Security: deep scan makes outbound HTTP calls to URLs from scanned configs #25

@jonathansantilli

Description

During Layer 3 deep scan, CodeGate makes outbound HTTP requests to MCP server URLs discovered in scanned configuration files. This is a security risk — the URLs come from untrusted sources (the files being scanned for malicious content) and connecting to them exposes the scanner to:

  • Malicious server responses (crafted payloads, malformed JSON, content-length attacks)
  • IP address logging (the server learns who is scanning)
  • SSRF if CodeGate runs in a cloud/internal network
  • Browser tab opening (observed in practice during batch scanning)

Affected Code

  • src/cli.ts: executeDeepResource default implementation
  • src/layer3-dynamic/resource-fetcher.ts: fetchResourceMetadata() calls fetch() on untrusted URLs
  • src/layer3-dynamic/tool-description-acquisition.ts: acquireToolDescriptions() connects to MCP servers

Fix Applied

The executeDeepResource in cli.ts has been changed to never make outbound HTTP calls. Instead it records the URL as metadata for the meta-agent to analyze without connecting.

Remaining Work

  • The resource-fetcher.ts and tool-description-acquisition.ts modules still contain the HTTP-calling code — not removed since other integrations may use them with explicit opt-in
  • Consider whether any legitimate use case requires connecting to MCP endpoints during scan, and if so, add explicit user consent with clear warnings
  • Add tests verifying that no outbound calls are made during codegate scan --deep
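
One way to write the test named under Remaining Work, as an added example that is not CodeGate's own code: a guard replaces the global fetch with a recording stub, then a record-only handler and a stand-in for the old fetching behaviour are run over URLs from a scanned config. All function names and the sample URLs are assumptions made for illustration.

```typescript
// Added example; installFetchGuard, recordDeepResource and legacyFetchMetadata
// are hypothetical names, not CodeGate's API.
interface FetchGuard { attempts: string[]; restore: () => void }

// Swap global fetch for a stub that records the target and refuses to connect.
function installFetchGuard(): FetchGuard {
  const g = globalThis as any;
  const original = g.fetch;
  const attempts: string[] = [];
  g.fetch = (input: any): Promise<never> => {
    const url = typeof input === "string" ? input : String(input?.url ?? input);
    attempts.push(url);
    return Promise.reject(new Error(`outbound fetch blocked: ${url}`));
  };
  return { attempts, restore: () => { g.fetch = original; } };
}

interface DeepResourceRecord { url: string; fetched: false; note: string }

// Record-only handler in the spirit of the fix: keep the URL as metadata only.
function recordDeepResource(url: string): DeepResourceRecord {
  return { url, fetched: false, note: "not contacted; recorded for analysis" };
}

// Stand-in for the pre-fix behaviour, to show that the guard catches it.
async function legacyFetchMetadata(url: string): Promise<unknown> {
  const res = await (globalThis as any).fetch(url);
  return res.json();
}

// Run a handler over URLs from a scanned config; return every fetch it attempted.
function fetchAttemptsDuring(handler: (url: string) => unknown, urls: string[]): string[] {
  const guard = installFetchGuard();
  try {
    for (const u of urls) {
      const out = handler(u);
      // The stub rejects; the attempt is already recorded, so swallow the error.
      if (out instanceof Promise) out.catch(() => undefined);
    }
    return [...guard.attempts];
  } finally {
    guard.restore();
  }
}

// Constructed sample: URLs as they might appear in a scanned MCP config.
const SAMPLE_URLS = ["https://mcp.example.test/sse", "http://internal.example.test:8080/mcp"];
```

This synchronous guard catches a fetch issued before the handler's first await; a handler that fetches later needs a variant that awaits the handler before calling restore().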


Labels: bug (Something isn't working)
