buildmymcpserver

Author	SHA1	Message	Date
Marco Sadjadi	9d5386ccba	@ fix(security): sovereign-audit hardening pass — RCE, multi-tenant, reliability Reasoning-based audit fixes (all verified by typecheck, attack paths re-traced): - build-time RCE: validate spec.dependencies to npm-registry semver only (no git/url/file specifiers) + --ignore-scripts in runner Dockerfile. - container hardening fail-CLOSED: harden unless RUNNER_DISABLE_HARDENING=1, no longer gated on a fragile NODE_ENV string compare. - secret env keys validated (UPPER_SNAKE, reject NODE_/PATH/LD_). - cross-org image-tag collision: qualify tag with serverId. - /iterate now enforces suspension + daily-build limits like /servers. - preview SSE: clear keepalive in finally + on client close (timer/FD leak). - SMS OTP: atomic attempt counter (lt(attempts,MAX) in UPDATE) — brute-force race. - getSession orders membership by createdAt (deterministic primary org). - template scopes aggregated from real tool scopes (was hardcoded mcp:read). - template category filter pushed into WHERE (was applied after LIMIT). - support admin reply/status: 404 on unknown ticket; status change now audited. - build worker: queue defaultJobOptions, docker build/run/stop timeouts, old-container teardown in finally (no orphan on post-deploy DB failure). - nginx: HSTS, X-Frame-Options DENY, nosniff, Referrer-Policy. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> @	2026-05-29 20:56:30 +02:00
Marco Sadjadi	8c6f04f034	feat: oauth refresh-token grant + per-runner subdomain TLS plumbing All checks were successful Deploy to Production / deploy (push) Successful in 52s Details OAUTH REFRESH-TOKEN - oauth_tokens.subject column added (migration applied to prod DB): stores the JWT sub claim from the original authorization so refreshes can re-mint with the same identity without re-walking the (consumed) code. - Authorization-code branch now writes subject AND uses a 30-day expires_at for the row (was 1h — same as access token, which killed refresh after 1h). - New refresh_token grant branch: * looks up token by refresh-hash + expiry * client_id must match, client_secret verified if confidential * RFC 8707: requested resource must equal stored resource * OAuth 2.1 rotation: atomic UPDATE WHERE old_hash → new access JWT, new refresh token, extended expiry; loser of a race sees invalid_grant - Access TTL (1h) and refresh TTL (30d) extracted as constants. Clients no longer have to re-authorize hourly. Closes Zb-001. PER-RUNNER SUBDOMAIN TLS (Z1-002) Code path: - New MCP_DOMAIN env (e.g. "mcp.buildmymcpserver.com") + RUNNER_MAP_DIR (default /var/runner-map) in generator config. - deployContainer: writes /var/runner-map/<slug>.conf with content "slug.MCP_DOMAIN port;" and computes publicUrl as https://<slug>.<MCP_DOMAIN>. Falls back to http://host:port when MCP_DOMAIN is unset (zero behaviour change until host is configured). - stopContainer (both api/lib/docker.ts and generator/lib/deploy.ts) now accepts an optional slug arg and removes the map fragment. Callers (DELETE /v1/servers/:id, admin template takedown) updated. Infra path (one-time host setup — Marco runs as root): - scripts/setup-runner-tls.sh: 1. nginx vhost matching .mcp.buildmymcpserver.com via regex → reads slug→port from /opt/buildmymcpserver/runner-map.combined 2. systemd inotify service watches the map dir, combines fragments on any change, reloads nginx 3. installs inotify-tools if missing, idempotent - Prereqs documented at top: Cloudflare wildcard DNS proxied, Origin CA cert for .mcp.buildmymcpserver.com, SSL mode Full (strict). - After running: edit docker-compose.prod.yml to mount the map dir into api + generator, set MCP_DOMAIN in env, recreate containers. Closes Zb-001 fully. Closes Z1-002 on the code side; one Marco-on-host action away from closing it on the infra side. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-25 22:09:06 +02:00
Marco Sadjadi	aa79a71357	security: sovereign-audit Pass-2 fixes — auth-lib, oauth, templates All checks were successful Deploy to Production / deploy (push) Successful in 54s Details Six confirmed findings closed (3 MEDIUM, 3 LOW). Tier-1 surfaces from Pass-1 re-verified non-regressed; this pass deepened the audit on the auth library, OAuth issuer, and template marketplace. Za-002 MEDIUM (scrypt cost) — bump SCRYPT_N from 2^14 → 2^17 (131072) matching current OWASP guidance for password hashing in 2026. Hash format embeds N (`scrypt$N$salt$hash`), so the existing admin password at the old cost still verifies — backward-compatible. Also added explicit maxmem ceilings since Node's default (~32MiB) is insufficient for the new N. Za-003 MEDIUM (single-use race) — consumeMagicLink was SELECT-then- UPDATE; two parallel redemptions could both win and mint two sessions from the same token. Now uses the same atomic `UPDATE … WHERE id = ? AND consumedAt IS NULL RETURNING id` pattern /oauth/token already had — loser of the race gets invalid_or_expired_token. Za-004 LOW (membership ordering) — `.orderBy(memberships.createdAt)` added so when org-invites eventually let a user belong to multiple orgs, the same one wins every login instead of insertion-order roulette. Latent-bug pre-empt. Zb-002 LOW (OAuth register spam) — /oauth/register now per-IP daily rate-limited at 20/day (well above any legitimate MCP-client bootstrap pattern). Prevents DB-row spam. Zc-001 MEDIUM (banned-pattern drift) — three separate copies of BANNED_PATTERNS had drifted apart. The publish-time scanner in templates.ts was MISSING the 7 new patterns added in Pass-1 (process.binding, dlopen, .constructor.constructor, vm.runIn, globalThis['..']). Single source of truth in @bmm/llm now exports SHARED_BANNED_PATTERNS; templates.ts composes PUBLISH_BANNED_PATTERNS = SHARED ∪ code-only-extras (dynamic import, fs.rm, setTimeout-with- string, process.kill, jailbreak markers). Zc-002 LOW (N+1) — /v1/templates list was issuing one COUNT() per template (101 queries for a 100-row page). Now one grouped query with templateId GROUP BY, merged in JS. p95 doesn't degrade with marketplace growth. DEFERRED (documented, scoped for next sprint): Za-001 HIGH — Account takeover via cross-provider email lookup. Requires schema change (users.primaryProvider). Mitigation in /settings/account banner planned. Zb-001 MEDIUM — /oauth/token refresh_token grant: advertised in AS metadata but unsupported_grant_type. Either implement (~40 LOC) or strip from metadata. Zc-003 LOW — Admin takedown partial-failure consistency. Zd-001 IMPROVE — DEK cache invalidation across replicas (single- instance today). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-25 18:15:54 +02:00
Marco Sadjadi	cc3c5ad444	feat(auth): GitHub OAuth login + SMS one-time-code login Some checks failed Deploy to Production / deploy (push) Failing after 1m8s Details GitHub: /v1/auth/github + /callback — authorization-code flow, fetches the verified primary email via /user/emails, reuses upsertOAuthLogin. SMS: phone is now a first-class login identity. - schema: users.email nullable, users.phone added, new sms_codes table. - @bmm/auth: issueSmsCode / consumeSmsCode — 6-digit code, hashed at rest, 10-min TTL, per-phone rate limit, 5-attempt cap, get-or-create user by phone. - apps/api: /v1/auth/sms/request + /verify, Twilio REST send (no SDK), per-IP throttle. /v1/auth/providers now reports google/github/sms. - login UI: Google + GitHub buttons, Email\|Phone toggle, two-step SMS (number -> 6-digit code with one-time-code autofill). SMS link was rejected in favour of an OTP code — carrier link-scanners consume magic-link tokens before the user taps them. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-21 22:59:58 +02:00
Marco Sadjadi	414903f16d	feat(marketplace): dashboard nav link + My-templates filter The logged-in user can now reach the marketplace and filter to their own templates. Dashboard nav: - Added 'Marketplace' item (Overview · Servers · Marketplace · Audit · Settings). /templates page — login-aware: - Detects session via /v1/auth/me. Logged-in users get a 'Dashboard' + '+ New server' header instead of 'Home' + 'Start building'. - New [All templates \| My templates] scope toggle, shown only when logged in. - 'My templates' loads GET /v1/templates/mine and shows EVERY status the user owns (public / hidden / draft / takedown) with a colored status badge on each card — so a template you unshared doesn't appear to have vanished. - Sort tabs (trending/top/newest) hide in 'mine' scope — meaningless for a handful of own templates. Category filter + search still apply (client-side). - Takedown cards link to the source server's Publish tab instead of the detail route (which 410s); everything else opens the detail page. Backend: - GET /v1/templates/mine (requireAuth) — all own templates, any status, registered before /:slug so the static route always wins the match. - GET /v1/templates/:slug — now does an optional session check: the OWNER can view their own hidden/draft template (so a 'My templates' card click never dead-ends in a 404). takedown stays 410 for everyone, owner included — that's an admin decision, not the owner's to reverse. Detail page: - Fork CTA is gated on status === 'public'. For a non-public template the owner sees an amber 'not forkable — re-share from the Publish tab' notice plus a 'Manage in server' link, instead of a Fork button that would fail silently. Verified: - GET /v1/templates/mine → marco's 1 template; 401 without auth - Owner GET of a hidden template → 200 status:hidden; anon → 404 - Dashboard nav shows Marketplace (screenshot) - /templates 'My templates' toggle → only own template, public badge, sort tabs hidden (screenshot)	2026-05-20 17:18:58 +02:00
Marco Sadjadi	a189111782	feat(marketplace): default-on share in wizard + owner unshare anytime Goal: maximize template volume without a dark pattern and without leaking data. Wizard Done-page Share panel: - 'Share as template in the marketplace (recommended)' checkbox, default ON, rendered inline in the build-success flow where every user lands. - Honest copy — corrected a draft that claimed 'only abstracted code pattern is shared'. That is false: the FULL generated code becomes publicly viewable on the template detail page (by design, for pre-fork audit). The panel now says: 'Your secrets stay private ... but your generated code becomes publicly viewable so others can audit it before forking. Unshare anytime.' - When checked: inline minimal form — short description (prefilled from the spec), category select, optional per-secret credential hints. One 'Publish to marketplace' click. Not auto-published silently — that would be a consent dark pattern; one visible deliberate click keeps it clean. - Forked servers don't show the panel (re-publishing a fork is an edge case). Owner unshare/reshare: - GET /v1/servers/:id/template — owner lookup, drives the Publish tab UI. - PATCH /v1/templates/:slug/visibility { shared } — owner-only toggle between public and hidden. 403 for non-owners, 409 if an admin took it down (owner cannot resurrect an admin takedown). Audit-logged as template.unshare / template.reshare. - Server-detail Publish tab now detects an existing template and shows the shared status (public/hidden/takedown badge), fork count, a marketplace link and an Unshare/Re-share button — instead of the publish form. Why this is safe to default ON: - Secrets are architecturally bound to mcp_servers, never copied into templates. Publish reads tools_schema + generated_code only; the secrets table is never touched. Data leak is structurally impossible, not policy-dependent. - Publish re-scans the generated code for banned patterns AND hardcoded credentials (sovereign-audit hardening) before it can reach the marketplace. - The user sees a visible, pre-ticked checkbox and reads one honest sentence before publishing. Privacy-conscious users untick; everyone else contributes volume. Informed consent, GDPR-clean. Verified end-to-end via API: GET server/:id/template -> null (unpublished) POST /v1/templates -> published, slug share-test-server GET server/:id/template -> status public PATCH visibility {shared:false} -> hidden, drops out of public list PATCH visibility {shared:true} -> public again UI: Publish tab renders the shared-status panel with View + Unshare (screenshot confirmed). Also: hero badge date set to 2026-05-20. Changed 'MCP spec 2025-11-25' to 'updated 2026-05-20' — claiming an MCP spec dated today would be factually wrong (no such spec release exists); 'updated' is accurate and gives the requested fresh date. The real spec date is still cited correctly in /docs.	2026-05-20 17:04:46 +02:00
Marco Sadjadi	2ad4a7e34c	fix(security): template integration sovereign audit + critical fixes P0 — three critical issues found by tracing every attack vector on the template publish + fork + render path. All three fixed and verified with attack tests. FIX A — Takedown actually stops malicious containers PATCH /v1/admin/templates with status=takedown previously only updated mcp_servers.status to 'paused' in the DB. The Docker container kept running and serving traffic on its allocated port — takedown was cosmetic. Now the endpoint enumerates every fork's container, calls 'docker rm -f' on each, clears container_id/public_url/host_port in the DB, and returns the stoppedContainers count. New apps/api/src/lib/docker.ts owns the stop logic. Verified: takedown stopped container f5632962, port 4109 connection refused. FIX B — Reject specEdit on fork A hand-crafted POST /v1/servers with {templateId, previewId, specEdit} would enter the spec-edit branch, merge edits into the cached spec, but the worker reads the pre-built template code (separate cache key), ignoring the merged spec entirely. User thinks they changed something; deployed container behaves as the original. Now returns 400 spec_edit_forbidden_on_fork with an explainer pointing to the Iterate flow. FIX C — templateId validation via Redis fork-ref templateId on POST /v1/servers was user-controlled and unvalidated: fork_count of any template could be pumped, mcp_servers got garbage template_id rows, takedown cascade would miss the bogus rows. Fork endpoint now writes a Redis key fork-ref:<previewId> -> templateId (5min TTL). Server-create requires the ref to exist AND match the submitted templateId. Verified attack: fake templateId without fork-ref returns 410 fork_ref_expired. DEFENSE-IN-DEPTH — Hardened static checks Banned patterns (added): Function\s\(['"`] — Function('code')() form, no 'new' needed \bimport\s\( — dynamic import escapes bundle scope \bsetTimeout\s\(['"`] — setTimeout('code', ms) eval form \bsetInterval\s\(['"`] \bfs\s\.\s(unlink\|rmdir\|rm)\b \bprocess\s\.\skill\b you are now in (developer\|jailbreak\|dan) mode — extra jailbreak markers Hardcoded-credential patterns (new — scanForLeakedSecrets): sk-ant-(api\|sid)… — Anthropic sk-… — OpenAI sk_(live\|test)_… — Stripe ghp_… — GitHub PAT github_pat_… — GitHub fine-grained xox[bpoasr]-… — Slack AKIA[0-9A-Z]{16} — AWS -----BEGIN…PRIVATE KEY----- — RSA / SSH / GPG Triggered when a publisher pasted their key into the prompt and Claude embedded it literally in the generated code. Publish-blocking. Verified attack: smuggled 'Function("return 1")' into a build's generated_code, attempted publish → 422 publish_blocked. Slug regex tightened — fork + detail routes now require ^[a-z0-9][a-z0-9-]{0,63}$ (was loose min(1).max(64) — letting through '../admin', long strings, mixed case). UI warning — Publish-as-template form now shows an amber callout listing what's scanned and explicitly stating egress allowlisting is roadmap, not enforced today (was misleading: the field was collected, never enforced). TEMPLATE_SECURITY_AUDIT.md added — documents all 20 audited vectors with severity, status, and rationale for what's deferred. UI polish globals.css — select/input/textarea/button get color-scheme: dark + custom chevron + option styling so Chrome's native popdown stops rendering as a white OS-themed widget on dark pages. The /templates category dropdown was the immediate trigger; same rule applies system-wide.	2026-05-19 23:35:45 +02:00
Marco Sadjadi	8334de13a8	feat(marketplace): template publish + fork + voting/ranking + admin moderation What this enables: - A user builds an MCP server. If others would benefit, they click 'Publish as template' on their server detail page. The spec + pre-rendered TypeScript snapshot is preserved. - Visitors browse /templates, filter by category, sort by trending/top/newest. Each template card shows fork count + active deployment count as natural manipulation-resistant popularity signal. - /templates/[slug] shows the full plan: tool list with input schemas, required-credential explanations (with 'how to get one' deep links), and a collapsible code preview so users can audit before forking. - Fork is one click → /servers/new?template=slug. The wizard skips Step 1 and pre-fills Step 2 with the template's parsed spec. Forker only fills in their own credentials. mcp_servers.template_id is recorded; template.fork_count is bumped atomically. Each fork gets its own isolated container with its own port, its own AES-256 secrets — the template author has zero visibility into the fork's traffic or data. - Admin /admin/templates moderation: verify quality templates (shows shield badge in marketplace), hide low-effort ones, takedown anything malicious. Takedowns cascade-pause every fork container — owners must re-deploy. Why template+fork instead of shared-container: - Shared containers would mean the publisher's quota + their secrets + their logs are exposed to forkers. Bad ergonomics, bad security, bad ownership. - Templates/forks decouple the spec (shared, vouched-for) from the runtime (isolated per user). Network-effect moat without the trust collapse. Why no 5-star voting in v1: - Manipulation-anfällig, empty lists without adoption. We use fork count + active deploys + verified badge. Trending algorithm: score = (activeDeploys * 3 + forks) / sqrt(ageDays + 1) Real signal, no brigading attack surface. Backend: - New schema: templates table (16 cols incl. tools_schema, generated_code, required_secrets, allowedDomains, status enum, verified, fork_count). - mcp_servers.template_id FK + idx for fork lookup. - @bmm/types: SpecEdit unchanged, CreateServerInput accepts optional templateId. - preview-cache.ts: new cachePrebuiltCode/loadPrebuiltCode for storing the template's full rendered server.ts alongside the spec. Generator worker detects this and skips the render step — uses the audited pre-built code verbatim. Banned-pattern re-scan at publish time. - routes/templates.ts: 5 public/auth routes + 2 admin routes. Banned-pattern re-scan before publish. Slug auto-uniqued. forkCount atomic-increment via SQL. UI: - /templates marketplace with trending/top/newest tabs, category filter, search. Cards show forks + live count + author + verified badge. - /templates/[slug] full detail with tools, credentials-with-hints, expandable code preview, fork CTA, ownership + stats sidebar, 'forking is safe' explainer. - /servers/new?template=slug — wizard auto-jumps to Step 2 with template spec pre-filled, fork banner at top with link back to template. - /servers/[id] new Publish tab with title, category, descriptions, per-secret hint fields (description + howToGetUrl per UPPER_SNAKE_CASE key). - /admin/templates moderation with verify/hide/takedown actions. - Marketing nav now includes /templates. Verified end-to-end: - Published Echo Demo Template from marco@test.local's live server - Marketplace lists it correctly with stats - Detail page renders with all sections - Fork CTA navigates to wizard with ?template= param - Wizard skips Step 1, shows fork banner, pre-fills spec - Build succeeds in ~10s (cached spec + prebuilt code path skips Claude AND render), container live on :4109 with proper OAuth 401 → token → 200 flow - DB: templates.fork_count=1, activeDeployments=1, mcp_servers.template_id populated on the fork - /admin/templates shows the new template with verify/hide/takedown controls	2026-05-19 23:22:35 +02:00

8 Commits