Security hardening - prevent command injection, limit SSE connections, harden container

[keithdealwis-ui]

Summary

Three security improvements to harden Crucix against common attack vectors:

1. Command injection prevention - Validate PORT environment variable
2. DoS mitigation - Limit concurrent SSE connections
3. Container security - Fix health check + non-root user

All changes are non-breaking and backward compatible.

---

1. Command Injection Prevention (crucix.config.mjs)

Issue: PORT env var is passed unsanitized to child_process.exec() when auto-opening browser:

exec(`${openCmd} "http://localhost:${config.port}"`, ...);

Attack vector: Malicious .env file could inject shell commands:

PORT=3117"; rm -rf / #

Fix: Validate PORT is numeric and within safe range (1024-65535) before use.

CWE: CWE-78: OS Command Injection

---

2. Denial of Service Mitigation (server.mjs)

Issue: /events SSE endpoint has no connection limit:

app.get('/events', (req, res) => {
  sseClients.add(res);  // No limit
});

Attack vector: Attacker opens 10,000+ connections → memory exhaustion → process crash.

Fix: Return HTTP 503 when sseClients.size >= 100.

CWE: CWE-400: Uncontrolled Resource Consumption

---

3. Container Security (Dockerfile)

Issues:

• Health check uses wget but node:22-alpine doesn't include it → silent failure
• Container runs as root → unnecessary privilege escalation risk

Fixes:

• Install wget via apk add --no-cache wget
• Create non-root user crucix:1001 and run as that user

CWE: CWE-250: Execution with Unnecessary Privileges

---

Testing

All changes tested on production deployment:

• ✅ PORT validation rejects invalid values (tested with non-numeric input)
• ✅ SSE endpoint returns 503 after 100 connections
• ✅ Docker health check passes (tested with docker compose up)
• ✅ Container runs as non-root user (verified with docker exec ... whoami)

---

Impact

• Severity: Medium (command injection) + Low (DoS, privilege escalation)
• Scope: All deployments exposed to untrusted .env files or public internet
• Breaking changes: None
• Performance impact: Negligible (single integer comparison per SSE connection)

Happy to address any feedback or concerns.

[calesthio]

I haven't been able to get to this yet because work has been busy, but I definitely plan to review it over the weekend.

[calesthio]

This is a worthwhile hardening change overall.

Running the container as non-root is a real improvement, and I think the unprivileged-port policy is reasonable if the intended deployment model is "Crucix binds to 3117 internally and 80/443 are handled by Docker port mapping or a reverse proxy."

Requested changes before merge:

1. Please make validatePort() treat an unset/empty PORT as the normal default path without warning. Right now ordinary startup logs [Crucix] Invalid PORT, using default 3117, which makes a healthy default config look broken.

2. Please make the validation strict instead of parseInt()-loose. Values like 3117junk currently get accepted as 3117; those should be rejected.

3. Please document the intended deployment policy clearly: app binds only to unprivileged ports (1024-65535), and 80/443 should be terminated by Docker port mapping or a reverse proxy.

Once those are addressed, I think this PR is in good shape.