agim-cli 1.2.142 → 1.2.144

package/dist/web/server.d.ts

@@ -1,3 +1,25 @@
+import { type IncomingMessage } from 'node:http';
+declare function isTrustedLoopbackPeer(req: IncomingMessage): boolean;
+/** Resolve whether the request's actor has admin role. Used to gate
+ *  mutation + privileged-read endpoints so a stolen viewer-role token
+ *  can't elevate to control plane (R13 A1).
+ *
+ *  Trust order:
+ *    1. IMHUB_WEB_AUTH=off  → admin (operator explicitly disabled auth)
+ *    2. Trusted loopback    → admin (operator on the host)
+ *    3. Bearer token        → token.role === 'admin'
+ *    4. Otherwise           → not admin
+ *
+ *  Note: when no token has been created yet (pre-bootstrap), the
+ *  trusted-loopback branch still grants admin so the CLI bootstrap flow
+ *  works. Disable it with IMHUB_TRUST_LOOPBACK=off. Reverse-proxied
+ *  requests with Forwarded / X-Forwarded-* peer headers never qualify. */
+declare function isRequestAdmin(req: IncomingMessage): boolean;
+export declare const __webAuthForTesting: {
+    isTrustedLoopbackPeer: typeof isTrustedLoopbackPeer;
+    isRequestAdmin: typeof isRequestAdmin;
+    setTokenModule(mod: typeof import("../core/access-token.js") | null): void;
+};
 export declare function createSerialQueue(): (fn: () => Promise<void>) => void;
 /**
  * Start the web chat server
@@ -9,4 +31,5 @@ export declare function startWebServer(options: {
     close: () => void;
     port: number;
 }>;
+export {};
 //# sourceMappingURL=server.d.ts.map

package/dist/web/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/web/server.ts"],"names":[],"mappings":"AA8QA,wBAAgB,iBAAiB,IAAI,CAAC,EAAE,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAOrE;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;CACrB,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,IAAI,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CA0tC/C"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/web/server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAgB,KAAK,eAAe,EAAuB,MAAM,WAAW,CAAA;AA4GnF,iBAAS,qBAAqB,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAQ5D;AAyID;;;;;;;;;;;;;0EAa0E;AAC1E,iBAAS,cAAc,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAcrD;AAWD,eAAO,MAAM,mBAAmB;;;wBAGV,cAAc,yBAAyB,CAAC,GAAG,IAAI,GAAG,IAAI;CAG3E,CAAA;AAED,wBAAgB,iBAAiB,IAAI,CAAC,EAAE,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAOrE;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;CACrB,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,IAAI,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAkvC/C"}

package/dist/web/server.js

@@ -75,6 +75,29 @@ function isLoopbackPeer(req) {
     const ip = (req.socket.remoteAddress || '').replace(/^::ffff:/, '');
     return ip === '127.0.0.1' || ip === '::1';
 }
+function isEnvOff(name) {
+    const v = (process.env[name] || '').trim().toLowerCase();
+    return v === 'off' || v === '0' || v === 'false' || v === 'no';
+}
+function hasForwardedPeerHeaders(req) {
+    return req.headers.forwarded !== undefined
+        || req.headers['x-forwarded-for'] !== undefined
+        || req.headers['x-forwarded-host'] !== undefined
+        || req.headers['x-real-ip'] !== undefined
+        || req.headers['cf-connecting-ip'] !== undefined;
+}
+function isTrustedLoopbackPeer(req) {
+    if (!isLoopbackPeer(req))
+        return false;
+    if (isEnvOff('IMHUB_TRUST_LOOPBACK'))
+        return false;
+    // A reverse proxy on the same host makes remote users appear as
+    // 127.0.0.1. Treat forwarded requests as network traffic and require
+    // the normal token path instead of granting the local bootstrap bypass.
+    if (hasForwardedPeerHeaders(req))
+        return false;
+    return true;
+}
 /** R13 A5 — track once-per-process whether the deprecated `?token=`
  *  URL fallback has been used, so we warn at most once per service
  *  lifetime instead of spamming the journal. Cleared by tests via
@@ -142,8 +165,8 @@ function checkAuth(req, res, url) {
     // 1. Disabled by env → pass through.
     if ((process.env.IMHUB_WEB_AUTH || '').toLowerCase() === 'off')
         return true;
-    // 2. Loopback → pass through (local CLI / browser-on-same-host).
-    if (isLoopbackPeer(req))
+    // 2. Trusted loopback → pass through (local CLI / browser-on-same-host).
+    if (isTrustedLoopbackPeer(req))
         return true;
     // 3. Public-by-design path → pass through.
     if (isPublicPath(url.pathname, req.method || 'GET'))
@@ -201,7 +224,7 @@ function verifyTokenSync(raw) {
 function getRequestActor(req) {
     if ((process.env.IMHUB_WEB_AUTH || '').toLowerCase() === 'off')
         return 'web:auth-off';
-    if (isLoopbackPeer(req))
+    if (isTrustedLoopbackPeer(req))
         return 'web:loopback';
     let url;
     try {
@@ -224,17 +247,18 @@ function getRequestActor(req) {
  *
  *  Trust order:
  *    1. IMHUB_WEB_AUTH=off  → admin (operator explicitly disabled auth)
- *    2. Loopback peer       → admin (operator on the host)
+ *    2. Trusted loopback    → admin (operator on the host)
  *    3. Bearer token        → token.role === 'admin'
  *    4. Otherwise           → not admin
  *
  *  Note: when no token has been created yet (pre-bootstrap), the
- *  loopback-peer branch still grants admin so the CLI bootstrap flow
- *  works. */
+ *  trusted-loopback branch still grants admin so the CLI bootstrap flow
+ *  works. Disable it with IMHUB_TRUST_LOOPBACK=off. Reverse-proxied
+ *  requests with Forwarded / X-Forwarded-* peer headers never qualify. */
 function isRequestAdmin(req) {
     if ((process.env.IMHUB_WEB_AUTH || '').toLowerCase() === 'off')
         return true;
-    if (isLoopbackPeer(req))
+    if (isTrustedLoopbackPeer(req))
         return true;
     let url;
     try {
@@ -265,6 +289,13 @@ function requireAdmin(req, res) {
     res.end(JSON.stringify({ error: 'forbidden', message: 'admin role required' }));
     return false;
 }
+export const __webAuthForTesting = {
+    isTrustedLoopbackPeer,
+    isRequestAdmin,
+    setTokenModule(mod) {
+        _tokenModule = mod;
+    },
+};
 export function createSerialQueue() {
     let queue = Promise.resolve();
     return (fn) => {
@@ -357,6 +388,7 @@ export async function startWebServer(options) {
         event: 'web.auth_mode',
         bind: bindHost,
         enabled: isAuthEnabled(),
+        trustLoopback: !isEnvOff('IMHUB_TRUST_LOOPBACK'),
     }, `Web console auth: ${isAuthEnabled() ? 'token-gated' : 'disabled (IMHUB_WEB_AUTH=off)'}`);
     // HTTP request handler — static files + REST API
     const httpServer = createServer(async (req, res) => {
@@ -643,21 +675,31 @@ export async function startWebServer(options) {
         }
         // Jobs
         if (url.pathname === '/api/jobs' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleListJobs(req, res, url);
         }
         const jobIdMatch = url.pathname.match(/^\/api\/jobs\/(\d+)$/);
         if (jobIdMatch && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleGetJob(req, res, parseInt(jobIdMatch[1], 10));
         }
         const jobCancelMatch = url.pathname.match(/^\/api\/jobs\/(\d+)\/cancel$/);
         if (jobCancelMatch && req.method === 'POST') {
+            if (!requireAdmin(req, res))
+                return;
             return handleCancelJob(req, res, parseInt(jobCancelMatch[1], 10));
         }
         const jobRunMatch = url.pathname.match(/^\/api\/jobs\/(\d+)\/run$/);
         if (jobRunMatch && req.method === 'POST') {
+            if (!requireAdmin(req, res))
+                return;
             return handleRunJob(req, res, parseInt(jobRunMatch[1], 10));
         }
         if (url.pathname === '/api/jobs' && req.method === 'POST') {
+            if (!requireAdmin(req, res))
+                return;
             return handleCreateJob(req, res);
         }
         // bgjobs (read-only view of ~/.claude/bgjobs, ~/.config/opencode/bgjobs, ~/.codex/bgjobs)
@@ -677,34 +719,46 @@ export async function startWebServer(options) {
             return handleListSchedules(req, res, url);
         }
         // Reminders — list / cancel / snooze. Web-only path (the IM-side path
-        // is /remind slash command). Auth via the same web session cookie as
-        // every other /api/* endpoint above; no per-user filtering yet, so
-        // single-operator deployments only.
+        // is /remind slash command). This exposes global reminders, so it is
+        // admin-only until a per-user mobile scope exists.
         if (url.pathname === '/api/reminders' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleListReminders(req, res, url);
         }
         const reminderCancelMatch = url.pathname.match(/^\/api\/reminders\/(\d+)\/cancel$/);
         if (reminderCancelMatch && req.method === 'POST') {
+            if (!requireAdmin(req, res))
+                return;
             return handleCancelReminderApi(req, res, Number.parseInt(reminderCancelMatch[1], 10));
         }
         const reminderSnoozeMatch = url.pathname.match(/^\/api\/reminders\/(\d+)\/snooze$/);
         if (reminderSnoozeMatch && req.method === 'POST') {
+            if (!requireAdmin(req, res))
+                return;
             return handleSnoozeReminderApi(req, res, Number.parseInt(reminderSnoozeMatch[1], 10));
         }
         // /api/memos — search / list / delete. List uses the same searchMemos
         // function the MCP tool exposes; query/who/what/has_location/limit
         // come through as URL params.
         if (url.pathname === '/api/memos' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleListMemos(req, res, url);
         }
         const memoIdMatch = url.pathname.match(/^\/api\/memos\/(\d+)$/);
         if (memoIdMatch && req.method === 'DELETE') {
+            if (!requireAdmin(req, res))
+                return;
             return handleDeleteMemo(req, res, Number.parseInt(memoIdMatch[1], 10));
         }
         // /api/env — read/write SMTP + Baidu AK + IMHUB_WEB_BIND. Values
         // sensitive enough that GET returns them masked (only the last 4 chars
-        // visible) unless an explicit ?reveal=1 is passed (still auth-gated).
+        // visible) unless an explicit ?reveal=1 is passed. Keep the settings
+        // surface admin-only: even masked values disclose configured providers.
         if (url.pathname === '/api/env' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleGetEnv(req, res, url);
         }
         if (url.pathname === '/api/env' && req.method === 'PUT') {
@@ -866,9 +920,13 @@ export async function startWebServer(options) {
         // v1.5 — Memory admin: enumerate users, list / delete facts, view /
         // edit / delete persona, export. Backs the Memory tab in /tasks.
         if (url.pathname === '/api/memory/users' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleMemoryUsers(req, res);
         }
         if (url.pathname === '/api/memory/facts' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleMemoryFacts(req, res, url);
         }
         if (url.pathname === '/api/memory/facts' && req.method === 'DELETE') {
@@ -878,9 +936,13 @@ export async function startWebServer(options) {
         }
         const memFactIdMatch = url.pathname.match(/^\/api\/memory\/facts\/(\d+)$/);
         if (memFactIdMatch && req.method === 'DELETE') {
+            if (!requireAdmin(req, res))
+                return;
             return handleMemoryDeleteOne(req, res, url, parseInt(memFactIdMatch[1], 10));
         }
         if (url.pathname === '/api/memory/persona' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleMemoryPersona(req, res, url);
         }
         if (url.pathname === '/api/memory/persona' && req.method === 'PUT') {
@@ -894,6 +956,8 @@ export async function startWebServer(options) {
             return handleMemoryPersonaDelete(req, res, url);
         }
         if (url.pathname === '/api/memory/export' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleMemoryExport(req, res, url);
         }
         // v1.6 — vector backend control + index ops.
@@ -928,6 +992,8 @@ export async function startWebServer(options) {
             return handleMemoryConsolidate(req, res);
         }
         if (url.pathname === '/api/memory/consolidate/status' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleMemoryConsolidateStatus(req, res);
         }
         // v1.2.3 — Skills browser. Lists locally-installed claude/opencode
@@ -944,10 +1010,14 @@ export async function startWebServer(options) {
         }
         // PR-B: HITL approvals — global pending list + per-reqId resolve.
         if (url.pathname === '/api/approvals' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleListApprovals(req, res);
         }
         const approvalResolveMatch = url.pathname.match(/^\/api\/approvals\/([^/]+)\/resolve$/);
         if (approvalResolveMatch && req.method === 'POST') {
+            if (!requireAdmin(req, res))
+                return;
             return handleResolveApproval(req, res, approvalResolveMatch[1]);
         }
         // PR-D: Agent workspace file browser. Read-only inspection of
@@ -955,6 +1025,8 @@ export async function startWebServer(options) {
         // text files. PUT path supports inline editing (annotate CLAUDE.md,
         // AGENTS.md, etc.) — same traversal/size guards as GET.
         if (url.pathname === '/api/workspace-files' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleWorkspaceFiles(req, res, url);
         }
         if (url.pathname === '/api/workspace-files' && req.method === 'PUT') {
@@ -976,9 +1048,12 @@ export async function startWebServer(options) {
             return handleBatchJob(req, res, 'run', getDefaultAgent(options.defaultAgent));
         }
         // PR-C: SSE event stream — audit / approval / job / metrics events
-        // pushed real-time so the dashboard stops polling. Open access; same
-        // trust model as the REST API.
+        // pushed real-time so the dashboard stops polling. Global control-plane
+        // telemetry is admin-only; user/mobile-scoped streams should use a
+        // separate endpoint when added.
         if (url.pathname === '/events' && req.method === 'GET') {
+            if (!requireAdmin(req, res))
+                return;
             return handleEventsSSE(req, res);
         }
         if (url.pathname === '/api/notify' && req.method === 'POST') {
@@ -1110,11 +1185,11 @@ export async function startWebServer(options) {
                 }, 'WS upgrade refused (per-IP rate limit)');
                 return cb(false, 429, 'rate limited');
             }
-            // Auth-off / loopback bypass — mirror checkAuth's two short-circuits
+            // Auth-off / trusted-loopback bypass — mirror checkAuth's two short-circuits
             // so dev / local CLI sessions still work without a token.
             if ((process.env.IMHUB_WEB_AUTH || '').toLowerCase() === 'off')
                 return cb(true);
-            if (isLoopbackPeer(info.req))
+            if (isTrustedLoopbackPeer(info.req))
                 return cb(true);
             // Origin check: cookie SameSite=Lax handles most of the CSWSH
             // surface, but defence-in-depth — reject when Origin's host
@@ -1168,8 +1243,9 @@ export async function startWebServer(options) {
     //   IMHUB_WS_MAX_PER_IP            active connections per IP (default 20)
     //   IMHUB_WS_MAX_NEW_PER_IP_PER_MIN  new connections per IP per minute (default 30)
     //
-    // Loopback bypasses both — local dev / CLI tooling makes many
-    // short connections legitimately.
+    // Trusted loopback bypasses both — local dev / CLI tooling makes many
+    // short connections legitimately. Reverse-proxied loopback traffic is
+    // still counted as network traffic.
     const wsMaxPerIp = (() => {
         const raw = process.env.IMHUB_WS_MAX_PER_IP;
         if (raw) {
@@ -1198,7 +1274,7 @@ export async function startWebServer(options) {
     }
     /** Returns {ok:true} when the IP may open a new WS, else {ok:false, reason}. */
     function checkWsIpRateLimit(req) {
-        if (isLoopbackPeer(req))
+        if (isTrustedLoopbackPeer(req))
             return { ok: true };
         const ip = peerIp(req);
         if (!ip)
@@ -1216,7 +1292,7 @@ export async function startWebServer(options) {
         return { ok: true };
     }
     function recordWsIpOpen(req) {
-        if (isLoopbackPeer(req))
+        if (isTrustedLoopbackPeer(req))
             return;
         const ip = peerIp(req);
         if (!ip)
@@ -1227,7 +1303,7 @@ export async function startWebServer(options) {
         wsPerIp.set(ip, slot);
     }
     function recordWsIpClose(req) {
-        if (isLoopbackPeer(req))
+        if (isTrustedLoopbackPeer(req))
             return;
         const ip = peerIp(req);
         if (!ip)
@@ -4655,6 +4731,13 @@ function readBody(req, res) {
                 aborted = true;
                 if (res && !res.headersSent) {
                     sendJson(res, 413, { error: 'Request body too large' });
+                    res.once('finish', () => {
+                        if (!req.destroyed)
+                            req.destroy();
+                    });
+                }
+                else if (!req.destroyed) {
+                    req.destroy();
                 }
                 const err = new Error('Request body too large');
                 err.statusCode = 413;