Skip to content

feat(protect): opt-in response screening for node/express + Supabase guard#64

Merged
patchstackdave merged 4 commits into
mainfrom
feat/protect-tier3-complete
Jul 14, 2026
Merged

feat(protect): opt-in response screening for node/express + Supabase guard#64
patchstackdave merged 4 commits into
mainfrom
feat/protect-tier3-complete

Conversation

@patchstackdave

Copy link
Copy Markdown
Contributor

Stacked on #61 (feat/protect-demo).

Completes Tier-3 response-phase screening across all server surfaces — until now, secret-leak redaction / withhold only ran on the fetch() path.

What changed

  • runtime: exposes screenResponse(response) and wires a { screenResponses: true } option into node() and express(). When set, the adapter buffers the outgoing body and runs it through the response rules — redacting the offending spans or withholding (500). Opt-in, because buffering can delay a streamed response; bodies over 512 KiB pass through unscanned. fetch() now shares the same screenResp() closure.
  • supabase-guard: screens the forwarded upstream Supabase response through protection.screenResponse (query results can leak secrets/PII). Fails open if unavailable.
  • types: screenResponse + the screenResponses option added to protect.d.ts.

Tests

tests/protect/response-guards.test.ts (+8): node/express/Supabase redact, block→withhold (500), non-text passthrough, dry-run observe-only, and opt-in gating (no screening unless requested). Full suite 366 pass, typecheck + build clean.

🤖 Generated with Claude Code

patchstackdave and others added 2 commits July 14, 2026 12:36
examples/protect/ — a runnable Verified Vulnerability Shielding demo against a REAL
vulnerable dependency (lodash@4.17.11, CVE-2019-10744): exploit works unprotected →
dry-run detects → block rejects the request before the sink → benign still served →
response AWS-key redaction → egress SSRF block → proof line. No app redeploy, no token.

rules.demo.json holds EXAMPLE rules for public CVEs only (clearly labeled) — NOT the
production corpus, which is fetched per-site from the API at runtime. No secrets in-repo.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…guard

Extend Tier-3 response-phase screening (secret-leak redaction / withhold)
beyond the fetch() path to the remaining server surfaces:

- runtime: expose `screenResponse(response)`; wire `{ screenResponses: true }`
  into node() and express() (buffers the outgoing body, then redacts spans or
  withholds via the response rules). Opt-in — buffering can delay a stream, and
  bodies over 512 KiB pass through unscanned. fetch() now shares the same
  screenResp() closure.
- supabase-guard: screen the forwarded upstream response through
  protection.screenResponse (query results can leak secrets/PII). Fails open.
- types: add screenResponse + the screenResponses option; +8 tests
  (tests/protect/response-guards.test.ts) covering node/express/Supabase
  redact, block-withhold, non-text passthrough, dry-run, and opt-in gating.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderbuds

coderbuds Bot commented Jul 14, 2026

Copy link
Copy Markdown

Introduces robust opt-in response screening across fetch, Express, Node, and Supabase.

🎯 Quality: 86% Excellent · 📦 Size: Medium

📈 This month: Your 26th PR — above team average · Averaging Excellent

See how your team is trending →

…ash)

Pins lodash@4.17.11 so the end-to-end demo reproducibly installs the exact
version CVE-2019-10744 targets.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@patchstackdave

Copy link
Copy Markdown
Contributor Author

/review

Base automatically changed from feat/protect-demo to main July 14, 2026 12:07
@patchstackdave patchstackdave merged commit 45d9c64 into main Jul 14, 2026
4 checks passed
@patchstackdave patchstackdave deleted the feat/protect-tier3-complete branch July 14, 2026 13:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants