fix: harden security and API semantics (Agent Team findings)

Three AI agents (Codex GPT-5.4, Gemini CLI, Claude subagent) ran end-to-end
scenarios against the live deployment. This commit fixes all findings they
surfaced, ordered by severity.

── P0 security fixes ──

1. Magic Link IP rate limiting (Codex MEDIUM + Portal BUG#4)
   Previously only per-email. An attacker could rotate across many victim
   emails from one IP and burn the Resend quota. Added per-IP counter (10
   per hour, cf-connecting-ip keyed), 1 KB request body cap, and unified
   the rate-limit helpers into `incrementRateCounter()` / `readRateCounter()`.
   src/handlers/auth.ts

2. Revocation propagation: LRU TTL 60s → 10s (Portal BUG#2)
   A revoked key kept working for ~73s because the auth LRU cache was per
   isolate with 60s TTL. 10s is a better worst-case guarantee; D1 read
   amplification is bounded by TIER_QUOTAS traffic and the hot cache below.
   Hard cross-isolate invalidation is Phase D territory.
   src/middleware/auth-d1.ts

3. CORS: add DELETE to Allow-Methods (Portal BUG#1)
   Portal worked same-origin, but any cross-origin client (CI dashboard,
   browser extension) couldn't preflight DELETE /api/keys/:id.
   src/config.ts

4. Portal CSP + HSTS (Portal BUG#5, BUG#6)
   The landing page had a CSP but /portal/ — the page that literally shows
   plaintext API keys in a modal — had none. Added PORTAL_CSP in
   helpers/response.ts (allows 'unsafe-inline' for the single-file SPA JS,
   Google Fonts for styles, same-origin for API calls). Added HSTS header
   (1 year, includeSubDomains) to landing, portal, and loading pages.
   src/helpers/response.ts, src/index.ts

5. Cache-Control: no-store, private on Portal API (Codex LOW)
   /api/me, /api/keys, /api/usage, /api/auth/* now set Cache-Control so
   session-authenticated data is never cached by browsers or intermediaries.
   src/handlers/keys.ts, usage.ts, auth.ts

── P1 correctness / semantics ──

6. /api/health now public-only by default (Codex LOW)
   Default response is { status, service, uptime_seconds } — no browser
   queue depth, paywall rule counts, or metric counters. Full metrics
   require /api/health?full=1 with API_TOKEN Bearer. Fallback behavior
   on stats-provider errors is preserved for the full path.
   src/handlers/health.ts (new handlePublicHealth/handleFullHealth/handleHealthRoute)

7. /api/stream now emits X-RateLimit-* headers (Codex INFO)
   Previously rate limit headers only appeared on 429. Now the SSE success
   response carries X-RateLimit-Limit/Remaining and X-Request-Cost so
   clients can self-throttle without a separate /api/usage call.
   src/handlers/stream.ts, src/index.ts

8. POST /api/keys prefix format consistency (Portal UX)
   GET returned `mk_abc12345...` but POST returned the raw `abc12345`.
   Clients that treat "prefix is prefix" broke on copy-paste. POST now
   returns the same `mk_xxx...` format.
   src/handlers/keys.ts

9. Too Many Keys: 400 → 409 (Portal UX)
   The request is well-formed; the account state prevents creation.
   409 Conflict is the correct status for a resource-state refusal.
   src/handlers/keys.ts

10. DELETE is now idempotent (Portal BUG#4)
    A second DELETE on an already-revoked key returned 400 "Already Revoked".
    REST convention is that DELETE is idempotent. Now returns 200 with the
    original revocation timestamp.
    src/handlers/keys.ts

── Tests ──

- 2 new health endpoint tests (public vs full with auth gate)
- Updated portal-keys.test.ts for prefix format, 409 status, idempotent DELETE
- Updated index-health-fallback.test.ts to use ?full=1 + admin Bearer
- All 603 tests pass (up from 601 due to 2 new health tests)

── Not in this commit ──

- HTTP 000 / SSL resets (Portal BUG#3): unable to reproduce outside Portal
  agent's network context, leaving for now
- prompt/alert/confirm in portal JS: UI polish, deferred
- __Host- session cookie prefix: breaks existing sessions, deferred
- Google Fonts SRI: Google Fonts doesn't publish subresource-integrity hashes;
  CSP restricts to fonts.googleapis.com which is the best available mitigation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Digidai

package-lock.json

@@ -25,26 +25,48 @@ describe("worker endpoints", () => {
     expect(res.headers.get("Access-Control-Allow-Headers")).toContain("Idempotency-Key");
   });
 
-  it("serves health endpoint for GET", async () => {
+  it("serves public health endpoint for GET (minimal info)", async () => {
     const req = new Request("https://md.example.com/api/health");
     const res = await worker.fetch(req, createMockEnv().env, mockCtx());
     const payload = await res.json() as {
       status?: string;
       service?: string;
-      browser?: { active?: number; queued?: number };
+      uptime_seconds?: number;
+      browser?: unknown;
+      metrics?: unknown;
+      paywall?: unknown;
+    };
+
+    expect(res.status).toBe(200);
+    expect(payload.status).toBe("ok");
+    expect(payload.service).toBe("md.example.com");
+    expect(payload.uptime_seconds).toBeGreaterThanOrEqual(0);
+    // Internal state must NOT be exposed on the public endpoint
+    expect(payload.browser).toBeUndefined();
+    expect(payload.metrics).toBeUndefined();
+    expect(payload.paywall).toBeUndefined();
+  });
+
+  it("serves full health via ?full=1 + API_TOKEN", async () => {
+    const { env } = createMockEnv({ API_TOKEN: "admin-token" });
+    const req = new Request("https://md.example.com/api/health?full=1", {
+      headers: { Authorization: "Bearer admin-token" },
+    });
+    const res = await worker.fetch(req, env, mockCtx());
+    const payload = await res.json() as {
+      status?: string;
+      browser?: { active?: number; maxConcurrent?: number };
       metrics?: {
-        requestsTotal?: number;
         operational?: {
           throughput?: { requests_per_min?: number };
-          latency_ms?: { convert?: { p50?: number; p95?: number } };
+          latency_ms?: { convert?: { p50?: number } };
         };
       };
       paywall?: { source?: string };
     };
 
     expect(res.status).toBe(200);
     expect(payload.status).toBe("ok");
-    expect(payload.service).toBe("md.example.com");
     expect(payload.browser).toBeTruthy();
     expect(payload.metrics).toBeTruthy();
     expect(payload.metrics?.operational).toBeTruthy();
@@ -53,6 +75,16 @@ describe("worker endpoints", () => {
     expect(payload.paywall).toBeTruthy();
   });
 
+  it("rejects full health without API_TOKEN (returns public info)", async () => {
+    const { env } = createMockEnv({ API_TOKEN: "admin-token" });
+    const req = new Request("https://md.example.com/api/health?full=1");
+    const res = await worker.fetch(req, env, mockCtx());
+    const payload = await res.json() as { browser?: unknown; metrics?: unknown };
+    expect(res.status).toBe(200);
+    expect(payload.browser).toBeUndefined();
+    expect(payload.metrics).toBeUndefined();
+  });
+
   it("serves health endpoint for HEAD without conversion", async () => {
     const fetchMock = vi.fn();
     vi.stubGlobal("fetch", fetchMock);

src/__tests__/index-endpoints.test.ts

@@ -50,7 +50,7 @@ afterEach(() => {
 });
 
 describe("/api/health defensive fallback", () => {
-  it("returns 200 even when stats providers throw", async () => {
+  it("returns 200 even when stats providers throw (full health path)", async () => {
     mocked.getBrowserCapacityStats.mockImplementation(() => {
       throw new Error("browser stats unavailable");
     });
@@ -59,8 +59,10 @@ describe("/api/health defensive fallback", () => {
     });
 
     const res = await worker.fetch(
-      new Request("https://md.example.com/api/health"),
-      createMockEnv().env,
+      new Request("https://md.example.com/api/health?full=1", {
+        headers: { Authorization: "Bearer admin-token" },
+      }),
+      createMockEnv({ API_TOKEN: "admin-token" }).env,
       mockCtx(),
     );
     const payload = await res.json() as {

src/__tests__/index-health-fallback.test.ts

@@ -218,7 +218,8 @@ describe("Portal: /api/keys create", () => {
     expect(res.status).toBe(201);
     const body = await res.json() as any;
     expect(body.key).toMatch(/^mk_[0-9a-f]{64}$/);
-    expect(body.prefix).toMatch(/^[0-9a-f]{8}$/);
+    // Prefix format matches GET /api/keys for client consistency
+    expect(body.prefix).toMatch(/^mk_[0-9a-f]{8}\.\.\.$/);
     expect(body.name).toBe("test-key");
     expect(body.warning).toBeTruthy();
   });
@@ -274,7 +275,9 @@ describe("Portal: /api/keys create", () => {
       headers: { Cookie: `md_session=${sessionToken}` },
     });
     const res = await worker.fetch(req, env, mockCtx());
-    expect(res.status).toBe(400);
+    // 409 Conflict is semantically correct for a quota violation,
+    // distinguishing it from 400 (malformed input)
+    expect(res.status).toBe(409);
     const body = await res.json() as any;
     expect(body.error).toBe("Too Many Keys");
   });
@@ -387,26 +390,33 @@ describe("Portal: /api/keys revoke", () => {
     expect(res.status).toBe(404);
   });
 
-  it("returns 400 when key is already revoked", async () => {
+  it("is idempotent when key is already revoked (returns existing timestamp)", async () => {
     const d1 = createMockD1();
     const { accountId, sessionToken } = await seedAccountAndSession(d1);
     const keyId = crypto.randomUUID();
+    const originalRevokedAt = "2026-04-10T00:00:00.000Z";
     d1.tables.api_keys.set(keyId, {
       id: keyId,
       account_id: accountId,
       prefix: "test1234",
       key_hash: "hash",
       name: null,
       created_at: new Date().toISOString(),
-      revoked_at: new Date().toISOString(),
+      revoked_at: originalRevokedAt,
     });
     const { env } = createMockEnv({ AUTH_DB: d1.db });
     const req = new Request(`https://md.example.com/api/keys/${keyId}`, {
       method: "DELETE",
       headers: { Cookie: `md_session=${sessionToken}` },
     });
     const res = await worker.fetch(req, env, mockCtx());
-    expect(res.status).toBe(400);
+    // DELETE is idempotent by REST convention: a second delete of a
+    // revoked key returns 200 with the original revocation timestamp,
+    // not an error.
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body.id).toBe(keyId);
+    expect(body.revoked_at).toBe(originalRevokedAt);
   });
 });
 

src/__tests__/portal-keys.test.ts

@@ -59,7 +59,7 @@ export const CF_BLOCKED_DOMAINS_TTL = 2 * 60 * 60;
 
 export const CORS_HEADERS: Record<string, string> = {
   "Access-Control-Allow-Origin": "*",
-  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+  "Access-Control-Allow-Methods": "GET, POST, DELETE, OPTIONS",
   "Access-Control-Allow-Headers": "Accept, Content-Type, Authorization, Idempotency-Key",
   "Access-Control-Max-Age": "86400",
 };

src/config.ts

@@ -34,9 +34,50 @@ import {
 
 const TOKEN_TTL_MINUTES = 15;
 const EMAIL_RATE_LIMIT_PER_HOUR = 3;
+const IP_RATE_LIMIT_PER_HOUR = 10;  // Per-IP cap to prevent cross-email abuse
+const MAX_BODY_BYTES = 1024;         // Reject oversized magic-link request bodies
 const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 const MAX_EMAIL_LENGTH = 254;
 
+/**
+ * Increment a Cache-API-backed counter at `key` with `ttlSeconds` expiry.
+ * Returns the new count. Non-atomic across isolates but good enough for
+ * abuse prevention (a distributed attacker can still trivially stay under
+ * the limit across isolates; this mostly prevents single-source bursts).
+ */
+async function incrementRateCounter(key: string, ttlSeconds: number): Promise<number> {
+  if (typeof caches === "undefined") return 0;
+  try {
+    const req = new Request(key);
+    const existing = await caches.default.match(req);
+    const current = existing ? Number(await existing.text()) || 0 : 0;
+    const next = current + 1;
+    await caches.default.put(req, new Response(String(next), {
+      headers: { "Cache-Control": `max-age=${ttlSeconds}` },
+    }));
+    return next;
+  } catch {
+    return 0;
+  }
+}
+
+async function readRateCounter(key: string): Promise<number> {
+  if (typeof caches === "undefined") return 0;
+  try {
+    const existing = await caches.default.match(new Request(key));
+    if (!existing) return 0;
+    return Number(await existing.text()) || 0;
+  } catch {
+    return 0;
+  }
+}
+
+function getClientIp(request: Request): string {
+  return request.headers.get("cf-connecting-ip")
+    || request.headers.get("x-forwarded-for")?.split(",")[0]?.trim()
+    || "unknown";
+}
+
 // ─── POST /api/auth/magic-link ──────────────────────────────
 
 export async function handleSendMagicLink(
@@ -48,9 +89,15 @@ export async function handleSendMagicLink(
     return Response.json({ error: "Service Unavailable" }, { status: 503, headers: CORS_HEADERS });
   }
 
+  // Body size cap — prevent memory pressure from giant JSON payloads
+  const bodyText = await request.text();
+  if (bodyText.length > MAX_BODY_BYTES) {
+    return Response.json({ error: "Request too large" }, { status: 413, headers: CORS_HEADERS });
+  }
+
   let email: string;
   try {
-    const body = await request.json() as { email?: string };
+    const body = JSON.parse(bodyText) as { email?: string };
     email = String(body?.email || "").trim().toLowerCase();
   } catch {
     return Response.json({ error: "Invalid JSON body" }, { status: 400, headers: CORS_HEADERS });
@@ -60,18 +107,21 @@ export async function handleSendMagicLink(
     return Response.json({ error: "Invalid email address" }, { status: 400, headers: CORS_HEADERS });
   }
 
-  // Rate limit via Cache API (per email, per hour)
-  const rateLimitKey = `https://md-rate-limit/magic-link/${encodeURIComponent(email)}`;
-  let count = 0;
-  if (typeof caches !== "undefined") {
-    try {
-      const existing = await caches.default.match(new Request(rateLimitKey));
-      if (existing) {
-        count = Number(await existing.text()) || 0;
-      }
-    } catch { /* ignore */ }
-  }
-  if (count >= EMAIL_RATE_LIMIT_PER_HOUR) {
+  // ── Rate limiting (two-dimensional) ─────────────────────────
+  // 1) Per-email cap: prevents mailbox flooding for a specific victim
+  // 2) Per-IP cap: prevents a single attacker from burning Resend quota
+  //    by rotating across many victim emails
+  const emailKey = `https://md-rate-limit/magic-link/email/${encodeURIComponent(email)}`;
+  const ip = getClientIp(request);
+  const ipKey = `https://md-rate-limit/magic-link/ip/${encodeURIComponent(ip)}`;
+
+  const [emailCount, ipCount] = await Promise.all([
+    readRateCounter(emailKey),
+    readRateCounter(ipKey),
+  ]);
+
+  // Silently 200 on rate limit (don't reveal which dimension tripped)
+  if (emailCount >= EMAIL_RATE_LIMIT_PER_HOUR || ipCount >= IP_RATE_LIMIT_PER_HOUR) {
     return Response.json(
       { ok: true, note: "If an account exists, an email was sent." },
       { status: 200, headers: CORS_HEADERS },
@@ -118,15 +168,14 @@ export async function handleSendMagicLink(
     console.warn("RESEND_API_KEY not configured — magic link logged only:", verifyUrl);
   }
 
-  // Increment rate limit counter
-  if (typeof caches !== "undefined") {
-    try {
-      const newCount = count + 1;
-      const resp = new Response(String(newCount), {
-        headers: { "Cache-Control": `max-age=${60 * 60}` },
-      });
-      await caches.default.put(new Request(rateLimitKey), resp);
-    } catch { /* ignore */ }
+  // Increment both rate limit counters (1-hour TTL)
+  const ONE_HOUR = 60 * 60;
+  try {
+    await Promise.all([
+      incrementRateCounter(emailKey, ONE_HOUR),
+      incrementRateCounter(ipKey, ONE_HOUR),
+    ]);
+  } catch { /* ignore */
   }
 
   return Response.json({
@@ -256,6 +305,7 @@ export async function handleVerifyMagicLink(
       headers: {
         Location: `https://${host}/portal/`,
         "Set-Cookie": buildSessionCookie(sessionToken, sessionExpires),
+        "Cache-Control": "no-store, private",
       },
     });
   } catch (err) {
@@ -279,6 +329,7 @@ export async function handleLogout(
     headers: {
       "Content-Type": "application/json",
       "Set-Cookie": buildClearCookie(),
+      "Cache-Control": "no-store, private",
       ...CORS_HEADERS,
     },
   });

src/handlers/auth.ts

@@ -1,13 +1,64 @@
 // 健康检查端点
 
+import type { Env } from "../types";
 import { CORS_HEADERS } from "../config";
 import { getBrowserCapacityStats } from "../browser";
 import { getPaywallRuleStats } from "../paywall";
 import { buildOperationalMetricsSnapshot } from "../observability/metrics";
 import { runtimeStartedAt, runtimeCounters } from "../runtime-state";
 import { errorMessage } from "../utils";
+import { isAuthorizedByToken } from "../middleware/auth";
 
+/**
+ * Default /api/health handler — returns public-only info.
+ * Callers who need full operational metrics should use /api/health?full=1
+ * with an API_TOKEN Bearer header (see handleHealthRoute).
+ */
 export function handleHealth(host: string): Response {
+  return handlePublicHealth(host);
+}
+
+/**
+ * Router entry: decides between public and full based on ?full=1 + auth.
+ */
+export async function handleHealthRoute(request: Request, env: Env, host: string): Promise<Response> {
+  const url = new URL(request.url);
+  if (url.searchParams.get("full") === "1") {
+    return handleFullHealth(request, env, host);
+  }
+  return handlePublicHealth(host);
+}
+
+/**
+ * Public health check — minimal, no internal state.
+ * Returns just { status, service, uptime_seconds } so that monitoring
+ * tools can liveness-check without leaking operational capacity data.
+ */
+export function handlePublicHealth(host: string): Response {
+  return Response.json({
+    status: "ok",
+    service: host,
+    uptime_seconds: Math.max(0, Math.floor((Date.now() - runtimeStartedAt) / 1000)),
+  }, { headers: CORS_HEADERS });
+}
+
+/**
+ * Full health with browser capacity, paywall rule counts, metric counters.
+ * Requires API_TOKEN (admin) to prevent attackers from probing queue depth,
+ * rate limit state, browser concurrency, etc.
+ */
+export async function handleFullHealth(request: Request, env: Env, host: string): Promise<Response> {
+  // Require admin auth for full metrics
+  if (env.API_TOKEN) {
+    const authorized = await isAuthorizedByToken(request, env.API_TOKEN);
+    if (!authorized) {
+      return handlePublicHealth(host);
+    }
+  }
+  return buildFullHealthResponse(host);
+}
+
+function buildFullHealthResponse(host: string): Response {
   let browserStats: {
     active: number;
     queued: number;