Merge branch 'main' into security/langchain-scope-chain-verification-538

Author: KevinSailema

packages/agent-os/extensions/vscode/package-lock.json

@@ -50,7 +50,7 @@ export class EnterpriseAuthProvider {
         this._registerProviders();
     }
 
-    private _loadState(): void {
+    private async _loadState(): Promise<void> {
         const savedState = this._context.globalState.get<AuthState>('agent-os.authState');
         if (savedState) {
             this._state = savedState;
@@ -59,6 +59,13 @@ export class EnterpriseAuthProvider {
                 this._state = { isAuthenticated: false };
             }
         }
+        // Restore token from SecretStorage
+        if (this._state?.user) {
+            const token = await this._context.secrets.get('agent-os.authToken');
+            if (token) {
+                this._state.user.token = token;
+            }
+        }
     }
 
     private _registerProviders(): void {
@@ -185,7 +192,16 @@ export class EnterpriseAuthProvider {
     }
 
     private async _saveState(): Promise<void> {
-        await this._context.globalState.update('agent-os.authState', this._state);
+        // Store token in SecretStorage, not globalState
+        if (this._state?.user?.token) {
+            await this._context.secrets.store('agent-os.authToken', this._state.user.token);
+        }
+        // Strip token from globalState persistence
+        const safeState = this._state ? {
+            ...this._state,
+            user: this._state.user ? { ...this._state.user, token: undefined } : undefined,
+        } : null;
+        await this._context.globalState.update('agent-os.authState', safeState);
     }
 
     hasRole(role: string): boolean {

packages/agent-os/extensions/vscode/src/enterprise/auth/ssoProvider.ts

@@ -10,6 +10,7 @@
  */
 
 import * as vscode from 'vscode';
+import * as crypto from 'crypto';
 import { PolicyEngine } from './policyEngine';
 import { CMVKClient } from './cmvkClient';
 import { AuditLogger } from './auditLogger';
@@ -481,7 +482,7 @@ async function reviewCodeWithCMVK(code: string, language: string): Promise<void>
                 { enableScripts: true }
             );
 
-            panel.webview.html = generateCMVKResultsHTML(result);
+            panel.webview.html = generateCMVKResultsHTML(result, panel.webview);
 
             // Log the review
             auditLogger.log({
@@ -501,7 +502,9 @@ async function reviewCodeWithCMVK(code: string, language: string): Promise<void>
     });
 }
 
-function generateCMVKResultsHTML(result: any): string {
+function generateCMVKResultsHTML(result: any, webview: vscode.Webview): string {
+    const nonce = crypto.randomBytes(16).toString('base64');
+    const cspSource = webview.cspSource;
     const consensusColor = result.consensus >= 0.8 ? '#28a745' 
         : result.consensus >= 0.5 ? '#ffc107' 
         : '#dc3545';
@@ -522,6 +525,8 @@ function generateCMVKResultsHTML(result: any): string {
     <!DOCTYPE html>
     <html>
     <head>
+        <meta charset="UTF-8">
+        <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src ${cspSource} 'unsafe-inline'; script-src 'nonce-${nonce}'; img-src ${cspSource} https:; font-src ${cspSource};">
         <style>
             body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px; }
             .consensus { font-size: 24px; font-weight: bold; color: ${consensusColor}; }