Tighten ingress/egress controls #58

Open
opened 2026-05-23 20:55:28 +00:00 by coilysiren · 0 comments
Owner

Originally filed by @coilysiren on 2026-05-05T08:23:35Z - https://github.com/coilysiren/repo-recall/issues/54

Today repo-recall binds 127.0.0.1 (no auth), shells out to git/gh, and makes outbound calls to FCM (opt-in push) plus gh API. Reasonable for a personal-laptop tool, but the surface is wider than it needs to be: any local process can hit :7777, and subprocess construction is scattered across call sites.

Three tiers, pick one:

Tier 1 - tighten what's there (~2-4h)

  • Bearer token on HTTP (env-injected, required header). Localhost-only bind stays.
  • Audit every Command::new call site. Confirm no sh -c with interpolation, all args go through .arg().
  • CORS lockdown - deny *, allow only explicit origins (or null for file-scheme MCP widgets).
  • --mcp-only flag that skips the HTTP listener when the dashboard isn't wanted.

Tier 2 - real fences (~1 day)

  • Move HTTP from TCP to a unix socket under $XDG_RUNTIME_DIR (or $TMPDIR on Mac) with 0600 perms. Kills the "any process on the box" ingress.
  • Single subprocess chokepoint: run_tool(Tool::Git | Tool::Gh, args). Reject anything else. Log invocations to a ring buffer for audit.
  • Outbound HTTP pinned to FCM host. Custom reqwest resolver or connect-time hostname check, deny everything else.

Tier 3 - sandbox the process (~2 days)

  • macOS sandbox-exec profile - filesystem read-only outside ~/projects and ~/.claude/projects, network deny except FCM, no exec except git/gh. Brew binary becomes a launcher that re-execs itself under the profile.
  • Linux equivalent via systemd unit hardening (ProtectSystem=strict, RestrictAddressFamilies, SystemCallFilter). Skip until there's a homelab deployment that wants it.

Recommendation

Tier 2. Unix socket + subprocess chokepoint covers most of the upside without the launcher complexity of Tier 3. Tier 1 items are cheap enough to fold in alongside.

Out of scope

  • Multi-user auth. Single-user-on-laptop assumption stays.
  • Rate limiting. Not a real threat for a local tool.
  • Encrypted-at-rest cache. The cache is in $TMPDIR, regenerable, not sensitive.
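An added example of the Tier 2 subprocess chokepoint, written in Rust since the issue refers to `Command::new` and reqwest; this is not repo-recall's own code, and the names `Tool`, `AuditLog`, `build_command` and `run_tool` are assumed. It spawns only `git` or `gh`, passes every argument through `.arg()` rather than `sh -c`, and records each invocation in a bounded ring buffer.

```rust
use std::collections::VecDeque;
use std::process::{Command, Output};

/// The only programs the chokepoint will spawn.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Tool { Git, Gh }

impl Tool {
    fn binary(self) -> &'static str {
        match self { Tool::Git => "git", Tool::Gh => "gh" }
    }
    /// Map a requested program name onto the allowlist; anything else is None.
    pub fn parse(name: &str) -> Option<Tool> {
        match name { "git" => Some(Tool::Git), "gh" => Some(Tool::Gh), _ => None }
    }
}

/// Bounded audit trail of invocations: the oldest entry is dropped when full.
pub struct AuditLog { cap: usize, entries: VecDeque<String> }

impl AuditLog {
    pub fn new(cap: usize) -> Self {
        AuditLog { cap, entries: VecDeque::with_capacity(cap) }
    }
    fn record(&mut self, line: String) {
        if self.entries.len() >= self.cap { self.entries.pop_front(); }
        self.entries.push_back(line);
    }
    pub fn entries(&self) -> Vec<String> { self.entries.iter().cloned().collect() }
}

/// Build the command with every argument passed through `.arg()`: no shell is
/// involved, so metacharacters in an argument stay inside that one argument.
pub fn build_command(tool: Tool, args: &[&str]) -> Command {
    let mut cmd = Command::new(tool.binary());
    for a in args { cmd.arg(a); }
    cmd
}

/// Single subprocess entry point: refuses anything not on the allowlist,
/// records the invocation in the ring buffer, then runs it.
pub fn run_tool(audit: &mut AuditLog, program: &str, args: &[&str]) -> Result<Output, String> {
    let tool = Tool::parse(program)
        .ok_or_else(|| format!("refused to exec {:?}: only git/gh allowed", program))?;
    audit.record(format!("{} {}", tool.binary(), args.join(" ")));
    build_command(tool, args).output().map_err(|e| e.to_string())
}
```

Allowlisting the binary only limits which program is spawned; it does not vet what `git` or `gh` are told to do by their arguments, which is what the audit buffer is there to let you review.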
coilysiren added P3 and removed P2 labels 2026-05-31 07:01:11 +00:00
Reference: coilyco-flight-deck/repo-recall#58