fix: complete medium hardening updates for auth, RBAC, OAuth/SSO, secrets, and admin UI defaults (m-batch-1) by crivetimihai · Pull Request #3129 · IBM/mcp-context-forge

crivetimihai · 2026-02-23T19:03:50Z

Scope (Hardening IDs + Description)

A-04: Broaden request logging masking beyond exact key matches while avoiding over-masking noise.
C-06: Enforce token scoping consistently for both header and cookie auth paths.
C-26: Normalize root-path-prefixed request paths before scoping/permission pattern matching.
C-31: Protect LLM chat session config secrets at rest and in response payloads.
C-34: Remove permissive fallback grants so RBAC relies on explicit permissions.
C-36: Validate membership/ownership when reassigning server team_id.
C-37: Make import visibility defaults secure-by-default with compatibility-safe behavior.
C-40: Protect LLM provider config secret fields at rest and on read APIs.
C-41: Complete remaining gap by adding at-rest protection for sensitive tool custom headers while preserving masked reads.
L-13: Align permission constants, decorator checks, validation, and default role assignments.
O-08: Tighten SSO email verification handling for missing/false claims and existing-user updates.
O-12: Replace PII-bearing OAuth state with opaque server-side state mapping.
O-13: Enforce trusted-domain policy for existing users as well.
U-02: Add CSRF protections for admin state-changing flows.
U-03: Remove residual unsafe DOM insertion patterns / enforce safe sanitization paths.
U-04: Complete SRI hardening coverage for external assets and resolve remaining exceptions appropriately.

Summary

This PR completes the medium hardening batch across API, middleware, RBAC, OAuth/SSO, secret handling, and admin UI behavior.

Key outcomes:

Secure-by-default authz/authn behavior across token scope + RBAC layers.
Explicit role permission model with fallback bypass removal.
Stronger secret protection at rest and in read responses.
Safer OAuth/SSO state and identity verification semantics.
Hardened admin UI mutation protections and safer dynamic rendering behavior.
Consistent behavior across API/admin/protocol/middleware paths.
RC2 changelog and related docs updated to reflect user-visible hardening/default changes.

Checklist

Tests updated for changed behavior
Docs/changelog updated where behavior changed
No secrets or credentials committed

Refs: A-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: C-06, C-26 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: C-31 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: C-34, L-13 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: C-36 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: C-37 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: C-40 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: C-41 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: O-08, O-13 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: O-12 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: U-02, U-03, U-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Refs: A-04, C-06, C-26, C-31, C-34, C-36, C-37, C-40, C-41, L-13, O-08, O-12, O-13, U-02, U-03, U-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

A-04 C-34 L-13 O-12 U-02 U-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

U-03 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

C-34 O-12 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

…rets, and admin UI defaults (m-batch-1) (#3129) * fix: request logging hardening and behavior consistency Refs: A-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: token scoping hardening and behavior consistency Refs: C-06, C-26 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: llm chat config hardening and behavior consistency Refs: C-31 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: permission model hardening and behavior consistency Refs: C-34, L-13 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: server team assignment hardening and behavior consistency Refs: C-36 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: import visibility defaults hardening and behavior consistency Refs: C-37 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: llm provider config hardening and behavior consistency Refs: C-40 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: tool header protection hardening and behavior consistency Refs: C-41 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: sso identity checks hardening and behavior consistency Refs: O-08, O-13 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: oauth state handling hardening and behavior consistency Refs: O-12 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: admin ui hardening and behavior consistency Refs: U-02, U-03, U-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * docs: rc2 hardening release notes and behavior consistency Refs: A-04, C-06, C-26, C-31, C-34, C-36, C-37, C-40, C-41, L-13, O-08, O-12, O-13, U-02, U-03, U-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: harden medium security defaults and UI regression paths A-04 C-34 L-13 O-12 U-02 U-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: escape pagination query params inside Alpine attributes U-03 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * chore: resolve migration and oauth lint warnings C-34 O-12 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix tests Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix cdn Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test: harden playwright admin auth and entity timing stability Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test: stabilize localhost admin auth flow in playwright Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: align admin auth-form csrf token issuance and submission Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test: close remaining diff coverage gaps to 100 percent Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

crivetimihai added 16 commits February 23, 2026 15:54

fix: request logging hardening and behavior consistency

dda4efc

Refs: A-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: token scoping hardening and behavior consistency

0195be7

Refs: C-06, C-26 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: llm chat config hardening and behavior consistency

08f16ea

Refs: C-31 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: permission model hardening and behavior consistency

d292b76

Refs: C-34, L-13 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: server team assignment hardening and behavior consistency

25507e0

Refs: C-36 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: import visibility defaults hardening and behavior consistency

566433c

Refs: C-37 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: llm provider config hardening and behavior consistency

69b974f

Refs: C-40 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: tool header protection hardening and behavior consistency

71e3c4e

Refs: C-41 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: sso identity checks hardening and behavior consistency

34a3883

Refs: O-08, O-13 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: oauth state handling hardening and behavior consistency

74064db

Refs: O-12 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: admin ui hardening and behavior consistency

506cc2b

Refs: U-02, U-03, U-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

docs: rc2 hardening release notes and behavior consistency

5352a13

Refs: A-04, C-06, C-26, C-31, C-34, C-36, C-37, C-40, C-41, L-13, O-08, O-12, O-13, U-02, U-03, U-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

lint

85da51c

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: harden medium security defaults and UI regression paths

780f3c9

A-04 C-34 L-13 O-12 U-02 U-04 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: escape pagination query params inside Alpine attributes

42ca9d8

U-03 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

chore: resolve migration and oauth lint warnings

a7ec7b3

C-34 O-12 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

crivetimihai requested review from kevalmahajan and madhav165 as code owners February 23, 2026 19:03

crivetimihai self-assigned this Feb 23, 2026

crivetimihai added security Improves security revisit Revisit this PR at a later date to address further issues, or if problems arise. labels Feb 23, 2026

crivetimihai added this to the Release 1.0.0-GA milestone Feb 23, 2026

crivetimihai added 5 commits February 23, 2026 21:23

fix tests

8b0fc02

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix cdn

4baec15

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

test: harden playwright admin auth and entity timing stability

063678c

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

test: stabilize localhost admin auth flow in playwright

a884e51

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: align admin auth-form csrf token issuance and submission

719fcda

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

crivetimihai changed the title ~~fix: complete medium hardening updates for auth, RBAC, OAuth/SSO, secrets, and admin UI defaults~~ fix: complete medium hardening updates for auth, RBAC, OAuth/SSO, secrets, and admin UI defaults (m-batch-1) Feb 24, 2026

crivetimihai added the SHOULD P2: Important but not vital; high-value items that are not crucial for the immediate release label Feb 24, 2026

test: close remaining diff coverage gaps to 100 percent

7446961

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

crivetimihai merged commit 32ca4d6 into main Feb 24, 2026
55 checks passed

crivetimihai deleted the m-batch-1 branch February 24, 2026 02:14

This was referenced Mar 2, 2026

[BUG]: Team selector dropdown items not clickable — onclick stripped by innerHTML sanitizer #3372

Closed

fix(ui): convert inline event handlers to addEventListener for innerHTML guard compatibility (#3372) #3373

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: complete medium hardening updates for auth, RBAC, OAuth/SSO, secrets, and admin UI defaults (m-batch-1)#3129

fix: complete medium hardening updates for auth, RBAC, OAuth/SSO, secrets, and admin UI defaults (m-batch-1)#3129
crivetimihai merged 22 commits intomainfrom
m-batch-1

crivetimihai commented Feb 23, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

crivetimihai commented Feb 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Scope (Hardening IDs + Description)

Summary

Checklist

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

crivetimihai commented Feb 23, 2026 •

edited

Loading