From b194df39fea2833e2eb866f451b3ed11db42c1f0 Mon Sep 17 00:00:00 2001
From: Peter Amiri
Date: Fri, 10 Apr 2026 02:54:29 -0700
Subject: [PATCH] fix(cli): use cryptographically secure random for mcp session tokens

Replace createUUID() (type-1, timestamp-based) with java.util.UUID.randomUUID() (type-4, SecureRandom-backed) for defense-in-depth on session ID generation.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 vendor/wheels/public/mcp/SessionManager.cfc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vendor/wheels/public/mcp/SessionManager.cfc b/vendor/wheels/public/mcp/SessionManager.cfc
index 93cc29eb02..058a814029 100644
--- a/vendor/wheels/public/mcp/SessionManager.cfc
+++ b/vendor/wheels/public/mcp/SessionManager.cfc
@@ -9,7 +9,7 @@ component output="false" displayName="MCP Session Manager" {
 }
 
 public string function createSession() {
- local.sessionId = "mcp-" & createUUID();
+ local.sessionId = "mcp-" & LCase(CreateObject("java", "java.util.UUID").randomUUID().toString());
 variables.sessions[local.sessionId] = {
 "id": local.sessionId,
 "created": now(),
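Review bot: The added line changes the session ID's shape as well as its entropy source: createUUID() yields the CFML 35-character form (8-4-4-16) while java.util.UUID.toString() yields the RFC 36-character form (8-4-4-4-12), so any caller that validates or stores session IDs by length or pattern (for example an isValid("uuid", ...) check or a fixed-width column) could now reject them — worth confirming, since no such check is visible in this hunk. The LCase() wrapper is redundant because UUID.toString() already emits lowercase hex, though keeping it is harmless. A short why-comment above the assignment would stop a later cleanup from reverting to createUUID(), e.g. `// randomUUID() is SecureRandom-backed (v4); createUUID() is time-based and guessable, so it is unsuitable for a session token`. createSession()'s body continues past the hunk, so whether the token is later compared or logged is not visible here.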