fix: security hardening and code quality fixes

* Security hardening and code quality fixes

- Replace execSync with execFileSync to prevent shell injection (providers, executor, fetcher, publish)
- Add security headers: X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, Referrer-Policy
- Add input validation for save route name field to prevent path traversal
- Fix rate limiter IP extraction (x-forwarded-for + x-real-ip fallback)
- Default server bind to 127.0.0.1 instead of 0.0.0.0
- CORS fallback to * (configurable via options.corsOrigin)
- Use execFileSync in publish submit (avoid shell injection when opening browser)
- TLS-aware health checks and HTTPS support in RemoteTransport
- Conditional rejectUnauthorized for TLS (self-signed configurable)
- Add **/.env.local patterns to .gitignore
- Formatting: double quotes, trailing commas (Prettier)

* fix: address CodeRabbit and Devin review findings from PR #74

- TLS: default allowSelfSigned=true to preserve self-signed cert workflow;
  enforce rejectUnauthorized=true when trustedCAs are supplied in client context
- Signature verification: verifySecureMessage now cryptographically verifies
  signatures using PeerIdentity.verifyHex instead of only checking fingerprints
- WebSocket: fix timeout handle leak in performClientHandshake; add error
  logging to empty catch blocks; add per-socket error handler; pre-compute
  signature once in broadcast(); add send error callbacks; reject startup if
  TLS configured but certInfo missing
- Command parsing: replace broken regex tokenizer with shared splitCommand()
  utility that correctly handles --flag="value with spaces"
- Rate limiter: prefer x-real-ip, fall back to rightmost x-forwarded-for entry
- Save route: scope IPv6 prefix checks to actual IPv6 addresses; stop leaking
  internal error messages to clients
- Publish: extract shared parseSkillFrontmatter(); fix getRepoInfo to use
  async execFileSync; fix path containment checks with separator
- Remote transport: add rejectUnauthorized option; bracket IPv6 in URLs;
  fix host:port splitting for IPv6 with lastIndexOf
- Health checks: add tls/tlsAllowSelfSigned to Host type; pass https options
- Fetcher: validate owner/repo; derive indexDir from INDEX_PATH
- .gitignore: add recursive **/.env pattern, remove redundant entries

* fix(executor): restore shell feature support in shellExecutor

The previous security hardening replaced execSync with execFileSync,
which broke commands using pipes, redirects, and subshells. Now detects
shell metacharacters and falls back to sh -c for those commands while
keeping execFileSync for simple commands.

Author: rohitg00

.gitignore

@@ -24,8 +24,9 @@ npm-debug.log*
 
 # Environment
 .env
-.env.local
-.env.*.local
+**/.env
+**/.env.local
+**/.env.*.local
 
 # Package manager
 yarn.lock

packages/api/src/middleware/rate-limit.ts

@@ -1,4 +1,4 @@
-import type { Context, Next } from 'hono';
+import type { Context, Next } from "hono";
 
 interface RateLimitEntry {
   count: number;
@@ -18,8 +18,12 @@ export function rateLimiter(maxRequests = 60, windowMs = 60_000) {
   }, windowMs).unref();
 
   return async (c: Context, next: Next): Promise<Response | void> => {
-    const forwardedFor = c.req.header('x-forwarded-for');
-    const ip = (forwardedFor?.split(',')[0]?.trim()) || c.req.header('x-real-ip') || 'unknown';
+    const xRealIp = c.req.header("x-real-ip");
+    const forwarded = c.req.header("x-forwarded-for");
+    const forwardedIp = forwarded
+      ? forwarded.split(",").at(-1)?.trim()
+      : undefined;
+    const ip = xRealIp || forwardedIp || "unknown";
     const now = Date.now();
 
     let entry = windows.get(ip);
@@ -30,12 +34,21 @@ export function rateLimiter(maxRequests = 60, windowMs = 60_000) {
 
     entry.count++;
 
-    c.header('X-RateLimit-Limit', String(maxRequests));
-    c.header('X-RateLimit-Remaining', String(Math.max(0, maxRequests - entry.count)));
-    c.header('X-RateLimit-Reset', String(Math.ceil(entry.resetAt / 1000)));
+    c.header("X-RateLimit-Limit", String(maxRequests));
+    c.header(
+      "X-RateLimit-Remaining",
+      String(Math.max(0, maxRequests - entry.count)),
+    );
+    c.header("X-RateLimit-Reset", String(Math.ceil(entry.resetAt / 1000)));
 
     if (entry.count > maxRequests) {
-      return c.json({ error: 'Too many requests', retryAfter: Math.ceil((entry.resetAt - now) / 1000) }, 429);
+      return c.json(
+        {
+          error: "Too many requests",
+          retryAfter: Math.ceil((entry.resetAt - now) / 1000),
+        },
+        429,
+      );
     }
 
     await next();

packages/api/src/routes/save.ts

@@ -1,5 +1,5 @@
-import { Hono } from 'hono';
-import { ContentExtractor, SkillGenerator, AutoTagger } from '@skillkit/core';
+import { Hono } from "hono";
+import { ContentExtractor, SkillGenerator, AutoTagger } from "@skillkit/core";
 
 interface SaveRequest {
   url?: string;
@@ -10,25 +10,40 @@ interface SaveRequest {
 
 const MAX_TEXT_LENGTH = 500_000;
 
-const BLOCKED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]', '::1', '0.0.0.0']);
+const BLOCKED_HOSTS = new Set([
+  "localhost",
+  "127.0.0.1",
+  "[::1]",
+  "::1",
+  "0.0.0.0",
+]);
 
 function isAllowedUrl(url: string): boolean {
   try {
     const parsed = new URL(url);
-    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
+      return false;
 
     const hostname = parsed.hostname.toLowerCase();
-    const bare = hostname.replace(/^\[|\]$/g, '');
+    const bare = hostname.replace(/^\[|\]$/g, "");
 
     if (BLOCKED_HOSTS.has(hostname) || BLOCKED_HOSTS.has(bare)) return false;
-    if (bare.startsWith('::ffff:')) return isAllowedUrl(`http://${bare.slice(7)}`);
+    if (bare.startsWith("::ffff:"))
+      return isAllowedUrl(`http://${bare.slice(7)}`);
     if (/^127\./.test(bare) || /^0\./.test(bare)) return false;
-    if (bare.startsWith('10.') || bare.startsWith('192.168.')) return false;
+    if (bare.startsWith("10.") || bare.startsWith("192.168.")) return false;
     if (/^172\.(1[6-9]|2\d|3[01])\./.test(bare)) return false;
-    if (bare.startsWith('169.254.')) return false;
-    if (bare.startsWith('fe80:') || bare.startsWith('fc') || bare.startsWith('fd')) return false;
+    if (bare.startsWith("169.254.")) return false;
+    if (bare.includes(":")) {
+      if (
+        bare.startsWith("fe80:") ||
+        bare.startsWith("fc") ||
+        bare.startsWith("fd")
+      )
+        return false;
+      if (bare.startsWith("ff")) return false;
+    }
     if (/^(22[4-9]|23\d|24\d|25[0-5])\./.test(bare)) return false;
-    if (bare.startsWith('ff')) return false;
     return true;
   } catch {
     return false;
@@ -41,24 +56,39 @@ export function saveRoutes() {
   const generator = new SkillGenerator();
   const tagger = new AutoTagger();
 
-  app.post('/save', async (c) => {
+  app.post("/save", async (c) => {
     let body: SaveRequest;
     try {
       body = await c.req.json();
     } catch {
-      return c.json({ error: 'Invalid JSON body' }, 400);
+      return c.json({ error: "Invalid JSON body" }, 400);
     }
 
     if (!body.url && !body.text) {
       return c.json({ error: 'Either "url" or "text" is required' }, 400);
     }
 
     if (body.url && !isAllowedUrl(body.url)) {
-      return c.json({ error: 'URL must be a public HTTP(S) address' }, 400);
+      return c.json({ error: "URL must be a public HTTP(S) address" }, 400);
+    }
+
+    if (body.name && !/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(body.name)) {
+      return c.json(
+        {
+          error:
+            "Name must be alphanumeric (hyphens, underscores, dots allowed)",
+        },
+        400,
+      );
     }
 
     if (body.text && body.text.length > MAX_TEXT_LENGTH) {
-      return c.json({ error: `Text exceeds maximum length of ${MAX_TEXT_LENGTH} characters` }, 400);
+      return c.json(
+        {
+          error: `Text exceeds maximum length of ${MAX_TEXT_LENGTH} characters`,
+        },
+        400,
+      );
     }
 
     try {
@@ -78,16 +108,17 @@ export function saveRoutes() {
         tags: tagger.detectTags(content),
       });
     } catch (err) {
-      const message = err instanceof Error ? err.message : 'Unknown error';
+      console.error("Save extraction failed:", err);
       const isTimeout =
-        (err instanceof DOMException && err.name === 'TimeoutError') ||
-        (err instanceof Error && (err.name === 'TimeoutError' || err.name === 'AbortError'));
+        (err instanceof DOMException && err.name === "TimeoutError") ||
+        (err instanceof Error &&
+          (err.name === "TimeoutError" || err.name === "AbortError"));
 
       if (isTimeout) {
-        return c.json({ error: `Fetch timeout: ${message}` }, 504);
+        return c.json({ error: "Fetch timed out" }, 504);
       }
 
-      return c.json({ error: `Extraction failed: ${message}` }, 422);
+      return c.json({ error: "Extraction failed" }, 422);
     }
   });
 

packages/api/src/server.ts

@@ -1,15 +1,15 @@
-import { Hono } from 'hono';
-import { cors } from 'hono/cors';
-import { MemoryCache } from '@skillkit/core';
-import { rateLimiter } from './middleware/rate-limit.js';
-import { healthRoutes } from './routes/health.js';
-import { searchRoutes } from './routes/search.js';
-import { skillRoutes } from './routes/skills.js';
-import { trendingRoutes } from './routes/trending.js';
-import { categoryRoutes } from './routes/categories.js';
-import { docsRoutes } from './routes/docs.js';
-import { saveRoutes } from './routes/save.js';
-import type { ApiSkill, SearchResponse } from './types.js';
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+import { MemoryCache } from "@skillkit/core";
+import { rateLimiter } from "./middleware/rate-limit.js";
+import { healthRoutes } from "./routes/health.js";
+import { searchRoutes } from "./routes/search.js";
+import { skillRoutes } from "./routes/skills.js";
+import { trendingRoutes } from "./routes/trending.js";
+import { categoryRoutes } from "./routes/categories.js";
+import { docsRoutes } from "./routes/docs.js";
+import { saveRoutes } from "./routes/save.js";
+import type { ApiSkill, SearchResponse } from "./types.js";
 
 export interface ServerOptions {
   port?: number;
@@ -29,26 +29,36 @@ export function createApp(options: ServerOptions = {}) {
 
   const app = new Hono();
 
-  app.use('*', cors({ origin: options.corsOrigin || '*' }));
-  app.use('*', rateLimiter(options.rateLimitMax ?? 60));
+  app.use("*", cors({ origin: options.corsOrigin || "*" }));
+  app.use("*", async (c, next) => {
+    await next();
+    c.header("X-Content-Type-Options", "nosniff");
+    c.header("X-Frame-Options", "DENY");
+    c.header(
+      "Content-Security-Policy",
+      "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
+    );
+    c.header("Referrer-Policy", "strict-origin-when-cross-origin");
+  });
+  app.use("*", rateLimiter(options.rateLimitMax ?? 60));
 
-  app.route('/', healthRoutes(skills.length, cache));
-  app.route('/', searchRoutes(skills, cache));
-  app.route('/', skillRoutes(skills));
-  app.route('/', trendingRoutes(skills));
-  app.route('/', categoryRoutes(skills));
-  app.route('/', docsRoutes());
-  app.route('/', saveRoutes());
+  app.route("/", healthRoutes(skills.length, cache));
+  app.route("/", searchRoutes(skills, cache));
+  app.route("/", skillRoutes(skills));
+  app.route("/", trendingRoutes(skills));
+  app.route("/", categoryRoutes(skills));
+  app.route("/", docsRoutes());
+  app.route("/", saveRoutes());
 
   return { app, cache };
 }
 
 export async function startServer(options: ServerOptions = {}) {
   const port = options.port ?? 3737;
-  const host = options.host ?? '0.0.0.0';
+  const host = options.host ?? "127.0.0.1";
   const { app, cache } = createApp(options);
 
-  const { serve } = await import('@hono/node-server');
+  const { serve } = await import("@hono/node-server");
 
   const server = serve({ fetch: app.fetch, port, hostname: host }, () => {
     console.log(`SkillKit API server running at http://${host}:${port}`);