fix: security hardening — auth, CORS, shell injection, SSRF, permissions

Review found 5 critical security issues. All fixed:

1. Auth + localhost binding: Bearer token auth on all endpoints (except health),
   server binds to 127.0.0.1 only, CORS restricted to localhost
2. Shell injection: mcp.ts uses execFileSync instead of execSync (no shell)
3. Permissions wired: PermissionManager.check() called before resource execution,
   destructive actions blocked by default read-only policy
4. Docker ID validation: container IDs validated against ^[a-zA-Z0-9][a-zA-Z0-9_.-]*$
5. SSRF protection: network provider validates URL scheme (http/https only),
   blocks metadata endpoints (169.254.169.254)
6. Error sanitization: internal errors logged server-side, generic message to client

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: FlexNetOS

ark-home/src/index.ts

@@ -51,8 +51,9 @@ async function main() {
   console.log('[ark-home] Initializing providers...');
   await resources.initAll();
 
-  const handle = startServer(conversation, config, resources);
-  console.log(`[ark-home] Daemon listening on http://localhost:${handle.port}`);
+  const handle = startServer(conversation, config, resources, permissions);
+  console.log(`[ark-home] Daemon listening on http://127.0.0.1:${handle.port}`);
+  console.log(`[ark-home] API token: ${handle.token.slice(0, 8)}...`);
   console.log('[ark-home] Providers:', resources.list().map(p => p.name).join(', '));
 
   const stats = conversation.stats();

ark-home/src/mcp.ts

@@ -7,7 +7,7 @@
 // since @ruvector/rvf-mcp-server is not installed. The CLI is the source
 // of truth and always available at ~/.cargo/bin/rvf.
 
-import { spawn, execSync } from 'child_process';
+import { spawn, execFileSync } from 'child_process';
 import { existsSync, writeFileSync, unlinkSync } from 'fs';
 import { join } from 'path';
 import { tmpdir } from 'os';
@@ -52,7 +52,7 @@ function defaultRvfBinary(): string {
 
 function runRvf(binary: string, args: string[]): string {
   try {
-    const result = execSync(`"${binary}" ${args.join(' ')}`, {
+    const result = execFileSync(binary, args, {
       encoding: 'utf-8',
       timeout: 30_000,
     });

ark-home/src/providers/docker.ts

@@ -80,12 +80,12 @@ export class DockerProvider implements ResourceProvider {
   }
 
   private async inspectContainer(args: Record<string, unknown>) {
-    const id = requireArg(args, 'id');
+    const id = requireContainerId(args);
     return this.dockerFetch(`/containers/${id}/json`);
   }
 
   private async containerLogs(args: Record<string, unknown>) {
-    const id = requireArg(args, 'id');
+    const id = requireContainerId(args);
     const tail = Number(args.tail) || 100;
     const resp = await this.dockerFetchRaw(`/containers/${id}/logs?stdout=true&stderr=true&tail=${tail}`);
     if (!resp) return { logs: '' };
@@ -96,24 +96,24 @@ export class DockerProvider implements ResourceProvider {
   }
 
   private async containerStats(args: Record<string, unknown>) {
-    const id = requireArg(args, 'id');
+    const id = requireContainerId(args);
     return this.dockerFetch(`/containers/${id}/stats?stream=false`);
   }
 
   private async startContainer(args: Record<string, unknown>) {
-    const id = requireArg(args, 'id');
+    const id = requireContainerId(args);
     await this.dockerFetchRaw(`/containers/${id}/start`, 'POST');
     return { action: 'started', container: id };
   }
 
   private async stopContainer(args: Record<string, unknown>) {
-    const id = requireArg(args, 'id');
+    const id = requireContainerId(args);
     await this.dockerFetchRaw(`/containers/${id}/stop`, 'POST');
     return { action: 'stopped', container: id };
   }
 
   private async restartContainer(args: Record<string, unknown>) {
-    const id = requireArg(args, 'id');
+    const id = requireContainerId(args);
     await this.dockerFetchRaw(`/containers/${id}/restart`, 'POST');
     return { action: 'restarted', container: id };
   }
@@ -158,3 +158,11 @@ function requireArg(args: Record<string, unknown>, name: string): string {
   if (!val || typeof val !== 'string') throw new Error(`Missing required arg: ${name}`);
   return val;
 }
+
+function requireContainerId(args: Record<string, unknown>): string {
+  const id = requireArg(args, 'id');
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/.test(id)) {
+    throw new Error(`Invalid container ID format: ${id}`);
+  }
+  return id;
+}

ark-home/src/providers/network.ts

@@ -103,6 +103,21 @@ export class NetworkProvider implements ResourceProvider {
     const url = String(args.url || '');
     if (!url) throw new Error('Missing required arg: url');
 
+    // SSRF protection: restrict to http/https, block metadata and private ranges
+    try {
+      const parsed = new URL(url);
+      if (!['http:', 'https:'].includes(parsed.protocol)) {
+        throw new Error(`Blocked protocol: ${parsed.protocol}`);
+      }
+      const host = parsed.hostname;
+      if (host === '169.254.169.254' || host.startsWith('fd') || host === '::1') {
+        throw new Error('Blocked: metadata/link-local address');
+      }
+    } catch (err) {
+      if (err instanceof TypeError) throw new Error(`Invalid URL: ${url}`);
+      throw err;
+    }
+
     const start = Date.now();
     try {
       const resp = await fetch(url, {

ark-home/src/server.ts

@@ -1,31 +1,65 @@
 // Ark Home — HTTP API Server
-// Resource orchestration daemon on port 7700. No terminal UI.
+// Resource orchestration daemon on port 7700. Localhost-only by default.
 // JSON API for conversation, search, stats, resources, health.
 
 import type { Conversation } from './conversation';
 import type { ArkHomeConfig, Context } from './types';
 import type { ResourceRegistry } from './providers/index';
+import type { PermissionManager } from './permissions';
+import { randomBytes } from 'crypto';
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { join, dirname } from 'path';
 
 export interface ServerHandle {
   port: number;
+  token: string;
   stop: () => void;
 }
 
+/** Load or generate a bearer token for API authentication. */
+function loadOrCreateToken(configDir: string): string {
+  const tokenPath = join(configDir, 'api-token');
+  try {
+    if (existsSync(tokenPath)) {
+      return readFileSync(tokenPath, 'utf-8').trim();
+    }
+  } catch { /* regenerate */ }
+
+  const token = randomBytes(32).toString('hex');
+  const dir = dirname(tokenPath);
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  writeFileSync(tokenPath, token, { mode: 0o600 });
+  return token;
+}
+
 export function startServer(
   conversation: Conversation,
   config: ArkHomeConfig,
   resources?: ResourceRegistry,
+  permissions?: PermissionManager,
 ): ServerHandle {
   const port = config.mcpPort || 7700;
+  const configDir = join(process.env.HOME || '/root', '.ark-home');
+  const token = loadOrCreateToken(configDir);
 
   const corsHeaders = {
-    'Access-Control-Allow-Origin': '*',
+    'Access-Control-Allow-Origin': 'http://localhost',
     'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-    'Access-Control-Allow-Headers': 'Content-Type',
+    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
   };
 
+  function checkAuth(req: Request): boolean {
+    // Health endpoint is public
+    const url = new URL(req.url);
+    if (url.pathname === '/api/health') return true;
+
+    const auth = req.headers.get('authorization');
+    return auth === `Bearer ${token}`;
+  }
+
   const server = Bun.serve({
     port,
+    hostname: '127.0.0.1',
     fetch: async (req) => {
       const url = new URL(req.url);
       const path = url.pathname;
@@ -34,6 +68,14 @@ export function startServer(
         return new Response(null, { status: 204, headers: corsHeaders });
       }
 
+      // Auth check (health is public, everything else requires token)
+      if (!checkAuth(req)) {
+        return Response.json(
+          { error: 'Unauthorized. Include Authorization: Bearer <token> header.' },
+          { status: 401, headers: corsHeaders },
+        );
+      }
+
       try {
         // GET /api/health
         if (path === '/api/health' && req.method === 'GET') {
@@ -127,6 +169,22 @@ export function startServer(
             ? await req.json() as Record<string, unknown>
             : {};
 
+          // Permission check
+          if (permissions) {
+            const provider = resources.get(providerName);
+            if (provider) {
+              const actionDef = provider.actions().find(a => a.name === action);
+              const destructive = actionDef?.destructive ?? true;
+              const check = permissions.check(providerName, action, conversation.context, destructive);
+              if (!check.permitted) {
+                return Response.json(
+                  { error: `Permission denied: ${check.reason}` },
+                  { status: 403, headers: corsHeaders },
+                );
+              }
+            }
+          }
+
           const result = await resources.execute(providerName, action, body);
           return Response.json(result, { headers: corsHeaders });
         }
@@ -146,14 +204,19 @@ export function startServer(
         }, { status: 404, headers: corsHeaders });
 
       } catch (err) {
-        const message = err instanceof Error ? err.message : 'Internal server error';
-        return Response.json({ error: message }, { status: 500, headers: corsHeaders });
+        // Log details server-side, return generic error to client
+        console.error('[ark-home] Request error:', err);
+        return Response.json(
+          { error: 'Internal server error' },
+          { status: 500, headers: corsHeaders },
+        );
       }
     },
   });
 
   return {
     port: server.port,
+    token,
     stop: () => server.stop(),
   };
 }

ark-home/test/daemon.test.ts

@@ -5,6 +5,7 @@ import { Conversation } from '../src/conversation';
 import { startServer } from '../src/server';
 import { ResourceRegistry } from '../src/providers/index';
 import { FsProvider } from '../src/providers/fs';
+import { PermissionManager } from '../src/permissions';
 import { DEFAULT_CONFIG } from '../src/types';
 import { mkdtempSync, writeFileSync, mkdirSync } from 'fs';
 import { tmpdir } from 'os';
@@ -21,7 +22,8 @@ const config = {
 };
 
 let baseUrl: string;
-let handle: { port: number; stop: () => void };
+let handle: { port: number; token: string; stop: () => void };
+let authHeaders: Record<string, string>;
 let conversation: Conversation;
 let resources: ResourceRegistry;
 let origCwd: string;
@@ -34,8 +36,12 @@ beforeAll(async () => {
   resources = new ResourceRegistry();
   resources.register(new FsProvider({ roots: [tmpDir], allowWrite: true, maxReadSize: 1024 * 1024 }));
   await resources.initAll();
-  handle = startServer(conversation, config, resources);
-  baseUrl = `http://localhost:${handle.port}`;
+  const perms = new PermissionManager(tmpDir);
+  // Allow write for tests
+  perms.addGlobalRule({ provider: 'fs', action: 'write', allowed: true });
+  handle = startServer(conversation, config, resources, perms);
+  baseUrl = `http://127.0.0.1:${handle.port}`;
+  authHeaders = { 'Authorization': `Bearer ${handle.token}` };
 });
 
 afterAll(() => {
@@ -59,7 +65,7 @@ describe('conversation API', () => {
   test('POST /api/message requires content', async () => {
     const resp = await fetch(`${baseUrl}/api/message`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...authHeaders },
       body: JSON.stringify({}),
     });
     expect(resp.status).toBe(400);
@@ -68,7 +74,7 @@ describe('conversation API', () => {
   test('POST /api/message accepts valid input', async () => {
     const resp = await fetch(`${baseUrl}/api/message`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...authHeaders },
       body: JSON.stringify({ content: 'hello from test' }),
     });
     expect(resp.status).toBe(200);
@@ -81,7 +87,7 @@ describe('conversation API', () => {
   test('POST /api/context switches context', async () => {
     const resp = await fetch(`${baseUrl}/api/context`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...authHeaders },
       body: JSON.stringify({ context: 'personal' }),
     });
     expect(resp.status).toBe(200);
@@ -92,26 +98,26 @@ describe('conversation API', () => {
   test('POST /api/context rejects invalid', async () => {
     const resp = await fetch(`${baseUrl}/api/context`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...authHeaders },
       body: JSON.stringify({ context: 'invalid' }),
     });
     expect(resp.status).toBe(400);
   });
 
   test('GET /api/stats returns stats', async () => {
-    const resp = await fetch(`${baseUrl}/api/stats`);
+    const resp = await fetch(`${baseUrl}/api/stats`, { headers: authHeaders });
     expect(resp.status).toBe(200);
     const body = await resp.json() as Record<string, unknown>;
     expect(typeof body.total).toBe('number');
   });
 
   test('GET /api/search requires q param', async () => {
-    const resp = await fetch(`${baseUrl}/api/search`);
+    const resp = await fetch(`${baseUrl}/api/search`, { headers: authHeaders });
     expect(resp.status).toBe(400);
   });
 
   test('GET /api/search returns results', async () => {
-    const resp = await fetch(`${baseUrl}/api/search?q=hello`);
+    const resp = await fetch(`${baseUrl}/api/search?q=hello`, { headers: authHeaders });
     expect(resp.status).toBe(200);
     const body = await resp.json() as { results: unknown[]; count: number };
     expect(Array.isArray(body.results)).toBe(true);
@@ -120,7 +126,7 @@ describe('conversation API', () => {
 
 describe('resource API', () => {
   test('GET /api/resources lists providers', async () => {
-    const resp = await fetch(`${baseUrl}/api/resources`);
+    const resp = await fetch(`${baseUrl}/api/resources`, { headers: authHeaders });
     expect(resp.status).toBe(200);
     const body = await resp.json() as { providers: { name: string }[] };
     expect(body.providers.length).toBeGreaterThan(0);
@@ -130,7 +136,7 @@ describe('resource API', () => {
   test('POST /api/resources/fs/list works', async () => {
     const resp = await fetch(`${baseUrl}/api/resources/fs/list`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...authHeaders },
       body: JSON.stringify({ path: tmpDir }),
     });
     expect(resp.status).toBe(200);
@@ -145,7 +151,7 @@ describe('resource API', () => {
 
     const resp = await fetch(`${baseUrl}/api/resources/fs/read`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...authHeaders },
       body: JSON.stringify({ path: testFile }),
     });
     expect(resp.status).toBe(200);
@@ -157,7 +163,7 @@ describe('resource API', () => {
     const testFile = join(tmpDir, 'test-write.txt');
     const resp = await fetch(`${baseUrl}/api/resources/fs/write`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...authHeaders },
       body: JSON.stringify({ path: testFile, content: 'written by daemon' }),
     });
     expect(resp.status).toBe(200);
@@ -170,16 +176,21 @@ describe('resource API', () => {
   test('POST /api/resources/unknown/action returns 500', async () => {
     const resp = await fetch(`${baseUrl}/api/resources/nonexistent/action`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...authHeaders },
       body: JSON.stringify({}),
     });
     expect(resp.status).toBe(500);
   });
 });
 
 describe('404 handling', () => {
+  test('unauthenticated request returns 401', async () => {
+    const resp = await fetch(`${baseUrl}/api/stats`);
+    expect(resp.status).toBe(401);
+  });
+
   test('unknown route returns 404 with route list', async () => {
-    const resp = await fetch(`${baseUrl}/api/nonexistent`);
+    const resp = await fetch(`${baseUrl}/api/nonexistent`, { headers: authHeaders });
     expect(resp.status).toBe(404);
     const body = await resp.json() as { routes: string[] };
     expect(Array.isArray(body.routes)).toBe(true);