Conversation
…cess

- Add src/lib/ip-restriction.ts with Edge Runtime compatible CIDR matching
- Inject X-Real-IP header in server.ts for trusted IP identification
- Add IP restriction check in middleware.ts (Step 1, before auth)
- Add IP restriction check in ws-server.ts (defense-in-depth)
- Extend CLI with --allowed-ips and --trust-proxy options
- Add daemon.ts authEnvKeys for CM_ALLOWED_IPS/CM_TRUST_PROXY
- Add 45 unit tests and 6 integration tests for IP restriction
- All static analysis checks passed (tsc, ESLint)

Resolves #332

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…le.log

Reorganize ip-restriction.ts module-scope initialization before dependent functions for better readability. Enhance JSDoc with S4-001 future extension notes and S4-002/S4-005 rationale. Remove console.log statements from ws-server.ts per CLAUDE.md production rules. Fix daemon.ts REVERSE_PROXY_WARNING to account for CM_ALLOWED_IPS (consistent with start.ts).

Improvements:
- ip-restriction.ts: module-scope vars moved before getClientIp() that references them
- ip-restriction.ts: enhanced JSDoc for S1-004, S4-001, S4-002, S4-005, S4-006
- ws-server.ts: removed 8 console.log calls, kept console.warn/error for security/errors
- daemon.ts: added CM_ALLOWED_IPS check to suppress REVERSE_PROXY_WARNING

Quality Metrics:
- TypeScript errors: 0
- ESLint errors: 0
- Unit tests: 3796 passed (185 files)
- Integration auth-middleware tests: 17 passed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…orts

- Add ip-restriction.ts entry to CLAUDE.md module list
- Add Issue #332 to docs/implementation-history.md
- Add design policy, issue review, design review, and TDD reports

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- IPv4 allowlist via the CM_ALLOWED_IPS environment variable (supports multiple comma-separated CIDRs)
Changes
New files
- src/lib/ip-restriction.ts - Edge Runtime compatible CIDR matching core module (parseAllowedIps/getAllowedRanges/isIpAllowed/normalizeIp/isIpRestrictionEnabled/getClientIp)
- tests/unit/ip-restriction.test.ts - 47 test cases
Modified files
- server.ts - X-Real-IP header injection (CM_TRUST_PROXY support)
- src/middleware.ts - IP restriction check (Step 1, before authentication and WebSocket handling)
- src/lib/ws-server.ts - IP restriction in the WebSocket upgrade handler + console.log removal
- src/lib/env.ts - Env interface extension
- src/cli/utils/daemon.ts - authEnvKeys extension + added REVERSE_PROXY_WARNING condition
- src/cli/types/index.ts - StartOptions extension
- src/cli/index.ts - added --allowed-ips/--trust-proxy options
- src/cli/commands/start.ts - environment variable forwarding and warning suppression
- src/cli/commands/init.ts - added IP restriction hint
- src/cli/commands/status.ts - IP restriction status display
- src/cli/config/security-messages.ts - added --allowed-ips guidance
- tests/integration/auth-middleware.test.ts - added 6 IP restriction integration tests
- tsconfig.server.json - added ip-restriction.ts
Security
Test plan
Closes #332
🤖 Generated with Claude Code
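
An added example, not code from this pull request: a minimal IPv4 CIDR allowlist of the kind the summary describes (a comma-separated CM_ALLOWED_IPS-style value, with forwarded headers honoured only under a trust-proxy setting). Function names echo those listed for src/lib/ip-restriction.ts, but every signature, the fail-closed behaviour, the `resolveClientIp` helper with its choice of the last X-Forwarded-For hop, and the sample addresses are assumptions.

```typescript
// Added illustration. Names echo the PR's function list; signatures and behaviour are assumptions.
type CidrRange = { network: number; mask: number };

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    // Octet must be 0-255 with no sign, whitespace or leading zeros.
    if (!/^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/.test(part)) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// Strip the IPv4-mapped IPv6 prefix that dual-stack sockets report for IPv4 peers.
function normalizeIp(ip: string): string {
  return ip.trim().replace(/^::ffff:/i, "");
}

// Parse a CM_ALLOWED_IPS-style value. Any bad entry throws, so a typo fails closed at startup.
function parseAllowedIps(value: string): CidrRange[] {
  const entries = value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  return entries.map((entry) => {
    const pieces = entry.split("/");
    const [addr = "", prefixText = "32"] = pieces;
    const base = ipv4ToInt(addr);
    const prefix = /^\d{1,2}$/.test(prefixText) ? Number(prefixText) : -1;
    if (pieces.length > 2 || base === null || prefix < 0 || prefix > 32) {
      throw new Error(`Invalid CIDR entry: ${entry}`);
    }
    const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0; // /0 needs a special case
    return { network: (base & mask) >>> 0, mask };
  });
}

// Deny anything that is not parseable IPv4 (including plain IPv6): the allowlist is IPv4-only.
function isIpAllowed(ip: string, ranges: CidrRange[]): boolean {
  const addr = ipv4ToInt(normalizeIp(ip));
  if (addr === null) return false;
  return ranges.some((r) => ((addr & r.mask) >>> 0) === r.network);
}

// Hypothetical helper: forwarded headers count only when trustProxy is set; else the socket peer wins.
function resolveClientIp(socketAddr: string, forwardedFor: string | undefined, trustProxy: boolean): string {
  if (!trustProxy || !forwardedFor) return normalizeIp(socketAddr);
  const hops = forwardedFor.split(","); // last hop is the one appended by the nearest proxy
  return normalizeIp(hops[hops.length - 1] ?? socketAddr);
}
```

With trust-proxy off, a client-supplied X-Forwarded-For value never reaches the allowlist check, which is why the socket address is the default source.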