8 Commits

Author	SHA1	Message	Date
will.anderson	2447310367	chore: update El SDK to dev@8212e12 (OOM fix, precompile opt, gcloud fix)	2026-05-08 12:46:06 -05:00
will.anderson	0ace906823	ci: commit El SDK binaries for PR build fallback ... PR builds can't pull ci-base (no GCP secrets on pull_request events). dev.yaml falls back to committed bin/ + runtime/ instead. Extracted from ci-base:latest (sdk-release.yaml run 1411).	2026-05-07 09:34:34 -05:00
Will Anderson	c75d8a9563	ci: add gitflow — dev/stage/main branches with CI workflows ... - dev.yaml: build + local docker smoke test only (no push, no deploy) - stage.yaml: build + push + deploy to marketing-stage + smoke test (stops here) - deploy.yaml: add HTML placeholder touch step before docker build Proper human gate between stage and prod: the stage→main merge decision.	2026-05-03 11:28:43 -05:00
Will Anderson	8704f7cdfc	update el runtime to v1.2.0, refactor checkout script to external asset	2026-05-03 01:13:25 -05:00
Will Anderson	46f93fd6eb	security: replace denylist sanitize_share_html with allowlist el_html_sanitize ... A real attacker probed /api/share earlier today with <script>alert(1), <iframe src=evil>, <img onerror>, <a href="javascript:...">, and a <form action="/steal"> payload. Nothing executed because the chat bubble at /share/<id> renders the served HTML inside marked.js's already-escaped output, but the prior denylist sanitizer was fragile: - It comment-wrapped dangerous tags ("<!--script>...-->") which a literal "-->" inside an attacker-supplied attribute value can close early, re-exposing the original payload. - It renamed on*= attributes to data-x-on*= which left attack indicators visible in the served HTML. - It was a denylist; every new attack vector required a code change. - It didn't validate <a href> URL schemes properly. The replacement is a runtime-level state-machine allowlist parser (foundation/el af480f6: el_html_sanitize). The product just specifies the JSON allowlist of allowed tags + attributes; the runtime drops everything else, validates href/src URL schemes (http/https/mailto/ fragment/relative only), and drops whole subtrees of script/style/ iframe/object/embed/form regardless of the allowlist. Phase 4 of bl-dc55ae07: deletes sanitize_share_html (main.el) and gal_sanitize_html (gallery.el); replaces 3 call sites with el_html_sanitize(html, allowlist). Defines default_share_allowlist in main.el and the identical gallery_share_allowlist in gallery.el (separate bindings to avoid a forward-reference at build-concat order — gallery is concatenated before main). Phase 5: migrations/20260502185500_backfill_resanitize_share_cards.sql nulls answer_html for any share_cards row older than 1 hour. Applied via the Supabase Management API; 0 rows in scope (the column was added today and existing rows pre-date its first write). Also fixes an orthogonal duplicate-symbol bug: unix_timestamp() was defined in both dist/web_stubs.c and the runtime (the latter is a recent runtime addition picked up by the runtime sync). Removed the stub. Backlog: bl-dc55ae07	2026-05-02 12:56:33 -05:00
Will Anderson	5e6b28b0e8	runtime: sync el_runtime.h from foundation - adds engram_scan_nodes_by_type_json forward decl	2026-05-02 01:30:36 -05:00
Will Anderson	8184859754	runtime: sync from foundation/el; HEAD method support, plus all uncommitted runtime work from prior sessions	2026-05-02 01:15:24 -05:00
Will Anderson	ff1f9577db	Add marketplace section, OAuth checkout, social icons, 35% efficiency claim, preorder CTAs, enterprise Q1 2027, founding member limits, paragraph spacing in demo chat, no em dashes	2026-05-01 09:20:45 -05:00