marco/buildmymcpserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: marco:cf423de3d5b58973041de912bf417def782b3875
Branches Tags
marco:main
..
compare: marco:092290bb38b422c44a798f90bdd3eb3c58b7ca38
Branches Tags
marco:main

No commits in common. "cf423de3d5b58973041de912bf417def782b3875" and "092290bb38b422c44a798f90bdd3eb3c58b7ca38" have entirely different histories.
cf423de3d5 ... 092290bb38

20 changed files with 156 additions and 594 deletions
Show Stats Expand all files Collapse all files

3
.env.example
View File

@ -1,8 +1,5 @@
# ---- Core ----
NODE_ENV=development
# Local dev only: skip runner container hardening (--read-only etc. break on
# Windows Docker Desktop). NEVER set this in .env.production. (GEN-002)
RUNNER_DISABLE_HARDENING=1
# ---- Database ----
DATABASE_URL=postgresql://bmm:bmm@localhost:5440/bmm

21
.env.production.example
View File

@ -46,9 +46,9 @@ OAUTH_ISSUER=https://api.buildmymcpserver.com
SECRETS_ENCRYPTION_KEY=CHANGE-ME-run-openssl-rand-hex-32
# ---- Admin bootstrap (upserted idempotently on API boot) ----
ADMIN_EMAIL=CHANGE-ME-admin@example.com
ADMIN_EMAIL=marco.frangiskatos@gmail.com
ADMIN_PASSWORD=CHANGE-ME-strong-admin-password
ADMIN_NAME=CHANGE-ME-Admin
ADMIN_NAME=Marco Frangiskatos
# ---- Anthropic (empty = mock generation; set for real Claude generation) ----
ANTHROPIC_API_KEY=
@ -75,23 +75,6 @@ RUNNER_HOST=buildmymcpserver.com
RUNNER_PORT_RANGE_START=4400
RUNNER_PORT_RANGE_END=4900
# ---- Stripe (billing) ----
# Secret key (server-side only — NEVER expose). From Stripe Dashboard → Developers → API keys.
STRIPE_SECRET_KEY=CHANGE-ME-sk_live_...
# Publishable key (safe to expose). Used by the embedded in-app checkout.
STRIPE_PUBLISHABLE_KEY=CHANGE-ME-pk_live_...
# Same publishable key, exposed to the web client bundle at BUILD time (the web
# image is rebuilt by the deploy, so this must be set before deploying or the
# in-app checkout shows "not configured"). Keep it identical to STRIPE_PUBLISHABLE_KEY.
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=CHANGE-ME-pk_live_...
# Webhook signing secret — from the endpoint you create at /v1/billing/webhook.
STRIPE_WEBHOOK_SECRET=CHANGE-ME-whsec_...
# Price IDs (price_… not prod_…) from each product's pricing in the Dashboard.
STRIPE_PRICE_PRO_MONTHLY=CHANGE-ME-price_...
STRIPE_PRICE_PRO_YEARLY=CHANGE-ME-price_...
STRIPE_PRICE_TEAM_MONTHLY=CHANGE-ME-price_...
STRIPE_PRICE_TEAM_YEARLY=CHANGE-ME-price_...
# ---- Observability (optional) ----
SENTRY_DSN=
OTEL_EXPORTER_OTLP_ENDPOINT=

9
apps/api/src/lib/queue.ts
View File

@ -17,14 +17,7 @@ let queue: Queue<BuildJobData> | null = null;
export function getBuildQueue(): Queue<BuildJobData> {
if (!queue) {
queue = new Queue<BuildJobData>('build', {
connection: getRedis(),
// Explicit job lifecycle. attempts:1 because a build is non-idempotent
// (allocates a host port, runs a container, spends an LLM call) — a blind
// BullMQ retry would double-spend; users re-run via /iterate instead.
// removeOnComplete/Fail caps Redis growth. (GEN-007)
defaultJobOptions: { attempts: 1, removeOnComplete: 100, removeOnFail: 500 },
});
queue = new Queue<BuildJobData>('build', { connection: getRedis() });
}
return queue;
}

11
apps/api/src/lib/stripe.ts
View File

@ -63,17 +63,6 @@ export async function isDuplicateEvent(eventId: string): Promise<boolean> {
return set === null;
}
/**
* Roll back the idempotency marker for an event whose handler FAILED, so
* Stripe's retry re-processes it. Without this, the marker set by the failed
* first attempt makes every retry look like a duplicate and the event is lost
* forever (e.g. a paid org that never gets upgraded). (BILL-003)
*/
export async function clearProcessedEvent(eventId: string): Promise<void> {
const redis = getRedis();
await redis.del(`stripe:event:${eventId}`);
}
/**
* Sanity-check that price-id env vars actually contain price ids a common
* setup mistake is to paste the product id (prod_) instead. Logs loudly on

62
apps/api/src/routes/billing.ts
View File

@ -6,7 +6,6 @@ import { config } from '../config.js';
import { audit } from '../lib/audit.js';
import {
type PriceTier,
clearProcessedEvent,
isDuplicateEvent,
planFromPriceId,
priceIdForTier,
@ -42,14 +41,6 @@ export async function billingRoutes(app: FastifyInstance): Promise<void> {
try {
const session = await stripe.checkout.sessions.create({
// Embedded UI: the payment form mounts INSIDE our dashboard via Stripe.js
// instead of redirecting to checkout.stripe.com. Keeps the flow in-app
// (critical for the installed PWA, which otherwise pops out to the
// system browser). Embedded mode uses return_url, not success/cancel_url.
// NOTE: stripe-node v22 / API 2025-10 renamed this enum 'embedded' →
// 'embedded_page'; it returns a client_secret for @stripe/react-stripe-js
// EmbeddedCheckout. ('hosted' is now 'hosted_page'.)
ui_mode: 'embedded_page',
mode: 'subscription',
payment_method_types: ['card', 'sepa_debit'],
line_items: [{ price: priceId, quantity: 1 }],
@ -63,7 +54,8 @@ export async function billingRoutes(app: FastifyInstance): Promise<void> {
subscription_data: {
metadata: { orgId: user.orgId, userId: user.userId },
},
return_url: `${config.NEXT_PUBLIC_APP_URL}/settings/billing?success=true&session_id={CHECKOUT_SESSION_ID}`,
success_url: `${config.NEXT_PUBLIC_APP_URL}/settings/billing?success=true`,
cancel_url: `${config.NEXT_PUBLIC_APP_URL}/settings/billing?cancelled=true`,
automatic_tax: { enabled: true },
tax_id_collection: { enabled: true },
billing_address_collection: 'required',
@ -79,8 +71,7 @@ export async function billingRoutes(app: FastifyInstance): Promise<void> {
ipAddress: req.ip,
});
// client_secret drives the embedded form; sessionId for optional verification.
return reply.send({ clientSecret: session.client_secret, sessionId: session.id });
return reply.send({ url: session.url, sessionId: session.id });
} catch (err) {
app.log.error({ err }, 'checkout session create failed');
const msg = err instanceof Error ? err.message : 'unknown_error';
@ -281,14 +272,6 @@ export async function billingRoutes(app: FastifyInstance): Promise<void> {
items: [{ id: itemId, price: newPriceId }],
proration_behavior: 'create_prorations',
});
// Reconcile the local plan immediately instead of waiting for the
// customer.subscription.updated webhook — otherwise quota enforcement
// reads a stale tier in the gap between this call and webhook delivery.
// Idempotent: the webhook will set the same value. (BILL-001)
await db
.update(organizations)
.set({ plan: planFromPriceId(newPriceId) })
.where(eq(organizations.id, user.orgId));
await audit({
orgId: user.orgId,
userId: user.userId,
@ -345,11 +328,6 @@ export async function billingRoutes(app: FastifyInstance): Promise<void> {
await handleStripeEvent(app, event);
return reply.send({ ok: true });
} catch (err) {
// Roll back the idempotency marker so the retry actually re-runs the
// handler instead of being skipped as a duplicate. Handlers are
// idempotent (they SET state, not increment), so a rare double-process
// on concurrent retries is safe. (BILL-003)
await clearProcessedEvent(event.id);
// Return 5xx so Stripe retries with exponential backoff.
app.log.error(
{ err, eventId: event.id, type: event.type },
@ -386,26 +364,11 @@ async function handleStripeEvent(app: FastifyInstance, event: Stripe.Event): Pro
}
async function findOrgIdForSubscription(sub: Stripe.Subscription): Promise<string | null> {
// Prefer the metadata we set at checkout — but DON'T blindly trust it. A
// webhook signature proves the event came from Stripe, not that
// sub.metadata.orgId is honest (metadata is editable in the dashboard/portal).
// Only honour the metadata orgId if the subscription's customer actually
// matches that org's stored stripeCustomerId; otherwise fall back to the
// customer lookup. This prevents a sub with a forged metadata.orgId from
// re-planning a victim org. (BILL-004)
const customerId = typeof sub.customer === 'string' ? sub.customer : sub.customer.id;
// Prefer the metadata we set at checkout — it's the most reliable mapping.
// Fallback: look the org up by stored customer id.
const metaOrgId = sub.metadata?.orgId;
if (typeof metaOrgId === 'string' && metaOrgId.length > 0) {
const [byMeta] = await db
.select({ id: organizations.id, customer: organizations.stripeCustomerId })
.from(organizations)
.where(eq(organizations.id, metaOrgId))
.limit(1);
if (byMeta && (byMeta.customer === null || byMeta.customer === customerId)) {
return byMeta.id;
}
// metadata orgId does not own this customer — ignore it and fall through.
}
if (typeof metaOrgId === 'string' && metaOrgId.length > 0) return metaOrgId;
const customerId = typeof sub.customer === 'string' ? sub.customer : sub.customer.id;
const [row] = await db
.select({ id: organizations.id })
.from(organizations)
@ -511,18 +474,15 @@ async function handleSubscriptionDeleted(
async function handleInvoicePaid(_app: FastifyInstance, invoice: Stripe.Invoice): Promise<void> {
const orgId = await findOrgIdForInvoice(invoice);
if (!orgId) return;
// Only the actual monthly renewal (`subscription_cycle`) resets the usage
// counter. Stripe also sends `invoice.paid` for proration/manual/one-off
// invoices (e.g. every plan up/downgrade); resetting on those would let a
// user zero their call quota on demand by churning plan changes. For
// non-cycle invoices we only clear a past-due suspension. (BILL-002)
const isRenewal = invoice.billing_reason === 'subscription_cycle';
// Successful renewal — clear any past-due suspension and reset the usage
// period (so the new month's call quota starts fresh).
await db
.update(organizations)
.set({
suspended: false,
suspendedReason: null,
...(isRenewal ? { callsThisPeriod: 0, periodStartsAt: new Date() } : {}),
callsThisPeriod: 0,
periodStartsAt: new Date(),
})
.where(eq(organizations.id, orgId));
await audit({

44
apps/api/src/routes/servers.ts
View File

@ -219,8 +219,7 @@ export async function serverRoutes(app: FastifyInstance): Promise<void> {
if (choice.provider !== 'anthropic' || !config.ANTHROPIC_API_KEY) {
return reply.code(409).send({
error: 'streaming_unavailable',
detail:
'Streaming preview is only available for Anthropic-backed tiers. Use POST /v1/servers/preview instead.',
detail: 'Streaming preview is only available for Anthropic-backed tiers. Use POST /v1/servers/preview instead.',
});
}
@ -255,10 +254,7 @@ export async function serverRoutes(app: FastifyInstance): Promise<void> {
// open as long as bytes flow; comments are SSE-noop but count as bytes.
const keepalive = setInterval(() => reply.raw.write(`: ping\n\n`), 15_000);
const abort = new AbortController();
req.raw.on('close', () => {
abort.abort();
clearInterval(keepalive);
});
req.raw.on('close', () => abort.abort());
// `resolved` is set inside the awaited handlers below — by the time
// streamSpecFromAnthropic returns, exactly one of onSpec/onError will
@ -267,7 +263,6 @@ export async function serverRoutes(app: FastifyInstance): Promise<void> {
// ended without either handler running (which would be a programming
// bug, not a runtime path).
let resolved = false;
try {
await streamSpecFromAnthropic(
parsed.data.prompt,
{
@ -355,17 +350,8 @@ export async function serverRoutes(app: FastifyInstance): Promise<void> {
app.log.error({ prompt: parsed.data.prompt.slice(0, 200) }, 'preview_stream_unresolved');
send('error', { error: 'preview_failed', detail: 'stream ended without a final event' });
}
} catch (err) {
// If the stream itself rejects (e.g. cacheSpec/Redis throws inside onSpec,
// or a network error before either handler runs) we must still tear down
// the keepalive timer and close the socket — otherwise the interval keeps
// writing to a dead connection forever, leaking a timer + FD per failure. (SRV-004)
app.log.error({ err, prompt: parsed.data.prompt.slice(0, 200) }, 'preview_stream_threw');
if (!resolved) send('error', { error: 'preview_failed', detail: 'spec generation failed' });
} finally {
clearInterval(keepalive);
reply.raw.end();
}
});
app.post('/v1/servers', { preHandler: requireAuth }, async (req, reply) => {
@ -588,32 +574,6 @@ export async function serverRoutes(app: FastifyInstance): Promise<void> {
.limit(1);
if (!server) return reply.code(404).send({ error: 'not_found' });
// iterate queues a full paid LLM build exactly like POST /v1/servers, so it
// must enforce the same suspension + daily-build gates. Without these a
// suspended (non-paying) or rate-capped org could generate unlimited builds
// by hitting iterate instead of create. (SRV-003)
const billing = await getOrgBilling(user.orgId);
if (billing.suspended) {
return reply.code(402).send({
error: 'subscription_suspended',
detail:
billing.suspendedReason === 'payment_failed'
? 'Your subscription is paused due to a payment issue. Update your payment method in /settings/billing.'
: 'Your subscription is paused. Visit /settings/billing for details.',
suspendedReason: billing.suspendedReason,
});
}
const iterateRl = await checkDailyLimit('build', user.userId, BUILD_DAILY_LIMIT[billing.plan]);
if (!iterateRl.ok) {
return reply.code(429).send({
error: 'rate_limited',
detail: `Daily build limit reached for plan "${billing.plan}" (${BUILD_DAILY_LIMIT[billing.plan]}/day). Resets in ${Math.ceil(iterateRl.resetIn / 3600)}h.`,
plan: billing.plan,
limit: BUILD_DAILY_LIMIT[billing.plan],
resetIn: iterateRl.resetIn,
});
}
const nextVersion = server.currentVersion + 1;
const [build] = await db
.insert(builds)

30
apps/api/src/routes/support.ts
View File

@ -250,15 +250,6 @@ export async function supportRoutes(app: FastifyInstance): Promise<void> {
const body = NewMessageBody.safeParse(req.body);
if (!body.success) return reply.code(400).send({ error: 'invalid_input' });
// Confirm the ticket exists first — otherwise the insert below hits a raw
// FK violation (500) instead of a clean 404. (SUP-002)
const [ticket] = await db
.select({ id: supportTickets.id })
.from(supportTickets)
.where(eq(supportTickets.id, parsed.data.id))
.limit(1);
if (!ticket) return reply.code(404).send({ error: 'not_found' });
await db.insert(supportMessages).values({
ticketId: parsed.data.id,
authorUserId: user.userId,
@ -291,22 +282,12 @@ export async function supportRoutes(app: FastifyInstance): Promise<void> {
'/v1/admin/support/tickets/:id/status',
{ preHandler: requireAdmin },
async (req, reply) => {
const user = req.user!;
const Params = z.object({ id: z.string().uuid() });
const parsed = Params.safeParse(req.params);
if (!parsed.success) return reply.code(400).send({ error: 'invalid_id' });
const body = StatusBody.safeParse(req.body);
if (!body.success) return reply.code(400).send({ error: 'invalid_input' });
// 404 on unknown ticket instead of a silent no-op `UPDATE ... WHERE id=?`
// that returns ok:true and masks the bad id. (SUP-002)
const [ticket] = await db
.select({ id: supportTickets.id })
.from(supportTickets)
.where(eq(supportTickets.id, parsed.data.id))
.limit(1);
if (!ticket) return reply.code(404).send({ error: 'not_found' });
await db
.update(supportTickets)
.set({
@ -316,17 +297,6 @@ export async function supportRoutes(app: FastifyInstance): Promise<void> {
})
.where(eq(supportTickets.id, parsed.data.id));
// Status changes were previously unaudited, unlike admin replies — close
// the compliance-trail gap. (SUP-002)
await audit({
orgId: user.orgId,
userId: user.userId,
action: 'support.status_changed',
resourceType: 'support_ticket',
resourceId: parsed.data.id,
metadata: { status: body.data.status },
});
return reply.send({ ok: true });
},
);

27
apps/api/src/routes/templates.ts
View File

@ -194,15 +194,10 @@ export async function templateRoutes(app: FastifyInstance): Promise<void> {
toolsSchema: server.toolsSchema,
generatedCode: build.generatedCode,
requiredSecrets: parsed.data.secretHints,
// Aggregate the distinct scopes actually declared by the server's tools
// (deduped), falling back to read-only. The previous reduce ignored its
// input and hardcoded ['mcp:read'] for every template regardless of what
// its tools did. (TPL-003)
scopes: (() => {
const tools = (server.toolsSchema as Array<{ scopes?: string[] }> | null) ?? [];
const all = [...new Set(tools.flatMap((t) => t.scopes ?? []))];
return all.length > 0 ? all : ['mcp:read'];
})(),
scopes: (server.toolsSchema as Array<{ scopes?: string[] }>).reduce<string[]>(
() => ['mcp:read'],
[],
),
allowedDomains: parsed.data.allowedDomains ?? null,
})
.returning();
@ -315,19 +310,13 @@ export async function templateRoutes(app: FastifyInstance): Promise<void> {
.from(templates)
.leftJoin(users, eq(users.id, templates.ownerUserId))
.leftJoin(organizations, eq(organizations.id, templates.ownerOrgId))
// Category filter belongs in the WHERE, BEFORE limit — filtering in JS
// after `.limit(50)` meant `?category=x` searched only the 50 newest
// public templates (any category), returning far fewer than `limit`. (TPL-008)
.where(
and(
eq(templates.status, 'public'),
parsed.data.category ? eq(templates.category, parsed.data.category) : undefined,
),
)
.where(eq(templates.status, 'public'))
.orderBy(desc(templates.createdAt))
.limit(parsed.data.limit);
const filtered = rows;
const filtered = parsed.data.category
? rows.filter((r) => r.template.category === parsed.data.category)
: rows;
// Single grouped query — was N+1 (one COUNT per template). On a 100-row
// listing that's 101 round-trips → p95 latency cliff once the marketplace

20
apps/generator/src/lib/build.ts
View File

@ -39,10 +39,7 @@ export async function prepareBuildContext(
pkg.dependencies = { ...pkg.dependencies, ...spec.dependencies };
await fs.writeFile(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`, 'utf8');
// Include serverId in the tag: `slug` is unique only per-org, so two orgs
// sharing a slug at the same version would otherwise collide on one global
// image tag and run each other's code. Matches the contextDir scheme. (GEN-009)
const imageTag = `bmm-mcp-${serverId.slice(0, 8)}-${slug}:v${version}`;
const imageTag = `bmm-mcp-${slug}:v${version}`;
return { contextDir, imageTag };
}
@ -73,21 +70,12 @@ export async function staticCheck(contextDir: string): Promise<void> {
}
}
// A hung `docker build` (stalled npm install, wedged daemon) must not pin a
// worker slot forever — concurrency is 2, so two stuck builds = zero throughput
// with no alarm. Kill and fail the build past this ceiling. (GEN-008)
const BUILD_TIMEOUT_MS = 10 * 60 * 1000;
export async function dockerBuild(contextDir: string, imageTag: string, onLog: (msg: string) => void): Promise<void> {
await new Promise<void>((resolve, reject) => {
const child = spawn('docker', ['build', '-t', imageTag, '.'], {
cwd: contextDir,
stdio: ['ignore', 'pipe', 'pipe'],
});
const timer = setTimeout(() => {
child.kill('SIGKILL');
reject(new Error(`docker_build_timeout (exceeded ${BUILD_TIMEOUT_MS / 1000}s)`));
}, BUILD_TIMEOUT_MS);
child.stdout.on('data', (d) => {
for (const line of d.toString().split(/\r?\n/)) {
if (line.trim()) onLog(line.trim());
@ -98,12 +86,8 @@ export async function dockerBuild(contextDir: string, imageTag: string, onLog: (
if (line.trim()) onLog(line.trim());
}
});
child.on('error', (e) => {
clearTimeout(timer);
reject(e);
});
child.on('error', (e) => reject(e));
child.on('close', (code) => {
clearTimeout(timer);
if (code === 0) resolve();
else reject(new Error(`docker_build_failed (exit ${code})`));
});

51
apps/generator/src/lib/deploy.ts
View File

@ -81,25 +81,12 @@ const HARDENING_FLAGS = [
];
function shouldHarden(): boolean {
// Fail-CLOSED: harden by default everywhere. The only opt-out is the explicit
// RUNNER_DISABLE_HARDENING=1 flag (local Windows Docker Desktop, where
// --read-only conflicts with how volumes bind). The previous NODE_ENV gate was
// fail-OPEN — a missing/typo'd NODE_ENV silently ran tenant containers as root
// with full caps on the shared host, which is the one defense the LLM
// static-check explicitly is NOT. (GEN-002)
if (process.env.RUNNER_DISABLE_HARDENING === '1') {
console.warn(
'[deploy] container hardening DISABLED via RUNNER_DISABLE_HARDENING=1 — never set this in production',
);
return false;
// Explicit opt-out for local dev on Windows where --read-only conflicts
// with how Docker Desktop binds volumes. Production must always harden.
if (process.env.RUNNER_DISABLE_HARDENING === '1') return false;
const env = process.env.NODE_ENV;
return env === 'production' || env === 'staging';
}
return true;
}
// docker run / rm should return in seconds; cap them so a wedged daemon can't
// hang a worker slot indefinitely. (GEN-008)
const DOCKER_RUN_TIMEOUT_MS = 60 * 1000;
const DOCKER_STOP_TIMEOUT_MS = 60 * 1000;
const db = createDb();
@ -170,24 +157,14 @@ export async function deployContainer(input: DeployInput): Promise<DeployHandle>
const child = spawn('docker', args, { stdio: ['ignore', 'pipe', 'pipe'] });
let out = '';
let err = '';
// `docker run -d` returns promptly; if it hangs (wedged daemon) don't pin a
// worker slot forever. (GEN-008)
const timer = setTimeout(() => {
child.kill('SIGKILL');
reject(new Error('docker_run_timeout'));
}, DOCKER_RUN_TIMEOUT_MS);
child.stdout.on('data', (d) => {
out += d.toString();
});
child.stderr.on('data', (d) => {
err += d.toString();
});
child.on('error', (e) => {
clearTimeout(timer);
reject(e);
});
child.on('error', (e) => reject(e));
child.on('close', async (code) => {
clearTimeout(timer);
if (code !== 0) {
reject(new Error(`docker_run_failed (exit ${code}): ${err.trim() || out.trim()}`));
return;
@ -230,21 +207,13 @@ export async function stopContainer(
stdio: ['ignore', 'pipe', 'pipe'],
});
let err = '';
const timer = setTimeout(() => {
child.kill('SIGKILL');
resolve({ ok: false, detail: 'stop_timeout' });
}, DOCKER_STOP_TIMEOUT_MS);
child.stderr?.on('data', (d: Buffer) => {
err += d.toString();
});
child.on('error', () => {
clearTimeout(timer);
resolve({ ok: false, detail: 'spawn_failed' });
});
child.on('close', (code) => {
clearTimeout(timer);
resolve(code === 0 ? { ok: true, detail: '' } : { ok: false, detail: err.trim() || `exit ${code}` });
});
child.on('error', () => resolve({ ok: false, detail: 'spawn_failed' }));
child.on('close', (code) =>
resolve(code === 0 ? { ok: true, detail: '' } : { ok: false, detail: err.trim() || `exit ${code}` }),
);
});
}

10
apps/generator/src/worker.ts
View File

@ -184,7 +184,6 @@ export const worker = new Worker<JobData>(
`Container ${handle.containerId.slice(0, 12)} running at ${handle.publicUrl}`,
);
try {
await db
.update(builds)
.set({ status: 'success', finishedAt: new Date() })
@ -198,11 +197,9 @@ export const worker = new Worker<JobData>(
updatedAt: new Date(),
})
.where(eq(mcpServers.id, serverId));
} finally {
// Rolling deploy: retire the previous container even if the success DB
// writes above threw — otherwise a DB hiccup after a healthy deploy
// leaves the old container orphaned, holding its host port. The new
// container is already live and its id is persisted in deployContainer. (GEN-007)
// Rolling deploy: the new container is live — now retire the previous one.
// Without this every iterate would leave an orphan holding a host port.
if (oldContainerId && oldContainerId !== handle.containerId) {
const stopped = await stopContainer(oldContainerId);
await log(
@ -212,7 +209,6 @@ export const worker = new Worker<JobData>(
: `Could not stop previous container ${oldContainerId.slice(0, 12)}: ${stopped.detail}`,
);
}
}
await emitStatus(buildId, 'success');
await emitDone(buildId, 'success', serverId, handle.publicUrl);

6
apps/runner-template/Dockerfile
View File

@ -1,11 +1,7 @@
FROM node:20-alpine AS deps
WORKDIR /app
COPY package.json ./
# --ignore-scripts: generated package.json carries LLM/user-chosen dependencies.
# Without this, a malicious dependency's postinstall lifecycle script would run
# at `docker build` time on the shared host. Specifiers are also validated to
# registry semver ranges at the API boundary (DependencyMap). (GEN-001)
RUN npm install --omit=dev --ignore-scripts --no-audit --no-fund && npm install --no-save --ignore-scripts tsx@4.19.2 typescript@5.7.2
RUN npm install --omit=dev --no-audit --no-fund && npm install --no-save tsx@4.19.2 typescript@5.7.2
FROM node:20-alpine AS runtime
WORKDIR /app

10
apps/web/Dockerfile
View File

@ -24,11 +24,6 @@ RUN pnpm install --frozen-lockfile
FROM deps AS build
ARG NEXT_PUBLIC_API_URL=http://localhost:4000
ENV NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL
# Stripe publishable key — inlined into the client bundle so the embedded
# checkout can initialise. Safe to expose (publishable, not secret). Empty
# build = embedded checkout shows a "not configured" message until set.
ARG NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
ENV NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
ENV NEXT_TELEMETRY_DISABLED=1
COPY . .
RUN pnpm --filter @bmm/web build
@ -39,9 +34,4 @@ ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
WORKDIR /app/apps/web
EXPOSE 3001
# NOTE (INF-003): non-root `USER node` was reverted — `pnpm start` via corepack
# can't reach its root-owned cache as the node user and the deploy health-check
# doesn't cover web, so a broken web would deploy "green" but take the site down.
# Re-enable only after switching the runtime CMD to invoke next directly
# (node_modules/.bin/next) and smoke-testing the image locally.
CMD ["pnpm", "start"]

71
apps/web/app/(dashboard)/settings/billing/page.tsx
View File

@ -2,19 +2,11 @@
import { Button } from '@/components/ui/button';
import { apiFetch } from '@/lib/api';
import { EmbeddedCheckout, EmbeddedCheckoutProvider } from '@stripe/react-stripe-js';
import { loadStripe } from '@stripe/stripe-js';
import { Loader2, X } from 'lucide-react';
import { Loader2 } from 'lucide-react';
import Link from 'next/link';
import { useRouter, useSearchParams } from 'next/navigation';
import { Suspense, useCallback, useEffect, useState } from 'react';
// Load Stripe.js once at module scope (Stripe's recommendation). Null when the
// publishable key isn't baked into the build — the modal then shows a clear
// "not configured" message instead of throwing.
const STRIPE_PK = process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY;
const stripePromise = STRIPE_PK ? loadStripe(STRIPE_PK) : null;
type Plan = 'hobby' | 'pro' | 'team' | 'enterprise';
type Tier = 'pro_monthly' | 'pro_yearly' | 'team_monthly' | 'team_yearly';
@ -76,8 +68,6 @@ function BillingInner() {
const [status, setStatus] = useState<BillingStatus | null>(null);
const [error, setError] = useState<string | null>(null);
const [busy, setBusy] = useState<string | null>(null);
// When set, the in-app embedded Stripe checkout modal is open.
const [clientSecret, setClientSecret] = useState<string | null>(null);
const loadStatus = useCallback(() => {
apiFetch<BillingStatus>('/v1/billing/status')
@ -108,17 +98,15 @@ function BillingInner() {
setBusy(tier);
setError(null);
try {
const res = await apiFetch<{ clientSecret: string }>('/v1/billing/checkout-session', {
const res = await apiFetch<{ url: string }>('/v1/billing/checkout-session', {
method: 'POST',
body: JSON.stringify({ tier }),
});
// Open the embedded checkout in-app instead of redirecting to Stripe.
setClientSecret(res.clientSecret);
window.location.href = res.url;
} catch (e) {
setBusy(null);
const detail = (e as { detail?: { detail?: string; error?: string } }).detail;
setError(detail?.detail ?? detail?.error ?? (e as Error).message);
} finally {
setBusy(null);
}
}, []);
@ -195,15 +183,6 @@ function BillingInner() {
return (
<div className="mx-auto max-w-3xl px-6 py-10">
{clientSecret && (
<CheckoutModal
clientSecret={clientSecret}
onClose={() => {
setClientSecret(null);
setBusy(null);
}}
/>
)}
<div>
<h1 className="text-[22px] font-semibold tracking-tight">Billing</h1>
<p className="mt-1 text-[13px] text-[--color-fg-muted]">
@ -442,44 +421,6 @@ function BillingInner() {
);
}
function CheckoutModal({
clientSecret,
onClose,
}: {
clientSecret: string;
onClose: () => void;
}) {
return (
<div
className="fixed inset-0 z-50 flex items-start justify-center overflow-y-auto bg-black/60 p-4 backdrop-blur-sm sm:p-8"
role="dialog"
aria-modal="true"
>
<div className="relative my-auto w-full max-w-xl rounded-lg border border-[--color-border] bg-[--color-bg] p-1 shadow-xl">
<button
type="button"
onClick={onClose}
aria-label="Close checkout"
className="absolute right-2 top-2 z-10 rounded-md p-1.5 text-[--color-fg-muted] hover:bg-[--color-bg-subtle] hover:text-[--color-fg]"
>
<X size={18} />
</button>
{stripePromise ? (
<EmbeddedCheckoutProvider stripe={stripePromise} options={{ clientSecret }}>
<EmbeddedCheckout />
</EmbeddedCheckoutProvider>
) : (
<div className="p-6">
<Alert tone="error">
Payments arent configured (missing Stripe publishable key). Please contact support.
</Alert>
</div>
)}
</div>
</div>
);
}
function Alert({
tone,
children,
@ -544,7 +485,7 @@ function TierCard({
onClick={() => onSubscribe(monthlyTier)}
disabled={Boolean(busy)}
>
{busy === monthlyTier ? 'Loading…' : `Subscribe — €${monthly}/mo`}
{busy === monthlyTier ? 'Redirecting…' : `Subscribe — €${monthly}/mo`}
</Button>
<Button
variant="ghost"
@ -552,7 +493,7 @@ function TierCard({
onClick={() => onSubscribe(yearlyTier)}
disabled={Boolean(busy)}
>
{busy === yearlyTier ? 'Loading…' : `Or €${yearly}/year — 2 months free`}
{busy === yearlyTier ? 'Redirecting…' : `Or €${yearly}/year — 2 months free`}
</Button>
</div>
</div>

2
apps/web/package.json
View File

@ -11,8 +11,6 @@
},
"dependencies": {
"@bmm/types": "workspace:*",
"@stripe/react-stripe-js": "^6.4.0",
"@stripe/stripe-js": "^9.7.0",
"clsx": "2.1.1",
"framer-motion": "11.18.2",
"geist": "1.3.1",

46
docker-compose.prod.yml
View File

@ -54,36 +54,6 @@ services:
timeout: 5s
retries: 20
# Restricted Docker API gateway for the control plane. The API only needs to
# stop/remove generated containers (`docker rm -f`), so it talks to this proxy
# — which exposes ONLY the containers endpoints + write methods — instead of
# mounting the raw root-equivalent /var/run/docker.sock. A compromised API can
# no longer build images, create privileged containers, exec, or mount host
# paths. (INF-003) NOTE: the generator still mounts the raw socket because it
# legitimately builds+runs containers (an inherently privileged operation);
# that residual is tracked in the audit backlog (rootless buildkit / build VM).
docker-socket-proxy:
image: tecnativa/docker-socket-proxy:0.2.0
container_name: bmm-docker-proxy
restart: unless-stopped
environment:
CONTAINERS: 1
POST: 1
# everything else stays at the image default (0 = blocked)
IMAGES: 0
BUILD: 0
NETWORKS: 0
VOLUMES: 0
EXEC: 0
INFO: 0
AUTH: 0
SECRETS: 0
SWARM: 0
SYSTEM: 0
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks: [bmm-network]
api:
build:
context: .
@ -91,13 +61,10 @@ services:
container_name: bmm-api
restart: unless-stopped
env_file: .env.production
environment:
# Route docker CLI calls through the restricted proxy instead of a raw
# socket mount. (INF-003)
DOCKER_HOST: tcp://docker-socket-proxy:2375
ports:
- "127.0.0.1:${API_PORT:-4000}:4000"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- bmm_keys:/app/apps/api/keys
# Per-runner nginx snippets — written by the generator, deleted by the
# api when a server is removed. The host-side systemd watcher combines
@ -112,8 +79,6 @@ services:
condition: service_healthy
redis:
condition: service_healthy
docker-socket-proxy:
condition: service_started
web:
build:
@ -121,9 +86,6 @@ services:
dockerfile: apps/web/Dockerfile
args:
NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL:?set NEXT_PUBLIC_API_URL in .env.production}
# Publishable (not secret) — baked into the client bundle for embedded
# checkout. Default empty so the build never fails when it's unset.
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: ${NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY:-}
container_name: bmm-web
restart: unless-stopped
env_file: .env.production
@ -147,12 +109,6 @@ services:
DATABASE_URL: postgresql://${POSTGRES_USER:-bmm}:${POSTGRES_PASSWORD}@127.0.0.1:${POSTGRES_PORT:-5440}/${POSTGRES_DB:-bmm}
REDIS_URL: redis://127.0.0.1:${REDIS_PORT:-6390}
volumes:
# SECURITY (INF-003): the generator mounts the RAW docker socket because it
# builds images and runs containers — inherently root-equivalent on this
# host, and a socket-proxy can't filter that (container-create with host
# binds is the dangerous primitive it legitimately needs). It is NOT
# internet-facing (driven only by the Redis build queue). Real remediation
# = rootless buildkit or a dedicated build VM; tracked in the audit backlog.
- /var/run/docker.sock:/var/run/docker.sock
- bmm_build_context:/app/build-context
# Same runner-map mount as the api — generator drops the snippet on

15
infra/nginx/buildmymcpserver.conf
View File

@ -21,14 +21,6 @@ server {
client_max_body_size 12M;
# Security headers (INF-002). Cloudflare sits in front — if it also injects
# HSTS, drop that line here to avoid duplication. CSP intentionally omitted
# for now (a wrong policy breaks Next/Tailwind inline) — track separately.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
location / {
proxy_pass http://127.0.0.1:4001;
proxy_http_version 1.1;
@ -56,13 +48,6 @@ server {
client_max_body_size 12M;
# Security headers (INF-002). nosniff matters for the JSON API; XFO/HSTS are
# belt-and-suspenders for any HTML the API might ever serve.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Build-log WebSocket stream (/v1/builds/:id/stream) — needs the upgrade
# headers and a long read timeout; buffering off so frames are not held.
location /v1/builds/ {

24
packages/auth/src/index.ts
View File

@ -7,8 +7,6 @@ import {
eq,
gt,
isNull,
lt,
sql,
magicLinks,
memberships,
organizations,
@ -274,18 +272,12 @@ export async function consumeSmsCode(
.orderBy(desc(smsCodes.createdAt))
.limit(1);
if (!row || row.consumedAt) throw new Error('invalid_or_expired_code');
// Atomically claim one guess attempt. The increment is gated on
// `attempts < MAX` inside the same UPDATE, so the DB row-lock serialises
// concurrent verifies and at most MAX increments ever succeed for a code.
// The previous read-then-write (`row.attempts + 1`) let N parallel requests
// all pass a stale `attempts` read and brute-force the 6-digit code. (AUTH-001)
const slot = await db
.update(smsCodes)
.set({ attempts: sql`${smsCodes.attempts} + 1` })
.where(and(eq(smsCodes.id, row.id), lt(smsCodes.attempts, SMS_MAX_ATTEMPTS)))
.returning({ attempts: smsCodes.attempts });
if (slot.length === 0) throw new Error('too_many_attempts');
if (row.attempts >= SMS_MAX_ATTEMPTS) throw new Error('too_many_attempts');
if (sha256(`${phone}:${code}`) !== row.codeHash) {
await db
.update(smsCodes)
.set({ attempts: row.attempts + 1 })
.where(eq(smsCodes.id, row.id));
throw new Error('invalid_code');
}
await db.update(smsCodes).set({ consumedAt: new Date() }).where(eq(smsCodes.id, row.id));
@ -352,16 +344,10 @@ export async function getSession(
.where(eq(sessions.tokenHash, hash))
.limit(1);
if (!row || row.expiresAt < new Date()) return null;
// Deterministic primary-org selection — must match the login flows
// (consumeMagicLink / loginWithPassword order by oldest membership). Without
// this orderBy, a user with >1 membership (once org-invites land) would get a
// nondeterministic org per request, silently scoping their reads/writes to a
// different tenant than they logged in as. (SRV-001)
const [membership] = await db
.select({ orgId: memberships.orgId, role: memberships.role })
.from(memberships)
.where(eq(memberships.userId, row.userId))
.orderBy(memberships.createdAt)
.limit(1);
if (!membership) return null;
return {

33
packages/types/src/index.ts
View File

@ -68,33 +68,6 @@ export const PromptSpec = z.object({
});
export type PromptSpec = z.infer<typeof PromptSpec>;
// Dependency specifiers come from untrusted LLM output and are merged into the
// build's package.json, then `npm install`-ed inside `docker build` on the
// SHARED host. Restrict to npm-registry semver ranges only: no `git+`, `http(s):`,
// `file:` or tarball-URL specifiers (which fetch/checkout+run arbitrary code at
// install time), and valid (optionally-scoped) npm package names. Combined with
// `--ignore-scripts` in the runner Dockerfile this closes the build-time RCE. (GEN-001)
const DepName = z
.string()
.max(214)
.regex(/^(@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*$/i, 'invalid npm package name');
const DepRange = z
.string()
.max(64)
.regex(/^([\^~]?\d+(\.\d+){0,2}(-[\w.]+)?|\*|latest)$/, 'must be a plain semver range');
export const DependencyMap = z.record(DepName, DepRange);
// Secret KEYS become `-e KEY=VALUE` docker run args and the runtime env of the
// tenant container. Constrain to UPPER_SNAKE_CASE (matches requiredSecrets) and
// reject names that could hijack the Node runtime/loader if the container
// hardening ever regressed. Values stay free-form. (GEN-003)
const RESERVED_ENV = new Set(['PATH', 'LD_PRELOAD', 'LD_LIBRARY_PATH', 'NODE_ENV']);
const SecretKey = z
.string()
.regex(/^[A-Z][A-Z0-9_]*$/, 'UPPER_SNAKE_CASE env var name required')
.refine((k) => !RESERVED_ENV.has(k) && !k.startsWith('NODE_'), 'reserved env var name');
export const SecretMap = z.record(SecretKey, z.string());
export const GeneratorSpec = z.object({
name: z.string().min(1).max(128),
description: z.string().max(2000).optional(),
@ -103,7 +76,7 @@ export const GeneratorSpec = z.object({
prompts: z.array(PromptSpec).max(50).default([]),
requiredSecrets: z.array(z.string().regex(/^[A-Z][A-Z0-9_]*$/)).max(30).default([]),
scopes: z.array(z.string()).max(50).default([]),
dependencies: DependencyMap.default({}),
dependencies: z.record(z.string(), z.string()).default({}),
});
export type GeneratorSpec = z.infer<typeof GeneratorSpec>;
@ -163,7 +136,7 @@ export const CreateServerInput = z.object({
.max(64)
.regex(/^[a-z][a-z0-9-]*$/, 'lowercase, hyphenated'),
prompt: z.string().min(10).max(8000),
secrets: SecretMap.default({}),
secrets: z.record(z.string(), z.string()).default({}),
previewId: z.string().min(1).max(64).optional(),
specEdit: SpecEdit.optional(),
templateId: z.string().uuid().optional(),
@ -196,7 +169,7 @@ export type PreviewResult = z.infer<typeof PreviewResult>;
export const IterateServerInput = z.object({
prompt: z.string().min(10).max(8000),
secrets: SecretMap.default({}),
secrets: z.record(z.string(), z.string()).default({}),
});
export type IterateServerInput = z.infer<typeof IterateServerInput>;

53
pnpm-lock.yaml generated
View File

@ -137,12 +137,6 @@ importers:
'@bmm/types':
specifier: workspace:*
version: link:../../packages/types
'@stripe/react-stripe-js':
specifier: ^6.4.0
version: 6.4.0(@stripe/stripe-js@9.7.0)(react-dom@19.0.0(react@19.0.0))(react@19.0.0)
'@stripe/stripe-js':
specifier: ^9.7.0
version: 9.7.0
clsx:
specifier: 2.1.1
version: 2.1.1
@ -1250,17 +1244,6 @@ packages:
'@remotion/studio@4.0.220':
resolution: {integrity: sha512-97sb8ta+4cRmsntAWPgyNkAGo3i9/q/j+jLBvhbUF0njC+rFs3QVb/qx27mEI8/Avw3har7Nu7BR62eH8TNfcg==}
'@stripe/react-stripe-js@6.4.0':
resolution: {integrity: sha512-5cAf7GAqf8VHPoPLVnJQ2MHtDWLdiEPs5GW/loU7iDEue3xf620v11skrk5HICUraDOhODPYpttgFC5N579NxA==}
peerDependencies:
'@stripe/stripe-js': '>=9.5.0 <10.0.0'
react: '>=16.8.0 <20.0.0'
react-dom: '>=16.8.0 <20.0.0'
'@stripe/stripe-js@9.7.0':
resolution: {integrity: sha512-r1ElolvWXM4aYnZZVHvKW3EDL8JcwEuIgTuWxlB5lvC+YsvjkQ0gX35x9d8dTDubX395fViLVqkaolVs1PmIQQ==}
engines: {node: '>=12.16'}
'@swc/counter@0.1.3':
resolution: {integrity: sha512-e2BR4lsJkkRlKZ/qCHPw9ZaSxc0MVUd7gtbtaB7aMvHeJVYe8sOB8DBZkP2DtISHGSku9sCK6T6cnY0CtXrOCQ==}
@ -2120,9 +2103,6 @@ packages:
jose@6.2.3:
resolution: {integrity: sha512-YYVDInQKFJfR/xa3ojUTl8c2KoTwiL1R5Wg9YCydwH0x0B9grbzlg5HC7mMjCtUJjbQ/YnGEZIhI5tCgfTb4Hw==}
js-tokens@4.0.0:
resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
json-parse-even-better-errors@2.3.1:
resolution: {integrity: sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==}
@ -2237,10 +2217,6 @@ packages:
lodash.sortby@4.7.0:
resolution: {integrity: sha512-HDWXG8isMntAyRF5vZ7xKuEvOhT4AhlRt/3czTSjvGUxjYCBVRQY48ViDHyfYz9VIoBkW4TMGQNapx+l3RUwdA==}
loose-envify@1.4.0:
resolution: {integrity: sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==}
hasBin: true
lru-cache@6.0.0:
resolution: {integrity: sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==}
engines: {node: '>=10'}
@ -2495,9 +2471,6 @@ packages:
resolution: {integrity: sha512-NxNv/kLguCA7p3jE8oL2aEBsrJWgAakBpgmgK6lpPWV+WuOmY6r2/zbAVnP+T8bQlA0nzHXSJSJW0Hq7ylaD2Q==}
engines: {node: '>= 6'}
prop-types@15.8.1:
resolution: {integrity: sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==}
proxy-addr@2.0.7:
resolution: {integrity: sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==}
engines: {node: '>= 0.10'}
@ -2529,9 +2502,6 @@ packages:
peerDependencies:
react: ^19.0.0
react-is@16.13.1:
resolution: {integrity: sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==}
react-refresh@0.9.0:
resolution: {integrity: sha512-Gvzk7OZpiqKSkxsQvO/mbTN1poglhmAV7gR/DdIrRrSMXraRQQlfikRJOr3Nb9GTMPC5kof948Zy6jJZIFtDvQ==}
engines: {node: '>=0.10.0'}
@ -3733,15 +3703,6 @@ snapshots:
- supports-color
- utf-8-validate
'@stripe/react-stripe-js@6.4.0(@stripe/stripe-js@9.7.0)(react-dom@19.0.0(react@19.0.0))(react@19.0.0)':
dependencies:
'@stripe/stripe-js': 9.7.0
prop-types: 15.8.1
react: 19.0.0
react-dom: 19.0.0(react@19.0.0)
'@stripe/stripe-js@9.7.0': {}
'@swc/counter@0.1.3': {}
'@swc/helpers@0.5.15':
@ -4646,8 +4607,6 @@ snapshots:
jose@6.2.3: {}
js-tokens@4.0.0: {}
json-parse-even-better-errors@2.3.1: {}
json-schema-ref-resolver@3.0.0:
@ -4733,10 +4692,6 @@ snapshots:
lodash.sortby@4.7.0: {}
loose-envify@1.4.0:
dependencies:
js-tokens: 4.0.0
lru-cache@6.0.0:
dependencies:
yallist: 4.0.0
@ -4964,12 +4919,6 @@ snapshots:
kleur: 3.0.3
sisteransi: 1.0.5
prop-types@15.8.1:
dependencies:
loose-envify: 1.4.0
object-assign: 4.1.1
react-is: 16.13.1
proxy-addr@2.0.7:
dependencies:
forwarded: 0.2.0
@ -5002,8 +4951,6 @@ snapshots:
react: 19.0.0
scheduler: 0.25.0
react-is@16.13.1: {}
react-refresh@0.9.0: {}
react@19.0.0: {}