@luanpdd/kit-mcp 1.13.0 → 1.14.0

package/src/ui/server.js

@@ -22,6 +22,7 @@ import { readFileSync } from 'node:fs';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import process from 'node:process';
+import { createHash } from 'node:crypto';
 
 import { findFreePortOrThrow } from './port.js';
 import { acquireLockOrReclaim, releaseLock } from './lockfile.js';
@@ -42,19 +43,70 @@ const SSE_HEADERS = {
   'X-Accel-Buffering': 'no',
 };
 
-const CSP =
-  "default-src 'self'; " +
-  "connect-src 'self'; " +
-  "script-src 'self' 'unsafe-inline'; " +
-  "style-src 'self' 'unsafe-inline'; " +
-  "img-src 'self' data:; " +
-  "frame-ancestors 'none'";
+// SEC-14-01: CSP without 'unsafe-inline' in script-src. The single inline
+// <script> block in index.html is allowed via SHA-256 hash injected at boot.
+// 'unsafe-inline' kept ONLY for style-src (the entire <style> block is intentional;
+// CSS injection has no script execution vector with connect-src 'self').
+function buildCsp(scriptHash) {
+  const scriptSrc = scriptHash ? `'self' ${scriptHash}` : "'self'";
+  return (
+    "default-src 'self'; " +
+    "connect-src 'self'; " +
+    `script-src ${scriptSrc}; ` +
+    "style-src 'self' 'unsafe-inline'; " +
+    "img-src 'self' data:; " +
+    "frame-ancestors 'none'"
+  );
+}
+
+// Computes the SHA-256 hash of the inline <script> block in the static HTML.
+// Returns the CSP-formatted source expression: "'sha256-<base64>='".
+// Returns empty string if no <script> block found (graceful — caller falls back to "'self'" alone).
+function computeScriptHashFromHtml(html) {
+  if (typeof html !== 'string') return '';
+  const m = html.match(/<script>([\s\S]*?)<\/script>/);
+  if (!m) return '';
+  const hash = createHash('sha256').update(m[1], 'utf8').digest('base64');
+  return `'sha256-${hash}'`;
+}
 
 function logErr(...args) {
   // Strict stderr discipline — never stdout (collides with MCP JSON-RPC if running in same process).
   process.stderr.write(args.map((a) => (typeof a === 'string' ? a : JSON.stringify(a))).join(' ') + '\n');
 }
 
+// SEC-14-02: per-process auth token. Set during start() from acquireLock result.
+// Cleared on shutdown(). Never logged in full.
+let authToken = null;
+
+// requireAuth: returns true if request has a valid token via either:
+//   - Authorization: Bearer <token>      (preferred for fetch from same-origin browser)
+//   - ?t=<token> query param             (required for EventSource — browser API can't set headers)
+// Caller is responsible for sending 401 when this returns false.
+function requireAuth(req, url) {
+  if (!authToken) return false; // server didn't init token — fail closed
+  const auth = req.headers.authorization;
+  if (typeof auth === 'string' && auth.startsWith('Bearer ')) {
+    const provided = auth.slice('Bearer '.length).trim();
+    if (timingSafeEqual(provided, authToken)) return true;
+  }
+  const qp = url?.searchParams?.get('t');
+  if (typeof qp === 'string' && timingSafeEqual(qp, authToken)) return true;
+  return false;
+}
+
+// Constant-time string comparison to prevent timing-leak side channel.
+// Walks the longer of the two strings even when lengths differ to keep timing flat.
+function timingSafeEqual(a, b) {
+  if (typeof a !== 'string' || typeof b !== 'string') return false;
+  const max = Math.max(a.length, b.length);
+  let diff = a.length ^ b.length;
+  for (let i = 0; i < max; i++) {
+    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
+  }
+  return diff === 0;
+}
+
 // Validate Host header against allowed hostnames (REQ SEC-01).
 // Allow 127.0.0.1 and localhost on whatever port we're on.
 function isHostAllowed(req, port) {
@@ -122,15 +174,22 @@ function readBody(req, maxBytes = 64 * 1024) {
   });
 }
 
+let _cachedIndex = null; // { html, scriptHash }
 function loadStaticIndex() {
   // src/ui/static/index.html — written in Phase 14. We tolerate it missing in
   // unit tests by serving a placeholder so the server module is testable in isolation.
+  if (_cachedIndex) return _cachedIndex;
+  let html;
   try {
-    return readFileSync(path.join(STATIC_DIR, 'index.html'), 'utf8');
+    html = readFileSync(path.join(STATIC_DIR, 'index.html'), 'utf8');
   } catch {
-    return `<!doctype html><meta charset="utf-8"><title>kit-mcp sidecar</title>
+    html = `<!doctype html><meta charset="utf-8"><title>kit-mcp sidecar</title>
 <body><pre>UI not yet packaged. Run \`kit ui\` after Phase 14 is shipped.</pre></body>`;
   }
+  // SEC-14-01: hash inline <script> for CSP whitelist. Cache per-process.
+  const scriptHash = computeScriptHashFromHtml(html);
+  _cachedIndex = { html, scriptHash };
+  return _cachedIndex;
 }
 
 export function createServer({
@@ -224,9 +283,14 @@ export function createServer({
       try { releaseLock(projectRoot); } catch { /* noop */ }
       lockMeta = null;
     }
+    authToken = null; // SEC-14-02: clear so a re-start gets a fresh one
   }
 
-  function handleEvents(req, res) {
+  function handleEvents(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     if (subscribers.size >= maxSubscribers) {
       sendJson(res, 503, { error: 'too_many_subscribers', max: maxSubscribers });
       return;
@@ -269,7 +333,11 @@ export function createServer({
     res.on('error', cleanup);
   }
 
-  async function handlePublish(req, res) {
+  async function handlePublish(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     if (!isOriginAllowed(req, listeningPort)) {
       sendJson(res, 403, { error: 'origin_not_allowed' });
       return;
@@ -313,7 +381,11 @@ export function createServer({
 
   // PERF-05: optional pagination via ?offset=N&limit=M. No query → ring inteiro
   // (back-compat preservada). Out-of-range values clamp to bounds rather than 4xx.
-  function handleState(res, url) {
+  function handleState(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     let events = ring;
     const offsetRaw = url?.searchParams?.get('offset');
     const limitRaw  = url?.searchParams?.get('limit');
@@ -338,7 +410,11 @@ export function createServer({
     });
   }
 
-  async function handleShutdownRequest(req, res) {
+  async function handleShutdownRequest(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     if (!isOriginAllowed(req, listeningPort)) {
       sendJson(res, 403, { error: 'origin_not_allowed' });
       return;
@@ -350,10 +426,16 @@ export function createServer({
   }
 
   function handleIndex(res) {
-    const html = staticHtml ?? loadStaticIndex();
+    let html, scriptHash;
+    if (typeof staticHtml === 'string') {
+      html = staticHtml;
+      scriptHash = computeScriptHashFromHtml(staticHtml);
+    } else {
+      ({ html, scriptHash } = loadStaticIndex());
+    }
     res.writeHead(200, {
       'Content-Type': 'text/html; charset=utf-8',
-      'Content-Security-Policy': CSP,
+      'Content-Security-Policy': buildCsp(scriptHash),
       'X-Content-Type-Options': 'nosniff',
       'Referrer-Policy': 'no-referrer',
     });
@@ -374,15 +456,15 @@ export function createServer({
         case 'GET /index.html':
           return handleIndex(res);
         case 'GET /events':
-          return handleEvents(req, res);
+          return handleEvents(req, res, url);
         case 'GET /healthz':
           return handleHealthz(res);
         case 'GET /state':
-          return handleState(res, url);
+          return handleState(req, res, url);
         case 'POST /publish':
-          return handlePublish(req, res);
+          return handlePublish(req, res, url);
         case 'POST /shutdown':
-          return handleShutdownRequest(req, res);
+          return handleShutdownRequest(req, res, url);
         default:
           return sendJson(res, 404, { error: 'not_found', route });
       }
@@ -400,6 +482,11 @@ export function createServer({
       version,
       startedAt,
     });
+    // SEC-14-02: copy per-process token from lockfile into closure for requireAuth.
+    authToken = lockMeta.token;
+    if (typeof authToken !== 'string' || authToken.length !== 64) {
+      throw new Error('SEC-14-02: lockMeta.token missing or malformed; refusing to start');
+    }
     server = http.createServer(handleRequest);
     server.on('connection', (sock) => {
       activeSockets.add(sock);
@@ -449,6 +536,12 @@ export const __test = {
   MAX_SSE_SUBSCRIBERS,
   DEFAULT_IDLE_MS,
   HEARTBEAT_INTERVAL_MS,
-  CSP,
+  // SEC-14-01: CSP is now built dynamically with sha256 hash of inline <script>.
+  // The constant CSP no longer exists; tests should use buildCsp(scriptHash).
+  buildCsp,
+  computeScriptHashFromHtml,
   EVENT_TYPES,
+  // SEC-14-02: timingSafeEqual exposed for unit tests; requireAuth depends on
+  // closure state (authToken) so end-to-end HTTP tests verify behavior.
+  timingSafeEqual,
 };

package/src/ui/static/index.html

@@ -1175,11 +1175,51 @@ button { font: inherit; color: inherit; background: none; border: 0; cursor: poi
 
 <script>
 /* ──────────────────────────────────────────────────────────
-   kit-mcp sidecar — prototype
-   This is a faithful mock of what the production HTML will do.
-   In production, replace the MockSource with a real EventSource('/events').
+   kit-mcp sidecar — production client
+   SEC-14-01 (Phase 82): All event-derived content rendered via escapeHtml()
+   before insertion into innerHTML. CSP without 'unsafe-inline' in script-src
+   is primary defense; escapeHtml() is defense-in-depth.
+   When adding new innerHTML sites, always escape dynamic fields.
    ────────────────────────────────────────────────────────── */
 
+/* ──────────────────────────────────────────────────────────
+   SEC-14-02 (Phase 82 / Plan 02): auth token from URL query param.
+   Server (Plan 01) requires Bearer token on /publish, /shutdown, /state
+   and ?t= on /events. This block extracts ?t= once at boot, scrubs it
+   from the address bar (so it doesn't leak via screen-share / browser
+   history copy-paste), and exposes helpers for fetch + EventSource.
+   Variable scoped to closure (not sessionStorage) — reload re-handshakes.
+   ────────────────────────────────────────────────────────── */
+const __sidecarToken = (() => {
+  try {
+    const params = new URLSearchParams(window.location.search);
+    const t = params.get("t");
+    if (t && /^[0-9a-f]{64}$/.test(t)) {
+      // Scrub from URL so re-share / screenshot doesn't leak it.
+      params.delete("t");
+      const newSearch = params.toString();
+      const newUrl = window.location.pathname + (newSearch ? "?" + newSearch : "") + window.location.hash;
+      window.history.replaceState(null, "", newUrl);
+      return t;
+    }
+  } catch (_) { /* fall through */ }
+  return null;
+})();
+
+function authedFetch(input, init = {}) {
+  const opts = { ...init, headers: { ...(init.headers || {}) } };
+  if (__sidecarToken) {
+    opts.headers["Authorization"] = "Bearer " + __sidecarToken;
+  }
+  return fetch(input, opts);
+}
+
+function authedEventSourceUrl(path) {
+  if (!__sidecarToken) return path;
+  const sep = path.includes("?") ? "&" : "?";
+  return path + sep + "t=" + encodeURIComponent(__sidecarToken);
+}
+
 /* ---------- humanize helpers (preserved API) ---------- */
 const TYPE_LABELS = {
   "run.start":      "INICIADO",
@@ -1433,16 +1473,21 @@ function historyRowHtml(h) {
       return `<div class="hist-detail-row"><span class="pct">${escapeHtml(pct)}</span><span class="lbl">${escapeHtml(lbl)}</span>${tk ? `<span class="tok">${tk}t</span>` : ""}</div>`;
     })
     .join("");
+  // SEC-14-01: every dynamic field escaped before injection into the
+  // history-row template. status/statusGlyph/dur/when/tokens are computed
+  // locally (string enum or pre-built HTML literal) so are safe by construction;
+  // h.runId and h.eventsCount cross the publisher boundary and MUST be escaped
+  // even though they should normally be benign — defense in depth.
   return `
-    <div class="hist-row" data-status="${status}" data-runid="${h.runId}">
+    <div class="hist-row" data-status="${escapeHtml(status)}" data-runid="${escapeHtml(h.runId)}">
       <div class="hist-status">${statusGlyph}</div>
       <div class="hist-title">${escapeHtml(title)}</div>
       <div class="hist-when">${when}</div>
       <div class="hist-meta-row">
         <span><span class="num">${dur}</span> dur</span>
         <span>${tokens}</span>
-        <span><span class="num">${h.eventsCount || 0}</span> eventos</span>
-        <span class="num">id ${h.runId.slice(0,8)}</span>
+        <span><span class="num">${escapeHtml(String(h.eventsCount || 0))}</span> eventos</span>
+        <span class="num">id ${escapeHtml(String(h.runId).slice(0,8))}</span>
       </div>
       <div class="hist-detail">${detailRows || '<div class="hist-detail-row"><span class="lbl">(sem progresso registrado)</span></div>'}</div>
     </div>
@@ -1534,10 +1579,14 @@ function activeCardHtml(run) {
   const longRunning = elapsed > 30_000;
   const stepCount = run.total ? `${run.current}/${run.total}` : "";
   const showTokens = run.tokens > 0;
+  // SEC-14-01: family/iconHref/title/stepLabel/stepCount/percent are computed
+  // locally; runId crosses the publisher boundary and is escaped before any
+  // injection (data-attribute or text). Defense in depth: even string enums
+  // (family) get escaped to ensure regression resistance.
   return `
-    <article class="run-card" data-runid="${run.runId}">
+    <article class="run-card" data-runid="${escapeHtml(run.runId)}">
       <div class="rc-head">
-        <div class="rc-icon" data-tool="${family}"><svg><use href="${iconHref}"/></svg></div>
+        <div class="rc-icon" data-tool="${escapeHtml(family)}"><svg><use href="${escapeHtml(iconHref)}"/></svg></div>
         <div class="rc-title-block">
           <div class="rc-tool">${escapeHtml(safeStr(run.tool) || "processo")}</div>
           <div class="rc-title">${escapeHtml(title)}</div>
@@ -1556,7 +1605,7 @@ function activeCardHtml(run) {
       <div class="rc-step">
         <span class="glyph"><svg><use href="#i-spin"/></svg></span>
         <span class="rc-step-text">${escapeHtml(stepLabel)}</span>
-        ${stepCount ? `<span class="rc-step-count">${stepCount}</span>` : ""}
+        ${stepCount ? `<span class="rc-step-count">${escapeHtml(stepCount)}</span>` : ""}
       </div>
 
       <div class="rc-tokens" ${showTokens ? "" : "style=\"display:none\""}>
@@ -1565,7 +1614,7 @@ function activeCardHtml(run) {
       </div>
 
       <div class="rc-foot">
-        <span class="rc-runid">id ${run.runId.slice(0, 8)}</span>
+        <span class="rc-runid">id ${escapeHtml(String(run.runId).slice(0, 8))}</span>
         <span class="sep">·</span>
         <span>${escapeHtml(safeStr(run.tool) || "")}</span>
       </div>
@@ -1708,8 +1757,11 @@ function rowHtml(evt, idx, prev) {
       msg = `<span class="ident">${escapeHtml(badge.toLowerCase())}</span>`;
   }
   const sourcePill = renderSourcePill(evt.payload?.source);
+  // SEC-14-01: evt.type and evt.runId cross publisher boundary → escape.
+  // msg/tokenChip/sourcePill are pre-built HTML literals where each interpolation
+  // already used escapeHtml() — safe by construction.
   return `
-    <div class="tl-row" data-type="${evt.type}" data-ok="${ok}" data-grouped="${grouped}">
+    <div class="tl-row" data-type="${escapeHtml(evt.type)}" data-ok="${ok}" data-grouped="${grouped}">
       <div class="tl-time" title="${time}">${rel}</div>
       <div class="tl-rail"><div class="tl-node"></div></div>
       <div class="tl-content">
@@ -1717,7 +1769,7 @@ function rowHtml(evt, idx, prev) {
         <span class="tl-msg">${msg}</span>
         ${tokenChip}
         ${sourcePill}
-        ${evt.runId ? `<span class="tl-runid">${evt.runId.slice(0,6)}</span>` : ""}
+        ${evt.runId ? `<span class="tl-runid">${escapeHtml(String(evt.runId).slice(0,6))}</span>` : ""}
       </div>
     </div>
   `;
@@ -1917,7 +1969,7 @@ function applyConnState(s) {
 
 async function hydrateFromState() {
   try {
-    const res = await fetch("/state", { credentials: "omit" });
+    const res = await authedFetch("/state", { credentials: "omit" });
     if (!res.ok) return;
     const j = await res.json();
     if (j.port && document.querySelector(".brand-sub")) {
@@ -1938,7 +1990,7 @@ function connectRealSource() {
   applyConnState("connecting");
   if (evtSource) try { evtSource.close(); } catch (_) {}
 
-  evtSource = new EventSource("/events");
+  evtSource = new EventSource(authedEventSourceUrl("/events"));
 
   evtSource.addEventListener("open", () => {
     lastConnectedAt = Date.now();