ladder-mcp 1.0.1 → 1.0.2

package/CHANGELOG.md

@@ -4,6 +4,32 @@ All notable changes to Ladder_mcp are documented here. Format loosely follows
 [Keep a Changelog](https://keepachangelog.com/); this project uses
 [Semantic Versioning](https://semver.org/).
 
+## [1.0.2] - 2026-06-28
+
+Security and robustness patch release addressing findings from an external
+adversarial review of `src/`.
+
+### Fixed
+
+- **`isAuthenticated` false-positive on corrupt credentials** (`environment.ts`):
+  a credentials file that exists but is unreadable or invalid JSON was previously
+  reported as authenticated. It now fails closed and returns `false`, satisfying
+  NFR-5 honest diagnostics.
+- **Unbounded `stdout`/`stderr` capture in `runKimi`** (`kimi-runner.ts`): CLI
+  output is now accumulated through `appendCapped` with a hard ceiling
+  (`MAX_CAPTURE_CHARS`), preventing memory exhaustion on runaway output.
+- **Unvalidated `max_output_tokens` and `work_dir`** (`input-validation.ts`):
+  non-finite, zero, or negative token counts are clamped to the default budget;
+  `work_dir` must be an absolute path to an existing directory before Kimi is
+  spawned. Used by `kimi_analyze` and `kimi_resume`.
+
+### Security
+
+- **Arbitrary command persisted to `mcp.json`** (`kimi-mcp-config.ts`):
+  `kimi_generate_mcp_config` now validates `command` against an allow-list of
+  `node`, `npx`, or an absolute path to an existing file. Other values (e.g.
+  `powershell`) are rejected and nothing is written.
+
 ## [1.0.1] - 2026-06-28
 
 Bug-fix release. Issues found by exercising all 20 tools live against a real

package/dist/environment.js

@@ -126,7 +126,10 @@ export function isAuthenticated(options) {
         return Boolean(data.access_token || data.refresh_token || data.id_token || data.token);
     }
     catch {
-        return true;
+        // A corrupt or unreadable credentials file is NOT proof of authentication.
+        // Returning true here produced a false-positive "authenticated" status that
+        // misled diagnostics (NFR-5). Fail closed.
+        return false;
     }
 }
 export function isKimiInstalled(options) {

package/dist/index.js

@@ -2,6 +2,7 @@
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { z } from 'zod';
+import { maxChars, validateWorkDir } from './input-validation.js';
 import { getKimiStatus } from './environment.js';
 import { runKimiApi, isApiConfigured } from './kimi-api.js';
 import { runKimi } from './kimi-runner.js';
@@ -13,9 +14,8 @@ import { generateMcpConfig } from './kimi-mcp-config.js';
 import { buildBudgetProbeGuide, getDesktopStatus } from './desktop-work.js';
 const server = new McpServer({
     name: 'kimi-code',
-    version: '1.0.0',
+    version: '1.0.2',
 });
-const DEFAULT_MAX_OUTPUT_CHARS = 60_000;
 const FORMAT_INSTRUCTIONS = {
     summary: `
 OUTPUT FORMAT CONSTRAINTS:
@@ -42,9 +42,6 @@ IMPORTANT: Your response will be consumed by another AI model with limited conte
 function wrapPrompt(prompt, detailLevel) {
     return `${prompt}\n${FORMAT_INSTRUCTIONS[detailLevel]}\n${AI_CONSUMER_NOTICE}`;
 }
-function maxChars(maxOutputTokens) {
-    return maxOutputTokens ? maxOutputTokens * 4 : DEFAULT_MAX_OUTPUT_CHARS;
-}
 function textResponse(text, isError = false) {
     return { content: [{ type: 'text', text }], isError };
 }
@@ -60,6 +57,9 @@ server.tool('kimi_analyze', 'Send a prompt to Kimi Code for codebase analysis. D
     max_output_tokens: z.number().optional(),
     include_thinking: z.boolean().optional(),
 }, async ({ prompt, work_dir, session_id, new_session, detail_level, max_output_tokens, include_thinking }) => {
+    const workDirError = validateWorkDir(work_dir);
+    if (workDirError)
+        return textResponse(`Error: ${workDirError}`, true);
     const result = await runKimi({
         prompt: wrapPrompt(prompt, detail_level ?? 'normal'),
         workDir: work_dir,
@@ -107,6 +107,9 @@ server.tool('kimi_resume', 'Resume an explicit Kimi Code session with a new prom
     max_output_tokens: z.number().optional(),
     include_thinking: z.boolean().optional(),
 }, async ({ session_id, prompt, work_dir, detail_level, max_output_tokens, include_thinking }) => {
+    const workDirError = validateWorkDir(work_dir);
+    if (workDirError)
+        return textResponse(`Error: ${workDirError}`, true);
     const result = await runKimi({
         prompt: wrapPrompt(prompt, detail_level ?? 'normal'),
         workDir: work_dir,

package/dist/input-validation.js

@@ -0,0 +1,29 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+export const DEFAULT_MAX_OUTPUT_CHARS = 60_000;
+// Convert an untrusted max_output_tokens into a character budget. NaN/Infinity/zero/
+// negative/non-integer would otherwise produce a nonsensical budget (e.g. NaN) handed
+// to truncation, so clamp those to the default.
+export function maxChars(maxOutputTokens) {
+    if (typeof maxOutputTokens !== 'number' || !Number.isFinite(maxOutputTokens) || maxOutputTokens <= 0) {
+        return DEFAULT_MAX_OUTPUT_CHARS;
+    }
+    return Math.floor(maxOutputTokens) * 4;
+}
+// Reject a work_dir before spawning Kimi: a relative or non-existent directory would
+// otherwise be passed to the CLI as cwd and fail opaquely. Returns an error string when
+// invalid, or undefined when the path is an existing absolute directory.
+export function validateWorkDir(workDir) {
+    if (!path.isAbsolute(workDir))
+        return 'work_dir must be an absolute path.';
+    let stat;
+    try {
+        stat = fs.statSync(workDir);
+    }
+    catch {
+        return `work_dir does not exist: ${workDir}`;
+    }
+    if (!stat.isDirectory())
+        return `work_dir is not a directory: ${workDir}`;
+    return undefined;
+}

package/dist/kimi-mcp-config.js

@@ -44,6 +44,19 @@ function assertWritableProjectTarget(projectDir) {
         throw new Error('Refusing to write MCP config under read-only kimi-code-mcp reference tree.');
     }
 }
+const ALLOWED_BARE_COMMANDS = new Set(['node', 'npx']);
+// Constrain the launcher written into mcp.json. Without this, an arbitrary `command`
+// (e.g. "powershell") would be persisted and later executed when Kimi loads the
+// server config. Allow only the known Node launchers by bare name, or an absolute
+// path to an existing file (a vetted local binary).
+function assertSafeCommand(command) {
+    const value = command.trim();
+    if (ALLOWED_BARE_COMMANDS.has(value))
+        return;
+    if (path.isAbsolute(value) && fs.existsSync(value) && fs.statSync(value).isFile())
+        return;
+    throw new Error(`command must be one of [${[...ALLOWED_BARE_COMMANDS].join(', ')}] or an absolute path to an existing file; got "${command}".`);
+}
 function readMcpServers(existing) {
     const value = existing.mcpServers;
     if (value === undefined || value === null)
@@ -66,8 +79,10 @@ export function generateMcpConfig(options = {}) {
         throw new Error('server_name must contain only letters, digits, underscores, and hyphens.');
     }
     const defaults = defaultServerCommand();
+    const command = options.command ?? defaults.command;
+    assertSafeCommand(command);
     const serverConfig = {
-        command: options.command ?? defaults.command,
+        command,
         args: options.args ?? defaults.args,
         env: {},
     };

package/dist/kimi-runner.js

@@ -1,6 +1,16 @@
 import { spawn } from 'node:child_process';
 import * as path from 'node:path';
 import { buildKimiEnv, resolveKimiPaths } from './environment.js';
+const MAX_CAPTURE_CHARS = 16 * 1024 * 1024;
+// Append to a captured stream while enforcing a hard ceiling so a runaway CLI cannot
+// grow the buffer without bound. Once the cap is reached, further data is dropped (the
+// stream is still drained by Node, just not stored).
+export function appendCapped(current, addition, max) {
+    if (current.length >= max)
+        return current;
+    const next = current + addition;
+    return next.length > max ? next.slice(0, max) : next;
+}
 export function buildKimiArgs(config) {
     const args = ['-p', config.prompt, '--output-format', 'stream-json'];
     if (config.sessionId) {
@@ -120,8 +130,8 @@ export function runKimi(config) {
             killProcessTree(proc.pid);
             finish({ ok: false, text: '', error: `Kimi timed out after ${Math.round(timeoutMs / 1000)}s` });
         }, timeoutMs);
-        proc.stdout?.on('data', (chunk) => { stdout += chunk.toString('utf-8'); });
-        proc.stderr?.on('data', (chunk) => { stderr += chunk.toString('utf-8'); });
+        proc.stdout?.on('data', (chunk) => { stdout = appendCapped(stdout, chunk.toString('utf-8'), MAX_CAPTURE_CHARS); });
+        proc.stderr?.on('data', (chunk) => { stderr = appendCapped(stderr, chunk.toString('utf-8'), MAX_CAPTURE_CHARS); });
         proc.on('error', (err) => {
             finish({ ok: false, text: '', error: err instanceof Error ? err.message : String(err) });
         });

package/dist/transports/acp.js

@@ -221,7 +221,7 @@ export class AcpClient extends EventEmitter {
     async initialize() {
         return this.request('initialize', {
             protocolVersion: 1,
-            clientInfo: { name: 'ladder-mcp', version: '1.0.0' },
+            clientInfo: { name: 'ladder-mcp', version: '1.0.2' },
             capabilities: {},
         }, 30_000);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ladder-mcp",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Windows-first MCP bridge for Kimi Code CLI v24",
   "license": "MIT",
   "type": "module",