Skip to content

qa(connectors): gate unauthenticated /api/connectors/* routes + harden env write#45

Merged
aimerdoux merged 1 commit into
mainfrom
qa/connectors-auth-docs
Jun 3, 2026
Merged

qa(connectors): gate unauthenticated /api/connectors/* routes + harden env write#45
aimerdoux merged 1 commit into
mainfrom
qa/connectors-auth-docs

Conversation

@aimerdoux

Copy link
Copy Markdown
Owner

qa(connectors): gate unauthenticated /api/connectors/* routes + harden env write + docs

Smallest-safe fixes from a full triage of the connector suite (composio-shim, credential vault, connect/marketplace routes, plugin UI). 9 surfaces audited, 28 findings logged; this PR ships only the safe, verified subset.

Fixes

Fix Severity File
Add gateBoard() to the four global /api/connectors/* routes (setup-status, setup, enable-managed, catalog) — they ran with no auth while every sibling credential route is board-gated. setup persists COMPOSIO_API_KEY to .env and enable-managed flips managed billing, so these were unauthenticated state mutations. HIGH credentials.ts
Reject CR/LF in the setup apiKey body and in writeOrUpdateEnvFile values — prevents newline-injection of extra .env lines. HIGH credentials.ts
Write .env with mode 0o600 (was default umask) — it may hold a plaintext Composio key. LOW credentials.ts
Document WAVEX_COMPOSIO_MANAGED + WAVEX_CORE_URL; clarify WAVEX_COMPOSIO_DISABLED=0 is inert until a key is set. MED .env.example
De-drift stale op-omega / op-omega-server references in plugin doc comments (live route path was already /wavex-os/...; comments only). LOW ConnectorsSidebar.tsx, worker.ts

4 files, +41/-10.

Verification

  • wavex-os-server typecheck: exit 0 with these changes.
  • composio-shim tests: 12/12 pass (no regression).
  • Auth gap independently re-verified: sibling routes gate at credentials.ts:264/337/352/369/585/605; the four fixed routes previously did not.

Notable findings NOT fixed here (need a decision or live access)

  • C05-F1 [MED] featured-toolkits.ts:28-30 slugs google_calendar/google_drive/microsoft_calendar likely don't match Composio's canonical slugs (googlecalendar/googledrive; no microsoft_calendar) → live OAuth dead-paths. Not changed — needs live-account verification; slugs double as vault/UI keys.
  • C03-F1 / C04-F1 [MED] OAuth initiate and marketplace routes lack per-company auth (IDOR) — needs a route-auth-shape decision.
  • Lower-priority hardening: C01 raw-SDK-error leak, C02 cross-tenant process.env mutation / key-write-window / un-keyed hashHint / 403-vs-500 mapping, C09 missing route-auth tests.

Full per-finding detail (file:line + proposed fix) in the run deliverables under .plateau-agency/deliverables/connectors/.

🤖 Generated with Claude Code

…en env write

- Add gateBoard() to the four global /api/connectors/* routes (setup-status,
  setup, enable-managed, catalog) that previously ran with no auth while every
  sibling credential route is board-gated. setup persists COMPOSIO_API_KEY to
  .env and enable-managed flips managed billing, so these were unauthenticated
  state mutations.
- Reject CR/LF in the setup apiKey body and in writeOrUpdateEnvFile values to
  prevent newline-injection of extra .env lines.
- Write .env with mode 0o600 (was default umask) since it may hold a plaintext
  Composio key.
- Document WAVEX_COMPOSIO_MANAGED and WAVEX_CORE_URL in .env.example and clarify
  that WAVEX_COMPOSIO_DISABLED=0 is inert until COMPOSIO_API_KEY is set.
- De-drift stale op-omega/op-omega-server references in plugin doc comments to
  wavex-os-server (the live route path is already /wavex-os/...; comments only).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@aimerdoux aimerdoux merged commit 17ac4f3 into main Jun 3, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant