HITL support for react-package#17
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Firetiger deploy monitoring skipped This PR didn't match the auto-monitor filter configured on your GitHub connection:
Reason: PR is for react-package, which is not one of the specified monitored repos (kernel, infra, hypeman, hypeship). To monitor this PR anyway, reply with |
![vercel[bot]](https://avatars.githubusercontent.com/in/8329?s=60&v=4){kind=small}
|
|
||
| {liveViewUrl ? ( | ||
| <div className="kma-human-intervention__iframe-wrap"> | ||
| <iframe |
There was a problem hiding this comment.
The iframe element in HumanInterventionStep.tsx is missing the sandbox attribute, which lacks protection against potential XSS and script injection attacks
masnwilliams
left a comment
masnwilliams
left a comment
There was a problem hiding this comment.
reviewed alongside the server side (kernel/kernel#2117). the flow lines up well — the AWAITING_HUMAN_INTERVENTION enum and live_view_url match both ends, the SSE merge already propagates the url, and the bouncing-dots fallback handles the timing gap nicely. but the PR doesn't currently compile, and a few user-facing bits need to route through the customization systems:
blocking
src/components/HumanInterventionStep.tsx:18—slot("humanInterventionMessage", ...)references an appearance key that was never added toAppearanceElements. sinceAppearanceElementKey = keyof AppearanceElements(no index signature),bun run typecheckfails:
error TS2345: Argument of type '"humanInterventionMessage"' is not assignable to parameter of type 'keyof AppearanceElements'.
registerhumanInterventionMessageinsrc/appearance/types.tsto fix the build and actually expose the slot.
customization / localization / styling
src/appearance/types.ts— also add a slot for the live-view iframe wrap (e.g.humanInterventionFrame) and apply it on.kma-human-intervention__iframe-wrap. it's this step's distinctive visual element (the wayexternalActionIconis for the external-action step), so customers should be able to theme it.src/components/HumanInterventionStep.tsx— theLivebadge label is a hardcoded literal; it's the only string in the component not going throughl.*. add ahumanInterventionLiveBadgelocalization key (localization/types.ts+defaults.ts) and render{l.humanInterventionLiveBadge}.src/styles/styles.css— hardcoded colors should use design tokens: live dotoklch(0.704 0.191 22.216)→var(--kma-color-danger)(red live indicator = that semantic); badgergba(0,0,0,0.65)/#fff→ prefer tokens for the overlay foreground at least.
note (no action)
- the iframe has no
sandbox. fine here —live_view_urlis built entirely server-side (kernel-controlled origin) and the live view needs full interactivity to solve the captcha, so a restrictive sandbox would break it. flagging only because the trust boundary was raised in the summary.
2 participants
Note
Medium Risk
Embeds a backend-provided URL in an iframe during login, which affects trust boundaries and UX in the auth flow though session logic is mostly mapping and presentation.
Overview
Adds human-in-the-loop (HITL) handling when the backend reports
AWAITING_HUMAN_INTERVENTION: the session maps that flow step to a newawaiting_human_interventionUI state andKernelManagedAuthrenders a dedicated step instead of the normal form or external-action waiters.The new
HumanInterventionStepshows localized copy (with an appearance slot on the message), embedsstate.live_view_urlin a 4:3 iframe when present (with a “Live” badge andclipboard-write), or falls back to bouncing dots while the URL is missing. Default English strings and optional localization keys were added for this step.Styles widen the shell/card via
:has(.kma-human-intervention)and animatemax-widthso the live view has room (up to ~960px).Reviewed by Cursor Bugbot for commit 956c8b1. Bugbot is set up for automated code reviews on this repo. Configure here.