multicorn-shield 0.9.0 → 0.11.0

package/dist/shield-extension.js

@@ -22359,11 +22359,117 @@ async function writeExtensionBackup(claudeDesktopConfigPath, mcpServers) {
 
 // package.json
 var package_default = {
-  version: "0.9.0"};
+  version: "0.11.0"};
 
 // src/package-meta.ts
 var PACKAGE_VERSION = package_default.version;
 
+// src/extension/proxy-url-validator.ts
+var ProxyUrlValidationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ProxyUrlValidationError";
+  }
+};
+function isPrivateOrReservedIpv4(hostname3) {
+  const parts = hostname3.split(".");
+  if (parts.length !== 4) {
+    return false;
+  }
+  const octets = [];
+  for (const p of parts) {
+    if (!/^\d{1,3}$/.test(p)) {
+      return false;
+    }
+    const n = Number.parseInt(p, 10);
+    if (Number.isNaN(n) || n < 0 || n > 255) {
+      return false;
+    }
+    octets.push(n);
+  }
+  const [a, b] = octets;
+  if (a === void 0 || b === void 0) {
+    return false;
+  }
+  if (a === 127) {
+    return true;
+  }
+  if (a === 10) {
+    return true;
+  }
+  if (a === 172 && b >= 16 && b <= 31) {
+    return true;
+  }
+  if (a === 192 && b === 168) {
+    return true;
+  }
+  if (a === 169 && b === 254) {
+    return true;
+  }
+  if (a === 0 && b === 0 && octets[2] === 0 && octets[3] === 0) {
+    return true;
+  }
+  return false;
+}
+function isBlockedIpv6(host) {
+  const h = host.split("%")[0]?.toLowerCase() ?? host.toLowerCase();
+  if (h === "::1") {
+    return true;
+  }
+  if (h.startsWith("fe80:")) {
+    return true;
+  }
+  if (h.startsWith("fc") || h.startsWith("fd")) {
+    return true;
+  }
+  return false;
+}
+function hostForValidation(hostname3) {
+  if (hostname3.startsWith("[") && hostname3.endsWith("]")) {
+    return hostname3.slice(1, -1);
+  }
+  return hostname3;
+}
+function assertSafeProxyUrl(raw, options) {
+  let url2;
+  try {
+    url2 = new URL(raw);
+  } catch {
+    throw new ProxyUrlValidationError(`Invalid proxy URL: ${raw}`);
+  }
+  if (url2.protocol !== "https:" && url2.protocol !== "http:") {
+    throw new ProxyUrlValidationError(
+      `Unsupported proxy URL scheme: ${url2.protocol} - only https: and http: are allowed`
+    );
+  }
+  const hostname3 = url2.hostname;
+  if (hostname3.length === 0) {
+    throw new ProxyUrlValidationError(`Proxy URL has no hostname: ${raw}`);
+  }
+  if (options?.allowPrivateNetworks === true) {
+    return;
+  }
+  const host = hostForValidation(hostname3);
+  if (host.toLowerCase() === "localhost") {
+    throw new ProxyUrlValidationError(
+      `Proxy URL points to a private/reserved network address: ${url2.hostname}`
+    );
+  }
+  if (host.includes(":")) {
+    if (isBlockedIpv6(host)) {
+      throw new ProxyUrlValidationError(
+        `Proxy URL points to a private/reserved network address: ${url2.hostname}`
+      );
+    }
+    return;
+  }
+  if (isPrivateOrReservedIpv4(host)) {
+    throw new ProxyUrlValidationError(
+      `Proxy URL points to a private/reserved network address: ${url2.hostname}`
+    );
+  }
+}
+
 // src/extension/proxy-client.ts
 var MCP_PROTOCOL_VERSION = "2024-11-05";
 var ProxyConfigFetchError = class extends Error {
@@ -22404,8 +22510,12 @@ function isProxyConfigRow(v) {
   const o = v;
   return typeof o["proxy_url"] === "string" && o["proxy_url"].length > 0 && typeof o["server_name"] === "string" && typeof o["target_url"] === "string";
 }
-async function fetchProxyConfigs(baseUrl, apiKey, timeoutMs) {
+async function fetchProxyConfigs(baseUrl, apiKey, timeoutMs, options) {
   const url2 = `${normalizeBaseUrl(baseUrl)}/api/v1/proxy/config`;
+  assertSafeProxyUrl(
+    url2,
+    options?.allowPrivateNetworks === true ? { allowPrivateNetworks: true } : void 0
+  );
   let response;
   try {
     response = await fetch(url2, {
@@ -22563,6 +22673,10 @@ var ProxySession = class {
     this.nextId = 1;
     this.sessionId = null;
     this.closed = false;
+    assertSafeProxyUrl(
+      proxyUrl,
+      options?.allowPrivateNetworks === true ? { allowPrivateNetworks: true } : void 0
+    );
     this.proxyUrl = proxyUrl.replace(/\/+$/, "") + "/mcp";
     this.apiKey = apiKey;
     this.requestTimeoutMs = options?.requestTimeoutMs ?? 6e4;
@@ -23554,6 +23668,8 @@ async function autoCreateProxyConfig(baseUrl, apiKey, serverName, entry, agentNa
   const targetUrl = `stdio://${entry.command}/${entry.args.join("/")}`;
   const url2 = `${baseUrl.replace(/\/+$/, "")}/api/v1/proxy/config`;
   debugLog2(`[SHIELD] Auto-creating proxy config for "${serverName}".`);
+  const allowPrivateNetworks = process.env["MULTICORN_ALLOW_PRIVATE_PROXY_HOSTS"] === "1";
+  assertSafeProxyUrl(url2, { allowPrivateNetworks });
   let response;
   try {
     response = await fetch(url2, {
@@ -23686,6 +23802,7 @@ async function runShieldExtension() {
         `[SHIELD] Config read; ${String(serverCount)} MCP server(s) discovered (excluding Shield).`
       );
       debugLog2("[SHIELD] Resolving proxy configs (local config or API).");
+      const allowPrivateNetworks = process.env["MULTICORN_ALLOW_PRIVATE_PROXY_HOSTS"] === "1";
       let configs;
       const localConfigs = await readProxyConfigsFromLocalMulticornConfig();
       if (localConfigs.length > 0) {
@@ -23694,7 +23811,9 @@ async function runShieldExtension() {
       } else {
         debugLog2("[SHIELD] No local proxy configs; fetching from API.");
         try {
-          configs = await fetchProxyConfigs(baseUrl, apiKey, SETUP_TIMEOUT_MS);
+          configs = await fetchProxyConfigs(baseUrl, apiKey, SETUP_TIMEOUT_MS, {
+            allowPrivateNetworks
+          });
         } catch (e) {
           clearTimeout(setupTimeout);
           if (e instanceof ProxyConfigFetchError) {
@@ -23728,7 +23847,9 @@ async function runShieldExtension() {
               `[SHIELD] Auto-created ${String(createdCount)} proxy config(s); re-fetching from API.`
             );
             try {
-              configs = await fetchProxyConfigs(baseUrl, apiKey, SETUP_TIMEOUT_MS);
+              configs = await fetchProxyConfigs(baseUrl, apiKey, SETUP_TIMEOUT_MS, {
+                allowPrivateNetworks
+              });
             } catch (e) {
               const message = e instanceof Error ? e.message : String(e);
               debugLog2(`[SHIELD] Re-fetch after auto-creation failed: ${message}`);
@@ -23766,7 +23887,7 @@ async function runShieldExtension() {
       const toolsByProxy = /* @__PURE__ */ new Map();
       const sessionByProxyUrl = /* @__PURE__ */ new Map();
       for (const cfg of configs) {
-        const session = new ProxySession(cfg.proxy_url, apiKey);
+        const session = new ProxySession(cfg.proxy_url, apiKey, { allowPrivateNetworks });
         try {
           debugLog2(`[SHIELD] Initializing proxy session for ${cfg.server_name}.`);
           await session.initialize();

package/package.json

@@ -1,8 +1,9 @@
 {
   "name": "multicorn-shield",
-  "version": "0.9.0",
+  "version": "0.11.0",
   "description": "The control layer for AI agents: permissions, consent, spending limits, and audit logging.",
   "license": "MIT",
+  "author": "Multicorn AI Pty Ltd",
   "type": "module",
   "main": "./dist/index.cjs",
   "module": "./dist/index.js",
@@ -37,15 +38,25 @@
     "dist",
     "plugins/windsurf",
     "LICENSE",
-    "README.md"
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "sideEffects": [
+    "dist/index.js",
+    "dist/index.cjs",
+    "dist/badge.js",
+    "src/badge/multicorn-badge.ts"
   ],
-  "sideEffects": false,
   "engines": {
     "node": ">=20"
   },
   "lint-staged": {
     "*.ts": [
-      "eslint --fix",
+      "eslint --fix --no-warn-ignored",
       "prettier --write"
     ],
     "*.{json,md}": [
@@ -91,6 +102,11 @@
       "path": "dist/index.cjs",
       "limit": "50 kB",
       "gzip": true
+    },
+    {
+      "path": "dist/badge.js",
+      "limit": "5 kB",
+      "gzip": true
     }
   ],
   "keywords": [
@@ -117,8 +133,8 @@
   "scripts": {
     "build": "tsup",
     "dev": "tsup --watch",
-    "lint": "eslint . && prettier --check .",
-    "lint:fix": "eslint --fix . && prettier --write .",
+    "lint": "eslint . --no-warn-ignored && prettier --check .",
+    "lint:fix": "eslint --fix . --no-warn-ignored && prettier --write .",
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",