@73junito 73junito commented Jan 29, 2026

Summary:
Adds a CI workflow to detect any imports of hono/jsx and usage of the ErrorBoundary component in the frontend code. This prevents accidental introduction of a known XSS vulnerability.

Motivation:
The ErrorBoundary component in hono/jsx can render untrusted user input as raw HTML, creating a reflected XSS risk. While our current code doesn’t use hono/jsx, this workflow ensures future PRs do not accidentally introduce it.

Changes:

  • New GitHub Actions workflow (security/hono-ci-guard.yml)
  • Workflow scans frontend files for import { ErrorBoundary } from 'hono/jsx' or ErrorBoundary usage
  • CI fails if any occurrences are found

Testing / Verification:

  • CI run triggers successfully on this PR
  • Optional: test commit that imports ErrorBoundary should cause CI to fail (demonstrating the guard works)

Security Impact:
Prevents accidental inclusion of a vulnerable component, proactively reducing XSS exposure.
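
The scan described in this PR, sketched as an added example that is not part of the PR or the repository's workflow: it finds `ErrorBoundary` bindings from `hono/jsx` even when the import is multi-line, aliased, or made through `require`, which a one-line text match misses. The function name, the sample source, and the choice to treat every `hono/jsx/` subpath as in scope are assumptions made for illustration.

```javascript
// Added example (not the PR's workflow): find hono/jsx ErrorBoundary bindings in source text.
const TARGET = 'ErrorBoundary';
// Assumption: 'hono/jsx' and any subpath under it are in scope for the guard.
const isHonoJsx = (spec) => spec === 'hono/jsx' || spec.startsWith('hono/jsx/');

// Static import, possibly spread over several lines; the clause may not cross ';' or a quote.
const IMPORT_RE = /import\s+([^;'"]*?)\s+from\s+['"]([^'"]+)['"]/g;
// CommonJS form: const <clause> = require('<spec>')
const REQUIRE_RE = /(?:const|let|var)\s+([^;=]*?)\s*=\s*require\(\s*['"]([^'"]+)['"]\s*\)/g;

const lineOf = (source, index) => source.slice(0, index).split('\n').length;

// Returns [{ line, kind, local }]; dynamic import() and re-exports are out of scope here.
function findErrorBoundaryImports(source) {
  const findings = [];
  for (const re of [IMPORT_RE, REQUIRE_RE]) {
    for (const m of source.matchAll(re)) {
      const [, clause, spec] = m;
      if (!isHonoJsx(spec)) continue;
      const line = lineOf(source, m.index);
      // Named binding with optional alias: "ErrorBoundary as EB" or "ErrorBoundary: EB".
      const named = clause.match(/\{[^}]*\bErrorBoundary\b(?:(?:\s+as\s+|\s*:\s*)(\w+))?[^}]*\}/);
      if (named) findings.push({ line, kind: 'named', local: named[1] || TARGET });
      // Namespace or whole-module binding: flag only when .ErrorBoundary is reached through it.
      const ns = clause.match(/^\s*(?:\*\s+as\s+)?(\w+)\s*$/);
      if (ns && new RegExp(`\\b${ns[1]}\\.${TARGET}\\b`).test(source)) {
        findings.push({ line, kind: 'namespace', local: ns[1] });
      }
    }
  }
  return findings;
}

// Constructed sample: an aliased, multi-line import next to an unrelated ErrorBoundary.
const SAMPLE = [
  "import { Hono } from 'hono';",
  "import {",
  "  Suspense,",
  "  ErrorBoundary as EB,",
  "} from 'hono/jsx';",
  "import { ErrorBoundary } from 'react-error-boundary';",
  "export const Page = () => <EB><Feed /></EB>;",
].join('\n');

for (const f of findErrorBoundaryImports(SAMPLE)) {
  console.log(`sample:${f.line}: hono/jsx ${TARGET} bound as ${f.local} (${f.kind})`);
}
```

A CI step built on this would read each frontend file, call `findErrorBoundaryImports` on its contents, and exit non-zero when any finding is returned.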

GitHub Copilot and others added 30 commits January 10, 2026 12:01
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
- Add test for skipping modules with contentStatus="humanized"
- Add test for error handling when call_ollama raises exceptions
- Add test for streaming mode with TTFT capture
- Add test for modules.json dict format with 'modules' key
- Add test for modules.json plain array format
- Fix existing test to meet quality guard requirements

Co-authored-by: 73junito <86015877+73junito@users.noreply.github.com>
Copilot AI review requested due to automatic review settings January 29, 2026 16:50
@73junito 73junito self-assigned this Jan 29, 2026
@73junito 73junito changed the title from "Security/hono ci guard" to "ci(security): add guard against hono/jsx ErrorBoundary usage" Jan 29, 2026
Copilot AI left a comment

Pull request overview

This PR introduces additional CI/security guardrails (notably around Storybook and Hono usage) and expands Python/JS test workflows, but it also includes a very large set of changes under .venv3.10/Lib/* that look like accidental vendored stdlib/virtualenv churn.

Changes:

  • Add new GitHub Actions workflows for Playwright E2E, orchestrator tests, stub-blocking, and a Hono “ErrorBoundary” scan.
  • Harden Storybook CI with Node/pnpm verification and retry logic.
  • Update Python CI workflows to install more dependencies and run additional tests (plus editable install of lib/ollama-python).

Reviewed changes

Copilot reviewed 144 out of 1321 changed files in this pull request and generated 5 comments.

File Description
.venv3.10/Lib/abc.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/antigravity.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asynchat.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncore.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/__main__.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/base_futures.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/base_subprocess.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/base_tasks.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/coroutines.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/events.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/exceptions.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/format_helpers.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/futures.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/locks.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/mixins.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/protocols.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/queues.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/runners.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/sslproto.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/staggered.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/subprocess.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/tasks.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/transports.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/trsock.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/windows_events.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/asyncio/windows_utils.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/bdb.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/bisect.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/cProfile.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/chunk.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/cmd.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/code.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/codecs.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/codeop.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/collections/abc.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/concurrent/futures/__init__.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/concurrent/futures/_base.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/concurrent/futures/process.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/concurrent/futures/thread.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/contextvars.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/copy.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/copyreg.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/crypt.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/csv.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/__init__.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/_aix.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/macholib/__init__.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/macholib/dylib.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/macholib/dyld.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/macholib/framework.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/__init__.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/__main__.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_arrays.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_as_parameter.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_bitfields.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_buffers.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_bytes.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_byteswap.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_callbacks.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_cast.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_cfuncs.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_checkretval.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_errno.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_find.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_frombuffer.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_functions.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_funcptr.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_incomplete.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_internals.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_keeprefs.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_loading.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_macholib.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_memfunctions.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_numbers.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_objects.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_parameters.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_pep3118.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_pickling.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_pointers.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_prototypes.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_random_things.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_refcounts.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_repr.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_slicing.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_stringptr.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_strings.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_struct_fields.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_unaligned_structures.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_unicode.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_values.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_win32.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/test/test_wintypes.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/ctypes/wintypes.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/curses/__init__.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/curses/textpad.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/dbm/__init__.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/dbm/dumb.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/decimal.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/_bootsubprocess.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/_markupbase.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/_py_abc.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/_sitebuiltins.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/_threading_local.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.venv3.10/Lib/_weakrefset.py Virtualenv/stdlib formatting/behavior changes (likely unintended)
.github/workflows/ci.yml Expand Python CI dependency installs
.github/workflows/orchestrate-test.yml Add orchestrator test workflow
.github/workflows/playwright.yml Add Playwright E2E workflow
.github/workflows/python-ci.yml Harden Python CI + editable install verification
.github/workflows/python-lint-test.yml Expand pytest deps + editable install
.github/workflows/security-hono-grep.yml Add Hono “ErrorBoundary” grep gate
.github/workflows/storybook-monitor.yml Reduce schedule frequency + add concurrency + error handling
.github/workflows/storybook.yml Add Node/pnpm verification and retry logic for installs
.github/workflows/block-stubs.yml Add PR stub-content blocking workflow
.github/scripts/watch_and_fix.js Add workflow watcher that opens automated “retry” PR
.github/scripts/watch_and_fix.cjs Add CJS variant with GH CLI token fallback
.github/scripts/run_watcher.ps1 Add secure PowerShell wrapper to run watcher
.github/scripts/README.md Document watch-and-fix usage

Comment on lines 6 to 8
from _decimal import __libmpdec_version__
except ImportError:
from _pydecimal import *
Copilot AI Jan 29, 2026

This PR includes extensive changes under .venv3.10/Lib/*, which appears to be a committed virtualenv/stdlib directory. Checking in a virtualenv typically creates large, noisy diffs and can introduce accidental behavior changes that are not intended to be part of application code. Recommend removing .venv3.10/ from version control and adding it to .gitignore, then keeping CI changes scoped to repository source and workflow files.

73junito and others added 4 commits January 29, 2026 10:59
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@73junito 73junito left a comment

viewed
