
@regenrek

summary

  • Add skill file viewer and refactor detail page into smaller components.

motivation

  • Surface all skill files before install and keep files under 500 LOC.

what's included

  • Clickable file list + preview panel.
  • New tabs/comments/util modules.
  • Styles for viewer layout.

what's not included

  • Command warnings/highlights (in PR4).
  • Backend changes.

tests

  • bun run test
  • bun run lint

affected files

  • src/components/SkillDetailPage.tsx
  • src/components/SkillFilesPanel.tsx
  • src/components/SkillDetailTabs.tsx
  • src/components/SkillCommentsPanel.tsx
  • src/components/skillDetailUtils.ts
  • src/styles.css

prompt

# ClawdHub Security Hardening

## Goal & Success Criteria

- Block download inflation: rate limit + per‑IP/day dedupe on ZIP downloads.
- IP spoofing fixed: trust only cf-connecting-ip.
- Files tab shows full file viewer + warnings for dangerous commands.
- Each PR has Conventional Commits, full test suite runs, PR opened from regenrek fork.

## Non‑goals / Out of Scope

- Replace download stats with installs.
- Auth‑gated downloads or paid access.
- Deep static analysis beyond warning heuristics.

## Assumptions

- Rate limits: new “download” tier tighter than “read”.
- IP trust: CF‑only, no fallback.
- PRs live on regenrek fork, not upstream.

## Proposed Solution

- Single canonical rate‑limit/IP module (Convex best‑practice: no duplicated logic).
- Dedupe table keyed by hashed IP + skill + day bucket; increment only once.
- UI file viewer loads via existing getFileText; warnings from regex scan.

### Alternatives Considered

- Reuse “read” limits in convex/httpApiV1.ts:634 — too permissive.
- Fallback to x-forwarded-for — violates CF‑only requirement.
- Store raw IPs — privacy risk.

## System Design

- Increment flow: new mutation recordDownload handles dedupe + stats increment atomically.
- Cleanup: cron job prunes dedupe rows older than N days.
- UI: SkillDetailPage Files tab extracted to SkillFilesPanel with viewer + warnings.

## Interfaces & Data Contracts

- recordDownload mutation args: { skillId: Id<'skills'>, ipHash?: string, dayStart: number }.
- downloadDedupes schema: { skillId, ipHash, dayStart, createdAt }.
- Rate limit config includes download: { ip, key } in shared helper.

## Execution Details

PR 3 — File Viewer (feat)

- Extract Files tab to src/components/SkillFilesPanel.tsx.
- Add clickable file list; load via api.skills.getFileText.
- Add viewer panel, empty/error states.
- Adjust CSS in src/styles.css:1696.

## Testing & Quality

- Full suite per PR: bun run test and bun run lint.
- Add unit tests for dedupe/rate limit in convex/downloads.test.ts.
- Extend handler tests to cover CF‑only IP logic.

## Risks & Mitigations

- Missing CF header → “unknown” key. Mitigate by documenting requirement.
- Dedupe table growth → cron pruning.
- Viewer perf → relies on existing 200KB cap.
@vercel

vercel bot commented Jan 26, 2026

@regenrek is attempting to deploy a commit to the Amantus Machina Team on Vercel.

A member of the Team first needs to authorize it.
