marco/buildmymcpserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9d5386ccba
buildmymcpserver/.env.example
Marco Sadjadi 9d5386ccba @ 
fix(security): sovereign-audit hardening pass — RCE, multi-tenant, reliability

Reasoning-based audit fixes (all verified by typecheck, attack paths re-traced):

- build-time RCE: validate spec.dependencies to npm-registry semver only
  (no git/url/file specifiers) + --ignore-scripts in runner Dockerfile.
- container hardening fail-CLOSED: harden unless RUNNER_DISABLE_HARDENING=1,
  no longer gated on a fragile NODE_ENV string compare.
- secret env keys validated (UPPER_SNAKE, reject NODE_*/PATH/LD_*).
- cross-org image-tag collision: qualify tag with serverId.
- /iterate now enforces suspension + daily-build limits like /servers.
- preview SSE: clear keepalive in finally + on client close (timer/FD leak).
- SMS OTP: atomic attempt counter (lt(attempts,MAX) in UPDATE) — brute-force race.
- getSession orders membership by createdAt (deterministic primary org).
- template scopes aggregated from real tool scopes (was hardcoded mcp:read).
- template category filter pushed into WHERE (was applied after LIMIT).
- support admin reply/status: 404 on unknown ticket; status change now audited.
- build worker: queue defaultJobOptions, docker build/run/stop timeouts,
  old-container teardown in finally (no orphan on post-deploy DB failure).
- nginx: HSTS, X-Frame-Options DENY, nosniff, Referrer-Policy.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@
2026-05-29 20:56:30 +02:00

75 lines
2.5 KiB
Plaintext
Raw Blame History

# ---- Core ----
NODE_ENV=development
# Local dev only: skip runner container hardening (--read-only etc. break on
# Windows Docker Desktop). NEVER set this in .env.production. (GEN-002)
RUNNER_DISABLE_HARDENING=1
# ---- Database ----
DATABASE_URL=postgresql://bmm:bmm@localhost:5440/bmm
REDIS_URL=redis://localhost:6390
# ---- Auth (Better-Auth) ----
BETTER_AUTH_SECRET=replace-me-with-32-bytes-of-random-hex-1234567890abcdef
BETTER_AUTH_URL=http://localhost:3001
NEXT_PUBLIC_APP_URL=http://localhost:3001
NEXT_PUBLIC_API_URL=http://localhost:4000
# ---- GitHub OAuth ("Continue with GitHub") ----
# Create at https://github.com/settings/applications/new
# Authorized callback URL: <CONTROL_PLANE_PUBLIC_URL>/v1/auth/github/callback
GITHUB_OAUTH_ID=
GITHUB_OAUTH_SECRET=
# ---- Twilio SMS (phone one-time-code login) ----
# Credentials + a verified sender number from the Twilio console.
TWILIO_ACCOUNT_SID=
TWILIO_AUTH_TOKEN=
TWILIO_SMS_FROM=
# ---- Google OAuth (optional — "Continue with Google") ----
# Create at https://console.cloud.google.com/apis/credentials
# Authorized redirect URI must be: <CONTROL_PLANE_PUBLIC_URL>/v1/auth/google/callback
# e.g. dev: http://localhost:4000/v1/auth/google/callback
# prod: https://api.buildmymcp.com/v1/auth/google/callback
GOOGLE_OAUTH_ID=
GOOGLE_OAUTH_SECRET=
# Public URL of this API, used to build the OAuth redirect URI.
CONTROL_PLANE_PUBLIC_URL=http://localhost:4000
# ---- Anthropic ----
ANTHROPIC_API_KEY=
# ---- Crypto ----
# 32-byte hex for AES-256-GCM; generate with: openssl rand -hex 32
SECRETS_ENCRYPTION_KEY=0000000000000000000000000000000000000000000000000000000000000000
# ---- Admin bootstrap ----
# On API boot, an admin user is upserted with these credentials (idempotent).
ADMIN_EMAIL=
ADMIN_PASSWORD=
ADMIN_NAME=Admin
# ---- OAuth signing (RS256 JWKS) ----
# Path to PEM keypair; auto-generated on api boot if missing
OAUTH_KEY_DIR=./keys
# ---- Runner / Generator ----
# Where MCP runtime containers bind (host machine reachable from API)
RUNNER_HOST=localhost
# Range of host ports used for generated MCP containers
RUNNER_PORT_RANGE_START=4100
RUNNER_PORT_RANGE_END=4999
# Public URL template — $SLUG and $PORT are interpolated
RUNNER_PUBLIC_URL_TEMPLATE=http://localhost:$PORT
# Control plane URL reachable from runner containers
CONTROL_PLANE_URL=http://host.docker.internal:4000
# ---- Stripe (Sprint 4) ----
STRIPE_SECRET_KEY=
STRIPE_WEBHOOK_SECRET=
# ---- Observability (optional) ----
SENTRY_DSN=
OTEL_EXPORTER_OTLP_ENDPOINT=
Reference in New Issue View Git Blame Copy Permalink