Skip to content

feat: replace CLI examples with full web-based demo apps#1

Open
Dhravya wants to merge 9 commits intovorflux/initial-examplesfrom
vorflux/web-examples
Open

feat: replace CLI examples with full web-based demo apps#1
Dhravya wants to merge 9 commits intovorflux/initial-examplesfrom
vorflux/web-examples

Conversation

@Dhravya
Copy link
Copy Markdown
Member

@Dhravya Dhravya commented Apr 28, 2026
edited by vorflux Bot
Loading

Web-Based SMFS Example Apps

Replaces the three CLI-only example scripts with full web-based demo applications.

New Examples

Example Stack SDK Description
Research Assistant Next.js 15, Tailwind v4, Vercel AI SDK @supermemory/bash (TypeScript) Upload documents and chat with an AI that can search and cite them. Streaming responses via streamText.
Knowledge Base FastAPI, vanilla HTML/CSS/JS supermemory-bash (Python) Add notes and chat with an AI that can search your knowledge base. SSE streaming, no frontend build step.
Code Sandbox Next.js 15, Tailwind v4, E2B SDK E2B + SMFS mount Write and run code in an E2B sandbox with persistent AI memory. Three-panel UI (editor + output + chat).

Removed

  • legal-docs-assistant/ (CLI-only Python script)
  • docs-answering-agent/ (CLI-only TypeScript script)
  • customer-support-agent/ (CLI-only Python script)

Key Features

  • Streaming everywhere: All three apps stream AI responses. Next.js apps use Vercel AI SDK streamText; FastAPI uses Server-Sent Events.
  • Tool call visualization: All chat UIs show collapsible tool call blocks so users can see what commands the AI is running.
  • Security: Randomized heredoc delimiters (or printf for Python) prevent content injection. Strict filename sanitization.
  • Self-contained: Each app has its own package.json/requirements.txt, .env.example, and comprehensive README.

Architecture

Each app follows the same pattern:

  1. User interacts via web UI (chat, file upload, code editor)
  2. Backend creates a supermemory-bash / @supermemory/bash instance (or E2B sandbox with SMFS mount)
  3. AI agent uses bash tool to read/write/search files in the Supermemory container
  4. Responses stream back to the frontend

Quality Loop

  • Simplify agent identified 30 improvement areas; build agent addressed all high/medium priority items
  • Review agent found 3 issues (1 critical bug, 2 security); all fixed:
    • Critical: code-sandbox execute route had broken heredoc via JSON.stringify -- fixed
    • Security: Fixed heredoc injection in research-assistant and knowledge-base (randomized delimiters + printf)
    • Security: Added strict filename sanitization in knowledge-base

Testing

TypeScript Compilation

  • research-assistant/: npx tsc --noEmit passes cleanly
  • code-sandbox/: npx tsc --noEmit passes cleanly (verified after E2B swap)

Python Syntax

  • knowledge-base/: python3 -m py_compile server.py passes
  • knowledge-base/: node --check static/app.js passes

Next.js Build

  • Both Next.js apps compile successfully (Compiled successfully)
  • Static page generation fails on internal /_error: /500 page due to non-standard NODE_ENV in the build environment -- this is a pre-existing Next.js 15 environment issue, not related to our code

Cross-App Verification

  • All .env.example files present with correct variables (2 vars for research-assistant and knowledge-base, 3 for code-sandbox)
  • All READMEs present with setup instructions (97-184 lines each)
  • Old CLI examples confirmed deleted
  • Root README updated with new example table

Integration Testing (attempted -- timed out)

  • Attempted: The testing subagent was dispatched to install dependencies, verify builds, and run integration checks across all three apps
  • Partial progress: Dependencies were installed for all three apps. The agent discovered that the supermemory_bash SDK tokenizes << as two separate LT tokens (not a heredoc operator), leading to the printf fix for the knowledge-base app
  • Failure: Task timed out after 3600s
  • Unverified: Full end-to-end runtime testing with live API keys was not completed

Session Details

Dhravya and others added 6 commits April 28, 2026 02:02
@Dhravya
feat: add knowledge base web app
246b09c
feat: add research assistant web app
0ac9799
@Dhravya
feat: add code sandbox web app
8be703f
@Dhravya
chore: remove old CLI examples, update root README
9f410ee 
Replace CLI-only examples with web-based demo apps.
Remove: legal-docs-assistant, docs-answering-agent, customer-support-agent
Update: root README with new example table
fix(examples): apply review/simplify feedback to web example apps
1ac113c 
CRITICAL FIX
- code-sandbox/api/execute: the heredoc-wrapped run script was being
  passed through JSON.stringify, which collapsed real newlines into
  literal \n escapes — bash never saw a valid heredoc terminator and
  every code execution failed with a syntax error. Build the script
  with real newlines and shell-quote it for 'bash -c'.

SECURITY
- code-sandbox/api/execute, research-assistant/api/ingest, and
  knowledge-base server.py all used a fixed heredoc delimiter, so user
  content containing that exact line could prematurely close the
  heredoc and inject shell input. Switched to per-request randomized
  delimiters (Math.random / secrets.token_hex) and extracted a shared
  writeFileViaHeredoc helper in research-assistant/lib/bash-utils.ts.
- knowledge-base: replaced loose '/'-only title sanitization with a
  stricter sanitize_note_title() that rejects '..', '.', NUL/control
  chars, and shell metacharacters (mirrors code-sandbox's
  isSafeFilename).

DEDUPLICATION
- Extracted code-sandbox/lib/daytona.ts (getDaytona) and
  code-sandbox/lib/env.ts + research-assistant/lib/env.ts (requireEnv)
  to remove the repeated env-var-check boilerplate from every API
  route.
- Centralized CONTAINER_TAG and MAX_AGENT_STEPS in
  research-assistant/lib/config.ts; added MAX_AGENT_STEPS = 10
  constant in knowledge-base/server.py.

CODE-SANDBOX CLEANUP
- Removed the dead 'command' array; build the bash script directly.
- Removed unused textareaRef in code-editor.tsx.
- Hoisted SMFS_VERSION to a top-level constant; rewrote SMFS_INSTALL
  and STARTER_CODE using template literals.
- Replaced fragile 'sleep 3' after 'smfs mount &' with a polling loop
  that waits for the FUSE mountpoint to become ready (mountpoint -q).
- Extracted the SMFS limitation banner string and added a comment
  noting that beforeunload cleanup is unreliable and production
  deployments should rely on server-side TTL.
- Dropped the unnecessary 'as HTMLFormElement' cast on form.requestSubmit.

RESEARCH-ASSISTANT CLEANUP
- Split handleUpload into pure helpers (uploadFiles,
  mergeUploadedFiles, formatUploadSummary) so the JSX-level callback
  is just orchestration.

KNOWLEDGE-BASE CLEANUP
- Hoisted the anthropic.Anthropic client to a module-level cached
  singleton instead of constructing one per chat request.
- Split chat_stream into _build_tools, _messages_from_history, and
  _run_tool_calls helpers; added a comment explaining why the
  catch-all Exception handler exists in the SSE generator.
- Extracted parseSSE async generator in static/app.js so sendMessage
  becomes a clean for-await loop. Replaced ad-hoc DOM-scraping in
  getFinalText() with explicit assistantText tracking. Replaced
  setTimeout(focus, 30) with requestAnimationFrame.
- Pinned upper bounds in requirements.txt so the example doesn't
  break six months from now.

OTHER
- code-sandbox/.gitignore: ignore tsconfig.tsbuildinfo to match the
  research-assistant convention and root .gitignore.
@Dhravya
fix: use printf for file writes, remove unused error boundaries
cd790ab 
- knowledge-base: switch from heredoc to printf '%s' for note writes
  (supermemory_bash SDK tokenizes << as two LT tokens)
- research-assistant: add try/catch and empty file check in ingest route
- research-assistant: remove error/global-error/not-found pages
  (unnecessary for demo, caused build issues in some environments)
@vorflux vorflux Bot mentioned this pull request Apr 28, 2026
Open
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 28, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​next@​15.5.1562100919870
Addednpm/​@​ai-sdk/​react@​1.2.12971007495100
Addednpm/​@​types/​react-dom@​19.2.31001007586100
Updatednpm/​@​ai-sdk/​anthropic@​3.0.71 ⏵ 1.2.127710084 -495100
Addednpm/​@​types/​react@​19.2.141001007988100
Addednpm/​postcss@​8.5.12991008293100
Addednpm/​tailwindcss@​4.2.41001008498100
Addednpm/​react@​19.2.51001008497100
Addednpm/​react@​19.0.01001008497100
Addednpm/​@​e2b/​code-interpreter@​1.5.11001008692100
Addednpm/​react-dom@​19.0.01001009298100
Addednpm/​react-dom@​19.2.51001009298100
Updatednpm/​ai@​6.0.168 ⏵ 4.3.1999 +710010098100
Addedpypi/​uvicorn@​0.39.098100100100100
Addednpm/​@​tailwindcss/​postcss@​4.2.410010010098100
Addedpypi/​fastapi@​0.119.1100100100100100

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 28, 2026
edited
Loading

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Dhravya