fix: security hardening, chat sync bugs, and code cleanup

Security:
- CORS now denies unknown origins instead of allowing all
- Path traversal prevention via safePath() on all file operations
- Replace new Function() with vm.runInNewContext() in config loader

Chat/Sync:
- API_BASE lazily evaluated to fix race condition with MDX wrapper
- Non-streaming fallback now persists chat to localStorage
- generateStory returns post-processed code instead of pre-fix code
- Remove _debug field from streaming request body

Cleanup:
- Remove debug console.logs from StoryUIPanel
- CLI version reads from package.json instead of hardcoded 1.0.0
- Remove 3 dead functions and unused import from CLI
- Remove unused pg/types-pg dependencies
- Update API key validation models (gpt-4o-mini, gemini-2.0-flash)

Author: tpitre

cli/index.ts

@@ -5,7 +5,6 @@ import { spawn } from 'child_process';
 import fs from 'fs';
 import path from 'path';
 import { fileURLToPath } from 'url';
-import { createStoryUIConfig } from '../story-ui.config.js';
 import { setupCommand, cleanupDefaultStorybookComponents } from './setup.js';
 import { deployCommand } from './deploy.js';
 import { updateCommand, statusCommand } from './update.js';
@@ -14,12 +13,16 @@ import net from 'net';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
+// Read version from package.json
+const packageJsonPath = path.resolve(__dirname, '..', 'package.json');
+const packageVersion = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8')).version;
+
 const program = new Command();
 
 program
   .name('story-ui')
   .description('AI-powered Storybook story generator for React component libraries')
-  .version('1.0.0');
+  .version(packageVersion);
 
 program
   .command('init')
@@ -156,129 +159,6 @@ program
     }
   });
 
-async function autoDetectAndCreateConfig() {
-  const cwd = process.cwd();
-  const config: any = {
-    generatedStoriesPath: './src/stories/generated',
-    storyPrefix: 'Generated/',
-    defaultAuthor: 'Story UI AI',
-    componentPrefix: '',
-    layoutRules: {
-      multiColumnWrapper: 'div',
-      columnComponent: 'div',
-      layoutExamples: {
-        twoColumn: `<div style={{display: 'grid', gridTemplateColumns: '1fr 1fr', gap: '1rem'}}>
-  <div>Column 1 content</div>
-  <div>Column 2 content</div>
-</div>`
-      },
-      prohibitedElements: []
-    }
-  };
-
-  // Try to detect package.json
-  const packageJsonPath = path.join(cwd, 'package.json');
-  if (fs.existsSync(packageJsonPath)) {
-    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
-    config.importPath = packageJson.name || 'your-component-library';
-  }
-
-  // Try to detect components directory
-  const possibleComponentPaths = [
-    './src/components',
-    './lib/components',
-    './components',
-    './src'
-  ];
-
-  for (const possiblePath of possibleComponentPaths) {
-    if (fs.existsSync(path.join(cwd, possiblePath))) {
-      config.componentsPath = possiblePath;
-      break;
-    }
-  }
-
-  writeConfig(config, 'js');
-}
-
-async function createTemplateConfig(template: string) {
-  let config: any;
-
-  switch (template) {
-    case 'chakra-ui':
-      config = {
-        importPath: '@chakra-ui/react',
-        componentPrefix: '',
-        layoutRules: {
-          multiColumnWrapper: 'SimpleGrid',
-          columnComponent: 'Box',
-          layoutExamples: {
-            twoColumn: `<SimpleGrid columns={2} spacing={4}>
-  <Box><Card>Left content</Card></Box>
-  <Box><Card>Right content</Card></Box>
-</SimpleGrid>`
-          }
-        }
-      };
-      break;
-
-    case 'ant-design':
-      config = {
-        importPath: 'antd',
-        componentPrefix: '',
-        layoutRules: {
-          multiColumnWrapper: 'Row',
-          columnComponent: 'Col',
-          layoutExamples: {
-            twoColumn: `<Row gutter={16}>
-  <Col span={12}><Card>Left content</Card></Col>
-  <Col span={12}><Card>Right content</Card></Col>
-</Row>`
-          }
-        }
-      };
-      break;
-
-    default:
-      throw new Error(`Unknown template: ${template}`);
-  }
-
-  // Add common defaults
-  config = {
-    generatedStoriesPath: './src/stories/generated',
-    componentsPath: './src/components',
-    storyPrefix: 'Generated/',
-    defaultAuthor: 'Story UI AI',
-    ...config
-  };
-
-  writeConfig(config, 'js');
-}
-
-async function createBasicConfig() {
-  const config = {
-    generatedStoriesPath: './src/stories/generated',
-    componentsPath: './src/components',
-    storyPrefix: 'Generated/',
-    defaultAuthor: 'Story UI AI',
-    importPath: 'your-component-library',
-    componentPrefix: '',
-    layoutRules: {
-      multiColumnWrapper: 'div',
-      columnComponent: 'div',
-      layoutExamples: {
-        twoColumn: `<div style={{display: 'grid', gridTemplateColumns: '1fr 1fr', gap: '1rem'}}>
-  <div>Column 1 content</div>
-  <div>Column 2 content</div>
-</div>`
-      },
-      prohibitedElements: []
-    }
-  };
-
-  writeConfig(config, 'js');
-}
-
 function generateSampleConfig(filename: string, type: 'json' | 'js') {
   const config = {
     generatedStoriesPath: './src/stories/generated',

mcp-server/index.ts

@@ -64,14 +64,29 @@ function removeStoryExtension(filename: string): string {
   return filename;
 }
 
+/**
+ * Safely resolve a file path within a base directory.
+ * Prevents path traversal attacks by ensuring the resolved path
+ * stays within the allowed base directory.
+ * Returns null if the path escapes the base directory.
+ */
+function safePath(baseDir: string, fileName: string): string | null {
+  const resolvedBase = path.resolve(baseDir);
+  const resolvedPath = path.resolve(baseDir, fileName);
+  if (!resolvedPath.startsWith(resolvedBase + path.sep) && resolvedPath !== resolvedBase) {
+    return null;
+  }
+  return resolvedPath;
+}
+
 const app = express();
 
 // CORS configuration
-// - Allow all origins for /story-ui/* routes (public API for production Storybooks)
-// - Restrict to localhost + configured origins for other routes
+// - Allow localhost, Railway, Cloudflare Pages, and custom origins
+// - Deny unknown origins to prevent CSRF and unauthorized access
 const corsOptions = {
   origin: (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
-    // Allow requests with no origin (like mobile apps or curl)
+    // Allow requests with no origin (same-origin, mobile apps, curl, server-to-server)
     if (!origin) return callback(null, true);
 
     // Allow localhost on any port (development)
@@ -80,21 +95,26 @@ const corsOptions = {
       return callback(null, true);
     }
 
+    // Allow Railway deployment domains (*.up.railway.app)
+    const railwayPattern = /^https:\/\/[a-z0-9-]+\.up\.railway\.app$/;
+    if (railwayPattern.test(origin)) {
+      return callback(null, true);
+    }
+
     // Allow Cloudflare Pages domains (*.pages.dev)
     const cloudflarePattern = /^https:\/\/[a-z0-9-]+\.pages\.dev$/;
     if (cloudflarePattern.test(origin)) {
       return callback(null, true);
     }
 
-    // Allow custom origins from environment
-    const allowedOrigins = process.env.STORY_UI_ALLOWED_ORIGINS?.split(',') || [];
+    // Allow custom origins from environment (comma-separated)
+    const allowedOrigins = process.env.STORY_UI_ALLOWED_ORIGINS?.split(',').map(o => o.trim()) || [];
     if (allowedOrigins.includes(origin)) {
       return callback(null, true);
     }
 
-    // For production, allow any origin to access /story-ui/* endpoints
-    // These are public read-only endpoints for accessing generated stories
-    callback(null, true);
+    // Deny unknown origins
+    callback(new Error(`Origin ${origin} not allowed by CORS`), false);
   },
   credentials: true,
 };
@@ -458,10 +478,13 @@ app.post('/story-ui/stories', async (req, res) => {
     const extension = adapter?.defaultExtension || '.stories.tsx';
 
     const fileName = `${id}${extension}`;
-    const filePath = path.join(storiesPath, fileName);
+    const filePath = safePath(storiesPath, fileName);
+    if (!filePath) {
+      return res.status(400).json({ error: 'Invalid file path' });
+    }
 
     fs.writeFileSync(filePath, code, 'utf-8');
-    console.log(`✅ Saved story: ${filePath}`);
+    console.log(`Saved story: ${filePath}`);
 
     return res.json({
       success: true,
@@ -493,7 +516,10 @@ app.delete('/story-ui/stories/:id', async (req, res) => {
       const extension = adapter?.defaultExtension || '.stories.tsx';
       fileName = `${id}${extension}`;
     }
-    const filePath = path.join(storiesPath, fileName);
+    const filePath = safePath(storiesPath, fileName);
+    if (!filePath) {
+      return res.status(400).json({ error: 'Invalid file path' });
+    }
 
     if (fs.existsSync(filePath)) {
       fs.unlinkSync(filePath);
@@ -592,7 +618,12 @@ app.post('/story-ui/stories/delete-bulk', async (req, res) => {
       try {
         // Check if id already has a story extension
         const fileName = isStoryFile(id) ? id : `${id}${extension}`;
-        const filePath = path.join(storiesPath, fileName);
+        const filePath = safePath(storiesPath, fileName);
+
+        if (!filePath) {
+          errors.push(id);
+          continue;
+        }
 
         if (fs.existsSync(filePath)) {
           fs.unlinkSync(filePath);
@@ -603,7 +634,9 @@ app.post('/story-ui/stories/delete-bulk', async (req, res) => {
           const files = fs.readdirSync(storiesPath);
           const matchingFile = files.find(f => isStoryFile(f) && (f === id || removeStoryExtension(f) === id));
           if (matchingFile) {
-            fs.unlinkSync(path.join(storiesPath, matchingFile));
+            const matchPath = safePath(storiesPath, matchingFile);
+            if (!matchPath) { errors.push(id); continue; }
+            fs.unlinkSync(matchPath);
             deleted.push(id);
             console.log(`✅ Deleted: ${matchingFile}`);
           } else {
@@ -651,7 +684,10 @@ app.delete('/story-ui/stories', async (req, res) => {
       }
 
       // Try exact match first
-      let filePath = path.join(storiesPath, fileName);
+      let filePath = safePath(storiesPath, fileName);
+      if (!filePath) {
+        return res.status(400).json({ success: false, error: 'Invalid file path' });
+      }
       if (fs.existsSync(filePath)) {
         fs.unlinkSync(filePath);
         console.log(`✅ Deleted story: ${filePath}`);
@@ -665,7 +701,10 @@ app.delete('/story-ui/stories', async (req, res) => {
         const files = fs.readdirSync(storiesPath);
         const matchingFile = files.find(f => f.includes(`-${hash}.stories.`));
         if (matchingFile) {
-          filePath = path.join(storiesPath, matchingFile);
+          filePath = safePath(storiesPath, matchingFile);
+          if (!filePath) {
+            return res.status(400).json({ success: false, error: 'Invalid file path' });
+          }
           fs.unlinkSync(filePath);
           console.log(`✅ Deleted story by hash match: ${filePath}`);
           return res.json({ success: true, message: 'Story deleted successfully' });
@@ -689,7 +728,9 @@ app.delete('/story-ui/stories', async (req, res) => {
 
     for (const file of storyFiles) {
       try {
-        fs.unlinkSync(path.join(storiesPath, file));
+        const fp = safePath(storiesPath, file);
+        if (!fp) continue;
+        fs.unlinkSync(fp);
         deleted++;
       } catch (err) {
         console.error(`Error deleting ${file}:`, err);
@@ -742,7 +783,8 @@ app.post('/story-ui/orphan-stories', async (req, res) => {
 
     // Get details for each orphan
     const orphanDetails = orphans.map(fileName => {
-      const filePath = path.join(storiesPath, fileName);
+      const filePath = safePath(storiesPath, fileName);
+      if (!filePath) return null;
       const content = fs.readFileSync(filePath, 'utf-8');
       const stats = fs.statSync(filePath);
 
@@ -757,13 +799,13 @@ app.post('/story-ui/orphan-stories', async (req, res) => {
         title,
         lastUpdated: stats.mtime.getTime()
       };
-    });
+    }).filter(Boolean);
 
-    console.log(`📋 Found ${orphans.length} orphan stories out of ${storyFiles.length} total`);
+    console.log(`📋 Found ${orphanDetails.length} orphan stories out of ${storyFiles.length} total`);
 
     return res.json({
       orphans: orphanDetails,
-      count: orphans.length,
+      count: orphanDetails.length,
       totalStories: storyFiles.length
     });
   } catch (error) {
@@ -806,7 +848,8 @@ app.delete('/story-ui/orphan-stories', async (req, res) => {
 
     for (const fileName of orphans) {
       try {
-        const filePath = path.join(storiesPath, fileName);
+        const filePath = safePath(storiesPath, fileName);
+        if (!filePath) { errors.push(fileName); continue; }
         fs.unlinkSync(filePath);
         deleted.push(fileName);
         console.log(`🗑️ Deleted orphan story: ${fileName}`);

mcp-server/routes/generateStory.ts

@@ -1115,7 +1115,7 @@ export async function generateStoryFromPrompt(req: Request, res: Response) {
       storyId,
       outPath,
       title: cleanTitle,  // Use versioned title (e.g., "Navigation Bar v2")
-      story: fileContents,
+      story: fixedFileContents,
       storage: 'file-system',
       isUpdate: isActualUpdate,
       validation: {

package.json

@@ -74,7 +74,6 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.23.0",
-    "@types/pg": "^8.15.6",
     "chalk": "^5.3.0",
     "commander": "^11.0.0",
     "cors": "^2.8.5",
@@ -84,7 +83,6 @@
     "http-proxy-middleware": "^3.0.0",
     "inquirer": "^9.2.0",
     "node-fetch": "^2.6.7",
-    "pg": "^8.16.3",
     "typescript": "^5.8.3",
     "zod": "^3.22.4"
   },

story-generator/configLoader.ts

@@ -1,5 +1,6 @@
 import fs from 'fs';
 import path from 'path';
+import vm from 'vm';
 import { createRequire } from 'module';
 import { StoryUIConfig, DEFAULT_CONFIG, createStoryUIConfig, IconImportsConfig } from '../story-ui.config.js';
 
@@ -177,9 +178,8 @@ export function loadUserConfig(): StoryUIConfig {
                 .replace(/\/\/[^\n]*/g, '') // Remove single-line comments
                 .replace(/,(\s*[}\]])/g, '$1'); // Remove trailing commas
 
-              // Use Function constructor (safer than eval, runs in isolated scope)
-              const configFn = new Function(`return ${configObj}`);
-              userConfig = configFn();
+              // Use vm.runInNewContext for sandboxed evaluation (no access to require, process, etc.)
+              userConfig = vm.runInNewContext(`(${configObj})`, Object.create(null), { timeout: 1000 });
             } catch (parseError) {
               console.warn(`Failed to parse config from ${configPath}:`, parseError);
               throw requireError; // Re-throw original error

story-generator/llm-providers/gemini-provider.ts

@@ -328,7 +328,7 @@ export class GeminiProvider extends BaseLLMProvider {
   async validateApiKey(apiKey: string): Promise<ValidationResult> {
     try {
       // Make a minimal API call to validate the key
-      const url = `${this.getApiUrl('gemini-1.5-flash')}?key=${apiKey}`;
+      const url = `${this.getApiUrl('gemini-2.0-flash')}?key=${apiKey}`;
       const response = await fetch(url, {
         method: 'POST',
         headers: {