Open-source MCP server (BYO-AI) + security hardening (RLS, SSRF, coupons, rate-limits, admin auth, CI) #1
Merged
…tor)

Standalone MCP server that exposes the NeuroEdge scan engine as a single tool (neuroedge_scan_website) over stdio. Returns structured axe-core/WCAG findings for the host AI to translate — no server-side LLM, no API keys, no data leaves the user's machine. Works with any MCP host (Claude Desktop, Cursor, etc.).

- Self-contained: own copy of scan/score/CMS logic; no Supabase/LLM deps.
- SSRF-hardened: blocks private/reserved IPv4 AND IPv6, resolves A+AAAA, and re-validates every redirect hop (fixes the redirect/rebind gap).
- Chromium lazy-loaded so the server starts and lists tools instantly.
- 37 tests (SSRF guard, scoring, full MCP round-trip via InMemoryTransport); tsc clean; real stdio handshake verified.
- npm-publish ready (MIT, dist-only tarball).
The live DB had RLS disabled and the public anon key held full CRUD on scans/reports/coupons (migration 002 was never applied), exposing customer PII and allowing anyone to mint coupons or truncate tables.

- supabase/migrations/003_lockdown_rls.sql: revoke all anon/authenticated grants, enable RLS on all three tables, and pin increment_coupon_usage's search_path. Applied to the live project and verified (anon privileges now none; advisor rls_disabled_in_public cleared).
- Because anon can no longer read, move the two client reads server-side: new app/api/scans/[id] (GET) and app/api/report-status (POST, rate-limited) use the service-role client; scan/[id] and report/[id] pages now fetch these routes instead of the anon Supabase client.
- Verified with next build (type-check + 15 routes compile).

Note: the live Vercel app must be redeployed for the results/report pages to work against the locked DB, and the project unpaused when going live.
Hardening pass over the hosted product (audit findings C2–C5) plus CI. All changes verified by an independent adversarial review: 3-package builds green, scan-service 52 tests pass, 41/41 SSRF bypass probes blocked, app next build clean.

scan-service (C2 — SSRF, previously only in mcp-server):
- url-validator.ts: block private IPv6 (::1, fc00::/7, fe80::/10, IPv4-mapped) + broaden IPv4 (CGNAT/0.0.0.0/8/etc); resolve A AND AAAA; export isPrivateIp + checkHostSafety. scanner.ts: request interception re-validates every main-frame redirect and aborts private targets.

app (C3/C4/C5):
- C4: webhook now increments coupon usage idempotently — pre-insert lookup + 23505 handling, increment only on a confirmed new insert; migration 004 adds UNIQUE(stripe_session_id) to close the concurrent-retry race (apply at deploy).
- C3: rate-limit coupon-validate, estimate, regenerate (20/min) and admin-login (5/15min).
- C5: admin cookie is now an HMAC-signed, expiring token (lib/admin-auth.ts), verified timing-safe; no longer stores the plaintext password.
- .github/workflows/ci.yml: tsc + tests + build for all three packages (also fixes .gitignore so .github is tracked).
3 tasks
Turns NeuroEdge into an open-source, bring-your-own-AI agent and closes the audit's security findings. Every change here was verified by an independent adversarial review pass (details at bottom).

1. neuroedge-mcp-server — open-source, BYO-AI accessibility agent

Standalone MCP server exposing neuroedge_scan_website over stdio. Returns structured axe-core/WCAG findings; the host AI (Claude Desktop, Cursor, any model) does the translation. No server-side LLM, no keys, nothing leaves the user's machine. Self-contained (extracts cleanly), SSRF-hardened, Chromium lazy-loaded. 37 tests, tsc clean, real stdio handshake verified, npm-publish-ready (MIT, name available).

2. Supabase RLS lockdown (critical — applied to live DB)

Live DB had RLS disabled + anon full CRUD (migration 002 never applied). 003_lockdown_rls.sql revokes anon grants, enables RLS, hardens the coupon fn. Applied + verified live (anon privileges (none); advisor rls_disabled_in_public cleared). Client reads moved server-side (/api/scans/[id], /api/report-status, service-role + rate-limited).

3. Hosted-product hardening (audit C2–C5) + CI

- scan-service now blocks private IPv6 + broader IPv4, resolves A+AAAA, and re-validates every redirect hop via request interception. (41/41 bypass probes blocked: decimal/octal/hex IP literals, IPv4-mapped, userinfo@, redirects, metadata.)
- 23505 handling); 004_reports_unique_session.sql adds UNIQUE(stripe_session_id) to close the concurrent-retry race.
- coupon-validate, estimate, regenerate (20/min) and admin-login (5/15min).
- .github/workflows/ci.yml runs tsc + tests + build for all three packages on push/PR.

Verification (independent agent, adversarial)

3-package builds green · scan-service 52 tests · mcp-server 37 tests · app next build clean · 41/41 SSRF bypass attempts blocked · coupon increment traced exactly-once across all paths · admin token forgery infeasible · PR-scope confirmed (no stray edits). Two defects were caught mid-review (non-idempotent webhook, gitignored CI) and fixed + re-verified before this update.

Go-live checklist (owner: you — one-way doors / your creds)

- supabase/migrations/004 to the live DB (like 003) — closes the coupon concurrent-retry race
- npm login → publish neuroedge-mcp-server (optional: dedicated public repo)

Not addressed here (follow-ups)

LLM provider consolidation (Anthropic↔Gemini drift), and the low-severity sub-resource SSRF note (DNS-resolving private hostname for embedded sub-resources only; main navigation + redirects are fully checked).
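
The SSRF checks this PR describes (private IPv4 and IPv6 ranges, IPv4-mapped addresses, A+AAAA answers, re-validation on every hop), sketched as an added TypeScript example that is not the project's url-validator.ts. The helper names v4ToInt, inBlockedV4, v6Groups and isUrlSafe, the blocked-range table, and passing DNS answers in as an array are assumptions; the sample addresses used with it are constructed.

```typescript
// Added example; helper names are hypothetical, not the project's url-validator.ts.
const V4_BLOCKED: [string, number][] = [ // [network, prefix length]
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];
// Strict dotted quad -> 32-bit number, or null when the string is not one.
function v4ToInt(ip: string): number | null {
  const p = ip.split(".");
  if (p.length !== 4 || p.some(x => !/^\d{1,3}$/.test(x) || +x > 255)) return null;
  return p.reduce((n, x) => n * 256 + +x, 0);
}
function inBlockedV4(n: number): boolean {
  return V4_BLOCKED.some(([net, b]) => n >= v4ToInt(net)! && n < v4ToInt(net)! + 2 ** (32 - b));
}
// IPv6 text -> eight 16-bit groups, or null when malformed.
function v6Groups(ip: string): number[] | null {
  let s = ip.replace(/^\[|\]$/g, "").split("%")[0].toLowerCase();
  const m = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/); // trailing dotted quad
  if (m) {
    const v4 = v4ToInt(m[2]);
    if (v4 === null) return null;
    s = m[1] + Math.floor(v4 / 65536).toString(16) + ":" + (v4 % 65536).toString(16);
  }
  const [head, tail, extra] = s.split("::");
  const h = head ? head.split(":") : [], t = tail ? tail.split(":") : [];
  const fill = tail === undefined ? 0 : 8 - h.length - t.length;
  if (extra !== undefined || fill < 0) return null;
  const g = [...h, ...Array<string>(fill).fill("0"), ...t];
  return g.length === 8 && g.every(x => /^[0-9a-f]{1,4}$/.test(x)) ? g.map(x => parseInt(x, 16)) : null;
}
// True for loopback, private, link-local, CGNAT, reserved and unparseable input.
function isPrivateIp(ip: string): boolean {
  const v4 = v4ToInt(ip), g = v6Groups(ip);
  if (v4 !== null) return inBlockedV4(v4);
  if (g === null) return true; // fail closed
  // ::, ::1, IPv4-compatible and IPv4-mapped all reduce to an IPv4 range check
  if (g.slice(0, 5).every(x => x === 0) && (g[5] === 0 || g[5] === 0xffff))
    return inBlockedV4(g[6] * 65536 + g[7]);
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
}
// Call for the first URL and for every redirect hop; `resolved` = A and AAAA answers.
function isUrlSafe(raw: string, resolved: string[]): boolean {
  let u: URL;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  const host = u.hostname; // userinfo dropped, numeric IPv4 forms canonicalised
  const addrs = v4ToInt(host) !== null || host.startsWith("[") ? [host] : resolved;
  return addrs.length > 0 && !addrs.some(isPrivateIp);
}
```

The verdict only holds if the connection is then made to the same addresses that were checked, which is why the PR re-validates at request time on each hop rather than once up front.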
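
An HMAC-signed, expiring admin token with timing-safe verification, as item C5 describes it, written here as an added example and not taken from the project's lib/admin-auth.ts. The token layout `<expiry>.<mac>`, the function names and the secret passed as a parameter are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example; names and the "<expiry>.<mac>" layout are assumptions,
// not the project's lib/admin-auth.ts.
function mac(secret: string, payload: string): Buffer {
  return createHmac("sha256", secret).update(payload).digest();
}

// The cookie value carries an expiry timestamp and its MAC, never the password.
function issueAdminToken(secret: string, ttlMs: number, now = Date.now()): string {
  const exp = String(now + ttlMs);
  return `${exp}.${mac(secret, exp).toString("base64url")}`;
}

function verifyAdminToken(secret: string, token: string, now = Date.now()): boolean {
  const [exp, sig, extra] = token.split(".");
  if (!exp || !sig || extra !== undefined || !/^\d+$/.test(exp)) return false;
  const given = Buffer.from(sig, "base64url");
  const expected = mac(secret, exp);
  // timingSafeEqual throws on unequal lengths, so compare lengths first
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  return Number(exp) > now; // expiry is trusted only after the MAC has verified
}
```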