llm-cli-gateway 2.8.0 → 2.10.0

package/CHANGELOG.md

@@ -4,6 +4,91 @@ All notable changes to the llm-cli-gateway project.
 
 ## Unreleased
 
+## [2.10.0] - 2026-06-15: Per-principal isolation on the request handlers
+
+A follow-up to the 2.9.0 per-principal isolation (F3): the ownership model was
+enforced on the `session_*` / `llm_*` bookkeeping tools but **not** on the
+`*_request` execution handlers, the workspace/worktree resolvers, or the
+`sessions://*` resources. An adversarial multi-LLM review of the 2.9.0 surface
+found two HIGH cross-principal bugs reachable in the opt-in remote/OAuth
+multi-tenant modes; this release closes them. The default local-stdio and shared
+static-bearer paths collapse to a single principal and are unaffected (no
+behaviour change). Provider CLI release targets are unchanged from 2.8.0/2.9.0
+(see `docs/upstream/release-targets.md`).
+
+### Security
+
+- Cross-principal session takeover (F3b, request handlers):
+  `getExistingSessionForProvider` now rejects a caller-supplied session id owned
+  by a different principal — the ownership check is ordered before the
+  provider-type comparison, so a foreign session never leaks its provider. This
+  is the choke point for every `*_request` / `*_request_async` handler (claude,
+  codex, gemini, grok, mistral, grok-api) and `codex_fork_session`. Previously a
+  remote principal could resume or read another principal's conversation by
+  supplying its session id.
+- Global active-session pointer is now owner-filtered at every request-handler
+  adoption site (and in the codex async path, which bypassed the choke point),
+  so a no-`sessionId` request can no longer adopt and resume another principal's
+  active session.
+- Workspace-isolation bypass (F3b, resolvers): `resolveWorktreeForRequest` and
+  `resolveWorkspaceAndWorktreeForRequest` ignore a referenced session the caller
+  does not own, so a foreign session's metadata can no longer select the
+  workspace/worktree working directory or satisfy the remote "registered
+  workspace" gate.
+- `sessions://*` resources are now owner-filtered: `sessions://all` and the five
+  per-provider session resources return only the caller's own rows and active
+  pointer, closing the session-id/metadata enumeration vector.
+
+### Tests
+
+- Adds `src/__tests__/f3b-request-handler-isolation.test.ts` (cross-principal
+  deny-path coverage for the request handlers and the `sessions://*` resources).
+
+## [2.9.0] - 2026-06-14: MCP-surface red-team remediation
+
+This release remediates all 17 findings of a multi-LLM red-team of the gateway's
+external and internal MCP surface. Every change is material only in the opt-in
+remote/OAuth/multi-tenant modes or under `approvalStrategy:"mcp_managed"`; the
+default local-stdio path is unaffected. Provider CLI release targets are
+unchanged from 2.8.0 (see `docs/upstream/release-targets.md`).
+
+### Security
+
+- Per-principal isolation (F3): `session_*`, `llm_job_*`, and
+  `llm_request_result` now resolve a calling owner principal and enforce
+  own-or-not-found access, so one OAuth client can no longer read or mutate
+  another client's sessions, jobs, or persisted request results. Owner columns
+  are additive and nullable; legacy unowned rows remain accessible to local
+  callers. The shared static bearer is one principal by design.
+- Built-in OAuth server hardening (F14): the authorization-code flow gains an
+  opt-in human-consent gate (dedicated consent password, default off) and a
+  trusted-principal-header seam so a proxy front door can attribute requests
+  without the gateway shipping any identity-provider configuration.
+- Approval-gate hard boundary (F15): under `approvalStrategy:"mcp_managed"` a
+  full permission/sandbox bypass request is now denied by default regardless of
+  heuristic score, and the managed strategy no longer force-sets each provider's
+  most-permissive mode. See "Changed" for the per-provider defaults.
+- Secret redaction (F4): prompts and responses are redacted before they are
+  written to the flight-recorder database.
+- Remote-exposure fail-closed (F17): a remotely-exposed open OAuth configuration
+  refuses to start, and the `Host` header is no longer trusted for loopback
+  determination.
+- MCP surface hardening (F1/F2/F10): request bodies are capped to prevent a
+  memory DoS, `cli_upgrade` targets are clamped to block arbitrary-package
+  installation, and a committed NUL byte in `config.ts` (which rendered the file
+  binary and invisible to gitleaks/SAST/grep) was removed.
+
+### Changed
+
+- Under `approvalStrategy:"mcp_managed"`, every provider now defaults to an
+  accept-edits-level mode (auto-accept file edits, dangerous tools still gated)
+  instead of full auto-approve: Claude `--permission-mode acceptEdits`, Grok
+  `--permission-mode acceptEdits`, Mistral `--agent accept-edits`, and Gemini
+  prompted `default` (the `agy` CLI has no accept-edits rung, so without the
+  opt-in Gemini cannot auto-approve mutating tools under `mcp_managed`). Each
+  escalates to its full auto-approve mode only when the operator sets
+  `LLM_GATEWAY_APPROVAL_ALLOW_BYPASS`. The `legacy` strategy is unchanged.
+
 ## [2.8.0] - 2026-06-14: HTTP workspace gating and ACP transport
 
 ### Added

package/README.md

@@ -1160,6 +1160,24 @@ await callTool("session_delete", {
   ```bash
   LLM_GATEWAY_APPROVAL_POLICY=strict node dist/index.js
   ```
+- `LLM_GATEWAY_APPROVAL_ALLOW_BYPASS`: Under `approvalStrategy:"mcp_managed"`, a full permission / sandbox bypass request (e.g. `dangerouslyBypassApprovalsAndSandbox`, `dangerouslySkipPermissions`) is **denied by default** regardless of approval score, **and** `mcp_managed` no longer force-bypasses any provider — each defaults to an auto-accept-edits-level mode (auto-accept file edits, still gate Bash and other dangerous tools) instead of full auto-approve:
+  - **Claude** → `--permission-mode acceptEdits` (was `bypassPermissions`)
+  - **Grok** → `--permission-mode acceptEdits` (was `--always-approve`)
+  - **Mistral (Vibe)** → `--agent accept-edits` (was `--agent auto-approve`)
+  - **Gemini (Antigravity)** → `default` / prompted, i.e. **no** `--dangerously-skip-permissions` (the `agy` CLI has no accept-edits middle rung, so the safe default is prompted execution; without the opt-in, Gemini cannot auto-approve mutating tools under `mcp_managed`)
+
+  Set to `1`/`true` to let the operator opt back in: this permits bypass requests through the approval gate **and** restores each provider's full auto-approve mode under `mcp_managed` (Claude `bypassPermissions`, Grok `--always-approve`, Mistral `--agent auto-approve`, Gemini `--dangerously-skip-permissions`). Sandboxed auto modes (e.g. codex `--sandbox workspace-write`) are unaffected.
+  ```bash
+  LLM_GATEWAY_APPROVAL_ALLOW_BYPASS=1 node dist/index.js
+  ```
+- `LLM_GATEWAY_TRUSTED_PRINCIPAL_HEADER`: Name of an HTTP header carrying the authenticated user identity asserted by a **trusted front door** (any identity-aware reverse proxy / IdP). When set, the gateway adopts that header value as the request's ownership principal — but **only** for requests authenticated with the gateway's own static bearer token (i.e. the trusted upstream proxy), never from an arbitrary remote client. Off by default; IdP-agnostic. Lets a proxy-fronted multi-user deployment carry per-user identity into the gateway.
+  ```bash
+  LLM_GATEWAY_TRUSTED_PRINCIPAL_HEADER=x-gateway-principal node dist/index.js
+  ```
+- `LLM_GATEWAY_OAUTH_REQUIRE_CONSENT` / `LLM_GATEWAY_OAUTH_CONSENT_SECRET`: Opt-in human-consent gate for the built-in OAuth server. When enabled (`REQUIRE_CONSENT=1`, or implied by setting `CONSENT_SECRET`), `/oauth/authorize` renders an operator approval page (CSRF-protected) and issues an authorization code **only** after the dedicated consent password is entered — instead of auto-issuing. `CONSENT_SECRET` is the plaintext password (hashed in memory; or persist a `consent_secret_hash` in `[http.oauth]`). Off by default; remote OAuth refuses to enable consent without a secret to verify.
+  ```bash
+  LLM_GATEWAY_OAUTH_REQUIRE_CONSENT=1 LLM_GATEWAY_OAUTH_CONSENT_SECRET='choose-a-strong-code' node dist/index.js
+  ```
 - `LLM_GATEWAY_CONFIG`: Path to the gateway TOML config (default: `~/.llm-cli-gateway/config.toml`). See **Persistence configuration** above for the `[persistence]` schema.
 - `LLM_GATEWAY_LOGS_DB`: **Deprecated** — overrides `[persistence].path` and selects `backend = "sqlite"` (or `backend = "none"` when set to `none`). Emits a deprecation warning at startup; migrate to `config.toml`.
   ```bash
@@ -1168,6 +1186,11 @@ await callTool("session_delete", {
   # Disable durable persistence (also disables *_request_async tools)
   LLM_GATEWAY_LOGS_DB=none node dist/index.js
   ```
+- `LLM_GATEWAY_REDACT_LOGGED_SECRETS`: Redact recognisable secrets (provider/cloud/VCS keys, bearer tokens, JWTs, PEM private keys, `key=value` secret assignments) from the prompt/system/response copies written to the flight-recorder log. **Enabled by default**; set to `0`/`false`/`off`/`no` to store content verbatim. Only the audit log is affected — live sync responses and async `llm_job_result` output are never altered.
+  ```bash
+  # Opt out of flight-recorder secret redaction
+  LLM_GATEWAY_REDACT_LOGGED_SECRETS=0 node dist/index.js
+  ```
 
 ### CLI-Specific Settings
 

package/dist/approval-manager.d.ts

@@ -34,6 +34,7 @@ export interface ApprovalRecord {
     metadata?: Record<string, unknown>;
     reviewIntegrity?: ReviewIntegrityResult;
 }
+export declare function bypassAllowedByOperator(env?: NodeJS.ProcessEnv): boolean;
 export declare class ApprovalManager {
     private logger;
     private readonly logPath;

package/dist/approval-manager.js

@@ -14,6 +14,10 @@ function parsePolicy(policy) {
     }
     return "balanced";
 }
+export function bypassAllowedByOperator(env = process.env) {
+    const raw = (env.LLM_GATEWAY_APPROVAL_ALLOW_BYPASS || "").trim().toLowerCase();
+    return raw === "1" || raw === "true" || raw === "yes" || raw === "on";
+}
 function promptPreview(prompt) {
     if (process.env.APPROVAL_LOG_PROMPTS === "1") {
         return prompt.replace(/\s+/g, " ").trim().slice(0, 280);
@@ -106,8 +110,17 @@ export class ApprovalManager {
                 reasons.push(`Review integrity: ${violation.detail}`);
             }
         }
+        const bypassDeniedByDefault = request.bypassRequested && !bypassAllowedByOperator();
+        if (bypassDeniedByDefault) {
+            reasons.push("Full permission/sandbox bypass denied by default under MCP-managed approval " +
+                "(set LLM_GATEWAY_APPROVAL_ALLOW_BYPASS=1 to permit)");
+        }
         const threshold = policy === "strict" ? 2 : policy === "balanced" ? 5 : 7;
-        const status = score <= threshold ? "approved" : "denied";
+        const status = bypassDeniedByDefault
+            ? "denied"
+            : score <= threshold
+                ? "approved"
+                : "denied";
         const record = {
             id: randomUUID(),
             ts: new Date().toISOString(),

package/dist/async-job-manager.d.ts

@@ -81,6 +81,7 @@ export declare class AsyncJobManager {
     private maybeFlushOutput;
     private persistComplete;
     private hydrateFromStore;
+    getJobOwner(jobId: string): string | null | undefined;
     startJob(cli: LlmCli, args: string[], correlationId: string, cwd?: string, idleTimeoutMs?: number, outputFormat?: string, forceRefresh?: boolean, env?: Record<string, string>, onComplete?: () => void, flightRecorderEntry?: AsyncJobFlightRecorderEntry, extractUsage?: AsyncJobUsageExtractor, writeFlightStart?: boolean, stdin?: string): AsyncJobSnapshot;
     startJobWithDedup(cli: LlmCli, args: string[], correlationId: string, opts?: StartJobOptions): StartJobOutcome;
     getJobSnapshot(jobId: string): AsyncJobSnapshot | null;

package/dist/async-job-manager.js

@@ -5,6 +5,7 @@ import { ProcessMonitor } from "./process-monitor.js";
 import { computeRequestKey } from "./job-store.js";
 import { NoopFlightRecorder, } from "./flight-recorder.js";
 import { codexFrResponse } from "./codex-json-parser.js";
+import { getRequestContext, resolveOwnerPrincipal } from "./request-context.js";
 const MAX_OUTPUT_SIZE = 50 * 1024 * 1024;
 const JOB_TTL_MS = 60 * 60 * 1000;
 const EVICTION_INTERVAL_MS = 5 * 60 * 1000;
@@ -406,12 +407,19 @@ export class AsyncJobManager {
             exited: row.status !== "running",
             metricsRecorded: true,
             outputFormat: row.outputFormat ?? undefined,
+            ownerPrincipal: row.ownerPrincipal,
             outputDirty: false,
             lastOutputFlushAt: Date.now(),
         };
         this.jobs.set(jobId, reconstituted);
         return reconstituted;
     }
+    getJobOwner(jobId) {
+        let job = this.jobs.get(jobId);
+        if (!job)
+            job = this.hydrateFromStore(jobId) ?? undefined;
+        return job?.ownerPrincipal;
+    }
     startJob(cli, args, correlationId, cwd, idleTimeoutMs, outputFormat, forceRefresh, env, onComplete, flightRecorderEntry, extractUsage, writeFlightStart, stdin) {
         return this.startJobWithDedup(cli, args, correlationId, {
             cwd,
@@ -489,9 +497,11 @@ export class AsyncJobManager {
             if (child.pid)
                 unregisterProcessGroup(child.pid);
         };
+        const ownerPrincipal = resolveOwnerPrincipal(getRequestContext());
         const job = {
             id,
             cli,
+            ownerPrincipal,
             args: [...args],
             requestKey,
             correlationId,
@@ -528,6 +538,7 @@ export class AsyncJobManager {
             outputFormat,
             startedAt,
             pid: child.pid ?? null,
+            ownerPrincipal,
         }));
         if (writeFlightStart && flightRecorderEntry) {
             try {

package/dist/auth.d.ts

@@ -32,6 +32,8 @@ export interface RemoteOAuthConfig {
     registrationPolicy: OAuthRegistrationPolicy;
     allowPublicClients: boolean;
     tokenTtlSeconds: number;
+    requireConsent: boolean;
+    consentSecretHash: string | null;
     clients: RemoteOAuthClientConfig[];
     sharedSecret: RemoteOAuthSharedSecretConfig | null;
     sources: {
@@ -53,6 +55,8 @@ export declare function issueOAuthAccessToken(args: {
     scope: string;
 };
 export declare function authorizeBearerRequest(req: IncomingMessage, token?: string | null): AuthResult;
+export declare function trustedPrincipalHeaderName(env?: NodeJS.ProcessEnv): string | null;
+export declare function resolveTrustedPrincipal(req: IncomingMessage, auth: AuthResult, env?: NodeJS.ProcessEnv): string | undefined;
 export declare function writeAuthFailure(res: ServerResponse, result: AuthResult, options?: {
     resourceMetadataUrl?: string;
 }): void;

package/dist/auth.js

@@ -79,6 +79,22 @@ export function authorizeBearerRequest(req, token = getRequiredBearerToken()) {
     }
     return { ok: false, status: 401, message: "Unauthorized" };
 }
+const TRUSTED_PRINCIPAL_PATTERN = /^[A-Za-z0-9._@:+=/-]{1,256}$/;
+export function trustedPrincipalHeaderName(env = process.env) {
+    const raw = (env.LLM_GATEWAY_TRUSTED_PRINCIPAL_HEADER || "").trim().toLowerCase();
+    return raw || null;
+}
+export function resolveTrustedPrincipal(req, auth, env = process.env) {
+    const headerName = trustedPrincipalHeaderName(env);
+    if (!headerName || auth.kind !== "gateway_bearer")
+        return undefined;
+    const raw = req.headers[headerName];
+    const value = Array.isArray(raw) ? raw[0] : raw;
+    if (!value)
+        return undefined;
+    const trimmed = value.trim();
+    return TRUSTED_PRINCIPAL_PATTERN.test(trimmed) ? trimmed : undefined;
+}
 export function writeAuthFailure(res, result, options = {}) {
     const status = result.status ?? 401;
     let wwwAuthenticate = 'Bearer realm="llm-cli-gateway"';

package/dist/cache-stats.d.ts

@@ -90,6 +90,7 @@ export interface PersistedRequestRecord {
     response: string | null;
     prompt?: string;
     thinkingBlocks: string[] | null;
+    ownerPrincipal: string | null;
 }
 export interface ReadPersistedRequestOptions {
     maxChars?: number;

package/dist/cache-stats.js

@@ -263,7 +263,7 @@ export function readPersistedRequest(db, correlationId, opts = {}) {
     const maxChars = opts.maxChars ?? PERSISTED_REQUEST_DEFAULT_MAX_CHARS;
     const rows = db.queryRequests(`SELECT r.id, r.cli, r.model, r.prompt, r.response, r.session_id,
             r.datetime_utc, r.duration_ms, r.input_tokens, r.output_tokens,
-            r.cache_read_tokens, r.cache_creation_tokens,
+            r.cache_read_tokens, r.cache_creation_tokens, r.owner_principal,
             m.retry_count, m.circuit_breaker_state, m.cost_usd,
             m.exit_code, m.error_message, m.async_job_id, m.status,
             m.thinking_blocks
@@ -301,6 +301,7 @@ export function readPersistedRequest(db, correlationId, opts = {}) {
         responseTruncated,
         response,
         thinkingBlocks: parseThinkingBlocks(row.thinking_blocks),
+        ownerPrincipal: row.owner_principal,
     };
     if (opts.includePrompt) {
         record.prompt = row.prompt ?? "";

package/dist/cli-updater.js

@@ -237,10 +237,13 @@ export async function runCliUpgrade(params) {
         exitCode: result.code,
     };
 }
+const UPGRADE_TARGET_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
 function normalizeTarget(target) {
     const normalized = target.trim();
-    if (!normalized || normalized.startsWith("-") || /[\u0000-\u001f\u007f\s]/.test(normalized)) {
-        throw new Error("Upgrade target must be a non-empty package tag or version without whitespace and cannot start with '-'");
+    if (!UPGRADE_TARGET_PATTERN.test(normalized)) {
+        throw new Error("Upgrade target must be a bare version or dist-tag (letters, digits, '.', '_', '-'; " +
+            "1-64 chars; must start alphanumeric). Package specifiers, aliases, URLs, and paths " +
+            "(containing ':', '/', or '@') are not allowed.");
     }
     return normalized;
 }

package/dist/config.js

@@ -353,7 +353,7 @@ export const DEFAULT_ACP_PROCESS_IDLE_TIMEOUT_MS = 600000;
 export const DEFAULT_ACP_INITIALIZE_TIMEOUT_MS = 10000;
 export const DEFAULT_ACP_SESSION_NEW_TIMEOUT_MS = 10000;
 export const DEFAULT_ACP_PROMPT_TIMEOUT_MS = 600000;
-const SHELL_METACHARACTERS = /[\s|&;<>(){}$`"'\\*?[\]~#!]/;
+const SHELL_METACHARACTERS = /[\s|&;<>(){}$`"'\\*?[\]~#!\0]/;
 function isSafeExecutable(value) {
     if (value.length === 0)
         return false;
@@ -492,6 +492,8 @@ const OAuthConfigSchema = z
     registration_policy: OAuthRegistrationPolicySchema.default("static_clients"),
     allow_public_clients: z.boolean().default(false),
     token_ttl_seconds: z.number().int().positive().default(3600),
+    require_consent: z.boolean().default(false),
+    consent_secret_hash: z.string().optional(),
     clients: z.array(OAuthClientSchema).default([]),
     shared_secret: OAuthSharedSecretSchema.optional(),
 })
@@ -505,6 +507,8 @@ function disabledOAuthConfig(sourcePath = null, envOverrides = []) {
         registrationPolicy: "static_clients",
         allowPublicClients: false,
         tokenTtlSeconds: 3600,
+        requireConsent: false,
+        consentSecretHash: null,
         clients: [],
         sharedSecret: null,
         sources: { configFile: sourcePath, envOverrides },
@@ -536,6 +540,15 @@ export function loadRemoteOAuthConfig(logger = noopLogger, env = process.env) {
             ? "LLM_GATEWAY_OAUTH_REGISTRATION_SECRET"
             : "LLM_GATEWAY_OAUTH_SHARED_SECRET");
     }
+    if (env.LLM_GATEWAY_OAUTH_REQUIRE_CONSENT !== undefined) {
+        merged.require_consent = env.LLM_GATEWAY_OAUTH_REQUIRE_CONSENT === "1";
+        envOverrides.push("LLM_GATEWAY_OAUTH_REQUIRE_CONSENT");
+    }
+    if (env.LLM_GATEWAY_OAUTH_CONSENT_SECRET) {
+        merged.consent_secret_hash = hashSecret(env.LLM_GATEWAY_OAUTH_CONSENT_SECRET);
+        merged.require_consent = merged.require_consent ?? true;
+        envOverrides.push("LLM_GATEWAY_OAUTH_CONSENT_SECRET");
+    }
     const parsed = OAuthConfigSchema.safeParse(merged);
     if (!parsed.success) {
         logWarn(logger, "Invalid [http.oauth] config; remote OAuth disabled", {
@@ -578,6 +591,12 @@ export function loadRemoteOAuthConfig(logger = noopLogger, env = process.env) {
     if (data.registration_policy === "open_dev" && env.LLM_GATEWAY_OAUTH_OPEN_DEV !== "1") {
         logWarn(logger, "[http.oauth].registration_policy='open_dev' is intended for localhost/dev only");
     }
+    if (data.require_consent) {
+        if (!data.consent_secret_hash || !isSecretHash(data.consent_secret_hash)) {
+            logWarn(logger, "[http.oauth].require_consent is set but consent_secret_hash is missing/invalid; remote OAuth disabled");
+            return disabledOAuthConfig(sourcePath, envOverrides);
+        }
+    }
     return {
         enabled: data.enabled,
         issuer: data.issuer,
@@ -586,6 +605,8 @@ export function loadRemoteOAuthConfig(logger = noopLogger, env = process.env) {
         registrationPolicy: data.registration_policy,
         allowPublicClients: data.allow_public_clients,
         tokenTtlSeconds: data.token_ttl_seconds,
+        requireConsent: data.require_consent,
+        consentSecretHash: data.consent_secret_hash ?? null,
         clients: data.clients.map(client => ({
             clientId: client.client_id,
             clientSecretHash: client.client_secret_hash ?? null,

package/dist/flight-recorder.d.ts

@@ -11,6 +11,7 @@ export interface FlightLogStart {
     stablePrefixTokens?: number;
     cacheControlBlocks?: number;
     cacheControlTtlSeconds?: number;
+    ownerPrincipal?: string | null;
 }
 export interface FlightLogResult {
     response: string;
@@ -39,11 +40,16 @@ export declare class FlightRecorder {
     private readOnlyDb;
     private closed;
     private readonly dbPath;
+    private readonly redactEnabled;
     private insertStartTxn;
     private updateCompleteTxn;
-    constructor(dbPath: string);
+    constructor(dbPath: string, options?: {
+        redactSecrets?: boolean;
+    });
     logStart(entry: FlightLogStart): void;
     logComplete(correlationId: string, result: FlightLogResult): void;
+    private redactStart;
+    private redactResult;
     queryRequests<T = Record<string, unknown>>(sql: string, ...params: unknown[]): T[];
     flush(): void;
     close(): void;

package/dist/flight-recorder.js

@@ -2,6 +2,8 @@ import { chmodSync } from "fs";
 import os from "os";
 import path from "path";
 import { openDatabase, openReadOnly } from "./sqlite-driver.js";
+import { redactSecrets, isRedactionEnabled } from "./secret-redaction.js";
+import { getRequestContext, resolveOwnerPrincipal } from "./request-context.js";
 const MAX_THINKING_BYTES = 1_000_000;
 function ensureRequestsCacheColumns(db) {
     const rows = db.prepare("PRAGMA table_info(requests)").all();
@@ -13,6 +15,13 @@ function ensureRequestsCacheColumns(db) {
         db.exec("ALTER TABLE requests ADD COLUMN cache_creation_tokens INTEGER");
     }
 }
+function ensureRequestsOwnerColumn(db) {
+    const rows = db.prepare("PRAGMA table_info(requests)").all();
+    const names = new Set(rows.map((row) => (row && typeof row.name === "string" ? row.name : "")));
+    if (!names.has("owner_principal")) {
+        db.exec("ALTER TABLE requests ADD COLUMN owner_principal TEXT");
+    }
+}
 function ensureStablePrefixColumns(db) {
     const rows = db.prepare("PRAGMA table_info(requests)").all();
     const names = new Set(rows.map((row) => (row && typeof row.name === "string" ? row.name : "")));
@@ -87,10 +96,12 @@ export class FlightRecorder {
     readOnlyDb = null;
     closed = false;
     dbPath;
+    redactEnabled;
     insertStartTxn;
     updateCompleteTxn;
-    constructor(dbPath) {
+    constructor(dbPath, options = {}) {
         this.dbPath = dbPath;
+        this.redactEnabled = options.redactSecrets ?? isRedactionEnabled();
         this.db = openDatabase(dbPath);
         this.db.exec("PRAGMA journal_mode = WAL");
         this.db.exec("PRAGMA foreign_keys = ON");
@@ -113,7 +124,8 @@ export class FlightRecorder {
         input_tokens INTEGER,
         output_tokens INTEGER,
         cache_read_tokens INTEGER,
-        cache_creation_tokens INTEGER
+        cache_creation_tokens INTEGER,
+        owner_principal TEXT
       );
 
       CREATE TABLE IF NOT EXISTS gateway_metadata (
@@ -155,6 +167,10 @@ export class FlightRecorder {
         this.db
             .prepare("INSERT OR IGNORE INTO _migrations(version, applied_at) VALUES(5, ?)")
             .run(new Date().toISOString());
+        ensureRequestsOwnerColumn(this.db);
+        this.db
+            .prepare("INSERT OR IGNORE INTO _migrations(version, applied_at) VALUES(6, ?)")
+            .run(new Date().toISOString());
         if (process.platform !== "win32") {
             try {
                 chmodSync(dbPath, 0o600);
@@ -165,10 +181,10 @@ export class FlightRecorder {
         const insertRequest = this.db.prepare(`
       INSERT INTO requests (id, cli, model, prompt, system, session_id, datetime_utc,
                             stable_prefix_hash, stable_prefix_tokens,
-                            cache_control_blocks, cache_control_ttl_seconds)
+                            cache_control_blocks, cache_control_ttl_seconds, owner_principal)
       VALUES (@id, @cli, @model, @prompt, @system, @session_id, @datetime_utc,
               @stable_prefix_hash, @stable_prefix_tokens,
-              @cache_control_blocks, @cache_control_ttl_seconds)
+              @cache_control_blocks, @cache_control_ttl_seconds, @owner_principal)
     `);
         const insertMetadata = this.db.prepare(`
       INSERT INTO gateway_metadata (request_id, async_job_id, status)
@@ -187,6 +203,7 @@ export class FlightRecorder {
                 stable_prefix_tokens: entry.stablePrefixTokens ?? null,
                 cache_control_blocks: entry.cacheControlBlocks ?? null,
                 cache_control_ttl_seconds: entry.cacheControlTtlSeconds ?? null,
+                owner_principal: entry.ownerPrincipal ?? resolveOwnerPrincipal(getRequestContext()),
             });
             insertMetadata.run({
                 request_id: entry.correlationId,
@@ -244,10 +261,20 @@ export class FlightRecorder {
         });
     }
     logStart(entry) {
-        this.insertStartTxn(entry);
+        this.insertStartTxn(this.redactEnabled ? this.redactStart(entry) : entry);
     }
     logComplete(correlationId, result) {
-        this.updateCompleteTxn(correlationId, result);
+        this.updateCompleteTxn(correlationId, this.redactEnabled ? this.redactResult(result) : result);
+    }
+    redactStart(entry) {
+        return {
+            ...entry,
+            prompt: redactSecrets(entry.prompt),
+            system: entry.system ? redactSecrets(entry.system) : entry.system,
+        };
+    }
+    redactResult(result) {
+        return { ...result, response: redactSecrets(result.response) };
     }
     queryRequests(sql, ...params) {
         if (this.closed) {

package/dist/http-transport.js

@@ -2,10 +2,11 @@ import { createServer } from "node:http";
 import { randomUUID } from "node:crypto";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
-import { authorizeBearerRequest, getRequiredBearerToken, writeAuthFailure } from "./auth.js";
+import { authorizeBearerRequest, getRequiredBearerToken, resolveTrustedPrincipal, writeAuthFailure, } from "./auth.js";
 import { loadRemoteOAuthConfig } from "./config.js";
 import { OAuthServer, oauthBaseUrlFromRequest } from "./oauth.js";
 import { runWithRequestContext } from "./request-context.js";
+import { readCappedRawBody, maxHttpBodyBytes } from "./request-limits.js";
 const noopLogger = {
     info: (..._args) => { },
     error: (..._args) => { },
@@ -14,22 +15,8 @@ const noopLogger = {
 function firstHeader(value) {
     return Array.isArray(value) ? value[0] : value;
 }
-function readRawBody(req) {
-    return new Promise((resolve, reject) => {
-        const chunks = [];
-        req.on("data", chunk => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
-        req.on("error", reject);
-        req.on("end", () => {
-            if (chunks.length === 0) {
-                resolve("");
-                return;
-            }
-            resolve(Buffer.concat(chunks).toString("utf8"));
-        });
-    });
-}
 async function readBody(req) {
-    const raw = await readRawBody(req);
+    const raw = await readCappedRawBody(req, maxHttpBodyBytes());
     if (!raw)
         return undefined;
     try {
@@ -94,6 +81,13 @@ export async function startHttpGateway(options) {
     const sessions = new Map();
     const token = getRequiredBearerToken();
     const oauthConfig = loadRemoteOAuthConfig(logger);
+    if (oauthConfig.enabled &&
+        (oauthConfig.allowPublicClients || oauthConfig.registrationPolicy === "open_dev") &&
+        !isLocalHost(host)) {
+        throw new Error(`Refusing to start: remote OAuth with ${oauthConfig.allowPublicClients ? "public clients" : "open_dev registration"} is exposed on a non-loopback bind (host=${host}). Bind LLM_GATEWAY_HTTP_HOST to 127.0.0.1 ` +
+            `and front the gateway with an authenticating proxy, or switch to ` +
+            `registration_policy=static_clients with confidential client secrets.`);
+    }
     const oauthServer = oauthConfig.enabled
         ? new OAuthServer({ protectedPath: path, config: oauthConfig, logger })
         : null;
@@ -162,11 +156,13 @@ export async function startHttpGateway(options) {
                     writeAuthFailure(res, auth, resourceMetadataUrl ? { resourceMetadataUrl } : {});
                     return;
                 }
+                const trustedPrincipal = resolveTrustedPrincipal(req, auth);
                 requestContext = {
                     transport: "http",
                     authKind: auth.kind,
                     authScopes: auth.scopes ?? [],
                     authClientId: auth.clientId,
+                    authPrincipal: trustedPrincipal ?? auth.clientId,
                 };
             }
             if (req.method !== "GET" && req.method !== "POST" && req.method !== "DELETE") {
@@ -214,7 +210,13 @@ export async function startHttpGateway(options) {
         catch (error) {
             logger.error("HTTP transport request failed", error);
             if (!res.headersSent) {
-                jsonError(res, 500, "Internal server error");
+                const statusCode = error?.statusCode;
+                if (statusCode === 413) {
+                    jsonError(res, 413, "Payload too large");
+                }
+                else {
+                    jsonError(res, 500, "Internal server error");
+                }
             }
             else {
                 res.end();