aegis-bridge 2.6.1 → 2.6.2

package/dist/dashboard/index.html

@@ -5,7 +5,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Aegis Dashboard</title>
     <link rel="icon" type="image/svg+xml" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🛡️</text></svg>" />
-    <script type="module" crossorigin src="/dashboard/assets/index-4UlRaqol.js"></script>
+    <script type="module" crossorigin src="/dashboard/assets/index-Bfabq3q-.js"></script>
     <link rel="stylesheet" crossorigin href="/dashboard/assets/index-9Hkkvm_I.css">
   </head>
   <body class="bg-[#0a0a0f] text-gray-200 antialiased">

package/dist/server.js

@@ -40,7 +40,7 @@ import { execFileSync } from 'node:child_process';
 import { negotiate } from './handshake.js';
 import { diagnosticsBus } from './diagnostics.js';
 import { setStructuredLogSink } from './logger.js';
-import { authKeySchema, sendMessageSchema, commandSchema, bashSchema, screenshotSchema, permissionHookSchema, stopHookSchema, batchSessionSchema, pipelineSchema, handshakeRequestSchema, parseIntSafe, isValidUUID, } from './validation.js';
+import { authKeySchema, sendMessageSchema, commandSchema, bashSchema, screenshotSchema, permissionHookSchema, stopHookSchema, batchSessionSchema, pipelineSchema, handshakeRequestSchema, parseIntSafe, isValidUUID, compareSemver, extractCCVersion, MIN_CC_VERSION, } from './validation.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 // ── Configuration ────────────────────────────────────────────────────
@@ -167,6 +167,31 @@ function checkIpRateLimit(ip, isMaster) {
     const limit = isMaster ? IP_LIMIT_MASTER : IP_LIMIT_NORMAL;
     return activeCount > limit;
 }
+const authFailLimits = new Map();
+const AUTH_FAIL_WINDOW_MS = 60_000;
+const AUTH_FAIL_MAX = 5;
+function checkAuthFailRateLimit(ip) {
+    const now = Date.now();
+    const cutoff = now - AUTH_FAIL_WINDOW_MS;
+    const bucket = authFailLimits.get(ip) || { timestamps: [] };
+    // Prune expired entries
+    bucket.timestamps = bucket.timestamps.filter(t => t >= cutoff);
+    bucket.timestamps.push(now);
+    authFailLimits.set(ip, bucket);
+    return bucket.timestamps.length > AUTH_FAIL_MAX;
+}
+function recordAuthFailure(ip) {
+    checkAuthFailRateLimit(ip);
+}
+/** #632: Prune stale auth-failure buckets. */
+function pruneAuthFailLimits() {
+    const cutoff = Date.now() - AUTH_FAIL_WINDOW_MS;
+    for (const [ip, bucket] of authFailLimits) {
+        bucket.timestamps = bucket.timestamps.filter(t => t >= cutoff);
+        if (bucket.timestamps.length === 0)
+            authFailLimits.delete(ip);
+    }
+}
 /** #357: Prune IPs whose timestamp arrays are entirely outside the rate-limit window. */
 function pruneIpRateLimits() {
     const cutoff = Date.now() - IP_WINDOW_MS;
@@ -242,15 +267,23 @@ function setupAuth(authManager) {
         if (!token) {
             return reply.status(401).send({ error: 'Unauthorized — Bearer token required' });
         }
+        // #633: Only use req.ip — trustProxy controls whether X-Forwarded-For is considered
+        const clientIp = req.ip ?? 'unknown';
+        // #632: Block IPs that exceeded auth failure rate limit (5 attempts/min)
+        if (checkAuthFailRateLimit(clientIp)) {
+            return reply.status(429).send({ error: 'Too many auth failures — try again later' });
+        }
         // #297: Check if this is a short-lived SSE token first
         if (isSSERoute && token.startsWith('sse_')) {
             if (await authManager.validateSSEToken(token)) {
                 return; // authenticated via short-lived SSE token
             }
+            recordAuthFailure(clientIp);
             return reply.status(401).send({ error: 'Unauthorized — SSE token invalid or expired' });
         }
         const result = authManager.validate(token);
         if (!result.valid) {
+            recordAuthFailure(clientIp);
             return reply.status(401).send({ error: 'Unauthorized — invalid API key' });
         }
         if (result.rateLimited) {
@@ -262,7 +295,6 @@ function setupAuth(authManager) {
         req.authKeyId = result.keyId;
         // #228: Per-IP rate limiting (applies to all authenticated requests)
         // #633: Only use req.ip — trustProxy controls whether X-Forwarded-For is considered
-        const clientIp = req.ip ?? 'unknown';
         const isMaster = result.keyId === 'master';
         if (checkIpRateLimit(clientIp, isMaster)) {
             return reply.status(429).send({ error: 'Rate limit exceeded — IP throttled' });
@@ -521,6 +553,21 @@ async function createSessionHandler(req, reply) {
     const { workDir, name, prompt, resumeSessionId, claudeCommand, env, stallThresholdMs, permissionMode, autoApprove } = parsed.data;
     if (!workDir)
         return reply.status(400).send({ error: 'workDir is required' });
+    // Issue #564: Validate installed Claude Code version
+    try {
+        const raw = execFileSync('claude', ['--version'], { encoding: 'utf-8', timeout: 5000 });
+        const ccVer = extractCCVersion(raw);
+        if (ccVer !== null && compareSemver(ccVer, MIN_CC_VERSION) < 0) {
+            return reply.status(422).send({
+                error: `Claude Code version ${ccVer} is below minimum supported version ${MIN_CC_VERSION}. Please upgrade.`,
+                code: 'CC_VERSION_TOO_OLD',
+                upgrade: 'Run: claude update  or  npm install -g @anthropic-ai/claude-code@latest',
+            });
+        }
+    }
+    catch {
+        // claude CLI not found or timed out — skip version check (fails open)
+    }
     const safeWorkDir = await validateWorkDirWithConfig(workDir);
     if (typeof safeWorkDir === 'object')
         return reply.status(400).send({ error: safeWorkDir.error, code: safeWorkDir.code });
@@ -544,6 +591,8 @@ async function createSessionHandler(req, reply) {
     const session = await sessions.createSession({ workDir: safeWorkDir, name, resumeSessionId, claudeCommand, env, stallThresholdMs, permissionMode, autoApprove });
     console.timeEnd("POST_CREATE_SESSION");
     console.time("POST_CHANNEL_CREATED");
+    // Issue #625: Track session in metrics so sessionsCreated counter is accurate
+    metrics.sessionCreated(session.id);
     // Issue #46: Create Telegram topic BEFORE sending prompt.
     // The monitor starts polling immediately after createSession().
     // If we wait for sendInitialPrompt (up to 15s), the monitor may find
@@ -1410,6 +1459,8 @@ async function main() {
     const metricsSaveInterval = setInterval(() => { void metrics.save(); }, 5 * 60 * 1000);
     // #357: Prune stale IP rate-limit entries every minute
     const ipPruneInterval = setInterval(pruneIpRateLimits, 60_000);
+    // #632: Prune stale auth failure rate-limit buckets every minute
+    const authFailPruneInterval = setInterval(pruneAuthFailLimits, 60_000);
     // #398: Sweep stale API key rate limit buckets every 5 minutes
     const authSweepInterval = setInterval(() => auth.sweepStaleRateLimits(), 5 * 60_000);
     // Issue #361: Graceful shutdown handler
@@ -1431,6 +1482,7 @@ async function main() {
         clearInterval(zombieReaperInterval);
         clearInterval(metricsSaveInterval);
         clearInterval(ipPruneInterval);
+        clearInterval(authFailPruneInterval);
         clearInterval(authSweepInterval);
         // Issue #569: Kill all CC sessions and tmux windows before exit
         try {

package/dist/validation.d.ts

@@ -270,6 +270,17 @@ export declare const ccSettingsSchema: z.ZodObject<{
 }, z.core.$loose>;
 /** Helper: extract error message from unknown catch value. */
 export declare function getErrorMessage(e: unknown): string;
+/** Minimum supported Claude Code version. */
+export declare const MIN_CC_VERSION = "2.1.80";
+/** Parse a semver string into [major, minor, patch], or null if invalid. */
+export declare function parseSemver(v: string): [number, number, number] | null;
+/**
+ * Compare two semver strings.
+ * Returns -1 if a < b, 0 if equal or either is unparseable (fails open), 1 if a > b.
+ */
+export declare function compareSemver(a: string, b: string): number;
+/** Extract version number from `claude --version` output. */
+export declare function extractCCVersion(output: string): string | null;
 /** Validate workDir to prevent path traversal attacks (Issue #435).
  *  1. Reject raw strings containing ".." before any normalization.
  *  2. Resolve to absolute path and resolve symlinks via fs.realpath().

package/dist/validation.js

@@ -245,6 +245,38 @@ export function getErrorMessage(e) {
         return e;
     return String(e);
 }
+// ── CC version validation (Issue #564) ─────────────────────────────────
+/** Minimum supported Claude Code version. */
+export const MIN_CC_VERSION = '2.1.80';
+/** Parse a semver string into [major, minor, patch], or null if invalid. */
+export function parseSemver(v) {
+    const match = v.trim().match(/^(\d+)\.(\d+)\.(\d+)/);
+    if (!match)
+        return null;
+    return [Number(match[1]), Number(match[2]), Number(match[3])];
+}
+/**
+ * Compare two semver strings.
+ * Returns -1 if a < b, 0 if equal or either is unparseable (fails open), 1 if a > b.
+ */
+export function compareSemver(a, b) {
+    const pa = parseSemver(a);
+    const pb = parseSemver(b);
+    if (!pa || !pb)
+        return 0;
+    for (let i = 0; i < 3; i++) {
+        if (pa[i] < pb[i])
+            return -1;
+        if (pa[i] > pb[i])
+            return 1;
+    }
+    return 0;
+}
+/** Extract version number from `claude --version` output. */
+export function extractCCVersion(output) {
+    const match = output.match(/(\d+\.\d+\.\d+)/);
+    return match ? match[1] : null;
+}
 /** Default safe base directories used when allowedWorkDirs is not configured.
  *  Prevents sessions from running in system-critical directories. */
 function getDefaultSafeDirs() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aegis-bridge",
-  "version": "2.6.1",
+  "version": "2.6.2",
   "type": "module",
   "description": "Orchestrate Claude Code sessions via API. Create, brief, monitor, refine, ship.",
   "main": "dist/server.js",