Spring week notes: Chapel/PBT post, ActivityPub pulse, Vite 8 #73
Jesssullivan wants to merge 11 commits into
Conversation
Drop the npm:rolldown-vite alias and overrides block, bump @sveltejs/vite-plugin-svelte from v6 to v7. No config renames needed — vite.config.ts had no rollupOptions or advancedChunks. Build, typecheck, lint, and 88/88 unit tests pass cleanly.
Source-agnostic AP ingestion pipeline: prebuild script reads from mock JSON now, switches to real AP outbox URL via env var when tinyland.dev is ready. AS2-compliant schema with tl: namespace extensions for bird sightings, bike rides, code activity, sensor readings, and freeform notes. Five kind-specific card components with filter bar and optional client-side live refresh. 75 mock activities spanning 90 days with real Maine bird species, Lewiston/Auburn routes, and actual repo names.
generate-git-pulse.mts scans ~/git/ repos for commit history, aggregates by day per repo, and merges real code activities into the mock outbox. 410 code activities from 12,288 commits across 90 days spanning jesssullivan.github.io, XoxdWM, cmux, scheduling-kit, acuity-middleware, eGreg, GloriousFlywheel, rockies, linux-xr, and aperture-bootstrap. Non-code activity types remain mock for now.
Restructured for formal methods / compiler audience:
- Leads with typed method (Chapel forall, PBT, Dhall), not RT
- Actual source snippets from HostNumaProbe.chpl, TimingProofs.chpl, TestTimingProofs.chpl, TestHostNumaTiming.chpl
- Nine PBT properties shown with quickchpl generators
- RT as a measured aside (~15% of post), not the centerpiece
- Passive links to linux-xr, DRM patches, Monado, quickchpl
- CSV data and raw evidence paths linked
- Module dependency graph (HostNumaProbe → TimingProofs → HostNumaTiming)
- PBT property coverage map (9 properties → 4 functions)
- Pipeline flowchart (just → Nix → chpl → capture → Dhall)
- Per-sample ratio xychart with actual data from captures
- Per-sample parallel time xychart showing RT outlier
- Skeleton compile commands (nix develop + chpl + test suite)
Updated the title and description for clarity and added more context to the content. Enhanced the explanations of tools and methodologies used in the post.
📝 Blog Post Review
Found 2 blog post(s) in this PR:
Schema Validation
✅ All posts pass schema validation.
Hyperlink Suggestions
## The reproducibility pipeline
Each probe run is projected into a typed [Dhall](https://dhall-lang.org/) record via [`ChapelHostProbeRun.dhall`](https://github.com/Jesssullivan/Dell-7810/blob/main/dhall/types/ChapelHostProbeRun.dhall). The type carries metadata (date, host, compiler, kernel), configuration (locale count, channels, samples, sample rate, partitions), results (timing conforms, jitter stats), and performance (serial time, parallel time, speedup ratio). A separate [`KernelValidationRun.dhall`](https://github.com/Jesssullivan/Dell-7810/blob/main/dhall/types/KernelValidationRun.dhall) type covers kernel validation captures.
🔗 Consider linking Dhall: [Dhall](https://dhall-lang.org)
## The reproducibility pipeline
Each probe run is projected into a typed [Dhall](https://dhall-lang.org/) record via [`ChapelHostProbeRun.dhall`](https://github.com/Jesssullivan/Dell-7810/blob/main/dhall/types/ChapelHostProbeRun.dhall). The type carries metadata (date, host, compiler, kernel), configuration (locale count, channels, samples, sample rate, partitions), results (timing conforms, jitter stats), and performance (serial time, parallel time, speedup ratio). A separate [`KernelValidationRun.dhall`](https://github.com/Jesssullivan/Dell-7810/blob/main/dhall/types/KernelValidationRun.dhall) type covers kernel validation captures.
🔗 Consider linking Nix: [Nix](https://nixos.org)
</div>
<div class="prose prose-sm mt-1 text-surface-700-300 leading-relaxed">
<!-- eslint-disable-next-line svelte/no-at-html-tags -->
{@html activity.content}
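Review bot: the `eslint-disable-next-line svelte/no-at-html-tags` on the line above switches off the one lint rule that flags exactly this risk, so the suppression should carry its justification. If the live-fetch path ends up sanitising `content` before it reaches this component, say so in that comment (for example `-- content is sanitised in resolve.ts before rendering`) so the disable stays auditable, and keep the rule enabled for any other `{@html}` in the file.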
**`{@html}` without sanitization on live-fetch path**
`activity.content` is rendered as raw HTML. When `AP_CONFIG.enableLiveFetch` is flipped to `true`, the browser fetches from `https://tinyland.dev/@jesssullivan/outbox` at runtime and renders its `content` field here. ActivityPub `content` is freeform HTML — any XSS payload in that field would execute in every visitor's browser. Consider passing content through a sanitiser (e.g. DOMPurify) before rendering, or strip tags via the `stripHtml` helper already present in `resolve.ts` for the live-fetch code path.
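A text-only fallback for the live-fetch path, as an added example that is not the repository's code: the project's `stripHtml` in `resolve.ts` is referred to by the comment but not reused here, and the `liveFetch` flag stands in for `AP_CONFIG.enableLiveFetch`. The point it shows is that tag stripping alone is not enough; the final escape pass is what makes the string inert when it is handed to `{@html}`.

```typescript
// Added example (not the project's code): text-only rendering of untrusted
// ActivityPub `content`. `liveFetch` models AP_CONFIG.enableLiveFetch.

const ENTITY_MAP: Record<string, string> = {
  '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&nbsp;': ' ',
};

const ESCAPE_MAP: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Remove every complete tag (`<...>`). An unterminated tag such as
// `<img src=x onerror=...` with no closing `>` survives this step, which is
// why escapeHtml runs last.
function stripTags(html: string): string {
  return html.replace(/<[^>]*>/g, '');
}

// Decode the handful of entities stripped text commonly carries so the reader
// sees `<` rather than `&lt;`; escapeHtml re-encodes whatever is left.
function decodeEntities(text: string): string {
  return text.replace(/&(amp|lt|gt|quot|#39|nbsp);/g, (m) => ENTITY_MAP[m] ?? m);
}

// Escape every character significant to the HTML parser. After this pass the
// string contains no raw `<`, `>`, `&` or quotes, so `{@html}` cannot create
// elements or attributes from it.
function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (c) => ESCAPE_MAP[c] ?? c);
}

// Build-time mock data is trusted (it is committed with the site); content
// fetched live from a remote outbox is not and is reduced to escaped text.
function renderableContent(content: string, liveFetch: boolean): string {
  if (!liveFetch) return content;
  return escapeHtml(decodeEntities(stripTags(content)));
}

// Constructed sample: a benign post and one carrying both a complete and a
// dangling (unterminated) tag.
const BENIGN = '<p>Common Loon at Lake Auburn</p>';
const HOSTILE = '5 &lt; 6 <script>alert(1)</script> and a dangling <img src=x onerror=alert(1)';

console.log(renderableContent(BENIGN, true));
console.log(renderableContent(HOSTILE, true));
```

Reducing content to text loses the `<p>` and `<a>` markup that real ActivityPub posts carry; keeping that formatting while staying safe is what an element-allowlist sanitiser such as DOMPurify is for, and it would replace `stripTags`/`escapeHtml` here, not sit beside them.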
*/
import { readFile, writeFile, mkdir } from 'node:fs/promises';
const OUTBOX_SOURCE = process.env.AP_OUTBOX_URL || 'scripts/data/mock-outbox.json';
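Review bot: `process.env.AP_OUTBOX_URL || 'scripts/data/mock-outbox.json'` treats an empty string the same as an unset variable, so a CI job that exports `AP_OUTBOX_URL` but leaves it blank silently builds and commits mock data instead of failing. Consider `??` plus an explicit empty-string check, and when the value is a remote source validate it by parsing with `new URL(...)` and checking `protocol === 'https:'` rather than a string prefix, which also normalises case and rejects anything that is not a URL at all.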
**Plain `http://` URLs accepted for `AP_OUTBOX_URL`**
`fetchOutbox` branches on `source.startsWith('http')`, which permits `http://` (unencrypted) remote sources as well as `https://`. Because this script runs at **prebuild** time and its output (`static/data/activity-outbox.json`) is committed into the static site, a MITM on an `http://` endpoint could silently inject arbitrary activity data that gets shipped to visitors. Consider validating that any remote source starts with `https://`, or enforcing the check in `fetchOutbox`:
```ts
if (source.startsWith('https://')) {
```
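One way to validate the source before `fetchOutbox` ever touches it, as an added example that is not the project's code: it classifies the raw `AP_OUTBOX_URL` value into a local path or an https URL, rejects `http://` and other schemes, and refuses a set-but-empty variable. The host allowlist defaulting to `tinyland.dev` is an assumption taken from the outbox URL discussed in this PR.

```typescript
// Added example (not the project's code): classify AP_OUTBOX_URL before use.

type OutboxSource =
  | { kind: 'local'; path: string }
  | { kind: 'remote'; url: URL };

const DEFAULT_LOCAL = 'scripts/data/mock-outbox.json';

function classifyOutboxSource(
  raw: string | undefined,
  allowedHosts: readonly string[] = ['tinyland.dev'], // assumption: the only expected outbox host
): OutboxSource {
  // Unset means "use the committed mock data". A variable that is set but
  // blank is a misconfiguration in a build that meant to fetch, so fail loudly
  // instead of silently shipping mock data (this is what `||` would hide).
  if (raw === undefined) return { kind: 'local', path: DEFAULT_LOCAL };
  if (raw.trim() === '') throw new Error('AP_OUTBOX_URL is set but empty');

  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    // Not an absolute URL: treat it as a repository-relative file path.
    return { kind: 'local', path: raw };
  }

  // Check the parsed protocol, not a string prefix: the parser lowercases the
  // scheme (`HTTPS://` passes) and anything that is not https: is rejected,
  // including plain http:.
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-https outbox source: ${url.protocol}//${url.host}`);
  }
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error(`outbox host not allowlisted: ${url.hostname}`);
  }
  return { kind: 'remote', url };
}

// Stand-alone demonstration against the value the script would read.
const classified = classifyOutboxSource(process.env.AP_OUTBOX_URL);
console.log(classified.kind === 'local' ? classified.path : classified.url.href);
```

The `new URL` parse does the work a prefix test cannot: it rejects malformed input, normalises the scheme, and exposes the hostname for the allowlist check, so the `https://` requirement and the "which host" requirement are enforced in one place before any network call.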
}
async function main(): Promise<void> {
const gitDir = resolve(process.env.HOME || '~', 'git');
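Review bot: the suggested `resolve(process.env.HOME ?? homedir(), 'git')` is redundant on POSIX, where `os.homedir()` already returns `$HOME` when it is set and falls back to the passwd entry otherwise, so `resolve(homedir(), 'git')` alone gives the intended behaviour. Whichever form is used, `main` should also check that the directory exists and fail with a clear message rather than scanning an empty set of repositories and merging nothing into the outbox.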
**`HOME || '~'` fallback resolves literally, not as home directory**
`resolve(process.env.HOME || '~', 'git')` — when `HOME` is unset (e.g. certain CI environments), `'~'` is treated as a literal directory name and resolves to `<cwd>/~/git`, not the actual home directory. The sibling-repo scan silently finds nothing useful rather than erroring out, which may cause confusion. Using `os.homedir()` from `node:os` is the idiomatic fix:
```ts
import { homedir } from 'node:os';
// ...
const gitDir = resolve(process.env.HOME ?? homedir(), 'git');
```
Summary
/pulse route
Review checklist
- mock-outbox.json (16K) is intentional test data, not production PII. (Jess)
Greptile Summary
This PR adds an ActivityPub-backed `/pulse` route (bird sightings, bike rides, code activity, sensor readings, notes), wires its prebuild data pipeline into `package.json`, and migrates from `rolldown-vite@7.3.1` to native Vite 8. The `static/data/activity-outbox.json` snapshot contains no PII — all data is synthetic. Three P2 items worth addressing before enabling live fetch: `NoteCard.svelte` renders `{@html activity.content}` without sanitization (safe today with `enableLiveFetch: false`, XSS surface when flipped on); `generate-activity-stream.mts` accepts plain `http://` for `AP_OUTBOX_URL` at build time; and `generate-git-pulse.mts` has a `HOME || '~'` fallback that silently breaks in environments where `HOME` is unset.
Confidence Score: 4/5
Safe to merge as-is; P2 findings should be addressed before enabling live ActivityPub fetch.
All findings are P2: the XSS surface is currently gated behind a false flag, the HTTP build-time fetch is a hardening gap rather than an active exploit, and the HOME fallback only affects a manual dev script. No P0/P1 issues found.
`scripts/generate-activity-stream.mts` and `src/lib/components/activity/NoteCard.svelte` should be revisited before `enableLiveFetch` is set to `true`.
Security Review
`src/lib/components/activity/NoteCard.svelte` line 21: `{@html activity.content}` renders raw ActivityPub HTML without sanitization. Harmless while `enableLiveFetch: false`, but becomes an XSS vector for any visitor the moment that flag is enabled. `scripts/generate-activity-stream.mts`: `AP_OUTBOX_URL` is accepted over plain `http://`, meaning a MITM could inject arbitrary content into the committed `static/data/activity-outbox.json` during CI builds.
Reviews (1): Last reviewed commit: "post: publish chapel/pbt host characteri..."