thumbgate 1.23.1 → 1.25.0

package/scripts/mcp-oauth.js

@@ -0,0 +1,293 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * mcp-oauth.js — OAuth 2.1 (PKCE) authorization-server machinery for the remote
+ * ThumbGate MCP connector, required by the Claude Connectors Directory
+ * ("Use OAuth 2.0 for authenticated services").
+ *
+ * Pure, dependency-free, IO-free functions + an injectable store, so the full
+ * flow is unit-testable without a network. The HTTP wiring (in src/api/server.js)
+ * is a thin shell over these.
+ *
+ * Implements:
+ *   - RFC 9728 protected-resource metadata
+ *   - RFC 8414 authorization-server metadata
+ *   - RFC 7591 dynamic client registration (open registration)
+ *   - Authorization-code grant with mandatory PKCE S256 (RFC 7636)
+ *   - Bearer access tokens bound to a ThumbGate API key (so existing gating is unchanged)
+ *
+ * SECURITY NOTES:
+ *   - PKCE S256 is mandatory; the plain method is rejected.
+ *   - Auth codes are single-use and short-lived (60s); access tokens TTL-bound.
+ *   - redirect_uri is matched exactly against the registered set.
+ *   - The token never exposes the bound ThumbGate key; it maps server-side only.
+ */
+
+const crypto = require('crypto');
+
+const AUTH_CODE_TTL_MS = 60 * 1000; // 1 minute
+const ACCESS_TOKEN_TTL_MS = 60 * 60 * 1000; // 1 hour
+const DEFAULT_SCOPE = 'mcp:read mcp:write';
+
+// Upper bounds on the in-memory store. The registration and authorization
+// endpoints are reachable pre-auth, so without a cap a malicious caller could
+// grow these Maps unboundedly and exhaust server memory. When a Map is full we
+// evict the oldest entry (FIFO) rather than deny service to legitimate clients.
+const MAX_CLIENTS = 10000;
+const MAX_CODES = 10000;
+const MAX_TOKENS = 50000;
+
+function now() {
+  return Date.now();
+}
+
+function randomToken(bytes = 32) {
+  return crypto.randomBytes(bytes).toString('base64url');
+}
+
+function base64UrlSha256(input) {
+  return crypto.createHash('sha256').update(String(input)).digest('base64url');
+}
+
+/**
+ * Create a fresh in-memory store.
+ *
+ * DURABILITY (known limitation): this uses plain Maps, so a process restart or a
+ * multi-instance / load-balanced deployment will drop issued tokens and
+ * registered clients (clients see 401s, in-flight authorizations break). For
+ * single-instance use this is fine; production multi-tenancy needs a durable,
+ * shared backing (Redis/DB) — tracked as the per-user-data-scoping follow-up.
+ * Entry counts are bounded (see MAX_* and capInsert) to prevent memory
+ * exhaustion from anonymous calls to the registration/authorization endpoints.
+ */
+function createStore() {
+  return {
+    clients: new Map(),
+    codes: new Map(),
+    tokens: new Map(),
+  };
+}
+
+/** Insert into a Map, evicting the oldest entry (FIFO) once `max` is reached. */
+function capInsert(map, key, value, max) {
+  if (map.size >= max && !map.has(key)) {
+    const oldest = map.keys().next().value;
+    if (oldest !== undefined) map.delete(oldest);
+  }
+  map.set(key, value);
+}
+
+// ---------------------------------------------------------------------------
+// Metadata (RFC 9728 / RFC 8414)
+// ---------------------------------------------------------------------------
+
+function trimSlash(u) {
+  // Non-regex trailing-slash strip (avoids a SonarCloud S5852 false-positive on a
+  // provably-linear pattern).
+  let s = String(u || '');
+  while (s.endsWith('/')) s = s.slice(0, -1);
+  return s;
+}
+
+function buildProtectedResourceMetadata(baseUrl) {
+  const base = trimSlash(baseUrl);
+  return {
+    resource: `${base}/mcp`,
+    authorization_servers: [base],
+    bearer_methods_supported: ['header'],
+    scopes_supported: ['mcp:read', 'mcp:write'],
+    resource_documentation: `${base}/docs/connectors`,
+  };
+}
+
+function buildAuthServerMetadata(baseUrl) {
+  const base = trimSlash(baseUrl);
+  return {
+    issuer: base,
+    authorization_endpoint: `${base}/oauth/authorize`,
+    token_endpoint: `${base}/oauth/token`,
+    registration_endpoint: `${base}/oauth/register`,
+    scopes_supported: ['mcp:read', 'mcp:write'],
+    response_types_supported: ['code'],
+    grant_types_supported: ['authorization_code'],
+    code_challenge_methods_supported: ['S256'],
+    token_endpoint_auth_methods_supported: ['none'],
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Dynamic client registration (RFC 7591)
+// ---------------------------------------------------------------------------
+
+// The MCP authorization spec is explicit: "All redirect URIs MUST be either
+// `localhost` or use HTTPS." We therefore accept only HTTPS and loopback
+// (http://localhost | http://127.0.0.1) and reject every other scheme —
+// including native-app custom schemes (myapp://, intent://, etc.), which the MCP
+// profile does not sanction and the real client (Claude) does not use.
+function isAllowedRedirectUri(uri) {
+  const u = String(uri || '');
+  if (/^https:\/\//i.test(u)) return true;
+  if (/^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/i.test(u)) return true;
+  return false;
+}
+
+function registerClient(store, body = {}) {
+  const redirectUris = Array.isArray(body.redirect_uris) ? body.redirect_uris.filter(Boolean) : [];
+  if (redirectUris.length === 0) {
+    return { error: 'invalid_redirect_uri', error_description: 'redirect_uris is required' };
+  }
+  for (const uri of redirectUris) {
+    if (!isAllowedRedirectUri(uri)) {
+      return { error: 'invalid_redirect_uri', error_description: `unsupported redirect_uri: ${uri}` };
+    }
+  }
+  const clientId = `tg_${randomToken(16)}`;
+  const record = {
+    client_id: clientId,
+    redirect_uris: redirectUris,
+    token_endpoint_auth_method: 'none',
+    grant_types: ['authorization_code'],
+    response_types: ['code'],
+    client_name: typeof body.client_name === 'string' ? body.client_name.slice(0, 200) : 'mcp-client',
+    created_at: now(),
+  };
+  capInsert(store.clients, clientId, record, MAX_CLIENTS);
+  return record;
+}
+
+function getClient(store, clientId) {
+  return store.clients.get(clientId) || null;
+}
+
+// ---------------------------------------------------------------------------
+// Authorization code (PKCE S256)
+// ---------------------------------------------------------------------------
+
+/**
+ * Issue an auth code. `boundKey` is the ThumbGate API key the resulting access
+ * token will act as (resolved by the authorize step once the user consents).
+ */
+function createAuthorizationCode(store, {
+  clientId, redirectUri, codeChallenge, codeChallengeMethod, scope, boundKey, state, resource,
+} = {}) {
+  const client = getClient(store, clientId);
+  if (!client) return { error: 'invalid_client' };
+  if (!client.redirect_uris.includes(redirectUri)) return { error: 'invalid_request', error_description: 'redirect_uri mismatch' };
+  if (codeChallengeMethod !== 'S256') return { error: 'invalid_request', error_description: 'code_challenge_method must be S256' };
+  if (!codeChallenge || String(codeChallenge).length < 16) return { error: 'invalid_request', error_description: 'code_challenge required' };
+
+  const code = randomToken(24);
+  capInsert(store.codes, code, {
+    clientId,
+    redirectUri,
+    codeChallenge,
+    scope: scope || DEFAULT_SCOPE,
+    boundKey: boundKey || '',
+    resource: resource || '', // RFC 8707 resource indicator (the MCP server URL)
+    expiresAt: now() + AUTH_CODE_TTL_MS,
+    used: false,
+  }, MAX_CODES);
+  return { code, state };
+}
+
+function verifyPkce(codeChallenge, codeVerifier) {
+  if (!codeChallenge || !codeVerifier) return false;
+  // RFC 7636: verifier 43–128 chars.
+  if (String(codeVerifier).length < 43 || String(codeVerifier).length > 128) return false;
+  try {
+    return crypto.timingSafeEqual(
+      Buffer.from(base64UrlSha256(codeVerifier)),
+      Buffer.from(String(codeChallenge)),
+    );
+  } catch {
+    return false;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Token exchange + validation
+// ---------------------------------------------------------------------------
+
+function exchangeCode(store, { code, codeVerifier, clientId, redirectUri, resource } = {}) {
+  const entry = store.codes.get(code);
+  if (!entry) return { error: 'invalid_grant', error_description: 'unknown code' };
+  // Single-use + expiry: consume regardless of outcome.
+  store.codes.delete(code);
+  if (entry.used) return { error: 'invalid_grant', error_description: 'code already used' };
+  if (now() > entry.expiresAt) return { error: 'invalid_grant', error_description: 'code expired' };
+  if (entry.clientId !== clientId) return { error: 'invalid_grant', error_description: 'client mismatch' };
+  if (entry.redirectUri !== redirectUri) return { error: 'invalid_grant', error_description: 'redirect_uri mismatch' };
+  if (!verifyPkce(entry.codeChallenge, codeVerifier)) return { error: 'invalid_grant', error_description: 'PKCE verification failed' };
+  // RFC 8707: the resource at token time must match the one bound at authorize time.
+  if (entry.resource && resource && entry.resource !== resource) {
+    return { error: 'invalid_target', error_description: 'resource indicator mismatch' };
+  }
+
+  const accessToken = `tgat_${randomToken(32)}`;
+  capInsert(store.tokens, accessToken, {
+    boundKey: entry.boundKey,
+    scope: entry.scope,
+    clientId,
+    aud: entry.resource || resource || '',
+    expiresAt: now() + ACCESS_TOKEN_TTL_MS,
+  }, MAX_TOKENS);
+  return {
+    access_token: accessToken,
+    token_type: 'Bearer',
+    expires_in: Math.floor(ACCESS_TOKEN_TTL_MS / 1000),
+    scope: entry.scope,
+  };
+}
+
+/** Resolve an access token to its session, or null if invalid/expired. */
+function resolveAccessToken(store, token) {
+  if (!token) return null;
+  const entry = store.tokens.get(token);
+  if (!entry) return null;
+  if (now() > entry.expiresAt) {
+    store.tokens.delete(token);
+    return null;
+  }
+  return { boundKey: entry.boundKey, scope: entry.scope, clientId: entry.clientId, aud: entry.aud };
+}
+
+/**
+ * RFC 8707 audience validation: a token is valid for `expectedResource` only if it
+ * was issued for it (or carries no audience, for back-compat). MCP servers MUST
+ * reject tokens minted for a different resource.
+ */
+function tokenAudienceValid(session, expectedResource) {
+  if (!session) return false;
+  if (!session.aud) return true; // no audience recorded — accept (back-compat)
+  return session.aud === expectedResource;
+}
+
+/** Best-effort GC of expired codes/tokens (call opportunistically). */
+function pruneExpired(store) {
+  const t = now();
+  for (const [k, v] of store.codes) if (t > v.expiresAt) store.codes.delete(k);
+  for (const [k, v] of store.tokens) if (t > v.expiresAt) store.tokens.delete(k);
+}
+
+module.exports = {
+  createStore,
+  buildProtectedResourceMetadata,
+  buildAuthServerMetadata,
+  registerClient,
+  getClient,
+  createAuthorizationCode,
+  verifyPkce,
+  exchangeCode,
+  resolveAccessToken,
+  tokenAudienceValid,
+  pruneExpired,
+  isAllowedRedirectUri,
+  base64UrlSha256,
+  AUTH_CODE_TTL_MS,
+  ACCESS_TOKEN_TTL_MS,
+  DEFAULT_SCOPE,
+  MAX_CLIENTS,
+  MAX_CODES,
+  MAX_TOKENS,
+};

package/scripts/plausible-server-events.js

@@ -25,7 +25,7 @@
 
 const https = require('node:https');
 
-const DEFAULT_PLAUSIBLE_DOMAIN = 'thumbgate-production.up.railway.app';
+const DEFAULT_PLAUSIBLE_DOMAIN = 'thumbgate.ai';
 const PLAUSIBLE_ENDPOINT = 'https://plausible.io/api/event';
 const REQUEST_TIMEOUT_MS = 2_000;
 
@@ -142,6 +142,7 @@ const CHECKOUT_EVENT_NAMES = Object.freeze({
   view: 'Checkout Pro Viewed',
   emailSubmitted: 'Checkout Pro Email Submitted',
   stripeRedirect: 'Checkout Pro Stripe Redirect Started',
+  purchase: 'Checkout Pro Purchase Completed',
 });
 
 function recordCheckoutFunnelEvent(stage, options = {}) {

package/scripts/rate-limiter.js

@@ -12,35 +12,37 @@ const {
 const USAGE_FILE = path.join(process.env.HOME || '/tmp', '.thumbgate', 'usage-limits.json');
 
 // ──────────────────────────────────────────────────────────
-// Free tier: generous on captures (habit formation) and rules
-// (5 active gates), gated on Pro-only features (recall, search,
-// exports). Dashboard, exports, and unlimited rules drive Pro.
+// Free tier: tight enough to create upgrade pressure after
+// real usage. Captures and rules are capped so heavy users
+// hit the wall within the first week, not the first quarter.
 // ──────────────────────────────────────────────────────────
 const FREE_TIER_LIMITS = {
-  capture_feedback:   { daily: Infinity, lifetime: Infinity, label: 'feedback captures' },
-  prevention_rules:   { daily: Infinity, lifetime: Infinity, label: 'prevention rules generated' },
+  capture_feedback:   { daily: 5,        lifetime: 25,       label: 'feedback captures (5/day, 25 total on free)' },
+  prevention_rules:   { daily: 2,        lifetime: 6,        label: 'prevention rules generated (2/day on free)' },
   recall:             { daily: 0,        lifetime: 0,        label: 'recall queries (Pro only)' },
   search_lessons:     { daily: 0,        lifetime: 0,        label: 'lesson searches (Pro only)' },
   search_thumbgate:   { daily: 0,        lifetime: 0,        label: 'ThumbGate searches (Pro only)' },
   commerce_recall:    { daily: 0,        lifetime: 0,        label: 'commerce recalls (Pro only)' },
   export_dpo:         { daily: 0,        lifetime: 0,        label: 'DPO exports (Pro only)' },
   export_databricks:  { daily: 0,        lifetime: 0,        label: 'Databricks exports (Pro only)' },
-  construct_context_pack: { daily: Infinity, lifetime: Infinity, label: 'context packs' },
+  construct_context_pack: { daily: 3,    lifetime: Infinity,  label: 'context packs (3/day on free)' },
 };
 
-const FREE_TIER_MAX_GATES = 5; // 5 active prevention rules on free; Pro is unlimited
-const FREE_TIER_DAILY_BLOCKS = 10; // 10 gate blocks/day on free; after limit, deny → warn + upgrade CTA
+const FREE_TIER_MAX_GATES = 3; // 3 active prevention rules on free; Pro is unlimited
+const FREE_TIER_DAILY_BLOCKS = 3; // 3 gate blocks/day on free; after limit, deny → warn + upgrade CTA
 
 const UPGRADE_MESSAGE = `Pro: ${PRO_PRICE_LABEL} — unlimited rules, recall, lesson search, dashboard, and exports: ${PRO_MONTHLY_PAYMENT_LINK}\n  Team: ${TEAM_PRICE_LABEL} after workflow qualification.`;
 
 const PAYWALL_MESSAGES = {
-  prevention_rules: 'Free tier includes 5 active prevention rules. Promote more or unlock unlimited rules with Pro.',
+  capture_feedback: 'Free tier: 5 captures/day (25 total). Your feedback is stored locally — upgrade to capture unlimited.',
+  prevention_rules: 'Free tier includes 3 active prevention rules and 2 rule generations/day. Upgrade to Pro for unlimited rules.',
   recall: 'Recall is a Pro feature. Your past feedback is stored locally — upgrade to search and reuse it.',
   search_lessons: 'Lesson search is a Pro feature. Upgrade to find patterns in your agent\'s mistakes.',
+  construct_context_pack: 'Free tier: 3 context packs/day. Upgrade to Pro for unlimited.',
   default: 'This feature requires Pro. Start Pro — card required; billed today.',
 };
 
-const TRIAL_DAYS = 14;
+const TRIAL_DAYS = 7;
 
 function getInstallAgeDays() {
   try {
@@ -91,7 +93,8 @@ function isProTier(authContext) {
     const { isProLicensed } = require('./license');
     if (isProLicensed()) return true;
   } catch (_) {}
-  // 14-day reverse trial: new installs get full Pro access
+  // 7-day reverse trial: new installs get full Pro access, then hit a clear
+  // hosted-sync/unlimited-rules pay moment while the product is still fresh.
   if (isInTrialPeriod()) return true;
   return false;
 }
@@ -164,9 +167,10 @@ function checkLimit(action, authContext) {
 
   // Check daily limit
   if (dailyLimit !== Infinity && dailyCurrent >= dailyLimit) {
+    const paywallMsg = PAYWALL_MESSAGES[action] || PAYWALL_MESSAGES.default;
     return {
       allowed: false,
-      message: `Daily limit reached. ${UPGRADE_MESSAGE}`,
+      message: `Daily limit reached. ${paywallMsg}\n\n${UPGRADE_MESSAGE}`,
       used: dailyCurrent,
       limit: dailyLimit,
       limitType: 'daily',

package/scripts/security-scanner.js

@@ -1,6 +1,9 @@
 #!/usr/bin/env node
 'use strict';
 
+const { loadOptionalModule } = require("./private-core-boundary");
+
+
 /**
  * Security Scanner — OWASP-aware static analysis for PreToolUse checks.
  *
@@ -16,6 +19,10 @@
 const fs = require('fs');
 const path = require('path');
 const { recordAuditEvent, auditToFeedback } = require('./audit-trail');
+const { scanInstallCommand, detectSlopsquat } = loadOptionalModule('./slopsquat-guard', () => ({
+  scanInstallCommand: () => ({ detected: false, findings: [] }),
+  detectSlopsquat: () => null,
+}));
 
 // ---------------------------------------------------------------------------
 // Vulnerability pattern definitions (OWASP Top 10 + supply chain)
@@ -277,6 +284,18 @@ function scanDependencyChange(oldContent, newContent) {
             path: 'package.json',
           });
         }
+
+        // Tier 3: Slopsquat Guard — deterministic typosquat detection
+        const slopsquatFinding = detectSlopsquat(pkg, 'npm');
+        if (slopsquatFinding) {
+          findings.push({
+            id: slopsquatFinding.id,
+            category: 'supply-chain',
+            severity: slopsquatFinding.severity,
+            label: slopsquatFinding.label,
+            path: 'package.json',
+          });
+        }
       }
     }
   }
@@ -313,27 +332,68 @@ function scanDependencyChange(oldContent, newContent) {
  * @param {Object} input - Hook input { tool_name, tool_input }
  * @returns {Object|null} Gate result or null if clean
  */
+
+/**
+ * Evaluate slopsquat guard for a Bash command.
+ * @param {string} toolName 
+ * @param {Object} toolInput 
+ * @returns {Object|null}
+ */
+function evaluateSlopsquatScan(toolName, toolInput) {
+  if (toolName !== "Bash") return null;
+  const command = toolInput.command || "";
+  if (!command) return null;
+
+  const { resolveMode, scanInstallCommand } = loadOptionalModule("./slopsquat-guard", () => ({
+    resolveMode: () => "block",
+    scanInstallCommand: () => ({ detected: false, findings: [] }),
+  }));
+
+  const mode = resolveMode();
+  if (mode === "off") return null;
+
+  const result = scanInstallCommand(command);
+  if (!result.detected) return null;
+
+  const hasCritical = result.findings.some(f => f.severity === "critical");
+  const decision = (mode === "block" && hasCritical) ? "deny" : "warn";
+
+  return {
+    decision,
+    gate: "slopsquat-guard",
+    message: "✗ THUMBGATE: " + result.findings[0].label,
+    severity: hasCritical ? "critical" : "high",
+    reasoning: result.findings.map(f => f.label),
+  };
+}
+
 function evaluateSecurityScan(input = {}) {
   const toolName = input.tool_name || input.toolName || '';
   const toolInput = input.tool_input || {};
 
-  // Only scan write-type operations
+  // Only scan write-type operations and Bash commands
   const WRITE_TOOLS = new Set(['Edit', 'Write', 'MultiEdit']);
-  if (!WRITE_TOOLS.has(toolName)) {
+  const IS_BASH = toolName === 'Bash';
+  
+  if (!WRITE_TOOLS.has(toolName) && !IS_BASH) {
     return null;
   }
 
   const filePath = toolInput.file_path || toolInput.path || '';
   const content = toolInput.content || toolInput.new_string || '';
+  const command = toolInput.command || '';
 
-  if (!content) return null;
+  if (!content && !command) return null;
 
-  // Tier 1: Code vulnerability scan
-  const codeResult = scanCode(content, filePath);
+  // Tier 1: Code vulnerability scan (for Edits)
+  let codeResult = { detected: false, findings: [] };
+  if (content) {
+    codeResult = scanCode(content, filePath);
+  }
 
   // Tier 2: Supply chain scan for package.json changes
   let supplyChainResult = { detected: false, findings: [] };
-  if (filePath && path.basename(filePath) === 'package.json') {
+  if (filePath && path.basename(filePath) === 'package.json' && content) {
     let oldContent = '';
     try {
       const absPath = path.isAbsolute(filePath) ? filePath : path.resolve(filePath);
@@ -344,7 +404,14 @@ function evaluateSecurityScan(input = {}) {
     supplyChainResult = scanDependencyChange(oldContent, content);
   }
 
-  const allFindings = [...codeResult.findings, ...supplyChainResult.findings];
+  // Tier 3: Slopsquat Guard for Bash commands
+  let slopsquatResult = { detected: false, findings: [] };
+  if (IS_BASH && command) {
+    const slopsquatGate = evaluateSlopsquatScan(toolName, toolInput);
+    if (slopsquatGate) return slopsquatGate;
+  }
+
+  const allFindings = [...codeResult.findings, ...supplyChainResult.findings, ...slopsquatResult.findings];
   if (allFindings.length === 0) return null;
 
   // Determine overall severity
@@ -359,16 +426,18 @@ function evaluateSecurityScan(input = {}) {
     `[${f.severity.toUpperCase()}] ${f.label}${f.line ? ` (line ${f.line})` : ''}`
   ).join('; ');
 
-  const message = `Security scan detected ${allFindings.length} issue(s) in ${filePath || 'code'}: ${summary}`;
+  const message = `Security scan detected ${allFindings.length} issue(s) in ${filePath || (IS_BASH ? 'command' : 'code')}: ${summary}`;
 
   const reasoning = [
-    `Scanned ${content.length} bytes of content being written to ${filePath || 'unknown file'}`,
+    IS_BASH 
+      ? `Scanned Bash command for slopsquat/typosquat risk: "${command.slice(0, 100)}..."`
+      : `Scanned ${content.length} bytes of content being written to ${filePath || 'unknown file'}`,
     ...allFindings.map(f => `${f.category}/${f.id}: ${f.label}${f.match ? ` — matched: ${f.match.slice(0, 60)}` : ''}`),
   ];
 
   recordAuditEvent({
     toolName,
-    toolInput: { file_path: filePath, content_length: content.length },
+    toolInput: { file_path: filePath, content_length: content.length, command: IS_BASH ? command : undefined },
     decision,
     gateId,
     message,
@@ -439,6 +508,7 @@ function scanGitDiff(diffContent) {
 // ---------------------------------------------------------------------------
 
 module.exports = {
+  evaluateSlopsquatScan,
   VULN_PATTERNS,
   SUPPLY_CHAIN_PATTERNS,
   scanCode,