Full deployment history for this project.
⚡ Bolt: Implement request-level caching and query deduplication for fallback lists (#126) Introduced a lightweight, memory-efficient in-memory SimpleCache layer for high-frequency lists to deduplicate concurrent database queries within the same request tick. Updated mutating operations in RunOrchestrator and EvalSuiteService to automatically clear the cache, ensuring absolute consistency and instant freshness. This eliminates up to 66% of redundant list queries on complex pages like dashboards. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
⚡ Bolt: Implement request-level caching and query deduplication for fallback lists Introduced a lightweight, memory-efficient in-memory SimpleCache layer for high-frequency lists to deduplicate concurrent database queries within the same request tick. Updated mutating operations in RunOrchestrator and EvalSuiteService to automatically clear the cache, ensuring absolute consistency and instant freshness. This eliminates up to 66% of redundant list queries on complex pages like dashboards. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Improve navigation landmark accessibility semantics (#125) Distinguish multiple navigation landmarks across the site by adding unique aria-label attributes to `<nav>` elements, avoiding redundant or generic screen reader announcements. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Improve navigation landmark accessibility semantics Distinguish multiple navigation landmarks across the site by adding unique aria-label attributes to `<nav>` elements, avoiding redundant or generic screen reader announcements. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: Fix SSRF bypasses via DNS wildcard resolutions - Implement async DNS resolution in `validateWebhookUrl` via `dns.promises.lookup` to validate the actual IP address hostname resolves to. - Block loopback, private, and reserved ranges for both IPv4 and IPv6 resolved addresses. - Update custom grader webhook validation call-site to await. - Rewrite `tests/security.test.ts` to be async and mock `dns.promises.lookup` to ensure fast and network-independent test runs. - Document in Sentinel journal (.jules/sentinel.md). Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Consolidate open PRs, compatible upgrades, and platform auth Validated locally and through a READY Vercel preview. Merge commit preserves every original PR head in ancestry.
chore: validate consolidated upgrades and platform auth
chore: validate consolidated upgrades and platform auth
🛡️ Sentinel: Fix missing import in tests and secure GET endpoints - Secure sensitive GET endpoints with `withAuth`. - Update CI to use `pnpm` and follow project standards. - Fix missing `beforeEach` import in `tests/phase2-evals-mesh.test.ts`. - Ensure all tests pass with new authentication requirements. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: Secure sensitive GET endpoints and fix CI workflow This change identifies and secures several unprotected GET endpoints that were leaking sensitive internal metadata and evaluation results. Endpoints secured: - /api/v1/registry - /api/v1/registry/status - /api/v1/registry/services - /api/v1/scorecards - /api/v1/scorecards/[id] - /api/v1/runs/[id] - /api/v1/runs/[id]/results - /api/evals/status - /api/evals/database-status Key improvements: - Applied `withAuth` higher-order wrapper to all targeted endpoints. - Updated Vitest tests to include necessary Authorization headers. - Fixed GitHub Actions CI (\`.github/workflows/ci.yml\`) to use \`pnpm\` instead of \`npm\` to match the project's lockfile and dependency management. - Added security journal entry documenting the metadata leak mitigation. Verified with \`pnpm lint\` and \`pnpm test\`. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: Secure sensitive GET endpoints with authentication This change identifies and secures several unprotected GET endpoints that were leaking sensitive internal metadata and evaluation results. Endpoints secured: - /api/v1/registry - /api/v1/registry/status - /api/v1/registry/services - /api/v1/scorecards - /api/v1/scorecards/[id] - /api/v1/runs/[id] - /api/v1/runs/[id]/results - /api/evals/status - /api/evals/database-status Relevant tests in \`tests/phase2-evals-mesh.test.ts\` and \`tests/builder-evals-flow.test.tsx\` have been updated to include necessary authorization headers. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: Fix internal auth gap and CI workflow - Secured `/api/evals/status` and `/api/evals/database-status` using the `withAuth` wrapper to prevent infrastructure metadata leakage. - Added reproduction test suite in `tests/security-auth-gap.test.ts`. - Fixed `.github/workflows/ci.yml` to use `pnpm` (required for this repository) instead of `npm`. - Updated `.jules/sentinel.md` with the latest security learning. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: [CRITICAL] Fix missing authentication on internal status endpoints Applied the withAuth security wrapper to /api/evals/status and /api/evals/database-status to prevent unauthorized disclosure of infrastructure metadata and health status. Added a reproduction test suite in tests/security-auth-gap.test.ts. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
⚡ Bolt: parallelize registry service list queries This commit optimizes the `listRegistryServices` function by using `Promise.all` to execute the service data fetch and total count queries concurrently. In serverless environments using HTTP-based database drivers, sequential queries incur unnecessary network round-trip latency. By parallelizing these independent queries, we reduce the total execution time from 2x RTT to approximately 1x RTT, improving the responsiveness of the registry service list API. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Secure sensitive API endpoints, fix CI mismatch, and update tests Summary: Secured sensitive registry and evaluation API endpoints with authentication, fixed a pnpm version mismatch in CI, and updated existing tests to include required authentication. 💡 Vulnerability: - Multiple sensitive API endpoints (registry, runs, scorecards, MCP) were publicly accessible, leaking infrastructure status and private evaluation results. - CI was failing due to using npm instead of pnpm, and subsequently due to a redundant version specification in the workflow config. - Security changes caused existing tests to fail due to missing authentication. 🔧 Fix: - Applied `withAuth` wrapper to 8 sensitive API routes. - Updated `.github/workflows/ci.yml` to use `pnpm` and removed redundant `version` to allow automatic version detection from `package.json`. - Updated `tests/builder-evals-flow.test.tsx` and `tests/phase2-evals-mesh.test.ts` to use `NextRequest` and include authentication headers. - Added `tests
🛡️ Sentinel: [HIGH] Secure sensitive API endpoints and fix CI version mismatch Summary: Secured sensitive registry and evaluation API endpoints with authentication and fixed a pnpm version mismatch in CI. 💡 Vulnerability: - Multiple sensitive API endpoints (registry, runs, scorecards, MCP) were publicly accessible, leaking infrastructure status and private evaluation results. - CI was failing due to using npm instead of pnpm, and subsequently due to a redundant version specification in the workflow config. 🔧 Fix: - Applied `withAuth` wrapper to 8 sensitive API routes. - Updated `.github/workflows/ci.yml` to use `pnpm` and removed redundant `version: 10` to allow automatic version detection from `package.json`. - Added `tests/sentinel-fix-verification.test.ts` to verify 401 UNAUTHORIZED responses for all protected routes. ✅ Verification: - Added integration tests confirming all targeted endpoints are now protected and return 401 Unauthorized without credentials. - CI workflow is now correctly configured
🛡️ Sentinel: [HIGH] Secure sensitive API endpoints and fix CI workflow Summary: Secured sensitive registry and evaluation API endpoints with authentication and updated the CI workflow to use pnpm. 💡 Vulnerability: Multiple sensitive API endpoints were publicly accessible, leaking infrastructure status and private evaluation results. 🔧 Fix: - Applied `withAuth` wrapper to 8 sensitive API routes. - Updated `.github/workflows/ci.yml` to use `pnpm` (action-setup@v4) and `pnpm-lock.yaml`, resolving CI failures. - Added `tests/sentinel-fix-verification.test.ts` to verify 401 UNAUTHORIZED responses. ✅ Verification: - Added integration tests confirming all targeted endpoints are now protected. - CI workflow now aligns with the project's dependency management. - Updated Sentinel journal with the new learning. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Secure sensitive registry and evaluation API endpoints Summary: Identified and fixed a high-priority security issue where multiple sensitive API endpoints were publicly accessible. 💡 Vulnerability: The following endpoints were missing the `withAuth` authentication wrapper: - /api/v1/registry/status - /api/v1/registry - /api/v1/registry/services - /api/v1/runs/[id] - /api/v1/runs/[id]/results - /api/v1/runs/[id]/scorecard - /api/v1/scorecards - /api/mcp 🎯 Impact: Unauthorized access to sensitive infrastructure status, registry services, private evaluation run results, and the MCP tool interface. 🔧 Fix: Applied the `withAuth` higher-order wrapper to the GET (and POST for MCP) handlers of all targeted routes. ✅ Verification: - Added `tests/sentinel-fix-verification.test.ts` which confirms all 8 endpoints return 401 UNAUTHORIZED without a valid API key. - Verified that existing tests pass. - Updated `.jules/sentinel.md` with the new learning. Co-authored-by: google-labs-jules[bot] <1
🛡️ Sentinel: Secure V1 API endpoints and fix CI workflow This commit addresses two main issues: 1. Security: Several core V1 API endpoints (registry, runs, scorecards, and suite cases) were publicly accessible via GET requests. These have been secured using the `withAuth` wrapper. 2. CI: The GitHub Actions workflow was failing because it used `npm` instead of `pnpm`. The workflow has been updated to use `pnpm` and follow repository standards. Added `tests/secured-endpoints.test.ts` to verify the security of the modified routes. All security tests and existing tests pass. Updated Sentinel journal in `.jules/sentinel.md` with learnings from this task. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
🛡️ Sentinel: Secure sensitive V1 API endpoints with authentication This change applies the `withAuth` wrapper to several core API endpoints that were previously publicly accessible via GET requests: - `/api/v1/scorecards` - `/api/v1/scorecards/[id]` - `/api/v1/runs/[id]` - `/api/v1/suites/[idOrSlug]/cases` - `/api/v1/registry` Securing these endpoints prevents unauthorized access to sensitive evaluation data, including scorecards, run details, and registry information. Tests added: - `tests/secured-endpoints.test.ts` verifies that these endpoints now return 401 when unauthorized and function correctly when a valid API key is provided. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>