fullstackgtm 0.25.1 → 0.26.0

package/src/enrichApollo.ts

@@ -78,9 +78,12 @@ export function createApolloClient(options: ApolloClientOptions): ApolloClient {
       }
       if (response.status === 404) return null;
       if (!response.ok) {
-        const body = await response.text();
+        // Status line only — never interpolate the response body. It can echo
+        // the submitted query (contact emails / company domains) or the API key,
+        // and these errors are persisted verbatim into scheduled-run records.
+        await response.text().catch(() => undefined);
         const exhausted = response.status === 429 ? ` (rate limited; ${maxRetries} retries exhausted)` : "";
-        throw new Error(`Apollo API error ${response.status}${exhausted}: ${body}`);
+        throw new Error(`Apollo API error ${response.status}${exhausted}. Check the API key and request.`);
       }
       const text = await response.text();
       return text ? (JSON.parse(text) as Record<string, unknown>) : null;

package/src/index.ts

@@ -115,6 +115,14 @@ export {
   type MergeSuggestion,
 } from "./merge.ts";
 export { createFilePlanStore, type PlanStore, type StoredPlan } from "./planStore.ts";
+export {
+  computeApprovalDigests,
+  loadOrCreateSigningKey,
+  loadSigningKey,
+  signApproval,
+  verifyApprovalDigests,
+  type ApprovalVerification,
+} from "./integrity.ts";
 export { formatPatchPlanRun, patchPlanToMarkdown } from "./format.ts";
 export { auditReportToHtml, auditReportToMarkdown, type ReportOptions } from "./report.ts";
 export {

package/src/integrity.ts

@@ -0,0 +1,146 @@
+import { createHmac, randomBytes } from "node:crypto";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { credentialsDir, ensureSecureHomeDir, writeSecureFile } from "./credentials.ts";
+import type { PatchOperation } from "./types.ts";
+
+/**
+ * Approval integrity.
+ *
+ * The plan store records WHICH operation ids a human approved, but the apply
+ * path re-reads the operation BODIES fresh from the (user-editable) plan file.
+ * Nothing bound the approval to the content: an approved op's afterValue or
+ * objectId could be changed on disk between `plans approve` and `apply` — by a
+ * compromised dependency, a co-tenant, or a plan file synced/edited on another
+ * machine — and the changed value would be written under the prior approval.
+ *
+ * Fix: at approval time, HMAC-sign each approved operation's security-relevant
+ * content (including the approved value override) with a per-install secret key
+ * stored 0600 alongside the credentials. At apply time, recompute and verify.
+ * Any post-approval edit to the operations or the approved overrides changes the
+ * signature; a tamper must now also forge an HMAC it cannot compute without the
+ * key. The key never leaves the machine, so a plan approved here and applied
+ * elsewhere fails closed ("re-approve on this machine") rather than open.
+ *
+ * This raises the bar from "trust the plan JSON" to "trust the plan JSON only
+ * insofar as it still matches what was signed with the local key." It is not a
+ * defense against an attacker who already holds the signing key (same-dir, same
+ * permissions as the credential store) — that is the documented boundary.
+ */
+
+const SIGNING_KEY_FILE = ".plan-signing-key";
+
+function signingKeyPath(): string {
+  return join(credentialsDir(), SIGNING_KEY_FILE);
+}
+
+/** Read the signing key, or null if it has not been created yet. */
+export function loadSigningKey(): Buffer | null {
+  const path = signingKeyPath();
+  if (!existsSync(path)) return null;
+  try {
+    return Buffer.from(readFileSync(path, "utf8").trim(), "hex");
+  } catch {
+    return null;
+  }
+}
+
+/** Read the signing key, creating a fresh 32-byte one (0600) on first use. */
+export function loadOrCreateSigningKey(): Buffer {
+  const existing = loadSigningKey();
+  if (existing && existing.length >= 32) return existing;
+  ensureSecureHomeDir();
+  const key = randomBytes(32);
+  writeSecureFile(signingKeyPath(), `${key.toString("hex")}\n`);
+  return key;
+}
+
+/**
+ * Canonical, stable string of the operation content an approval binds to. Only
+ * the fields that determine WHAT gets written: changing any of them must
+ * invalidate the approval. `override` is the approved value override for this op
+ * (the value actually written when set), so tampering with stored overrides is
+ * caught too.
+ */
+function canonicalApprovalContent(operation: PatchOperation, override: unknown): string {
+  return JSON.stringify([
+    operation.id,
+    operation.operation,
+    operation.objectType,
+    operation.objectId,
+    operation.field ?? null,
+    operation.beforeValue ?? null,
+    operation.afterValue ?? null,
+    operation.groupId ?? null,
+    // Safety-relevant fields too: editing a precondition could relax a drift
+    // guard, and forging forceArchiveDuplicate could suppress the archive-of-
+    // duplicate refusal — the signed approval must pin apply BEHAVIOR, not just
+    // the written value. `reason` is human-reviewed AND written verbatim into
+    // create_task bodies (afterValue ?? reason fallback in the connectors), so a
+    // create_task with a null afterValue would otherwise let a disk edit to
+    // reason write unapproved text under a still-valid digest.
+    operation.preconditions ?? null,
+    operation.forceArchiveDuplicate ?? false,
+    operation.reason ?? null,
+    override === undefined ? null : ["__override__", override],
+  ]);
+}
+
+/** HMAC-SHA256 signature of one operation's approved content. */
+export function signApproval(operation: PatchOperation, override: unknown, key: Buffer): string {
+  return createHmac("sha256", key).update(canonicalApprovalContent(operation, override)).digest("hex");
+}
+
+/**
+ * Compute the approval signature map for a set of approved operation ids,
+ * resolving each op from the plan and its (approved) value override.
+ */
+export function computeApprovalDigests(
+  operations: PatchOperation[],
+  approvedOperationIds: string[],
+  valueOverrides: Record<string, unknown>,
+  key: Buffer,
+): Record<string, string> {
+  const byId = new Map(operations.map((operation) => [operation.id, operation]));
+  const digests: Record<string, string> = {};
+  for (const id of approvedOperationIds) {
+    const operation = byId.get(id);
+    if (!operation) continue;
+    digests[id] = signApproval(operation, valueOverrides[id], key);
+  }
+  return digests;
+}
+
+export type ApprovalVerification =
+  | { ok: true }
+  | { ok: false; reason: "no_key"; tampered: string[] }
+  | { ok: false; reason: "mismatch"; tampered: string[] };
+
+/**
+ * Verify that every approved operation still matches what was signed. Returns
+ * ok:true when there are no stored digests (a pre-integrity plan — nothing to
+ * verify), when all match, or fails with the list of operation ids whose
+ * content changed since approval.
+ */
+export function verifyApprovalDigests(
+  operations: PatchOperation[],
+  approvedOperationIds: string[],
+  valueOverrides: Record<string, unknown>,
+  storedDigests: Record<string, string> | undefined,
+): ApprovalVerification {
+  if (!storedDigests || Object.keys(storedDigests).length === 0) return { ok: true };
+  const key = loadSigningKey();
+  if (!key) return { ok: false, reason: "no_key", tampered: approvedOperationIds };
+  const byId = new Map(operations.map((operation) => [operation.id, operation]));
+  const tampered: string[] = [];
+  for (const id of approvedOperationIds) {
+    const operation = byId.get(id);
+    const expected = storedDigests[id];
+    if (!operation || !expected) {
+      tampered.push(id);
+      continue;
+    }
+    if (signApproval(operation, valueOverrides[id], key) !== expected) tampered.push(id);
+  }
+  return tampered.length === 0 ? { ok: true } : { ok: false, reason: "mismatch", tampered };
+}

package/src/market.ts

@@ -1,5 +1,7 @@
 import { createHash } from "node:crypto";
+import { lookup } from "node:dns/promises";
 import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs";
+import { isIP } from "node:net";
 import { join } from "node:path";
 import { credentialsDir } from "./credentials.ts";
 import type { GtmEvidence } from "./types.ts";
@@ -309,15 +311,129 @@ export function extractReadableText(html: string): string {
 
 export type FetchPage = (url: string) => Promise<{ status: number; body: string }>;
 
+/**
+ * SSRF guard. market.config.json URLs are operator-authored, but configs are
+ * shared/templated in consulting/team use and `market capture|refresh` is on
+ * the cron allowlist — an unguarded fetch is an unattended internal-network
+ * and cloud-metadata probe. We therefore (1) allow only http/https, (2) refuse
+ * any host that is or resolves to a private/loopback/link-local/metadata
+ * address, and (3) follow redirects manually, re-validating each hop.
+ *
+ * Residual gap (documented, not defended here): TOCTOU DNS rebinding between
+ * our lookup and fetch's own resolution. Out of scope for fetching public
+ * competitor pages; a hardened deployment should fetch through an egress proxy.
+ */
+const MAX_REDIRECTS = 5;
+const FETCH_TIMEOUT_MS = 15_000;
+const MAX_BODY_BYTES = 5_000_000;
+
+function ipv4IsPrivate(ip: string): boolean {
+  const parts = ip.split(".").map((n) => Number(n));
+  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true;
+  const [a, b] = parts;
+  if (a === 0 || a === 127) return true; // this-host, loopback
+  if (a === 10) return true; // private
+  if (a === 172 && b >= 16 && b <= 31) return true; // private
+  if (a === 192 && b === 168) return true; // private
+  if (a === 169 && b === 254) return true; // link-local incl. 169.254.169.254 metadata
+  if (a === 100 && b >= 64 && b <= 127) return true; // CGNAT
+  if (a >= 224) return true; // multicast / reserved
+  return false;
+}
+
+function ipIsPrivate(ip: string): boolean {
+  const family = isIP(ip);
+  if (family === 4) return ipv4IsPrivate(ip);
+  if (family === 6) {
+    const lower = ip.toLowerCase();
+    if (lower === "::1" || lower === "::") return true; // loopback / unspecified
+    // IPv4-mapped (::ffff:…) — Node normalizes ::ffff:127.0.0.1 to ::ffff:7f00:1,
+    // so accept both the dotted and the hex-pair forms, unwrap, check the v4.
+    const mapped = lower.match(/^::ffff:(.+)$/);
+    if (mapped) {
+      const rest = mapped[1];
+      if (rest.includes(".")) return ipv4IsPrivate(rest);
+      const groups = rest.split(":");
+      if (groups.length === 2) {
+        const hi = parseInt(groups[0], 16);
+        const lo = parseInt(groups[1], 16);
+        if (Number.isNaN(hi) || Number.isNaN(lo)) return true;
+        return ipv4IsPrivate(`${(hi >> 8) & 0xff}.${hi & 0xff}.${(lo >> 8) & 0xff}.${lo & 0xff}`);
+      }
+      return true; // unrecognized mapped form → refuse
+    }
+    if (lower.startsWith("fe8") || lower.startsWith("fe9") || lower.startsWith("fea") || lower.startsWith("feb")) return true; // link-local fe80::/10
+    if (lower.startsWith("fc") || lower.startsWith("fd")) return true; // unique-local fc00::/7
+    return false;
+  }
+  return true; // not a recognizable IP literal → refuse
+}
+
+export async function assertPublicUrl(rawUrl: string): Promise<URL> {
+  let url: URL;
+  try {
+    url = new URL(rawUrl);
+  } catch {
+    throw new Error(`market capture: "${rawUrl}" is not a valid URL.`);
+  }
+  if (url.protocol !== "http:" && url.protocol !== "https:") {
+    throw new Error(`market capture refuses ${url.protocol} URLs (only http/https): ${rawUrl}`);
+  }
+  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
+  if (isIP(host)) {
+    if (ipIsPrivate(host)) throw new Error(`market capture refuses private/loopback address ${host} (SSRF guard).`);
+    return url;
+  }
+  // Hostname: resolve and refuse if ANY address is private.
+  const addrs = await lookup(host, { all: true });
+  for (const { address } of addrs) {
+    if (ipIsPrivate(address)) {
+      throw new Error(`market capture refuses ${host} — it resolves to private/internal address ${address} (SSRF guard).`);
+    }
+  }
+  return url;
+}
+
 const defaultFetchPage: FetchPage = async (url) => {
-  const response = await fetch(url, {
-    headers: {
-      "User-Agent": "fullstackgtm-market/0 (+https://github.com/fullstackgtm/core)",
-      "Accept-Language": "en-US",
-    },
-    redirect: "follow",
-  });
-  return { status: response.status, body: await response.text() };
+  let current = url;
+  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+    await assertPublicUrl(current);
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+    let response: Response;
+    try {
+      response = await fetch(current, {
+        headers: {
+          "User-Agent": "fullstackgtm-market/0 (+https://github.com/fullstackgtm/core)",
+          "Accept-Language": "en-US",
+        },
+        redirect: "manual",
+        signal: controller.signal,
+      });
+    } finally {
+      clearTimeout(timer);
+    }
+    if (response.status >= 300 && response.status < 400 && response.headers.get("location")) {
+      current = new URL(response.headers.get("location") as string, current).toString();
+      continue; // re-validate the redirect target on the next iteration
+    }
+    const reader = response.body?.getReader();
+    if (!reader) return { status: response.status, body: await response.text() };
+    const chunks: Uint8Array[] = [];
+    let total = 0;
+    for (;;) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      total += value.length;
+      if (total > MAX_BODY_BYTES) {
+        await reader.cancel();
+        break;
+      }
+      chunks.push(value);
+    }
+    return { status: response.status, body: Buffer.concat(chunks).toString("utf8") };
+  }
+  throw new Error(`market capture: too many redirects (>${MAX_REDIRECTS}) for ${url}`);
 };
 
 export type CaptureOptions = {
@@ -478,6 +594,11 @@ export function validateObservationSet(config: MarketConfig, set: ObservationSet
     if (!INTENSITY_RANK[obs.intensity] && obs.intensity !== "unobservable") {
       problems.push(`${cell}: invalid intensity "${obs.intensity}"`);
     }
+    // confidence is rendered into the HTML report; only the enum is allowed, so
+    // an `observe --from` file can't smuggle markup through a free-text value.
+    if (obs.confidence !== "high" && obs.confidence !== "medium" && obs.confidence !== "low") {
+      problems.push(`${cell}: invalid confidence "${String(obs.confidence)}" (expected high, medium, or low)`);
+    }
     if ((obs.intensity === "loud" || obs.intensity === "quiet") && obs.evidence.length === 0) {
       problems.push(`${cell}: ${obs.intensity} reading with no quoted evidence`);
     }

package/src/marketReport.ts

@@ -40,6 +40,23 @@ function escapeHtml(value: string): string {
     .replace(/"/g, """);
 }
 
+/**
+ * Serialize JSON for embedding inside an inline <script> block. JSON.stringify
+ * does not escape `<`, `>`, `&`, or the U+2028/U+2029 line separators, so a
+ * vendor name containing `</script>` (these are untrusted, competitor-authored
+ * strings) would close the tag and inject markup. Replacing them with their
+ * \uXXXX escapes keeps the parsed value identical while making the breakout
+ * sequence unrepresentable in the HTML source.
+ */
+export function safeJsonForScript(value: unknown): string {
+  return JSON.stringify(value)
+    .replace(/</g, "\\u003c")
+    .replace(/>/g, "\\u003e")
+    .replace(/&/g, "\\u0026")
+    .replace(/\u2028/g, "\\u2028")
+    .replace(/\u2029/g, "\\u2029");
+}
+
 type MapModel = {
   config: MarketConfig;
   set: ObservationSet;
@@ -374,7 +391,7 @@ function axisSectionsHtml(
       <table class="legend"><thead><tr><th></th><th>vendor</th><th class="num">${legendMeasureHead}</th></tr></thead><tbody>${legendRows}</tbody></table>
     </div>
     <div class="map-tip" id="map-tip" hidden></div>
-    <script type="application/json" id="map-data">${JSON.stringify(tipData)}</script>
+    <script type="application/json" id="map-data">${safeJsonForScript(tipData)}</script>
     <script>
     (function () {
       var data = JSON.parse(document.getElementById("map-data").textContent);
@@ -385,7 +402,16 @@ function axisSectionsHtml(
       function show(v, evt) {
         var d = data[v];
         if (!d) return;
-        tip.innerHTML = "<b>" + d.n + " · " + d.name + "</b>" + d.lines.map(function (l) { return "<div>" + l + "</div>"; }).join("");
+        // textContent only — vendor names / axis labels are untrusted (competitor-controlled).
+        tip.textContent = "";
+        var head = document.createElement("b");
+        head.textContent = d.n + " · " + d.name;
+        tip.appendChild(head);
+        d.lines.forEach(function (l) {
+          var div = document.createElement("div");
+          div.textContent = l;
+          tip.appendChild(div);
+        });
         tip.hidden = false;
         var box = fig.getBoundingClientRect();
         tip.style.left = Math.min(evt.clientX - box.left + 14, box.width - tip.offsetWidth - 8) + "px";
@@ -481,7 +507,7 @@ export function marketMapToHtml(config: MarketConfig, set: ObservationSet): stri
     const anchorLoud = anchor
       ? claimIds.filter((claimId) => model.cell(anchor, claimId)?.intensity === "loud").length
       : 0;
-    const anchorNote = anchor ? ` · ${vendorNamesById.get(anchor) ?? anchor} loud on ${anchorLoud}` : "";
+    const anchorNote = anchor ? ` · ${e(vendorNamesById.get(anchor) ?? anchor)} loud on ${anchorLoud}` : "";
     return `<details class="claim-group"><summary><b>${e(group.title)}</b> — ${claimIds.length} claim${claimIds.length === 1 ? "" : "s"} <span class="sum-soft">(${e(group.blurb)}${anchorNote})</span></summary>
       <table><thead><tr><th></th>${vendorHeads}<th></th></tr></thead><tbody>${claimIds.map(matrixRow).join("")}</tbody></table>
     </details>`;
@@ -543,7 +569,7 @@ export function marketMapToHtml(config: MarketConfig, set: ObservationSet): stri
         if (!obs || obs.evidence.length === 0) return [];
         return obs.evidence.map(
           (evidence) =>
-            `<div class="ev"><span class="ev-head">${e(claimId)} · ${obs.intensity.toUpperCase()} (${obs.confidence})</span>` +
+            `<div class="ev"><span class="ev-head">${e(claimId)} · ${e(obs.intensity.toUpperCase())} (${e(String(obs.confidence ?? ""))})</span>` +
             `<blockquote>“${e(evidence.text)}”</blockquote>` +
             `<span class="ev-src">${e(String(evidence.metadata?.url ?? ""))} · capture ${e(String(evidence.metadata?.captureHash ?? "").slice(0, 12))}</span></div>`,
         );