kunthawat/moreminimore-vibe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security Panel MVP (#1660)

Browse Source 
TODOs:

- [x] Add documentation
- [x] e2e tests: run security review, update knowledge, and fix issue
- [x] more stringent risk rating


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces a new Security mode with a Security Review panel that runs
reviews, edits rules, parses findings via IPC, and supports fixing
issues, with tests and prompt/runtime support.
> 
> - **UI/Preview Panel**:
> - Add `security` preview mode to `previewModeAtom` and ActionHeader
(Shield button).
> - New `SecurityPanel` showing findings table (sorted by severity), run
review, fix issue flow, and edit `SECURITY_RULES.md` dialog.
>   - Wire into `PreviewPanel` content switch.
> - **Hooks**:
>   - `useSecurityReview(appId)`: fetch latest review via IPC.
> - `useStreamChat`: add `onSettled` callback to invoke refreshes after
streams.
> - **IPC/Main**:
> - `security_handlers`: `get-latest-security-review` parses
`<dyad-security-finding>` from latest assistant message.
>   - Register handler in `ipc_host`; expose channel in `preload`.
>   - `ipc_client`: add `getLatestSecurityReview(appId)`.
> - `chat_stream_handlers`: detect `/security-review`, use dedicated
system prompt, optionally append `SECURITY_RULES.md`, suppress
Supabase-not-available note in this mode.
> - **Prompts**:
> - Add `SECURITY_REVIEW_SYSTEM_PROMPT` with structured finding output.
> - **Supabase**:
> - Enhance schema query to include `rls_enabled`, split policy
`using_clause`/`with_check_clause`.
> - **E2E Tests**:
> - New `security_review.spec.ts` plus snapshots and fixture findings;
update test helper for `security` mode and findings table snapshot.
> - Fake LLM server streams security findings for `/security-review` and
increases batch size.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
5022d01e22a2dd929a968eeba0da592e0aeece01. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
This commit is contained in:
Will Chen
2025-10-29 17:32:52 -07:00
committed by GitHub
parent a3997512d2
commit c50527b4c0
22 changed files with 3574 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
src/ipc/handlers/chat_stream_handlers.ts
View File

@@ -43,6 +43,7 @@ import {
getSupabaseClientCode,
} from "../../supabase_admin/supabase_context";
import { SUMMARIZE_CHAT_SYSTEM_PROMPT } from "../../prompts/summarize_chat_system_prompt";
import { SECURITY_REVIEW_SYSTEM_PROMPT } from "../../prompts/security_review_prompt";
import fs from "node:fs";
import * as path from "path";
import * as os from "os";
@@ -578,6 +579,29 @@ ${componentSnippet}
systemPrompt += `\n\n# Referenced Apps\nThe user has mentioned the following apps in their prompt: ${mentionedAppsList}. Their codebases have been included in the context for your reference. When referring to these apps, you can understand their structure and code to provide better assistance, however you should NOT edit the files in these referenced apps. The referenced apps are NOT part of the current app and are READ-ONLY.`;
}
const isSecurityReviewIntent =
req.prompt.startsWith("/security-review");
if (isSecurityReviewIntent) {
systemPrompt = SECURITY_REVIEW_SYSTEM_PROMPT;
try {
const appPath = getDyadAppPath(updatedChat.app.path);
const rulesPath = path.join(appPath, "SECURITY_RULES.md");
let securityRules = "";
await fs.promises.access(rulesPath);
securityRules = await fs.promises.readFile(rulesPath, "utf8");
if (securityRules && securityRules.trim().length > 0) {
systemPrompt +=
"\n\n# Project-specific security rules:\n" + securityRules;
}
} catch (error) {
// Best-effort: if reading rules fails, continue without them
logger.info("Failed to read security rules", error);
}
}
if (
updatedChat.app?.supabaseProjectId &&
settings.supabase?.accessToken?.value
@@ -591,7 +615,9 @@ ${componentSnippet}
}));
} else if (
// Neon projects don't need Supabase.
!updatedChat.app?.neonProjectId
!updatedChat.app?.neonProjectId &&
// If in security review mode, we don't need to mention supabase is available.
!isSecurityReviewIntent
) {
systemPrompt += "\n\n" + SUPABASE_NOT_AVAILABLE_SYSTEM_PROMPT;
}

71
src/ipc/handlers/security_handlers.ts Normal file
View File

@@ -0,0 +1,71 @@
import { ipcMain } from "electron";
import { db } from "../../db";
import { chats, messages } from "../../db/schema";
import { eq, and, like, desc } from "drizzle-orm";
import type { SecurityReviewResult, SecurityFinding } from "../ipc_types";
export function registerSecurityHandlers() {
ipcMain.handle("get-latest-security-review", async (event, appId: number) => {
if (!appId) {
throw new Error("App ID is required");
}
// Query for the most recent message with security findings
// Use database filtering instead of loading all data into memory
const result = await db
.select({
content: messages.content,
createdAt: messages.createdAt,
chatId: messages.chatId,
})
.from(messages)
.innerJoin(chats, eq(messages.chatId, chats.id))
.where(
and(
eq(chats.appId, appId),
eq(messages.role, "assistant"),
like(messages.content, "%<dyad-security-finding%"),
),
)
.orderBy(desc(messages.createdAt))
.limit(1);
if (result.length === 0) {
throw new Error("No security review found for this app");
}
const message = result[0];
const findings = parseSecurityFindings(message.content);
if (findings.length === 0) {
throw new Error("No security review found for this app");
}
return {
findings,
timestamp: message.createdAt.toISOString(),
chatId: message.chatId,
} satisfies SecurityReviewResult;
});
}
function parseSecurityFindings(content: string): SecurityFinding[] {
const findings: SecurityFinding[] = [];
// Regex to match dyad-security-finding tags
// Using lazy quantifier with proper boundaries to prevent catastrophic backtracking
const regex =
/<dyad-security-finding\s+title="([^"]+)"\s+level="(critical|high|medium|low)">([\s\S]*?)<\/dyad-security-finding>/g;
let match;
while ((match = regex.exec(content)) !== null) {
const [, title, level, description] = match;
findings.push({
title: title.trim(),
level: level as "critical" | "high" | "medium" | "low",
description: description.trim(),
});
}
return findings;
}

7
src/ipc/ipc_client.ts
View File

@@ -48,6 +48,7 @@ import type {
VercelDeployment,
GetVercelDeploymentsParams,
DisconnectVercelProjectParams,
SecurityReviewResult,
IsVercelProjectAvailableParams,
SaveVercelAccessTokenParams,
VercelProject,
@@ -1197,6 +1198,12 @@ export class IpcClient {
return this.ipcRenderer.invoke("check-ai-rules", params);
}
public async getLatestSecurityReview(
appId: number,
): Promise<SecurityReviewResult> {
return this.ipcRenderer.invoke("get-latest-security-review", appId);
}
public async importApp(params: ImportAppParams): Promise<ImportAppResult> {
return this.ipcRenderer.invoke("import-app", params);
}

2
src/ipc/ipc_host.ts
View File

@@ -31,6 +31,7 @@ import { registerPortalHandlers } from "./handlers/portal_handlers";
import { registerPromptHandlers } from "./handlers/prompt_handlers";
import { registerHelpBotHandlers } from "./handlers/help_bot_handlers";
import { registerMcpHandlers } from "./handlers/mcp_handlers";
import { registerSecurityHandlers } from "./handlers/security_handlers";
export function registerIpcHandlers() {
// Register all IPC handlers by category
@@ -67,4 +68,5 @@ export function registerIpcHandlers() {
registerPromptHandlers();
registerHelpBotHandlers();
registerMcpHandlers();
registerSecurityHandlers();
}

12
src/ipc/ipc_types.ts
View File

@@ -9,6 +9,18 @@ export interface AppOutput {
appId: number;
}
export interface SecurityFinding {
title: string;
level: "critical" | "high" | "medium" | "low";
description: string;
}
export interface SecurityReviewResult {
findings: SecurityFinding[];
timestamp: string;
chatId: number;
}
export interface RespondToAppInputParams {
appId: number;
response: string;