docs(openspec): add fetch access controls change

Author: arabold

openspec/changes/add-fetch-access-controls/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-03-29

openspec/changes/add-fetch-access-controls/design.md

@@ -0,0 +1,146 @@
+## Context
+
+The server intentionally supports arbitrary HTTP(S) and `file://` fetching across CLI, MCP, and web-triggered scraping flows. Today, fetcher selection and local file traversal are centralized enough to apply consistent controls, but there is no policy layer that limits outbound network targets, constrains local file roots, or handles hidden paths and symlink escapes. The project already has a strong configuration model with schema-backed defaults and environment/CLI overrides, so access controls should be introduced as configuration-driven behavior rather than interface-specific flags.
+
+## Goals / Non-Goals
+
+**Goals:**
+- Add one shared outbound access policy that applies to `fetch_url` and scrape workflows regardless of entry point.
+- Default-deny private, loopback, link-local, and similar special-use network targets unless explicitly configured.
+- Add configurable local file access modes with allowed roots, `$DOCUMENTS` token expansion, and secure defaults for hidden paths and symlinks.
+- Produce clear user-facing errors when policy blocks access.
+- Preserve explicit opt-in paths for trusted local and self-hosted deployments.
+
+**Non-Goals:**
+- Add per-user or per-token authorization rules.
+- Implement a sandbox or OS-level file isolation boundary.
+- Detect every possible cloud metadata alias or enterprise-internal hostname pattern out of the box.
+- Redesign the scrape tool surface or add new transport-level authentication features.
+
+## Decisions
+
+### Introduce a shared scraper security policy under configuration
+
+Add a new `scraper.security` section to the typed config schema. This keeps policy close to the fetch/scrape subsystem and lets the existing precedence model handle config file, environment, and CLI overrides.
+
+Alternative considered: a top-level `security` block. Rejected because the affected behavior is currently isolated to scraper-driven URL and file access, and placing the settings under `scraper` avoids broadening the configuration surface prematurely.
+
+### Enforce policy centrally before network or file reads
+
+Introduce a reusable access-policy helper that validates URLs and resolved file paths before `AutoDetectFetcher`, `HttpFetcher`, `FileFetcher`, and local crawl entry points perform I/O. DNS-resolved IP revalidation and redirect-target validation will be mandatory enforcement behavior, not optional configuration knobs. For archive-member URLs such as `file:///path/to/archive.zip/docs/readme.md`, policy evaluation will be based on the resolved backing archive file path plus the virtual entry path, not on the nonexistent combined filesystem path.
+
+Alternative considered: only validating at the MCP tool boundary. Rejected because CLI and web-triggered scraping must behave consistently, and lower-level enforcement prevents bypass through internal call paths.
+
+### Apply network policy to browser-initiated subrequests
+
+Treat browser-based fetching as a series of outbound requests rather than a single navigation. The same network policy must apply to the initial page load, redirects, frames, iframes, scripts, stylesheets, images, XHR/fetch calls, and any other subresource request initiated during rendering so that a public page cannot pivot the renderer into private network access.
+
+Alternative considered: only validating the initial browser navigation target. Rejected because it leaves a clear SSRF-style gap for render-time secondary requests.
+
+### Default-deny special network ranges while keeping explicit opt-in overrides
+
+Model network protection with one main switch, `allowPrivateNetworks`, that defaults to `false` and covers loopback, RFC1918 private ranges, link-local addresses, and equivalent IPv6 special-use ranges. Add `allowedHosts` and `allowedCidrs` so trusted deployments can permit only the specific internal targets they need while the broad default-deny behavior remains in place.
+
+When `allowPrivateNetworks` is `false`, an empty `allowedHosts` and `allowedCidrs` configuration means no private or special-use network targets are allowed. Public internet targets remain allowed unless blocked by some other rule. When `allowPrivateNetworks` is `true`, all network targets become eligible for access, subject to the same redirect and DNS resolution checks.
+
+`allowedHosts` and `allowedCidrs` serve different purposes. `allowedHosts` grants a hostname-bound exception for requests explicitly targeting that host, even when it resolves to private or special-use addresses. `allowedCidrs` grants an address-bound exception for direct IP targets or any hostname whose resolved connection address falls within an allowed subnet. Redirects and secondary requests are evaluated independently against the same rules, so a request allowed via `allowedHosts` does not automatically authorize a different hostname or a direct IP target unless that new target is also allowed.
+
+Example default-secure network configuration:
+
+```yaml
+scraper:
+  security:
+    network:
+      allowPrivateNetworks: false
+      allowedHosts: []
+      allowedCidrs: []
+```
+
+Example selective internal allowlist:
+
+```yaml
+scraper:
+  security:
+    network:
+      allowPrivateNetworks: false
+      allowedHosts:
+        - docs.internal.example
+      allowedCidrs:
+        - 10.42.0.0/16
+```
+
+Alternative considered: permissive defaults with warnings only. Rejected because the objective of this change is meaningful hardening for exposed deployments, and warnings do not reduce actual risk.
+
+Alternative considered: separate booleans such as `allowLoopback` and `allowLinkLocal`. Rejected because they create overlapping policy states and make it harder to explain how exceptions should be configured.
+
+### Add file access modes with allowlisted roots and secure traversal defaults
+
+Model local file access as `disabled`, `allowedRoots`, or `unrestricted`. In `allowedRoots` mode, expand configured tokens such as `$DOCUMENTS`, canonicalize paths, and require the effective target to remain inside an allowed root. Set `followSymlinks` and `includeHidden` to `false` by default. Hidden paths will be blocked even when explicitly named unless the user opts in.
+
+When `fileAccess.mode` is `allowedRoots`, an empty `allowedRoots` list means all user-requested `file://` access is denied. This does not block internally managed temporary archive handoff for accepted web archive roots.
+
+If `$DOCUMENTS` cannot be resolved on the current platform or runtime account, it will expand to no path and therefore grant no access by itself. Deployments that require local file access in containers or service accounts must configure explicit absolute paths.
+
+Example default file policy:
+
+```yaml
+scraper:
+  security:
+    fileAccess:
+      mode: allowedRoots
+      allowedRoots:
+        - $DOCUMENTS
+      followSymlinks: false
+      includeHidden: false
+```
+
+Example fully disabled local file access:
+
+```yaml
+scraper:
+  security:
+    fileAccess:
+      mode: disabled
+      allowedRoots: []
+      followSymlinks: false
+      includeHidden: false
+```
+
+Alternative considered: denylisting sensitive directories under `$HOME`. Rejected because denylisting is incomplete and easier to bypass than root allowlisting.
+
+### Preserve internal temporary archive handoff
+
+Treat temporary files created by the application itself for supported web archive scraping as internal implementation artifacts rather than user-requested `file://` access. Policy enforcement will still apply to the original network URL, but once a web archive root has been accepted and downloaded, the handoff into local archive processing must not be blocked merely because the temp file lives outside configured user roots such as `$DOCUMENTS`. This exception is limited to the downloaded archive artifact produced for that accepted request and virtual members read from that archive during the same processing flow.
+
+Alternative considered: requiring the temp directory to be added to default allowed roots. Rejected because it couples user-facing file policy to OS temp locations and would either over-broaden local access or break existing archive behavior.
+
+### Use `$DOCUMENTS` as a convenience token, not a policy special case
+
+Support `$DOCUMENTS` expansion during config resolution or policy evaluation, but enforce access against concrete absolute paths after expansion. This keeps the user experience simple without coupling enforcement logic to platform-specific home-directory conventions.
+
+Alternative considered: using `$HOME` as a default root. Rejected because it is too broad and includes common secret locations such as `.ssh`, `.aws`, and dot-config directories.
+
+## Risks / Trade-offs
+
+- [Behavior break for existing internal-doc users] -> Provide explicit `allowedHosts` and `allowedCidrs` overrides and document migration clearly.
+- [Regression in supported web archive scraping] -> Exempt internally managed temp archive handoff from user file-root checks while preserving network policy on the original URL.
+- [DNS resolution and redirect validation complexity] -> Keep the first implementation limited to HTTP(S) plus redirect revalidation and well-defined CIDR checks, covered by focused tests.
+- [Browser subrequest enforcement complexity] -> Intercept all Playwright requests centrally and apply the same resolver/policy helper used by non-browser fetchers.
+- [Platform-specific `$DOCUMENTS` resolution differences] -> Fall back to explicit paths when the token cannot be resolved reliably.
+- [Confusion around hidden path semantics] -> Treat `includeHidden: false` as a hard deny for both direct fetch and traversal, and document this explicitly.
+- [Symlink handling may surprise users with linked doc folders] -> Keep an opt-in `followSymlinks` flag and validate the resolved target stays within an allowed root.
+
+## Migration Plan
+
+1. Add the new config schema and defaults.
+2. Implement shared access-policy utilities and wire them into fetchers and local file traversal.
+3. Preserve archive workflows by validating virtual archive paths against the concrete archive file and by exempting internal temp archive handoff from user file-root checks.
+4. Update tests to cover blocked and allowed cases for top-level and browser-initiated network requests, hidden paths, symlinks, and archive workflows.
+5. Update user-facing documentation to explain defaults, array/env encoding, token expansion, and override patterns.
+6. Release with changelog notes highlighting that private-network access is now blocked by default and file access is restricted by policy.
+
+Rollback consists of removing the policy enforcement layer and reverting to the previous permissive defaults, but the preferred operational mitigation is to loosen the new config values rather than removing the feature.
+
+## Open Questions
+
+- Do we want CLI flags for temporary overrides in addition to config and environment variables, or is config-only sufficient for the first iteration?

openspec/changes/add-fetch-access-controls/proposal.md

@@ -0,0 +1,26 @@
+## Why
+
+The product intentionally fetches arbitrary web and local content, but today it does so without configurable network or file access restrictions. That is acceptable for trusted local workflows, yet it leaves shared or internet-exposed deployments without a first-class way to reduce SSRF-style risk, sensitive local file access, or accidental access to hidden content.
+
+## What Changes
+
+- Add configurable outbound access controls for HTTP(S) fetches used by `fetch_url` and scraping workflows.
+- Default-deny access to private, loopback, link-local, and other special-use network targets unless explicitly allowed via host or CIDR allowlists.
+- Add configurable local file access modes, with allowed root directories, `$DOCUMENTS` token expansion, and secure defaults for symlinks and hidden paths.
+- Preserve supported archive workflows by distinguishing user-requested local file access from internally managed temporary files and archive member resolution.
+- Enforce the same access policy across CLI, MCP, and web-triggered fetch/scrape operations.
+- Return clear validation errors when a URL or file path is blocked by policy, including guidance for enabling access.
+
+## Capabilities
+
+### New Capabilities
+- `outbound-access-control`: Define and enforce configurable network and local file access restrictions for one-shot fetches and scraping workflows.
+
+### Modified Capabilities
+- `configuration`: Add scraper security configuration for network restrictions, file access modes, allowed roots, symlink handling, and hidden path handling.
+
+## Impact
+
+- Affected code: scraper config schema and defaults, URL/file fetcher entry points, local file traversal, archive handoff paths, fetch and scrape tools, and related tests.
+- Affected interfaces: CLI, MCP, and web-backed scraping behavior will share the same enforcement rules.
+- Documentation impact: configuration and security docs will need updates to explain the new defaults and opt-in overrides.

openspec/changes/add-fetch-access-controls/specs/configuration/spec.md

@@ -0,0 +1,115 @@
+## MODIFIED Requirements
+
+### Requirement: Generic Environment Variable Overrides
+The system SHALL support overriding any configuration setting via environment variables using a predictable naming convention. Environment-derived configuration values SHALL be normalized by trimming surrounding whitespace and stripping matching surrounding single or double quotes before schema parsing.
+
+#### Scenario: Environment Variable Naming Convention
+- **GIVEN** a config path `scraper.document.maxSize`
+- **WHEN** the environment variable `DOCS_MCP_SCRAPER_DOCUMENT_MAX_SIZE` is set
+- **THEN** its value SHALL override the config file and default values
+
+#### Scenario: Quoted configuration override from Docker Compose
+- **GIVEN** the environment variable `DOCS_MCP_EMBEDDING_MODEL` is provided as `"openai:nomic-embed-text"`
+- **WHEN** the configuration is loaded
+- **THEN** the resulting `app.embeddingModel` value SHALL be `openai:nomic-embed-text`
+
+#### Scenario: Whitespace-padded configuration override
+- **GIVEN** the environment variable `DOCS_MCP_SCRAPER_MAX_PAGES` is provided as `  "500"  `
+- **WHEN** the configuration is loaded
+- **THEN** the resulting `scraper.maxPages` value SHALL be parsed as `500`
+
+#### Scenario: CamelCase to Upper Snake Case Conversion
+- **GIVEN** a config path segment `maxNestingDepth`
+- **WHEN** converted to environment variable format
+- **THEN** it SHALL become `MAX_NESTING_DEPTH`
+
+#### Scenario: Deeply Nested Path Conversion
+- **GIVEN** a config path `splitter.json.maxNestingDepth`
+- **WHEN** converted to environment variable name
+- **THEN** it SHALL become `DOCS_MCP_SPLITTER_JSON_MAX_NESTING_DEPTH`
+
+#### Scenario: Nested security override naming
+- **GIVEN** a config path `scraper.security.fileAccess.followSymlinks`
+- **WHEN** converted to environment variable name
+- **THEN** it SHALL become `DOCS_MCP_SCRAPER_SECURITY_FILE_ACCESS_FOLLOW_SYMLINKS`
+
+#### Scenario: Array override provided as JSON
+- **GIVEN** the environment variable `DOCS_MCP_SCRAPER_SECURITY_NETWORK_ALLOWED_HOSTS` is provided as `["docs.internal.example","wiki.corp.local"]`
+- **WHEN** the configuration is loaded
+- **THEN** the resulting `scraper.security.network.allowedHosts` value SHALL be parsed as a string array
+
+#### Scenario: Array override provided as inline array string
+- **GIVEN** the environment variable `DOCS_MCP_SCRAPER_SECURITY_FILE_ACCESS_ALLOWED_ROOTS` is provided as `["$DOCUMENTS", "/srv/docs"]`
+- **WHEN** the configuration is loaded
+- **THEN** the resulting `scraper.security.fileAccess.allowedRoots` value SHALL be parsed as a string array
+
+### Requirement: Scraper Security Configuration
+The system SHALL expose configuration for outbound network and local file access controls under `scraper.security`.
+
+#### Scenario: Private network access defaults to disabled
+- **GIVEN** no custom security configuration is provided
+- **WHEN** the configuration is loaded
+- **THEN** private network access for scraper-driven HTTP(S) fetches SHALL default to disabled
+
+#### Scenario: Host allowlist can permit a specific internal hostname
+- **GIVEN** `scraper.security.network.allowPrivateNetworks` is `false`
+- **AND** `scraper.security.network.allowedHosts` contains `docs.internal.example`
+- **WHEN** the configuration is loaded
+- **THEN** requests explicitly targeting `docs.internal.example` SHALL be eligible for access despite the default private-network restriction
+- **AND** direct IP requests SHALL still require `allowedCidrs` or `allowPrivateNetworks`
+
+#### Scenario: CIDR allowlist can permit a specific internal subnet
+- **GIVEN** `scraper.security.network.allowPrivateNetworks` is `false`
+- **AND** `scraper.security.network.allowedCidrs` contains `10.42.0.0/16`
+- **WHEN** the configuration is loaded
+- **THEN** requests whose resolved address falls within `10.42.0.0/16` SHALL be eligible for access despite the default private-network restriction
+
+#### Scenario: Empty network allowlists do not permit private targets
+- **GIVEN** `scraper.security.network.allowPrivateNetworks` is `false`
+- **AND** `scraper.security.network.allowedHosts` is empty
+- **AND** `scraper.security.network.allowedCidrs` is empty
+- **WHEN** the configuration is loaded
+- **THEN** no private or special-use network targets SHALL be permitted by configuration
+
+#### Scenario: Private network override enables broad internal access
+- **GIVEN** `scraper.security.network.allowPrivateNetworks` is `true`
+- **WHEN** the configuration is loaded
+- **THEN** private, loopback, link-local, and other special-use network targets SHALL be eligible for access
+
+#### Scenario: File access mode defaults to allowed roots
+- **GIVEN** no custom security configuration is provided
+- **WHEN** the configuration is loaded
+- **THEN** local file access mode SHALL default to `allowedRoots`
+
+#### Scenario: Documents root is configured by default
+- **GIVEN** no custom security configuration is provided
+- **WHEN** the configuration is loaded
+- **THEN** the allowed file roots SHALL include `$DOCUMENTS`
+
+#### Scenario: Internal archive handoff does not require temp root configuration
+- **GIVEN** no custom security configuration is provided
+- **WHEN** the system processes a supported web archive root via an internal temporary file
+- **THEN** the default file access configuration SHALL not require the OS temporary directory to be added to `allowedRoots`
+
+#### Scenario: Empty file root allowlist denies user-requested file access
+- **GIVEN** `scraper.security.fileAccess.mode` is `allowedRoots`
+- **AND** `scraper.security.fileAccess.allowedRoots` is empty
+- **WHEN** the configuration is loaded
+- **THEN** user-requested `file://` access SHALL not be permitted by configuration
+
+#### Scenario: Unresolvable documents token grants no access
+- **GIVEN** `scraper.security.fileAccess.allowedRoots` contains `$DOCUMENTS`
+- **AND** the runtime cannot resolve a documents directory for the current platform or account
+- **WHEN** the configuration is loaded and file access policy is evaluated
+- **THEN** `$DOCUMENTS` SHALL not expand to an implicit fallback path
+- **AND** no access SHALL be granted from that token alone
+
+#### Scenario: Hidden path access defaults to disabled
+- **GIVEN** no custom security configuration is provided
+- **WHEN** the configuration is loaded
+- **THEN** hidden file and directory access SHALL default to disabled
+
+#### Scenario: Symlink following defaults to disabled
+- **GIVEN** no custom security configuration is provided
+- **WHEN** the configuration is loaded
+- **THEN** symlink following for local file access SHALL default to disabled