fraim 2.0.177 → 2.0.180

package/dist/src/middleware/security-headers.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.securityHeaders = securityHeaders;
+const DEFAULT_CSP = [
+    "default-src 'self'",
+    // Inline scripts are used by the analytics/installer dashboard; keep them.
+    // Third-party CDNs are explicitly listed rather than wildcarded.
+    "script-src 'self' 'unsafe-inline' https://js.stripe.com https://cdn.jsdelivr.net",
+    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+    "img-src 'self' data: https:",
+    "font-src 'self' https://fonts.gstatic.com data:",
+    "connect-src 'self' https://api.stripe.com",
+    "frame-src 'self' https://js.stripe.com https://hooks.stripe.com",
+    "frame-ancestors 'self'",
+    "base-uri 'self'",
+    "form-action 'self' https://checkout.stripe.com"
+].join('; ');
+function securityHeaders(options = {}) {
+    const enableHsts = options.enableHsts !== false;
+    const csp = options.contentSecurityPolicy === undefined
+        ? DEFAULT_CSP
+        : options.contentSecurityPolicy;
+    return function securityHeadersMiddleware(req, res, next) {
+        // Trust-proxy aware: req.secure is true if X-Forwarded-Proto is https
+        // and Express has been told to trust the upstream (see fraim-mcp-server.ts).
+        if (enableHsts && req.secure) {
+            res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+        }
+        res.setHeader('X-Content-Type-Options', 'nosniff');
+        res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+        res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+        res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
+        res.setHeader('Cross-Origin-Resource-Policy', 'same-site');
+        res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');
+        res.setHeader('X-DNS-Prefetch-Control', 'off');
+        if (csp) {
+            res.setHeader('Content-Security-Policy', csp);
+        }
+        next();
+    };
+}

package/dist/src/middleware/telemetry.js

@@ -0,0 +1,134 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TelemetryMiddleware = void 0;
+class TelemetryMiddleware {
+    constructor(sessionManager) {
+        this.sessionManager = sessionManager;
+    }
+    parseSessionId(req) {
+        const fromHeader = Array.isArray(req.headers['x-fraim-session-id'])
+            ? req.headers['x-fraim-session-id'][0]
+            : req.headers['x-fraim-session-id'];
+        if (typeof fromHeader === 'string' && fromHeader.trim().length > 0) {
+            return fromHeader.trim();
+        }
+        const fromParams = req.body?.params?.sessionId;
+        if (typeof fromParams === 'string' && fromParams.trim().length > 0) {
+            return fromParams.trim();
+        }
+        const fromArgs = req.body?.params?.arguments?.sessionId;
+        if (typeof fromArgs === 'string' && fromArgs.trim().length > 0) {
+            return fromArgs.trim();
+        }
+        return undefined;
+    }
+    /**
+     * Middleware to enforce Session Handshake and track activity
+     */
+    async handle(req, res, next) {
+        try {
+            // 1. Standard MCP Lifecycle & Discovery methods (Initialize, List Tools/Resources/Prompts, etc.)
+            const exemptMethods = [
+                'initialize',
+                'notifications/initialized',
+                'tools/list',
+                'resources/list',
+                'prompts/list',
+                'prompts/get',
+                'logging/setLevel'
+            ];
+            if (req.body && exemptMethods.includes(req.body.method)) {
+                return next();
+            }
+            // 2. FRAIM Bootstrap/Discovery Tools that don't need an active session
+            if (req.body && req.body.method === 'tools/call') {
+                const toolName = req.body.params?.name;
+                const safeTools = [
+                    'fraim_connect',
+                    'list_fraim_jobs'
+                ];
+                if (toolName && safeTools.includes(toolName)) {
+                    return next();
+                }
+            }
+            // Skip for non-authenticated or exempt paths (GET only).
+            // Issue #359 - /api/auth/* and /api/account/* are human-session lifecycle
+            // endpoints (called by auth-bootstrap.js on every page load); they happen
+            // BEFORE any agent has fraim_connect'd, so they MUST be exempt from the
+            // telemetry session-active gate. Without this, /api/auth/session returns 400
+            // for every signed-in browser, which redirects users back to sign-in.
+            // Issue #563 - /api/org/* serves the org-cache sync performed by the
+            // `fraim sync` CLI, which runs outside any MCP session (same lifecycle
+            // position as /api/registry/sync). Auth still applies; only the
+            // session-active gate is exempted.
+            const exemptPaths = ['/health', '/admin', '/api/registry/sync', '/api/registry/github-workflows', '/api/registry/topology/personalized', '/api/registry/topology/usage-heatmap', '/api/org/', '/api/manager/', '/api/payment/', '/api/sales/', '/api/signup', '/api/providers', '/api/analytics', '/analytics', '/api/auth/', '/api/account/'];
+            if (exemptPaths.some(p => req.path.startsWith(p))) {
+                return next();
+            }
+            const apiKey = req.apiKeyData?.key;
+            if (!apiKey)
+                return next(); // Auth middleware handles 401 earlier
+            const sessionId = this.parseSessionId(req);
+            const localVersionFromHeader = Array.isArray(req.headers['x-fraim-local-version'])
+                ? req.headers['x-fraim-local-version'][0]
+                : req.headers['x-fraim-local-version'];
+            const localVersion = req.localMcpVersion ||
+                (typeof localVersionFromHeader === 'string' ? localVersionFromHeader : 'unknown');
+            const isProxiedAgentCall = typeof localVersion === 'string' && localVersion !== 'unknown';
+            // Enforce explicit session id for local proxy agent traffic.
+            if (isProxiedAgentCall && !sessionId) {
+                return res.status(400).json({
+                    jsonrpc: '2.0',
+                    error: {
+                        code: -32600,
+                        message: `Missing Session ID. REQUIRED ACTION:
+1. Call 'fraim_connect' first
+2. Capture the returned sessionId
+3. Include that sessionId on every subsequent FRAIM tool call (params.sessionId or params.arguments.sessionId).`
+                    },
+                    id: req.body?.id || null
+                });
+            }
+            // Check Session
+            const isActive = await this.sessionManager.updateActivity(apiKey, sessionId);
+            if (!isActive) {
+                const sessionStartGuidance = isProxiedAgentCall
+                    ? `Session Not Started. REQUIRED ACTION: Call 'fraim_connect' tool first, then include the returned sessionId on every subsequent FRAIM tool call.`
+                    : `Session Not Started. REQUIRED ACTION: Call 'fraim_connect' tool first with these parameters:
+
+{
+  "agent": {
+    "name": "YourAgentName",
+    "model": "your-model-name"
+  },
+  "machine": {
+    "hostname": "use os.hostname()",
+    "platform": "use process.platform"
+  },
+  "repo": {
+    "url": "git remote URL",
+    "owner": "repo owner",
+    "name": "repo name"
+  }
+}
+
+After successful fraim_connect, all other FRAIM tools will work. This is required for telemetry and session management.`;
+                return res.status(400).json({
+                    jsonrpc: '2.0',
+                    error: {
+                        code: -32600,
+                        message: sessionStartGuidance
+                    },
+                    id: req.body?.id || null
+                });
+            }
+            console.log(`Telemetry active for ${apiKey}`);
+            return next();
+        }
+        catch (error) {
+            console.error('Telemetry middleware error:', error);
+            return next(error);
+        }
+    }
+}
+exports.TelemetryMiddleware = TelemetryMiddleware;

package/dist/src/models/payment.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });