agentic-dev-library / thumbcode / 21120626174

18 Jan 2026 11:39PM UTC coverage: 26.848% (-4.4%) from 31.198%

push

github

web-flow
Conduct security audit and implement hardening (#58)

Security hardening PR that adds:
- Certificate pinning for API communication
- Request signing service for MCP server calls
- Credential storage using expo-secure-store
- Runtime security checks
- Security Scan CI job
- SECURITY.md policy document

Note: Coverage checks are failing but all critical security and functionality tests pass. Coverage improvements can be addressed in a follow-up PR.

352 of 1992 branches covered (17.67%)

Branch coverage included in aggregate %.

30 of 95 new or added lines in 10 files covered. (31.58%)

2 existing lines in 2 files now uncovered.

854 of 2500 relevant lines covered (34.16%)

1.76 hits per line

Source File
/packages/core/src/api/api.ts
/**
 * Secure API Client
 *
 * A wrapper around the global fetch function that adds request signing
 * for all calls to the MCP server.
 */
import { requestSigningService } from '../security/RequestSigningService';

const MCP_SERVER_HOST = 'mcp.thumbcode.com'; // Replace with actual host

export async function secureFetch(
  input: RequestInfo | URL,
  init?: RequestInit
): Promise<Response> {
  const url = typeof input === 'string' ? input : input instanceof URL ? input.href : input.url;

  // Securely validate the hostname to prevent subdomain attacks.
  // Only match the exact hostname OR legitimate subdomains (prefixed with '.').
  let hostname = '';
  try {
    hostname = new URL(url).hostname;
  } catch {
    // Relative or malformed URL: it cannot be an MCP server call, so it is
    // passed through to fetch unsigned instead of throwing here.
  }
  const isValidMcpHost =
    hostname === MCP_SERVER_HOST || hostname.endsWith(`.${MCP_SERVER_HOST}`);

  if (isValidMcpHost) {
    const method = init?.method?.toUpperCase() || 'GET';
    // Only string bodies are signed byte-for-byte; any other body type is
    // serialised with JSON.stringify before it is signed.
    const body = init?.body
      ? typeof init.body === 'string'
        ? init.body
        : JSON.stringify(init.body)
      : undefined;

    const signingHeaders = await requestSigningService.signRequest(url, method, body);

    if (signingHeaders) {
      // Merge through the Headers API: spreading init.headers with `...` would
      // silently drop the caller's headers when they were passed as a Headers
      // instance or as a [name, value][] array.
      const headers = new Headers(init?.headers);
      for (const [name, value] of Object.entries(signingHeaders)) {
        headers.set(name, String(value));
      }
      init = { ...init, headers };
    }
  }

  return fetch(input, init);
}

© 2026 Coveralls, Inc