cache the resolved port across calls in a single process.
-const portCache = new Map(); // projectRoot -> port (or 0 = no sidecar)
-const PORT_CACHE_TTL_MS = 5_000;
+// Cache the resolved sidecar (port + token) across calls in a single process.
+// SEC-14-02: token is needed for Authorization on every publish() — read from
+// the same lockfile read as port to avoid double I/O.
+const sidecarCache = new Map(); // projectRoot -> { port, token } | { port: 0, token: null }
+const SIDECAR_CACHE_TTL_MS = 5_000;
 const cacheTimestamps = new Map();
 
-function readCachedPort(projectRoot) {
+function readCachedSidecar(projectRoot) {
   const ts = cacheTimestamps.get(projectRoot);
-  if (!ts || Date.now() - ts > PORT_CACHE_TTL_MS) return undefined;
-  return portCache.get(projectRoot);
+  if (!ts || Date.now() - ts > SIDECAR_CACHE_TTL_MS) return undefined;
+  return sidecarCache.get(projectRoot);
 }
 
-function writeCachedPort(projectRoot, port) {
-  portCache.set(projectRoot, port);
+function writeCachedSidecar(projectRoot, sidecar) {
+  sidecarCache.set(projectRoot, sidecar);
   cacheTimestamps.set(projectRoot, Date.now());
 }
 
+// Backward-compat name; clears port + token cache. Tests + callers using
+// clearPortCache continue to work without code change.
 export function clearPortCache() {
-  portCache.clear();
+  sidecarCache.clear();
   cacheTimestamps.clear();
 }
 
-function resolvePort(projectRoot) {
-  const cached = readCachedPort(projectRoot);
+function resolveSidecar(projectRoot) {
+  const cached = readCachedSidecar(projectRoot);
   if (cached !== undefined) return cached;
   const lock = readLock(projectRoot);
-  const port = lock?.port ?? 0;
-  writeCachedPort(projectRoot, port);
-  return port;
+  const sidecar = {
+    port: lock?.port ?? 0,
+    // SEC-14-02: null if missing (lockfile from older sidecar version pre-v1.14).
+    // Triggers degraded path: no Authorization header → server 401 → soft-fail.
+    token: typeof lock?.token === 'string' ? lock.token : null,
+  };
+  writeCachedSidecar(projectRoot, sidecar);
+  return sidecar;
 }
 
 // publish(event, { projectRoot, timeoutMs }): always resolves. Returns
@@ -47,7 +56,7 @@ export async function publish(event, { projectRoot, timeoutMs = 1500 } = {}) {
   const validationErr = validateEvent(event);
   if (validationErr) return { sent: false, reason: `invalid_event: ${validationErr.message}` };
 
-  const port = resolvePort(projectRoot);
+  const { port, token } = resolveSidecar(projectRoot);
   if (!port) return { sent: false, reason: 'no_sidecar' };
 
   const body = JSON.stringify(event);
@@ -65,6 +74,10 @@ export async function publish(event, { projectRoot, timeoutMs = 1500 } = {}) {
         'content-length': Buffer.byteLength(body, 'utf8'),
         'origin': `http://127.0.0.1:${port}`,
         'connection': 'close',
+        // SEC-14-02: attach Bearer token if lockfile has one. If not (older
+        // sidecar pre-v1.14), server returns 401 → resolves as { sent: false,
+        // reason: 'http_401' } via the soft-fail flow below.
+        ...(token ? { 'authorization': `Bearer ${token}` } : {}),
       },
     }, (res) => {
       // Drain — we don't actually care about the body, just the status.
@@ -73,9 +86,11 @@ export async function publish(event, { projectRoot, timeoutMs = 1500 } = {}) {
         if (res.statusCode >= 200 && res.statusCode < 300) {
           resolve({ sent: true, status: res.statusCode });
         } else {
-          // Stale lockfile? Drop the cache so the next call re-reads.
-          if (res.statusCode === 403 || res.statusCode === 404) {
-            portCache.delete(projectRoot);
+          // Stale lockfile or rotated token? Drop cache so next call re-reads.
+          // SEC-14-02: invalidate on 401 too — token may have rotated after
+          // sidecar restart; cache TTL of 5s would otherwise prolong recovery.
+          if (res.statusCode === 401 || res.statusCode === 403 || res.statusCode === 404) {
+            sidecarCache.delete(projectRoot);
             cacheTimestamps.delete(projectRoot);
           }
           resolve({ sent: false, reason: `http_${res.statusCode}` });
@@ -86,7 +101,7 @@ export async function publish(event, { projectRoot, timeoutMs = 1500 } = {}) {
     req.on('error', (err) => {
       // Most common: ECONNREFUSED (lockfile points at a dead port).
       if (err.code === 'ECONNREFUSED' || err.code === 'ECONNRESET') {
-        portCache.delete(projectRoot);
+        sidecarCache.delete(projectRoot);
         cacheTimestamps.delete(projectRoot);
       }
       resolve({ sent: false, reason: `error: ${err.code || err.message}` });

package/src/ui/lockfile.js

@@ -6,7 +6,7 @@
 //   1. process.kill(pid, 0) — ESRCH/EPERM means the holder is gone
 //   2. optional HTTP healthz probe (injected by caller; keeps this module pure of net)
 
-import { createHash } from 'node:crypto';
+import { createHash, randomBytes } from 'node:crypto';
 import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
@@ -55,6 +55,10 @@ export function acquireLock({ projectRoot, port, version, startedAt }) {
     version: version ?? null,
     startedAt: startedAt ?? Date.now(),
     lockSchema: LOCK_VERSION,
+    // SEC-14-02: per-process auth token. 32 random bytes hex-encoded = 64 chars.
+    // Required by /publish, /shutdown, /events, /state. Lifetime = process lifetime;
+    // not logged, not telemetered. See docs/sidecar-security.md.
+    token: randomBytes(32).toString('hex'),
   };
   let fd;
   try {

package/src/ui/server.js

@@ -22,6 +22,7 @@ import { readFileSync } from 'node:fs';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import process from 'node:process';
+import { createHash } from 'node:crypto';
 
 import { findFreePortOrThrow } from './port.js';
 import { acquireLockOrReclaim, releaseLock } from './lockfile.js';
@@ -42,19 +43,70 @@ const SSE_HEADERS = {
   'X-Accel-Buffering': 'no',
 };
 
-const CSP =
-  "default-src 'self'; " +
-  "connect-src 'self'; " +
-  "script-src 'self' 'unsafe-inline'; " +
-  "style-src 'self' 'unsafe-inline'; " +
-  "img-src 'self' data:; " +
-  "frame-ancestors 'none'";
+// SEC-14-01: CSP without 'unsafe-inline' in script-src. The single inline
+// <script> block in index.html is allowed via SHA-256 hash injected at boot.
+// 'unsafe-inline' kept ONLY for style-src (the entire <style> block is intentional;
+// CSS injection has no script execution vector with connect-src 'self').
+function buildCsp(scriptHash) {
+  const scriptSrc = scriptHash ? `'self' ${scriptHash}` : "'self'";
+  return (
+    "default-src 'self'; " +
+    "connect-src 'self'; " +
+    `script-src ${scriptSrc}; ` +
+    "style-src 'self' 'unsafe-inline'; " +
+    "img-src 'self' data:; " +
+    "frame-ancestors 'none'"
+  );
+}
+
+// Computes the SHA-256 hash of the inline <script> block in the static HTML.
+// Returns the CSP-formatted source expression: "'sha256-<base64>='".
+// Returns empty string if no <script> block found (graceful — caller falls back to "'self'" alone).
+function computeScriptHashFromHtml(html) {
+  if (typeof html !== 'string') return '';
+  const m = html.match(/<script>([\s\S]*?)<\/script>/);
+  if (!m) return '';
+  const hash = createHash('sha256').update(m[1], 'utf8').digest('base64');
+  return `'sha256-${hash}'`;
+}
 
 function logErr(...args) {
   // Strict stderr discipline — never stdout (collides with MCP JSON-RPC if running in same process).
   process.stderr.write(args.map((a) => (typeof a === 'string' ? a : JSON.stringify(a))).join(' ') + '\n');
 }
 
+// SEC-14-02: per-process auth token. Set during start() from acquireLock result.
+// Cleared on shutdown(). Never logged in full.
+let authToken = null;
+
+// requireAuth: returns true if request has a valid token via either:
+//   - Authorization: Bearer <token>      (preferred for fetch from same-origin browser)
+//   - ?t=<token> query param             (required for EventSource — browser API can't set headers)
+// Caller is responsible for sending 401 when this returns false.
+function requireAuth(req, url) {
+  if (!authToken) return false; // server didn't init token — fail closed
+  const auth = req.headers.authorization;
+  if (typeof auth === 'string' && auth.startsWith('Bearer ')) {
+    const provided = auth.slice('Bearer '.length).trim();
+    if (timingSafeEqual(provided, authToken)) return true;
+  }
+  const qp = url?.searchParams?.get('t');
+  if (typeof qp === 'string' && timingSafeEqual(qp, authToken)) return true;
+  return false;
+}
+
+// Constant-time string comparison to prevent timing-leak side channel.
+// Walks the longer of the two strings even when lengths differ to keep timing flat.
+function timingSafeEqual(a, b) {
+  if (typeof a !== 'string' || typeof b !== 'string') return false;
+  const max = Math.max(a.length, b.length);
+  let diff = a.length ^ b.length;
+  for (let i = 0; i < max; i++) {
+    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
+  }
+  return diff === 0;
+}
+
 // Validate Host header against allowed hostnames (REQ SEC-01).
 // Allow 127.0.0.1 and localhost on whatever port we're on.
 function isHostAllowed(req, port) {
@@ -122,15 +174,22 @@ function readBody(req, maxBytes = 64 * 1024) {
   });
 }
 
+let _cachedIndex = null; // { html, scriptHash }
 function loadStaticIndex() {
   // src/ui/static/index.html — written in Phase 14. We tolerate it missing in
   // unit tests by serving a placeholder so the server module is testable in isolation.
+  if (_cachedIndex) return _cachedIndex;
+  let html;
   try {
-    return readFileSync(path.join(STATIC_DIR, 'index.html'), 'utf8');
+    html = readFileSync(path.join(STATIC_DIR, 'index.html'), 'utf8');
   } catch {
-    return `<!doctype html><meta charset="utf-8"><title>kit-mcp sidecar</title>
+    html = `<!doctype html><meta charset="utf-8"><title>kit-mcp sidecar</title>
 <body><pre>UI not yet packaged. Run \`kit ui\` after Phase 14 is shipped.</pre></body>`;
   }
+  // SEC-14-01: hash inline <script> for CSP whitelist. Cache per-process.
+  const scriptHash = computeScriptHashFromHtml(html);
+  _cachedIndex = { html, scriptHash };
+  return _cachedIndex;
 }
 
 export function createServer({
@@ -224,9 +283,14 @@ export function createServer({
       try { releaseLock(projectRoot); } catch { /* noop */ }
       lockMeta = null;
     }
+    authToken = null; // SEC-14-02: clear so a re-start gets a fresh one
   }
 
-  function handleEvents(req, res) {
+  function handleEvents(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     if (subscribers.size >= maxSubscribers) {
       sendJson(res, 503, { error: 'too_many_subscribers', max: maxSubscribers });
       return;
@@ -269,7 +333,11 @@ export function createServer({
     res.on('error', cleanup);
   }
 
-  async function handlePublish(req, res) {
+  async function handlePublish(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     if (!isOriginAllowed(req, listeningPort)) {
       sendJson(res, 403, { error: 'origin_not_allowed' });
       return;
@@ -313,7 +381,11 @@ export function createServer({
 
   // PERF-05: optional pagination via ?offset=N&limit=M. No query → ring inteiro
   // (back-compat preservada). Out-of-range values clamp to bounds rather than 4xx.
-  function handleState(res, url) {
+  function handleState(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     let events = ring;
     const offsetRaw = url?.searchParams?.get('offset');
     const limitRaw  = url?.searchParams?.get('limit');
@@ -338,7 +410,11 @@ export function createServer({
     });
   }
 
-  async function handleShutdownRequest(req, res) {
+  async function handleShutdownRequest(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     if (!isOriginAllowed(req, listeningPort)) {
       sendJson(res, 403, { error: 'origin_not_allowed' });
       return;
@@ -350,10 +426,16 @@ export function createServer({
   }
 
   function handleIndex(res) {
-    const html = staticHtml ?? loadStaticIndex();
+    let html, scriptHash;
+    if (typeof staticHtml === 'string') {
+      html = staticHtml;
+      scriptHash = computeScriptHashFromHtml(staticHtml);
+    } else {
+      ({ html, scriptHash } = loadStaticIndex());
+    }
     res.writeHead(200, {
       'Content-Type': 'text/html; charset=utf-8',
-      'Content-Security-Policy': CSP,
+      'Content-Security-Policy': buildCsp(scriptHash),
       'X-Content-Type-Options': 'nosniff',
       'Referrer-Policy': 'no-referrer',
     });
@@ -374,15 +456,15 @@ export function createServer({
         case 'GET /index.html':
           return handleIndex(res);
         case 'GET /events':
-          return handleEvents(req, res);
+          return handleEvents(req, res, url);
         case 'GET /healthz':
           return handleHealthz(res);
         case 'GET /state':
-          return handleState(res, url);
+          return handleState(req, res, url);
         case 'POST /publish':
-          return handlePublish(req, res);
+          return handlePublish(req, res, url);
         case 'POST /shutdown':
-          return handleShutdownRequest(req, res);
+          return handleShutdownRequest(req, res, url);
         default:
           return sendJson(res, 404, { error: 'not_found', route });
       }
@@ -400,6 +482,11 @@ export function createServer({
       version,
       startedAt,
     });
+    // SEC-14-02: copy per-process token from lockfile into closure for requireAuth.
+    authToken = lockMeta.token;
+    if (typeof authToken !== 'string' || authToken.length !== 64) {
+      throw new Error('SEC-14-02: lockMeta.token missing or malformed; refusing to start');
+    }
     server = http.createServer(handleRequest);
     server.on('connection', (sock) => {
       activeSockets.add(sock);
@@ -449,6 +536,12 @@ export const __test = {
   MAX_SSE_SUBSCRIBERS,
   DEFAULT_IDLE_MS,
   HEARTBEAT_INTERVAL_MS,
-  CSP,
+  // SEC-14-01: CSP is now built dynamically with sha256 hash of inline <script>.
+  // The constant CSP no longer exists; tests should use buildCsp(scriptHash).
+  buildCsp,
+  computeScriptHashFromHtml,
   EVENT_TYPES,
+  // SEC-14-02: timingSafeEqual exposed for unit tests; requireAuth depends on
+  // closure state (authToken) so end-to-end HTTP tests verify behavior.
+  timingSafeEqual,
 };