@saiteja1123/mcp-server 1.1.3 → 1.1.5

package/src/security/pathGuard.js

@@ -0,0 +1,170 @@
+import path from 'path';
+
+import { verifyInstallBinding } from '../api-scan.mjs';
+import { isRuntimeCompatibleLock, validateScanPath } from '../lock.mjs';
+import { resolveBindingForScanPath } from '../project-bindings.mjs';
+
+export function createBindingGuard({
+  boundRoot,
+  installToken,
+  authToken,
+  apiBase,
+  universalMode = false,
+  normalizePath = (requestedPath) => path.resolve(requestedPath),
+  validateScanPathImpl = validateScanPath,
+  isRuntimeCompatibleLockImpl = isRuntimeCompatibleLock,
+  verifyInstallBindingImpl = verifyInstallBinding,
+  resolveBindingForScanPathImpl = resolveBindingForScanPath,
+  debugLog = () => {},
+} = {}) {
+  const resolvedBoundRoot = boundRoot ? path.resolve(boundRoot) : null;
+  const isUniversal = universalMode || (!!authToken && !resolvedBoundRoot);
+
+  async function ensureLegacyServerBinding(lockedRootHash, activeInstallToken) {
+    const verify = await verifyInstallBindingImpl({
+      installToken: activeInstallToken,
+      lockedRootHash,
+      apiBase,
+    });
+    if (!verify.ok || !verify.json?.success) {
+      return {
+        ok: false,
+        httpStatus: verify.status || 403,
+        code: verify.json?.code || 'SERVER_BINDING_INVALID',
+        message: verify.json?.error || verify.error || 'Unable to verify server-issued MCP binding.',
+        rebindHint: `vibesecur-mcp rebind ${resolvedBoundRoot}`,
+      };
+    }
+    return { ok: true };
+  }
+
+  async function guardLegacy(requestedPath) {
+    const target = normalizePath(requestedPath);
+    debugLog('guardPath legacy', { requestedPath, normalizedTarget: target, resolvedBoundRoot });
+
+    if (!resolvedBoundRoot || !installToken) {
+      return {
+        ok: false,
+        httpStatus: 403,
+        code: 'BINDING_REQUIRED',
+        message:
+          'Missing MCP binding env. Use a universal config (VIBESECUR_AUTH_TOKEN) or bind one folder ' +
+          'with VIBESECUR_INSTALL_TOKEN + VIBESECUR_BOUND_ROOT.',
+      };
+    }
+
+    if (!target.startsWith(resolvedBoundRoot + path.sep) && target !== resolvedBoundRoot) {
+      return {
+        ok: false,
+        httpStatus: 403,
+        code: 'OUT_OF_FOLDER',
+        message:
+          `Path "${target}" is outside the locked project folder "${resolvedBoundRoot}". ` +
+          'Use a universal MCP config to manage multiple projects, or rebind to this folder.',
+        rebindHint: `vibesecur-mcp rebind ${target}`,
+      };
+    }
+
+    const result = await validateScanPathImpl(target, installToken);
+    if (!result.ok) return result;
+    if (!isRuntimeCompatibleLockImpl(result.lock)) {
+      return {
+        ok: false,
+        httpStatus: 403,
+        code: 'LOCAL_LOCK_NOT_RUNTIME_BINDING',
+        message:
+          'Local diagnostic lock found; runtime scans require a server-issued binding. ' +
+          'Run projectUpsert or vibesecur-mcp bind with VIBESECUR_AUTH_TOKEN set.',
+        rebindHint: `vibesecur-mcp bind ${result.boundRoot}`,
+      };
+    }
+
+    const lockedRootHash = result.lockedRootHash || result.lock?.lockedRootHash || result.lock?.rootHash;
+    const verify = await ensureLegacyServerBinding(lockedRootHash, installToken);
+    if (!verify.ok) return verify;
+
+    return {
+      ok: true,
+      resolvedRoot: target,
+      projectRoot: resolvedBoundRoot,
+      installToken,
+      lock: result.lock,
+    };
+  }
+
+  async function guardUniversal(requestedPath) {
+    const target = normalizePath(requestedPath);
+    debugLog('guardPath universal', { requestedPath, normalizedTarget: target });
+
+    if (!authToken) {
+      return {
+        ok: false,
+        httpStatus: 403,
+        code: 'AUTH_REQUIRED',
+        message:
+          'Universal MCP mode requires VIBESECUR_AUTH_TOKEN. ' +
+          'Generate config from the dashboard or set your login JWT in MCP env.',
+      };
+    }
+
+    const binding = await resolveBindingForScanPathImpl({
+      requestedPath: target,
+      authToken,
+      apiBase,
+      autoUpsert: true,
+    });
+    if (!binding.ok) {
+      return {
+        ok: false,
+        httpStatus: 403,
+        code: binding.code || 'PROJECT_BINDING_FAILED',
+        message: binding.message || 'Unable to resolve project binding for this path.',
+        rebindHint: 'projectUpsert rootPath="<codebase-folder>"',
+      };
+    }
+
+    const projectRoot = path.resolve(binding.projectRoot);
+    if (!target.startsWith(projectRoot + path.sep) && target !== projectRoot) {
+      return {
+        ok: false,
+        httpStatus: 403,
+        code: 'OUT_OF_FOLDER',
+        message: `Path "${target}" is outside registered project "${projectRoot}".`,
+      };
+    }
+
+    const lockCheck = await validateScanPathImpl(target, binding.installToken);
+    if (!lockCheck.ok) return lockCheck;
+
+    return {
+      ok: true,
+      resolvedRoot: target,
+      projectRoot,
+      installToken: binding.installToken,
+      lockedRootHash: binding.lockedRootHash,
+      projectHash: binding.projectHash,
+      projectId: binding.projectId,
+      lock: binding.lock || lockCheck.lock,
+      mode: 'universal',
+    };
+  }
+
+  return async function guardPath(requestedPath) {
+    if (isUniversal) return guardUniversal(requestedPath);
+    return guardLegacy(requestedPath);
+  };
+}
+
+export function formatGuardError(guard) {
+  const status = guard.httpStatus ? ` (${guard.httpStatus})` : '';
+  const text = JSON.stringify({
+    error: guard.code || 'SCAN_BLOCKED',
+    message: guard.message,
+    rebindHint: guard.rebindHint || null,
+    docs: 'https://vibesecur.com/docs/mcp-setup',
+  }, null, 2);
+  return {
+    content: [{ type: 'text', text: `Security Lock Error${status}:\n${text}` }],
+    isError: true,
+  };
+}