Commit Graph

3 Commits

  • docs: add model mapping documentation for Amp CLI integration
    - Add model mapping feature to README.md Amp CLI section
    - Add detailed Model Mapping Configuration section to amp-cli-integration.md
    - Update architecture diagram to show model mapping flow
    - Update Model Fallback Behavior to include mapping step
    - Add Table of Contents entry for model mapping
  • security: fix localhost middleware header spoofing vulnerability
    Fix critical security vulnerability in amp-restrict-management-to-localhost
    feature where attackers could bypass localhost restriction by spoofing
    X-Forwarded-For headers.
    
    Changes:
    - Use RemoteAddr (actual TCP connection) instead of ClientIP() in
      localhostOnlyMiddleware to prevent header spoofing attacks
    - Add comprehensive test coverage for spoofing prevention (6 test cases)
    - Update documentation with reverse proxy deployment guidance and
      limitations of the RemoteAddr approach
    
    The fix prevents attacks like:
      curl -H "X-Forwarded-For: 127.0.0.1" https://server/api/user
    
    Trade-off: Users behind reverse proxies will need to disable the feature
    and use alternative security measures (firewall rules, proxy ACLs).
    
    Addresses security review feedback from PR #287.
  • docs: reposition Amp CLI as integrated feature for upstream PR
    - Update README.md to present Amp CLI as standard feature, not fork differentiator
    - Remove USING_WITH_FACTORY_AND_AMP.md (fork-specific, Factory docs live upstream)
    - Add comprehensive docs/amp-cli-integration.md with setup, config, troubleshooting
    - Eliminate fork justification messaging throughout documentation
    - Prepare Amp CLI integration for upstream merge consideration
    
    This positions Amp CLI support as a natural extension of CLIProxyAPI's
    multi-client architecture rather than a fork-specific feature.