superadmin/agenticSystem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Añadido el modo producción / test

Browse Source
This commit is contained in:
Jordan Diaz
2026-04-08 23:52:54 +00:00
parent c1a29bbbf8
commit 993e7d3000
9 changed files with 240 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
mcp-server/utils/cmsTargetSafety.js
View File

@@ -11,6 +11,7 @@ function parseUrl(url, fieldName, context) {
export function assertSafeCmsTarget(target, context = "cms") {
const publicUrl = typeof target === "string" ? target : (target?.web_url || "");
const apiUrl = typeof target === "string" ? target : (target?.api_web_url || "");
const mode = typeof target === "string" ? "local" : (target?.mode || "local");
if (!apiUrl) {
throw new Error(
@@ -19,12 +20,6 @@ export function assertSafeCmsTarget(target, context = "cms") {
}
const parsedApiUrl = parseUrl(apiUrl, "ACAI_API_WEB_URL", context);
if (!SAFE_INTERNAL_HOSTS.has(parsedApiUrl.hostname)) {
throw new Error(
`[${context}] Unsafe ACAI_API_WEB_URL host "${parsedApiUrl.hostname}". ` +
`Only approved local hosts are allowed: ${Array.from(SAFE_INTERNAL_HOSTS).join(", ")}.`
);
}
if (!["http:", "https:"].includes(parsedApiUrl.protocol)) {
throw new Error(
@@ -32,6 +27,25 @@ export function assertSafeCmsTarget(target, context = "cms") {
);
}
// Modo "production": el .acai del proyecto autoriza explicitamente apuntar
// al sitio real. Saltamos el whitelist de hosts internos. Usar SOLO para
// testing/debug controlado — el agente IA puede modificar produccion.
if (mode === "production") {
return {
publicUrl,
apiUrl,
forgeHost: typeof target === "string" ? null : (target?.forge_host || null),
};
}
if (!SAFE_INTERNAL_HOSTS.has(parsedApiUrl.hostname)) {
throw new Error(
`[${context}] Unsafe ACAI_API_WEB_URL host "${parsedApiUrl.hostname}". ` +
`Only approved local hosts are allowed: ${Array.from(SAFE_INTERNAL_HOSTS).join(", ")}. ` +
`Set "mode": "production" in .acai to bypass this check (intended for testing only).`
);
}
if (publicUrl) {
const parsedPublicUrl = parseUrl(publicUrl, "ACAI_WEB_URL", context);
const publicIsSafeInternal = SAFE_INTERNAL_HOSTS.has(parsedPublicUrl.hostname);