@luanpdd/kit-mcp 1.13.0 → 1.15.0

package/src/mcp-server/index.js

@@ -20,6 +20,8 @@ import { listKit, searchKit, findItem } from '../core/kit.js';
 import { listTargets } from '../core/registry.js';
 import { syncTo, statusOf, removeFrom, summarize } from '../core/sync.js';
 import { detectReverse, applyReverse } from '../core/reverse-sync.js';
+import { validateProjectRoot } from '../core/path-safety.js';
+import { sanitizeMcpError } from '../core/error-redaction.js';
 import { listGates, getGate, gatesForStage } from '../core/gates.js';
 import { runGate } from '../core/gate-runner.js';
 import { collectFailures, summarizeByAgent, writeLearnings } from '../core/failures.js';
@@ -40,6 +42,7 @@ const TOOLS = [
         kind:   { type: 'string', enum: ['agent', 'command', 'skill'], description: 'For action=get' },
         name:   { type: 'string', description: 'For action=get' },
         query:  { type: 'string', description: 'For action=search' },
+        terse:  { type: 'boolean', description: 'For action=list-*: omit description, return only {kind, name}. Default false (PERF-15-01).' },
       },
       required: ['action'],
     },
@@ -150,10 +153,13 @@ export const PKG_VERSION = readPkgVersion();
 
 async function handleKit(args) {
   const kit = await listKit();
+  // PERF-15-01: terse mode skips description payload entirely. Backward-compat:
+  // args.terse undefined/false preserves slim()+summarize() cap-80 behavior.
+  const variant = args.terse === true ? slimTerse : slim;
   switch (args.action) {
-    case 'list-agents':   return kit.agents.map(slim);
-    case 'list-commands': return kit.commands.map(slim);
-    case 'list-skills':   return [...kit.skills, ...kit.skillsExtras].map(slim);
+    case 'list-agents':   return kit.agents.map(variant);
+    case 'list-commands': return kit.commands.map(variant);
+    case 'list-skills':   return [...kit.skills, ...kit.skillsExtras].map(variant);
     case 'get': {
       const item = findItem(kit, args.kind, args.name);
       if (!item) return { error: `Not found: ${args.kind}/${args.name}` };
@@ -192,25 +198,45 @@ async function withAutoSpawn(args, tool, run) {
 async function handleSync(args) {
   switch (args.action) {
     case 'targets': return listTargets();
-    case 'status':  return statusOf(args.target, { projectRoot: args.projectRoot });
+    case 'status':
     case 'install':
-      return withAutoSpawn(args, 'sync.install', (onProgress) =>
-        syncTo(args.target, { projectRoot: args.projectRoot, mode: args.mode, dryRun: args.dryRun, onProgress }));
-    case 'remove':  return removeFrom(args.target, { projectRoot: args.projectRoot });
+    case 'remove': {
+      // SEC-14-03: MCP message must specify a path inside a git workspace.
+      // CLI bypasses this — bin/cli.js trusts whoever invoked it (same trust
+      // model as Phase 79.01's gates.run guard). status is read-only but
+      // included for defense-in-depth and a single uniform error surface.
+      const guard = await validateProjectRoot(args.projectRoot);
+      if (!guard.ok) return { error: guard.reason };
+      const projectRoot = guard.resolvedPath;
+      if (args.action === 'status') return statusOf(args.target, { projectRoot });
+      if (args.action === 'install')
+        return withAutoSpawn({ ...args, projectRoot }, 'sync.install', (onProgress) =>
+          syncTo(args.target, { projectRoot, mode: args.mode, dryRun: args.dryRun, onProgress }));
+      // action === 'remove'
+      return removeFrom(args.target, { projectRoot });
+    }
     default: return { error: `Unknown action: ${args.action}` };
   }
 }
 
 async function handleReverseSync(args) {
   switch (args.action) {
-    case 'detect': return detectReverse(args.target, { projectRoot: args.projectRoot });
-    case 'apply':
-      return withAutoSpawn(args, 'reverse-sync.apply', (onProgress) =>
+    case 'detect':
+    case 'apply': {
+      // SEC-14-03: same guard as handleSync — reverse-sync apply also writes
+      // to disk (kit/<file>) so it must be on the same allowlist as sync.
+      const guard = await validateProjectRoot(args.projectRoot);
+      if (!guard.ok) return { error: guard.reason };
+      const projectRoot = guard.resolvedPath;
+      if (args.action === 'detect') return detectReverse(args.target, { projectRoot });
+      // action === 'apply'
+      return withAutoSpawn({ ...args, projectRoot }, 'reverse-sync.apply', (onProgress) =>
         applyReverse(args.target, {
-          projectRoot: args.projectRoot,
+          projectRoot,
           strategy: args.strategy, only: args.only, dryRun: args.dryRun,
           onProgress,
         }));
+    }
     default: return { error: `Unknown action: ${args.action}` };
   }
 }
@@ -283,6 +309,13 @@ function slim(x) {
   return { kind: x.kind, name: x.name, description: summarize(x.description) };
 }
 
+// PERF-15-01: terse variant — omits description entirely. Used when MCP client
+// only needs name discovery (e.g. populating UI lists, validating slug references).
+// Default action=list-* still returns description capped via slim()/summarize().
+function slimTerse(x) {
+  return { kind: x.kind, name: x.name };
+}
+
 // --- server bootstrap ---
 
 export async function createServer() {
@@ -303,8 +336,12 @@ export async function createServer() {
       const result = await handler(args ?? {});
       return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
     } catch (e) {
+      // SEC-14-06: full stack stays in stderr for operator debug; client envelope is sanitized.
+      // sanitizeMcpError redacts secrets/paths from e.message, preserves e.code (Phase 83
+      // EMANIFESTMISMATCH invariant), and emits NO stack field.
+      console.error('[mcp-server] error in handler:', e?.stack ?? e);
       return {
-        content: [{ type: 'text', text: JSON.stringify({ error: e.message, stack: e.stack }, null, 2) }],
+        content: [{ type: 'text', text: JSON.stringify(sanitizeMcpError(e), null, 2) }],
         isError: true,
       };
     }

package/src/ui/auto-spawn.js

@@ -97,7 +97,12 @@ export async function ensureSidecar({ projectRoot, openBrowserOnSpawn = true } =
 
   let opened = false;
   if (openBrowserOnSpawn) {
-    const url = `http://127.0.0.1:${lock.port}/`;
+    // SEC-14-02: propagate auth token via query param so browser can self-authenticate
+    // without user interaction. EventSource cannot send custom headers; ?t= is the
+    // canonical pattern. The browser scrubs ?t= from the address bar via
+    // history.replaceState immediately on boot to avoid leak via screenshare.
+    const tokenSuffix = lock.token ? `?t=${encodeURIComponent(lock.token)}` : '';
+    const url = `http://127.0.0.1:${lock.port}/${tokenSuffix}`;
     const r = await openBrowser(url);
     opened = r.opened === true;
   }

package/src/ui/client.js

@@ -8,34 +8,43 @@ import http from 'node:http';
 import { readLock } from './lockfile.js';
 import { validateEvent } from './events.js';
 
-// Cache the resolved port across calls in a single process.
-const portCache = new Map(); // projectRoot -> port (or 0 = no sidecar)
-const PORT_CACHE_TTL_MS = 5_000;
+// Cache the resolved sidecar (port + token) across calls in a single process.
+// SEC-14-02: token is needed for Authorization on every publish() — read from
+// the same lockfile read as port to avoid double I/O.
+const sidecarCache = new Map(); // projectRoot -> { port, token } | { port: 0, token: null }
+const SIDECAR_CACHE_TTL_MS = 5_000;
 const cacheTimestamps = new Map();
 
-function readCachedPort(projectRoot) {
+function readCachedSidecar(projectRoot) {
   const ts = cacheTimestamps.get(projectRoot);
-  if (!ts || Date.now() - ts > PORT_CACHE_TTL_MS) return undefined;
-  return portCache.get(projectRoot);
+  if (!ts || Date.now() - ts > SIDECAR_CACHE_TTL_MS) return undefined;
+  return sidecarCache.get(projectRoot);
 }
 
-function writeCachedPort(projectRoot, port) {
-  portCache.set(projectRoot, port);
+function writeCachedSidecar(projectRoot, sidecar) {
+  sidecarCache.set(projectRoot, sidecar);
   cacheTimestamps.set(projectRoot, Date.now());
 }
 
+// Backward-compat name; clears port + token cache. Tests + callers using
+// clearPortCache continue to work without code change.
 export function clearPortCache() {
-  portCache.clear();
+  sidecarCache.clear();
   cacheTimestamps.clear();
 }
 
-function resolvePort(projectRoot) {
-  const cached = readCachedPort(projectRoot);
+function resolveSidecar(projectRoot) {
+  const cached = readCachedSidecar(projectRoot);
   if (cached !== undefined) return cached;
   const lock = readLock(projectRoot);
-  const port = lock?.port ?? 0;
-  writeCachedPort(projectRoot, port);
-  return port;
+  const sidecar = {
+    port: lock?.port ?? 0,
+    // SEC-14-02: null if missing (lockfile from older sidecar version pre-v1.14).
+    // Triggers degraded path: no Authorization header → server 401 → soft-fail.
+    token: typeof lock?.token === 'string' ? lock.token : null,
+  };
+  writeCachedSidecar(projectRoot, sidecar);
+  return sidecar;
 }
 
 // publish(event, { projectRoot, timeoutMs }): always resolves. Returns
@@ -47,7 +56,7 @@ export async function publish(event, { projectRoot, timeoutMs = 1500 } = {}) {
   const validationErr = validateEvent(event);
   if (validationErr) return { sent: false, reason: `invalid_event: ${validationErr.message}` };
 
-  const port = resolvePort(projectRoot);
+  const { port, token } = resolveSidecar(projectRoot);
   if (!port) return { sent: false, reason: 'no_sidecar' };
 
   const body = JSON.stringify(event);
@@ -65,6 +74,10 @@ export async function publish(event, { projectRoot, timeoutMs = 1500 } = {}) {
         'content-length': Buffer.byteLength(body, 'utf8'),
         'origin': `http://127.0.0.1:${port}`,
         'connection': 'close',
+        // SEC-14-02: attach Bearer token if lockfile has one. If not (older
+        // sidecar pre-v1.14), server returns 401 → resolves as { sent: false,
+        // reason: 'http_401' } via the soft-fail flow below.
+        ...(token ? { 'authorization': `Bearer ${token}` } : {}),
       },
     }, (res) => {
       // Drain — we don't actually care about the body, just the status.
@@ -73,9 +86,11 @@ export async function publish(event, { projectRoot, timeoutMs = 1500 } = {}) {
         if (res.statusCode >= 200 && res.statusCode < 300) {
           resolve({ sent: true, status: res.statusCode });
         } else {
-          // Stale lockfile? Drop the cache so the next call re-reads.
-          if (res.statusCode === 403 || res.statusCode === 404) {
-            portCache.delete(projectRoot);
+          // Stale lockfile or rotated token? Drop cache so next call re-reads.
+          // SEC-14-02: invalidate on 401 too — token may have rotated after
+          // sidecar restart; cache TTL of 5s would otherwise prolong recovery.
+          if (res.statusCode === 401 || res.statusCode === 403 || res.statusCode === 404) {
+            sidecarCache.delete(projectRoot);
             cacheTimestamps.delete(projectRoot);
           }
           resolve({ sent: false, reason: `http_${res.statusCode}` });
@@ -86,7 +101,7 @@ export async function publish(event, { projectRoot, timeoutMs = 1500 } = {}) {
     req.on('error', (err) => {
       // Most common: ECONNREFUSED (lockfile points at a dead port).
       if (err.code === 'ECONNREFUSED' || err.code === 'ECONNRESET') {
-        portCache.delete(projectRoot);
+        sidecarCache.delete(projectRoot);
         cacheTimestamps.delete(projectRoot);
       }
       resolve({ sent: false, reason: `error: ${err.code || err.message}` });

package/src/ui/lockfile.js

@@ -6,7 +6,7 @@
 //   1. process.kill(pid, 0) — ESRCH/EPERM means the holder is gone
 //   2. optional HTTP healthz probe (injected by caller; keeps this module pure of net)
 
-import { createHash } from 'node:crypto';
+import { createHash, randomBytes } from 'node:crypto';
 import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
@@ -55,6 +55,10 @@ export function acquireLock({ projectRoot, port, version, startedAt }) {
     version: version ?? null,
     startedAt: startedAt ?? Date.now(),
     lockSchema: LOCK_VERSION,
+    // SEC-14-02: per-process auth token. 32 random bytes hex-encoded = 64 chars.
+    // Required by /publish, /shutdown, /events, /state. Lifetime = process lifetime;
+    // not logged, not telemetered. See docs/sidecar-security.md.
+    token: randomBytes(32).toString('hex'),
   };
   let fd;
   try {

package/src/ui/server.js

@@ -22,6 +22,7 @@ import { readFileSync } from 'node:fs';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import process from 'node:process';
+import { createHash } from 'node:crypto';
 
 import { findFreePortOrThrow } from './port.js';
 import { acquireLockOrReclaim, releaseLock } from './lockfile.js';
@@ -42,19 +43,70 @@ const SSE_HEADERS = {
   'X-Accel-Buffering': 'no',
 };
 
-const CSP =
-  "default-src 'self'; " +
-  "connect-src 'self'; " +
-  "script-src 'self' 'unsafe-inline'; " +
-  "style-src 'self' 'unsafe-inline'; " +
-  "img-src 'self' data:; " +
-  "frame-ancestors 'none'";
+// SEC-14-01: CSP without 'unsafe-inline' in script-src. The single inline
+// <script> block in index.html is allowed via SHA-256 hash injected at boot.
+// 'unsafe-inline' kept ONLY for style-src (the entire <style> block is intentional;
+// CSS injection has no script execution vector with connect-src 'self').
+function buildCsp(scriptHash) {
+  const scriptSrc = scriptHash ? `'self' ${scriptHash}` : "'self'";
+  return (
+    "default-src 'self'; " +
+    "connect-src 'self'; " +
+    `script-src ${scriptSrc}; ` +
+    "style-src 'self' 'unsafe-inline'; " +
+    "img-src 'self' data:; " +
+    "frame-ancestors 'none'"
+  );
+}
+
+// Computes the SHA-256 hash of the inline <script> block in the static HTML.
+// Returns the CSP-formatted source expression: "'sha256-<base64>='".
+// Returns empty string if no <script> block found (graceful — caller falls back to "'self'" alone).
+function computeScriptHashFromHtml(html) {
+  if (typeof html !== 'string') return '';
+  const m = html.match(/<script>([\s\S]*?)<\/script>/);
+  if (!m) return '';
+  const hash = createHash('sha256').update(m[1], 'utf8').digest('base64');
+  return `'sha256-${hash}'`;
+}
 
 function logErr(...args) {
   // Strict stderr discipline — never stdout (collides with MCP JSON-RPC if running in same process).
   process.stderr.write(args.map((a) => (typeof a === 'string' ? a : JSON.stringify(a))).join(' ') + '\n');
 }
 
+// SEC-14-02: per-process auth token. Set during start() from acquireLock result.
+// Cleared on shutdown(). Never logged in full.
+let authToken = null;
+
+// requireAuth: returns true if request has a valid token via either:
+//   - Authorization: Bearer <token>      (preferred for fetch from same-origin browser)
+//   - ?t=<token> query param             (required for EventSource — browser API can't set headers)
+// Caller is responsible for sending 401 when this returns false.
+function requireAuth(req, url) {
+  if (!authToken) return false; // server didn't init token — fail closed
+  const auth = req.headers.authorization;
+  if (typeof auth === 'string' && auth.startsWith('Bearer ')) {
+    const provided = auth.slice('Bearer '.length).trim();
+    if (timingSafeEqual(provided, authToken)) return true;
+  }
+  const qp = url?.searchParams?.get('t');
+  if (typeof qp === 'string' && timingSafeEqual(qp, authToken)) return true;
+  return false;
+}
+
+// Constant-time string comparison to prevent timing-leak side channel.
+// Walks the longer of the two strings even when lengths differ to keep timing flat.
+function timingSafeEqual(a, b) {
+  if (typeof a !== 'string' || typeof b !== 'string') return false;
+  const max = Math.max(a.length, b.length);
+  let diff = a.length ^ b.length;
+  for (let i = 0; i < max; i++) {
+    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
+  }
+  return diff === 0;
+}
+
 // Validate Host header against allowed hostnames (REQ SEC-01).
 // Allow 127.0.0.1 and localhost on whatever port we're on.
 function isHostAllowed(req, port) {
@@ -122,15 +174,22 @@ function readBody(req, maxBytes = 64 * 1024) {
   });
 }
 
+let _cachedIndex = null; // { html, scriptHash }
 function loadStaticIndex() {
   // src/ui/static/index.html — written in Phase 14. We tolerate it missing in
   // unit tests by serving a placeholder so the server module is testable in isolation.
+  if (_cachedIndex) return _cachedIndex;
+  let html;
   try {
-    return readFileSync(path.join(STATIC_DIR, 'index.html'), 'utf8');
+    html = readFileSync(path.join(STATIC_DIR, 'index.html'), 'utf8');
   } catch {
-    return `<!doctype html><meta charset="utf-8"><title>kit-mcp sidecar</title>
+    html = `<!doctype html><meta charset="utf-8"><title>kit-mcp sidecar</title>
 <body><pre>UI not yet packaged. Run \`kit ui\` after Phase 14 is shipped.</pre></body>`;
   }
+  // SEC-14-01: hash inline <script> for CSP whitelist. Cache per-process.
+  const scriptHash = computeScriptHashFromHtml(html);
+  _cachedIndex = { html, scriptHash };
+  return _cachedIndex;
 }
 
 export function createServer({
@@ -224,9 +283,14 @@ export function createServer({
       try { releaseLock(projectRoot); } catch { /* noop */ }
       lockMeta = null;
     }
+    authToken = null; // SEC-14-02: clear so a re-start gets a fresh one
   }
 
-  function handleEvents(req, res) {
+  function handleEvents(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     if (subscribers.size >= maxSubscribers) {
       sendJson(res, 503, { error: 'too_many_subscribers', max: maxSubscribers });
       return;
@@ -269,7 +333,11 @@ export function createServer({
     res.on('error', cleanup);
   }
 
-  async function handlePublish(req, res) {
+  async function handlePublish(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     if (!isOriginAllowed(req, listeningPort)) {
       sendJson(res, 403, { error: 'origin_not_allowed' });
       return;
@@ -313,7 +381,11 @@ export function createServer({
 
   // PERF-05: optional pagination via ?offset=N&limit=M. No query → ring inteiro
   // (back-compat preservada). Out-of-range values clamp to bounds rather than 4xx.
-  function handleState(res, url) {
+  function handleState(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     let events = ring;
     const offsetRaw = url?.searchParams?.get('offset');
     const limitRaw  = url?.searchParams?.get('limit');
@@ -338,7 +410,11 @@ export function createServer({
     });
   }
 
-  async function handleShutdownRequest(req, res) {
+  async function handleShutdownRequest(req, res, url) {
+    if (!requireAuth(req, url)) {
+      sendJson(res, 401, { error: 'auth_required' });
+      return;
+    }
     if (!isOriginAllowed(req, listeningPort)) {
       sendJson(res, 403, { error: 'origin_not_allowed' });
       return;
@@ -350,10 +426,16 @@ export function createServer({
   }
 
   function handleIndex(res) {
-    const html = staticHtml ?? loadStaticIndex();
+    let html, scriptHash;
+    if (typeof staticHtml === 'string') {
+      html = staticHtml;
+      scriptHash = computeScriptHashFromHtml(staticHtml);
+    } else {
+      ({ html, scriptHash } = loadStaticIndex());
+    }
     res.writeHead(200, {
       'Content-Type': 'text/html; charset=utf-8',
-      'Content-Security-Policy': CSP,
+      'Content-Security-Policy': buildCsp(scriptHash),
       'X-Content-Type-Options': 'nosniff',
       'Referrer-Policy': 'no-referrer',
     });
@@ -374,15 +456,15 @@ export function createServer({
         case 'GET /index.html':
           return handleIndex(res);
         case 'GET /events':
-          return handleEvents(req, res);
+          return handleEvents(req, res, url);
         case 'GET /healthz':
           return handleHealthz(res);
         case 'GET /state':
-          return handleState(res, url);
+          return handleState(req, res, url);
         case 'POST /publish':
-          return handlePublish(req, res);
+          return handlePublish(req, res, url);
         case 'POST /shutdown':
-          return handleShutdownRequest(req, res);
+          return handleShutdownRequest(req, res, url);
         default:
           return sendJson(res, 404, { error: 'not_found', route });
       }
@@ -400,6 +482,11 @@ export function createServer({
       version,
       startedAt,
     });
+    // SEC-14-02: copy per-process token from lockfile into closure for requireAuth.
+    authToken = lockMeta.token;
+    if (typeof authToken !== 'string' || authToken.length !== 64) {
+      throw new Error('SEC-14-02: lockMeta.token missing or malformed; refusing to start');
+    }
     server = http.createServer(handleRequest);
     server.on('connection', (sock) => {
       activeSockets.add(sock);
@@ -449,6 +536,12 @@ export const __test = {
   MAX_SSE_SUBSCRIBERS,
   DEFAULT_IDLE_MS,
   HEARTBEAT_INTERVAL_MS,
-  CSP,
+  // SEC-14-01: CSP is now built dynamically with sha256 hash of inline <script>.
+  // The constant CSP no longer exists; tests should use buildCsp(scriptHash).
+  buildCsp,
+  computeScriptHashFromHtml,
   EVENT_TYPES,
+  // SEC-14-02: timingSafeEqual exposed for unit tests; requireAuth depends on
+  // closure state (authToken) so end-to-end HTTP tests verify behavior.
+  timingSafeEqual,
 };

package/src/ui/static/index.html

@@ -1175,11 +1175,51 @@ button { font: inherit; color: inherit; background: none; border: 0; cursor: poi
 
 <script>
 /* ──────────────────────────────────────────────────────────
-   kit-mcp sidecar — prototype
-   This is a faithful mock of what the production HTML will do.
-   In production, replace the MockSource with a real EventSource('/events').
+   kit-mcp sidecar — production client
+   SEC-14-01 (Phase 82): All event-derived content rendered via escapeHtml()
+   before insertion into innerHTML. CSP without 'unsafe-inline' in script-src
+   is primary defense; escapeHtml() is defense-in-depth.
+   When adding new innerHTML sites, always escape dynamic fields.
    ────────────────────────────────────────────────────────── */
 
+/* ──────────────────────────────────────────────────────────
+   SEC-14-02 (Phase 82 / Plan 02): auth token from URL query param.
+   Server (Plan 01) requires Bearer token on /publish, /shutdown, /state
+   and ?t= on /events. This block extracts ?t= once at boot, scrubs it
+   from the address bar (so it doesn't leak via screen-share / browser
+   history copy-paste), and exposes helpers for fetch + EventSource.
+   Variable scoped to closure (not sessionStorage) — reload re-handshakes.
+   ────────────────────────────────────────────────────────── */
+const __sidecarToken = (() => {
+  try {
+    const params = new URLSearchParams(window.location.search);
+    const t = params.get("t");
+    if (t && /^[0-9a-f]{64}$/.test(t)) {
+      // Scrub from URL so re-share / screenshot doesn't leak it.
+      params.delete("t");
+      const newSearch = params.toString();
+      const newUrl = window.location.pathname + (newSearch ? "?" + newSearch : "") + window.location.hash;
+      window.history.replaceState(null, "", newUrl);
+      return t;
+    }
+  } catch (_) { /* fall through */ }
+  return null;
+})();
+
+function authedFetch(input, init = {}) {
+  const opts = { ...init, headers: { ...(init.headers || {}) } };
+  if (__sidecarToken) {
+    opts.headers["Authorization"] = "Bearer " + __sidecarToken;
+  }
+  return fetch(input, opts);
+}
+
+function authedEventSourceUrl(path) {
+  if (!__sidecarToken) return path;
+  const sep = path.includes("?") ? "&" : "?";
+  return path + sep + "t=" + encodeURIComponent(__sidecarToken);
+}
+
 /* ---------- humanize helpers (preserved API) ---------- */
 const TYPE_LABELS = {
   "run.start":      "INICIADO",
@@ -1433,16 +1473,21 @@ function historyRowHtml(h) {
       return `<div class="hist-detail-row"><span class="pct">${escapeHtml(pct)}</span><span class="lbl">${escapeHtml(lbl)}</span>${tk ? `<span class="tok">${tk}t</span>` : ""}</div>`;
     })
     .join("");
+  // SEC-14-01: every dynamic field escaped before injection into the
+  // history-row template. status/statusGlyph/dur/when/tokens are computed
+  // locally (string enum or pre-built HTML literal) so are safe by construction;
+  // h.runId and h.eventsCount cross the publisher boundary and MUST be escaped
+  // even though they should normally be benign — defense in depth.
   return `
-    <div class="hist-row" data-status="${status}" data-runid="${h.runId}">
+    <div class="hist-row" data-status="${escapeHtml(status)}" data-runid="${escapeHtml(h.runId)}">
       <div class="hist-status">${statusGlyph}</div>
       <div class="hist-title">${escapeHtml(title)}</div>
       <div class="hist-when">${when}</div>
       <div class="hist-meta-row">
         <span><span class="num">${dur}</span> dur</span>
         <span>${tokens}</span>
-        <span><span class="num">${h.eventsCount || 0}</span> eventos</span>
-        <span class="num">id ${h.runId.slice(0,8)}</span>
+        <span><span class="num">${escapeHtml(String(h.eventsCount || 0))}</span> eventos</span>
+        <span class="num">id ${escapeHtml(String(h.runId).slice(0,8))}</span>
       </div>
       <div class="hist-detail">${detailRows || '<div class="hist-detail-row"><span class="lbl">(sem progresso registrado)</span></div>'}</div>
     </div>
@@ -1534,10 +1579,14 @@ function activeCardHtml(run) {
   const longRunning = elapsed > 30_000;
   const stepCount = run.total ? `${run.current}/${run.total}` : "";
   const showTokens = run.tokens > 0;
+  // SEC-14-01: family/iconHref/title/stepLabel/stepCount/percent are computed
+  // locally; runId crosses the publisher boundary and is escaped before any
+  // injection (data-attribute or text). Defense in depth: even string enums
+  // (family) get escaped to ensure regression resistance.
   return `
-    <article class="run-card" data-runid="${run.runId}">
+    <article class="run-card" data-runid="${escapeHtml(run.runId)}">
       <div class="rc-head">
-        <div class="rc-icon" data-tool="${family}"><svg><use href="${iconHref}"/></svg></div>
+        <div class="rc-icon" data-tool="${escapeHtml(family)}"><svg><use href="${escapeHtml(iconHref)}"/></svg></div>
         <div class="rc-title-block">
           <div class="rc-tool">${escapeHtml(safeStr(run.tool) || "processo")}</div>
           <div class="rc-title">${escapeHtml(title)}</div>
@@ -1556,7 +1605,7 @@ function activeCardHtml(run) {
       <div class="rc-step">
         <span class="glyph"><svg><use href="#i-spin"/></svg></span>
         <span class="rc-step-text">${escapeHtml(stepLabel)}</span>
-        ${stepCount ? `<span class="rc-step-count">${stepCount}</span>` : ""}
+        ${stepCount ? `<span class="rc-step-count">${escapeHtml(stepCount)}</span>` : ""}
       </div>
 
       <div class="rc-tokens" ${showTokens ? "" : "style=\"display:none\""}>
@@ -1565,7 +1614,7 @@ function activeCardHtml(run) {
       </div>
 
       <div class="rc-foot">
-        <span class="rc-runid">id ${run.runId.slice(0, 8)}</span>
+        <span class="rc-runid">id ${escapeHtml(String(run.runId).slice(0, 8))}</span>
         <span class="sep">·</span>
         <span>${escapeHtml(safeStr(run.tool) || "")}</span>
       </div>
@@ -1708,8 +1757,11 @@ function rowHtml(evt, idx, prev) {
       msg = `<span class="ident">${escapeHtml(badge.toLowerCase())}</span>`;
   }
   const sourcePill = renderSourcePill(evt.payload?.source);
+  // SEC-14-01: evt.type and evt.runId cross publisher boundary → escape.
+  // msg/tokenChip/sourcePill are pre-built HTML literals where each interpolation
+  // already used escapeHtml() — safe by construction.
   return `
-    <div class="tl-row" data-type="${evt.type}" data-ok="${ok}" data-grouped="${grouped}">
+    <div class="tl-row" data-type="${escapeHtml(evt.type)}" data-ok="${ok}" data-grouped="${grouped}">
       <div class="tl-time" title="${time}">${rel}</div>
       <div class="tl-rail"><div class="tl-node"></div></div>
       <div class="tl-content">
@@ -1717,7 +1769,7 @@ function rowHtml(evt, idx, prev) {
         <span class="tl-msg">${msg}</span>
         ${tokenChip}
         ${sourcePill}
-        ${evt.runId ? `<span class="tl-runid">${evt.runId.slice(0,6)}</span>` : ""}
+        ${evt.runId ? `<span class="tl-runid">${escapeHtml(String(evt.runId).slice(0,6))}</span>` : ""}
       </div>
     </div>
   `;
@@ -1917,7 +1969,7 @@ function applyConnState(s) {
 
 async function hydrateFromState() {
   try {
-    const res = await fetch("/state", { credentials: "omit" });
+    const res = await authedFetch("/state", { credentials: "omit" });
     if (!res.ok) return;
     const j = await res.json();
     if (j.port && document.querySelector(".brand-sub")) {
@@ -1938,7 +1990,7 @@ function connectRealSource() {
   applyConnState("connecting");
   if (evtSource) try { evtSource.close(); } catch (_) {}
 
-  evtSource = new EventSource("/events");
+  evtSource = new EventSource(authedEventSourceUrl("/events"));
 
   evtSource.addEventListener("open", () => {
     lastConnectedAt = Date.now();