mikael-lovqvists-claude-agent/claude-code-conduit
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Add HMAC auth, user permissions, snake_case rename

Browse Source 
Each request is signed with HMAC-SHA256 over timestamp+body using a
per-user secret loaded from a --secrets file (never env vars or git).
Users have a canApprove list controlling who may approve queued actions.
Queue entries track submitted_by for permission checks on approve/deny.

Also renames all identifiers to snake_case throughout the codebase.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
mikael-lovqvists-claude-agent
2026-03-07 20:18:41 +00:00
parent f02e2a746d
commit 67c1c3f9a4
11 changed files with 226 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
server/helpers.mjs
View File

@@ -4,10 +4,10 @@ import path from "path";
const WORKSPACE_ROOT = process.env.CONDUIT_ROOT || "/workspace";
// Resolve a path param relative to WORKSPACE_ROOT, preventing traversal.
export function resolvePath(userPath) {
const resolved = path.resolve(WORKSPACE_ROOT, userPath.replace(/^\//, ""));
export function resolve_path(user_path) {
const resolved = path.resolve(WORKSPACE_ROOT, user_path.replace(/^\//, ""));
if (!resolved.startsWith(WORKSPACE_ROOT)) {
throw new Error(`Path escapes workspace root: ${userPath}`);
throw new Error(`Path escapes workspace root: ${user_path}`);
}
return resolved;
}