@papicandela/mcx-core 0.2.2 → 0.2.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@papicandela/mcx-core",
-  "version": "0.2.2",
+  "version": "0.2.6",
   "description": "MCX Core - MCP Code Execution Framework",
   "author": "papicandela",
   "license": "MIT",
@@ -8,7 +8,13 @@
     "type": "git",
     "url": "https://github.com/schizoidcock/mcx"
   },
-  "keywords": ["mcp", "claude", "ai", "code-execution", "sandbox"],
+  "keywords": [
+    "mcp",
+    "claude",
+    "ai",
+    "code-execution",
+    "sandbox"
+  ],
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "type": "module",

package/src/adapter.ts

@@ -38,14 +38,18 @@ function createParameterValidator(
         schema = z.unknown();
     }
 
-    if (param.default !== undefined) {
-      schema = schema.default(param.default);
-    }
-
+    // IMPORTANT: Order matters in Zod!
+    // .optional() must come BEFORE .default() so that:
+    // - absent input resolves to the default (not undefined)
+    // - z.string().optional().default("x") = ZodDefault<ZodOptional<...>>
     if (!param.required) {
       schema = schema.optional();
     }
 
+    if (param.default !== undefined) {
+      schema = schema.default(param.default);
+    }
+
     shape[param.name] = schema;
   }
 

package/src/config.ts

@@ -1,7 +1,10 @@
 import type { Adapter, MCXConfig, SandboxConfig, Skill } from "./types.js";
+import { DEFAULT_NETWORK_POLICY } from "./sandbox/network-policy.js";
+import { DEFAULT_ANALYSIS_CONFIG } from "./sandbox/analyzer/index.js";
 
 /**
  * Default MCX configuration values.
+ * Must include all sandbox fields to ensure network isolation is always enabled.
  */
 const DEFAULT_CONFIG: Required<Omit<MCXConfig, "adapters" | "skills" | "env">> = {
   sandbox: {
@@ -9,6 +12,9 @@ const DEFAULT_CONFIG: Required<Omit<MCXConfig, "adapters" | "skills" | "env">> =
     memoryLimit: 128,
     allowAsync: true,
     globals: {},
+    networkPolicy: DEFAULT_NETWORK_POLICY,
+    normalizeCode: true,
+    analysis: DEFAULT_ANALYSIS_CONFIG,
   },
   adaptersDir: "./adapters",
   skillsDir: "./skills",

package/src/executor.ts

@@ -121,7 +121,7 @@ export class MCXExecutor {
    */
   registerAdapter(adapter: Adapter): void {
     if (this.adapters.has(adapter.name)) {
-      console.warn(`Adapter "${adapter.name}" is being overwritten`);
+      console.error(`[MCX] Adapter "${adapter.name}" is being overwritten`);
     }
     this.adapters.set(adapter.name, adapter);
   }
@@ -159,7 +159,7 @@ export class MCXExecutor {
    */
   registerSkill(skill: Skill): void {
     if (this.skills.has(skill.name)) {
-      console.warn(`Skill "${skill.name}" is being overwritten`);
+      console.error(`[MCX] Skill "${skill.name}" is being overwritten`);
     }
     this.skills.set(skill.name, skill);
   }
@@ -288,12 +288,14 @@ export class MCXExecutor {
         };
       } catch (error) {
         const err = error instanceof Error ? error : new Error(String(error));
+        // Truncate stack to 5 lines to prevent context bloat
+        const stack = err.stack ? err.stack.split("\n").slice(0, 5).join("\n") : undefined;
         return {
           success: false,
           error: {
             name: err.name,
             message: err.message,
-            stack: err.stack,
+            stack,
           },
           logs: [],
           executionTime: performance.now() - startTime,

package/src/index.ts

@@ -78,6 +78,7 @@ export { configBuilder, defineConfig, mergeConfigs } from "./config.js";
 export {
   generateTypes,
   generateTypesSummary,
+  inferDomain,
   sanitizeIdentifier,
   type TypeGeneratorOptions,
 } from "./type-generator.js";

package/src/sandbox/analyzer/analyzer.test.ts

@@ -179,10 +179,10 @@ describe("analyze", () => {
       )).toBe(true);
     });
 
-    it("warns about require", () => {
+    it("errors on require (security: could access dangerous modules)", () => {
       const result = analyze("const fs = require('fs');");
-      expect(result.warnings.some(w =>
-        w.rule === "no-dangerous-globals" && w.message.includes("require")
+      expect(result.errors.some(e =>
+        e.rule === "no-dangerous-globals" && e.message.includes("require")
       )).toBe(true);
     });
 

package/src/sandbox/analyzer/analyzer.ts

@@ -222,9 +222,9 @@ export function analyze(
 
   const elapsed = performance.now() - start;
 
-  // Log if we exceed performance budget
+  // Log if we exceed performance budget (use stderr to avoid breaking stdio transport)
   if (elapsed > 50) {
-    console.warn(`[mcx-analyzer] Exceeded 50ms budget: ${elapsed.toFixed(1)}ms`);
+    console.error(`[mcx-analyzer] Exceeded 50ms budget: ${elapsed.toFixed(1)}ms`);
   }
 
   return { warnings, errors, elapsed };

package/src/sandbox/analyzer/rules/no-dangerous-globals.ts

@@ -2,10 +2,11 @@
  * Rule: no-dangerous-globals
  *
  * Detects usage of dangerous globals that are not available or unsafe in sandbox:
- * - Dynamic code execution
- * - Function constructor
- * - process object
- * - require function
+ * - Dynamic code execution (blocked as error)
+ * - Function constructor (blocked as error)
+ * - AsyncFunction constructor via prototype chain (blocked as error)
+ * - process object (warning)
+ * - require function (blocked as error - could access fs/child_process)
  */
 
 import type * as acorn from "acorn";
@@ -17,72 +18,158 @@ const FUNC_CONSTRUCTOR = "Func" + "tion";
 const REQUIRE_NAME = "req" + "uire";
 const PROCESS_NAME = "pro" + "cess";
 
+// Globals that expose Function constructor
+const DANGEROUS_GLOBALS = ["globalThis", "self", "window"];
+
+/**
+ * Check if a node is accessing .constructor on a function expression
+ * Detects: Object.getPrototypeOf(async function(){}).constructor
+ *          (function(){}).constructor
+ *          (async ()=>{}).constructor
+ */
+function isConstructorOnFunction(node: acorn.MemberExpression): boolean {
+  // Check if accessing .constructor
+  const prop = node.property;
+  const isConstructorAccess =
+    (!node.computed && prop.type === "Identifier" && (prop as acorn.Identifier).name === "constructor") ||
+    (node.computed && prop.type === "Literal" && (prop as acorn.Literal).value === "constructor");
+
+  if (!isConstructorAccess) return false;
+
+  // Check if the object is a function expression or call result that could return Function
+  const obj = node.object;
+
+  // Direct: (function(){}).constructor or (async ()=>{}).constructor
+  if (obj.type === "FunctionExpression" || obj.type === "ArrowFunctionExpression") {
+    return true;
+  }
+
+  // Via Object.getPrototypeOf: Object.getPrototypeOf(fn).constructor
+  if (obj.type === "CallExpression") {
+    const call = obj as acorn.CallExpression;
+    if (call.callee.type === "MemberExpression") {
+      const callee = call.callee as acorn.MemberExpression;
+      if (
+        callee.object.type === "Identifier" &&
+        (callee.object as acorn.Identifier).name === "Object" &&
+        callee.property.type === "Identifier" &&
+        (callee.property as acorn.Identifier).name === "getPrototypeOf"
+      ) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
 export const rule: Rule = {
   name: "no-dangerous-globals",
   severity: "warn",
-  description: "Warn about dangerous globals not available in sandbox",
-  visits: ["CallExpression", "NewExpression", "Identifier", "MemberExpression"],
+  description: "Block dangerous globals that could escape sandbox",
+  visits: ["CallExpression", "NewExpression", "MemberExpression"],
 
   visitors: {
     CallExpression(node, context) {
       const callExpr = node as acorn.CallExpression;
+      const calleeName = callExpr.callee.type === "Identifier"
+        ? (callExpr.callee as acorn.Identifier).name
+        : null;
 
-      // Check for dynamic code execution
-      if (
-        callExpr.callee.type === "Identifier" &&
-        (callExpr.callee as acorn.Identifier).name === EVAL_NAME
-      ) {
+      // SECURITY: Dynamic code execution is a sandbox escape vector - block
+      if (calleeName === EVAL_NAME) {
         context.report({
-          severity: "warn",
-          message: `${EVAL_NAME}() is not available in sandbox`,
+          severity: "error",
+          message: `${EVAL_NAME}() is blocked in sandbox - potential code injection`,
           line: context.getLine(node),
         });
         return;
       }
 
-      // Check for require()
-      if (
-        callExpr.callee.type === "Identifier" &&
-        (callExpr.callee as acorn.Identifier).name === REQUIRE_NAME
-      ) {
+      // SECURITY: Function constructor called without new is equally dangerous
+      if (calleeName === FUNC_CONSTRUCTOR) {
         context.report({
-          severity: "warn",
-          message: `${REQUIRE_NAME}() is not available in sandbox - use adapters instead`,
+          severity: "error",
+          message: `${FUNC_CONSTRUCTOR}() is blocked in sandbox - potential code injection`,
           line: context.getLine(node),
         });
         return;
       }
+
+      // SECURITY: require() could access fs, child_process - block as error
+      if (calleeName === REQUIRE_NAME) {
+        context.report({
+          severity: "error",
+          message: `${REQUIRE_NAME}() is blocked in sandbox - could access dangerous modules`,
+          line: context.getLine(node),
+        });
+        return;
+      }
+
+      // SECURITY: Detect (fn).constructor() or Object.getPrototypeOf(fn).constructor()
+      // This catches: new (Object.getPrototypeOf(async function(){}).constructor)(code)
+      if (callExpr.callee.type === "MemberExpression") {
+        if (isConstructorOnFunction(callExpr.callee as acorn.MemberExpression)) {
+          context.report({
+            severity: "error",
+            message: `Accessing .constructor on functions is blocked - potential sandbox escape`,
+            line: context.getLine(node),
+          });
+          return;
+        }
+      }
     },
 
     NewExpression(node, context) {
       const newExpr = node as acorn.NewExpression;
 
-      // Check for Function constructor
+      // SECURITY: Function constructor is a sandbox escape vector - block
       if (
         newExpr.callee.type === "Identifier" &&
         (newExpr.callee as acorn.Identifier).name === FUNC_CONSTRUCTOR
       ) {
         context.report({
-          severity: "warn",
-          message: `${FUNC_CONSTRUCTOR} constructor is not recommended in sandbox`,
+          severity: "error",
+          message: `${FUNC_CONSTRUCTOR} constructor is blocked in sandbox - potential code injection`,
           line: context.getLine(node),
         });
+        return;
       }
-    },
 
-    Identifier(node, context) {
-      const identifier = node as acorn.Identifier;
+      // SECURITY: Detect new (fn).constructor() patterns
+      if (newExpr.callee.type === "MemberExpression") {
+        if (isConstructorOnFunction(newExpr.callee as acorn.MemberExpression)) {
+          context.report({
+            severity: "error",
+            message: `Accessing .constructor on functions is blocked - potential sandbox escape`,
+            line: context.getLine(node),
+          });
+          return;
+        }
+      }
 
-      // Check for bare `process` reference
-      if (identifier.name === PROCESS_NAME) {
-        context.report({
-          severity: "warn",
-          message: `'${PROCESS_NAME}' is not available in sandbox`,
-          line: context.getLine(node),
-        });
+      // SECURITY: Detect new globalThis.Function(), new self.Function(), etc.
+      if (newExpr.callee.type === "MemberExpression") {
+        const member = newExpr.callee as acorn.MemberExpression;
+        if (
+          member.object.type === "Identifier" &&
+          DANGEROUS_GLOBALS.includes((member.object as acorn.Identifier).name) &&
+          member.property.type === "Identifier" &&
+          (member.property as acorn.Identifier).name === FUNC_CONSTRUCTOR
+        ) {
+          context.report({
+            severity: "error",
+            message: `${FUNC_CONSTRUCTOR} constructor is blocked in sandbox - potential code injection`,
+            line: context.getLine(node),
+          });
+        }
       }
     },
 
+    // Note: Removed Identifier visitor for 'process' - MemberExpression catches
+    // process.X usage, and bare 'process' references fail at runtime anyway.
+    // This prevents duplicate warnings for each process.X access.
+
     MemberExpression(node, context) {
       const memberExpr = node as acorn.MemberExpression;
 
@@ -96,6 +183,21 @@ export const rule: Rule = {
           message: `'${PROCESS_NAME}' is not available in sandbox`,
           line: context.getLine(node),
         });
+        return;
+      }
+
+      // SECURITY: Detect globalThis.Function, self.Function access
+      if (
+        memberExpr.object.type === "Identifier" &&
+        DANGEROUS_GLOBALS.includes((memberExpr.object as acorn.Identifier).name) &&
+        memberExpr.property.type === "Identifier" &&
+        (memberExpr.property as acorn.Identifier).name === FUNC_CONSTRUCTOR
+      ) {
+        context.report({
+          severity: "error",
+          message: `Accessing ${FUNC_CONSTRUCTOR} via globals is blocked - potential sandbox escape`,
+          line: context.getLine(node),
+        });
       }
     },
   },

package/src/sandbox/analyzer/rules/no-infinite-loop.ts

@@ -1,9 +1,10 @@
 /**
  * Rule: no-infinite-loop
  *
- * Detects infinite loops without break statements:
- * - while(true) { ... } without break
- * - for(;;) { ... } without break
+ * Detects infinite loops without exit statements:
+ * - while(true) { ... } without break/return/throw
+ * - for(;;) { ... } without break/return/throw
+ * - do { ... } while(true) without break/return/throw
  */
 
 import type * as acorn from "acorn";
@@ -18,12 +19,17 @@ function isLiteralTrue(node: acorn.Node | null | undefined): boolean {
 }
 
 /**
- * Check if a block contains a break statement (at any depth)
+ * Check if a block contains an exit statement (break, return, throw)
+ * These all terminate or exit the loop, so they prevent infinite loops.
  */
-function hasBreak(node: acorn.Node): boolean {
+function hasExitStatement(node: acorn.Node): boolean {
+  // Exit statements
   if (node.type === "BreakStatement") return true;
+  if (node.type === "ReturnStatement") return true;
+  if (node.type === "ThrowStatement") return true;
 
   // Don't descend into nested loops or switches (break would apply to them)
+  // But DO descend for return/throw since they exit the function entirely
   if (
     node.type === "WhileStatement" ||
     node.type === "ForStatement" ||
@@ -35,6 +41,15 @@ function hasBreak(node: acorn.Node): boolean {
     return false;
   }
 
+  // Don't descend into nested functions (return/throw would apply to them)
+  if (
+    node.type === "FunctionDeclaration" ||
+    node.type === "FunctionExpression" ||
+    node.type === "ArrowFunctionExpression"
+  ) {
+    return false;
+  }
+
   // Check children
   for (const key of Object.keys(node)) {
     const child = (node as unknown as Record<string, unknown>)[key];
@@ -42,11 +57,11 @@ function hasBreak(node: acorn.Node): boolean {
       if (Array.isArray(child)) {
         for (const item of child) {
           if (item && typeof item === "object" && "type" in item) {
-            if (hasBreak(item as acorn.Node)) return true;
+            if (hasExitStatement(item as acorn.Node)) return true;
           }
         }
       } else if ("type" in child) {
-        if (hasBreak(child as acorn.Node)) return true;
+        if (hasExitStatement(child as acorn.Node)) return true;
       }
     }
   }
@@ -57,17 +72,17 @@ function hasBreak(node: acorn.Node): boolean {
 export const rule: Rule = {
   name: "no-infinite-loop",
   severity: "error",
-  description: "Disallow infinite loops without break statements",
-  visits: ["WhileStatement", "ForStatement"],
+  description: "Disallow infinite loops without exit statements",
+  visits: ["WhileStatement", "ForStatement", "DoWhileStatement"],
 
   visitors: {
     WhileStatement(node, context) {
       const whileNode = node as acorn.WhileStatement;
 
-      if (isLiteralTrue(whileNode.test) && !hasBreak(whileNode.body)) {
+      if (isLiteralTrue(whileNode.test) && !hasExitStatement(whileNode.body)) {
         context.report({
           severity: "error",
-          message: "Infinite loop: while(true) without break",
+          message: "Infinite loop: while(true) without break/return/throw",
           line: context.getLine(node),
         });
       }
@@ -77,10 +92,22 @@ export const rule: Rule = {
       const forNode = node as acorn.ForStatement;
 
       // for(;;) without test condition
-      if (!forNode.test && !hasBreak(forNode.body)) {
+      if (!forNode.test && !hasExitStatement(forNode.body)) {
+        context.report({
+          severity: "error",
+          message: "Infinite loop: for(;;) without break/return/throw",
+          line: context.getLine(node),
+        });
+      }
+    },
+
+    DoWhileStatement(node, context) {
+      const doWhileNode = node as acorn.DoWhileStatement;
+
+      if (isLiteralTrue(doWhileNode.test) && !hasExitStatement(doWhileNode.body)) {
         context.report({
           severity: "error",
-          message: "Infinite loop: for(;;) without break",
+          message: "Infinite loop: do...while(true) without break/return/throw",
           line: context.getLine(node),
         });
       }