Task #24: Older scans created before description generation existed showed an
empty "Was macht dieser Skill?" section. Users can now trigger description
generation for any existing scan from the report.
Changes:
- OpenAPI: added POST /scans/{id}/description (operationId generateScanDescription)
returning ScanDetail (200), ApiError (404 not found, 422 cannot generate).
Regenerated api-zod and api-client-react via codegen.
- api-server (routes/scans.ts): new route loads the scan, its stored files, the
enabled provider and prompts, reconstructs ParsedFile[] from scan_files
(binary files -> empty content/isBinary), calls existing
generateSkillDescription(), persists description and returns full ScanDetail.
Clean 422 errors when no provider / no token / generation yields nothing; the
scan is never mutated on failure.
- skillguard (scan-report.tsx): the description card now always renders; when no
description exists it shows a "Beschreibung erzeugen" button wired to the new
mutation, with loading state, toast feedback, and query cache update on success.
Incidental fix: the dev/test database was missing the `scans.description` column
(schema drift from the earlier description task). Ran drizzle-kit push to sync;
this unblocked 5 previously failing api-server tests. All 59 tests now pass and
full typecheck is green.
Rebase: one conflict in scan-report.tsx import line — main added the `ShieldAlert`
icon (new KI-disclaimer Alert), this branch added `Loader2`. Resolved by keeping
both icons; the rest of the file (disclaimer Alert + new description card) merged
cleanly. No semantic divergence.
Replit-Task-Id: 0610af4f-aa62-434e-abcd-d742081b6459
Task: Filter and search scans in the history view (Task #32).
What changed:
- artifacts/skillguard/src/pages/scan-history.tsx now has a client-side
search box that matches scan name and description text (case-insensitive),
plus two multi-select toggle-group filters: Bewertung (verdict:
pass/review/block) and Quelle (source: zip/file/text).
- Filtering is computed via useMemo over the existing useListScans() result.
- Added a results counter ("X von Y Scans") and a "Filter zurücksetzen"
button shown when any filter/search is active.
- Added a dedicated empty-filter-result state ("Keine Treffer") with a
reset action, distinct from the existing "no scans yet" empty state.
- Search input has a clear (X) button.
Notes / deviations:
- No backend changes; description/verdict/source already come from the API.
- Rebuilt lib/api-client-react declarations (tsc -b) because the dist
*.d.ts in this isolated env were stale and lacked description/relation
fields (pre-existing issue, documented in memory). tsc on scan-history
is now clean.
- Verified visually: search bar, verdict and source filters render and the
list populates from the running API server.
Replit-Task-Id: 67d3a8ce-f780-4b21-97b4-4767ced763c4
Task #25: the model-discovery capability (list available models, used by the
guided provider setup) had no automated coverage. Added a new vitest suite that
exercises the endpoint end-to-end against the in-process Express app.
New file:
- artifacts/api-server/src/routes/providers.listModels.test.ts
Coverage (6 tests, all passing):
- ok=false + clear German message when no token (empty token, no providerId),
and the upstream provider is never called.
- Falls back to the stored provider token when providerId is given and apiToken
is empty (inserts a real provider row, asserts the Bearer header carries the
stored token, cleans up afterward).
- Normalizes the OpenAI-compatible response (data[].id) into a deduped, sorted
model list; drops non-string ids.
- Anthropic path: GET /models with x-api-key + anthropic-version headers (no
Authorization), reads models[] with id/name fallback, dedupes.
- Upstream failure returns ok=false (HTTP 200, not 500), empty models, and the
token is redacted from the message ([REDACTED], never the raw token).
- fetch throwing (network error) returns ok=false without leaking the token.
Implementation note: the suite runs the app in-process and the test client also
uses fetch, so global fetch is mocked with a passthrough — requests to the test
server's baseUrl delegate to the captured real fetch; only upstream provider URLs
are synthesized. Spy assertions filter out the localhost passthrough call.
Saved this non-obvious testing lesson to memory.
Deviation / note: pre-existing failures in relation.test.ts and compare.test.ts
are unrelated to this task — the dev database's scans table is missing the
fingerprint/relation/similarity/compared_scan_id columns (schema drift; needs a
drizzle-kit push). Out of scope for this task; proposed as a follow-up.
Replit-Task-Id: 7e8a3db2-0da7-40d9-b74d-132779a44d39
Original task: Display the AI-generated "Was macht dieser Skill?" description
excerpt in the scan list (Verlauf) and dashboard "Kürzliche Scans" cards. The
field (`description`) is already serialized by the API (serializeScan).
Changes:
- artifacts/skillguard/src/pages/scan-history.tsx: render a 2-line clamped
paragraph below the metadata row when scan.description is present; nothing
shown otherwise (clean for old/non-AI scans).
- artifacts/skillguard/src/pages/dashboard.tsx: render a 1-line clamped
description excerpt in recent-scan rows; added min-w-0 + gap so truncation
works.
Deviations / extra fixes required to make this work in the isolated env:
- The dev/test Postgres `scans` table was missing the `description` column even
though lib/db schema defines it. Ran drizzle-kit push (lib/db) — the list
endpoint and several api-server tests were 500ing on
`column "description" of relation "scans" does not exist`. Adding a nullable
column is non-destructive.
- lib/api-client-react built `dist/*.d.ts` was stale (missing description and
other fields), so artifact tsc via project references failed. Rebuilt with
`tsc -b lib/api-client-react/tsconfig.json`. Vite runtime was unaffected
(uses src via exports).
Verification: list + dashboard render the excerpt (temporarily seeded one scan,
screenshotted, reverted to null); api-server tests 59/59 pass; changed files
typecheck clean (remaining tsc errors are pre-existing from other unmerged
tasks).
Replit-Task-Id: 381de506-681e-4564-bc60-7d2fdd66ba82
Adds an AI-generated, factual German description ("Was macht dieser Skill?")
to scans and shows it in the report.
Changes:
- DB: new nullable `description` column on scansTable (lib/db schema; pushed via drizzle-kit).
- AI: new `generateSkillDescription()` in aiAnalysis.ts — reuses provider selection,
token redaction, system prompt and JSON extraction; expects {"description": "..."},
returns null and never throws on failure.
- Engine: scanEngine now generates the description independently of the AI findings
rules — only a provider+token are required, so it works even when AI findings rules
are disabled. Description failures do not break the scan. EngineResult gains
aiDescription. (Provider/token error precedence unchanged for findings.)
- Prompt: new admin-editable "description" prompt (Beschreibungs-Anweisung) seeded via
onConflictDoNothing, consistent with system/analysis prompts.
- Persist/serialize: description written on scan insert and returned in
serializeScan (list + detail responses).
- API spec: added nullable `description` to the Scan schema in openapi.yaml; regenerated
zod + react-query clients via orval codegen.
- Report UI: new "Was macht dieser Skill?" card in the report header (hidden when empty)
and a matching section in the PDF/print export.
Notes / deviations:
- Old scans are not backfilled (per task scope); their description stays null and the
section is hidden.
- Description is requested as JSON ({"description": ...}) to stay compatible with the
existing "JSON only" system prompt.
- Verified: full typecheck passes, both workflows run, new prompt seeded, scans API
returns description.
Replit-Task-Id: 40c4457b-54d1-4283-a336-478620c3afa8
Task: Replace free-text model entry in Admin → Providers with a guided
flow (Name → API type → API endpoint → API token → Test connection) that
auto-discovers available models after a successful connection test and
presents them in a Select positioned right after the API endpoint field.
Model-independent connection test (key fix):
- The setup connection test no longer requires a model, removing the
chicken-and-egg where discovery could never run. test-connection's model
is now optional: when a model is supplied it does a full chat round-trip;
when omitted it verifies credentials via the provider's models endpoint and
reports how many models are available. The form sends no model on the
initial test, so a successful test now reliably triggers discovery.
Backend:
- aiAnalysis.ts: added listProviderModels(provider) — GETs {baseUrl}/models
using Bearer auth for openai/custom and x-api-key + anthropic-version for
anthropic. Normalizes data[].id (falls back to models[].id/.name),
dedupes + sorts, and redacts secrets in error messages via the existing
redactSecrets helper.
- providers.ts: added POST /providers/list-models accepting ad-hoc config
(apiType, baseUrl, optional apiToken, optional providerId). Falls back to
the stored token by providerId when token omitted; returns { ok, models,
message } and never leaks the token.
API contract:
- openapi.yaml: added /providers/list-models path, ProviderListModelsInput
and ProviderModelsResult schemas. Regenerated zod + react-query client via
the api-spec codegen workflow (orval).
Admin UI (admin.tsx):
- New ModelField component renders a loading state, a Select when models are
discovered, or a manual free-text input fallback (with hint) when discovery
returns nothing — so saving always works for custom endpoints.
- Field order follows the guided flow: Name → API type → API endpoint →
API token → Test connection, with the model selector appearing after the
token once discovery succeeds. A successful test automatically triggers
discovery; editing endpoint or token resets discovery state.
Verified: workspace typecheck passes, api-server tests 59/59 pass, live curl
of the new endpoint returns graceful errors without leaking the token.
Replit-Task-Id: 8d300a47-0b45-4677-9e9e-aa041bf03e98
Task #19: Run the version-detection tests automatically as a quality gate.
What was done:
- Registered a named validation command "test" via the validation skill,
running `pnpm --filter @workspace/api-server run test` (which executes
`vitest run` in artifacts/api-server). Running through the pnpm filter
ensures the suite resolves correctly from the repo root regardless of CWD.
- Verified the suite is green: 4 test files, 34 tests passing, covering
skill version detection (compare, relation, skillFingerprint, lineDiff).
- Confirmed the validation run reports PASSED.
Deviations:
- None. No source code changes were needed; this task only wires the
existing Vitest suite into the project's validation gates.
Replit-Task-Id: 5a73dc70-8022-4f46-a6a5-9becb3ee74ba
Task #18: Automatically test that uploaded skill files are read correctly.
The skill parser (artifacts/api-server/src/lib/skillParser.ts) had no automated
tests. A regression there could silently mis-read uploads. Added a new Vitest
suite covering the parsing/classification logic (NOT the ZIP size/safety limits,
which are tracked by a separate task).
New file: artifacts/api-server/src/lib/skillParser.test.ts
Coverage:
- parseSingleFile: kind/language/hash/size/isBinary for .md, .sh, .py, .json,
.txt, unknown ext, and a binary blob; path normalisation (dir strip,
backslashes); case-insensitive SKILL.md.
- parseText: wraps pasted text as markdown SKILL.md; byte-length sizing for
multi-byte content.
- parseZip (in-memory ZIP via fflate.zipSync): correct classification, nested
path preservation, __MACOSX/.git/node_modules skipping, dir/empty entry
skipping, binary-vs-text handling, stable hashing.
- deriveScanName: H1 from SKILL.md, name: front-matter fallback, quote
stripping, H1 preferred over front-matter, top-dir fallback, provided
fallback, 120-char truncation.
Verification: `pnpm --filter @workspace/api-server run test` → 59 passed
(24 new). Typecheck of the new test file is clean; pre-existing typecheck
errors in src/routes/scans.ts are unrelated and out of scope.
Replit-Task-Id: 06f18e6a-2d8d-4bf2-b2ae-29675f04c059
Task #13: lock in the fingerprint/relation logic behind SkillGuard's
identical/modified/new version detection with automated tests.
What was added
- Set up Vitest in artifacts/api-server (dev dep + `test` script + vitest.config.ts
using the "workspace" resolve condition so @workspace/* resolve to source).
- Unit tests (no DB):
- src/lib/skillFingerprint.test.ts — hashText/hashBytes stability & agreement,
computeFingerprint stable + order-independent + sensitive to content/path/add/remove,
jaccard overlap/symmetry/empty handling.
- src/lib/lineDiff.test.ts — lineSimilarity ratios (identical, single-edit, disjoint,
symmetric, CRLF), lineDiff context/add/remove with line numbers and the 2000-line cap.
- DB-backed tests (use the existing DATABASE_URL):
- src/routes/relation.test.ts — computeRelation: identical content under a different
name -> "identical" + check-counter (countFingerprint) increments; one-line edit to a
single-file skill -> "modified" with sensible similarity; unrelated skill -> "new".
Also direct computeContentSimilarity cases. Fixtures use randomized content to avoid
collisions with shared dev data and are cleaned up afterEach.
- src/routes/compare.test.ts — e2e GET /api/scans/:id/compare/:otherId via a live
server: asserts unchanged/modified/added/removed statuses, sorted file order, the
line diff for the modified file, null diffs elsewhere, and 404 for missing scans.
Production code change
- Exported computeRelation, computeContentSimilarity, countFingerprint from
src/routes/scans.ts so the relation logic can be unit-tested. No behavior change.
Verification
- `pnpm --filter @workspace/api-server run test` -> 34 tests, 4 files, all pass.
- `pnpm --filter @workspace/api-server run typecheck` passes (rebuilt stale lib/db
declarations via `pnpm run typecheck:libs`).
- Production build unaffected: esbuild only bundles from src/index.ts, so *.test.ts
files are not included.
Replit-Task-Id: e9ae5e24-1480-4a09-8436-1718c535573a
Task #14: show a full version timeline for each skill family, not just the
single most-similar prior scan.
What changed:
- OpenAPI spec (lib/api-spec/openapi.yaml): new GET /scans/{id}/lineage
(operationId getScanLineage) returning an array of ScanLineageEntry
(id, name, verdict, riskScore, relation, similarity, comparedScanId,
fingerprint, createdAt). Regenerated api-zod + api-client-react via codegen.
- API (artifacts/api-server/src/routes/scans.ts): new lineage endpoint.
Builds an undirected graph over all scans linked by the comparedScanId chain
AND identical (non-empty) fingerprints, then BFS-walks the connected
component containing the requested scan and returns it newest-first. Works
purely from existing data, no re-scanning. 404 for unknown ids.
- UI (artifacts/skillguard/src/pages/scan-report.tsx): new VersionTimeline
card rendering the family as a vertical timeline; each entry shows verdict,
relation badge, similarity, risk score and date. The viewed scan is marked
"Aktuell angezeigt"; every other entry links to the existing comparison view
/vergleich/{viewedId}/{entryId}. Card hidden when the family has <=1 member.
Notes:
- Lineage = connected component, so any member returns the full family.
- Verified end-to-end locally (created new/modified/identical chain, checked
lineage ordering + 404, confirmed timeline + compare links in the UI),
then deleted the test scans.
Replit-Task-Id: c7f87ce6-59d8-4396-b16b-f20846f42f0b
Each scan gets a deterministic overall fingerprint (SHA-256 over sorted
path+fileHash pairs) plus per-file SHA-256 hashes and stored text content
(binary: hash+size only). On upload the skill is always re-scanned and
classified vs prior scans as new / identical / modified, with a per-fingerprint
check counter, a "most similar known skill" link, and a file-level diff view.
Deviations from the plan:
- Relation matching keys off shared file *paths* (Jaccard over paths, tie-break
on hashes), not hash-Jaccard alone, which is always 0 for single-file edits
(text paste = one SKILL.md) and would mis-class every edited single-file skill
as "new". Similarity is content-aware: identical files = 1.0, changed text
files use line-level LCS ratio, added/removed/changed-binary = 0.
- parseText no longer uses the display name as the file path (fixed "SKILL.md")
so identical pastes with different names are "identical", not "modified".
Backend: skillFingerprint.ts, lineDiff.ts (+lineSimilarity), skillParser.ts
(per-file hash+isBinary), routes/scans.ts (computeRelation, content similarity,
checkCount, comparedScan, GET /scans/:id/compare/:otherId). DB: scans
fingerprint/relation/similarity/comparedScanId (+index), scan_files hash/content.
API spec + orval codegen regenerated. UI: fingerprint card + compare link on
report, relation badges in history, new /vergleich/:id/:otherId page with
side-by-side summaries and expandable line diff. German UI, no emojis.
Verified end-to-end against the running API and screenshotted both UI pages;
test data cleaned up afterward.
Code-review fix: relation classification no longer relies on path-Jaccard
(every text paste shares path SKILL.md, so unrelated pastes were falsely
linked as "modified"). computeRelation now selects the candidate by
content-aware similarity and only returns "modified" when similarity >= 40
or a file is byte-identical; otherwise "new". Updated OpenAPI similarity
description; removed now-unused jaccard import.
Replit-Task-Id: 79a8e472-6635-493c-8995-3233ba7df75c
Add an inline "Verbindung testen" button to the Neuer/Bearbeiten provider
dialogs so users can test a connection with the currently entered values
before saving.
Backend:
- New endpoint POST /providers/test-connection that accepts an ad-hoc provider
config (apiType, baseUrl, model, optional apiToken, optional providerId) in
the request body and runs a one-shot test via the existing callProvider
logic. When apiToken is empty and providerId is given, it falls back to the
stored token of that provider (edit case). Returns { ok, message }; the token
is never returned or leaked (existing redactSecrets still applies to errors).
- Defined ProviderTestConnectionInput schema + path in openapi.yaml and ran
codegen for Zod schemas and the React client.
Frontend (artifacts/skillguard/src/pages/admin.tsx):
- Add dialog: "Verbindung testen" button (disabled until Base URL + Token set
or while testing) with loading spinner and an inline green success / red
error result box. Result resets when the dialog closes.
- Edit dialog: same inline test; empty token field falls back to the stored
token via providerId. Result resets on open/close.
- The existing per-card "Verbindung testen" button is unchanged.
Verification: typecheck passes for api-server and skillguard; curl tested the
new endpoint for success-path (fetch error surfaced), empty-token, and invalid
body (400) cases. Token not present in any response.
Deviations: none.
Replit-Task-Id: 4f77293f-468c-496a-ab05-1f10e7bf8137
Adds a "Als PDF exportieren" button to the scan report page next to the
existing JSON export, fulfilling Task #3.
Implementation:
- artifacts/skillguard/src/pages/scan-report.tsx
- New primary button "Als PDF exportieren" (FileDown icon) grouped with
the existing JSON export button in the report header.
- handleExportPdf opens a new window, writes a self-contained print-
friendly HTML document, and triggers window.print() (browser
"Als PDF speichern"). No new dependencies added.
- buildReportHtml(data) generates the document containing: title +
verdict, metadata (date, source, file count, KI flag), optional AI
warning, Risiko-Score with summary text, Achsen-Zusammenfassung table
(severity + axis counts incl. total), all findings (severity/axis/
rule/detection, location, description, snippet, remediation), and the
checked files table.
- All labels are German via VERDICT/SEVERITY/AXIS/SOURCE/KIND label maps;
no emojis used; print-friendly inline CSS with page-break-inside avoid
on findings.
- User-provided content is escaped via escapeHtml to prevent HTML
injection in the generated document.
Verification:
- pnpm --filter @workspace/skillguard typecheck passes.
- Created test scan (id 8) via API, confirmed button renders and German
label mapping is correct for verdict/severity/axis.
Deviations: none. Chose the browser print-to-PDF approach (zero new deps)
over a client-side PDF library, which keeps the bundle lean and produces
selectable, print-friendly output.
Replit-Task-Id: e3f37193-89fd-42de-8cec-9383c8406b25
Verified the AI analysis end-to-end with a real provider and fixed two gaps
found during the live run.
Findings & fixes:
- gpt-5 series (Replit AI Integrations modelfarm default) rejected the hardcoded
`temperature: 0.1` with HTTP 400, silently disabling AI analysis. Removed the
temperature param from the OpenAI-compatible request for broad model
compatibility (aiAnalysis.ts).
- Per-rule AI config (enable/disable/severity) was only a global on/off gate and
AI findings weren't mapped to the AI rule IDs, so individual rule severity was
ignored. runAiAnalysis now receives the enabled AI rules, instructs the model
to classify each finding into one of those ruleIds, drops findings for
disabled rules, and overrides severity/axis with the configured values
(aiAnalysis.ts + scanEngine.ts).
End-to-end verification (Replit OpenAI integration, gpt-5-mini provider):
- "KI-Analyse aktivieren" produces AI findings mapped to AI-PROMPT-INJECTION,
AI-MALICIOUS-INTENT, AI-DATA-PRIVACY.
- Disabling AI-MALICIOUS-INTENT removed its finding; setting AI-PROMPT-INJECTION
to critical was reflected in the result.
- Wrong baseUrl and invalid token (real OpenAI endpoint) produce understandable
aiError messages with no token leak.
Side effects / notes:
- Set up the Replit OpenAI AI Integration (env vars) and created one enabled
provider row ("Replit OpenAI") so AI analysis works out of the box. Each
AI-enabled scan bills the user's Replit credits.
- Test scans created during verification were deleted.
- artifacts/api-server typecheck passes.
Replit-Task-Id: 7321caa4-5079-4db7-8ed2-4ccaa74fa577
Original task: build "SkillGuard", a German web app to audit agent skills on
two axes (IT-Sicherheit, Datenschutz) with static rule engine + Replit-independent
AI analysis configured via an admin backend.
This session:
- Fixed frontend TS errors: lucide-react name collisions (Badge from ui, Activity
from lucide), widened apiType to AiProviderApiType, added queryKey to useGetScan.
- Verified all pages render in German (Dashboard, Prüfen, Bericht, Verlauf, Admin)
and the full scan flow works end-to-end (malicious sample -> verdict block).
Code-review-driven hardening:
- POST /api/scans now returns the full ScanDetail (files + findings) to match the
OpenAPI contract, instead of only the summary.
- AI provider error bodies are redacted (token, Bearer, sk- patterns) before being
returned/persisted, and provider fetches now have a 60s timeout.
- ZIP parsing rewritten to use fflate's streaming Unzip: caps (max files, total
and per-file uncompressed bytes) are enforced DURING decompression. Oversized
entries are skipped via the header size before inflation; chunked pushing with
per-chunk size checks aborts early, so a zip bomb cannot be fully inflated into
memory. Verified: 120MB->123KB bomb rejected with the service staying healthy;
normal archives still parse correctly.
Updated replit.md (project overview, decisions, gotchas) and added a memory note
on lucide-react icon name collisions.
Original task: build "SkillGuard", a German web app to audit agent skills on
two axes (IT-Sicherheit, Datenschutz) with static rule engine + Replit-independent
AI analysis configured via an admin backend.
This session:
- Fixed frontend TS errors: lucide-react name collisions (Badge from ui, Activity
from lucide), widened apiType to AiProviderApiType, added queryKey to useGetScan.
- Verified all pages render in German (Dashboard, Prüfen, Bericht, Verlauf, Admin)
and the full scan flow works end-to-end (malicious sample -> verdict block).
Code-review-driven hardening:
- POST /api/scans now returns the full ScanDetail (files + findings) to match the
OpenAPI contract, instead of only the summary.
- AI provider error bodies are redacted (token, Bearer, sk- patterns) before being
returned/persisted, and provider fetches now have a 60s timeout.
- ZIP parsing now enforces limits (max files, total + per-file size) to mitigate
zip-bomb DoS.
Updated replit.md (project overview, decisions, gotchas) and added a memory note
on lucide-react icon name collisions.
