Skip to content

fix: COD-29 harden network auth and downloads#107

Merged
Ark0N merged 5 commits into
Ark0N:masterfrom
aakhter:cod-29-network-auth-downloads
Jun 8, 2026
Merged

fix: COD-29 harden network auth and downloads#107
Ark0N merged 5 commits into
Ark0N:masterfrom
aakhter:cod-29-network-auth-downloads

Conversation

@aakhter

@aakhter aakhter commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Summary

  • fail closed when binding non-loopback hosts without CODEMAN_PASSWORD unless explicitly overridden
  • add host binding support and extract reusable network auth policy helpers
  • scope downloads to session working directories and force SVG raw files to download with nosniff
  • relax auth lockout so valid sessions or correct credentials can recover safely

Verification

  • npm test -- test/auth-security.test.ts test/cli-commands.test.ts test/routes/file-routes.test.ts test/network-auth-policy.test.ts
  • npm run typecheck

Jira: COD-29

@aakhter aakhter force-pushed the cod-29-network-auth-downloads branch from ef020ff to da00fa6 Compare June 8, 2026 15:02
@Ark0N @claude
test: fix title tests for new host constructor arg + async renderInde…
6ee88be 
…xHtml

The WebServer constructor now takes `host` as the 4th positional arg
(titleHostname shifted to 5th), and renderIndexHtml became async (it
reads settings.json for the gesture bundle) and cache-busts asset URLs.
Update the two title tests accordingly:
- pass '127.0.0.1' as the bind host so the title value lands in the
  5th titleHostname slot (server-index-title + push-payload-host-title)
- await renderIndexHtml and make the cases async
- strip ?v=<mtime> cache-bust params before the byte-identical assertion

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Ark0N Ark0N merged commit e6b18fd into Ark0N:master Jun 8, 2026
1 check passed
Ark0N added a commit that referenced this pull request Jun 8, 2026
@Ark0N @claude
chore: release 0.9.0 — security hardening + warn-don't-block network …
a8e0e2a 
…policy

Release 0.9.0 covering the merged security/reliability PRs (#106 deps/
supply-chain, #107 auth/network, #108 test stability, #110 tmux cwd) plus:

- Network policy: a non-loopback bind without CODEMAN_PASSWORD now STARTS
  with a loud warning (3 ways to secure) instead of refusing to start.
  Loopback stays the safe default. --allow-unauthenticated-network just
  acknowledges (terser note). (src/web/server.ts start())
- Post-install security note explaining the loopback default + safe exposure.
- New docs/security-architecture.md documenting the full model (binding,
  auth pipeline, tunnel req.ip caveat, file-serving, supply-chain, isolation,
  recommended setups). CLAUDE.md Security section + gotcha updated.
- Updated auth-security test: asserts warn-and-start (not throw).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aakhter @Ark0N