npm - mlgym-deploy - Versions diffs - 2.3.6 → 2.4.1 - Mend

mlgym-deploy 2.3.6 → 2.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/SECURITY-UPDATE-v2.4.0.md +104 -0
package/index.js +464 -6267
package/package.json +1 -1
package/index-v2.js +0 -1062
package/index-v3-explicit.js +0 -129

package/SECURITY-UPDATE-v2.4.0.md ADDED Viewed

@@ -0,0 +1,104 @@
+# Security Update: MLGym MCP Server v2.4.0
+## Critical Security Fix
+### Vulnerability Fixed
+- **Email Enumeration Attack**: The previous `mlgym_auth_check` tool allowed attackers to check if email addresses exist in the system without authentication
+- **Security Risk Level**: HIGH - Exposed user privacy and enabled targeted attacks
+### Changes Made
+#### Removed Insecure Tools
+- ❌ **Removed `mlgym_auth_check`**: This tool revealed whether accounts exist
+- ❌ **Removed `mlgym_user_create`**: Replaced with secure consolidated flow
+#### Added Secure Authentication
+- ✅ **New `mlgym_authenticate` tool**: Consolidated secure authentication that:
+  - Never reveals if an account exists without valid credentials
+  - Handles both login and account creation in one secure flow
+  - Returns generic error messages for failed authentication
+  - Automatically sets up SSH keys on successful auth
+### Security Improvements
+1. **No Email Enumeration**: Login failures return generic "Authentication failed. Invalid credentials." regardless of whether account exists
+2. **Consolidated Flow**: Single tool handles both scenarios:
+   - Existing users: Login with email/password
+   - New users: Set `create_if_not_exists=true` with full_name and accept_terms
+3. **Automatic SSH Setup**: SSH keys are automatically generated and registered on first login
+### Migration Guide
+#### Old Flow (INSECURE - DO NOT USE)
+```javascript
+// Step 1: Check if user exists (SECURITY VULNERABILITY!)
+mlgym_auth_check({ email: "user@example.com" })
+// Step 2: Create or login based on response
+if (exists) {
+  mlgym_auth_login({ email, password })
+} else {
+  mlgym_user_create({ email, name, password })
+}
+```
+#### New Flow (SECURE)
+```javascript
+// For existing users
+mlgym_authenticate({
+  email: "user@example.com",
+  password: "SecurePass123!"
+})
+// For new users
+mlgym_authenticate({
+  email: "user@example.com",
+  password: "SecurePass123!",
+  create_if_not_exists: true,
+  full_name: "John Doe",
+  accept_terms: true
+})
+```
+### Update Instructions
+1. **Update the npm package**:
+   ```bash
+   npm install -g mlgym-deploy@2.4.0
+   ```
+2. **Restart Cursor** to load the updated MCP server
+3. **Update any scripts** that use the old tools
+### Testing
+The update includes comprehensive security tests to verify:
+- Insecure tools are removed
+- Authentication doesn't reveal account existence
+- Generic error messages are returned
+- SSH keys are properly configured
+### Backward Compatibility
+⚠️ **Breaking Changes**:
+- `mlgym_auth_check` is completely removed
+- `mlgym_user_create` is replaced by `mlgym_authenticate`
+- `mlgym_auth_login` is replaced by `mlgym_authenticate`
+All functionality is preserved through the new `mlgym_authenticate` tool with enhanced security.
+### Support
+If you encounter any issues with the update:
+1. Check that you're using v2.4.0: `npm list -g mlgym-deploy`
+2. Clear MCP cache: `rm ~/.mlgym/mcp_config.json`
+3. Restart Cursor and try again
+---
+**Version**: 2.4.0
+**Release Date**: October 30, 2025
+**Security Advisory**: HIGH - All users should update immediately