palaryn 0.3.7 → 0.4.4

package/src/dlp/regex-backend.ts

@@ -1,5 +1,6 @@
 import { DLPBackend, DLPDetection } from './interfaces';
 import { DLPPattern, SECRET_PATTERNS, PII_PATTERNS } from './patterns';
+import { normalizeText } from './text-normalizer';
 
 export interface RegexBackendConfig {
   /** Enable secret pattern detection. Default true. */
@@ -8,31 +9,6 @@ export interface RegexBackendConfig {
   pii_detection?: boolean;
 }
 
-/**
- * Zero-width and invisible Unicode characters that can be used to evade
- * regex-based secret detection (e.g. embedding \u200b inside "AKIA...").
- */
-const ZERO_WIDTH_RE = /[\u200B\u200C\u200D\u200E\u200F\uFEFF\u00AD\u034F\u061C\u180E\u2060\u2061\u2062\u2063\u2064\u2066\u2067\u2068\u2069\u206A\u206B\u206C\u206D\u206E\u206F]/g;
-
-/**
- * Common Unicode homoglyphs that look like ASCII characters but would bypass
- * regex patterns designed for ASCII. Maps Cyrillic/Greek/other lookalikes to
- * their ASCII equivalents.
- */
-const HOMOGLYPH_MAP: Record<string, string> = {
-  '\u0410': 'A', '\u0412': 'B', '\u0421': 'C', '\u0415': 'E', '\u041D': 'H',
-  '\u041A': 'K', '\u041C': 'M', '\u041E': 'O', '\u0420': 'P', '\u0422': 'T',
-  '\u0425': 'X', '\u0430': 'a', '\u0435': 'e', '\u043E': 'o', '\u0440': 'p',
-  '\u0441': 'c', '\u0443': 'y', '\u0445': 'x', '\u04BB': 'h',
-  '\u0391': 'A', '\u0392': 'B', '\u0395': 'E', '\u0397': 'H', '\u0399': 'I',
-  '\u039A': 'K', '\u039C': 'M', '\u039D': 'N', '\u039F': 'O', '\u03A1': 'P',
-  '\u03A4': 'T', '\u03A7': 'X', '\u03B1': 'a', '\u03BF': 'o',
-  '\u2010': '-', '\u2011': '-', '\u2012': '-', '\u2013': '-', '\u2014': '-',
-  '\uFF21': 'A', '\uFF22': 'B', '\uFF23': 'C', '\uFF24': 'D', '\uFF25': 'E',
-};
-
-const HOMOGLYPH_RE = new RegExp('[' + Object.keys(HOMOGLYPH_MAP).join('') + ']', 'g');
-
 /**
  * Regex to detect potential Base64-encoded strings.
  * Matches strings of at least 20 characters using the Base64 alphabet,
@@ -68,25 +44,6 @@ function decodeBase64Content(value: string): string {
   return decoded.join('\n');
 }
 
-/**
- * Normalize input to defeat common DLP evasion techniques:
- * 1. NFC Unicode normalization (canonical decomposition + composition)
- * 2. Strip zero-width / invisible characters
- * 3. Replace common Unicode homoglyphs with ASCII equivalents
- */
-function normalizeForDLP(value: string): string {
-  // Step 1: NFC normalization
-  let normalized = value.normalize('NFC');
-
-  // Step 2: Strip zero-width characters
-  normalized = normalized.replace(ZERO_WIDTH_RE, '');
-
-  // Step 3: Replace homoglyphs with ASCII equivalents
-  normalized = normalized.replace(HOMOGLYPH_RE, (ch) => HOMOGLYPH_MAP[ch] || ch);
-
-  return normalized;
-}
-
 /**
  * Regex-based DLP backend that uses the same patterns as the built-in DLPScanner.
  *
@@ -115,7 +72,7 @@ export class RegexDLPBackend implements DLPBackend {
    * testing to avoid state leaking between calls.
    */
   scanString(value: string): DLPDetection[] {
-    const normalized = normalizeForDLP(value);
+    const normalized = normalizeText(value);
     const detections: DLPDetection[] = [];
 
     if (this.secretsEnabled) {

package/src/dlp/scanner.ts

@@ -2,9 +2,10 @@ import { createHash } from 'crypto';
 import { DLPReport, DLPRedaction, RedactionMethod, DLPSeverity } from '../types/tool-result';
 import { DLPConfig } from '../types/config';
 import { SECRET_PATTERNS, PII_PATTERNS } from './patterns';
+import { normalizeText } from './text-normalizer';
 
 /** Maximum recursion depth to guard against circular or deeply nested structures. */
-const MAX_SCAN_DEPTH = 32;
+const MAX_SCAN_DEPTH = 64;
 
 /**
  * DLPScanner detects secrets and PII in tool call arguments and outputs,
@@ -60,15 +61,16 @@ export class DLPScanner {
   private scanString(value: string, path: string): { detected: string[]; redactions: DLPRedaction[] } {
     const detected: string[] = [];
     const redactions: DLPRedaction[] = [];
+    const normalized = normalizeText(value);
+    const useNormalized = normalized !== value;
 
     if (this.config.secrets_detection) {
       for (const pattern of SECRET_PATTERNS) {
-        // Reset before use to ensure a clean match
         pattern.pattern.lastIndex = 0;
         if (pattern.pattern.test(value)) {
-          // Extract the first match for masked preview
           pattern.pattern.lastIndex = 0;
           const match = pattern.pattern.exec(value);
+          pattern.pattern.lastIndex = 0;
           detected.push(pattern.name);
           redactions.push({
             path,
@@ -76,9 +78,22 @@ export class DLPScanner {
             original_type: pattern.name,
             masked_preview: match ? DLPScanner.maskValue(match[0]) : undefined,
           });
+        } else if (useNormalized) {
+          pattern.pattern.lastIndex = 0;
+          if (pattern.pattern.test(normalized)) {
+            pattern.pattern.lastIndex = 0;
+            const match = pattern.pattern.exec(normalized);
+            pattern.pattern.lastIndex = 0;
+            detected.push(pattern.name);
+            redactions.push({
+              path,
+              method: this.config.default_redaction_method,
+              original_type: pattern.name,
+              masked_preview: match ? DLPScanner.maskValue(match[0]) : undefined,
+            });
+          }
+          pattern.pattern.lastIndex = 0;
         }
-        // Reset after use so the next invocation starts fresh
-        pattern.pattern.lastIndex = 0;
       }
     }
 
@@ -88,6 +103,7 @@ export class DLPScanner {
         if (pattern.pattern.test(value)) {
           pattern.pattern.lastIndex = 0;
           const match = pattern.pattern.exec(value);
+          pattern.pattern.lastIndex = 0;
           detected.push(pattern.name);
           redactions.push({
             path,
@@ -95,8 +111,22 @@ export class DLPScanner {
             original_type: pattern.name,
             masked_preview: match ? DLPScanner.maskValue(match[0]) : undefined,
           });
+        } else if (useNormalized) {
+          pattern.pattern.lastIndex = 0;
+          if (pattern.pattern.test(normalized)) {
+            pattern.pattern.lastIndex = 0;
+            const match = pattern.pattern.exec(normalized);
+            pattern.pattern.lastIndex = 0;
+            detected.push(pattern.name);
+            redactions.push({
+              path,
+              method: this.config.default_redaction_method,
+              original_type: pattern.name,
+              masked_preview: match ? DLPScanner.maskValue(match[0]) : undefined,
+            });
+          }
+          pattern.pattern.lastIndex = 0;
         }
-        pattern.pattern.lastIndex = 0;
       }
     }
 

package/src/dlp/text-normalizer.ts

@@ -10,8 +10,12 @@
 // Zero-width character stripping
 // ---------------------------------------------------------------------------
 
-/** Regex matching zero-width and invisible Unicode characters. */
-export const ZERO_WIDTH_REGEX = /[\u200B\u200C\u200D\u00AD\uFEFF\u200E\u200F\u2060\u2061\u2062\u2063\u2064\u180E]/g;
+/** Regex matching zero-width and invisible Unicode characters.
+ *  Comprehensive list covering: zero-width spaces/joiners, soft hyphen, BOM,
+ *  directional marks/isolates, word joiners, invisible operators,
+ *  combining grapheme joiner, Arabic letter mark, and deprecated formatting chars.
+ */
+export const ZERO_WIDTH_REGEX = /[\u200B\u200C\u200D\u00AD\uFEFF\u200E\u200F\u034F\u061C\u180E\u2060\u2061\u2062\u2063\u2064\u2066\u2067\u2068\u2069\u206A\u206B\u206C\u206D\u206E\u206F]/g;
 
 // ---------------------------------------------------------------------------
 // Homoglyph map (visually similar characters -> ASCII equivalents)
@@ -75,6 +79,28 @@ export const HOMOGLYPH_MAP: Record<string, string> = {
   '\u0131': 'i', // ı (dotless i)
   '\u0237': 'j', // ȷ (dotless j)
   '\u01C0': 'l', // ǀ (dental click -> l)
+  // Arabic-Indic digits -> ASCII
+  '\u0660': '0',
+  '\u0661': '1',
+  '\u0662': '2',
+  '\u0663': '3',
+  '\u0664': '4',
+  '\u0665': '5',
+  '\u0666': '6',
+  '\u0667': '7',
+  '\u0668': '8',
+  '\u0669': '9',
+  // Fullwidth digits -> ASCII (belt-and-suspenders with NFKC)
+  '\uFF10': '0',
+  '\uFF11': '1',
+  '\uFF12': '2',
+  '\uFF13': '3',
+  '\uFF14': '4',
+  '\uFF15': '5',
+  '\uFF16': '6',
+  '\uFF17': '7',
+  '\uFF18': '8',
+  '\uFF19': '9',
 };
 
 // Build reverse lookup for efficiency
@@ -164,6 +190,45 @@ function decodeURLEncoding(input: string): string {
   }
 }
 
+// ---------------------------------------------------------------------------
+// Encoded-payload decoders
+// ---------------------------------------------------------------------------
+
+/** Decode \\xNN hex escapes to characters (printable ASCII only). */
+function decodeHexEscapes(input: string): string {
+  return input.replace(/\\x([0-9a-fA-F]{2})/g, (_m, hex) => {
+    const code = parseInt(hex, 16);
+    return code >= 0x20 && code <= 0x7e ? String.fromCharCode(code) : _m;
+  });
+}
+
+/** Decode \\uNNNN unicode escapes to characters. */
+function decodeUnicodeEscapes(input: string): string {
+  return input.replace(/\\u([0-9a-fA-F]{4})/g, (_m, hex) => {
+    const code = parseInt(hex, 16);
+    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : _m;
+  });
+}
+
+/** Decode String.fromCharCode(...) expressions to the resulting string. */
+function decodeStringFromCharCode(input: string): string {
+  return input.replace(/String\.fromCharCode\s*\(([0-9,\s]+)\)/gi, (_m, nums) => {
+    try {
+      const codes = nums.split(',').map((n: string) => parseInt(n.trim(), 10));
+      if (codes.some((c: number) => isNaN(c) || c < 0 || c > 0x10ffff)) return _m;
+      return String.fromCodePoint(...codes);
+    } catch {
+      return _m;
+    }
+  });
+}
+
+/** Strip emoji characters inserted between letters (e.g., i🔥g🔥n🔥o🔥r🔥e → ignore). */
+function stripEmojisBetweenLetters(input: string): string {
+  // \p{So} = Symbol, Other (includes most emoji); only strip when between letters
+  return input.replace(/(\p{L})\p{So}+(?=\p{L})/gu, '$1');
+}
+
 // ---------------------------------------------------------------------------
 // Main normalizer
 // ---------------------------------------------------------------------------
@@ -194,6 +259,14 @@ export function normalizeText(input: string): string {
   // 2. NFKC normalization (fullwidth -> ASCII, ligatures -> components, etc.)
   text = text.normalize('NFKC');
 
+  // 2.5 Decode hex/unicode/fromCharCode escapes
+  text = decodeHexEscapes(text);
+  text = decodeUnicodeEscapes(text);
+  text = decodeStringFromCharCode(text);
+
+  // 2.7 Strip emoji between letters
+  text = stripEmojisBetweenLetters(text);
+
   // 3. Decode HTML entities
   text = decodeHTMLEntities(text);
 
@@ -223,3 +296,58 @@ export function normalizeText(input: string): string {
 export function normalizeLeetspeak(normalizedInput: string): string {
   return normalizedInput.replace(leetspeakRegex, (ch) => LEETSPEAK_MAP[ch] || ch);
 }
+
+/**
+ * Decode encoded payloads found in text (atob, data URIs).
+ * Returns an array of decoded strings (printable ASCII only).
+ */
+export function decodeEncodedPayloads(input: string): string[] {
+  const results: string[] = [];
+
+  // Match atob("...") or atob('...')
+  const atobRegex = /atob\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g;
+  let m: RegExpExecArray | null;
+  while ((m = atobRegex.exec(input)) !== null) {
+    try {
+      const decoded = Buffer.from(m[1], 'base64').toString('utf-8');
+      // Only include if it's mostly printable ASCII
+      if (/^[\x20-\x7e\s]+$/.test(decoded)) {
+        results.push(decoded);
+      }
+    } catch { /* ignore decode failures */ }
+  }
+
+  // Match data:...;base64,DATA
+  const dataUriRegex = /data:[^;]*;base64,([A-Za-z0-9+/=]+)/g;
+  while ((m = dataUriRegex.exec(input)) !== null) {
+    try {
+      const decoded = Buffer.from(m[1], 'base64').toString('utf-8');
+      if (/^[\x20-\x7e\s]+$/.test(decoded)) {
+        results.push(decoded);
+      }
+    } catch { /* ignore decode failures */ }
+  }
+
+  // Bare base64 strings (min 20 chars, word-boundary-isolated)
+  // Skip regions already matched by atob() or data: URI patterns above.
+  const bareBase64Regex = /(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{20,}={0,2})(?![A-Za-z0-9+/=])/g;
+  while ((m = bareBase64Regex.exec(input)) !== null) {
+    // Skip if this is part of an atob("...") or data:;base64, context
+    const prefix = input.slice(Math.max(0, m.index - 10), m.index);
+    if (/atob\s*\(\s*["']$/i.test(prefix) || /base64,$/i.test(prefix)) {
+      continue;
+    }
+    try {
+      const decoded = Buffer.from(m[1], 'base64').toString('utf-8');
+      // Only include if decoded text is mostly printable ASCII (>=80%) and >=10 chars
+      if (decoded.length >= 10) {
+        const printableCount = (decoded.match(/[\x20-\x7e]/g) || []).length;
+        if (printableCount / decoded.length >= 0.8) {
+          results.push(decoded);
+        }
+      }
+    } catch { /* ignore decode failures */ }
+  }
+
+  return results;
+}

package/src/mcp/http-transport.ts

@@ -17,20 +17,37 @@ export interface MCPHttpConfig {
   platform?: string;
   /** Gateway's own base URL — when set, self-referencing requests get the OAuth token injected */
   gateway_base_url?: string;
+  /** Local port the app listens on — used to rewrite self-referencing URLs to localhost */
+  local_port?: number;
 }
 
 interface ResolvedMCPHttpConfig {
   platform: string;
   gateway_base_url?: string;
+  local_port?: number;
 }
 
 function resolveConfig(config?: MCPHttpConfig): ResolvedMCPHttpConfig {
   return {
     platform: config?.platform || 'mcp_http',
     gateway_base_url: config?.gateway_base_url,
+    local_port: config?.local_port,
   };
 }
 
+/**
+ * Rewrite self-referencing URLs to localhost to avoid circular requests
+ * through the reverse proxy (Caddy). E.g.:
+ *   https://app.palaryn.com/auth/register → http://localhost:3000/auth/register
+ */
+function rewriteSelfUrl(config: ResolvedMCPHttpConfig, url: string): string {
+  if (config.gateway_base_url && config.local_port && url.startsWith(config.gateway_base_url)) {
+    const path = url.slice(config.gateway_base_url.length);
+    return `http://localhost:${config.local_port}${path}`;
+  }
+  return url;
+}
+
 // ---------------------------------------------------------------------------
 // Auth identity resolution
 // ---------------------------------------------------------------------------
@@ -403,12 +420,14 @@ function createMCPServerInstance(gateway: Gateway, config: ResolvedMCPHttpConfig
       if (capError) return permissionDeniedError(capError);
 
       const { constraints, context } = extractCommon(a);
+      const originalUrl = a.url as string;
+      const resolvedUrl = rewriteSelfUrl(config, originalUrl);
       const toolCall = buildToolCall(config, {
         toolName: 'http.request',
         capability,
         args: {
           method,
-          url: a.url as string,
+          url: resolvedUrl,
           headers: a.headers as Record<string, string> | undefined,
           body: typeof a.body === 'string' ? parseBody(a.body) : undefined,
         },
@@ -416,7 +435,7 @@ function createMCPServerInstance(gateway: Gateway, config: ResolvedMCPHttpConfig
         context,
         identity,
       });
-      setInternalAuth(config, identity, toolCall, a.url as string);
+      setInternalAuth(config, identity, toolCall, originalUrl);
       return formatResult(await executeWithApprovalPolling(gateway, toolCall));
     },
   );
@@ -447,19 +466,21 @@ function createMCPServerInstance(gateway: Gateway, config: ResolvedMCPHttpConfig
       if (capError) return permissionDeniedError(capError);
 
       const { constraints, context } = extractCommon(a);
+      const originalUrl = a.url as string;
+      const resolvedUrl = rewriteSelfUrl(config, originalUrl);
       const toolCall = buildToolCall(config, {
         toolName: 'http.get',
         capability: 'read',
         args: {
           method: 'GET',
-          url: a.url as string,
+          url: resolvedUrl,
           headers: a.headers as Record<string, string> | undefined,
         },
         constraints,
         context,
         identity,
       });
-      setInternalAuth(config, identity, toolCall, a.url as string);
+      setInternalAuth(config, identity, toolCall, originalUrl);
       return formatResult(await executeWithApprovalPolling(gateway, toolCall));
     },
   );
@@ -491,12 +512,14 @@ function createMCPServerInstance(gateway: Gateway, config: ResolvedMCPHttpConfig
       if (capError) return permissionDeniedError(capError);
 
       const { constraints, context } = extractCommon(a);
+      const originalUrl = a.url as string;
+      const resolvedUrl = rewriteSelfUrl(config, originalUrl);
       const toolCall = buildToolCall(config, {
         toolName: 'http.post',
         capability: 'write',
         args: {
           method: 'POST',
-          url: a.url as string,
+          url: resolvedUrl,
           headers: a.headers as Record<string, string> | undefined,
           body: typeof a.body === 'string' ? parseBody(a.body) : undefined,
         },
@@ -504,7 +527,7 @@ function createMCPServerInstance(gateway: Gateway, config: ResolvedMCPHttpConfig
         context,
         identity,
       });
-      setInternalAuth(config, identity, toolCall, a.url as string);
+      setInternalAuth(config, identity, toolCall, originalUrl);
       return formatResult(await executeWithApprovalPolling(gateway, toolCall));
     },
   );

package/src/policy/engine.ts

@@ -12,6 +12,91 @@ import {
   PolicyTransformation,
 } from '../types/policy';
 
+/**
+ * Normalize non-standard IPv4 representations to standard dotted-decimal.
+ * Handles:
+ *   - Octal notation: 0177.0.0.01 → 127.0.0.1
+ *   - Hex notation: 0x7f.0.0.1 → 127.0.0.1
+ *   - Short forms: 127.1 → 127.0.0.1, 127.0.1 → 127.0.0.1
+ *   - 32-bit integer: 2130706433 → 127.0.0.1
+ *   - Percent-encoded dots: 127%2e0%2e0%2e1 → 127.0.0.1
+ * Returns normalized A.B.C.D string, or null if not a valid IPv4.
+ */
+function normalizeIPv4(hostname: string): string | null {
+  let decoded: string;
+  try {
+    decoded = decodeURIComponent(hostname);
+  } catch {
+    decoded = hostname;
+  }
+
+  const parts = decoded.split('.');
+
+  // Parse a single part: handles hex (0x...), octal (0...), and decimal
+  function parsePart(s: string): number | null {
+    if (s === '') return null;
+    let val: number;
+    if (/^0x[0-9a-fA-F]+$/i.test(s)) {
+      val = parseInt(s, 16);
+    } else if (/^0[0-9]+$/.test(s) && s.length > 1) {
+      // Octal: starts with 0 and has more than 1 digit
+      val = parseInt(s, 8);
+    } else if (/^[0-9]+$/.test(s)) {
+      val = parseInt(s, 10);
+    } else {
+      return null;
+    }
+    return isFinite(val) && val >= 0 ? val : null;
+  }
+
+  let a: number, b: number, c: number, d: number;
+
+  if (parts.length === 1) {
+    // Single 32-bit integer: 2130706433 → 127.0.0.1
+    const val = parsePart(parts[0]);
+    if (val === null || val > 0xffffffff) return null;
+    a = (val >>> 24) & 0xff;
+    b = (val >>> 16) & 0xff;
+    c = (val >>> 8) & 0xff;
+    d = val & 0xff;
+  } else if (parts.length === 2) {
+    // Two parts: a.b → a.0.0.b
+    const p0 = parsePart(parts[0]);
+    const p1 = parsePart(parts[1]);
+    if (p0 === null || p1 === null || p0 > 0xff || p1 > 0xffffff) return null;
+    a = p0;
+    b = (p1 >>> 16) & 0xff;
+    c = (p1 >>> 8) & 0xff;
+    d = p1 & 0xff;
+  } else if (parts.length === 3) {
+    // Three parts: a.b.c → a.b.0.c
+    const p0 = parsePart(parts[0]);
+    const p1 = parsePart(parts[1]);
+    const p2 = parsePart(parts[2]);
+    if (p0 === null || p1 === null || p2 === null || p0 > 0xff || p1 > 0xff || p2 > 0xffff) return null;
+    a = p0;
+    b = p1;
+    c = (p2 >>> 8) & 0xff;
+    d = p2 & 0xff;
+  } else if (parts.length === 4) {
+    // Standard four parts
+    const p0 = parsePart(parts[0]);
+    const p1 = parsePart(parts[1]);
+    const p2 = parsePart(parts[2]);
+    const p3 = parsePart(parts[3]);
+    if (p0 === null || p1 === null || p2 === null || p3 === null) return null;
+    if (p0 > 0xff || p1 > 0xff || p2 > 0xff || p3 > 0xff) return null;
+    a = p0;
+    b = p1;
+    c = p2;
+    d = p3;
+  } else {
+    return null;
+  }
+
+  return `${a}.${b}.${c}.${d}`;
+}
+
 /**
  * Check if a hostname resolves to a private/internal IP address or is a
  * well-known loopback/link-local name. Used for SSRF protection.
@@ -19,6 +104,17 @@ import {
 function isPrivateTarget(hostname: string): boolean {
   const lower = hostname.toLowerCase();
 
+  // URL-decode to catch percent-encoded dots (e.g., 127%2e0%2e0%2e1)
+  let effectiveHost: string;
+  try {
+    effectiveHost = decodeURIComponent(lower);
+  } catch {
+    effectiveHost = lower;
+  }
+  if (effectiveHost !== lower) {
+    return isPrivateTarget(effectiveHost);
+  }
+
   // Well-known private hostnames
   if (lower === 'localhost' || lower === '0.0.0.0') {
     return true;
@@ -81,6 +177,12 @@ function isPrivateTarget(hostname: string): boolean {
     return isPrivateTarget(compatMatch[1]);
   }
 
+  // Normalize non-standard IPv4 (octal, hex, short notation)
+  const normalizedIP = normalizeIPv4(bare);
+  if (normalizedIP && normalizedIP !== bare) {
+    return isPrivateTarget(normalizedIP);
+  }
+
   // Check if it's an IPv4 address
   if (net.isIPv4(bare)) {
     const parts = bare.split('.').map(Number);

package/src/saas/routes.ts

@@ -16,6 +16,11 @@ import { PlanEnforcer } from '../billing/plan-enforcer';
 import { PlanTier } from '../types/subscription';
 import { MODEL_PRICING, resolveModelPricing } from '../budget/model-pricing';
 
+/** Strip HTML tags from user-provided display strings to prevent stored XSS. */
+function stripHtmlTags(input: string): string {
+  return input.replace(/<[^>]*>/g, '').trim();
+}
+
 export interface SaaSRouteDeps {
   config: GatewayConfig;
   userStore: UserStore;
@@ -82,8 +87,14 @@ export function createSaaSRouter(deps: SaaSRouteDeps): Router {
       return;
     }
 
+    const sanitizedDisplayName = stripHtmlTags(display_name);
+    if (sanitizedDisplayName.length === 0) {
+      res.status(400).json({ error: 'display_name must not be empty after sanitization' });
+      return;
+    }
+
     const updated = userStore.update(user.id, {
-      display_name: display_name.trim(),
+      display_name: sanitizedDisplayName,
       updated_at: new Date().toISOString(),
     });
     res.json(updated);
@@ -124,6 +135,12 @@ export function createSaaSRouter(deps: SaaSRouteDeps): Router {
       return;
     }
 
+    const sanitizedName = stripHtmlTags(name);
+    if (sanitizedName.length === 0) {
+      res.status(400).json({ error: 'name must not be empty after sanitization' });
+      return;
+    }
+
     // Enforce workspace limit based on user's highest plan
     const userWorkspaces = workspaceMemberStore.getByUser(user.id)
       .filter(m => m.role === 'owner')
@@ -144,8 +161,8 @@ export function createSaaSRouter(deps: SaaSRouteDeps): Router {
       return;
     }
 
-    // Generate slug from name if not provided
-    const wsSlug = (slug || name).toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-').slice(0, 63);
+    // Generate slug from sanitized name if not provided
+    const wsSlug = (slug || sanitizedName).toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-').slice(0, 63);
 
     if (workspaceStore.getBySlug(wsSlug)) {
       res.status(409).json({ error: 'Workspace slug already taken' });
@@ -157,7 +174,7 @@ export function createSaaSRouter(deps: SaaSRouteDeps): Router {
 
     workspaceStore.create({
       id: workspaceId,
-      name: name.trim(),
+      name: sanitizedName,
       slug: wsSlug,
       owner_user_id: user.id,
       plan: 'free',
@@ -398,7 +415,7 @@ export function createSaaSRouter(deps: SaaSRouteDeps): Router {
       key_prefix: keyPrefix,
       user_id: user.id,
       workspace_id: workspaceId,
-      name: name.trim(),
+      name: stripHtmlTags(name),
       roles: Array.isArray(roles) ? roles : ['agent'],
       tags: parsedTags,
       revoked: false,

package/src/server/app.ts

@@ -265,6 +265,12 @@ export function createApp(config: GatewayConfig, externalSaaSStores?: Partial<Sa
   // Register noop executors for non-HTTP tools (e.g. pre-flight validation from Android)
   gateway.registerExecutor('web_search', new NoopExecutor({ body: { validated: true, tool: 'web_search' } }));
   gateway.registerExecutor('chat.completion', new NoopExecutor({ body: { validated: true, tool: 'chat.completion' } }));
+  gateway.registerExecutor('browser.action', new NoopExecutor({ body: { validated: true, tool: 'browser.action' } }));
+  // Noop executors for Claude Code hook-based tools (policy eval + audit only)
+  gateway.registerExecutor('file.write', new NoopExecutor({ body: { validated: true, tool: 'file.write' } }));
+  gateway.registerExecutor('git.action', new NoopExecutor({ body: { validated: true, tool: 'git.action' } }));
+  gateway.registerExecutor('file.sensitive_write', new NoopExecutor({ body: { validated: true, tool: 'file.sensitive_write' } }));
+  gateway.registerExecutor('package.install', new NoopExecutor({ body: { validated: true, tool: 'package.install' } }));
 
   // Rate limiter for unauthenticated endpoints (60 requests per minute per IP)
   const publicLimitConfig = config.public_rate_limit || { max_per_window: 60, window_ms: 60000 };
@@ -860,6 +866,7 @@ export function createApp(config: GatewayConfig, externalSaaSStores?: Partial<Sa
     || (isProduction ? 'https://app.palaryn.com' : `http://localhost:${config.port}`);
   const mcpHandler = createMCPHttpHandler(gateway, {
     gateway_base_url: config.mcp_oauth?.enabled ? mcpBaseUrl : undefined,
+    local_port: config.port,
   });
 
   if (config.mcp_oauth?.enabled) {