feat: harden HTTP clients, dashboard server, and hook system#4
Merged
- Add shared HTTP helper (src/utils/http-request.ts) with timeout and 64 KiB response body cap; refactor validate.ts and hooks.ts to use it
- Fix dashboard route matching to parse URL pathname (query strings no longer break /events and /api/status)
- Add SSE broadcast backpressure: drop destroyed or slow clients
- Block SSRF on HTTP hooks by default (private/loopback/link-local IP ranges); override with Q_RING_ALLOW_PRIVATE_HOOKS=1
- Remove unnecessary CORS wildcard headers from localhost dashboard
- Replace external Google Fonts and remote icon in dashboard HTML with system font stacks and inline SVG for full offline operation
- Document SSRF protection in README

Made-with: Cursor
Pull request overview
This PR hardens network-facing components by extracting a shared HTTP request helper, improving dashboard routing/backpressure handling, and adding SSRF protections for HTTP hooks, alongside dashboard offline asset cleanup and documentation updates.
Changes:
- Introduces a shared `httpRequest` helper with timeouts and response-size caps, and migrates validation/hooks to use it.
- Updates dashboard routing to use `URL.pathname` and adjusts SSE broadcasting/backpressure behavior.
- Adds SSRF mitigation for HTTP hooks with private-IP blocking (opt-out via env var) and documents the behavior.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/utils/http-request.ts | Adds shared HTTP(S) request helper with timeout + response body cap |
| src/core/validate.ts | Replaces duplicated request code with shared HTTP helper |
| src/core/hooks.ts | Uses shared HTTP helper; adds SSRF pre-checks for HTTP hooks and audit logging |
| src/core/dashboard.ts | Fixes route matching via pathname parsing; adjusts SSE broadcast backpressure handling |
| src/core/dashboard-html.ts | Removes external font/icon dependencies; switches to system fonts + inline SVG |
| README.md | Documents SSRF protection and override env var for hooks |
| .github/workflows/nextjs.yml | Bumps Next.js workflow Node version |
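The SSE backpressure rule the review table refers to (skip ended or destroyed clients, drop a client whose `write()` returns `false`), as an added example that is not the project's own dashboard.ts. `SseClient` is a minimal stand-in for a Node `ServerResponse` so the logic runs without sockets, and `FakeClient` is a constructed test double:

```typescript
// Added example (not the project's dashboard.ts): an SSE broadcast applying the
// PR's backpressure rule. SseClient is a minimal stand-in for a Node ServerResponse
// so the logic runs without sockets; FakeClient is a constructed test double.
export interface SseClient {
  writableEnded: boolean;
  destroyed: boolean;
  write(chunk: string): boolean; // false means the socket buffer is full (slow client)
  destroy(): void;
}

// Serialise one event: one "data:" line per payload line, blank line terminates it.
export function formatSse(event: string, data: unknown): string {
  const json = JSON.stringify(data) ?? "null";
  const body = json.split("\n").map(l => `data: ${l}`).join("\n");
  return `event: ${event}\n${body}\n\n`;
}

// Send one event to every live client. Dead clients (ended/destroyed) are dropped,
// and a client whose write() returns false is destroyed and dropped instead of
// having frames queued in process memory indefinitely.
export function broadcast(clients: Set<SseClient>, event: string, data: unknown): { sent: number; dropped: number } {
  const frame = formatSse(event, data);
  let sent = 0, dropped = 0;
  for (const c of clients) {           // deleting during Set iteration is safe in JS
    if (c.destroyed || c.writableEnded) { clients.delete(c); dropped++; continue; }
    if (!c.write(frame)) { c.destroy(); clients.delete(c); dropped++; continue; }
    sent++;
  }
  return { sent, dropped };
}

// Constructed test double: records what was written and can simulate a slow or dead peer.
export class FakeClient implements SseClient {
  writableEnded = false;
  destroyed: boolean;
  received: string[] = [];
  private slow: boolean;
  constructor(slow = false, dead = false) { this.slow = slow; this.destroyed = dead; }
  write(chunk: string): boolean { this.received.push(chunk); return !this.slow; }
  destroy(): void { this.destroyed = true; }
}
```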
Owner / Author:
@copilot open a new pull request to apply changes based on the comments in this thread

Contributor:
…eview feedback (#5)
* Initial plan
* fix: address all 7 review comments on HTTP helper, dashboard, and hooks
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
Agent-Logs-Url: https://github.com/I4cTime/quantum_ring/sessions/f98e4751-fde3-4773-832f-4daaafdb62be
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
I4cTime added a commit that referenced this pull request on Mar 23, 2026:

* feat(web): add Next.js site with deploy and CI workflows
  Made-with: Cursor
* feat: harden HTTP clients, dashboard server, and hook system (#4)
  * feat: harden HTTP clients, dashboard server, and hook system
    - Add shared HTTP helper (src/utils/http-request.ts) with timeout and 64 KiB response body cap; refactor validate.ts and hooks.ts to use it
    - Fix dashboard route matching to parse URL pathname (query strings no longer break /events and /api/status)
    - Add SSE broadcast backpressure: drop destroyed or slow clients
    - Block SSRF on HTTP hooks by default (private/loopback/link-local IP ranges); override with Q_RING_ALLOW_PRIVATE_HOOKS=1
    - Remove unnecessary CORS wildcard headers from localhost dashboard
    - Replace external Google Fonts and remote icon in dashboard HTML with system font stacks and inline SVG for full offline operation
    - Document SSRF protection in README
    Made-with: Cursor
  * fix: harden HTTP helper, dashboard server, and SSRF hook checks per review feedback (#5)
    * Initial plan
    * fix: address all 7 review comments on HTTP helper, dashboard, and hooks
    Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
    Agent-Logs-Url: https://github.com/I4cTime/quantum_ring/sessions/f98e4751-fde3-4773-832f-4daaafdb62be
    ---------
    Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
    Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
  ---------
  Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
* feat(web): Tailwind v4, motion, docs/changelog, mobile nav
  - Add Tailwind CSS v4 with @theme tokens and PostCSS
  - Add Framer Motion (motion) FadeIn, StaggerGroup, animated stats
  - CopyableTerminal with copy buttons; remove RevealObserver
  - Mobile nav with focus trap, Docs/Changelog routes
  - Interactive Architecture tooltips and scroll targets
  - Getting Started (/docs) and Changelog (/changelog) pages
  - Skip link, main landmark, reduced-motion for WebGL
  Made-with: Cursor
* chore: bump version to v0.4.1
  Made-with: Cursor
* chore: bump version to v0.9.0
  Made-with: Cursor
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
Summary
- Shared HTTP helper (`src/utils/http-request.ts`): Extracts duplicated `node:http`/`node:https` logic from `validate.ts` and `hooks.ts` into a single typed helper with configurable timeout and 64 KiB response body cap
- Dashboard routing: uses `URL.pathname` instead of raw `req.url`, so query strings (e.g. `/events?retry=true`) no longer break SSE and API endpoints
- SSE backpressure: `broadcast()` now checks `writableEnded`/`destroyed` before writing and drops slow clients when `write()` returns `false`, preventing unbounded memory growth
- SSRF protection for HTTP hooks: private/loopback/link-local targets are blocked by default; override with `Q_RING_ALLOW_PRIVATE_HOOKS=1`; blocked requests log a `policy_deny` audit event
- CORS: removed `Access-Control-Allow-Origin: *` headers from the localhost-only dashboard endpoints

Test plan
- `pnpm run typecheck` passes
- `pnpm run build` passes
- With the dashboard running (`qring status`), confirm SSE updates at `/events`, JSON at `/api/status`, HTML at `/`
- `/events?test=1` should still stream
- Hook with an `http://127.0.0.1` URL: confirm it is blocked
- With `Q_RING_ALLOW_PRIVATE_HOOKS=1`, confirm local hooks work

Made with Cursor
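The hook-target policy described above (block private, loopback and link-local targets by default, `policy_deny` unless `Q_RING_ALLOW_PRIVATE_HOOKS=1`), as an added example that is not the quantum_ring project's own hooks.ts. It assumes the caller has already resolved the hook hostname to an IP and passes the environment in explicitly; `checkHookTarget`, `isPrivateAddress` and `HookDecision` are names chosen here, not the project's:

```typescript
// Added example (not the quantum_ring project's own hooks.ts): a pre-dispatch guard
// for HTTP hook URLs following the rule in this PR. Assumes the caller has already
// resolved the hostname to an IP (DNS lookup omitted so this runs offline) and
// passes the environment in explicitly (process.env in real use).
export type HookDecision = { allowed: boolean; reason: string };

// Parse a dotted-quad IPv4 literal to a 32-bit unsigned integer, or null.
function parseV4(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}

// CIDR blocks an outbound hook must not reach unless explicitly allowed.
const BLOCKED_V4: Array<[string, number]> = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // RFC 1918 private
  ["127.0.0.0", 8],                                          // loopback
  ["169.254.0.0", 16],                                       // link-local (cloud metadata)
  ["0.0.0.0", 8],                                            // "this" network
];

function inCidr(addr: number, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === (((parseV4(base) as number) & mask) >>> 0);
}

// True for private, loopback, link-local, unique-local and IPv4-mapped forms of those.
export function isPrivateAddress(ip: string): boolean {
  const v4 = parseV4(ip);
  if (v4 !== null) return BLOCKED_V4.some(([base, bits]) => inCidr(v4, base, bits));
  const low = ip.toLowerCase();
  if (low === "::1" || low === "::") return true;            // IPv6 loopback / unspecified
  if (/^fe[89ab][0-9a-f]:/.test(low)) return true;           // fe80::/10 link-local
  if (/^f[cd][0-9a-f]{2}:/.test(low)) return true;           // fc00::/7 unique local
  const mapped = low.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped, e.g. ::ffff:127.0.0.1
  return mapped !== null && isPrivateAddress(mapped[1]);
}

export function checkHookTarget(url: string, resolvedIp: string,
                                env: Record<string, string | undefined>): HookDecision {
  let parsed: URL;
  try { parsed = new URL(url); } catch { return { allowed: false, reason: "policy_deny: malformed URL" }; }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
    return { allowed: false, reason: "policy_deny: non-HTTP scheme" };
  if (!isPrivateAddress(resolvedIp)) return { allowed: true, reason: "public target" };
  // The opt-out mirrors the PR's env switch; log the override as an audit event too.
  if (env.Q_RING_ALLOW_PRIVATE_HOOKS === "1") return { allowed: true, reason: "private target allowed by override" };
  return { allowed: false, reason: "policy_deny: private/loopback/link-local target" };
}
```

Checking the resolved address rather than the hostname string is what makes the guard hold against names that merely point at an internal address.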