Summary

Fixes M6 from the 2026-06-12 security audit (private advisory GHSA-5mh2-6xgr-rf89) — a permissive-CORS misconfiguration in kbagent serve.

create_app registers CORSMiddleware with allow_credentials=True. Combined with a wildcard --cors-origin '*' (or a malformed origin), Starlette reflects the request Origin back and returns Access-Control-Allow-Credentials: true — the textbook unsafe combination that lets any website read authenticated cross-origin responses from a victim's running serve. The previous code passed cors_origins straight into the middleware with no validation.

Fix

create_app now validates the origins via _resolve_cors_origins:

• rejects * and any value that isn't a concrete scheme://host[:port] (no path/query/fragment, per the CORS Origin spec), raising ConfigError;
• the default (no --cors-origin) localhost dev set is unchanged, so normal use is unaffected — only the actively-dangerous wildcard/malformed config is refused.

kbagent serve catches the ConfigError and surfaces it as a clean typer.BadParameter usage error on --cors-origin (exit 2) instead of a traceback. The guard lives in create_app (the point where the credentialed middleware is configured) so the unsafe combination can't ship via any caller.

No regex / new imports in app.py — the origin check is a small structural predicate.

Tests

New TestCorsCredentialsGuard in test_serve_ui.py: parametrized rejection of ["*"], a mixed list containing *, a scheme-less origin, an origin with a path, and a ws:// origin; parametrized acceptance of None (defaults) and explicit http(s)://host[:port] lists; plus a unit test of the _is_valid_cors_origin predicate. Full suite green: 4021 passed, 132 skipped; lint/format/ty/changelog clean.

Audit progress

Open advisories after this: M7 (silent plaintext-on-encrypt write — spans config/variables/data-app services), M8 (SSRF), M10 (version regex), plus the M5 residual (accepted) and M1 residual. M9 (npm --ignore-scripts) also remains.