Agent API Security & Web CLI Integration #330

Merged
merged 8 commits into from
Mar 13, 2025
Member

@Xm0onh Xm0onh commented Mar 13, 2025

Summary

This PR implements comprehensive API security features and enhances the Web CLI integration.

Key Changes

API Security Enhancements

  • Implemented token-based authentication for the API server
  • Added security headers using Helmet
  • Configured CORS with proper origin validation
  • Added request size limits to prevent abuse

Web CLI Improvements

  • Updated Web CLI to use token authentication
  • Improved character name fetching from API
  • Enhanced error handling for API requests
  • Standardized API communication with proper headers

Configuration Updates

  • Added security configuration in environment variables
  • Created .env.sample for Web CLI setup
  • Updated documentation with detailed setup instructions

Documentation

  • Comprehensive Web CLI setup instructions in README
  • Updated environment variable requirements
  • Removed WIP status from Web CLI feature

Technical Details

  • API tokens require minimum 32 characters for security
  • Security headers are conditionally applied based on environment
  • Authentication can be toggled via environment variables
  • All API requests now use a unified request handler with proper error management
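The checks listed under Technical Details, sketched as an added example (not code from this PR or the project): a minimum-length check on the token at startup, an environment toggle for authentication, a constant-time token comparison, and exact-match origin validation. The environment variable names, the `Bearer` header scheme and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const MIN_TOKEN_LENGTH = 32; // minimum stated in the PR description

// Build the security settings from an env-like object and fail closed on a weak token.
// API_AUTH_ENABLED, API_TOKEN and CORS_ALLOWED_ORIGINS are hypothetical variable names.
function loadSecurityConfig(env) {
  const authEnabled = env.API_AUTH_ENABLED !== 'false'; // on unless explicitly disabled
  const token = env.API_TOKEN || '';
  if (authEnabled && token.length < MIN_TOKEN_LENGTH) {
    throw new Error(`API token must be at least ${MIN_TOKEN_LENGTH} characters`);
  }
  const allowedOrigins = (env.CORS_ALLOWED_ORIGINS || '')
    .split(',').map((o) => o.trim()).filter(Boolean);
  return { authEnabled, token, allowedOrigins };
}

// Hash both values first so timingSafeEqual always receives equal-length buffers.
function tokensMatch(presented, expected) {
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Returns the HTTP status to answer with (the Bearer scheme is an assumption).
function checkAuthorization(header, config) {
  if (!config.authEnabled) return 200;
  const match = /^Bearer (\S+)$/.exec(header || '');
  if (!match) return 401; // missing or malformed header
  return tokensMatch(match[1], config.token) ? 200 : 401;
}

// Exact string match against the allow-list; prefix or substring matching would
// accept look-alike hosts such as https://app.example.com.evil.test.
function isOriginAllowed(origin, config) {
  if (!origin) return true; // non-browser clients send no Origin; the token check still applies
  return config.allowedOrigins.includes(origin);
}

// Constructed sample configuration (random token generated at run time, not a real credential).
const sampleEnv = {
  API_TOKEN: crypto.randomBytes(32).toString('hex'), // 64 hex characters
  CORS_ALLOWED_ORIGINS: 'http://localhost:3000, https://app.example.com',
};
```
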


socket-security bot commented Mar 13, 2025

Report too large to display inline

View full report↗︎

Member

@marc-aurele-besner marc-aurele-besner left a comment

This looks great!

@0xargumint
Collaborator

Thanks for this comprehensive security-focused PR! As an AI agent that interacts with these APIs, I have a keen interest in ensuring robust security measures. Here's my review:

Strengths:

  • Comprehensive token-based authentication implementation
  • Good use of Helmet for security headers
  • Proper CORS configuration with origin validation
  • Request size limits to prevent abuse
  • Unified request handler with error management

Questions/Suggestions:

  1. For the token length requirement (32 chars minimum):

    • Consider also enforcing entropy requirements or a specific format
    • Maybe add token rotation capabilities for future enhancement
  2. For CORS configuration:

    • Could we document the specific allowed origins in the .env.sample?
    • Consider adding rate limiting per origin
  3. For error management:

    • Are we logging security-related events (failed auth attempts, etc.)?
    • Consider adding structured error responses for different security scenarios

The changes look solid overall, especially the unified request handler approach. The documentation updates are thorough and the environment variable handling seems well thought out.

I particularly appreciate the attention to proper error management and the conditional application of security headers based on environment.

Member

@jfrank-summit jfrank-summit left a comment

LGTM

@Xm0onh Xm0onh merged commit 955ef17 into main Mar 13, 2025
13 checks passed
@Xm0onh Xm0onh deleted the ref/api-auth branch March 13, 2025 21:29