stagent 0.6.0 → 0.6.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "stagent",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "AI Business Operating System — run your business with AI agents. Local-first, multi-provider, governed.",
   "keywords": [
     "ai",

package/src/app/api/channels/[id]/route.ts

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { db } from "@/lib/db";
 import { channelConfigs } from "@/lib/db/schema";
 import { eq } from "drizzle-orm";
+import { maskChannelRow } from "@/lib/channels/types";
 
 export async function GET(
   _req: NextRequest,
@@ -18,7 +19,7 @@ export async function GET(
     return NextResponse.json({ error: "Channel not found" }, { status: 404 });
   }
 
-  return NextResponse.json(channel);
+  return NextResponse.json(maskChannelRow(channel));
 }
 
 export async function PATCH(
@@ -79,7 +80,7 @@ export async function PATCH(
     .from(channelConfigs)
     .where(eq(channelConfigs.id, id));
 
-  return NextResponse.json(updated);
+  return NextResponse.json(maskChannelRow(updated));
 }
 
 export async function DELETE(

package/src/app/api/channels/inbound/slack/route.ts

@@ -56,8 +56,15 @@ export async function POST(req: NextRequest) {
     return NextResponse.json({ error: "Invalid channel config" }, { status: 500 });
   }
 
-  // Only verify signature if signingSecret is configured
-  if (parsedConfig.signingSecret && slackAdapter.verifySignature) {
+  // Require signingSecret — refuse to process inbound messages without signature verification
+  if (!parsedConfig.signingSecret) {
+    return NextResponse.json(
+      { error: "Channel config missing signingSecret — cannot verify request" },
+      { status: 401 }
+    );
+  }
+
+  if (slackAdapter.verifySignature) {
     const headers: Record<string, string> = {};
     req.headers.forEach((value, key) => {
       headers[key] = value;

package/src/app/api/channels/inbound/telegram/poll/route.ts

@@ -15,6 +15,13 @@ import { handleInboundMessage } from "@/lib/channels/gateway";
  * Returns the number of updates processed.
  */
 export async function POST(req: NextRequest) {
+  // Guard: only accept requests from the internal poller.
+  // The internal scheduler sets this header; external callers won't have it.
+  const internalToken = req.headers.get("x-stagent-internal");
+  if (internalToken !== "poll") {
+    return NextResponse.json({ error: "Unauthorized — internal use only" }, { status: 401 });
+  }
+
   const configId = req.nextUrl.searchParams.get("configId");
   if (!configId) {
     return NextResponse.json({ error: "Missing configId" }, { status: 400 });
@@ -30,6 +37,11 @@ export async function POST(req: NextRequest) {
     return NextResponse.json({ error: "Channel not found" }, { status: 404 });
   }
 
+  // Refuse to poll disabled channels
+  if (config.status !== "active") {
+    return NextResponse.json({ error: "Channel is not active" }, { status: 403 });
+  }
+
   let parsedConfig: Record<string, unknown>;
   try {
     parsedConfig = JSON.parse(config.config) as Record<string, unknown>;

package/src/app/api/channels/inbound/telegram/route.ts

@@ -39,8 +39,19 @@ export async function POST(req: NextRequest) {
     return NextResponse.json({ error: "Invalid channel config" }, { status: 500 });
   }
 
+  // Require webhookSecret — refuse to process inbound messages without authentication
   const expectedSecret = parsedConfig.webhookSecret as string | undefined;
-  if (expectedSecret && secret !== expectedSecret) {
+  if (!expectedSecret) {
+    return NextResponse.json(
+      { error: "Channel config missing webhookSecret — cannot verify request" },
+      { status: 401 }
+    );
+  }
+
+  // NOTE: The secret is passed as a query-string parameter. This is Telegram's recommended
+  // webhook verification design (https://core.telegram.org/bots/api#setwebhook secret_token).
+  // Query strings may appear in server access logs — ensure logs are access-controlled.
+  if (secret !== expectedSecret) {
     return NextResponse.json({ error: "Invalid secret" }, { status: 403 });
   }
 

package/src/app/api/channels/route.ts

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { db } from "@/lib/db";
 import { channelConfigs } from "@/lib/db/schema";
 import { desc, eq } from "drizzle-orm";
+import { maskChannelRow } from "@/lib/channels/types";
 
 const VALID_CHANNEL_TYPES = ["slack", "telegram", "webhook"] as const;
 
@@ -11,7 +12,7 @@ export async function GET() {
     .from(channelConfigs)
     .orderBy(desc(channelConfigs.createdAt));
 
-  return NextResponse.json(result);
+  return NextResponse.json(result.map(maskChannelRow));
 }
 
 export async function POST(req: NextRequest) {
@@ -67,5 +68,5 @@ export async function POST(req: NextRequest) {
     .from(channelConfigs)
     .where(eq(channelConfigs.id, id));
 
-  return NextResponse.json(created, { status: 201 });
+  return NextResponse.json(maskChannelRow(created), { status: 201 });
 }

package/src/app/api/data/clear/route.ts

@@ -2,6 +2,10 @@ import { NextResponse } from "next/server";
 import { clearAllData } from "@/lib/data/clear";
 
 export async function POST() {
+  if (process.env.NODE_ENV === "production") {
+    return NextResponse.json(null, { status: 404 });
+  }
+
   try {
     const deleted = clearAllData();
     return NextResponse.json({ success: true, deleted });

package/src/app/api/data/seed/route.ts

@@ -2,6 +2,10 @@ import { NextResponse } from "next/server";
 import { seedSampleData } from "@/lib/data/seed";
 
 export async function POST() {
+  if (process.env.NODE_ENV === "production") {
+    return NextResponse.json(null, { status: 404 });
+  }
+
   try {
     const seeded = await seedSampleData();
     return NextResponse.json({ success: true, seeded });

package/src/app/api/documents/route.ts

@@ -1,9 +1,10 @@
 import { NextRequest, NextResponse } from "next/server";
 import { db } from "@/lib/db";
 import { documents, tasks, projects } from "@/lib/db/schema";
-import { eq, and, like, or, desc, sql } from "drizzle-orm";
+import { eq, and, like, or, desc } from "drizzle-orm";
 import { access, stat, copyFile, mkdir } from "fs/promises";
-import { basename, extname, join } from "path";
+import path, { basename, extname, join } from "path";
+import { homedir } from "os";
 import crypto from "crypto";
 import { getStagentUploadsDir } from "@/lib/utils/stagent-paths";
 import { processDocument } from "@/lib/documents/processor";
@@ -120,18 +121,47 @@ export async function POST(req: NextRequest) {
 
   const body = parsed.data;
 
+  // Path traversal protection: resolve and validate the file path
+  const resolvedPath = path.resolve(body.file_path);
+  const home = homedir();
+  const SENSITIVE_PREFIXES = ["/etc", "/var", "/proc", "/sys", "/dev", "/root"];
+  const SENSITIVE_HOME_DIRS = [".ssh", ".gnupg", ".aws", ".config", ".env"];
+
+  if (SENSITIVE_PREFIXES.some((prefix) => resolvedPath.startsWith(prefix))) {
+    return NextResponse.json(
+      { error: "Access denied: path points to a restricted system directory" },
+      { status: 403 }
+    );
+  }
+
+  if (resolvedPath.startsWith(home)) {
+    const relativeToHome = resolvedPath.slice(home.length + 1);
+    if (SENSITIVE_HOME_DIRS.some((dir) => relativeToHome.startsWith(dir))) {
+      return NextResponse.json(
+        { error: "Access denied: path points to a sensitive home directory" },
+        { status: 403 }
+      );
+    }
+  } else if (!resolvedPath.startsWith("/tmp")) {
+    // Outside home and not /tmp — reject
+    return NextResponse.json(
+      { error: "Access denied: path must be under the user's home directory or /tmp" },
+      { status: 403 }
+    );
+  }
+
   try {
-    await access(body.file_path);
+    await access(resolvedPath);
   } catch {
     return NextResponse.json({ error: `File not found: ${body.file_path}` }, { status: 400 });
   }
 
-  const stats = await stat(body.file_path);
+  const stats = await stat(resolvedPath);
   if (!stats.isFile()) {
     return NextResponse.json({ error: `Not a file: ${body.file_path}` }, { status: 400 });
   }
 
-  const originalName = basename(body.file_path);
+  const originalName = basename(resolvedPath);
   const ext = extname(originalName).toLowerCase();
   const mimeType = MIME_TYPES[ext] ?? "application/octet-stream";
   const id = crypto.randomUUID();
@@ -140,7 +170,7 @@ export async function POST(req: NextRequest) {
   const uploadsDir = getStagentUploadsDir();
   await mkdir(uploadsDir, { recursive: true });
   const storagePath = join(uploadsDir, filename);
-  await copyFile(body.file_path, storagePath);
+  await copyFile(resolvedPath, storagePath);
 
   const now = new Date();
   await db.insert(documents).values({

package/src/app/api/tasks/[id]/respond/route.ts

@@ -43,8 +43,30 @@ export async function POST(
     return NextResponse.json({ error: "Already responded" }, { status: 409 });
   }
 
+  // Validate updatedInput keys against the original tool input to prevent injection
+  let sanitizedUpdatedInput = updatedInput;
+  if (updatedInput !== undefined && updatedInput !== null && typeof updatedInput === "object" && !Array.isArray(updatedInput)) {
+    try {
+      const originalToolInput = typeof notification.toolInput === "string" ? JSON.parse(notification.toolInput) : (notification.toolInput ?? {});
+      if (typeof originalToolInput === "object" && originalToolInput !== null) {
+        const allowedKeys = new Set(Object.keys(originalToolInput));
+        const inputRecord = updatedInput as Record<string, unknown>;
+        const extraKeys = Object.keys(inputRecord).filter((k) => !allowedKeys.has(k));
+        if (extraKeys.length > 0) {
+          return NextResponse.json(
+            { error: `updatedInput contains disallowed keys: ${extraKeys.join(", ")}` },
+            { status: 400 }
+          );
+        }
+      }
+    } catch {
+      // If we can't parse the original notification data, reject updatedInput entirely
+      sanitizedUpdatedInput = undefined;
+    }
+  }
+
   // Write response — the polling loop in claude-agent.ts will detect this
-  const responseData = { behavior, message, updatedInput, alwaysAllow };
+  const responseData = { behavior, message, updatedInput: sanitizedUpdatedInput, alwaysAllow };
   await db
     .update(notifications)
     .set({

package/src/lib/agents/claude-agent.ts

@@ -372,7 +372,7 @@ export async function buildTaskQueryContext(
   const outputInstructions = buildTaskOutputInstructions(task.id);
   const learnedCtx = getActiveLearnedContext(profileId);
   const learnedCtxBlock = learnedCtx
-    ? `## Learned Context\nPatterns and insights learned from previous tasks:\n\n${learnedCtx}`
+    ? `## Learned Context\n<learned-context>\n${learnedCtx}\n</learned-context>`
     : "";
 
   // Resolve working directory: project's workingDirectory > launch cwd

package/src/lib/channels/types.ts

@@ -30,6 +30,38 @@ export interface ChannelDeliveryResult {
   error?: string;
 }
 
+// ── Credential masking ───────────────────────────────────────────────
+
+/** Fields in channel config JSON that contain secrets and must be masked in API responses. */
+const SENSITIVE_CONFIG_KEYS = ["botToken", "signingSecret", "webhookSecret"];
+
+/**
+ * Mask sensitive fields in a channel config JSON string.
+ * Returns a new JSON string with secrets replaced by "****<last4>".
+ */
+export function maskChannelConfig(configJson: string): string {
+  try {
+    const parsed = JSON.parse(configJson) as Record<string, unknown>;
+    for (const key of SENSITIVE_CONFIG_KEYS) {
+      const val = parsed[key];
+      if (typeof val === "string" && val.length > 0) {
+        const last4 = val.slice(-4);
+        parsed[key] = `****${last4}`;
+      }
+    }
+    return JSON.stringify(parsed);
+  } catch {
+    return configJson;
+  }
+}
+
+/**
+ * Mask sensitive fields in a channel config row before returning from API.
+ */
+export function maskChannelRow<T extends { config: string }>(row: T): T {
+  return { ...row, config: maskChannelConfig(row.config) };
+}
+
 /** Normalized inbound message from any channel. */
 export interface InboundMessage {
   text: string;

package/src/lib/db/schema.ts

@@ -604,7 +604,10 @@ export const channelConfigs = sqliteTable(
     id: text("id").primaryKey(),
     channelType: text("channel_type", { enum: ["slack", "telegram", "webhook"] }).notNull(),
     name: text("name").notNull(),
-    config: text("config").notNull(), // JSON: { webhookUrl?, botToken?, chatId?, channelId?, signingSecret? }
+    // SECURITY: The config JSON contains credentials (botToken, signingSecret, webhookSecret)
+    // stored as plaintext. A future improvement should encrypt these at rest.
+    // All API responses MUST mask sensitive fields via maskChannelConfig() before returning.
+    config: text("config").notNull(), // JSON: { webhookUrl?, botToken?, chatId?, channelId?, signingSecret?, webhookSecret? }
     status: text("status", { enum: ["active", "disabled"] }).default("active").notNull(),
     testStatus: text("test_status", { enum: ["untested", "ok", "failed"] }).default("untested").notNull(),
     direction: text("direction", { enum: ["outbound", "bidirectional"] }).default("outbound").notNull(),