thumbgate 1.23.2 → 1.25.0

package/scripts/mcp-oauth.js

@@ -0,0 +1,293 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * mcp-oauth.js — OAuth 2.1 (PKCE) authorization-server machinery for the remote
+ * ThumbGate MCP connector, required by the Claude Connectors Directory
+ * ("Use OAuth 2.0 for authenticated services").
+ *
+ * Pure, dependency-free, IO-free functions + an injectable store, so the full
+ * flow is unit-testable without a network. The HTTP wiring (in src/api/server.js)
+ * is a thin shell over these.
+ *
+ * Implements:
+ *   - RFC 9728 protected-resource metadata
+ *   - RFC 8414 authorization-server metadata
+ *   - RFC 7591 dynamic client registration (open registration)
+ *   - Authorization-code grant with mandatory PKCE S256 (RFC 7636)
+ *   - Bearer access tokens bound to a ThumbGate API key (so existing gating is unchanged)
+ *
+ * SECURITY NOTES:
+ *   - PKCE S256 is mandatory; the plain method is rejected.
+ *   - Auth codes are single-use and short-lived (60s); access tokens TTL-bound.
+ *   - redirect_uri is matched exactly against the registered set.
+ *   - The token never exposes the bound ThumbGate key; it maps server-side only.
+ */
+
+const crypto = require('crypto');
+
+const AUTH_CODE_TTL_MS = 60 * 1000; // 1 minute
+const ACCESS_TOKEN_TTL_MS = 60 * 60 * 1000; // 1 hour
+const DEFAULT_SCOPE = 'mcp:read mcp:write';
+
+// Upper bounds on the in-memory store. The registration and authorization
+// endpoints are reachable pre-auth, so without a cap a malicious caller could
+// grow these Maps unboundedly and exhaust server memory. When a Map is full we
+// evict the oldest entry (FIFO) rather than deny service to legitimate clients.
+const MAX_CLIENTS = 10000;
+const MAX_CODES = 10000;
+const MAX_TOKENS = 50000;
+
+function now() {
+  return Date.now();
+}
+
+function randomToken(bytes = 32) {
+  return crypto.randomBytes(bytes).toString('base64url');
+}
+
+function base64UrlSha256(input) {
+  return crypto.createHash('sha256').update(String(input)).digest('base64url');
+}
+
+/**
+ * Create a fresh in-memory store.
+ *
+ * DURABILITY (known limitation): this uses plain Maps, so a process restart or a
+ * multi-instance / load-balanced deployment will drop issued tokens and
+ * registered clients (clients see 401s, in-flight authorizations break). For
+ * single-instance use this is fine; production multi-tenancy needs a durable,
+ * shared backing (Redis/DB) — tracked as the per-user-data-scoping follow-up.
+ * Entry counts are bounded (see MAX_* and capInsert) to prevent memory
+ * exhaustion from anonymous calls to the registration/authorization endpoints.
+ */
+function createStore() {
+  return {
+    clients: new Map(),
+    codes: new Map(),
+    tokens: new Map(),
+  };
+}
+
+/** Insert into a Map, evicting the oldest entry (FIFO) once `max` is reached. */
+function capInsert(map, key, value, max) {
+  if (map.size >= max && !map.has(key)) {
+    const oldest = map.keys().next().value;
+    if (oldest !== undefined) map.delete(oldest);
+  }
+  map.set(key, value);
+}
+
+// ---------------------------------------------------------------------------
+// Metadata (RFC 9728 / RFC 8414)
+// ---------------------------------------------------------------------------
+
+function trimSlash(u) {
+  // Non-regex trailing-slash strip (avoids a SonarCloud S5852 false-positive on a
+  // provably-linear pattern).
+  let s = String(u || '');
+  while (s.endsWith('/')) s = s.slice(0, -1);
+  return s;
+}
+
+function buildProtectedResourceMetadata(baseUrl) {
+  const base = trimSlash(baseUrl);
+  return {
+    resource: `${base}/mcp`,
+    authorization_servers: [base],
+    bearer_methods_supported: ['header'],
+    scopes_supported: ['mcp:read', 'mcp:write'],
+    resource_documentation: `${base}/docs/connectors`,
+  };
+}
+
+function buildAuthServerMetadata(baseUrl) {
+  const base = trimSlash(baseUrl);
+  return {
+    issuer: base,
+    authorization_endpoint: `${base}/oauth/authorize`,
+    token_endpoint: `${base}/oauth/token`,
+    registration_endpoint: `${base}/oauth/register`,
+    scopes_supported: ['mcp:read', 'mcp:write'],
+    response_types_supported: ['code'],
+    grant_types_supported: ['authorization_code'],
+    code_challenge_methods_supported: ['S256'],
+    token_endpoint_auth_methods_supported: ['none'],
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Dynamic client registration (RFC 7591)
+// ---------------------------------------------------------------------------
+
+// The MCP authorization spec is explicit: "All redirect URIs MUST be either
+// `localhost` or use HTTPS." We therefore accept only HTTPS and loopback
+// (http://localhost | http://127.0.0.1) and reject every other scheme —
+// including native-app custom schemes (myapp://, intent://, etc.), which the MCP
+// profile does not sanction and the real client (Claude) does not use.
+function isAllowedRedirectUri(uri) {
+  const u = String(uri || '');
+  if (/^https:\/\//i.test(u)) return true;
+  if (/^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/i.test(u)) return true;
+  return false;
+}
+
+function registerClient(store, body = {}) {
+  const redirectUris = Array.isArray(body.redirect_uris) ? body.redirect_uris.filter(Boolean) : [];
+  if (redirectUris.length === 0) {
+    return { error: 'invalid_redirect_uri', error_description: 'redirect_uris is required' };
+  }
+  for (const uri of redirectUris) {
+    if (!isAllowedRedirectUri(uri)) {
+      return { error: 'invalid_redirect_uri', error_description: `unsupported redirect_uri: ${uri}` };
+    }
+  }
+  const clientId = `tg_${randomToken(16)}`;
+  const record = {
+    client_id: clientId,
+    redirect_uris: redirectUris,
+    token_endpoint_auth_method: 'none',
+    grant_types: ['authorization_code'],
+    response_types: ['code'],
+    client_name: typeof body.client_name === 'string' ? body.client_name.slice(0, 200) : 'mcp-client',
+    created_at: now(),
+  };
+  capInsert(store.clients, clientId, record, MAX_CLIENTS);
+  return record;
+}
+
+function getClient(store, clientId) {
+  return store.clients.get(clientId) || null;
+}
+
+// ---------------------------------------------------------------------------
+// Authorization code (PKCE S256)
+// ---------------------------------------------------------------------------
+
+/**
+ * Issue an auth code. `boundKey` is the ThumbGate API key the resulting access
+ * token will act as (resolved by the authorize step once the user consents).
+ */
+function createAuthorizationCode(store, {
+  clientId, redirectUri, codeChallenge, codeChallengeMethod, scope, boundKey, state, resource,
+} = {}) {
+  const client = getClient(store, clientId);
+  if (!client) return { error: 'invalid_client' };
+  if (!client.redirect_uris.includes(redirectUri)) return { error: 'invalid_request', error_description: 'redirect_uri mismatch' };
+  if (codeChallengeMethod !== 'S256') return { error: 'invalid_request', error_description: 'code_challenge_method must be S256' };
+  if (!codeChallenge || String(codeChallenge).length < 16) return { error: 'invalid_request', error_description: 'code_challenge required' };
+
+  const code = randomToken(24);
+  capInsert(store.codes, code, {
+    clientId,
+    redirectUri,
+    codeChallenge,
+    scope: scope || DEFAULT_SCOPE,
+    boundKey: boundKey || '',
+    resource: resource || '', // RFC 8707 resource indicator (the MCP server URL)
+    expiresAt: now() + AUTH_CODE_TTL_MS,
+    used: false,
+  }, MAX_CODES);
+  return { code, state };
+}
+
+function verifyPkce(codeChallenge, codeVerifier) {
+  if (!codeChallenge || !codeVerifier) return false;
+  // RFC 7636: verifier 43–128 chars.
+  if (String(codeVerifier).length < 43 || String(codeVerifier).length > 128) return false;
+  try {
+    return crypto.timingSafeEqual(
+      Buffer.from(base64UrlSha256(codeVerifier)),
+      Buffer.from(String(codeChallenge)),
+    );
+  } catch {
+    return false;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Token exchange + validation
+// ---------------------------------------------------------------------------
+
+function exchangeCode(store, { code, codeVerifier, clientId, redirectUri, resource } = {}) {
+  const entry = store.codes.get(code);
+  if (!entry) return { error: 'invalid_grant', error_description: 'unknown code' };
+  // Single-use + expiry: consume regardless of outcome.
+  store.codes.delete(code);
+  if (entry.used) return { error: 'invalid_grant', error_description: 'code already used' };
+  if (now() > entry.expiresAt) return { error: 'invalid_grant', error_description: 'code expired' };
+  if (entry.clientId !== clientId) return { error: 'invalid_grant', error_description: 'client mismatch' };
+  if (entry.redirectUri !== redirectUri) return { error: 'invalid_grant', error_description: 'redirect_uri mismatch' };
+  if (!verifyPkce(entry.codeChallenge, codeVerifier)) return { error: 'invalid_grant', error_description: 'PKCE verification failed' };
+  // RFC 8707: the resource at token time must match the one bound at authorize time.
+  if (entry.resource && resource && entry.resource !== resource) {
+    return { error: 'invalid_target', error_description: 'resource indicator mismatch' };
+  }
+
+  const accessToken = `tgat_${randomToken(32)}`;
+  capInsert(store.tokens, accessToken, {
+    boundKey: entry.boundKey,
+    scope: entry.scope,
+    clientId,
+    aud: entry.resource || resource || '',
+    expiresAt: now() + ACCESS_TOKEN_TTL_MS,
+  }, MAX_TOKENS);
+  return {
+    access_token: accessToken,
+    token_type: 'Bearer',
+    expires_in: Math.floor(ACCESS_TOKEN_TTL_MS / 1000),
+    scope: entry.scope,
+  };
+}
+
+/** Resolve an access token to its session, or null if invalid/expired. */
+function resolveAccessToken(store, token) {
+  if (!token) return null;
+  const entry = store.tokens.get(token);
+  if (!entry) return null;
+  if (now() > entry.expiresAt) {
+    store.tokens.delete(token);
+    return null;
+  }
+  return { boundKey: entry.boundKey, scope: entry.scope, clientId: entry.clientId, aud: entry.aud };
+}
+
+/**
+ * RFC 8707 audience validation: a token is valid for `expectedResource` only if it
+ * was issued for it (or carries no audience, for back-compat). MCP servers MUST
+ * reject tokens minted for a different resource.
+ */
+function tokenAudienceValid(session, expectedResource) {
+  if (!session) return false;
+  if (!session.aud) return true; // no audience recorded — accept (back-compat)
+  return session.aud === expectedResource;
+}
+
+/** Best-effort GC of expired codes/tokens (call opportunistically). */
+function pruneExpired(store) {
+  const t = now();
+  for (const [k, v] of store.codes) if (t > v.expiresAt) store.codes.delete(k);
+  for (const [k, v] of store.tokens) if (t > v.expiresAt) store.tokens.delete(k);
+}
+
+module.exports = {
+  createStore,
+  buildProtectedResourceMetadata,
+  buildAuthServerMetadata,
+  registerClient,
+  getClient,
+  createAuthorizationCode,
+  verifyPkce,
+  exchangeCode,
+  resolveAccessToken,
+  tokenAudienceValid,
+  pruneExpired,
+  isAllowedRedirectUri,
+  base64UrlSha256,
+  AUTH_CODE_TTL_MS,
+  ACCESS_TOKEN_TTL_MS,
+  DEFAULT_SCOPE,
+  MAX_CLIENTS,
+  MAX_CODES,
+  MAX_TOKENS,
+};

package/scripts/security-scanner.js

@@ -1,6 +1,9 @@
 #!/usr/bin/env node
 'use strict';
 
+const { loadOptionalModule } = require("./private-core-boundary");
+
+
 /**
  * Security Scanner — OWASP-aware static analysis for PreToolUse checks.
  *
@@ -16,6 +19,10 @@
 const fs = require('fs');
 const path = require('path');
 const { recordAuditEvent, auditToFeedback } = require('./audit-trail');
+const { scanInstallCommand, detectSlopsquat } = loadOptionalModule('./slopsquat-guard', () => ({
+  scanInstallCommand: () => ({ detected: false, findings: [] }),
+  detectSlopsquat: () => null,
+}));
 
 // ---------------------------------------------------------------------------
 // Vulnerability pattern definitions (OWASP Top 10 + supply chain)
@@ -277,6 +284,18 @@ function scanDependencyChange(oldContent, newContent) {
             path: 'package.json',
           });
         }
+
+        // Tier 3: Slopsquat Guard — deterministic typosquat detection
+        const slopsquatFinding = detectSlopsquat(pkg, 'npm');
+        if (slopsquatFinding) {
+          findings.push({
+            id: slopsquatFinding.id,
+            category: 'supply-chain',
+            severity: slopsquatFinding.severity,
+            label: slopsquatFinding.label,
+            path: 'package.json',
+          });
+        }
       }
     }
   }
@@ -313,27 +332,68 @@ function scanDependencyChange(oldContent, newContent) {
  * @param {Object} input - Hook input { tool_name, tool_input }
  * @returns {Object|null} Gate result or null if clean
  */
+
+/**
+ * Evaluate slopsquat guard for a Bash command.
+ * @param {string} toolName 
+ * @param {Object} toolInput 
+ * @returns {Object|null}
+ */
+function evaluateSlopsquatScan(toolName, toolInput) {
+  if (toolName !== "Bash") return null;
+  const command = toolInput.command || "";
+  if (!command) return null;
+
+  const { resolveMode, scanInstallCommand } = loadOptionalModule("./slopsquat-guard", () => ({
+    resolveMode: () => "block",
+    scanInstallCommand: () => ({ detected: false, findings: [] }),
+  }));
+
+  const mode = resolveMode();
+  if (mode === "off") return null;
+
+  const result = scanInstallCommand(command);
+  if (!result.detected) return null;
+
+  const hasCritical = result.findings.some(f => f.severity === "critical");
+  const decision = (mode === "block" && hasCritical) ? "deny" : "warn";
+
+  return {
+    decision,
+    gate: "slopsquat-guard",
+    message: "✗ THUMBGATE: " + result.findings[0].label,
+    severity: hasCritical ? "critical" : "high",
+    reasoning: result.findings.map(f => f.label),
+  };
+}
+
 function evaluateSecurityScan(input = {}) {
   const toolName = input.tool_name || input.toolName || '';
   const toolInput = input.tool_input || {};
 
-  // Only scan write-type operations
+  // Only scan write-type operations and Bash commands
   const WRITE_TOOLS = new Set(['Edit', 'Write', 'MultiEdit']);
-  if (!WRITE_TOOLS.has(toolName)) {
+  const IS_BASH = toolName === 'Bash';
+  
+  if (!WRITE_TOOLS.has(toolName) && !IS_BASH) {
     return null;
   }
 
   const filePath = toolInput.file_path || toolInput.path || '';
   const content = toolInput.content || toolInput.new_string || '';
+  const command = toolInput.command || '';
 
-  if (!content) return null;
+  if (!content && !command) return null;
 
-  // Tier 1: Code vulnerability scan
-  const codeResult = scanCode(content, filePath);
+  // Tier 1: Code vulnerability scan (for Edits)
+  let codeResult = { detected: false, findings: [] };
+  if (content) {
+    codeResult = scanCode(content, filePath);
+  }
 
   // Tier 2: Supply chain scan for package.json changes
   let supplyChainResult = { detected: false, findings: [] };
-  if (filePath && path.basename(filePath) === 'package.json') {
+  if (filePath && path.basename(filePath) === 'package.json' && content) {
     let oldContent = '';
     try {
       const absPath = path.isAbsolute(filePath) ? filePath : path.resolve(filePath);
@@ -344,7 +404,14 @@ function evaluateSecurityScan(input = {}) {
     supplyChainResult = scanDependencyChange(oldContent, content);
   }
 
-  const allFindings = [...codeResult.findings, ...supplyChainResult.findings];
+  // Tier 3: Slopsquat Guard for Bash commands
+  let slopsquatResult = { detected: false, findings: [] };
+  if (IS_BASH && command) {
+    const slopsquatGate = evaluateSlopsquatScan(toolName, toolInput);
+    if (slopsquatGate) return slopsquatGate;
+  }
+
+  const allFindings = [...codeResult.findings, ...supplyChainResult.findings, ...slopsquatResult.findings];
   if (allFindings.length === 0) return null;
 
   // Determine overall severity
@@ -359,16 +426,18 @@ function evaluateSecurityScan(input = {}) {
     `[${f.severity.toUpperCase()}] ${f.label}${f.line ? ` (line ${f.line})` : ''}`
   ).join('; ');
 
-  const message = `Security scan detected ${allFindings.length} issue(s) in ${filePath || 'code'}: ${summary}`;
+  const message = `Security scan detected ${allFindings.length} issue(s) in ${filePath || (IS_BASH ? 'command' : 'code')}: ${summary}`;
 
   const reasoning = [
-    `Scanned ${content.length} bytes of content being written to ${filePath || 'unknown file'}`,
+    IS_BASH 
+      ? `Scanned Bash command for slopsquat/typosquat risk: "${command.slice(0, 100)}..."`
+      : `Scanned ${content.length} bytes of content being written to ${filePath || 'unknown file'}`,
     ...allFindings.map(f => `${f.category}/${f.id}: ${f.label}${f.match ? ` — matched: ${f.match.slice(0, 60)}` : ''}`),
   ];
 
   recordAuditEvent({
     toolName,
-    toolInput: { file_path: filePath, content_length: content.length },
+    toolInput: { file_path: filePath, content_length: content.length, command: IS_BASH ? command : undefined },
     decision,
     gateId,
     message,
@@ -439,6 +508,7 @@ function scanGitDiff(diffContent) {
 // ---------------------------------------------------------------------------
 
 module.exports = {
+  evaluateSlopsquatScan,
   VULN_PATTERNS,
   SUPPLY_CHAIN_PATTERNS,
   scanCode,

package/scripts/tool-registry.js

@@ -1,10 +1,23 @@
 #!/usr/bin/env node
 'use strict';
 
+// Human-readable display title from a snake_case tool name.
+// e.g. "capture_feedback" -> "Capture Feedback". The Claude Connectors Directory
+// requires every tool to carry BOTH a title and a readOnlyHint/destructiveHint.
+function humanizeTitle(name) {
+  return String(name || '')
+    .split(/[_-]+/)
+    .filter(Boolean)
+    .map((w) => w.charAt(0).toUpperCase() + w.slice(1))
+    .join(' ');
+}
+
 function readOnlyTool(tool) {
   return {
     ...tool,
+    title: tool.title || humanizeTitle(tool.name),
     annotations: {
+      title: tool.title || humanizeTitle(tool.name),
       readOnlyHint: true,
     },
   };
@@ -13,7 +26,9 @@ function readOnlyTool(tool) {
 function destructiveTool(tool) {
   return {
     ...tool,
+    title: tool.title || humanizeTitle(tool.name),
     annotations: {
+      title: tool.title || humanizeTitle(tool.name),
       destructiveHint: true,
     },
   };
@@ -1396,6 +1411,25 @@ const TOOLS = [
   }),
 ];
 
+// Normalize at export: guarantee EVERY tool carries a human-readable title and a
+// readOnlyHint/destructiveHint annotation (both required by the Connectors
+// Directory; the #1 rejection cause is missing annotations). Tools defined as
+// plain objects (not via readOnlyTool/destructiveTool) are backfilled here:
+// title from the name, and a conservative destructiveHint when no hint is set
+// (so an un-hinted tool is gated rather than silently treated as read-only).
+const NORMALIZED_TOOLS = TOOLS.map((tool) => {
+  const title = tool.title || humanizeTitle(tool.name);
+  const existing = tool.annotations || {};
+  const hasHint = existing.readOnlyHint === true || existing.destructiveHint === true;
+  const annotations = {
+    title,
+    ...existing,
+    ...(hasHint ? {} : { destructiveHint: true }),
+  };
+  return { ...tool, title, annotations };
+});
+
 module.exports = {
-  TOOLS,
+  TOOLS: NORMALIZED_TOOLS,
+  humanizeTitle,
 };

package/scripts/vector-store.js

@@ -312,6 +312,7 @@ function setGeminiEmbedderForTests(loader) {
 module.exports = {
   upsertFeedback,
   searchSimilar,
+  embed,
   TABLE_NAME,
   getEmbeddingConfig,
   getLastEmbeddingProfile,