fix(security): resolve all 17 codex findings — auth, grants, crypto, ops

Critical: broker HTTP auth via cli_session bearer token on all /cli/*; file download requires auth+membership; v2 claim gated; duplicate claimInviteV2Core removed; grant enforcement tries member then session pubkey; audit hash uses canonical sorted-keys JSON. High: rate limit args fixed (burst 10, 60/min) + both buckets swept; BROKER_ENCRYPTION_KEY fail-fast in prod; migrate uses pg_try + lock_ timeout; hello validates sessionPubkey hex; blocked DMs rejected pre- queue; watch timers cleaned on disconnect. Medium: inbound pushes serialized; reconnect jitter + timer guard; hardcoded URLs through env; v2 claim path configurable. Low: WSHelloMessage optional protocolVersion+capabilities. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 19:18:25 +01:00
parent 1a7a059e75
commit 2be5e9dccb
12 changed files with 464 additions and 341 deletions
--- a/apps/cli/src/commands/list.ts
+++ b/apps/cli/src/commands/list.ts
@@ -25,23 +25,16 @@ export async function runList(): Promise<void> {
  const config = readConfig();
  const auth = getStoredToken();

-  // Try to fetch from server
+  // Try to fetch from server. Broker authenticates via Bearer token.
  let serverMeshes: ServerMesh[] = [];
  if (auth) {
    try {
-      let userId = "";
-      try {
-        const payload = JSON.parse(Buffer.from(auth.session_token.split(".")[1]!, "base64url").toString()) as { sub?: string };
-        userId = payload.sub ?? "";
-      } catch {}
-
-      if (userId) {
-        const res = await request<{ meshes: ServerMesh[] }>({
-          path: `/cli/meshes?user_id=${userId}`,
-          baseUrl: BROKER_HTTP,
-        });
-        serverMeshes = res.meshes ?? [];
-      }
+      const res = await request<{ meshes: ServerMesh[] }>({
+        path: `/cli/meshes`,
+        baseUrl: BROKER_HTTP,
+        token: auth.session_token,
+      });
+      serverMeshes = res.meshes ?? [];
    } catch {}
  }