@thotischner/observability-mcp 3.0.1 → 3.1.0

package/dist/index.js

@@ -19,6 +19,10 @@ import { buildSessionAttacher, buildRequireSession, } from "./auth/middleware.js
 import { buildRequirePermissionFromEngine, hasPermission, listGrantedPermissions, DEFAULT_POLICY, } from "./auth/rbac.js";
 import { resolveOidcConfig, buildOidcRuntime } from "./auth/oidc/runtime.js";
 import { registerOidcRoutes } from "./auth/oidc/endpoints.js";
+import { RevocationStore } from "./auth/revocation.js";
+import { AccountLockout, lockoutConfigFromEnv, lockoutDisabledFromEnv, } from "./auth/lockout.js";
+import { resolveSessionStore } from "./transport/sessionStore.js";
+import { generateNonce, enforcedCsp, reportOnlyCsp, reportingEndpointsHeader, reportToHeader, summariseViolation, cspStrictReportFromEnv, CSP_NONCE_PLACEHOLDER, } from "./security/csp.js";
 import { createScimStore } from "./scim/store.js";
 import { registerScimRoutes } from "./scim/routes.js";
 import { BuiltinPolicyEngine } from "./auth/policy/engine.js";
@@ -723,7 +727,19 @@ async function main() {
     else if (requestedAuthMode !== "anonymous") {
         authMisconfig(`unknown OMCP_AUTH=${requestedAuthMode}`);
     }
-    const authRuntime = { mode: authMode, session: sessionCfg, secretEphemeral, oidc: oidcRuntime };
+    // Session revocation blocklist (Q17). Only meaningful when sessions
+    // exist (basic / oidc); anonymous mode leaves it undefined so the
+    // middleware check is a pure no-op. OMCP_AUTH_REVOCATION_FILE persists
+    // the blocklist across restarts and shares it across replicas when it
+    // points at shared storage; unset = in-memory only.
+    let revocationStore;
+    if (authMode !== "anonymous") {
+        revocationStore = await RevocationStore.create({
+            path: process.env.OMCP_AUTH_REVOCATION_FILE?.trim() || undefined,
+        });
+        console.log(`[auth] session revocation blocklist active — backend=${revocationStore.persistent ? `file (${revocationStore.filePath})` : "memory"}, ${revocationStore.size} existing entr${revocationStore.size === 1 ? "y" : "ies"}`);
+    }
+    const authRuntime = { mode: authMode, session: sessionCfg, secretEphemeral, oidc: oidcRuntime, revocation: revocationStore };
     // --- HTTP server ---
     const app = express();
     // Trust-proxy: when set, Express will read req.ip / req.secure from
@@ -757,13 +773,38 @@ async function main() {
     // without the wildcard the body silently arrives empty and every
     // SCIM POST/PATCH 400s. The wildcard also future-proofs other
     // structured-suffix JSON content types.
-    app.use(express.json({ limit: "1mb", type: ["application/json", "application/*+json"] }));
+    // application/csp-report is the legacy media type browsers use for CSP
+    // violation reports (the modern Reporting API uses application/reports+json,
+    // already covered by the wildcard). Without it the report body arrives empty.
+    app.use(express.json({ limit: "1mb", type: ["application/json", "application/*+json", "application/csp-report"] }));
+    // Q20 — resolve the opt-in strict Report-Only CSP toggle once at boot.
+    // Default off: with ~200 inline handlers the report-only policy would
+    // emit a [Report Only] console message per handler on every page load.
+    const cspStrictReport = cspStrictReportFromEnv();
+    if (cspStrictReport) {
+        console.log("[csp] strict report-only policy ON (OMCP_CSP_STRICT_REPORT) — inline-handler violations will be reported to /api/csp-violations");
+    }
     // Security headers
     app.use((req, res, next) => {
         res.setHeader("X-Content-Type-Options", "nosniff");
         res.setHeader("X-Frame-Options", "DENY");
         res.setHeader("X-XSS-Protection", "1; mode=block");
         res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+        // Q20 — Content-Security-Policy. A per-request nonce is minted and
+        // stashed on res.locals so the UI handler can stamp it into the two
+        // inline <script> blocks. The enforced policy keeps the UI working
+        // (script-src 'unsafe-inline' for the ~200 inline handlers) and is
+        // always on; the strict report-only policy is opt-in (it surfaces the
+        // inline-handler debt but is console-noisy). Both report to
+        // /api/csp-violations.
+        const nonce = generateNonce();
+        res.locals.cspNonce = nonce;
+        res.setHeader("Content-Security-Policy", enforcedCsp());
+        if (cspStrictReport) {
+            res.setHeader("Content-Security-Policy-Report-Only", reportOnlyCsp(nonce));
+        }
+        res.setHeader("Reporting-Endpoints", reportingEndpointsHeader());
+        res.setHeader("Report-To", reportToHeader());
         // Dynamic API responses must never be served from the browser/proxy
         // cache: after a mutation (e.g. installing a connector) the UI
         // re-fetches these GETs immediately, and a heuristically-cached stale
@@ -814,6 +855,11 @@ async function main() {
     const csrfCfg = {
         bypassBearer: csrfBypassFromEnv(),
         secureCookie: (r) => r.secure || r.headers["x-forwarded-proto"] === "https",
+        // CSP violation reports are unauthenticated browser POSTs that by
+        // construction carry no cookie + no custom header — exempt them from
+        // CSRF. The endpoint only records a sanitised summary, so accepting it
+        // cross-site is harmless.
+        skip: (r) => r.method === "POST" && (r.path === "/api/csp-violations" || r.originalUrl.split("?")[0] === "/api/csp-violations"),
     };
     app.use(buildCsrfIssuer(csrfCfg));
     app.use("/api", buildCsrfEnforcer(csrfCfg));
@@ -944,6 +990,36 @@ async function main() {
             .catch((err) => console.warn("AuditLog flushSinks failed:", err));
     });
     const audit = (resource, action) => buildAuditMiddleware({ audit: mgmtAudit, resource, action });
+    // Q20 — CSP violation report sink. Unauthenticated browser POST (exempt
+    // from CSRF via csrfCfg.skip), tightly rate-limited so a misbehaving or
+    // hostile client can't flood the audit log, and only a sanitised summary
+    // (directive / blocked-uri / document-uri) is recorded. Always 204 so the
+    // browser never retries. The report-only strict policy is what drives most
+    // of these today (the inline-handler debt) — they roll into mgmtAudit so an
+    // operator can watch the migration surface shrink.
+    const cspReportRateLimit = rateLimit({
+        windowMs: 60_000,
+        max: 60,
+        standardHeaders: true,
+        legacyHeaders: false,
+        message: { error: "rate limited" },
+    });
+    app.post("/api/csp-violations", cspReportRateLimit, (req, res) => {
+        const summary = summariseViolation(req.body);
+        if (summary) {
+            void mgmtAudit.record({
+                actor: { sub: "browser:csp" },
+                tenant: "default",
+                resource: "settings",
+                action: "read",
+                method: "POST",
+                path: "/api/csp-violations",
+                status: 204,
+                target: `${summary.directive} blocked ${summary.blockedUri}`.slice(0, 256),
+            }).catch(() => { });
+        }
+        res.status(204).end();
+    });
     // Plugin lifecycle hook registry — populated by the loader at boot
     // (one entry per manifest `hooks[]` entry) and mutable at runtime
     // when a connector is installed via /api/connectors/install. Each
@@ -1106,7 +1182,29 @@ async function main() {
             res.end(await selfRegistry.metrics());
         });
     }
-    // Serve Web UI
+    // Serve Web UI. The index page is served dynamically so the per-request
+    // CSP nonce can be stamped into its inline <script> blocks (the rest of
+    // ui/ stays on express.static). Read once at boot; if the file is
+    // missing we fall through to static, which 404s like before.
+    let uiHtmlTemplate = null;
+    try {
+        uiHtmlTemplate = readFileSync(join(__dirname, "ui", "index.html"), "utf8");
+    }
+    catch {
+        uiHtmlTemplate = null;
+    }
+    if (uiHtmlTemplate) {
+        const template = uiHtmlTemplate;
+        const serveIndex = (_req, res) => {
+            const nonce = res.locals.cspNonce ?? "";
+            res.setHeader("Content-Type", "text/html; charset=utf-8");
+            // Index is identity/nonce-specific — never let a proxy cache it.
+            res.setHeader("Cache-Control", "no-store");
+            res.send(template.split(CSP_NONCE_PLACEHOLDER).join(nonce));
+        };
+        app.get("/", serveIndex);
+        app.get("/index.html", serveIndex);
+    }
     app.use(express.static(join(__dirname, "ui")));
     // --- API endpoints for Web UI ---
     // List sources with health status — tenant-scoped.
@@ -1286,6 +1384,10 @@ async function main() {
             },
             permissions: listGrantedPermissions(sess.roles, policyEngineToMap(policyEngine)),
             exp: sess.exp,
+            // The current session's revocation id. Surfaced so an admin can
+            // copy it into POST /api/auth/revocations to kill a specific
+            // session. Absent for legacy cookies issued before sid existed.
+            sid: sess.sid,
             // When the user signed in via OIDC, surface the IdP issuer
             // URL so the UI can render an appropriate badge or link to
             // an IdP-side profile page. Empty / absent in basic mode.
@@ -1810,6 +1912,19 @@ async function main() {
             catch { /* ignore — first login will pick it up */ }
         }
     }
+    // Q18 — per-username failed-login lockout with progressive backoff.
+    // Complements the per-IP loginRateLimit above: that bounds a noisy
+    // single source, this bounds a slow / distributed grind on one
+    // account. Backed by the shared SessionStore so a Redis deployment
+    // locks consistently across replicas (and self-cleans via TTL).
+    // Basic mode only — OIDC delegates auth (and lockout) to the IdP.
+    let lockout;
+    if (authRuntime.mode === "basic" && !lockoutDisabledFromEnv()) {
+        const lockoutStore = await resolveSessionStore();
+        const lockoutCfg = lockoutConfigFromEnv();
+        lockout = new AccountLockout(lockoutStore, lockoutCfg);
+        console.log(`[auth] account lockout active — ${lockoutCfg.maxFailures} failures / ${lockoutCfg.windowSeconds}s → lock ${lockoutCfg.baseLockSeconds}s (×2 up to ${lockoutCfg.maxLockSeconds}s), backend=${lockoutStore.backend}`);
+    }
     app.post("/api/auth/login", loginRateLimit, async (req, res) => {
         if (authRuntime.mode !== "basic" || !sessionCfg || !usersStore) {
             res.status(503).json({ error: "auth mode does not accept logins" });
@@ -1823,11 +1938,57 @@ async function main() {
             res.status(400).json({ error: "username and password are required" });
             return;
         }
+        // Gate on the lock BEFORE the (expensive) scrypt verify so a locked
+        // account can't be used to burn CPU. A locked account is a 429 with
+        // Retry-After, never a credential oracle — the response is identical
+        // whether or not the username exists.
+        if (lockout) {
+            const status = await lockout.check(username);
+            if (status.locked) {
+                res.setHeader("Retry-After", String(status.retryAfterSeconds ?? 0));
+                res.status(429).json({
+                    error: "account temporarily locked due to repeated failed logins",
+                    retryAfterSeconds: status.retryAfterSeconds,
+                });
+                void mgmtAudit.record({
+                    actor: { sub: username },
+                    tenant: "default",
+                    resource: "users",
+                    action: "write",
+                    method: "POST",
+                    path: "/api/auth/login",
+                    status: 429,
+                }).catch(() => { });
+                return;
+            }
+        }
         const user = authenticate(username, password, usersStore);
         if (!user) {
+            if (lockout) {
+                const after = await lockout.recordFailure(username);
+                if (after.locked) {
+                    res.setHeader("Retry-After", String(after.retryAfterSeconds ?? 0));
+                    res.status(429).json({
+                        error: "account temporarily locked due to repeated failed logins",
+                        retryAfterSeconds: after.retryAfterSeconds,
+                    });
+                    void mgmtAudit.record({
+                        actor: { sub: username },
+                        tenant: "default",
+                        resource: "users",
+                        action: "write",
+                        method: "POST",
+                        path: "/api/auth/login",
+                        status: 429,
+                    }).catch(() => { });
+                    return;
+                }
+            }
             res.status(401).json({ error: "invalid credentials" });
             return;
         }
+        if (lockout)
+            await lockout.recordSuccess(user.username);
         const { cookie } = issueSession({ sub: user.username, name: user.name, roles: user.roles, tenant: user.tenant }, sessionCfg);
         const secure = req.secure || (req.headers["x-forwarded-proto"] === "https");
         res.setHeader("Set-Cookie", setCookieHeader(cookie, sessionCfg, { secure }));
@@ -1855,6 +2016,34 @@ async function main() {
         registerOidcRoutes(app, { sessionCfg, oidc: oidcRuntime });
         console.log("[auth] OIDC endpoints registered: /api/auth/oidc/{login,callback,logout}");
     }
+    // Q17 — session revocation blocklist. Admin-gated (same role tier as
+    // user/role management). A revoked-but-unexpired cookie is rejected by
+    // buildSessionAttacher on the next request. Revoke a single session by
+    // `sid` (read it from /api/me or the audit log) or every current
+    // session for a `sub` ("log this user out everywhere"). The blocklist
+    // is the stateful complement to the otherwise-stateless cookie.
+    app.post("/api/auth/revocations", need("users", "delete"), audit("users", "write"), async (req, res) => {
+        if (!revocationStore) {
+            res.status(503).json({ error: "revocation requires an auth mode (basic|oidc)" });
+            return;
+        }
+        const body = (req.body || {});
+        const sid = typeof body.sid === "string" && body.sid.trim() ? body.sid.trim() : undefined;
+        const sub = typeof body.sub === "string" && body.sub.trim() ? body.sub.trim() : undefined;
+        const reason = typeof body.reason === "string" ? body.reason.slice(0, 500) : undefined;
+        if ((sid ? 1 : 0) + (sub ? 1 : 0) !== 1) {
+            res.status(400).json({ error: "exactly one of `sid` or `sub` is required" });
+            return;
+        }
+        const by = req.session?.sub;
+        const entry = sid
+            ? await revocationStore.revokeSession(sid, { reason, by })
+            : await revocationStore.revokeSubject(sub, { reason, by });
+        res.status(201).json({ ok: true, revocation: entry });
+    });
+    app.get("/api/auth/revocations", need("users", "delete"), (_req, res) => {
+        res.json({ revocations: revocationStore ? revocationStore.list() : [] });
+    });
     // Phase F21 / Q6: SCIM 2.0 — opt-in. OMCP_SCIM_TOKEN gates access.
     // The store backend is chosen by createScimStore from
     // OMCP_SCIM_BACKEND (file | redis). file (default) → OMCP_SCIM_STORE
@@ -2618,6 +2807,31 @@ async function main() {
             tools: filteredTools,
         });
     });
+    // Q21 — per-service anomaly-score sparklines for the Health tab. Reads
+    // the in-process ring of the anomaly-history sink (last hour), tenant-
+    // scoped. MUST be registered before "/api/health/:service" so the
+    // literal path isn't captured as a service name. `enabled` is true once
+    // any score exists; the UI falls back to its client-side trend otherwise.
+    app.get("/api/health/anomaly-sparklines", (req, res) => {
+        const sess = req.session;
+        const callerTenant = sess?.tenant || "default";
+        // Anonymous (single-tenant) mode: no tenant filter, see everything.
+        const tenant = sess ? callerTenant : undefined;
+        const records = anomalyHistory.recent({ tenant });
+        const series = {};
+        for (const r of records) {
+            const t = Date.parse(r.ts);
+            if (!Number.isFinite(t))
+                continue;
+            (series[r.service] ??= []).push({ t, score: r.score });
+        }
+        res.json({
+            enabled: records.length > 0,
+            remoteWrite: anomalyHistory.isEnabled(),
+            windowMs: anomalyHistory.windowMs,
+            series,
+        });
+    });
     // Health endpoint for UI dashboard
     app.get("/api/health/:service", async (req, res) => {
         try {

package/dist/openapi.js

@@ -394,6 +394,45 @@ export function buildOpenApiSpec(version) {
                     responses: { "204": { description: "Cookie cleared." } },
                 },
             },
+            "/api/auth/revocations": {
+                get: {
+                    tags: ["auth"],
+                    summary: "List session revocations (admin).",
+                    description: "Returns the current revocation blocklist. Admin-gated (users:delete). Empty in anonymous mode.",
+                    responses: {
+                        "200": { description: "Array of revocation entries." },
+                        "401": { description: "Authentication required." },
+                        "403": { description: "Caller lacks the admin permission." },
+                    },
+                },
+                post: {
+                    tags: ["auth"],
+                    summary: "Revoke a session or all of a subject's sessions (admin).",
+                    description: "Adds an entry to the on-disk blocklist. Provide exactly one of `sid` (revoke one session — copy it from /api/me) or `sub` (log a user out everywhere — revokes every session issued so far; a fresh login afterwards is unaffected). The next request bearing a revoked cookie is treated as logged out.",
+                    requestBody: {
+                        required: true,
+                        content: {
+                            "application/json": {
+                                schema: {
+                                    type: "object",
+                                    properties: {
+                                        sid: { type: "string", description: "Session id to revoke (from /api/me)." },
+                                        sub: { type: "string", description: "Subject whose current sessions to revoke." },
+                                        reason: { type: "string", description: "Optional free-text reason (truncated to 500 chars)." },
+                                    },
+                                },
+                            },
+                        },
+                    },
+                    responses: {
+                        "201": { description: "Revocation recorded; the entry is returned." },
+                        "400": { description: "Neither or both of sid/sub supplied." },
+                        "401": { description: "Authentication required." },
+                        "403": { description: "Caller lacks the admin permission." },
+                        "503": { description: "Server is in anonymous mode (no sessions to revoke)." },
+                    },
+                },
+            },
             "/api/auth/oidc/login": {
                 get: {
                     tags: ["auth"],

package/dist/openapi.test.js

@@ -19,6 +19,7 @@ test("openapi — every user-visible /api path is documented", () => {
         "/api/me",
         "/api/auth/login",
         "/api/auth/logout",
+        "/api/auth/revocations",
         "/api/auth/oidc/login",
         "/api/auth/oidc/callback",
         "/api/auth/oidc/logout",

package/dist/security/csp.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Content-Security-Policy for the management-plane Web UI.
+ *
+ * Two policies ship together, by design:
+ *
+ *  - **Enforced** (`Content-Security-Policy`): a real, non-breaking policy.
+ *    It locks down everything the UI doesn't need — no remote scripts
+ *    (`script-src 'self'`), no plugins (`object-src 'none'`), no `<base>`
+ *    hijack (`base-uri 'self'`), no framing (`frame-ancestors 'none'`),
+ *    and same-origin-only XHR via `connect-src 'self'`. It keeps
+ *    `'unsafe-inline'` for `script-src` because the single-file UI uses
+ *    ~200 inline event-handler attributes (`onclick=`, …) that a nonce
+ *    cannot cover — a nonce in `script-src` would *disable* `'unsafe-inline'`
+ *    in CSP3 and break every button. So the enforced policy is a genuine
+ *    improvement over no CSP without regressing the UI.
+ *
+ *  - **Report-Only** (`Content-Security-Policy-Report-Only`): the strict
+ *    target policy — `script-src 'self' 'nonce-…'`, no `'unsafe-inline'`.
+ *    The two legitimate inline `<script>` blocks carry the per-request
+ *    nonce, so this policy flags ONLY the inline event-handler debt. It
+ *    blocks nothing; it just reports, giving an actionable migration list
+ *    (move the handlers to addEventListener) before a future slice can
+ *    promote the strict policy to enforced.
+ *
+ *    It is **opt-in** (`OMCP_CSP_STRICT_REPORT=true`): with ~200 inline
+ *    handlers it would otherwise emit a `[Report Only]` console message
+ *    per handler on every page load — noise an operator with devtools
+ *    open shouldn't eat by default. Enable it when you're actively
+ *    working the migration. The enforced policy + reporting endpoint are
+ *    always on regardless.
+ *
+ * Both policies report to `/api/csp-violations` via the modern Reporting
+ * API (`Reporting-Endpoints` + `report-to`) and the legacy `report-uri`.
+ */
+/** Placeholder substituted with the per-request nonce when serving the UI HTML. */
+export declare const CSP_NONCE_PLACEHOLDER = "__CSP_NONCE__";
+/** The named reporting group used in the Report-To / Reporting-Endpoints headers. */
+export declare const CSP_REPORT_GROUP = "omcp-csp";
+/** Where violation reports are POSTed. */
+export declare const CSP_REPORT_PATH = "/api/csp-violations";
+/** Fresh base64 nonce (128 bits). */
+export declare function generateNonce(): string;
+/** The enforced policy — non-breaking, keeps the UI working. */
+export declare function enforcedCsp(): string;
+/** The strict target policy, run in report-only mode against the nonce. */
+export declare function reportOnlyCsp(nonce: string): string;
+/** Whether the strict Report-Only policy is enabled. Default off — see
+ *  the module header for why (console noise from ~200 inline handlers). */
+export declare function cspStrictReportFromEnv(env?: NodeJS.ProcessEnv): boolean;
+/** Value for the modern `Reporting-Endpoints` header. */
+export declare function reportingEndpointsHeader(): string;
+/** Value for the legacy `Report-To` header (Reporting API v0). */
+export declare function reportToHeader(): string;
+/**
+ * Normalise a posted CSP violation (either the legacy
+ * `application/csp-report` `{ "csp-report": {...} }` envelope or a modern
+ * Reporting-API `application/reports+json` array element) into a compact,
+ * log-safe summary. Returns null when the body isn't a recognisable report.
+ */
+export declare function summariseViolation(body: unknown): {
+    directive: string;
+    blockedUri: string;
+    documentUri: string;
+} | null;

package/dist/security/csp.js

@@ -0,0 +1,135 @@
+/**
+ * Content-Security-Policy for the management-plane Web UI.
+ *
+ * Two policies ship together, by design:
+ *
+ *  - **Enforced** (`Content-Security-Policy`): a real, non-breaking policy.
+ *    It locks down everything the UI doesn't need — no remote scripts
+ *    (`script-src 'self'`), no plugins (`object-src 'none'`), no `<base>`
+ *    hijack (`base-uri 'self'`), no framing (`frame-ancestors 'none'`),
+ *    and same-origin-only XHR via `connect-src 'self'`. It keeps
+ *    `'unsafe-inline'` for `script-src` because the single-file UI uses
+ *    ~200 inline event-handler attributes (`onclick=`, …) that a nonce
+ *    cannot cover — a nonce in `script-src` would *disable* `'unsafe-inline'`
+ *    in CSP3 and break every button. So the enforced policy is a genuine
+ *    improvement over no CSP without regressing the UI.
+ *
+ *  - **Report-Only** (`Content-Security-Policy-Report-Only`): the strict
+ *    target policy — `script-src 'self' 'nonce-…'`, no `'unsafe-inline'`.
+ *    The two legitimate inline `<script>` blocks carry the per-request
+ *    nonce, so this policy flags ONLY the inline event-handler debt. It
+ *    blocks nothing; it just reports, giving an actionable migration list
+ *    (move the handlers to addEventListener) before a future slice can
+ *    promote the strict policy to enforced.
+ *
+ *    It is **opt-in** (`OMCP_CSP_STRICT_REPORT=true`): with ~200 inline
+ *    handlers it would otherwise emit a `[Report Only]` console message
+ *    per handler on every page load — noise an operator with devtools
+ *    open shouldn't eat by default. Enable it when you're actively
+ *    working the migration. The enforced policy + reporting endpoint are
+ *    always on regardless.
+ *
+ * Both policies report to `/api/csp-violations` via the modern Reporting
+ * API (`Reporting-Endpoints` + `report-to`) and the legacy `report-uri`.
+ */
+import { randomBytes } from "node:crypto";
+/** Placeholder substituted with the per-request nonce when serving the UI HTML. */
+export const CSP_NONCE_PLACEHOLDER = "__CSP_NONCE__";
+/** The named reporting group used in the Report-To / Reporting-Endpoints headers. */
+export const CSP_REPORT_GROUP = "omcp-csp";
+/** Where violation reports are POSTed. */
+export const CSP_REPORT_PATH = "/api/csp-violations";
+/** Fresh base64 nonce (128 bits). */
+export function generateNonce() {
+    return randomBytes(16).toString("base64");
+}
+/** The enforced policy — non-breaking, keeps the UI working. */
+export function enforcedCsp() {
+    return [
+        "default-src 'self'",
+        "base-uri 'self'",
+        "object-src 'none'",
+        "frame-ancestors 'none'",
+        "form-action 'self'",
+        "script-src 'self' 'unsafe-inline'",
+        "style-src 'self' 'unsafe-inline'",
+        "img-src 'self' data:",
+        "font-src 'self' data:",
+        "connect-src 'self'",
+        `report-uri ${CSP_REPORT_PATH}`,
+        `report-to ${CSP_REPORT_GROUP}`,
+    ].join("; ");
+}
+/** The strict target policy, run in report-only mode against the nonce. */
+export function reportOnlyCsp(nonce) {
+    return [
+        "default-src 'self'",
+        "base-uri 'self'",
+        "object-src 'none'",
+        "frame-ancestors 'none'",
+        "form-action 'self'",
+        `script-src 'self' 'nonce-${nonce}'`,
+        "style-src 'self' 'unsafe-inline'",
+        "img-src 'self' data:",
+        "font-src 'self' data:",
+        "connect-src 'self'",
+        `report-uri ${CSP_REPORT_PATH}`,
+        `report-to ${CSP_REPORT_GROUP}`,
+    ].join("; ");
+}
+/** Whether the strict Report-Only policy is enabled. Default off — see
+ *  the module header for why (console noise from ~200 inline handlers). */
+export function cspStrictReportFromEnv(env = process.env) {
+    const v = env.OMCP_CSP_STRICT_REPORT?.trim().toLowerCase();
+    return v === "1" || v === "true" || v === "yes";
+}
+/** Value for the modern `Reporting-Endpoints` header. */
+export function reportingEndpointsHeader() {
+    return `${CSP_REPORT_GROUP}="${CSP_REPORT_PATH}"`;
+}
+/** Value for the legacy `Report-To` header (Reporting API v0). */
+export function reportToHeader() {
+    return JSON.stringify({
+        group: CSP_REPORT_GROUP,
+        max_age: 10886400,
+        endpoints: [{ url: CSP_REPORT_PATH }],
+    });
+}
+/**
+ * Normalise a posted CSP violation (either the legacy
+ * `application/csp-report` `{ "csp-report": {...} }` envelope or a modern
+ * Reporting-API `application/reports+json` array element) into a compact,
+ * log-safe summary. Returns null when the body isn't a recognisable report.
+ */
+export function summariseViolation(body) {
+    if (!body || typeof body !== "object")
+        return null;
+    // Reporting API delivers an array of { type, body: {...} }.
+    if (Array.isArray(body)) {
+        for (const item of body) {
+            const s = summariseViolation(item);
+            if (s)
+                return s;
+        }
+        return null;
+    }
+    const o = body;
+    // Reporting-API single report: { type: "csp-violation", body: {...} }.
+    const report = (o["csp-report"] ?? o.body ?? o);
+    if (!report || typeof report !== "object")
+        return null;
+    const pick = (...keys) => {
+        for (const k of keys) {
+            const v = report[k];
+            if (typeof v === "string" && v)
+                return v.slice(0, 256);
+        }
+        return "";
+    };
+    const directive = pick("effective-directive", "effectiveDirective", "violated-directive", "violatedDirective");
+    const blockedUri = pick("blocked-uri", "blockedURL", "blockedURI");
+    const documentUri = pick("document-uri", "documentURL", "documentURI");
+    if (!directive && !blockedUri && !documentUri)
+        return null;
+    return { directive, blockedUri, documentUri };
+}

package/dist/security/csp.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/security/csp.test.js

@@ -0,0 +1,97 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { generateNonce, enforcedCsp, reportOnlyCsp, reportingEndpointsHeader, reportToHeader, summariseViolation, cspStrictReportFromEnv, CSP_NONCE_PLACEHOLDER, CSP_REPORT_GROUP, CSP_REPORT_PATH, } from "./csp.js";
+test("generateNonce returns a fresh base64 value each call", () => {
+    const a = generateNonce();
+    const b = generateNonce();
+    assert.notEqual(a, b);
+    assert.match(a, /^[A-Za-z0-9+/]+=*$/);
+    // 16 bytes → 24 base64 chars (with padding).
+    assert.ok(a.length >= 22);
+});
+test("enforced policy keeps the UI working but locks the rest down", () => {
+    const csp = enforcedCsp();
+    // Inline handlers survive: unsafe-inline present, NO nonce (which would disable it).
+    assert.match(csp, /script-src 'self' 'unsafe-inline'/);
+    assert.ok(!csp.includes("nonce-"), "enforced policy must not carry a nonce");
+    // Hard locks.
+    assert.match(csp, /object-src 'none'/);
+    assert.match(csp, /base-uri 'self'/);
+    assert.match(csp, /frame-ancestors 'none'/);
+    assert.match(csp, /default-src 'self'/);
+    assert.match(csp, /connect-src 'self'/);
+    // Reporting wired both ways.
+    assert.match(csp, new RegExp(`report-uri ${CSP_REPORT_PATH}`));
+    assert.match(csp, new RegExp(`report-to ${CSP_REPORT_GROUP}`));
+});
+test("report-only policy is strict and nonce-bound, no unsafe-inline on scripts", () => {
+    const nonce = generateNonce();
+    const csp = reportOnlyCsp(nonce);
+    assert.match(csp, new RegExp(`script-src 'self' 'nonce-${nonce.replace(/[+/]/g, "\\$&")}'`));
+    // Strict: the script directive must NOT allow unsafe-inline.
+    const scriptDirective = csp.split(";").find((d) => d.trim().startsWith("script-src"));
+    assert.ok(!scriptDirective.includes("unsafe-inline"));
+    assert.match(csp, /object-src 'none'/);
+});
+test("reporting headers name the same group + endpoint", () => {
+    assert.equal(reportingEndpointsHeader(), `${CSP_REPORT_GROUP}="${CSP_REPORT_PATH}"`);
+    const parsed = JSON.parse(reportToHeader());
+    assert.equal(parsed.group, CSP_REPORT_GROUP);
+    assert.equal(parsed.endpoints[0].url, CSP_REPORT_PATH);
+    assert.ok(parsed.max_age > 0);
+});
+test("the nonce placeholder is a stable token", () => {
+    assert.equal(CSP_NONCE_PLACEHOLDER, "__CSP_NONCE__");
+});
+test("strict report-only is opt-in (default off)", () => {
+    assert.equal(cspStrictReportFromEnv({}), false);
+    assert.equal(cspStrictReportFromEnv({ OMCP_CSP_STRICT_REPORT: "true" }), true);
+    assert.equal(cspStrictReportFromEnv({ OMCP_CSP_STRICT_REPORT: "1" }), true);
+    assert.equal(cspStrictReportFromEnv({ OMCP_CSP_STRICT_REPORT: "no" }), false);
+    assert.equal(cspStrictReportFromEnv({ OMCP_CSP_STRICT_REPORT: "false" }), false);
+});
+test("summariseViolation parses the legacy csp-report envelope", () => {
+    const s = summariseViolation({
+        "csp-report": {
+            "effective-directive": "script-src-attr",
+            "blocked-uri": "inline",
+            "document-uri": "https://gw.example/",
+            "extra": "ignored",
+        },
+    });
+    assert.deepEqual(s, {
+        directive: "script-src-attr",
+        blockedUri: "inline",
+        documentUri: "https://gw.example/",
+    });
+});
+test("summariseViolation parses a modern Reporting-API array", () => {
+    const s = summariseViolation([
+        {
+            type: "csp-violation",
+            body: {
+                effectiveDirective: "script-src-elem",
+                blockedURL: "https://evil.example/x.js",
+                documentURL: "https://gw.example/",
+            },
+        },
+    ]);
+    assert.equal(s?.directive, "script-src-elem");
+    assert.equal(s?.blockedUri, "https://evil.example/x.js");
+});
+test("summariseViolation falls back to violated-directive", () => {
+    const s = summariseViolation({ "csp-report": { "violated-directive": "img-src", "blocked-uri": "data" } });
+    assert.equal(s?.directive, "img-src");
+});
+test("summariseViolation returns null for junk", () => {
+    assert.equal(summariseViolation(null), null);
+    assert.equal(summariseViolation("nope"), null);
+    assert.equal(summariseViolation({}), null);
+    assert.equal(summariseViolation({ random: "field" }), null);
+});
+test("summariseViolation truncates over-long fields", () => {
+    const long = "a".repeat(5000);
+    const s = summariseViolation({ "csp-report": { "blocked-uri": long } });
+    assert.ok(s);
+    assert.ok((s.blockedUri).length <= 256);
+});