Protect server endpoints with dashboard cookie auth; sanitize logs; OCR temp UUIDs; centralize CDP port; task execution lock and misc fixes #41

Open
AmrDab wants to merge 1 commit into v0.7.1 from codex/conduct-complete-codebase-audit

AmrDab (Owner) commented Mar 19, 2026

Motivation

  • Improve server security by provisioning an HttpOnly dashboard token cookie and allowing the dashboard to authenticate protected endpoints without exposing bearer tokens in client-side code.
  • Prevent concurrent task execution races and ensure agent state is set consistently when executing tasks.
  • Avoid temp-file name collisions for OCR captures and make CDP port configuration centralized for consistent browser tooling.
  • Reduce sensitive data leakage in task logs and make clipboard paste handling and quick model checks more robust.

Description

  • Dashboard and server: mountDashboard now accepts a getToken callback and sets an HttpOnly SameSite cookie; server parses the cookie and requireAuth accepts bearer header or dashboard cookie via parseCookieToken and DASHBOARD_AUTH_COOKIE.
  • Protected endpoints: several read/write routes are now guarded with requireAuth and the dashboard is mounted with () => SERVER_TOKEN so the UI receives a cookie on GET /.
  • Auth token lifecycle: initServerToken remains the initializer and token persists to ~/.clawdcursor/token as before.
  • Task concurrency: added taskExecutionLocked to Agent, return busy if locked, set taskExecutionLocked = true at start and clear it in finally, and set state earlier when executing tasks.
  • OCR: temp screenshot filenames now include a randomUUID() suffix to avoid collisions when multiple OCR calls create temp files concurrently.
  • CDP/config centralization: exported DEFAULT_CDP_PORT from browser-config and updated tools/cdp.ts and tools/orchestration.ts to use it (replacing hardcoded ports), and updated human-facing messages accordingly.
  • Task logger: added INCLUDE_RAW_STEP_DETAILS env gate (CLAWD_DEBUG_RAW_LOGS) and sanitizeLogText/sanitizeLogValue helpers to redact API keys, bearer tokens, emails, and sensitive fields before writing logs.
  • ActionRouter: made clipboard paste resilient by checking (this.a11y as any).writeClipboard is a function and falling back to desktop.typeText if not available.
  • Doctor: quickTestModel now calls testVisionModel for vision roles and testTextModel for text roles.
  • ESLint: added shared globals and relaxed several TypeScript-related rules for the TS config and added test globals for *.test.ts files.

Testing

  • Ran the unit test suite via vitest which included tests/smoke.test.ts and src/__tests__/ocr-engine.test.ts and verified updated expectations for cookie auth and macOS OCR availability behavior; tests passed.
  • Verified the smoke tests that exercise protected endpoints (/task, /confirm, /logs) with initServerToken() and both Authorization header and dashboard cookie; tests passed.

Codex Task

AmrDab added a commit that referenced this pull request Mar 19, 2026
Cherry-picked the best of both Codex audit PRs into a unified build:

Security:
- Log sanitization: API keys, Bearer tokens redacted from task logs
  (opt-out with CLAWD_DEBUG_RAW_LOGS=1)
- Token fingerprinting: startup prints first 8 chars, not full token
- Auth on sensitive GET endpoints: /favorites, /task-logs, /logs now
  require Bearer token (dashboard updated to include auth on all calls)

Reliability:
- Task execution lock: prevents TOCTOU race on concurrent /task requests
- Clipboard fallback: catches a11y bridge failure, falls back to typeText
- OCR temp file UUID suffix: prevents collision on concurrent OCR calls

Infrastructure:
- CDP port DRY: unified to 9223 everywhere (was 9222 in some, 9223 in
  others — real mismatch causing connection failures)
- ESLint: Node.js + vitest globals, relaxed no-explicit-any
- Test infra: tsconfig.tests.json, vitest covers tests/, withAuth helper
  new smoke tests for auth-protected endpoints
- Install robustness: verify-install.js checks Node version + native deps
  with platform-specific fix guidance (addresses Dabbas install failure)

17 files modified, 2 new files. Build passes. 130/131 tests pass
(1 pre-existing credential test failure unrelated to these changes).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
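
The log redaction described in the PR and in the commit above (API keys, bearer tokens, emails and sensitive fields scrubbed before a log line is written), as an added TypeScript example that is not the project's code. `redactText`, `redactValue`, `formatLogLine`, the patterns and the key list are assumptions, and the `includeRaw` flag stands in for the `CLAWD_DEBUG_RAW_LOGS` gate.

```typescript
// Added example, not the project's implementation. All names and patterns are assumptions.
const REDACTED = "[REDACTED]";
const MAX_DEPTH = 6; // stop on deep or cyclic step payloads

// Object keys whose values are dropped whole, whatever they contain.
const SENSITIVE_KEYS =
  /^(authorization|cookie|set-cookie|password|secret|token|api[_-]?key|access[_-]?token)$/i;

// Applied in order to free text such as typed input or command output.
const TEXT_RULES: Array<[RegExp, string]> = [
  [/\bBearer\s+[A-Za-z0-9._~+\/=-]+/gi, "Bearer " + REDACTED],
  [/\bsk-[A-Za-z0-9_-]{16,}/g, REDACTED], // one common API key shape
  [/\b(api[_-]?key|token|secret|password)(\s*[=:]\s*)[^\s"'&,;]+/gi, "$1$2" + REDACTED],
  [/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, "[EMAIL]"],
];

function redactText(text: string): string {
  let out = text;
  for (const [pattern, repl] of TEXT_RULES) out = out.replace(pattern, repl);
  return out;
}

// Walks a step payload; sensitive keys are redacted by name, strings by content.
function redactValue(value: unknown, depth = 0): unknown {
  if (typeof value === "string") return redactText(value);
  if (value === null || typeof value !== "object") return value;
  if (depth >= MAX_DEPTH) return "[TRUNCATED]";
  if (Array.isArray(value)) return value.map((v) => redactValue(v, depth + 1));
  const src = value as Record<string, unknown>;
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(src)) {
    out[key] = SENSITIVE_KEYS.test(key) ? REDACTED : redactValue(src[key], depth + 1);
  }
  return out;
}

// includeRaw models a debug opt-out; redaction is the default.
function formatLogLine(entry: unknown, includeRaw = false): string {
  return JSON.stringify(includeRaw ? entry : redactValue(entry));
}

// Constructed sample step, not taken from real logs.
const SAMPLE_STEP = {
  action: "type",
  text: "login as bob@example.com with password: hunter2",
  headers: { Authorization: "Bearer abc.DEF-123", Accept: "*/*" },
  output: ["export API_KEY=sk-AAAAAAAAAAAAAAAAAAAA"],
};
```

Key matching is exact by name, so a field such as `sessionToken` passes through unless it is added to the list. Pattern-based redaction is best effort and does not replace keeping secrets out of step payloads.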