v1.1.0 — Adversarial audit hardening

@thaleslaray thaleslaray released this 28 Apr 18:28
· 2 commits to main since this release

Security & compliance hardening release

Result of 2 adversarial audits (/pesquisa Level 3 + manual sweep).

Fixes (9 consolidated commits)

Setup & secrets

  • setup.sh: tokens are read with read -s (silent), so they do not leak into bash history
  • .env.example: warning against an APP_ID/SECRET shared among students (Cas Smith case, Nov 2025)
  • 3 hardcoded ad account IDs replaced with placeholders

Dependencies

  • fastmcp[code-mode]>=3.2.4 (CVE-2026-32871 SSRF patched)
  • Removed streamlit, fastapi, uvicorn from the MCP core dependencies (~100MB)
  • pip-audit clean: 0 known vulnerabilities in 71 packages

Bugs

  • audit.py:get_write_count_today() now filters on kind == "write" (previously it inflated the counter with reads and blocked legitimate writes)

Supply chain

  • .github/workflows/audit.yml: pip-audit weekly + on PRs that touch dependencies
  • actions/checkout pinned by SHA (defense against tag rewrite, TeamPCP March 2026)
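
A check for the SHA-pinning item above, as an added example that is not the project's own code: it lists every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA (or, for `docker://` images, a sha256 digest). The workflow text and the SHA in it are constructed for illustration and are not taken from the project's audit.yml.

```python
import re

# A `uses:` key at step or job level, optionally quoted; stops before a trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DOCKER_DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed sample workflow (not the project's file); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: audit
on: [pull_request]
jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/report
      - run: pip-audit
"""


def unpinned_actions(workflow_text):
    """Return (line_no, reference, reason) for each `uses:` a tag rewrite could redirect."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action, versioned together with the workflow itself
        _, sep, version = ref.partition("@")
        pinned = DOCKER_DIGEST_RE if ref.startswith("docker://") else FULL_SHA_RE
        if not sep:
            findings.append((line_no, ref, "no version"))
        elif not pinned.fullmatch(version):
            findings.append((line_no, ref, "mutable ref"))  # tag, branch or short SHA
    return findings


if __name__ == "__main__":
    for line_no, ref, reason in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} ({reason})")
```

Run over `.github/workflows/*.yml` in CI, a non-empty result can fail the build before an unpinned action is merged.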

Documentation

  • SECURITY.md: threat model + CVE inventory + reporting channel
  • README.md: requires Claude Code ≥2.0.65 (CVE-2025-59536 RCE, CVE-2026-21852 env override)
  • docs/auditoria-adversarial-2026-04-28.md: full audit report

CVEs covered in the stack

| CVE | Component | Patched |
|---|---|---|
| CVE-2026-32871 | FastMCP < 3.2.0 | ≥ 3.2.4 ✓ |
| CVE-2025-59536 | Claude Code < 1.0.111 | ≥ 2.0.65 documented ✓ |
| CVE-2026-21852 | Claude Code env override | ≥ 2.0.65 documented ✓ |
| CVE-2025-69196 | FastMCP OAuth | covered by the pin ✓ |

Smoke test

uvx --from ./mcp-server meta-ads-mcp --help — green