tiletopia

megaproxy/tiletopia

Fork 0

Commit graph

Author	SHA1	Message	Date
megaproxy	bf2810a433	MCP v2 PR-3: write_pane, spawn_pane, connect_host + SSH safeguards Three of the highest-power v2 tools, plus a defense-in-depth pass on SSH-specific risk. write_pane sends keystrokes (or any bytes) to a pane's PTY. The policy engine matches against the text content directly so rules like write_pane(npm test*) match by what would run, and the compiled-in hard-deny catches rm -rf /, fork bombs, etc. regardless of policy. Per-pane token-bucket rate limiter (30 calls / 10s, 3/sec refill) prevents a runaway loop from spamming the user with confirm modals or burning audit-log capacity. The frontend handler truncates the text in modal/audit summaries to ~60 chars + escapes control characters so secrets pasted into write_pane don't echo verbatim into the UI. spawn_pane mirrors the existing SpawnSpec enum (WSL distro, PowerShell, SSH) as the tool schema. New splitLeafWith helper inserts a caller-built LeafNode (with a pre-generated id) so the handler can await waitForPaneRegistration on that exact leaf before replying with the resulting {leafId, paneId}. 15s spawn timeout covers cold-start WSL distros; 30s for connect_host covers SSH handshake + auth. Outer dispatch timeout bumped 30s → 60s. SSH spawns without a saved hostId are refused — LeafNode only persists sshHostId, no inline params, so use connect_host. connect_host is a thin wrapper that looks up a saved SSH host by id and routes through the same spawn machinery. McpConfirm.tsx gains an optional ssh context — when the call targets or spawns an SSH pane, a red warning banner renders explaining that pattern matching is best-effort on the bytes we send (remote shell expands aliases/subshells before executing). buildConfirmSummary became buildConfirmInfo and returns the SSH context alongside the summary string. PR-3.5 — SSH safeguards. Two new switches in the Policy tab, both off by default, both gated by mcp_policy::SshSafeguards: allowOpenSsh: when off, connect_host and spawn_pane(kind=ssh) refuse server-side with a clear "ssh-disabled" message pointing at the Policy tab. User must open SSH manually via the titlebar 🔑 picker and toggle 🤖 on to grant Claude access. autoAllowSpawnedSsh: when off, an SSH pane Claude spawns starts with mcpAllow=false. User must explicitly toggle 🤖 before Claude can read scrollback or send keystrokes. The second switch is disabled in the UI when the first is off. The safe-by-default design means a fresh install gives Claude no ability to autonomously touch SSH — full safety with one click per level to enable when consciously wanted. Both switches read fresh per call so policy edits take effect without a server restart. ErrorBoundary.tsx — last-resort guard against React render exceptions. Wraps the App root + each MCP panel tab independently so a bug in one tab doesn't blank the entire app. Shows a small red error card with the exception message and a "Try again" button. Caught a serde rename_all bug during PR-3.5 testing where PolicyTab read policy.sshSafeguards but Rust serialized ssh_safeguards (snake_case); without the boundary the whole window went black. newId() now exported from tree.ts for the splitLeafWith path. McpPolicy struct gained #[serde(rename_all = "camelCase")] so sshSafeguards survives the IPC round-trip cleanly; older policy files without the field still load (serde defaults to safe).	2026-05-26 14:50:06 +01:00
megaproxy	26ffe8859a	MCP v2 PR-1b: action dispatcher, confirm modal, set_label end-to-end App.tsx now listens on "mcp://request" and resolves each call: needsConfirm=true queues a confirm modal (Accept/Reject, or "Always allow <tool>" which appends the bare tool name to the policy's allow bucket on the fly); needsConfirm=false runs straight through. Replies via mcp_action_reply with externally-tagged Result. The only wired-up tool for now is set_label, which delegates to the existing ops.setLabel path. McpConfirm.tsx (new) — themed amber-bordered modal sibling to the existing overlays. Enter = accept, Esc = reject. Shows tool, the policy reason that triggered the prompt, a human-readable summary ("Rename pane X → Y"), and an expandable raw-args section. Audit log: subscription lifted from AuditTab up to App.tsx so events fired while the panel is closed (or on Config/Policy tab) still land in the ring. AuditTab becomes presentational; McpPanel forwards entries + clearAudit + computes the unread badge from a baseline seen-count. StrictMode race fix: both new App-level listeners (mcp://audit and mcp://request) use the cancelled-flag pattern so a late-resolving listen() Promise after a strict-mode pretend-unmount tears itself down instead of leaking a second subscription. Previously this manifested as duplicate audit rows and a need-to-click-twice on modal buttons.	2026-05-26 12:26:33 +01:00

Author

SHA1

Message

Date

megaproxy

bf2810a433

MCP v2 PR-3: write_pane, spawn_pane, connect_host + SSH safeguards

Three of the highest-power v2 tools, plus a defense-in-depth pass
on SSH-specific risk.

write_pane sends keystrokes (or any bytes) to a pane's PTY. The
policy engine matches against the text content directly so rules
like write_pane(npm test*) match by what would run, and the
compiled-in hard-deny catches rm -rf /, fork bombs, etc. regardless
of policy. Per-pane token-bucket rate limiter (30 calls / 10s,
3/sec refill) prevents a runaway loop from spamming the user with
confirm modals or burning audit-log capacity. The frontend handler
truncates the text in modal/audit summaries to ~60 chars + escapes
control characters so secrets pasted into write_pane don't echo
verbatim into the UI.

spawn_pane mirrors the existing SpawnSpec enum (WSL distro,
PowerShell, SSH) as the tool schema. New splitLeafWith helper
inserts a caller-built LeafNode (with a pre-generated id) so the
handler can await waitForPaneRegistration on that exact leaf before
replying with the resulting {leafId, paneId}. 15s spawn timeout
covers cold-start WSL distros; 30s for connect_host covers SSH
handshake + auth. Outer dispatch timeout bumped 30s → 60s. SSH
spawns without a saved hostId are refused — LeafNode only persists
sshHostId, no inline params, so use connect_host.

connect_host is a thin wrapper that looks up a saved SSH host by
id and routes through the same spawn machinery.

McpConfirm.tsx gains an optional ssh context — when the call
targets or spawns an SSH pane, a red warning banner renders
explaining that pattern matching is best-effort on the bytes we
send (remote shell expands aliases/subshells before executing).
buildConfirmSummary became buildConfirmInfo and returns the SSH
context alongside the summary string.

PR-3.5 — SSH safeguards. Two new switches in the Policy tab,
both off by default, both gated by mcp_policy::SshSafeguards:

  allowOpenSsh: when off, connect_host and spawn_pane(kind=ssh)
    refuse server-side with a clear "ssh-disabled" message pointing
    at the Policy tab. User must open SSH manually via the titlebar
    🔑 picker and toggle 🤖 on to grant Claude access.

  autoAllowSpawnedSsh: when off, an SSH pane Claude spawns starts
    with mcpAllow=false. User must explicitly toggle 🤖 before
    Claude can read scrollback or send keystrokes. The second switch
    is disabled in the UI when the first is off.

The safe-by-default design means a fresh install gives Claude no
ability to autonomously touch SSH — full safety with one click per
level to enable when consciously wanted. Both switches read fresh
per call so policy edits take effect without a server restart.

ErrorBoundary.tsx — last-resort guard against React render
exceptions. Wraps the App root + each MCP panel tab independently
so a bug in one tab doesn't blank the entire app. Shows a small
red error card with the exception message and a "Try again"
button. Caught a serde rename_all bug during PR-3.5 testing where
PolicyTab read policy.sshSafeguards but Rust serialized
ssh_safeguards (snake_case); without the boundary the whole window
went black.

newId() now exported from tree.ts for the splitLeafWith path.
McpPolicy struct gained #[serde(rename_all = "camelCase")] so
sshSafeguards survives the IPC round-trip cleanly; older policy
files without the field still load (serde defaults to safe).

2026-05-26 14:50:06 +01:00

megaproxy

26ffe8859a

MCP v2 PR-1b: action dispatcher, confirm modal, set_label end-to-end

App.tsx now listens on "mcp://request" and resolves each call:
needsConfirm=true queues a confirm modal (Accept/Reject, or
"Always allow <tool>" which appends the bare tool name to the
policy's allow bucket on the fly); needsConfirm=false runs straight
through. Replies via mcp_action_reply with externally-tagged
Result. The only wired-up tool for now is set_label, which delegates
to the existing ops.setLabel path.

McpConfirm.tsx (new) — themed amber-bordered modal sibling to the
existing overlays. Enter = accept, Esc = reject. Shows tool, the
policy reason that triggered the prompt, a human-readable summary
("Rename pane X → Y"), and an expandable raw-args section.

Audit log: subscription lifted from AuditTab up to App.tsx so events
fired while the panel is closed (or on Config/Policy tab) still land
in the ring. AuditTab becomes presentational; McpPanel forwards
entries + clearAudit + computes the unread badge from a baseline
seen-count.

StrictMode race fix: both new App-level listeners (mcp://audit and
mcp://request) use the cancelled-flag pattern so a late-resolving
listen() Promise after a strict-mode pretend-unmount tears itself
down instead of leaking a second subscription. Previously this
manifested as duplicate audit rows and a need-to-click-twice on
modal buttons.

2026-05-26 12:26:33 +01:00

2 commits