Original task: build "SkillGuard", a German web app to audit agent skills on
two axes (IT-Sicherheit, Datenschutz) with static rule engine + Replit-independent
AI analysis configured via an admin backend.
This session:
- Fixed frontend TS errors: lucide-react name collisions (Badge from ui, Activity
from lucide), widened apiType to AiProviderApiType, added queryKey to useGetScan.
- Verified all pages render in German (Dashboard, Prüfen, Bericht, Verlauf, Admin)
and the full scan flow works end-to-end (malicious sample -> verdict block).
Code-review-driven hardening:
- POST /api/scans now returns the full ScanDetail (files + findings) to match the
OpenAPI contract, instead of only the summary.
- AI provider error bodies are redacted (token, Bearer, sk- patterns) before being
returned/persisted, and provider fetches now have a 60s timeout.
- ZIP parsing rewritten to use fflate's streaming Unzip: caps (max files, total
and per-file uncompressed bytes) are enforced DURING decompression. Oversized
entries are skipped via the header size before inflation; chunked pushing with
per-chunk size checks aborts early, so a zip bomb cannot be fully inflated into
memory. Verified: 120MB->123KB bomb rejected with the service staying healthy;
normal archives still parse correctly.
Updated replit.md (project overview, decisions, gotchas) and added a memory note
on lucide-react icon name collisions.
8eae5f4fe6