security: v1.7.7 hardening release

- Add WEBHOOK_CLIENT_SECRET validation for Graph webhooks
- Add Redis-backed rate limiting (fetch/ask/write/default tiers)
- Validate LLM_BASE_URL to prevent SSRF (HTTPS only, block private IPs)
- Enforce non-wildcard CORS when AUTH_ENABLED=true
- Add Content-Security-Policy headers
- Fix audit middleware to use verified JWT claims via contextvars
- Cap bulk_tags updates to 10,000 documents
- Return generic error messages to clients (no internal detail leakage)
- Strict AlertCondition Pydantic model for alert rules
- Security warning on MCP stdio server startup
- Remove MongoDB/Redis host ports from docker-compose
- Remove mongo_query from /ask API response

backend/main.py

@@ -6,7 +6,7 @@ from pathlib import Path
 
 import structlog
 from audit_trail import log_action
-from config import AI_FEATURES_ENABLED, CORS_ORIGINS, ENABLE_PERIODIC_FETCH, FETCH_INTERVAL_MINUTES
+from config import AI_FEATURES_ENABLED, AUTH_ENABLED, CORS_ORIGINS, ENABLE_PERIODIC_FETCH, FETCH_INTERVAL_MINUTES
 from database import setup_indexes
 from fastapi import FastAPI, HTTPException, Request
 from fastapi.middleware.cors import CORSMiddleware
@@ -52,10 +52,19 @@ logger = structlog.get_logger("aoc.fetcher")
 
 app = FastAPI()
 
+# CORS: reject wildcard in production when auth is enabled
+_effective_cors = CORS_ORIGINS
+if AUTH_ENABLED and "*" in _effective_cors:
+    logger.warning(
+        "CORS wildcard (*) is insecure when AUTH_ENABLED=true. "
+        "Removing wildcard. Set CORS_ORIGINS explicitly in production."
+    )
+    _effective_cors = [o for o in _effective_cors if o != "*"] or ["http://localhost:8000"]
+
 app.add_middleware(CorrelationIdMiddleware)
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=CORS_ORIGINS,
+    allow_origins=_effective_cors,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
@@ -80,27 +89,39 @@ async def cache_control_middleware(request: Request, call_next):
         response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
         response.headers["Pragma"] = "no-cache"
         response.headers["Expires"] = "0"
+    # Basic CSP for the UI and API
+    if request.url.path.startswith("/api/") or request.url.path in ("/", "/index.html"):
+        response.headers["Content-Security-Policy"] = (
+            "default-src 'self'; "
+            "script-src 'self' 'unsafe-inline' cdn.jsdelivr.net alcdn.msauth.net; "
+            "style-src 'self' 'unsafe-inline'; "
+            "connect-src 'self'; "
+            "img-src 'self' data:;"
+        )
     return response
 
 
+@app.middleware("http")
+async def rate_limit_middleware(request: Request, call_next):
+    """Apply Redis-backed rate limiting before processing the request."""
+    if request.url.path.startswith("/api/"):
+        from rate_limiter import check_rate_limit
+
+        await check_rate_limit(request)
+    return await call_next(request)
+
+
 @app.middleware("http")
 async def audit_middleware(request: Request, call_next):
     response = await call_next(request)
     if request.url.path.startswith("/api/") and request.method in ("POST", "PATCH", "PUT", "DELETE"):
-        from auth import AUTH_ENABLED
-
         user = "anonymous"
         if AUTH_ENABLED:
-            auth_header = request.headers.get("authorization", "")
-            if auth_header.lower().startswith("bearer "):
-                try:
-                    from jose import jwt
+            from auth import _auth_context
 
-                    token = auth_header.split(" ", 1)[1]
-                    claims = jwt.get_unverified_claims(token)
-                    user = claims.get("sub", "unknown")
-                except Exception:
-                    pass
+            claims = _auth_context.get(None)
+            if isinstance(claims, dict):
+                user = claims.get("sub", "unknown")
         log_action(
             action=request.method.lower(),
             resource=request.url.path,
@@ -152,6 +173,19 @@ async def version():
     return {"version": os.environ.get("VERSION", "unknown")}
 
 
+@app.exception_handler(Exception)
+async def generic_exception_handler(request: Request, exc: Exception):
+    """Return generic error messages for unhandled exceptions to avoid info leakage."""
+    if isinstance(exc, HTTPException):
+        raise exc
+    logger.error("Unhandled exception", path=request.url.path, error=str(exc))
+    return Response(
+        content='{"detail":"Internal server error"}',
+        status_code=500,
+        media_type="application/json",
+    )
+
+
 frontend_dir = Path(__file__).parent / "frontend"
 app.mount("/", StaticFiles(directory=frontend_dir, html=True), name="frontend")