fix(security): mobile token, bind-address, route scoping, validator hardening

P1-1  StartMCPServer binds 127.0.0.1 by default; 0.0.0.0 only in Docker mode.
      StartRemoteServer keeps 0.0.0.0 (explicit user action for WiFi/mobile).

P1-2  Coordinator token never returned to renderer. Removed 'token' field from
      StartRemoteServer, GetRemoteStatus, and StartMCPServer IPC returns.
      GetMCPStatus.serverUrl now uses getMCPRemoteServerUrl (no token).
      RemoteAccess store type and initial state updated accordingly.

P1-3  Third mobileToken generated at startup. wifiUrl/tailscaleUrl/url all
      embed mobileToken instead of coordinator token. Mobile callers are
      classified as 'mobile' and restricted to GET /api/agents, GET /api/tasks
      (read-only). Only coordinator token grants WebSocket + write routes.

P2-1  redactServerUrl() exported from server.ts; used in register.ts console.warn
      to strip token query param before logging.

P2-2  validateBranchName rejects path traversal (/../) and shell metacharacters
      (`$(){}[]<>\\'*?!#;|&") in addition to existing control-char checks.

P2-3  MCP_HydrateCoordinatedTask now calls validateBranchName on branchName and
      baseBranch (if present) — matches validation enforced by createTask.

P2-4  PARALLEL_CODE_MCP_TOKEN added to SpawnAgent ENV_BLOCK_LIST so a crafted
      IPC call cannot override the MCP auth token in spawned agents.

P2-5  X-Coordinator-Id header is now verified against registered coordinators
      (isRegisteredCoordinator) before being used for task scoping. Unregistered
      IDs are silently ignored — caller sees unscoped view.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brooksc

electron/ipc/pty.ts

@@ -232,6 +232,8 @@ export function spawnAgent(
     'DYLD_INSERT_LIBRARIES',
     'NODE_OPTIONS',
     'ELECTRON_RUN_AS_NODE',
+    // Prevent renderer from injecting or overriding MCP auth tokens.
+    'PARALLEL_CODE_MCP_TOKEN',
   ]);
   const safeEnvOverrides: Record<string, string> = {};
   for (const [k, v] of Object.entries(args.env ?? {})) {

electron/ipc/register.ts

@@ -79,6 +79,7 @@ import {
 import { warn as logWarn } from '../log.js';
 import { getMCPRemoteServerUrl, detectStaleDockerMCPUrl } from '../mcp/config.js';
 import { validateBranchName as sharedValidateBranchName } from '../mcp/validation.js';
+import { redactServerUrl } from '../remote/server.js';
 
 export function selectMcpJsonDir(worktreePath: string | undefined, projectRoot: string): string {
   return worktreePath ?? projectRoot;
@@ -1021,12 +1022,13 @@ export function registerAllHandlers(win: BrowserWindow): void {
         url: remoteServer.url,
         wifiUrl: remoteServer.wifiUrl,
         tailscaleUrl: remoteServer.tailscaleUrl,
-        token: remoteServer.token,
         port: remoteServer.port,
       };
 
     const thisDir = path.dirname(fileURLToPath(import.meta.url));
     const distRemote = path.join(thisDir, '..', '..', 'dist-remote');
+    // Remote access is an explicit user action — bind to all interfaces so WiFi/Tailscale clients
+    // can reach the SPA. Coordinator MCP-only mode uses 127.0.0.1 by default.
     remoteServer = await startRemoteServer({
       port: args.port ?? 7777,
       host: '0.0.0.0',
@@ -1046,7 +1048,6 @@ export function registerAllHandlers(win: BrowserWindow): void {
       url: remoteServer.url,
       wifiUrl: remoteServer.wifiUrl,
       tailscaleUrl: remoteServer.tailscaleUrl,
-      token: remoteServer.token,
       port: remoteServer.port,
     };
   });
@@ -1077,7 +1078,6 @@ export function registerAllHandlers(win: BrowserWindow): void {
       url: remoteServer.url,
       wifiUrl: remoteServer.wifiUrl,
       tailscaleUrl: remoteServer.tailscaleUrl,
-      token: remoteServer.token,
       port: remoteServer.port,
     };
   });
@@ -1215,6 +1215,8 @@ export function registerAllHandlers(win: BrowserWindow): void {
         assertString(args.projectId, 'projectId');
         validatePath(args.projectRoot, 'projectRoot');
         assertString(args.branchName, 'branchName');
+        sharedValidateBranchName(args.branchName, 'branchName');
+        if (args.baseBranch !== undefined) sharedValidateBranchName(args.baseBranch, 'baseBranch');
         validatePath(args.worktreePath, 'worktreePath');
         assertString(args.coordinatorTaskId, 'coordinatorTaskId');
         coordinator?.hydrateTask({
@@ -1334,8 +1336,10 @@ export function registerAllHandlers(win: BrowserWindow): void {
       if (!remoteServer) {
         const thisDir = path.dirname(fileURLToPath(import.meta.url));
         const distRemote = path.join(thisDir, '..', '..', 'dist-remote');
+        // Docker mode requires 0.0.0.0 so the agent inside the container can reach the host.
+        // Without Docker, bind to loopback — sub-agents are local processes.
         remoteServer = await startRemoteServerOnFreePort(7777, 7800, {
-          host: '0.0.0.0',
+          host: args.dockerContainerName ? '0.0.0.0' : '127.0.0.1',
           staticDir: distRemote,
           getTaskName: (taskId: string) => taskNames.get(taskId) ?? taskId,
           getAgentStatus: (agentId: string) => {
@@ -1510,12 +1514,11 @@ export function registerAllHandlers(win: BrowserWindow): void {
         console.warn('[MCP] Config written to:', configPath);
       }
       console.warn('[MCP] Server path:', mcpServerPath);
-      console.warn('[MCP] Remote URL:', serverUrl);
+      console.warn('[MCP] Remote URL:', redactServerUrl(serverUrl));
 
       return {
         configPath,
         serverUrl,
-        token: remoteServer.token,
         port: remoteServer.port,
       };
     },
@@ -1536,7 +1539,7 @@ export function registerAllHandlers(win: BrowserWindow): void {
       remoteRunning,
       coordinatorRoutesAttached: coordinator !== null,
       coordinatorRegistered: coordinator?.hasActiveCoordinator() ?? false,
-      serverUrl: remoteServer?.url ?? null,
+      serverUrl: remoteServer ? getMCPRemoteServerUrl(remoteServer.port) : null,
       mcpConfigPath: lastMcpConfigPath,
     };
   });

electron/mcp/coordinator.ts

@@ -1387,6 +1387,10 @@ export class Coordinator {
     }
   }
 
+  isRegisteredCoordinator(coordinatorTaskId: string): boolean {
+    return this.coordinators.has(coordinatorTaskId);
+  }
+
   registerCoordinator(
     coordinatorTaskId: string,
     projectId: string,

electron/mcp/validation.ts

@@ -5,8 +5,12 @@ export function validateBranchName(value: unknown, field = 'baseBranch'): string
   if (typeof value !== 'string') throw new Error(`${field} must be a string`);
   if (!value.trim()) throw new Error(`${field} must be a non-empty string`);
   if (value.startsWith('-')) throw new Error(`${field} must not start with "-"`);
-  // Reject ASCII control characters (0x00–0x1f, 0x7f) and spaces.
   // eslint-disable-next-line no-control-regex
   if (/[\x00-\x1f\x7f ]/.test(value)) throw new Error(`${field} contains invalid characters`);
+  // Reject path traversal sequences.
+  if (/(?:^|\/)\.\.(?:\/|$)/.test(value)) throw new Error(`${field} contains path traversal`);
+  // Reject shell metacharacters that could be dangerous in command arguments.
+  if (/[`$(){}[\]<>\\'*?!#;|&"]/.test(value))
+    throw new Error(`${field} contains invalid characters`);
   return value;
 }

electron/remote/coordinator-scoping.test.ts

@@ -77,6 +77,7 @@ function makeMockCoordinator(): Coordinator {
   ]);
 
   return {
+    isRegisteredCoordinator: (id: string) => id === COORD_A || id === COORD_B,
     listTasks: () => [summaryA, summaryB],
     getTaskStatus: (id: string) => tasks.get(id) ?? null,
     sendPrompt: vi.fn().mockResolvedValue(undefined),

electron/remote/server.ts

@@ -44,6 +44,17 @@ export function getMCPLogs(): MCPLogEntry[] {
   return mcpLogs.slice();
 }
 
+/** Strip the token query param before logging or displaying a server URL. */
+export function redactServerUrl(rawUrl: string): string {
+  try {
+    const u = new URL(rawUrl);
+    u.searchParams.delete('token');
+    return u.toString();
+  } catch {
+    return rawUrl;
+  }
+}
+
 const MIME: Record<string, string> = {
   '.html': 'text/html',
   '.js': 'application/javascript',
@@ -58,7 +69,9 @@ interface RemoteServer {
   stop: () => Promise<void>;
   token: string;
   subtaskToken: string;
+  mobileToken: string;
   port: number;
+  /** Mobile-scoped URL (embedded mobileToken). Safe to send to the renderer. */
   url: string;
   tailscaleUrl: string | null;
   wifiUrl: string | null;
@@ -132,23 +145,27 @@ export function startRemoteServer(opts: {
 }): Promise<RemoteServer> {
   const token = randomBytes(24).toString('base64url');
   const subtaskToken = randomBytes(24).toString('base64url');
+  const mobileToken = randomBytes(24).toString('base64url');
   const ips = getNetworkIps();
 
   const tokenBuf = Buffer.from(token);
   const subtaskTokenBuf = Buffer.from(subtaskToken);
+  const mobileTokenBuf = Buffer.from(mobileToken);
 
   function classifyCandidate(
     candidate: string | null | undefined,
-  ): 'coordinator' | 'subtask' | null {
+  ): 'coordinator' | 'subtask' | 'mobile' | null {
     if (!candidate) return null;
     const buf = Buffer.from(candidate);
     if (buf.length === tokenBuf.length && timingSafeEqual(buf, tokenBuf)) return 'coordinator';
     if (buf.length === subtaskTokenBuf.length && timingSafeEqual(buf, subtaskTokenBuf))
       return 'subtask';
+    if (buf.length === mobileTokenBuf.length && timingSafeEqual(buf, mobileTokenBuf))
+      return 'mobile';
     return null;
   }
 
-  function classifyToken(req: IncomingMessage): 'coordinator' | 'subtask' | null {
+  function classifyToken(req: IncomingMessage): 'coordinator' | 'subtask' | 'mobile' | null {
     const auth = req.headers.authorization;
     if (auth?.startsWith('Bearer ')) return classifyCandidate(auth.slice(7));
     const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
@@ -180,6 +197,20 @@ export function startRemoteServer(opts: {
           return;
         }
       }
+      // Mobile token: read-only access to agent and task status.
+      if (tokenClass === 'mobile') {
+        const allowed =
+          req.method === 'GET' &&
+          (url.pathname === '/api/agents' ||
+            /^\/api\/agents\/[^/]+$/.test(url.pathname) ||
+            url.pathname === '/api/tasks' ||
+            /^\/api\/tasks\/[^/]+$/.test(url.pathname));
+        if (!allowed) {
+          res.writeHead(403, { ...SECURITY_HEADERS, 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'forbidden' }));
+          return;
+        }
+      }
 
       if (url.pathname === '/api/agents' && req.method === 'GET') {
         const list = buildAgentList(opts.getTaskName, opts.getAgentStatus);
@@ -328,10 +359,12 @@ export function startRemoteServer(opts: {
         }
 
         // Extract the coordinator ID from the header (set by MCP coordinator clients).
-        // When absent (REST/mobile callers), no scoping is applied.
+        // Only honor it if it is a registered coordinator — prevents a caller from
+        // injecting an arbitrary ID to scope against another coordinator's tasks.
         const callerCoordinatorId = (() => {
           const h = req.headers['x-coordinator-id'];
-          return typeof h === 'string' && h ? h : undefined;
+          if (typeof h !== 'string' || !h) return undefined;
+          return orch.isRegisteredCoordinator(h) ? h : undefined;
         })();
 
         const ownedByCallerOrUnscoped = (taskCoordinatorId: string): boolean =>
@@ -652,7 +685,7 @@ export function startRemoteServer(opts: {
     clientSubs.set(ws, new Map());
 
     // Support legacy URL-based auth (verifyClient accepted all connections).
-    // Subtask tokens are denied WS access — they only need REST signal_done.
+    // Only coordinator token grants WS access; subtask and mobile tokens are denied.
     if (classifyToken(req) === 'coordinator') {
       authenticatedClients.add(ws);
       const list = buildAgentList(opts.getTaskName, opts.getAgentStatus);
@@ -671,7 +704,7 @@ export function startRemoteServer(opts: {
       const msg = parseClientMessage(String(raw));
       if (!msg) return;
 
-      // Handle first-message auth. Subtask tokens are denied WS access.
+      // Handle first-message auth. Only coordinator token grants WS access.
       if (msg.type === 'auth') {
         if (classifyCandidate(msg.token) === 'coordinator') {
           authenticatedClients.add(ws);
@@ -779,21 +812,23 @@ export function startRemoteServer(opts: {
   });
 
   const primaryIp = ips.wifi ?? ips.tailscale ?? '127.0.0.1';
-  const url = `http://${primaryIp}:${opts.port}?token=${token}`;
+  // url embeds the mobileToken — safe to surface in UI. Coordinator token never leaves the main process.
+  const url = `http://${primaryIp}:${opts.port}?token=${mobileToken}`;
 
   const result: RemoteServer = {
     token,
     subtaskToken,
+    mobileToken,
     port: opts.port,
     url,
     /** Re-detect network IPs so newly connected interfaces (e.g. Tailscale) are picked up. */
     get wifiUrl() {
       const cur = getNetworkIps();
-      return cur.wifi ? `http://${cur.wifi}:${opts.port}?token=${token}` : null;
+      return cur.wifi ? `http://${cur.wifi}:${opts.port}?token=${mobileToken}` : null;
     },
     get tailscaleUrl() {
       const cur = getNetworkIps();
-      return cur.tailscale ? `http://${cur.tailscale}:${opts.port}?token=${token}` : null;
+      return cur.tailscale ? `http://${cur.tailscale}:${opts.port}?token=${mobileToken}` : null;
     },
     connectedClients: () => authenticatedClients.size,
     stop: () =>

src/store/core.ts

@@ -58,7 +58,6 @@ export const [store, setStore] = createStore<AppStore>({
   missingProjectIds: {},
   remoteAccess: {
     enabled: false,
-    token: null,
     port: 7777,
     url: null,
     wifiUrl: null,

src/store/remote.ts

@@ -6,7 +6,6 @@ interface ServerResult {
   url: string;
   wifiUrl: string | null;
   tailscaleUrl: string | null;
-  token: string;
   port: number;
 }
 
@@ -18,7 +17,6 @@ export async function startRemoteAccess(port?: number): Promise<ServerResult> {
   const result = await invoke<ServerResult>(IPC.StartRemoteServer, port ? { port } : {});
   setStore('remoteAccess', {
     enabled: true,
-    token: result.token,
     port: result.port,
     url: result.url,
     wifiUrl: result.wifiUrl,
@@ -34,7 +32,6 @@ export async function stopRemoteAccess(): Promise<{ stopped: boolean; reason?: s
   if (result.stopped) {
     setStore('remoteAccess', {
       enabled: false,
-      token: null,
       port: 7777,
       url: null,
       wifiUrl: null,
@@ -53,7 +50,6 @@ export async function refreshRemoteStatus(): Promise<void> {
     url?: string;
     wifiUrl?: string;
     tailscaleUrl?: string;
-    token?: string;
     port?: number;
   }>(IPC.GetRemoteStatus);
 
@@ -67,7 +63,6 @@ export async function refreshRemoteStatus(): Promise<void> {
       url: result.url ?? null,
       wifiUrl: result.wifiUrl ?? null,
       tailscaleUrl: result.tailscaleUrl ?? null,
-      token: result.token ?? null,
       port: result.port ?? 7777,
     });
   } else {

src/store/types.ts

@@ -216,7 +216,6 @@ export interface PendingAction {
 
 export interface RemoteAccess {
   enabled: boolean;
-  token: string | null;
   port: number;
   url: string | null;
   wifiUrl: string | null;