monomind 1.7.0 → 1.9.0

package/packages/@monomind/cli/dist/src/services/container-worker-pool.js

@@ -16,11 +16,19 @@
  * - Network isolation per worker type
  */
 import { EventEmitter } from 'events';
-import { spawn, exec } from 'child_process';
+import { spawn, exec, execFile } from 'child_process';
 import { promisify } from 'util';
 import { existsSync, mkdirSync } from 'fs';
 import { join } from 'path';
 const execAsync = promisify(exec);
+const execFileAsync = promisify(execFile);
+/** Allowlist: registry/name:tag with optional digest — no shell metacharacters */
+const DOCKER_IMAGE_RE = /^[a-zA-Z0-9][a-zA-Z0-9.\-_/:@]*$/;
+function validateDockerImage(image) {
+    if (!DOCKER_IMAGE_RE.test(image)) {
+        throw new Error(`Invalid Docker image name: "${image}"`);
+    }
+}
 // ============================================
 // Constants
 // ============================================
@@ -134,6 +142,10 @@ export class ContainerWorkerPool extends EventEmitter {
             }
         }
         // Queue the task
+        const MAX_TASK_QUEUE = 500;
+        if (this.taskQueue.length >= MAX_TASK_QUEUE) {
+            return this.createErrorResult(options.workerType, 'Task queue is full');
+        }
         return new Promise((resolve, reject) => {
             this.taskQueue.push({
                 options,
@@ -236,13 +248,14 @@ export class ContainerWorkerPool extends EventEmitter {
      */
     async ensureImage() {
         try {
-            await execAsync(`docker image inspect ${this.config.image}`, { timeout: 10000 });
+            validateDockerImage(this.config.image);
+            await execFileAsync('docker', ['image', 'inspect', this.config.image], { timeout: 10000 });
         }
         catch {
             // Image not found, try to pull
             this.emit('imagePull', { image: this.config.image });
             try {
-                await execAsync(`docker pull ${this.config.image}`, { timeout: 300000 });
+                await execFileAsync('docker', ['pull', this.config.image], { timeout: 300000 });
             }
             catch (error) {
                 this.emit('warning', { message: `Failed to pull image: ${error}` });
@@ -267,23 +280,48 @@ export class ContainerWorkerPool extends EventEmitter {
         this.containers.set(id, containerInfo);
         this.emit('containerCreating', { id, name });
         try {
-            // Build docker run command
+            // Build docker run command with hardening flags.
+            // Without these flags the container ran with default capabilities and
+            // privilege escalation enabled — combined with a writable host mount
+            // that is JSON-parsed by the daemon, this was a container-to-host RCE
+            // chain (claims.json/daemon-state.json could be rewritten from inside).
+            const stateMount = join(this.projectRoot, this.config.statePath);
             const args = [
                 'run', '-d',
                 '--name', name,
+                // Resource limits
                 '--cpus', this.config.resources.cpus,
                 '--memory', this.config.resources.memory,
+                '--pids-limit', '256',
+                // Privilege & capability hardening
+                '--security-opt', 'no-new-privileges:true',
+                '--cap-drop', 'ALL',
+                '--user', '1000:1000',
+                '--ipc', 'none',
+                // Mounts: workspace read-only, state read-only by default with a
+                // narrow rw output channel for the worker to write back results.
                 '-v', `${this.projectRoot}:${this.config.workspacePath}:ro`,
-                '-v', `${join(this.projectRoot, this.config.statePath)}:/root/.monomind`,
+                '-v', `${stateMount}:/root/.monomind:ro`,
+                '-v', `${join(stateMount, 'output')}:/output:rw`,
+                // tmpfs for /tmp without exec
+                '--tmpfs', '/tmp:rw,noexec,nosuid,size=64m',
                 '-w', this.config.workspacePath,
             ];
-            // Add environment variables
+            // Add environment variables.
+            // SECURITY: ANTHROPIC_API_KEY is intentionally NOT injected via -e here.
+            // Visible via `docker inspect` and process listings on the host, and
+            // exfiltrable by indirect prompt injection via process.env. Containers
+            // that need API access must use a host-side proxy. Set
+            // MONOMIND_CONTAINER_PASS_ANTHROPIC_KEY=1 to opt back in for trusted
+            // single-tenant deployments.
             const env = {
                 ...this.config.env,
-                ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY || '',
                 CLAUDE_CODE_HEADLESS: 'true',
                 CLAUDE_CODE_SANDBOX_MODE: this.config.defaultSandbox,
             };
+            if (process.env.MONOMIND_CONTAINER_PASS_ANTHROPIC_KEY === '1' && process.env.ANTHROPIC_API_KEY) {
+                env.ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY;
+            }
             for (const [key, value] of Object.entries(env)) {
                 if (value) {
                     args.push('-e', `${key}=${value}`);
@@ -296,7 +334,7 @@ export class ContainerWorkerPool extends EventEmitter {
             // Add image and entrypoint to keep container running
             args.push(this.config.image, 'tail', '-f', '/dev/null');
             // Create the container (async)
-            const { stdout } = await execAsync(`docker ${args.join(' ')}`, { timeout: 60000 });
+            const { stdout } = await execFileAsync('docker', args, { timeout: 60000 });
             const containerId = stdout.trim();
             containerInfo.state = 'ready';
             this.emit('containerCreated', { id, name, containerId });
@@ -317,7 +355,7 @@ export class ContainerWorkerPool extends EventEmitter {
             return;
         container.state = 'terminated';
         try {
-            await execAsync(`docker rm -f ${container.name}`, { timeout: 30000 });
+            await execFileAsync('docker', ['rm', '-f', container.name], { timeout: 30000 });
         }
         catch {
             // Ignore removal errors
@@ -410,11 +448,13 @@ export class ContainerWorkerPool extends EventEmitter {
             let stdout = '';
             let stderr = '';
             let timedOut = false;
+            let exited = false;
+            child.once('exit', () => { exited = true; });
             const timeout = setTimeout(() => {
                 timedOut = true;
                 child.kill('SIGTERM');
                 setTimeout(() => {
-                    if (!child.killed) {
+                    if (!exited) {
                         child.kill('SIGKILL');
                     }
                 }, 5000);
@@ -492,7 +532,7 @@ export class ContainerWorkerPool extends EventEmitter {
                 continue;
             try {
                 // Check if container is running (async)
-                const { stdout } = await execAsync(`docker inspect -f '{{.State.Running}}' ${container.name}`, { timeout: 10000 });
+                const { stdout } = await execFileAsync('docker', ['inspect', '-f', '{{.State.Running}}', container.name], { timeout: 10000 });
                 const output = stdout.trim();
                 if (output !== 'true') {
                     container.healthCheckFailures++;

package/packages/@monomind/cli/dist/src/services/headless-worker-executor.d.ts

@@ -205,7 +205,9 @@ export declare class HeadlessWorkerExecutor extends EventEmitter {
     private pendingQueue;
     private contextCache;
     private claudeCodeAvailable;
+    private claudeCodeAvailableCheckedAt;
     private claudeCodeVersion;
+    private activeReservations;
     constructor(projectRoot: string, options?: HeadlessExecutorConfig);
     /**
      * Check if Claude Code CLI is available
@@ -231,6 +233,11 @@ export declare class HeadlessWorkerExecutor extends EventEmitter {
      * Cancel a running execution
      */
     cancel(executionId: string): boolean;
+    /**
+     * Cancel all running executions for a specific worker type.
+     * Used by the timeout handler in worker-daemon to avoid killing unrelated workers.
+     */
+    cancelByType(workerType: string): boolean;
     /**
      * Cancel all running executions
      */

package/packages/@monomind/cli/dist/src/services/headless-worker-executor.js

@@ -20,7 +20,7 @@
  */
 import { spawn, execSync } from 'child_process';
 import { EventEmitter } from 'events';
-import { existsSync, readFileSync, readdirSync, mkdirSync, writeFileSync } from 'fs';
+import { existsSync, readFileSync, readdirSync, mkdirSync, writeFileSync, renameSync } from 'fs';
 import { join } from 'path';
 // ============================================
 // Constants
@@ -91,7 +91,7 @@ Provide a JSON report with:
             sandbox: 'strict',
             model: 'haiku',
             outputFormat: 'json',
-            contextPatterns: ['**/*.ts', '**/*.js', '**/.env*', '**/package.json'],
+            contextPatterns: ['**/*.ts', '**/*.js', '**/package.json'],
             timeoutMs: 5 * 60 * 1000,
         },
     },
@@ -366,7 +366,13 @@ export class HeadlessWorkerExecutor extends EventEmitter {
     pendingQueue = [];
     contextCache = new Map();
     claudeCodeAvailable = null;
+    claudeCodeAvailableCheckedAt = null;
     claudeCodeVersion = null;
+    // SECURITY: synchronous reservation counter so processQueue() does not
+    // drain the entire pendingQueue before async pool insertions catch up.
+    // Without this, a single processQueue() iteration could spawn hundreds of
+    // claude child processes simultaneously (DoS amplifier: 1 dequeue → 500 spawns).
+    activeReservations = 0;
     constructor(projectRoot, options) {
         super();
         this.projectRoot = projectRoot;
@@ -390,8 +396,14 @@ export class HeadlessWorkerExecutor extends EventEmitter {
      * Check if Claude Code CLI is available
      */
     async isAvailable() {
-        if (this.claudeCodeAvailable !== null) {
-            return this.claudeCodeAvailable;
+        const NEGATIVE_CACHE_TTL_MS = 60_000; // re-check after 1 min on negative result
+        if (this.claudeCodeAvailable === true) {
+            return true;
+        }
+        if (this.claudeCodeAvailable === false && this.claudeCodeAvailableCheckedAt !== null) {
+            if (Date.now() - this.claudeCodeAvailableCheckedAt < NEGATIVE_CACHE_TTL_MS) {
+                return false;
+            }
         }
         try {
             const output = execSync('claude --version', {
@@ -401,12 +413,14 @@ export class HeadlessWorkerExecutor extends EventEmitter {
                 windowsHide: true, // Prevent phantom console windows on Windows
             });
             this.claudeCodeAvailable = true;
+            this.claudeCodeAvailableCheckedAt = Date.now();
             this.claudeCodeVersion = output.trim();
             this.emit('status', { available: true, version: this.claudeCodeVersion });
             return true;
         }
         catch {
             this.claudeCodeAvailable = false;
+            this.claudeCodeAvailableCheckedAt = Date.now();
             this.emit('status', { available: false });
             return false;
         }
@@ -433,9 +447,14 @@ export class HeadlessWorkerExecutor extends EventEmitter {
             this.emit('error', result);
             return result;
         }
-        // Check concurrent limit
-        if (this.processPool.size >= this.config.maxConcurrent) {
+        // Check concurrent limit using activeReservations (synchronous counter)
+        // rather than processPool.size (which is updated only after async setup).
+        if (this.activeReservations >= this.config.maxConcurrent) {
             // Queue the request
+            const MAX_PENDING = 500;
+            if (this.pendingQueue.length >= MAX_PENDING) {
+                return this.createErrorResult(workerType, 'Pending queue is full');
+            }
             return new Promise((resolve, reject) => {
                 const entry = {
                     workerType,
@@ -451,8 +470,16 @@ export class HeadlessWorkerExecutor extends EventEmitter {
                 });
             });
         }
-        // Execute immediately
-        return this.executeInternal(workerType, configOverrides);
+        // Reserve the slot synchronously and release it (regardless of success
+        // or failure) so processQueue can pull the next pending item.
+        this.activeReservations++;
+        try {
+            return await this.executeInternal(workerType, configOverrides);
+        }
+        finally {
+            this.activeReservations--;
+            this.processQueue();
+        }
     }
     /**
      * Get pool status
@@ -491,13 +518,63 @@ export class HeadlessWorkerExecutor extends EventEmitter {
             return false;
         }
         clearTimeout(entry.timeout);
-        entry.process.kill('SIGTERM');
+        let exited = false;
+        entry.process.once('exit', () => { exited = true; });
+        try {
+            entry.process.kill('SIGTERM');
+        }
+        catch { /* may already be dead */ }
+        const killTimer = setTimeout(() => {
+            if (!exited) {
+                try {
+                    entry.process.kill('SIGKILL');
+                }
+                catch { /* ignore */ }
+            }
+        }, 5000);
+        killTimer.unref();
+        entry.process.once('exit', () => clearTimeout(killTimer));
         this.processPool.delete(executionId);
         this.emit('cancelled', { executionId });
         // Process next in queue
         this.processQueue();
         return true;
     }
+    /**
+     * Cancel all running executions for a specific worker type.
+     * Used by the timeout handler in worker-daemon to avoid killing unrelated workers.
+     */
+    cancelByType(workerType) {
+        let cancelled = false;
+        const entries = Array.from(this.processPool.entries());
+        for (const [executionId, entry] of entries) {
+            if (entry.workerType !== workerType)
+                continue;
+            clearTimeout(entry.timeout);
+            let exited = false;
+            entry.process.once('exit', () => { exited = true; });
+            try {
+                entry.process.kill('SIGTERM');
+            }
+            catch { /* may already be dead */ }
+            const killTimer = setTimeout(() => {
+                if (!exited) {
+                    try {
+                        entry.process.kill('SIGKILL');
+                    }
+                    catch { /* ignore */ }
+                }
+            }, 5000);
+            killTimer.unref();
+            entry.process.once('exit', () => clearTimeout(killTimer));
+            this.processPool.delete(executionId);
+            this.emit('cancelled', { executionId });
+            cancelled = true;
+        }
+        if (cancelled)
+            this.processQueue();
+        return cancelled;
+    }
     /**
      * Cancel all running executions
      */
@@ -507,15 +584,26 @@ export class HeadlessWorkerExecutor extends EventEmitter {
         const entries = Array.from(this.processPool.entries());
         for (const [executionId, entry] of entries) {
             clearTimeout(entry.timeout);
-            entry.process.kill('SIGTERM');
-            // SIGKILL fallback after 5s to prevent orphan processes (#1395 Bug 6)
-            setTimeout(() => {
+            // Track exit so the SIGKILL fallback can't be sent to a recycled PID.
+            // entry.process.killed is set by Node when .kill() was called, NOT when
+            // the OS process actually exited — without an explicit 'exit' listener,
+            // a recycled PID can receive our SIGKILL.
+            let exited = false;
+            entry.process.once('exit', () => { exited = true; });
+            try {
+                entry.process.kill('SIGTERM');
+            }
+            catch { /* may already be dead */ }
+            const killTimer = setTimeout(() => {
+                if (exited)
+                    return;
                 try {
-                    if (!entry.process.killed)
-                        entry.process.kill('SIGKILL');
+                    entry.process.kill('SIGKILL');
                 }
                 catch { /* already dead */ }
-            }, 5000).unref();
+            }, 5000);
+            killTimer.unref();
+            entry.process.once('exit', () => clearTimeout(killTimer));
             this.emit('cancelled', { executionId });
             cancelled++;
         }
@@ -637,14 +725,21 @@ export class HeadlessWorkerExecutor extends EventEmitter {
      * Process the pending queue
      */
     processQueue() {
+        // Gate on activeReservations (synchronous counter) so we cannot
+        // accidentally drain the queue past maxConcurrent before async setup
+        // populates processPool.
         while (this.pendingQueue.length > 0 &&
-            this.processPool.size < this.config.maxConcurrent) {
+            this.activeReservations < this.config.maxConcurrent) {
             const next = this.pendingQueue.shift();
             if (!next)
                 break;
+            this.activeReservations++;
             this.executeInternal(next.workerType, next.config)
-                .then(next.resolve)
-                .catch(next.reject);
+                .then(next.resolve, next.reject)
+                .finally(() => {
+                this.activeReservations--;
+                this.processQueue();
+            });
         }
     }
     /**
@@ -670,13 +765,18 @@ export class HeadlessWorkerExecutor extends EventEmitter {
         // Deduplicate and limit
         const uniqueFiles = Array.from(new Set(files)).slice(0, this.config.maxContextFiles);
         // Build context
+        const { resolve: resolvePath, sep } = await import('path');
         const contextParts = [];
         for (const file of uniqueFiles) {
             try {
                 const fullPath = join(this.projectRoot, file);
-                if (!existsSync(fullPath))
+                const resolvedFull = resolvePath(fullPath);
+                const resolvedRoot = resolvePath(this.projectRoot);
+                if (!resolvedFull.startsWith(resolvedRoot + sep) && resolvedFull !== resolvedRoot)
+                    continue;
+                if (!existsSync(resolvedFull))
                     continue;
-                const content = readFileSync(fullPath, 'utf-8');
+                const content = readFileSync(resolvedFull, 'utf-8');
                 const truncated = content.slice(0, this.config.maxCharsPerFile);
                 const wasTruncated = content.length > this.config.maxCharsPerFile;
                 contextParts.push(`--- ${file}${wasTruncated ? ' (truncated)' : ''} ---\n${truncated}`);
@@ -686,8 +786,13 @@ export class HeadlessWorkerExecutor extends EventEmitter {
             }
         }
         const contextContent = contextParts.join('\n\n');
-        // Cache the result
+        // Cache the result (evict oldest when at capacity)
         if (this.config.cacheContext) {
+            if (this.contextCache.size >= 50) {
+                const oldestKey = this.contextCache.keys().next().value;
+                if (oldestKey !== undefined)
+                    this.contextCache.delete(oldestKey);
+            }
             this.contextCache.set(cacheKey, {
                 content: contextContent,
                 timestamp: Date.now(),
@@ -815,8 +920,45 @@ Analyze the above codebase context and provide your response following the forma
      */
     executeClaudeCode(prompt, options) {
         return new Promise((resolve) => {
+            // SECURITY: in strict sandbox mode, build a minimal env allowlist instead
+            // of forwarding the entire parent env. The previous spread also passed
+            // LD_PRELOAD, NODE_OPTIONS, DYLD_INSERT_LIBRARIES, PYTHONPATH, HTTP_PROXY,
+            // etc. — which means "strict" was a label, not a control. Now it actually
+            // strips dangerous loaders/proxies even when the parent has them set.
+            const STRICT_ENV_ALLOWLIST = new Set([
+                'PATH', 'HOME', 'USER', 'LOGNAME', 'LANG', 'LC_ALL', 'TZ', 'TERM', 'SHELL',
+                'TMPDIR', 'TMP', 'TEMP',
+                'ANTHROPIC_API_KEY', 'ANTHROPIC_MODEL', 'ANTHROPIC_BASE_URL',
+            ]);
+            const FORBIDDEN_ENV = new Set([
+                'LD_PRELOAD', 'LD_LIBRARY_PATH', 'LD_AUDIT',
+                'DYLD_INSERT_LIBRARIES', 'DYLD_LIBRARY_PATH', 'DYLD_FALLBACK_LIBRARY_PATH',
+                'NODE_OPTIONS', 'NODE_PATH',
+                'PYTHONPATH', 'PYTHONHOME', 'PYTHONSTARTUP',
+                'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY',
+                'BASH_ENV', 'ENV', 'CDPATH',
+                'PERL5OPT', 'RUBYOPT',
+                'JAVA_TOOL_OPTIONS', '_JAVA_OPTIONS', 'JDK_JAVA_OPTIONS',
+            ]);
+            const baseEnv = {};
+            if (options.sandbox === 'strict') {
+                for (const k of STRICT_ENV_ALLOWLIST) {
+                    const v = process.env[k];
+                    if (typeof v === 'string')
+                        baseEnv[k] = v;
+                }
+            }
+            else {
+                for (const [k, v] of Object.entries(process.env)) {
+                    if (typeof v !== 'string')
+                        continue;
+                    if (FORBIDDEN_ENV.has(k))
+                        continue; // always strip in any mode
+                    baseEnv[k] = v;
+                }
+            }
             const env = {
-                ...process.env,
+                ...baseEnv,
                 CLAUDE_CODE_HEADLESS: 'true',
                 CLAUDE_CODE_SANDBOX_MODE: options.sandbox,
                 // Fix #1395 Bug 2: Workers fail inside active Claude Code session.
@@ -831,23 +973,36 @@ Analyze the above codebase context and provide your response following the forma
             // Set model
             // Resolve model: user env override > config override > default alias
             env.ANTHROPIC_MODEL = process.env.ANTHROPIC_MODEL || MODEL_IDS[options.model];
-            // Spawn claude CLI process
-            const child = spawn('claude', ['--print', prompt], {
+            // Spawn claude CLI process — `--` terminates option parsing so prompt can't smuggle flags
+            const child = spawn('claude', ['--print', '--', prompt], {
                 cwd: this.projectRoot,
                 env,
                 stdio: ['ignore', 'pipe', 'pipe'], // 'ignore' closes stdin at spawn — fixes #1395 where claude --print blocks on EOF
                 windowsHide: true, // Prevent phantom console windows on Windows
             });
-            // Setup timeout
+            // Setup timeout — track real exit via 'exit' listener.
+            // child.killed is set by Node when .kill() is called (signal sent), NOT
+            // when the OS process exited. Without an explicit `exited` flag the
+            // SIGKILL fallback never fires for a process that ignores SIGTERM, and
+            // the slot leaks indefinitely.
+            let sigkillTimer;
+            let childExited = false;
+            child.once('exit', () => { childExited = true; });
             const timeoutHandle = setTimeout(() => {
                 if (this.processPool.has(options.executionId)) {
-                    child.kill('SIGTERM');
-                    // Give it a moment to terminate gracefully
-                    setTimeout(() => {
-                        if (!child.killed) {
+                    try {
+                        child.kill('SIGTERM');
+                    }
+                    catch { /* may already be dead */ }
+                    sigkillTimer = setTimeout(() => {
+                        if (childExited)
+                            return;
+                        try {
                             child.kill('SIGKILL');
                         }
+                        catch { /* already dead */ }
                     }, 5000);
+                    sigkillTimer.unref();
                 }
             }, options.timeoutMs);
             // Track in process pool
@@ -864,6 +1019,7 @@ Analyze the above codebase context and provide your response following the forma
             let resolved = false;
             const cleanup = () => {
                 clearTimeout(timeoutHandle);
+                clearTimeout(sigkillTimer);
                 this.processPool.delete(options.executionId);
             };
             child.stdout?.on('data', (data) => {
@@ -906,21 +1062,6 @@ Analyze the above codebase context and provide your response following the forma
                     error: error.message,
                 });
             });
-            // Handle timeout
-            setTimeout(() => {
-                if (resolved)
-                    return;
-                if (!this.processPool.has(options.executionId))
-                    return;
-                resolved = true;
-                child.kill('SIGTERM');
-                cleanup();
-                resolve({
-                    success: false,
-                    output: stdout || stderr,
-                    error: `Execution timed out after ${options.timeoutMs}ms`,
-                });
-            }, options.timeoutMs + 100); // Slightly after the kill timeout
         });
     }
     /**
@@ -1012,7 +1153,9 @@ Analyze the above codebase context and provide your response following the forma
             const timestamp = new Date().toISOString();
             const logFile = join(this.config.logDir, `${executionId}_${type}.log`);
             const logContent = `[${timestamp}] ${type.toUpperCase()}\n${'='.repeat(60)}\n${content}\n`;
-            writeFileSync(logFile, logContent);
+            const tmpLog = logFile + '.tmp';
+            writeFileSync(tmpLog, logContent);
+            renameSync(tmpLog, logFile);
         }
         catch {
             // Ignore log write errors

package/packages/@monomind/cli/dist/src/services/registry-api.js

@@ -9,12 +9,65 @@
  * - Input validation
  */
 const REGISTRY_API_URL = 'https://us-central1-monomind.cloudfunctions.net/publish-registry';
+/**
+ * Read a fetch response body with a hard byte cap. AbortSignal.timeout bounds
+ * time, NOT bytes — a hijacked endpoint or MITM (TLS without pinning) can
+ * stream a multi-GB body that the CLI buffers into memory and OOMs. Cap the
+ * read here so all downstream JSON.parse / .text() calls are bounded.
+ */
+async function readBoundedText(response, maxBytes) {
+    const lenHdr = response.headers.get('content-length');
+    if (lenHdr) {
+        const declared = parseInt(lenHdr, 10);
+        if (Number.isFinite(declared) && declared > maxBytes) {
+            throw new Error(`Response too large: ${declared} bytes (max ${maxBytes})`);
+        }
+    }
+    if (!response.body)
+        return '';
+    const reader = response.body.getReader();
+    const chunks = [];
+    let total = 0;
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        if (value) {
+            total += value.byteLength;
+            if (total > maxBytes) {
+                await reader.cancel();
+                throw new Error(`Response too large: exceeded ${maxBytes} bytes`);
+            }
+            chunks.push(value);
+        }
+    }
+    const buf = new Uint8Array(total);
+    let off = 0;
+    for (const c of chunks) {
+        buf.set(c, off);
+        off += c.byteLength;
+    }
+    return new TextDecoder('utf-8').decode(buf);
+}
+async function readBoundedJson(response, maxBytes = 1_048_576) {
+    const text = await readBoundedText(response, maxBytes);
+    return JSON.parse(text);
+}
+/**
+ * Strip control chars and cap length on attacker-controlled error body before
+ * inlining into a thrown Error.message. Without this, a malicious or
+ * compromised endpoint can deliver multi-MB error bodies that flow into log
+ * aggregators via unhandled-rejection traces.
+ */
+function safeErrText(s) {
+    return s.replace(/[\x00-\x1f\x7f]/g, '?').slice(0, 512);
+}
 /**
  * Validate item ID to prevent injection
  */
 function validateItemId(itemId) {
-    // Only allow alphanumeric, @, /, -, _
-    return /^[@a-zA-Z0-9\/_-]+$/.test(itemId) && itemId.length < 100;
+    // Scoped packages (@scope/name) or plain identifiers — no other slashes allowed
+    return /^(@[a-zA-Z0-9][a-zA-Z0-9_-]*\/[a-zA-Z0-9][a-zA-Z0-9_-]*|[a-zA-Z0-9][a-zA-Z0-9_-]*)$/.test(itemId) && itemId.length < 100;
 }
 /**
  * Validate rating value
@@ -44,10 +97,10 @@ export async function rateItem(itemId, rating, itemType = 'plugin', userId) {
         signal: AbortSignal.timeout(10000),
     });
     if (!response.ok) {
-        const error = await response.text();
-        throw new Error(`Rating failed: ${error}`);
+        const error = await readBoundedText(response, 64 * 1024).catch(() => 'unreadable');
+        throw new Error(`Rating failed: ${safeErrText(error)}`);
     }
-    return response.json();
+    return readBoundedJson(response);
 }
 /**
  * Get ratings for a single item
@@ -67,7 +120,7 @@ export async function getRating(itemId, itemType = 'plugin') {
     if (!response.ok) {
         throw new Error('Failed to get ratings');
     }
-    return response.json();
+    return readBoundedJson(response);
 }
 /**
  * Get ratings for multiple items (batch)
@@ -93,7 +146,7 @@ export async function getBulkRatings(itemIds, itemType = 'plugin') {
     if (!response.ok) {
         throw new Error('Failed to get bulk ratings');
     }
-    return response.json();
+    return readBoundedJson(response, 4 * 1024 * 1024);
 }
 /**
  * Get analytics data
@@ -105,7 +158,7 @@ export async function getAnalytics() {
     if (!response.ok) {
         throw new Error('Failed to get analytics');
     }
-    return response.json();
+    return readBoundedJson(response);
 }
 /**
  * Track a download event
@@ -134,7 +187,7 @@ export async function checkHealth() {
         const response = await fetch(`${REGISTRY_API_URL}?action=status`, {
             signal: AbortSignal.timeout(5000),
         });
-        return response.json();
+        return readBoundedJson(response, 64 * 1024);
     }
     catch (error) {
         return {