Commit 8a8743c
committed
fix(039): resolve 13 QA findings in security scanner plugin system
Bundled fix for bugs surfaced by a full QA pass of Spec 039. Each finding has
a one-line code reference and a regression test where applicable.
Critical:
* F-01 security approve now actually unquarantines the server. The scanner
Service gets a new ServerUnquarantiner dependency injected from
server.Server.UnquarantineServer; ApproveServer calls it after persisting
the integrity baseline. Tool indexing and quarantine-bucket removal follow
the existing unquarantine path. Critical-findings guard still blocks the
call before anything mutates. TestServiceApproveServerCallsUnquarantiner
and TestServiceApproveServerCriticalDoesNotUnquarantine pin the contract.
* F-02 Source resolver no longer misreads a server's positional data-dir
argument as source code. For package-runner commands (npx, uvx, pipx,
pnpm dlx, bunx, yarn dlx) resolveFromPackageCache runs first; arg-scan
fallback only accepts directories containing a source marker
(package.json, pyproject.toml, setup.py, Cargo.toml, go.mod, or a source
file). Regression tests cover the filesystem-server false-positive case
and the legitimate python-script arg case.
High:
* F-03 macOS keychain probe no longer pops the "Keychain Not Found" modal.
KeyringProvider.IsAvailable uses a read-only Get probe with a 2s timeout
and a headless-environment fast path instead of keyring.Set. Public Get,
Store, Delete, List, and both registry helpers are wrapped in a new
runWithTimeout helper (3s hard deadline) backed by ErrKeyringTimeout.
Scanner ConfigureScanner already falls back to in-config storage on Store
errors. TestKeyringProvider_IsAvailable_HangingBackend proves the bail-out.
* F-04 UI Approve buttons are now scanner-aware. ServerCard, ServerDetail
and ScanReport call the new securityApproveServer store action. A custom
modal gates force-approve on servers with no scan or with critical
findings; the legacy unquarantineServer path is retained only for admin
and the Scan First action.
* F-05 CLI security scan no longer hangs after the job reports completed.
The poll loop now terminates on completed|failed|cancelled and prints live
progress lines (N run, M running, F failed).
Medium:
* F-06 --dry-run prints a structured plan (source method, source path,
scanner images, commands, timeouts) and exits without invoking the scan
endpoint. No containers start.
* F-09 Scanner status vocabulary unified between table and JSON output
(available | pulling | installed | configured | error).
* F-10 security report text output now contains "Scanners: X run, Y failed
(names) of Z" and a coverage warning when any scanner did not run, so a
user cannot mistake scanner crashes for "clean".
* F-11 Scan history endpoint returns the aggregated risk_score instead of
always zero.
UX:
* F-12 Dashboard "Security Scan" chip is now a live router-link to /security
with no "soon" placeholder; matches adjacent Docker / Quarantine chips.
* F-14 security overview shows "Last scan: never" instead of
0001-01-01 00:00:00, and JSON emits last_scan_at: null.
* F-15 security configure returns in ~3s (was 60s+), bumped client timeout
from 10s to 60s as additional safety, added existence prefetch so typos
return 404 fast.
* F-16 scan --all redraws the progress table in place on TTY via ANSI
cursor escapes; falls back to per-line output when piped; FINDINGS column
now populated from findings_count.
Extra:
* mcpproxy security subcommands now honor --config and --data-dir global
flags (newSecurityCLIClient checks the package-level configFile/dataDir
before calling config.LoadFromFile, mirroring main.go).
Not fixed (documented):
* F-07 ramparts scanner container ships a GLIBC_2.39-linked binary that
fails on arm64 macOS. Upstream scanner image issue, not mcpproxy code.
* F-13 cisco-mcp-scanner stdout contains a hardcoded server_url header.
Cosmetic upstream scanner output quirk.
Post-fix revalidation: 6 of 7 scanners run end-to-end on arm64 macOS
against the three test servers (everything, fetch-test, filesystem-test).
The QA report in docs/qa/security-scanners-2026-04-10.html now contains a
§11 "After-Fix Revalidation" section with per-finding verification
evidence, updated code-landscape table, and reproduction instructions.
Tests: internal/secret, internal/security, internal/security/scanner,
cmd/mcpproxy, frontend unit tests all pass. golangci-lint: 0 issues.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>1 parent 6fbf914 commit 8a8743c
17 files changed
Lines changed: 3039 additions & 148 deletions
File tree
- cmd/mcpproxy
- docs/qa
- frontend
- src
- components
- composables
- stores
- views
- tests/unit
- internal
- secret
- security/scanner
- server
Large diffs are not rendered by default.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
0 commit comments