AgentWorkforce · khaliqgant · Mar 26, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026
diff --git a/.claude/worktrees/agent-accaf0e5 b/.claude/worktrees/agent-accaf0e5
diff --git a/.dev.vars.example b/.dev.vars.example
@@ -0,0 +1,3 @@
+SIGNING_KEY=dev-secret
+SIGNING_KEY_ID=dev-key
+INTERNAL_SECRET=internal-test-secret
diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,7 @@ node_modules
 dist
 .wrangler
 .env
+.dev.vars
 *.log
 .turbo
 
@@ -13,3 +14,6 @@ __pycache__/
 *.egg-info/
 *.egg
 .eggs/
+
+# Build info
+tsconfig.tsbuildinfo
diff --git a/.msd-autofix-findings-summary.txt b/.msd-autofix-findings-summary.txt
@@ -0,0 +1,7 @@
+1. [CRITICAL] packages/server/src/worker.ts — packages/server/src/worker.ts
+2. [CRITICAL] packages/server/src/worker.ts — packages/server/src/worker.ts
+3. [CRITICAL] packages/server/src/worker.ts — packages/server/src/worker.ts
+4. [CRITICAL] packages/server/src/durable-objects/identity-do.ts — packages/server/src/durable-objects/identity-do.ts
+5. [CRITICAL] packages/ai/src/adapter.ts — packages/ai/src/adapter.ts
+6. [CRITICAL] packages/server/src/routes/discovery.ts — packages/server/src/routes/discovery.ts
+7. [CRITICAL] packages/server/src/routes/discovery.ts — packages/server/src/routes/discovery.ts
diff --git a/.msd-autofix-plan.json b/.msd-autofix-plan.json
@@ -0,0 +1,47 @@
+{
+  "groups": [
+    {
+      "id": "group-1",
+      "label": "Worker.ts security hardening: CORS, auth middleware, rate limiting",
+      "domain": "security",
+      "findings": [
+        "packages/server/src/worker.ts-Wildcard CORS allows cross-origin attacks-security-review-critical",
+        "packages/server/src/worker.ts-No default-deny auth middleware-security-review-critical",
+        "packages/server/src/worker.ts-Missing rate limiting enables SSRF-as-a-service-security-cross-review-critical"
+      ],
+      "files": [
+        "packages/server/src/worker.ts"
+      ],
+      "rationale": "All three findings target the same file (worker.ts) and relate to request-level security controls"
+    },
+    {
+      "id": "group-2",
+      "label": "Server route security: unauthenticated endpoints and SSRF validation",
+      "domain": "security",
+      "findings": [
+        "packages/server/src/durable-objects/identity-do.ts-Unauthenticated IdentityDO endpoints-security-review-critical",
+        "packages/server/src/routes/discovery.ts-SSRF validation divergence across codebase-historian-review-critical",
+        "packages/server/src/routes/discovery.ts-Hostname/host confusion SSRF bypass-historian-review-critical"
+      ],
+      "files": [
+        "packages/server/src/durable-objects/identity-do.ts",
+        "packages/server/src/routes/discovery.ts"
+      ],
+      "rationale": "Both files are in the server package with no overlap with other groups; identity-do auth and discovery SSRF fixes are independent but share the server domain"
+    },
+    {
+      "id": "group-3",
+      "label": "AI adapter SSRF: incomplete IPv6 private URL validation",
+      "domain": "security",
+      "findings": [
+        "packages/ai/src/adapter.ts-Incomplete IPv6 SSRF in isPrivateUrl()-developer-review-critical"
+      ],
+      "files": [
+        "packages/ai/src/adapter.ts"
+      ],
+      "rationale": "Isolated to the ai package adapter; single-file fix for IPv6 SSRF bypass in isPrivateUrl()"
+    }
+  ],
+  "totalGroups": 3,
+  "conflictCheck": "no file appears in multiple groups"
+}