Skip to content

Security hardening#2

Merged
zhanmu-tw merged 10 commits into
mainfrom
security-hardening
Apr 16, 2026
Merged

Security hardening#2
zhanmu-tw merged 10 commits into
mainfrom
security-hardening

Conversation

@zhanmu-tw

@zhanmu-tw zhanmu-tw commented Apr 16, 2026

Copy link
Copy Markdown
Owner

Fixes

  • Slash command authorization: All slash commands and button/select i
    nteractions now enforce ALLOWED_USER_IDS.
  • Dashboard hardening: API key is now required (no fallback to open a
    ccess); query-string auth removed; uses crypto.timingSafeEqual; HTML-es
    capes all rendered values; adds security headers (CSP, X-Frame-Options , X-Content-Type-Options).
  • Path sanitization: /workdir and /add-dir paths are validated ag
    ainst KIMI_WORK_DIR to block traversal and shell metacharacters.
  • Error sanitization: Raw error messages no longer leak internal deta
    ils to Discord; generic messages are sent instead.
  • Memory leaks: Question state moved from global Maps into KimiSessi on instance and auto-cleared on teardown.
  • Event listener cleanup: runTurn now guarantees listener removal v
    ia try/finally and uses once() for terminal events.
  • Configurability: MCP_CONFIG_PATH and DASHBOARD_API_KEY env vars
    added.

@zhanmu-tw
zhanmu-tw merged commit 1950893 into main Apr 16, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant