SkillGuard: complete frontend wiring and harden backend

Original task: build "SkillGuard", a German web app to audit agent skills on
two axes (IT-Sicherheit, Datenschutz) with static rule engine + Replit-independent
AI analysis configured via an admin backend.

This session:
- Fixed frontend TS errors: lucide-react name collisions (Badge from ui, Activity
  from lucide), widened apiType to AiProviderApiType, added queryKey to useGetScan.
- Verified all pages render in German (Dashboard, Prüfen, Bericht, Verlauf, Admin)
  and the full scan flow works end-to-end (malicious sample -> verdict block).

Code-review-driven hardening:
- POST /api/scans now returns the full ScanDetail (files + findings) to match the
  OpenAPI contract, instead of only the summary.
- AI provider error bodies are redacted (token, Bearer, sk- patterns) before being
  returned/persisted, and provider fetches now have a 60s timeout.
- ZIP parsing rewritten to use fflate's streaming Unzip: caps (max files, total
  and per-file uncompressed bytes) are enforced DURING decompression. Oversized
  entries are skipped via the header size before inflation; chunked pushing with
  per-chunk size checks aborts early, so a zip bomb cannot be fully inflated into
  memory. Verified: 120MB->123KB bomb rejected with the service staying healthy;
  normal archives still parse correctly.

Updated replit.md (project overview, decisions, gotchas) and added a memory note
on lucide-react icon name collisions.

artifacts/api-server/src/lib/skillParser.ts

@@ -1,4 +1,4 @@
-import { unzipSync, strFromU8 } from "fflate";
+import { Unzip, UnzipInflate, strFromU8 } from "fflate";
 import type { FileKind, ParsedFile } from "./ruleCatalog";
 
 const LANG_BY_EXT: Record<string, string> = {
@@ -74,44 +74,119 @@ function isProbablyBinary(bytes: Uint8Array): boolean {
   return len > 0 && nontext / len > 0.3;
 }
 
+function concatChunks(chunks: Uint8Array[], total: number): Uint8Array {
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
+}
+
+/**
+ * Streaming ZIP extraction. Limits (file count, total uncompressed bytes,
+ * per-file bytes) are enforced WHILE decompressing — input is pushed in small
+ * chunks and decompression is aborted as soon as a cap is exceeded, so a
+ * crafted "zip bomb" cannot be fully inflated into memory before checks apply.
+ */
 export function parseZip(buffer: Buffer): ParsedFile[] {
-  const files = unzipSync(new Uint8Array(buffer));
+  const data = new Uint8Array(buffer);
   const result: ParsedFile[] = [];
   let totalBytes = 0;
-  let processed = 0;
+  let fileCount = 0;
-  for (const [rawPath, bytes] of Object.entries(files)) {
+  let abortReason: string | null = null;
-    const path = rawPath.replace(/\\/g, "/");
+
-    if (path.endsWith("/")) continue;
+  const unzip = new Unzip();
+  unzip.register(UnzipInflate);
+
+  unzip.onfile = (file) => {
+    if (abortReason) return;
+    const path = file.name.replace(/\\/g, "/");
+    if (path.endsWith("/")) return;
     const lower = path.toLowerCase();
-    if (SKIP_DIRS.some((d) => lower.includes(d))) continue;
+    if (SKIP_DIRS.some((d) => lower.includes(d))) return;
-    if (bytes.length === 0) continue;
+
-    if (bytes.length > MAX_ZIP_FILE_BYTES) continue;
+    // Early skip using the declared uncompressed size (when present). Not
-    totalBytes += bytes.length;
+    // calling start() causes fflate to skip the file's data without inflating.
-    if (totalBytes > MAX_ZIP_TOTAL_BYTES) {
+    if (
-      throw new Error("ZIP-Archiv ist zu groß (entpackt).");
+      typeof file.originalSize === "number" &&
+      file.originalSize > MAX_ZIP_FILE_BYTES
+    ) {
+      return;
     }
-    processed += 1;
+
-    if (processed > MAX_ZIP_FILES) {
+    fileCount += 1;
-      throw new Error("ZIP-Archiv enthält zu viele Dateien.");
+    if (fileCount > MAX_ZIP_FILES) {
+      abortReason = "ZIP-Archiv enthält zu viele Dateien.";
+      return;
     }
-    if (isProbablyBinary(bytes)) {
+
-      result.push({
+    const chunks: Uint8Array[] = [];
-        path,
+    let fileBytes = 0;
-        kind: "resource",
+    let skipFile = false;
-        language: null,
+
-        content: "",
+    file.ondata = (err, chunk, final) => {
-        size: bytes.length,
+      if (abortReason) return;
-      });
+      if (err) {
-      continue;
+        abortReason = "ZIP-Archiv konnte nicht entpackt werden.";
+        return;
+      }
+      if (chunk && chunk.length > 0) {
+        fileBytes += chunk.length;
+        totalBytes += chunk.length;
+        if (totalBytes > MAX_ZIP_TOTAL_BYTES) {
+          abortReason = "ZIP-Archiv ist zu groß (entpackt).";
+          return;
+        }
+        if (fileBytes > MAX_ZIP_FILE_BYTES) {
+          // Per-file cap hit (e.g. spoofed header size): drop buffered data,
+          // keep counting toward the total cap as a backstop.
+          skipFile = true;
+          chunks.length = 0;
+          return;
+        }
+        if (!skipFile) chunks.push(chunk);
+      }
+      if (final && !abortReason && !skipFile) {
+        const bytes = concatChunks(chunks, fileBytes);
+        chunks.length = 0;
+        if (bytes.length === 0) return;
+        if (isProbablyBinary(bytes)) {
+          result.push({
+            path,
+            kind: "resource",
+            language: null,
+            content: "",
+            size: bytes.length,
+          });
+        } else {
+          result.push({
+            path,
+            kind: classify(path),
+            language: LANG_BY_EXT[extOf(path)] ?? null,
+            content: strFromU8(bytes),
+            size: bytes.length,
+          });
+        }
+      }
+    };
+
+    file.start();
+  };
+
+  const CHUNK = 64 * 1024;
+  try {
+    for (let i = 0; i < data.length; i += CHUNK) {
+      if (abortReason) break;
+      const end = Math.min(i + CHUNK, data.length);
+      unzip.push(data.subarray(i, end), end >= data.length);
     }
-    result.push({
+  } catch {
-      path,
+    throw new Error("ZIP-Archiv konnte nicht entpackt werden.");
-      kind: classify(path),
-      language: LANG_BY_EXT[extOf(path)] ?? null,
-      content: strFromU8(bytes),
-      size: bytes.length,
-    });
   }
+
+  if (abortReason) throw new Error(abortReason);
   return result;
 }