
fix: throttle writes, bound mcp inputs, harden oauth consent #117

Closed
FrkAk wants to merge 1 commit into main from claude/security-review-repo-bmn2el


Conversation

FrkAk (Owner) commented Jun 10, 2026

Summary

Task Reference: none (security-review hardening; no associated Mymir task)

Addresses the high/medium findings from the security review that map to hosted-cost abuse and OAuth client spoofing. Dynamic client registration stays open (the standard MCP onboarding pattern); the fixes target what rides along with it rather than registration itself.

Cost / abuse (hosted):

  • Throttle the web write path with per-action budgets on the mutation wrappers (generous for humans, tight for scripts), since server-action POSTs bypass the /api/* middleware limiter.
  • Cap MCP tool inputs: an explicit request body-size limit on /api/mcp (MCP_MAX_BODY_BYTES) plus generous per-field/array ceilings — anti-abuse, not content policy; long unabridged plans still pass.
  • Per-project task cap (MAX_TASKS_PER_PROJECT, default 50k) as a growth backstop.
  • Throttle open OAuth client registration via the strict auth binding; nightly purge of abandoned dynamically-registered clients.

OAuth consent spoofing:

  • Gate brand-name normalization on a server-side verified client_id allowlist (empty by default), so an unverified dynamically-registered client renders its raw registered name and cannot impersonate a trusted brand.

Agent prompt-injection defense-in-depth:

  • Untrusted-content framing notice prepended to the agent and review context bundles.

Type of change

  • Bug fix
  • New feature
  • Refactor / cleanup
  • Documentation

Testing

  • Tested locally with bun run dev
  • Linting passes (bun run lint)
  • Typecheck passes (bun run typecheck)

Notes for reviewer

DB-backed test suites and bun run dev were not run in the sandbox (no Docker/Postgres available); affected golden snapshots were updated by hand and a regression test added for the register rate-limit rule. Tunable env knobs: MCP_MAX_BODY_BYTES, MAX_TASKS_PER_PROJECT, MYMIR_VERIFIED_OAUTH_CLIENT_IDS.
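The two server-side checks the bullets above describe, the consent display-name gate keyed on MYMIR_VERIFIED_OAUTH_CLIENT_IDS and the /api/mcp body bound keyed on MCP_MAX_BODY_BYTES, written out as an added example. This is not Mymir's code and not the commit under review: the brand table, the 1 MiB fallback limit, the 64-character name cap and every function name are assumptions; only the env variable names come from the PR.

```typescript
// Added example, not Mymir's own code: two env-driven checks modelled on the
// PR description. Brand table, default body limit, name cap and function
// names are assumptions; only the env variable names come from the PR.

// Constructed brand table: normalization key -> canonical label shown on the consent page.
const BRAND_LABELS: Record<string, string> = {
  "claude desktop": "Claude Desktop",
  "cursor": "Cursor",
};
const MAX_NAME_LEN = 64; // assumed cap for rendered client names

function normalizeKey(name: string): string {
  return name.trim().toLowerCase().replace(/\s+/g, " ");
}

// MYMIR_VERIFIED_OAUTH_CLIENT_IDS: comma-separated client_ids. Unset or empty
// yields an empty allowlist, so nothing is brand-normalized by default.
function parseVerifiedClientIds(raw: string | undefined): Set<string> {
  if (!raw) return new Set<string>();
  return new Set(raw.split(",").map((s) => s.trim()).filter((s) => s.length > 0));
}

interface ConsentName { name: string; verified: boolean }

// Brand normalization only runs for client_ids on the server-side allowlist.
// Any other client (e.g. one created via dynamic registration) gets its
// registered name back unchanged apart from control-character stripping and a
// length cap, so it cannot be promoted to a trusted brand label.
function resolveConsentDisplayName(clientId: string, registeredName: string, verified: Set<string>): ConsentName {
  const raw = registeredName.replace(/[\u0000-\u001f\u007f]/g, "").trim().slice(0, MAX_NAME_LEN) || clientId;
  if (!verified.has(clientId)) return { name: raw, verified: false };
  const label = BRAND_LABELS[normalizeKey(raw)];
  return { name: label ?? raw, verified: true };
}

// MCP_MAX_BODY_BYTES: positive integer; anything else falls back to the assumed 1 MiB default.
const DEFAULT_MAX_BODY_BYTES = 1_048_576;
function parseMaxBodyBytes(raw: string | undefined): number {
  const n = Number(raw);
  return Number.isFinite(n) && n > 0 ? Math.floor(n) : DEFAULT_MAX_BODY_BYTES;
}

interface BodyCheck { ok: boolean; status: number; reason?: string }

// Reject on the declared Content-Length before reading, then again on the
// bytes actually received, so a missing or understated header cannot bypass the cap.
function checkMcpBodySize(contentLength: string | null, receivedBytes: number, max: number): BodyCheck {
  if (contentLength !== null) {
    const declared = Number(contentLength);
    if (!Number.isInteger(declared) || declared < 0) {
      return { ok: false, status: 400, reason: "invalid Content-Length" };
    }
    if (declared > max) {
      return { ok: false, status: 413, reason: "declared body exceeds MCP_MAX_BODY_BYTES" };
    }
  }
  if (receivedBytes > max) {
    return { ok: false, status: 413, reason: "received body exceeds MCP_MAX_BODY_BYTES" };
  }
  return { ok: true, status: 200 };
}
```

The `verified` flag is returned alongside the name so the consent template can render an unverified badge next to a dynamically-registered client's raw name; the lookup is deliberately keyed on `client_id` rather than on the name itself, since the name is attacker-chosen at registration time and the id is not.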

FrkAk force-pushed the claude/security-review-repo-bmn2el branch from 9a5ace5 to 3aac3b4 on June 10, 2026 12:21
FrkAk changed the title from "security: rate-limit writes, bound MCP inputs, harden consent + DCR" to "security: throttle writes, bound mcp inputs, harden oauth consent" on Jun 10, 2026
FrkAk force-pushed the claude/security-review-repo-bmn2el branch from 3aac3b4 to 63604fa on June 10, 2026 12:26
FrkAk changed the title from "security: throttle writes, bound mcp inputs, harden oauth consent" to "fix: throttle writes, bound mcp inputs, harden oauth consent" on Jun 10, 2026
FrkAk force-pushed the claude/security-review-repo-bmn2el branch 2 times, most recently from baf54f8 to 0fdfe18 on June 10, 2026 12:31
FrkAk force-pushed the claude/security-review-repo-bmn2el branch from 0fdfe18 to 8a5e3ae on June 10, 2026 12:37

FrkAk (Owner, Author) commented Jun 10, 2026

Superseded by #118, which carries the identical commit on a branch without the claude/ prefix. Closing this one.

Generated by Claude Code

FrkAk closed this Jun 10, 2026
FrkAk deleted the claude/security-review-repo-bmn2el branch June 10, 2026 12:57