@luanpdd/kit-mcp 1.13.0 → 1.15.0

package/kit/hooks/sidecar-tool-publisher.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-// hook-version: 1.6.1
+// hook-version: 1.14.0
 // kit-mcp · Sidecar Tool Publisher (PostToolUse)
 //
 // Publishes every Claude Code tool invocation to the kit-mcp sidecar so the
@@ -52,12 +52,13 @@ process.stdin.on('end', () => {
     // kit-mcp-ui-*.lock files in tmpdir and pick one that healthz-responds.
     // This makes the hook resilient to projectRoot mismatch (case, separators,
     // trailing slash, parent-of-project edits, etc).
-    let port = readSidecarPort(projectRoot);
-    if (!port) port = scanAnyRunningSidecar();
-    if (!port) {
+    let sidecar = readSidecarLock(projectRoot);
+    if (!sidecar) sidecar = scanAnyRunningSidecar();
+    if (!sidecar) {
       debugLog({ phase: 'no_sidecar', projectRoot });
       process.exit(0);
     }
+    const { port, token } = sidecar;
 
     const payload = {
       tool: toolName,
@@ -74,29 +75,34 @@ process.stdin.on('end', () => {
       payload,
     };
 
-    publish(port, event).then(() => process.exit(0));
+    publish(port, token, event).then(() => process.exit(0));
   } catch (err) {
     process.stderr.write(`[sidecar-tool-publisher] ${err.message}\n`);
     process.exit(0);
   }
 });
 
-function readSidecarPort(projectRoot) {
+function readSidecarLock(projectRoot) {
   // Mirror src/ui/lockfile.js#lockPathFor (sha1(projectRoot).slice(0,16))
   try {
     const hash = crypto.createHash('sha1').update(projectRoot).digest('hex').slice(0, 16);
     const lockPath = path.join(os.tmpdir(), `kit-mcp-ui-${hash}.lock`);
     const raw = fs.readFileSync(lockPath, 'utf8');
     const lock = JSON.parse(raw);
-    return typeof lock.port === 'number' ? lock.port : null;
+    if (typeof lock.port !== 'number') return null;
+    return {
+      port: lock.port,
+      // SEC-14-02 (kit-mcp v1.14+): null for sidecars from v1.13 and earlier.
+      token: typeof lock.token === 'string' && /^[0-9a-f]{64}$/.test(lock.token) ? lock.token : null,
+    };
   } catch {
     return null;
   }
 }
 
-// Scan os.tmpdir() for any kit-mcp-ui-*.lock and return the first valid port.
-// Used as a fallback when projectRoot doesn't match any known lockfile (case
-// variants, separator differences, parent-dir edits, etc).
+// Scan os.tmpdir() for any kit-mcp-ui-*.lock and return the first { port, token }
+// of a live sidecar. Used as a fallback when projectRoot doesn't match any
+// known lockfile (case variants, separator differences, parent-dir edits, etc).
 function scanAnyRunningSidecar() {
   try {
     const dir = os.tmpdir();
@@ -107,8 +113,16 @@ function scanAnyRunningSidecar() {
         const raw = fs.readFileSync(path.join(dir, name), 'utf8');
         const lock = JSON.parse(raw);
         if (typeof lock.port === 'number' && typeof lock.pid === 'number') {
-          // Best-effort liveness check.
-          try { process.kill(lock.pid, 0); return lock.port; } catch { /* dead */ }
+          try {
+            process.kill(lock.pid, 0);
+            // SEC-14-02: return token from same lockfile so cross-project
+            // publishing can authenticate. If token missing (older sidecar),
+            // returns null → publish degrades to 401 silent-fail.
+            return {
+              port: lock.port,
+              token: typeof lock.token === 'string' && /^[0-9a-f]{64}$/.test(lock.token) ? lock.token : null,
+            };
+          } catch { /* dead */ }
         }
       } catch { /* skip unreadable */ }
     }
@@ -158,7 +172,7 @@ function detectIde() {
   return 'unknown';
 }
 
-function publish(port, event) {
+function publish(port, token, event) {
   return new Promise((resolve) => {
     const body = JSON.stringify(event);
     const req = http.request({
@@ -173,9 +187,17 @@ function publish(port, event) {
         'content-length': Buffer.byteLength(body, 'utf8'),
         origin: `http://127.0.0.1:${port}`,
         connection: 'close',
+        // SEC-14-02: token is null for sidecars from v1.13 and earlier; in that
+        // case we omit the header and the server returns 401, which the hook
+        // silent-fails on (matching pre-existing soft-fail discipline). A
+        // shipped hook v1.14 talking to a still-running sidecar v1.13 just
+        // loses the event — acceptable trade-off.
+        ...(token ? { authorization: `Bearer ${token}` } : {}),
       },
     }, (res) => {
-      // Drain response body to ensure server has fully processed before resolve
+      // Drain response body to ensure server has fully processed before resolve.
+      // v1.12.1 fix: await BOTH 'end' and 'close' to avoid premature exit before
+      // sidecar publishes via SSE. Preserve that pattern here.
       res.resume();
       res.on('end', resolve);
       res.on('close', resolve);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@luanpdd/kit-mcp",
-  "version": "1.13.0",
+  "version": "1.15.0",
   "description": "Generic infrastructure to ship YOUR personal kit of agents/commands/skills as an MCP server, with cross-IDE sync (Claude Code, Cursor, Codex, Gemini, Windsurf, Antigravity, Copilot, Trae).",
   "type": "module",
   "bin": {
@@ -44,7 +44,7 @@
     "test": "node test/run.mjs test/unit",
     "test:integration": "node test/run.mjs test/integration",
     "test:all": "node test/run.mjs test",
-    "prepublishOnly": "node test/run.mjs test/unit && node test/run.mjs test/integration"
+    "prepublishOnly": "node scripts/regen-manifest.js && node scripts/update-readme-counts.js && node test/run.mjs test/unit && node test/run.mjs test/integration"
   },
   "dependencies": {
     "@inquirer/prompts": "^8.4.2",

package/src/cli/index.js

@@ -154,20 +154,36 @@ function slim(x) {
   return { kind: x.kind, name: x.name, description: summarize(x.description) };
 }
 
+// PERF-15-01: terse variant — paridade com mcp-server slimTerse. CLI flag --terse
+// controla seleção. Mantém o mesmo shape {kind, name} para programmatic consumers
+// que parseiam --json output (consistência cross-surface).
+function slimTerse(x) {
+  return { kind: x.kind, name: x.name };
+}
+
 // --- kit ---
 const kit = program.command('kit').description('Browse the canonical kit.');
-kit.command('list-agents').action(async () => {
-  const k = await withSpinner('Loading kit...', () => listKit());
-  out(k.agents.map(slim), v => render.renderKitList(v, 'agent'));
-});
-kit.command('list-commands').action(async () => {
-  const k = await withSpinner('Loading kit...', () => listKit());
-  out(k.commands.map(slim), v => render.renderKitList(v, 'command'));
-});
-kit.command('list-skills').action(async () => {
-  const k = await withSpinner('Loading kit...', () => listKit());
-  out([...k.skills, ...k.skillsExtras].map(slim), v => render.renderKitList(v, 'skill'));
-});
+kit.command('list-agents')
+  .option('--terse', 'Omit description; return only {kind, name} (PERF-15-01)')
+  .action(async (opts) => {
+    const k = await withSpinner('Loading kit...', () => listKit());
+    const variant = opts.terse ? slimTerse : slim;
+    out(k.agents.map(variant), v => render.renderKitList(v, 'agent'));
+  });
+kit.command('list-commands')
+  .option('--terse', 'Omit description; return only {kind, name} (PERF-15-01)')
+  .action(async (opts) => {
+    const k = await withSpinner('Loading kit...', () => listKit());
+    const variant = opts.terse ? slimTerse : slim;
+    out(k.commands.map(variant), v => render.renderKitList(v, 'command'));
+  });
+kit.command('list-skills')
+  .option('--terse', 'Omit description; return only {kind, name} (PERF-15-01)')
+  .action(async (opts) => {
+    const k = await withSpinner('Loading kit...', () => listKit());
+    const variant = opts.terse ? slimTerse : slim;
+    out([...k.skills, ...k.skillsExtras].map(variant), v => render.renderKitList(v, 'skill'));
+  });
 kit.command('get <kind> <name>').action(async (kind, name) => {
   const k = await listKit();
   const item = findItem(k, kind, name);
@@ -429,7 +445,7 @@ ui.command('stop')
     const lock = readLock(projectRoot);
     if (!lock) return out({ ok: false, reason: 'no_sidecar' }, () => `${icons.warn} no sidecar running for this project\n`);
     try {
-      await postShutdown(lock.port);
+      await postShutdown(lock.port, lock.token);
       out({ ok: true, port: lock.port }, () => `${icons.check} sidecar at port ${lock.port} stopped\n`);
     } catch (err) {
       fail(`could not stop sidecar at port ${lock.port}: ${err.message}`);
@@ -640,15 +656,24 @@ async function runDoctorChecks(projectRoot) {
 }
 
 // Helpers for kit ui (live in cli/ — stdout/console allowed here)
-async function postShutdown(port) {
+// SEC-14-02: /shutdown now requires Authorization Bearer <token>. Caller must
+// pass the per-process token read from the lockfile (lock.token from readLock).
+async function postShutdown(port, token) {
   return new Promise((resolve, reject) => {
+    const headers = {
+      host: `127.0.0.1:${port}`,
+      origin: `http://127.0.0.1:${port}`,
+      'content-length': 0,
+      connection: 'close',
+    };
+    if (token) headers.authorization = `Bearer ${token}`;
     const req = http.request({
       method: 'POST',
       host: '127.0.0.1',
       port,
       path: '/shutdown',
       agent: false,
-      headers: { host: `127.0.0.1:${port}`, origin: `http://127.0.0.1:${port}`, 'content-length': 0, connection: 'close' },
+      headers,
     }, (res) => {
       res.resume();
       res.on('end', () => res.statusCode < 400 ? resolve() : reject(new Error(`http_${res.statusCode}`)));

package/src/core/error-redaction.js

@@ -0,0 +1,76 @@
+// SEC-14-06 — central redaction helpers shared by mcp-server, reflect, and replays.
+//
+// Pure module: no I/O, no globals other than the constant regex set.
+//
+// Why a single choke point: the threat model is "leakage of API keys, Bearer
+// tokens, and absolute filesystem paths through MCP error envelopes / persisted
+// replays". Scattering redaction across each call site invites drift. One file,
+// one regex set, three import sites — and a single grep proves coverage.
+//
+// Order rationale (PATTERNS array):
+//   1. sk-ant-* before sk-* — Anthropic prefix is more specific. (In practice
+//      the openai pattern's [A-Za-z0-9] character class would NOT swallow
+//      "sk-ant-" because of the dash, but ordering keeps intent legible.)
+//   2. x-api-key header before Bearer — both are distinct shapes; order is
+//      arbitrary but stable.
+//   3. Path patterns last — broadest character class, matched after specific
+//      secrets so a secret that contains slash-like characters has been
+//      stripped already.
+//
+// Non-false-positive contract (verified by test/unit/error-redaction.test.js):
+//   - "Compare A:B" stays unchanged          (no `\` or `/` after `:`)
+//   - "Modal: hello"  stays unchanged        (no `\` or `/` after `:`)
+//   - "Visit https://example.com/path" stays (lowercase scheme, no Drive: pattern)
+//   - "Bearer x"      stays unchanged        (1 char, below 20 minimum)
+//   - "sk-foo"        stays unchanged        (3 chars after sk-, below 20 minimum)
+//   - "see /etc/passwd" stays unchanged      (etc not in {home,Users,root} allowlist)
+//
+// Idempotency: redactSecrets(redactSecrets(x)) === redactSecrets(x). The
+// substitution strings ('[REDACTED:*]', '[PATH]', etc.) contain no characters
+// that match any of the patterns themselves.
+
+const PATTERNS = [
+  { re: /sk-ant-[A-Za-z0-9_\-]{20,}/g,        sub: '[REDACTED:anthropic_key]' },
+  { re: /sk-[A-Za-z0-9]{20,}/g,                sub: '[REDACTED:openai_key]' },
+  { re: /x-api-key\s*:\s*[^\s,;'"]+/gi,        sub: 'x-api-key: [REDACTED]' },
+  { re: /Bearer\s+[A-Za-z0-9._\-]{20,}/gi,     sub: 'Bearer [REDACTED]' },
+  { re: /[A-Z]:[\\\/][^\s'"`<>]+/g,            sub: '[PATH]' },
+  { re: /\/(home|Users|root)\/[^\s'"`<>]+/g,   sub: '[PATH]' },
+];
+
+/**
+ * Strip secrets and absolute filesystem paths from a string. Defensive: coerces
+ * non-string inputs via String(value); null/undefined return ''.
+ *
+ * @param {unknown} text
+ * @returns {string}
+ */
+export function redactSecrets(text) {
+  if (text == null) return '';
+  let s = String(text);
+  for (const { re, sub } of PATTERNS) {
+    s = s.replace(re, sub);
+  }
+  return s;
+}
+
+/**
+ * Build the public MCP error envelope for an arbitrary thrown value. The
+ * server-side stderr keeps the full trace for operator debugging; the
+ * JSON-RPC client receives only `{error, code}` — no trace field is emitted.
+ *
+ * Preserves err.code when present (Phase 83.03 added `EMANIFESTMISMATCH`;
+ * downstream callers can keep dispatching on that code).
+ *
+ * @param {unknown} err
+ * @returns {{ error: string, code: string }}
+ */
+export function sanitizeMcpError(err) {
+  const msg = err && typeof err === 'object' && 'message' in err
+    ? err.message
+    : err;
+  return {
+    error: redactSecrets(msg ?? 'unknown error'),
+    code:  (err && typeof err === 'object' && err.code) ? err.code : 'MCP_INTERNAL_ERROR',
+  };
+}

package/src/core/gate-runner.js

@@ -132,9 +132,17 @@ function extractCodeBlocks(text) {
 // --- exec ---
 
 async function execScript(script, cwd) {
-  // Write to a temp file and run with bash. We don't try to inline -c because
-  // the scripts can be multiline and contain quoting we'd have to escape.
-  const tmp = path.join(os.tmpdir(), `kit-gate-${Date.now()}-${Math.random().toString(36).slice(2)}.sh`);
+  // SEC-14-04: use mkdtemp for crypto-safe random directory naming, write the
+  // script INSIDE it, then cleanup recursive. Predictable timestamp+rand-suffix
+  // filenames are unsafe in multi-user /tmp — attacker can pre-create a symlink
+  // at the predicted path before fs.writeFile, and `spawn(bash, [tmp])` would
+  // execute the symlink target. mkdtemp uses the OS-level mkdtemp(3) syscall
+  // (POSIX) / equivalent (Windows) which atomically creates a directory with
+  // a random suffix and returns the actual path. The new dir gets 0700 from
+  // process umask on POSIX (umask 022 → 0700; default Node runtime). Even if
+  // umask is permissive, the script file inside is written with mode 0o700.
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), 'kit-gate-'));
+  const tmp = path.join(dir, 'gate.sh');
   await fs.writeFile(tmp, script, { encoding: 'utf8', mode: 0o700 });
   try {
     const child = spawn('bash', [tmp], { cwd, env: process.env });
@@ -151,7 +159,11 @@ async function execScript(script, cwd) {
       stderr: Buffer.concat(stderrOut).toString('utf8'),
     };
   } finally {
-    await fs.unlink(tmp).catch(() => {});
+    // Recursive cleanup — even if spawn errored above, the dir gets removed.
+    // force:true swallows ENOENT (e.g. if script self-deleted). recursive:true
+    // walks the dir; even if the gate body wrote temp files inside cwd, cwd is
+    // separate from `dir` so we won't blast user files.
+    await fs.rm(dir, { recursive: true, force: true }).catch(() => {});
   }
 }
 

package/src/core/manifest-verify.js

@@ -0,0 +1,107 @@
+// SEC-14-05: verify kit/file-manifest.json against actual file contents.
+// Called by syncTo() in install path, before any write — refuses to project
+// a tampered kit. Opt-out via KIT_MCP_SKIP_MANIFEST_CHECK=1 (warn on stderr).
+//
+// Manifest format (kit/file-manifest.json):
+//   { version, timestamp, files: { "<rel-to-kitRoot>": "<sha256-hex>", ... } }
+//
+// Returns:
+//   { ok: true } when all listed files exist + match.
+//   { ok: true, skipped: true } when KIT_MCP_SKIP_MANIFEST_CHECK=1.
+//   { ok: false, reason, mismatches, missing } otherwise.
+
+import path from 'node:path';
+import fs from 'node:fs/promises';
+import crypto from 'node:crypto';
+
+const SKIP_ENV = 'KIT_MCP_SKIP_MANIFEST_CHECK';
+
+export async function verifyManifest(kitRoot) {
+  if (process.env[SKIP_ENV] === '1') {
+    process.stderr.write(
+      '[kit-mcp] WARNING: ' + SKIP_ENV + '=1 set — skipping kit/file-manifest.json verification (dev mode).\n'
+    );
+    return { ok: true, skipped: true };
+  }
+
+  const manifestPath = path.join(kitRoot, 'file-manifest.json');
+  let manifest;
+  try {
+    const raw = await fs.readFile(manifestPath, 'utf8');
+    manifest = JSON.parse(raw);
+  } catch (e) {
+    return {
+      ok: false,
+      reason: 'kit manifest unreadable at ' + manifestPath + ': ' + e.message,
+      mismatches: [],
+      missing: [],
+    };
+  }
+
+  if (!manifest.files || typeof manifest.files !== 'object') {
+    return {
+      ok: false,
+      reason: "kit manifest malformed at " + manifestPath + ": missing 'files' object",
+      mismatches: [],
+      missing: [],
+    };
+  }
+
+  const mismatches = [];
+  const missing = [];
+
+  for (const [rel, expected] of Object.entries(manifest.files)) {
+    const abs = path.join(kitRoot, rel);
+    let buf;
+    try {
+      buf = await fs.readFile(abs);
+    } catch {
+      missing.push(rel);
+      continue;
+    }
+    // Normalize CRLF→LF before hashing so manifest is platform-stable.
+    // git checkout converts EOL on Windows but Linux CI checks out LF —
+    // hashing raw bytes would diverge across platforms.
+    const normalized = Buffer.from(buf.toString('binary').replace(/\r\n/g, '\n'), 'binary');
+    const actual = crypto.createHash('sha256').update(normalized).digest('hex');
+    if (actual !== expected) {
+      mismatches.push({ path: rel, expected: expected.slice(0, 16), actual: actual.slice(0, 16) });
+    }
+  }
+
+  if (mismatches.length === 0 && missing.length === 0) {
+    return { ok: true };
+  }
+
+  // Build a concise reason — first 3 mismatches, plus counts.
+  const sample = mismatches
+    .slice(0, 3)
+    .map((m) => m.path + ' (expected ' + m.expected + ', got ' + m.actual + ')')
+    .join('; ');
+  const missingSample = missing.slice(0, 3).join(', ');
+  const reasonParts = [];
+  if (mismatches.length > 0) {
+    reasonParts.push(
+      mismatches.length +
+        ' file(s) tampered: ' +
+        sample +
+        (mismatches.length > 3 ? ', +' + (mismatches.length - 3) + ' more' : '')
+    );
+  }
+  if (missing.length > 0) {
+    reasonParts.push(
+      missing.length +
+        ' file(s) missing: ' +
+        missingSample +
+        (missing.length > 3 ? ', +' + (missing.length - 3) + ' more' : '')
+    );
+  }
+  reasonParts.push('set ' + SKIP_ENV + '=1 to bypass (dev only)');
+
+  return {
+    ok: false,
+    reason: 'kit manifest mismatch — ' + reasonParts.join('; '),
+    mismatches,
+    missing,
+  };
+}

package/src/core/path-safety.js

@@ -0,0 +1,111 @@
+// SEC-14-03: validate that a projectRoot supplied via MCP message points to a
+// real git workspace before any handler that writes to disk dispatches into
+// sync.js / reverse-sync.js.
+//
+// The helper is intentionally pure (no throw): MCP handlers package errors as
+// `{ error: <string> }` envelopes (see src/mcp-server/index.js handleSync,
+// handleGates, handleForensics — all use the same shape). Returning a discriminated
+// `{ ok, ...}` lets each caller decide between an envelope error or a CLI exit
+// without try/catch boilerplate.
+//
+// Why a directory-existence + walk-up `.git/` check (and not, say, spawning
+// `git rev-parse --show-toplevel`):
+//   - Heuristic is good enough for our threat model. The attacker we are blocking
+//     is "MCP message says projectRoot=\\evil-host\share or %APPDATA%". Both fail
+//     the existence-or-`.git`-ancestor test trivially.
+//   - No child_process means no dependency on `git` being on PATH at runtime, no
+//     spawn latency on the hot path of every tool call, and no risk of the spawned
+//     git itself reading config from an attacker-influenced cwd.
+//   - The walk-up loop is bounded — Windows roots terminate at `D:\`, POSIX at
+//     `/`, and `path.dirname(cur) === cur` is the universal fixed point. Typical
+//     workspaces have <8 levels to a `.git/`, so a stat per level is fine.
+//
+// CLI does NOT call this — `bin/cli.js` trusts whoever invoked it (same trust
+// model as Phase 79.01's gates.run guard).
+
+import path from 'node:path';
+import fs from 'node:fs/promises';
+
+// All rejection reasons embed the literal "git workspace" — MCP clients (and
+// our own regression tests) match on that single sentinel regardless of which
+// check fired. Keeping the wording uniform means callers don't have to maintain
+// six regexes; one suffices.
+const SENTINEL = 'MCP sync requires projectRoot to be a git workspace';
+
+export async function validateProjectRoot(projectRoot) {
+  // Reject empty / nullish up-front. We require an explicit projectRoot from
+  // MCP messages — falling back to `process.cwd()` of the MCP server would let
+  // an attacker probe wherever the server happened to be launched.
+  if (projectRoot === undefined || projectRoot === null || projectRoot === '') {
+    return {
+      ok: false,
+      reason: SENTINEL + '; got <empty> (pass an absolute path to a git workspace)',
+    };
+  }
+  if (typeof projectRoot !== 'string') {
+    return {
+      ok: false,
+      reason: SENTINEL + '; got non-string projectRoot of type ' + typeof projectRoot,
+    };
+  }
+
+  // path.resolve normalises separators and collapses `..` segments so a later
+  // attacker payload like `C:\Users\\..\evil` is reduced before the existence
+  // check happens. resolve() is also a no-op on already-absolute paths.
+  const resolved = path.resolve(projectRoot);
+
+  // Defensive — path.resolve should always return absolute, but if a future
+  // Node version changes that we still want to reject.
+  if (!path.isAbsolute(resolved)) {
+    return {
+      ok: false,
+      reason: SENTINEL + '; projectRoot did not resolve to an absolute path: ' + projectRoot,
+    };
+  }
+
+  // The stat doubles as an existence + reachability check. UNC paths to
+  // unreachable hosts (`\\evil-host\share`) reject here on Windows with ENOENT
+  // / EHOSTUNREACH within milliseconds; Node treats both as a rejection so we
+  // never proceed to write a single byte.
+  let stat;
+  try {
+    stat = await fs.stat(resolved);
+  } catch {
+    return {
+      ok: false,
+      reason: SENTINEL + '; projectRoot does not exist or is unreachable: ' + resolved,
+    };
+  }
+
+  if (!stat.isDirectory()) {
+    return {
+      ok: false,
+      reason: SENTINEL + '; projectRoot must be a directory: ' + resolved,
+    };
+  }
+
+  // Walk up looking for `.git` (file or directory — `git worktree` uses a file).
+  // Bounded by the dirname fixed-point check so this terminates on every OS.
+  let cur = resolved;
+  // eslint-disable-next-line no-constant-condition
+  while (true) {
+    try {
+      await fs.stat(path.join(cur, '.git'));
+      return { ok: true, resolvedPath: resolved };
+    } catch {
+      // not here — keep walking up
+    }
+    const parent = path.dirname(cur);
+    if (parent === cur) break;
+    cur = parent;
+  }
+
+  // No .git/ found anywhere in the chain — the canonical reject. The literal
+  // "git workspace" string is part of the public contract — tests
+  // (test/unit/mcp-projectroot-guard.test.js) and downstream MCP clients match
+  // on it. Don't rephrase without coordinating callers.
+  return {
+    ok: false,
+    reason: SENTINEL + '; got ' + projectRoot,
+  };
+}

package/src/core/reflect.js

@@ -19,6 +19,7 @@ import fs from 'node:fs/promises';
 import { createInterface } from 'node:readline/promises';
 import { stdin as input, stdout as output, stderr } from 'node:process';
 import { resolveKitRoot } from './kit.js';
+import { redactSecrets } from './error-redaction.js';
 
 const DEFAULT_MODEL      = process.env.KIT_REFLECT_MODEL ?? 'claude-sonnet-4-5-20250929';
 const DEFAULT_MAX_TOKENS = parseInt(process.env.KIT_REFLECT_MAX_TOKENS ?? '8000', 10);
@@ -169,7 +170,11 @@ async function callClaude(prompt) {
   });
   if (!res.ok) {
     const errBody = await res.text();
-    throw new Error(`Anthropic API ${res.status}: ${errBody}`);
+    // SEC-14-06: Anthropic error responses can echo the supplied API key
+    // (rare but observed in 401s). Strip secrets/paths before propagating
+    // to caller — the central MCP catch will sanitize again, but doing it
+    // here means CLI callers (which bypass the MCP catch) are also protected.
+    throw new Error(`Anthropic API ${res.status}: ${redactSecrets(errBody)}`);
   }
   const j = await res.json();
   return {

package/src/core/replays.js

@@ -14,6 +14,7 @@
 
 import path from 'node:path';
 import fs from 'node:fs/promises';
+import { redactSecrets } from './error-redaction.js';
 
 const REPLAY_DIR_REL = path.join('.planning', 'replays');
 
@@ -68,7 +69,15 @@ export async function recordReplay(payload, opts = {}) {
   assertPathInside(file, dir);
 
   const record = { id, recorded_at: new Date().toISOString(), ...payload };
-  await fs.writeFile(file, JSON.stringify(record, null, 2), 'utf8');
+  // SEC-14-06: scrub the serialized form before writing. We redact AFTER
+  // JSON.stringify (rather than deep-mapping the payload tree) so the regex
+  // walks the entire structure including nested args/headers/env, and so
+  // the in-memory `record` returned to the caller stays unmutated. Only the
+  // on-disk artifact is scrubbed; readers of the file via loadReplay see
+  // the redacted form, which is the desired outcome — secrets must not be
+  // re-loaded into memory either.
+  const json = redactSecrets(JSON.stringify(record, null, 2));
+  await fs.writeFile(file, json, 'utf8');
   return { id, file, record };
 }
 

package/src/core/sync.js

@@ -13,6 +13,7 @@ import path from 'node:path';
 import fs from 'node:fs/promises';
 import { getTarget } from './registry.js';
 import { listKit, resolveKitRoot } from './kit.js';
+import { verifyManifest } from './manifest-verify.js';
 
 const STUB_MARKER = '<!-- kit-mcp:reference -->';
 const MANAGED_MARKER_FILE = '.kit-mcp-managed';
@@ -26,6 +27,18 @@ export async function syncTo(targetId, opts = {}) {
   const dryRun      = !!opts.dryRun;
   const onProgress  = opts.onProgress ?? (() => {});
 
+  // SEC-14-05: verify kit integrity before projecting. Refuses tampered kit/.
+  // Opt-out via KIT_MCP_SKIP_MANIFEST_CHECK=1 (handled inside verifyManifest).
+  // Only runs on install path (syncTo); removeFrom/statusOf/applyReverse don't
+  // call this — see plan 83-03 for rationale (apply path is the introduction
+  // vector, not the trust point; stale-but-intact kits in dev are skipped).
+  const manifestCheck = await verifyManifest(kitRoot);
+  if (!manifestCheck.ok) {
+    const err = new Error(manifestCheck.reason);
+    err.code = 'EMANIFESTMISMATCH';
+    throw err;
+  }
+
   // PERF-03: accept a pre-loaded kit to avoid re-walking the disk when callers
   // already have one in hand (CLI sync that follows reverse-sync detect, etc).
   // PERF-S1: in mode=reference (default), read just frontmatter — body/content