mstro-app 0.3.7 → 0.3.8

package/dist/server/mcp/bouncer-sandbox.d.ts

@@ -0,0 +1,60 @@
+export interface SandboxExecResult {
+    /** The sandboxed command that was actually run */
+    wrappedCommand: string;
+    /** Whether sandbox-runtime is available on this platform */
+    sandboxAvailable: boolean;
+    /** Whether the sandbox contained the operation (no violations) */
+    contained: boolean;
+    /** List of violation descriptions if any escaped the sandbox */
+    violations: string[];
+}
+export interface CanaryCheckResult {
+    /** Whether the canary file still exists (should be true if sandbox contained the write) */
+    canaryIntact: boolean;
+    /** Whether a file was written outside the sandbox (should be false) */
+    escapeDetected: boolean;
+}
+/**
+ * Test harness that wraps command execution in sandbox-runtime.
+ * Provides canary files and violation tracking to verify containment.
+ */
+export declare class BouncerSandboxHarness {
+    private sandboxManager;
+    private sandboxAvailable;
+    private tempDir;
+    private canaryDir;
+    constructor();
+    /**
+     * Initialize the sandbox. Falls back gracefully if bwrap/sandbox-exec not available.
+     */
+    initialize(): Promise<{
+        available: boolean;
+        reason?: string;
+    }>;
+    /**
+     * Execute a command inside the sandbox. Returns containment results.
+     * If sandbox is not available, validates the bouncer decision only (no actual execution).
+     */
+    executeInSandbox(command: string): Promise<SandboxExecResult>;
+    /**
+     * Place a canary file and return a checker to verify containment.
+     * If a sandboxed command can delete or modify the canary, containment failed.
+     */
+    placeCanary(name: string): {
+        path: string;
+        check: () => CanaryCheckResult;
+    };
+    /**
+     * Get the temp directory where sandboxed commands can write.
+     */
+    getSandboxWriteDir(): string;
+    /**
+     * Whether the sandbox is actually available and initialized.
+     */
+    isAvailable(): boolean;
+    /**
+     * Clean up temp dirs and reset sandbox state.
+     */
+    cleanup(): Promise<void>;
+}
+//# sourceMappingURL=bouncer-sandbox.d.ts.map

package/dist/server/mcp/bouncer-sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bouncer-sandbox.d.ts","sourceRoot":"","sources":["../../../server/mcp/bouncer-sandbox.ts"],"names":[],"mappings":"AAuBA,MAAM,WAAW,iBAAiB;IAChC,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;IACvB,4DAA4D;IAC5D,gBAAgB,EAAE,OAAO,CAAC;IAC1B,kEAAkE;IAClE,SAAS,EAAE,OAAO,CAAC;IACnB,gEAAgE;IAChE,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,2FAA2F;IAC3F,YAAY,EAAE,OAAO,CAAC;IACtB,uEAAuE;IACvE,cAAc,EAAE,OAAO,CAAC;CACzB;AAED;;;GAGG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,cAAc,CAA0F;IAChH,OAAO,CAAC,gBAAgB,CAAS;IACjC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,SAAS,CAAS;;IAQ1B;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAiDpE;;;OAGG;IACG,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAmDnE;;;OAGG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,iBAAiB,CAAA;KAAE;IAc3E;;OAEG;IACH,kBAAkB,IAAI,MAAM;IAI5B;;OAEG;IACH,WAAW,IAAI,OAAO;IAItB;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAc/B"}

package/dist/server/mcp/bouncer-sandbox.js

@@ -0,0 +1,182 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+/**
+ * Sandbox Harness for Bouncer Testing
+ *
+ * Wraps command execution in Anthropic's sandbox-runtime (bubblewrap on Linux,
+ * sandbox-exec on macOS) to safely test what happens when the bouncer FAILS —
+ * i.e., when a malicious tool call gets through.
+ *
+ * Usage in tests:
+ *   const harness = new BouncerSandboxHarness();
+ *   await harness.initialize();
+ *   const result = await harness.executeInSandbox('rm -rf /tmp/test-canary');
+ *   expect(result.violations).toContain(...)
+ *   await harness.cleanup();
+ */
+import { execSync } from 'node:child_process';
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+/**
+ * Test harness that wraps command execution in sandbox-runtime.
+ * Provides canary files and violation tracking to verify containment.
+ */
+export class BouncerSandboxHarness {
+    sandboxManager = null;
+    sandboxAvailable = false;
+    tempDir;
+    canaryDir;
+    constructor() {
+        this.tempDir = mkdtempSync(join(tmpdir(), 'bouncer-sandbox-'));
+        this.canaryDir = join(this.tempDir, 'canaries');
+        mkdirSync(this.canaryDir, { recursive: true });
+    }
+    /**
+     * Initialize the sandbox. Falls back gracefully if bwrap/sandbox-exec not available.
+     */
+    async initialize() {
+        try {
+            const { SandboxManager } = await import('@anthropic-ai/sandbox-runtime');
+            if (!SandboxManager.isSupportedPlatform()) {
+                return { available: false, reason: 'Platform not supported by sandbox-runtime' };
+            }
+            const deps = SandboxManager.checkDependencies();
+            if (deps.errors.length > 0) {
+                return {
+                    available: false,
+                    reason: `Missing dependencies: ${deps.errors.join(', ')}`,
+                };
+            }
+            await SandboxManager.initialize({
+                network: {
+                    allowedDomains: [], // Block ALL network access
+                    deniedDomains: ['*'],
+                },
+                filesystem: {
+                    denyRead: [
+                        '/home/*/.ssh',
+                        '/home/*/.aws',
+                        '/home/*/.gnupg',
+                        '/etc/shadow',
+                        '/etc/passwd',
+                    ],
+                    allowWrite: [this.tempDir], // Only allow writes to our temp dir
+                    denyWrite: [
+                        '/',
+                        '/home',
+                        '/etc',
+                        '/usr',
+                        '/var',
+                    ],
+                },
+            });
+            this.sandboxManager = SandboxManager;
+            this.sandboxAvailable = true;
+            return { available: true };
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            return { available: false, reason: `Failed to initialize sandbox: ${msg}` };
+        }
+    }
+    /**
+     * Execute a command inside the sandbox. Returns containment results.
+     * If sandbox is not available, validates the bouncer decision only (no actual execution).
+     */
+    async executeInSandbox(command) {
+        if (!this.sandboxAvailable || !this.sandboxManager) {
+            return {
+                wrappedCommand: command,
+                sandboxAvailable: false,
+                contained: true,
+                violations: ['Sandbox not available — decision-only testing mode'],
+            };
+        }
+        const violations = [];
+        try {
+            const wrappedCommand = await this.sandboxManager.wrapWithSandbox(command);
+            // Execute the wrapped command and capture violations
+            try {
+                execSync(wrappedCommand, {
+                    timeout: 5000,
+                    stdio: 'pipe',
+                    cwd: this.tempDir,
+                });
+            }
+            catch {
+                // Command failure inside sandbox is expected for malicious ops
+            }
+            // Check violation store
+            const stderr = this.sandboxManager.annotateStderrWithSandboxFailures(command, '');
+            if (stderr) {
+                violations.push(stderr);
+            }
+            this.sandboxManager.cleanupAfterCommand();
+            return {
+                wrappedCommand,
+                sandboxAvailable: true,
+                contained: violations.length === 0,
+                violations,
+            };
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            violations.push(`Sandbox execution error: ${msg}`);
+            return {
+                wrappedCommand: command,
+                sandboxAvailable: true,
+                contained: true, // Error means the command didn't execute
+                violations,
+            };
+        }
+    }
+    /**
+     * Place a canary file and return a checker to verify containment.
+     * If a sandboxed command can delete or modify the canary, containment failed.
+     */
+    placeCanary(name) {
+        const canaryPath = join(this.canaryDir, name);
+        const escapePath = join(this.canaryDir, `${name}.escaped`);
+        writeFileSync(canaryPath, `canary-${Date.now()}`, 'utf-8');
+        return {
+            path: canaryPath,
+            check: () => ({
+                canaryIntact: existsSync(canaryPath),
+                escapeDetected: existsSync(escapePath),
+            }),
+        };
+    }
+    /**
+     * Get the temp directory where sandboxed commands can write.
+     */
+    getSandboxWriteDir() {
+        return this.tempDir;
+    }
+    /**
+     * Whether the sandbox is actually available and initialized.
+     */
+    isAvailable() {
+        return this.sandboxAvailable;
+    }
+    /**
+     * Clean up temp dirs and reset sandbox state.
+     */
+    async cleanup() {
+        try {
+            if (this.sandboxManager) {
+                await this.sandboxManager.reset();
+            }
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+        try {
+            rmSync(this.tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+}
+//# sourceMappingURL=bouncer-sandbox.js.map

package/dist/server/mcp/bouncer-sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bouncer-sandbox.js","sourceRoot":"","sources":["../../../server/mcp/bouncer-sandbox.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACpF,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAoBjC;;;GAGG;AACH,MAAM,OAAO,qBAAqB;IACxB,cAAc,GAAqF,IAAI,CAAC;IACxG,gBAAgB,GAAG,KAAK,CAAC;IACzB,OAAO,CAAS;IAChB,SAAS,CAAS;IAE1B;QACE,IAAI,CAAC,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;QAC/D,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAChD,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,CAAC;YACH,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,+BAA+B,CAAC,CAAC;YAEzE,IAAI,CAAC,cAAc,CAAC,mBAAmB,EAAE,EAAE,CAAC;gBAC1C,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,2CAA2C,EAAE,CAAC;YACnF,CAAC;YAED,MAAM,IAAI,GAAG,cAAc,CAAC,iBAAiB,EAAE,CAAC;YAChD,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3B,OAAO;oBACL,SAAS,EAAE,KAAK;oBAChB,MAAM,EAAE,yBAAyB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBAC1D,CAAC;YACJ,CAAC;YAED,MAAM,cAAc,CAAC,UAAU,CAAC;gBAC9B,OAAO,EAAE;oBACP,cAAc,EAAE,EAAE,EAAE,2BAA2B;oBAC/C,aAAa,EAAE,CAAC,GAAG,CAAC;iBACrB;gBACD,UAAU,EAAE;oBACV,QAAQ,EAAE;wBACR,cAAc;wBACd,cAAc;wBACd,gBAAgB;wBAChB,aAAa;wBACb,aAAa;qBACd;oBACD,UAAU,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,oCAAoC;oBAChE,SAAS,EAAE;wBACT,GAAG;wBACH,OAAO;wBACP,MAAM;wBACN,MAAM;wBACN,MAAM;qBACP;iBACF;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;YACrC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAC7B,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC7B,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,iCAAiC,GAAG,EAAE,EAAE,CAAC;QAC9E,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,gBAAgB,CAAC,OAAe;QACpC,IAAI,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACnD,OAAO;gBACL,cAAc,EAAE,OAAO;gBACvB,gBAAgB,EAAE,KAAK;gBACvB,SAAS,EAAE,IAAI;gBACf,UAAU,EAAE,CAAC,oDAAoD,CAAC;aACnE,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;YAE1E,qDAAqD;YACrD,IAAI,CAAC;gBACH,QAAQ,CAAC,cAAc,EAAE;oBACvB,OAAO,EAAE,IAAI;oBACb,KAAK,EAAE,MAAM;oBACb,GAAG,EAAE,IAAI,CAAC,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,+DAA+D;YACjE,CAAC;YAED,wBAAwB;YACxB,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,iCAAiC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAClF,IAAI,MAAM,EAAE,CAAC;gBACX,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC1B,CAAC;YAED,IAAI,CAAC,cAAc,CAAC,mBAAmB,EAAE,CAAC;YAE1C,OAAO;gBACL,cAAc;gBACd,gBAAgB,EAAE,IAAI;gBACtB,SAAS,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC;gBAClC,UAAU;aACX,CAAC;QACJ,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,UAAU,CAAC,IAAI,CAAC,4BAA4B,GAAG,EAAE,CAAC,CAAC;YACnD,OAAO;gBACL,cAAc,EAAE,OAAO;gBACvB,gBAAgB,EAAE,IAAI;gBACtB,SAAS,EAAE,IAAI,EAAE,yCAAyC;gBAC1D,UAAU;aACX,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,IAAY;QACtB,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,IAAI,UAAU,CAAC,CAAC;QAC3D,aAAa,CAAC,UAAU,EAAE,UAAU,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;QAE3D,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBACZ,YAAY,EAAE,UAAU,CAAC,UAAU,CAAC;gBACpC,cAAc,EAAE,UAAU,CAAC,UAAU,CAAC;aACvC,CAAC;SACH,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;YACpC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;QACD,IAAI,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;CACF"}

package/dist/server/mcp/security-patterns.d.ts

@@ -1,15 +1,3 @@
-/**
- * Security Patterns - Single Source of Truth
- *
- * Consolidated pattern definitions for fast-path security checks.
- * All pattern-based security decisions use this module to avoid duplication.
- *
- * PHILOSOPHY:
- * - Most operations should be evaluated by CONTEXT, not by path or extension
- * - Only truly catastrophic operations (rm -rf /, fork bombs) are auto-denied
- * - Sensitive operations (system paths, credentials) get AI review with context
- * - The question is: "Does this operation make sense given user intent?"
- */
 export interface SecurityPattern {
     pattern: RegExp;
     reason?: string;
@@ -50,6 +38,12 @@ export declare const NEEDS_AI_REVIEW: SecurityPattern[];
  * Check if operation matches any pattern in array
  */
 export declare function matchesPattern(operation: string, patterns: SecurityPattern[]): SecurityPattern | null;
+/**
+ * Normalize file paths in Write/Edit/Read operations to resolve .. traversal.
+ * Prevents path traversal attacks like "Write: /home/user/../../etc/passwd"
+ * from matching safe home-directory patterns.
+ */
+export declare function normalizeOperation(operation: string): string;
 export declare function requiresAIReview(operation: string): boolean;
 /**
  * Check if operation targets a sensitive path

package/dist/server/mcp/security-patterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-patterns.d.ts","sourceRoot":"","sources":["../../../server/mcp/security-patterns.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;GAWG;AAEH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAiB5C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,EAAE,eAAe,EAiC7C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAoC5C,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAyB5C,CAAC;AAEF;;GAEG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,GAAG,eAAe,GAAG,IAAI,CAOrG;AAoBD,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAe3D;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAEzE;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG;IAC/C,aAAa,EAAE,OAAO,CAAC;IACvB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IAClD,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CA2DA"}
+{"version":3,"file":"security-patterns.d.ts","sourceRoot":"","sources":["../../../server/mcp/security-patterns.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAiB5C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,EAAE,eAAe,EA0C7C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAoC5C,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAqH5C,CAAC;AAEF;;GAEG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,GAAG,eAAe,GAAG,IAAI,CAOrG;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAQ5D;AAgED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CA8C3D;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAEzE;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG;IAC/C,aAAa,EAAE,OAAO,CAAC;IACvB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IAClD,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CA8DA"}

package/dist/server/mcp/security-patterns.js

@@ -1,5 +1,18 @@
 // Copyright (c) 2025-present Mstro, Inc. All rights reserved.
 // Licensed under the MIT License. See LICENSE file for details.
+/**
+ * Security Patterns - Single Source of Truth
+ *
+ * Consolidated pattern definitions for fast-path security checks.
+ * All pattern-based security decisions use this module to avoid duplication.
+ *
+ * PHILOSOPHY:
+ * - Most operations should be evaluated by CONTEXT, not by path or extension
+ * - Only truly catastrophic operations (rm -rf /, fork bombs) are auto-denied
+ * - Sensitive operations (system paths, credentials) get AI review with context
+ * - The question is: "Does this operation make sense given user intent?"
+ */
+import { resolve } from 'node:path';
 /**
  * Sensitive paths that require AI context review
  * These aren't auto-denied - they need context analysis to determine intent
@@ -61,7 +74,16 @@ export const CRITICAL_THREATS = [
     {
         pattern: /chmod\s+000\s+\//i,
         reason: 'Attempting to make system directories inaccessible'
-    }
+    },
+    // Reverse shells - never legitimate in a dev workflow
+    {
+        pattern: /\/dev\/tcp\//i,
+        reason: 'Reverse shell via /dev/tcp - classic backdoor technique'
+    },
+    {
+        pattern: /\bnc\b.*-[elp].*\b\d+\b/i,
+        reason: 'Netcat listener/reverse shell - common backdoor technique'
+    },
     // NOTE: curl|bash is NOT here - it goes to Haiku for context review
     // The question is "did a bad actor inject this?" not "is curl|bash dangerous?"
 ];
@@ -126,12 +148,96 @@ export const NEEDS_AI_REVIEW = [
         pattern: /rm\s+-rf/i,
         reason: 'Recursive deletion - verify target matches user intent'
     },
+    // Data exfiltration patterns — piping data to network tools
+    {
+        pattern: /\|\s*(nc|netcat|ncat)\b/i,
+        reason: 'Pipe to netcat - potential data exfiltration'
+    },
+    {
+        pattern: /\bscp\b.*@/i,
+        reason: 'SCP to remote host - potential data exfiltration'
+    },
+    {
+        pattern: /\|\s*curl\b/i,
+        reason: 'Pipe to curl - potential data exfiltration'
+    },
+    {
+        pattern: /curl\b.*-d\s*@/i,
+        reason: 'Curl with file upload - potential data exfiltration'
+    },
     // ALL Write/Edit operations that aren't to /tmp go through context review
     // This is the key change: we review based on context, not blanket allow/deny
     {
         pattern: /^(Write|Edit):\s*(?!\/tmp\/|\/var\/tmp\/)/i,
         reason: 'File modification - verify aligns with user request'
     },
+    // Reverse shells and bind shells — network-connected interactive shells
+    {
+        pattern: /\/dev\/tcp\//i,
+        reason: 'Potential reverse shell via /dev/tcp'
+    },
+    {
+        pattern: /\b(nc|netcat|ncat)\b.*-e\s/i,
+        reason: 'Netcat with -e flag - potential reverse shell'
+    },
+    {
+        pattern: /\bsocket\b.*\bconnect\b.*\b(dup2|subprocess|exec)\b/i,
+        reason: 'Programmatic reverse shell pattern (socket+connect+exec)'
+    },
+    {
+        pattern: /\bperl\b.*\bsocket\b.*\bexec\b/i,
+        reason: 'Perl reverse shell pattern'
+    },
+    // Encoded/obfuscated payloads piped to shell or eval
+    {
+        pattern: /\b(base64|base32)\b.*-d.*\|\s*(bash|sh)\b/i,
+        reason: 'Decoded payload piped to shell - obfuscated command execution'
+    },
+    {
+        pattern: /\\x[0-9a-f]{2}.*\|\s*(bash|sh)\b/i,
+        reason: 'Hex-encoded payload piped to shell'
+    },
+    {
+        pattern: /\bexec\b.*\b(base64|b64decode)\b/i,
+        reason: 'Exec with base64 decoding - obfuscated code execution'
+    },
+    {
+        pattern: /\bprintf\b.*\\x[0-9a-f].*\|\s*(bash|sh)\b/i,
+        reason: 'Printf hex payload piped to shell'
+    },
+    // Cloud metadata / SSRF — accessing cloud instance credentials
+    {
+        pattern: /169\.254\.169\.254/i,
+        reason: 'AWS/Azure IMDS access - potential credential theft'
+    },
+    {
+        pattern: /metadata\.google\.internal/i,
+        reason: 'GCP metadata access - potential credential theft'
+    },
+    // Persistence — writing to shell profiles, cron, authorized_keys via echo/append
+    {
+        pattern: />>\s*~?\/?.*\/(authorized_keys|\.bashrc|\.bash_profile|\.zshrc|\.profile)/i,
+        reason: 'Appending to sensitive file - potential persistence mechanism'
+    },
+    {
+        pattern: /\bld\.so\.preload\b/i,
+        reason: 'LD_PRELOAD injection - shared library hijacking'
+    },
+    // wget with file upload
+    {
+        pattern: /wget\b.*--post-file/i,
+        reason: 'wget file upload - potential data exfiltration'
+    },
+    // pip install from custom index (supply chain attack)
+    {
+        pattern: /pip\b.*--index-url\s+https?:\/\/(?!pypi\.org)/i,
+        reason: 'pip install from non-PyPI index - potential supply chain attack'
+    },
+    // MCP server manipulation
+    {
+        pattern: /\bclaude\b.*\bmcp\b.*\badd\b/i,
+        reason: 'Adding MCP server - verify source is trusted'
+    },
 ];
 /**
  * Check if operation matches any pattern in array
@@ -144,11 +250,64 @@ export function matchesPattern(operation, patterns) {
     }
     return null;
 }
+/**
+ * Normalize file paths in Write/Edit/Read operations to resolve .. traversal.
+ * Prevents path traversal attacks like "Write: /home/user/../../etc/passwd"
+ * from matching safe home-directory patterns.
+ */
+export function normalizeOperation(operation) {
+    const match = operation.match(/^(Write|Edit|Read):\s*(\S+)/i);
+    if (match?.[2].includes('..')) {
+        const [, tool, rawPath] = match;
+        const normalizedPath = resolve(rawPath);
+        return `${tool}: ${normalizedPath}`;
+    }
+    return operation;
+}
+/** Check if a Bash command contains chain operators that could hide dangerous ops after a safe prefix. */
+function containsChainOperators(operation) {
+    const commandPart = operation.replace(/^Bash:\s*/i, '');
+    return /;|&&|\|\||\n/.test(commandPart);
+}
+/** Check if a Bash command pipes output to known exfiltration/network tools or shells. */
+function containsDangerousPipe(operation) {
+    const commandPart = operation.replace(/^Bash:\s*/i, '');
+    return /\|\s*(nc|netcat|ncat|curl|wget|scp|bash|sh)\b/i.test(commandPart);
+}
+/** Check if a Bash command redirects output to sensitive paths (append or overwrite). */
+function containsSensitiveRedirect(operation) {
+    const commandPart = operation.replace(/^Bash:\s*/i, '');
+    return />>?\s*~?\/?.*\/(authorized_keys|\.bashrc|\.bash_profile|\.zshrc|\.profile|\.ssh\/|\.aws\/|\.gnupg\/|ld\.so\.preload|crontab|sudoers)/i.test(commandPart)
+        || />>?\s*\/etc\//i.test(commandPart);
+}
+/** Check if a Bash command contains subshell or backtick expansion (not simple ${VAR}). */
+function containsBashExpansion(operation) {
+    const commandPart = operation.replace(/^Bash:\s*/i, '');
+    return /`[^`]+`/.test(commandPart) || /\$\([^)]+\)/.test(commandPart);
+}
+/** Check if a Bash command contains any form of shell expansion: ${VAR}, $(...), or backticks. */
+function containsAnyExpansion(operation) {
+    const cmd = operation.replace(/^Bash:\s*/i, '');
+    return /\$\{[^}]+\}/.test(cmd) || /\$\([^)]+\)/.test(cmd) || /`[^`]+`/.test(cmd);
+}
+/** Check if expansion is safely used as an argument to a known-safe command prefix.
+ *  e.g., "echo ${HOME}" or "cat ${FILE}" — the expansion can't change the command itself. */
+function isSafeExpansionUse(operation) {
+    const cmd = operation.replace(/^Bash:\s*/i, '').trim();
+    // If the expansion IS the command (first token), it's never safe
+    if (/^(\$\{|\$\(|`)/.test(cmd))
+        return false;
+    // Safe command prefixes where expansion as an argument is harmless
+    const safePrefix = /^(echo|printf|cat|ls|pwd|whoami|date|env|printenv|test|true|false)\s/i;
+    return safePrefix.test(cmd);
+}
 /**
  * Determine if operation requires AI context review
  *
  * The philosophy here is:
- * - SAFE_OPERATIONS: No review needed (read-only, temp files, build artifact cleanup)
+ * - SENSITIVE_PATHS: Always require review (credentials, system configs)
+ * - SAFE_OPERATIONS: No review needed, UNLESS the bash command contains
+ *   chain operators, dangerous pipes, or subshell/backtick expansion
  * - CRITICAL_THREATS: Auto-deny, no review (catastrophic operations)
  * - Everything else: AI reviews context to determine if it matches user intent
  */
@@ -162,18 +321,43 @@ const SAFE_RM_PATTERNS = [
     /rm\s+-rf\s+(\.\/)?__pycache__($|\s)/i,
 ];
 export function requiresAIReview(operation) {
-    if (matchesPattern(operation, SAFE_OPERATIONS))
+    // Normalize paths to prevent .. traversal bypass
+    const op = normalizeOperation(operation);
+    // Check sensitive paths BEFORE safe operations — prevents home-dir
+    // safe pattern from masking .ssh, .aws, .bashrc, etc.
+    if (matchesPattern(op, SENSITIVE_PATHS))
+        return true;
+    // Bash commands with any shell expansion (${VAR}, $(...), backticks) are
+    // opaque — the bouncer can't predict what they expand to at runtime.
+    // Route to AI review BEFORE checking CRITICAL_THREATS or SAFE_OPERATIONS,
+    // UNLESS the command is clearly safe (expansion is just an argument to a
+    // known-safe prefix like "echo ${HOME}").
+    if (/^Bash:/i.test(op) && containsAnyExpansion(op) && !isSafeExpansionUse(op)) {
+        return true;
+    }
+    if (matchesPattern(op, SAFE_OPERATIONS)) {
+        // Safe bash commands must not contain chain operators, dangerous pipes,
+        // or subshell/backtick expansion that could hide dangerous operations.
+        // A safe prefix (e.g., "git clone") with chain operators (&&, ;, ||)
+        // means the full command isn't necessarily safe — route to AI review.
+        if (/^Bash:/i.test(op) && (containsChainOperators(op) ||
+            containsDangerousPipe(op) ||
+            containsBashExpansion(op) ||
+            containsSensitiveRedirect(op))) {
+            return true;
+        }
         return false;
-    if (matchesPattern(operation, CRITICAL_THREATS))
+    }
+    if (matchesPattern(op, CRITICAL_THREATS))
         return false;
-    if (matchesPattern(operation, NEEDS_AI_REVIEW)) {
-        return !SAFE_RM_PATTERNS.some(p => p.test(operation));
+    if (matchesPattern(op, NEEDS_AI_REVIEW)) {
+        return !SAFE_RM_PATTERNS.some(p => p.test(op));
     }
-    // Variable expansion and glob patterns are only concerning in Bash commands
-    if (/^Bash:/.test(operation)) {
-        if (/\$\{.*\}|\$\(.*\)/.test(operation) || /\*\*?/.test(operation))
+    // Glob patterns and script execution are concerning in Bash commands
+    if (/^Bash:/.test(op)) {
+        if (/\*\*?/.test(op))
             return true;
-        if (/^Bash:\s*\.\//.test(operation))
+        if (/^Bash:\s*\.\//.test(op))
             return true;
     }
     return false;
@@ -220,6 +404,9 @@ export function classifyRisk(operation) {
         { pattern: /chmod\s+777/i, reason: 'Dangerous permissions' },
         { pattern: /(curl|wget).*\|.*(bash|sh)/i, reason: 'Remote code execution' },
         { pattern: /pkill|killall/i, reason: 'Process termination' },
+        { pattern: /\|\s*(nc|netcat|ncat)\b/i, reason: 'Data exfiltration via netcat' },
+        { pattern: /\bscp\b.*@/i, reason: 'Data exfiltration via SCP' },
+        { pattern: /curl\b.*-d\s*@/i, reason: 'Data exfiltration via curl file upload' },
     ];
     for (const pattern of elevatedPatterns) {
         if (pattern.pattern.test(operation)) {

package/dist/server/mcp/security-patterns.js.map

@@ -1 +1 @@
-{"version":3,"file":"security-patterns.js","sourceRoot":"","sources":["../../../server/mcp/security-patterns.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAoBhE;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,qFAAqF;IACrF,EAAE,OAAO,EAAE,2BAA2B,EAAE,MAAM,EAAE,2CAA2C,EAAE;IAC7F,EAAE,OAAO,EAAE,qDAAqD,EAAE,MAAM,EAAE,sCAAsC,EAAE;IAClH,EAAE,OAAO,EAAE,4BAA4B,EAAE,MAAM,EAAE,qCAAqC,EAAE;IACxF,EAAE,OAAO,EAAE,4BAA4B,EAAE,MAAM,EAAE,gCAAgC,EAAE;IACnF,EAAE,OAAO,EAAE,8BAA8B,EAAE,MAAM,EAAE,mCAAmC,EAAE;IACxF,EAAE,OAAO,EAAE,6DAA6D,EAAE,MAAM,EAAE,4CAA4C,EAAE;IAEhI,uEAAuE;IACvE,EAAE,OAAO,EAAE,+BAA+B,EAAE,MAAM,EAAE,wCAAwC,EAAE;IAC9F,EAAE,OAAO,EAAE,iCAAiC,EAAE,MAAM,EAAE,+BAA+B,EAAE;IACvF,EAAE,OAAO,EAAE,mDAAmD,EAAE,MAAM,EAAE,sCAAsC,EAAE;IAChH,EAAE,OAAO,EAAE,+DAA+D,EAAE,MAAM,EAAE,0CAA0C,EAAE;IAEhI,kEAAkE;IAClE,EAAE,OAAO,EAAE,+EAA+E,EAAE,MAAM,EAAE,oCAAoC,EAAE;CAC3I,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAsB;IACjD,+DAA+D;IAC/D,qEAAqE;IACrE;QACE,OAAO,EAAE,0BAA0B;QACnC,MAAM,EAAE,wEAAwE;KACjF;IACD;QACE,OAAO,EAAE,4BAA4B;QACrC,MAAM,EAAE,6DAA6D;KACtE;IACD;QACE,OAAO,EAAE,qCAAqC;QAC9C,MAAM,EAAE,0DAA0D;KACnE;IACD;QACE,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,0DAA0D;KACnE;IACD;QACE,OAAO,EAAE,yBAAyB;QAClC,MAAM,EAAE,iEAAiE;KAC1E;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,MAAM,EAAE,wDAAwD;KACjE;IACD;QACE,OAAO,EAAE,mBAAmB;QAC5B,MAAM,EAAE,oDAAoD;KAC7D;IACD,oEAAoE;IACpE,+EAA+E;CAChF,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,oDAAoD;IACpD,EAAE,OAAO,EAAE,SAAS,EAAE;IACtB,EAAE,OAAO,EAAE,SAAS,EAAE;IACtB,EAAE,OAAO,EAAE,SAAS,EAAE;IAEtB,iFAAiF;IACjF,gEAAgE;IAChE,EAAE,OAAO,EAAE,6BAA6B,EAAE,EAAG,0BAA0B;IACvE,EAAE,OAAO,EAAE,4BAA4B,EAAE,EAAI,yBAAyB;IACtE,EAAE,OAAO,EAAE,4BAA4B,EAAE,EAAI,0BAA0B;IACvE,EAAE,OAAO,EAAE,2BAA2B,EAAE,EAAK,yBAAyB;IAEtE,oDAAoD;IACpD,qEAAqE;IACrE,EAAE,OAAO,EAAE,yFAAyF,EAAE;IACtG,EAAE,OAAO,EAAE,yFAAyF,EAAE;IACtG,EAAE,OAAO,EAAE,6DAA6D,EAAE;IAC1E,EAAE,OAAO,EAAE,mFAAmF,EAAE;IAChG,EAAE,OAAO,EAAE,uFAAuF,EAAE;IAEpG,+DAA+D;IAC/D,EAAE,OAAO,EAAE,gDAAgD,EAAE;IAC7D,EAAE,OAAO,EAAE,wCAAwC,EAAE;IACrD,EAAE,OAAO,EAAE,yCAAyC,EAAE;IACtD,EAAE,OAAO,EAAE,2CAA2C,EAAE;IACxD,EAAE,OAAO,EAAE,0CAA0C,EAAE;IACvD,EAAE,OAAO,EAAE,0CAA0C,EAAE;IACvD,EAAE,OAAO,EAAE,+CAA+C,EAAE;IAE5D,uDAAuD;IACvD,EAAE,OAAO,EAAE,2BAA2B,EAAE;IACxC,EAAE,OAAO,EAAE,gCAAgC,EAAE;IAE7C,4DAA4D;IAC5D,EAAE,OAAO,EAAE,2DAA2D,EAAE;CACzE,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,iCAAiC;IACjC;QACE,OAAO,EAAE,+BAA+B;QACxC,MAAM,EAAE,iEAAiE;KAC1E;IAED,sBAAsB;IACtB;QACE,OAAO,EAAE,OAAO;QAChB,MAAM,EAAE,wDAAwD;KACjE;IAED,8DAA8D;IAC9D;QACE,OAAO,EAAE,WAAW;QACpB,MAAM,EAAE,wDAAwD;KACjE;IAED,0EAA0E;IAC1E,6EAA6E;IAC7E;QACE,OAAO,EAAE,4CAA4C;QACrD,MAAM,EAAE,qDAAqD;KAC9D;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB,EAAE,QAA2B;IAC3E,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,gBAAgB,GAAG;IACvB,uCAAuC;IACvC,+BAA+B;IAC/B,gCAAgC;IAChC,kCAAkC;IAClC,iCAAiC;IACjC,iCAAiC;IACjC,sCAAsC;CACvC,CAAC;AAEF,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,IAAI,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7D,IAAI,cAAc,CAAC,SAAS,EAAE,gBAAgB,CAAC;QAAE,OAAO,KAAK,CAAC;IAE9D,IAAI,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,4EAA4E;IAC5E,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7B,IAAI,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC;QAChF,IAAI,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC;IACnD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,OAAO,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAAC,SAAiB;IAK5C,mCAAmC;IACnC,MAAM,cAAc,GAAG,cAAc,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;IACnE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,SAAS,EAAE,UAAU;YACrB,OAAO,EAAE,CAAC,cAAc,CAAC,MAAM,IAAI,0BAA0B,CAAC;SAC/D,CAAC;IACJ,CAAC;IAED,4DAA4D;IAC5D,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO;YACL,aAAa,EAAE,KAAK,EAAE,6CAA6C;YACnE,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,CAAC,aAAa,CAAC,MAAM,IAAI,6CAA6C,CAAC;SACjF,CAAC;IACJ,CAAC;IAED,2CAA2C;IAC3C,MAAM,gBAAgB,GAAsB;QAC1C,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,+BAA+B,EAAE;QAC7D,EAAE,OAAO,EAAE,0BAA0B,EAAE,MAAM,EAAE,mBAAmB,EAAE;QACpE,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,uBAAuB,EAAE;QAC5D,EAAE,OAAO,EAAE,6BAA6B,EAAE,MAAM,EAAE,uBAAuB,EAAE;QAC3E,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,EAAE,qBAAqB,EAAE;KAC7D,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;QACvC,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,aAAa,EAAE,IAAI;gBACnB,SAAS,EAAE,MAAM;gBACjB,OAAO,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,yBAAyB,CAAC;aACvD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,4EAA4E;IAC5E,IAAI,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,sDAAsD;QACtD,IAAI,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,EAAE,CAAC;YAC/C,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,CAAC;QACD,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,SAAS,EAAE,QAAQ;YACnB,OAAO,EAAE,CAAC,oBAAoB,CAAC;SAChC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,aAAa,EAAE,KAAK;QACpB,SAAS,EAAE,KAAK;QAChB,OAAO,EAAE,EAAE;KACZ,CAAC;AACJ,CAAC"}
+{"version":3,"file":"security-patterns.js","sourceRoot":"","sources":["../../../server/mcp/security-patterns.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAOpC;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,qFAAqF;IACrF,EAAE,OAAO,EAAE,2BAA2B,EAAE,MAAM,EAAE,2CAA2C,EAAE;IAC7F,EAAE,OAAO,EAAE,qDAAqD,EAAE,MAAM,EAAE,sCAAsC,EAAE;IAClH,EAAE,OAAO,EAAE,4BAA4B,EAAE,MAAM,EAAE,qCAAqC,EAAE;IACxF,EAAE,OAAO,EAAE,4BAA4B,EAAE,MAAM,EAAE,gCAAgC,EAAE;IACnF,EAAE,OAAO,EAAE,8BAA8B,EAAE,MAAM,EAAE,mCAAmC,EAAE;IACxF,EAAE,OAAO,EAAE,6DAA6D,EAAE,MAAM,EAAE,4CAA4C,EAAE;IAEhI,uEAAuE;IACvE,EAAE,OAAO,EAAE,+BAA+B,EAAE,MAAM,EAAE,wCAAwC,EAAE;IAC9F,EAAE,OAAO,EAAE,iCAAiC,EAAE,MAAM,EAAE,+BAA+B,EAAE;IACvF,EAAE,OAAO,EAAE,mDAAmD,EAAE,MAAM,EAAE,sCAAsC,EAAE;IAChH,EAAE,OAAO,EAAE,+DAA+D,EAAE,MAAM,EAAE,0CAA0C,EAAE;IAEhI,kEAAkE;IAClE,EAAE,OAAO,EAAE,+EAA+E,EAAE,MAAM,EAAE,oCAAoC,EAAE;CAC3I,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAsB;IACjD,+DAA+D;IAC/D,qEAAqE;IACrE;QACE,OAAO,EAAE,0BAA0B;QACnC,MAAM,EAAE,wEAAwE;KACjF;IACD;QACE,OAAO,EAAE,4BAA4B;QACrC,MAAM,EAAE,6DAA6D;KACtE;IACD;QACE,OAAO,EAAE,qCAAqC;QAC9C,MAAM,EAAE,0DAA0D;KACnE;IACD;QACE,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,0DAA0D;KACnE;IACD;QACE,OAAO,EAAE,yBAAyB;QAClC,MAAM,EAAE,iEAAiE;KAC1E;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,MAAM,EAAE,wDAAwD;KACjE;IACD;QACE,OAAO,EAAE,mBAAmB;QAC5B,MAAM,EAAE,oDAAoD;KAC7D;IACD,sDAAsD;IACtD;QACE,OAAO,EAAE,eAAe;QACxB,MAAM,EAAE,yDAAyD;KAClE;IACD;QACE,OAAO,EAAE,0BAA0B;QACnC,MAAM,EAAE,2DAA2D;KACpE;IACD,oEAAoE;IACpE,+EAA+E;CAChF,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,oDAAoD;IACpD,EAAE,OAAO,EAAE,SAAS,EAAE;IACtB,EAAE,OAAO,EAAE,SAAS,EAAE;IACtB,EAAE,OAAO,EAAE,SAAS,EAAE;IAEtB,iFAAiF;IACjF,gEAAgE;IAChE,EAAE,OAAO,EAAE,6BAA6B,EAAE,EAAG,0BAA0B;IACvE,EAAE,OAAO,EAAE,4BAA4B,EAAE,EAAI,yBAAyB;IACtE,EAAE,OAAO,EAAE,4BAA4B,EAAE,EAAI,0BAA0B;IACvE,EAAE,OAAO,EAAE,2BAA2B,EAAE,EAAK,yBAAyB;IAEtE,oDAAoD;IACpD,qEAAqE;IACrE,EAAE,OAAO,EAAE,yFAAyF,EAAE;IACtG,EAAE,OAAO,EAAE,yFAAyF,EAAE;IACtG,EAAE,OAAO,EAAE,6DAA6D,EAAE;IAC1E,EAAE,OAAO,EAAE,mFAAmF,EAAE;IAChG,EAAE,OAAO,EAAE,uFAAuF,EAAE;IAEpG,+DAA+D;IAC/D,EAAE,OAAO,EAAE,gDAAgD,EAAE;IAC7D,EAAE,OAAO,EAAE,wCAAwC,EAAE;IACrD,EAAE,OAAO,EAAE,yCAAyC,EAAE;IACtD,EAAE,OAAO,EAAE,2CAA2C,EAAE;IACxD,EAAE,OAAO,EAAE,0CAA0C,EAAE;IACvD,EAAE,OAAO,EAAE,0CAA0C,EAAE;IACvD,EAAE,OAAO,EAAE,+CAA+C,EAAE;IAE5D,uDAAuD;IACvD,EAAE,OAAO,EAAE,2BAA2B,EAAE;IACxC,EAAE,OAAO,EAAE,gCAAgC,EAAE;IAE7C,4DAA4D;IAC5D,EAAE,OAAO,EAAE,2DAA2D,EAAE;CACzE,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,iCAAiC;IACjC;QACE,OAAO,EAAE,+BAA+B;QACxC,MAAM,EAAE,iEAAiE;KAC1E;IAED,sBAAsB;IACtB;QACE,OAAO,EAAE,OAAO;QAChB,MAAM,EAAE,wDAAwD;KACjE;IAED,8DAA8D;IAC9D;QACE,OAAO,EAAE,WAAW;QACpB,MAAM,EAAE,wDAAwD;KACjE;IAED,4DAA4D;IAC5D;QACE,OAAO,EAAE,0BAA0B;QACnC,MAAM,EAAE,8CAA8C;KACvD;IACD;QACE,OAAO,EAAE,aAAa;QACtB,MAAM,EAAE,kDAAkD;KAC3D;IACD;QACE,OAAO,EAAE,cAAc;QACvB,MAAM,EAAE,4CAA4C;KACrD;IACD;QACE,OAAO,EAAE,iBAAiB;QAC1B,MAAM,EAAE,qDAAqD;KAC9D;IAED,0EAA0E;IAC1E,6EAA6E;IAC7E;QACE,OAAO,EAAE,4CAA4C;QACrD,MAAM,EAAE,qDAAqD;KAC9D;IAED,wEAAwE;IACxE;QACE,OAAO,EAAE,eAAe;QACxB,MAAM,EAAE,sCAAsC;KAC/C;IACD;QACE,OAAO,EAAE,6BAA6B;QACtC,MAAM,EAAE,+CAA+C;KACxD;IACD;QACE,OAAO,EAAE,sDAAsD;QAC/D,MAAM,EAAE,0DAA0D;KACnE;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,MAAM,EAAE,4BAA4B;KACrC;IAED,qDAAqD;IACrD;QACE,OAAO,EAAE,4CAA4C;QACrD,MAAM,EAAE,+DAA+D;KACxE;IACD;QACE,OAAO,EAAE,mCAAmC;QAC5C,MAAM,EAAE,oCAAoC;KAC7C;IACD;QACE,OAAO,EAAE,mCAAmC;QAC5C,MAAM,EAAE,uDAAuD;KAChE;IACD;QACE,OAAO,EAAE,4CAA4C;QACrD,MAAM,EAAE,mCAAmC;KAC5C;IAED,+DAA+D;IAC/D;QACE,OAAO,EAAE,qBAAqB;QAC9B,MAAM,EAAE,oDAAoD;KAC7D;IACD;QACE,OAAO,EAAE,6BAA6B;QACtC,MAAM,EAAE,kDAAkD;KAC3D;IAED,iFAAiF;IACjF;QACE,OAAO,EAAE,4EAA4E;QACrF,MAAM,EAAE,+DAA+D;KACxE;IACD;QACE,OAAO,EAAE,sBAAsB;QAC/B,MAAM,EAAE,iDAAiD;KAC1D;IAED,wBAAwB;IACxB;QACE,OAAO,EAAE,sBAAsB;QAC/B,MAAM,EAAE,gDAAgD;KACzD;IAED,sDAAsD;IACtD;QACE,OAAO,EAAE,gDAAgD;QACzD,MAAM,EAAE,iEAAiE;KAC1E;IAED,0BAA0B;IAC1B;QACE,OAAO,EAAE,+BAA+B;QACxC,MAAM,EAAE,8CAA8C;KACvD;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB,EAAE,QAA2B;IAC3E,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAC9D,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;QAChC,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QACxC,OAAO,GAAG,IAAI,KAAK,cAAc,EAAE,CAAC;IACtC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,0GAA0G;AAC1G,SAAS,sBAAsB,CAAC,SAAiB;IAC/C,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IACxD,OAAO,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;AAC1C,CAAC;AAED,0FAA0F;AAC1F,SAAS,qBAAqB,CAAC,SAAiB;IAC9C,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IACxD,OAAO,gDAAgD,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;AAC5E,CAAC;AAED,yFAAyF;AACzF,SAAS,yBAAyB,CAAC,SAAiB;IAClD,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IACxD,OAAO,uIAAuI,CAAC,IAAI,CAAC,WAAW,CAAC;WAC3J,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;AAC1C,CAAC;AAED,2FAA2F;AAC3F,SAAS,qBAAqB,CAAC,SAAiB;IAC9C,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IACxD,OAAO,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;AACxE,CAAC;AAED,kGAAkG;AAClG,SAAS,oBAAoB,CAAC,SAAiB;IAC7C,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IAChD,OAAO,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACnF,CAAC;AAED;6FAC6F;AAC7F,SAAS,kBAAkB,CAAC,SAAiB;IAC3C,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACvD,iEAAiE;IACjE,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7C,mEAAmE;IACnE,MAAM,UAAU,GAAG,uEAAuE,CAAC;IAC3F,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,gBAAgB,GAAG;IACvB,uCAAuC;IACvC,+BAA+B;IAC/B,gCAAgC;IAChC,kCAAkC;IAClC,iCAAiC;IACjC,iCAAiC;IACjC,sCAAsC;CACvC,CAAC;AAEF,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,iDAAiD;IACjD,MAAM,EAAE,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAEzC,mEAAmE;IACnE,sDAAsD;IACtD,IAAI,cAAc,CAAC,EAAE,EAAE,eAAe,CAAC;QAAE,OAAO,IAAI,CAAC;IAErD,yEAAyE;IACzE,qEAAqE;IACrE,0EAA0E;IAC1E,yEAAyE;IACzE,0CAA0C;IAC1C,IAAI,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,oBAAoB,CAAC,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE,CAAC,EAAE,CAAC;QAC9E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,cAAc,CAAC,EAAE,EAAE,eAAe,CAAC,EAAE,CAAC;QACxC,wEAAwE;QACxE,uEAAuE;QACvE,qEAAqE;QACrE,sEAAsE;QACtE,IAAI,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CACxB,sBAAsB,CAAC,EAAE,CAAC;YAC1B,qBAAqB,CAAC,EAAE,CAAC;YACzB,qBAAqB,CAAC,EAAE,CAAC;YACzB,yBAAyB,CAAC,EAAE,CAAC,CAC9B,EAAE,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,cAAc,CAAC,EAAE,EAAE,gBAAgB,CAAC;QAAE,OAAO,KAAK,CAAC;IAEvD,IAAI,cAAc,CAAC,EAAE,EAAE,eAAe,CAAC,EAAE,CAAC;QACxC,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,qEAAqE;IACrE,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QACtB,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAAE,OAAO,IAAI,CAAC;QAClC,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAAE,OAAO,IAAI,CAAC;IAC5C,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,OAAO,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAAC,SAAiB;IAK5C,mCAAmC;IACnC,MAAM,cAAc,GAAG,cAAc,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;IACnE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,SAAS,EAAE,UAAU;YACrB,OAAO,EAAE,CAAC,cAAc,CAAC,MAAM,IAAI,0BAA0B,CAAC;SAC/D,CAAC;IACJ,CAAC;IAED,4DAA4D;IAC5D,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO;YACL,aAAa,EAAE,KAAK,EAAE,6CAA6C;YACnE,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,CAAC,aAAa,CAAC,MAAM,IAAI,6CAA6C,CAAC;SACjF,CAAC;IACJ,CAAC;IAED,2CAA2C;IAC3C,MAAM,gBAAgB,GAAsB;QAC1C,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,+BAA+B,EAAE;QAC7D,EAAE,OAAO,EAAE,0BAA0B,EAAE,MAAM,EAAE,mBAAmB,EAAE;QACpE,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,uBAAuB,EAAE;QAC5D,EAAE,OAAO,EAAE,6BAA6B,EAAE,MAAM,EAAE,uBAAuB,EAAE;QAC3E,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,EAAE,qBAAqB,EAAE;QAC5D,EAAE,OAAO,EAAE,0BAA0B,EAAE,MAAM,EAAE,8BAA8B,EAAE;QAC/E,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,EAAE;QAC/D,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,wCAAwC,EAAE;KACjF,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;QACvC,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,aAAa,EAAE,IAAI;gBACnB,SAAS,EAAE,MAAM;gBACjB,OAAO,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,yBAAyB,CAAC;aACvD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,4EAA4E;IAC5E,IAAI,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,sDAAsD;QACtD,IAAI,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,EAAE,CAAC;YAC/C,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,CAAC;QACD,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,SAAS,EAAE,QAAQ;YACnB,OAAO,EAAE,CAAC,oBAAoB,CAAC;SAChC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,aAAa,EAAE,KAAK;QACpB,SAAS,EAAE,KAAK;QAChB,OAAO,EAAE,EAAE;KACZ,CAAC;AACJ,CAAC"}

package/dist/server/services/websocket/handler.d.ts

@@ -41,6 +41,5 @@ export declare class WebSocketImproviseHandler implements HandlerContext {
     broadcastToOthers(sender: WSContext, response: WebSocketResponse): void;
     broadcastToAll(response: WebSocketResponse): void;
     cleanupSession(sessionId: string): void;
-    cleanupStaleSessions(): void;
 }
 //# sourceMappingURL=handler.d.ts.map

package/dist/server/services/websocket/handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../../server/services/websocket/handler.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAIvD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,4CAA4C,CAAC;AAE9F,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAExD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAE7D,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAE1E,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAIxD,OAAO,KAAK,EAAkC,iBAAiB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE/F,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAEvE,qBAAa,yBAA0B,YAAW,cAAc;IAC9D,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAa;IAC/D,WAAW,EAAE,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAa;IAC7D,mBAAmB,EAAE,mBAAmB,CAAC;IACzC,OAAO,CAAC,YAAY,CAAS;IAC7B,aAAa,EAAE,aAAa,GAAG,IAAI,CAAQ;IAC3C,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAa;IAChD,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAa;IAC7C,OAAO,CAAC,eAAe,CAAgC;IACvD,cAAc,EAAE,GAAG,CAAC,SAAS,CAAC,CAAa;IAC3C,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAa;IACtD,wBAAwB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,CAAa;IAC9D,mBAAmB,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAAa;IAC7D,iBAAiB,EAAE,iBAAiB,GAAG,IAAI,CAAQ;;IAQnD,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,eAAe;IAOhD,gBAAgB,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI;IAI/C,OAAO,CAAC,gBAAgB;IAYxB,OAAO,CAAC,gBAAgB;IAYxB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAK3C,gBAAgB,CAAC,EAAE,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;IAKpD,aAAa,CACjB,EAAE,EAAE,SAAS,EACb,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;YAkBF,eAAe;IAwH7B,OAAO,CAAC,uBAAuB;IAuB/B,WAAW,CAAC,EAAE,EAAE,SAAS,GAAG,IAAI;IAMhC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,GAAG,IAAI;IAQtD,iBAAiB,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,GAAG,IAAI;IAQvE,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,IAAI;IAMjD,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAIvC,oBAAoB,IAAI,IAAI;CAE7B"}
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../../server/services/websocket/handler.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAIvD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,4CAA4C,CAAC;AAE9F,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAExD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAE7D,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAG1E,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAIxD,OAAO,KAAK,EAAkC,iBAAiB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE/F,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAEvE,qBAAa,yBAA0B,YAAW,cAAc;IAC9D,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAa;IAC/D,WAAW,EAAE,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAa;IAC7D,mBAAmB,EAAE,mBAAmB,CAAC;IACzC,OAAO,CAAC,YAAY,CAAS;IAC7B,aAAa,EAAE,aAAa,GAAG,IAAI,CAAQ;IAC3C,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAa;IAChD,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAa;IAC7C,OAAO,CAAC,eAAe,CAAgC;IACvD,cAAc,EAAE,GAAG,CAAC,SAAS,CAAC,CAAa;IAC3C,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAa;IACtD,wBAAwB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,CAAa;IAC9D,mBAAmB,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAAa;IAC7D,iBAAiB,EAAE,iBAAiB,GAAG,IAAI,CAAQ;;IAQnD,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,eAAe;IAOhD,gBAAgB,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI;IAI/C,OAAO,CAAC,gBAAgB;IAYxB,OAAO,CAAC,gBAAgB;IAYxB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAK3C,gBAAgB,CAAC,EAAE,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;IAKpD,aAAa,CACjB,EAAE,EAAE,SAAS,EACb,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;YAkBF,eAAe;IA8H7B,OAAO,CAAC,uBAAuB;IAuB/B,WAAW,CAAC,EAAE,EAAE,SAAS,GAAG,IAAI;IAMhC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,GAAG,IAAI;IAQtD,iBAAiB,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,GAAG,IAAI;IAQvE,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,IAAI;IAMjD,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;CAIxC"}

package/dist/server/services/websocket/handler.js

@@ -8,6 +8,7 @@ import { AutocompleteService } from './autocomplete.js';
 import { handleFileExplorerMessage, handleFileMessage } from './file-explorer-handlers.js';
 import { FileUploadHandler } from './file-upload-handler.js';
 import { handleGitMessage } from './git-handlers.js';
+import { handleQualityMessage } from './quality-handlers.js';
 import { handleHistoryMessage, handleSessionMessage, initializeTab, resumeHistoricalSession } from './session-handlers.js';
 import { SessionRegistry } from './session-registry.js';
 import { generateNotificationSummary, handleGetSettings, handleUpdateSettings } from './settings-handlers.js';
@@ -196,6 +197,12 @@ export class WebSocketImproviseHandler {
                 return handleRemoveTab(this, ws, tabId, workingDir);
             case 'markTabViewed':
                 return handleMarkTabViewed(this, ws, tabId, workingDir);
+            // Quality messages
+            case 'qualityDetectTools':
+            case 'qualityScan':
+            case 'qualityInstallTools':
+            case 'qualityCodeReview':
+                return handleQualityMessage(this, ws, msg, tabId, workingDir);
             // Settings messages
             case 'getSettings':
                 return handleGetSettings(this, ws);
@@ -260,7 +267,5 @@ export class WebSocketImproviseHandler {
     cleanupSession(sessionId) {
         this.sessions.delete(sessionId);
     }
-    cleanupStaleSessions() {
-    }
 }
 //# sourceMappingURL=handler.js.map