security: enforce MCP scopes, fix SSRF bypass, add security context and URL awareness

[mcheemaa]

Summary

Security hardening and URL awareness improvements. Addresses findings from a comprehensive security audit conducted after the /trigger endpoint vulnerability (fixed in #11).

Security fixes

• MCP scope enforcement. Tool-level scopes were fully implemented (TOOL_SCOPES, getRequiredScope(), hasScope()) but never wired into the request path. Read-only tokens could call admin tools like phantom_register_tool. Scopes are now enforced at the HTTP dispatch layer before the MCP transport sees the request. Handles batch JSON-RPC to prevent bypass.

• IPv6 SSRF bypass. The URL validator's private IP check was bypassable via IPv4-mapped IPv6 addresses ([::ffff:127.0.0.1], [::7f00:1], [::ffff:0:7f00:1]). The URL parser strips brackets, so isIP() returned 0 and the entire check was skipped. Now handles mapped, compatible, and ISATAP forms.

• Per-message security context. External channel messages (Slack, Telegram, Email, Webhook, CLI) get a concise security frame prepended and appended before reaching the agent. Reminds the agent not to leak credentials in responses. Internal sources (scheduler, trigger) bypass wrapping.

• Session token removed from tool output. phantom_generate_login no longer returns the raw 7-day session token. The agent only sees the magic link URL.

• MCP token log redaction. Runtime auto-generated tokens are no longer printed to stdout.

• SWE tools added to scope map. phantom_review_request now correctly requires operator scope.

URL awareness

The agent sometimes didn't know its own public URL when asked to share UI links. Root cause: PHANTOM_DOMAIN was often missing from the environment, and the URL derivation was scattered across 5+ locations.

• Added public_url config field with priority chain: PHANTOM_PUBLIC_URL env var > public_url in phantom.yaml > auto-derived from name + domain
• Both env var and derived paths validate as proper URLs
• System prompt tells the agent its public URL in identity, environment, and page sections
• UI tools return full public URLs instead of relative paths
• Health endpoint includes public_url
• Backwards compatible: missing config works exactly as before

Test plan

• 822 tests pass, 0 failures (28 new tests added)
• Typecheck clean
• Lint clean
• MCP scope enforcement: read-only token blocked from phantom_ask and phantom_register_tool
• Batch JSON-RPC bypass prevented
• IPv6 bypass: all forms blocked (::ffff:, ::, ::ffff:0:)
• Session token not in phantom_generate_login output
• No raw tokens in runtime logs
• URL awareness: PHANTOM_PUBLIC_URL, yaml config, name+domain derivation, no-domain fallback
• Security wrapping: external channels wrapped, internal channels not wrapped
• Reviewed by two independent Opus agents (SHIP IT)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2c541d1422

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep security wrapper out of memory query text

handleMessage now forwards wrappedText into runQuery, but runQuery uses its text parameter for memoryContextBuilder.build() (which drives recallEpisodes, recallFacts, and findProcedure). For external channels, the retrieval query is therefore polluted with the same [SECURITY] boilerplate every turn, which degrades memory relevance and can surface unrelated context. Use the raw user message for memory lookup and only wrap the prompt that is sent to the model.

Useful? React with 👍 / 👎.