Conversation
Update README links and sponsor image URLs
Update special channels section in README
Improve the post-install script
added more download URLs
Update DownloadUrls.psd1
Add an architecture, and fixed a comment on the telemetry section.
Add a telemetry to WelsonJS Launcher
Added the assembly loader with Azure Blob Storage
Add support *.dll.gz file in Assembly Loader
Separate HttpClient instances for raw and compressed HTTP transfer modes
Introduce the Catswords.Phantomizer to load DLL files via network
Edit README.md (Catswords.Phantomizer)
Update README.md (Catswords.Phantomizer)
Update README.md (Catswords.Phantomizer)
Inspired by the i83 cats.txt draft format, integrated within the IETF cats.txt structure.
Update the integrity check (Catswords.Phantomizer)
Fix some bugs (Catswords.Phantomizer)
Change the project name to WelsonJS.Toolkit to WelsonJS.Augmented
Add the utm_source parameter to the all of external links (README.md)
Add Tenstorrent Korea OSS Developer Program (Planned for 2026)
Fix #374 (postInstall.ps1)
Add methods to ensure TLS security protocols are enabled
Add Catswords.TlsReport TLS 1.2 offline inspector tool
Add support Outlook classic (Microsoft Office)
Microsoft Outlook + ChatGPT integration with real-world case
Updated sections on offline distribution and license, added disclaimer.
Added section for requesting an offline copy of the project.
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.23...4.18.1) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
….18.1 Bump lodash from 4.17.23 to 4.18.1
All updates until 2026-04-12
Updated README to include new links and features.
--- updated-dependencies: - dependency-name: log4net dependency-version: 3.3.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
…ted/WelsonJS.Launcher/log4net-3.3.0 Bump log4net from 3.2.0 to 3.3.0
All updates until 2026-04-18
Add WelsonJS One-Click Installer script #404
Rename install.ps1 to bootstrap.ps1 and update URLs
Add the one-click bootstrap
Clarified the PowerShell usage instruction in README.
Added PowerShell command for bootstrapping WelsonJS.
Contributor
Reviewer's GuideRefreshes project documentation and onboarding paths, introduces an agent architecture guide, updates funding and contact information, and aligns ancillary docs and metadata with current branding and distribution methods. Sequence diagram for WelsonJS launch and agent initializationsequenceDiagram
participant User
participant Launcher as WelsonJS_Launcher
participant JSRuntime as JavaScript_Runtime_Agent
participant Interop as Interop_Binding_Layer
participant Phantomizer as Catswords_Phantomizer
participant Toolkit as WelsonJS_Toolkit
User->>Launcher: Start_WelsonJS_application()
Launcher->>Launcher: loadConfiguration()
Launcher->>Toolkit: initializeEnvironment()
Toolkit-->>Launcher: environmentReady
Launcher->>Phantomizer: loadAssembly(WelsonJS_Toolkit)
Phantomizer-->>Launcher: assemblyLoaded
Launcher->>JSRuntime: initialize()
JSRuntime->>JSRuntime: loadPolyfills()
JSRuntime->>JSRuntime: initializeModuleSystem()
Launcher->>JSRuntime: runMainScript(entryScript)
JSRuntime->>Interop: require(nativeModule)
Interop->>Phantomizer: loadAssembly(nativeModule)
Phantomizer-->>Interop: nativeModuleInstance
Interop-->>JSRuntime: nativeModuleProxy
JSRuntime->>nativeModuleProxy: invokeBoundApi(parameters)
nativeModuleProxy-->>JSRuntime: result
JSRuntime-->>Launcher: scriptCompleted
Launcher-->>User: exitWithStatus(status)
Class diagram for WelsonJS agents and responsibilitiesclassDiagram
class JavaScript_Runtime_Agent {
+loadPolyfills()
+initializeModuleSystem()
+require(moduleId)
+executeScript(entryPath)
+handleError(error)
}
class WelsonJS_Launcher {
+loadConfiguration()
+initializeEnvironment()
+loadToolkitModules()
+runMainScript()
+startServiceMode()
}
class Interop_Binding_Layer {
+invokeNative(agentName, methodName, parameters)
+marshalToNative(value)
+marshalToJS(value)
+handleNativeException(exception)
+detectCapabilities()
}
class Security_Policy_Agent {
+verifyModuleIntegrity(path)
+isModuleAllowed(name)
+restrictFileSystem(path)
+restrictRegistry(path)
+logSecurityEvent(event)
}
class Fallback_Compatibility_Agent {
+isAgentAvailable(name)
+provideJSFallback(name)
+logMissingDependency(name)
+enterReducedFunctionalityMode()
}
class Catswords_Phantomizer {
+loadAssembly(path)
+loadCompressedAssembly(path)
+verifyAssemblySignature(path)
+getCachedAssembly(name)
+unloadAssembly(name)
}
class WelsonJS_Esent {
+createDatabase(path)
+openDatabase(path)
+openTable(name)
+beginTransaction()
+commitTransaction()
+rollbackTransaction()
+disposeResources()
}
class WelsonJS_Cryptography {
+encrypt(algorithm, key, data)
+decrypt(algorithm, key, data)
+computeHash(algorithm, data)
+generateRandomBytes(length)
+validateTestVectors()
}
class WelsonJS_Service {
+installService(serviceName)
+uninstallService(serviceName)
+onStart()
+onStop()
+runScriptAsService(scriptPath)
}
class WelsonJS_Toolkit {
+readFile(path)
+writeFile(path, content)
+log(message, level)
+getEnvironmentVariable(name)
+createComObject(progId)
}
class Virtual_HID_Agent {
+findWindow(title)
+sendClick(x, y)
+sendKeys(sequence)
+sendEnterKey()
+showAlert(message)
+showConfirm(message)
+showPrompt(message)
}
class Network_HTTP_ICMP_Agent {
+httpGet(url, options)
+httpPost(url, body, options)
+detectCharset(response)
+detectSsl(url)
+sendIcmpPing(host)
}
class Chromium_Control_Agent {
+runBrowser(profile)
+createProfile(name)
+navigate(url)
+getActivePages()
+findPageByTitle(title)
+setTextboxValue(selector, value)
+sendClick(selector)
+sendKeys(selector, sequence)
+autoScrollUntilEnd(selector)
}
class GRPC_Service_Agent {
+runServer(port)
+receiveCommand(command)
+shutdownServer()
}
class GUI_WebView_Agent {
+checkEnvironment()
+createWindow(title)
+navigate(url)
+closeWindow()
}
WelsonJS_Launcher --> JavaScript_Runtime_Agent : bootstraps
WelsonJS_Launcher --> Catswords_Phantomizer : loads_assemblies
WelsonJS_Launcher --> WelsonJS_Toolkit : initializes
JavaScript_Runtime_Agent --> Interop_Binding_Layer : uses
Interop_Binding_Layer --> Catswords_Phantomizer : resolves
Interop_Binding_Layer --> WelsonJS_Esent : database_calls
Interop_Binding_Layer --> WelsonJS_Cryptography : crypto_calls
Interop_Binding_Layer --> WelsonJS_Service : service_calls
Interop_Binding_Layer --> WelsonJS_Toolkit : utility_calls
Interop_Binding_Layer --> Virtual_HID_Agent : input_calls
Interop_Binding_Layer --> Network_HTTP_ICMP_Agent : network_calls
Interop_Binding_Layer --> Chromium_Control_Agent : browser_control
Interop_Binding_Layer --> GRPC_Service_Agent : grpc_calls
Interop_Binding_Layer --> GUI_WebView_Agent : gui_calls
Security_Policy_Agent --> Interop_Binding_Layer : enforces
Security_Policy_Agent --> WelsonJS_Toolkit : validates_access
Fallback_Compatibility_Agent --> JavaScript_Runtime_Agent : provides_polyfills
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
Contributor
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
Review Summary by QodoAdd agent architecture documentation and update project metadata
WalkthroughsDescription• Add comprehensive agent architecture documentation (AGENTS.md) • Update funding, contact, and community links across multiple files • Upgrade log4net dependency from 3.2.0 to 3.3.0 with binding redirect • Add cats.txt well-known file with WelsonJS metadata and feline registry • Enhance README with new badges, installation methods, and feature updates Diagramflowchart LR
A["Documentation Updates"] --> B["AGENTS.md<br/>Agent Architecture"]
A --> C["cats.txt<br/>Well-known Metadata"]
D["Configuration Updates"] --> E["Funding & Contact Info"]
D --> F["log4net 3.3.0<br/>Dependency Upgrade"]
G["README Enhancements"] --> H["New Badges & Links"]
G --> I["Installation Methods"]
G --> J["Feature Highlights"]
File Changes1. AGENTS.md
|
Contributor
Code Review by Qodo
1. Launcher boot depends on log4net
|
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- In README.md, the section header
## Offine copyhas a typo and the offline distribution instructions now differ from SECURITY.MD (form link vs. Discord contact); consider fixing the spelling and aligning both documents on a single, consistent process. - In AGENTS.md under the Subprojects section, there is a typo in
OpenClaw compatible the skill definition for a bulit-in JSRT— this should likely bebuilt-in JSRT(and you may want to tweak the surrounding phrasing for clarity while you are there). - The new
.well-known/cats.txtfile is added but appears to be empty in this diff; if it is required by a specification or integration, consider adding the expected contents or a short comment, otherwise remove it until it’s needed to avoid shipping unused placeholders.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In README.md, the section header `## Offine copy` has a typo and the offline distribution instructions now differ from SECURITY.MD (form link vs. Discord contact); consider fixing the spelling and aligning both documents on a single, consistent process.
- In AGENTS.md under the Subprojects section, there is a typo in `OpenClaw compatible the skill definition for a bulit-in JSRT` — this should likely be `built-in JSRT` (and you may want to tweak the surrounding phrasing for clarity while you are there).
- The new `.well-known/cats.txt` file is added but appears to be empty in this diff; if it is required by a specification or integration, consider adding the expected contents or a short comment, otherwise remove it until it’s needed to avoid shipping unused placeholders.
## Individual Comments
### Comment 1
<location path="README.md" line_range="177-178" />
<code_context>
-## Offline Distribution
-You may [request offline distribution](https://forms.gle/4WCnJmnFNDzubUmk7?utm_source=welsonjs) if you are in a restricted environment, such as one without internet access or with specific security requirements.
+## Offine copy
+If you require an offline copy of this project, please contact an appropriate project maintainer via Discord to arrange the request.
</code_context>
<issue_to_address>
**issue (typo):** Correct the heading typo from "Offine" to "Offline".
Change the heading text to "Offline copy".
```suggestion
## Offline copy
If you require an offline copy of this project, please contact an appropriate project maintainer via Discord to arrange the request.
```
</issue_to_address>
### Comment 2
<location path="README.md" line_range="189" />
<code_context>
+
+## Subprojects
+* [catswords-jsrt-rs](https://github.com/gnh1201/catswords-jsrt-rs): Minimal ChakraCore (JsRT) bindings for Rust.
+* [jsrt-claw](https://github.com/gnh1201/jsrt-claw): OpenClaw compatible the skill definition for a bulit-in JSRT (JScript 5.x)
+
+## Disclaimer
</code_context>
<issue_to_address>
**issue (typo):** Fix the typo "bulit-in" and clarify the phrasing of the jsrt-claw description.
For example: `OpenClaw-compatible skill definition for the built-in JSRT (JScript 5.x).`
```suggestion
* [jsrt-claw](https://github.com/gnh1201/jsrt-claw): OpenClaw-compatible skill definition for the built-in JSRT (JScript 5.x).
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Comment on lines
+177
to
+178
| ## Offine copy | ||
| If you require an offline copy of this project, please contact an appropriate project maintainer via Discord to arrange the request. |
Contributor
There was a problem hiding this comment.
issue (typo): Correct the heading typo from "Offine" to "Offline".
Change the heading text to "Offline copy".
Suggested change
| ## Offine copy | |
| If you require an offline copy of this project, please contact an appropriate project maintainer via Discord to arrange the request. | |
| ## Offline copy | |
| If you require an offline copy of this project, please contact an appropriate project maintainer via Discord to arrange the request. |
|
|
||
| ## Subprojects | ||
| * [catswords-jsrt-rs](https://github.com/gnh1201/catswords-jsrt-rs): Minimal ChakraCore (JsRT) bindings for Rust. | ||
| * [jsrt-claw](https://github.com/gnh1201/jsrt-claw): OpenClaw compatible the skill definition for a bulit-in JSRT (JScript 5.x) |
Contributor
There was a problem hiding this comment.
issue (typo): Fix the typo "bulit-in" and clarify the phrasing of the jsrt-claw description.
For example: OpenClaw-compatible skill definition for the built-in JSRT (JScript 5.x).
Suggested change
| * [jsrt-claw](https://github.com/gnh1201/jsrt-claw): OpenClaw compatible the skill definition for a bulit-in JSRT (JScript 5.x) | |
| * [jsrt-claw](https://github.com/gnh1201/jsrt-claw): OpenClaw-compatible skill definition for the built-in JSRT (JScript 5.x). |
![qodo-code-review[bot]](https://avatars.githubusercontent.com/in/484649?s=60&v=4){kind=small}
Comment on lines
+77
to
80
| <Reference Include="log4net, Version=3.3.0.0, Culture=neutral, PublicKeyToken=669e0ddf0bb1aa2a"> | ||
| <HintPath>..\packages\log4net.3.3.0\lib\net462\log4net.dll</HintPath> | ||
| <Private>True</Private> | ||
| </Reference> |
Contributor
There was a problem hiding this comment.
1. Launcher boot depends on log4net 📘 Rule violation ☼ Reliability
The Launcher bootstrap path uses the third-party log4net library, which violates the requirement that initialization use only .NET BCL dependencies before loading additional modules. If log4net is missing/mis-bound, startup can fail before any fallback/toolkit loading occurs.
Agent Prompt
## Issue description
The Launcher initializes `log4net` during bootstrapping, which introduces a non-.NET-BCL dependency before the launcher’s module/toolkit loading phase.
## Issue Context
Per compliance, the earliest launcher initialization path must use only .NET BCL dependencies. Currently, `Program`'s static initialization calls `LoggingBootstrap.Init(...)` and `LogManager.GetLogger(...)` before `InitializeAssemblyLoader()`.
## Fix Focus Areas
- WelsonJS.Augmented/WelsonJS.Launcher/Program.cs[32-47]
- WelsonJS.Augmented/WelsonJS.Launcher/LoggingBootstrap.cs[1-47]
- WelsonJS.Augmented/WelsonJS.Launcher/WelsonJS.Launcher.csproj[77-80]
- WelsonJS.Augmented/WelsonJS.Launcher/app.config[35-41]
- WelsonJS.Augmented/WelsonJS.Launcher/packages.config[1-3]
## Implementation direction
- Replace early-boot logging with BCL-only mechanisms (e.g., `System.Diagnostics.Trace`, `EventLog`, or minimal file logging via `System.IO`) until after the toolkit/module loading boundary.
- If `log4net` is still desired, initialize/configure it only after the bootstrap phase completes, and ensure failures fall back to BCL logging rather than aborting startup.
- If `log4net` is not strictly required, remove the reference/package and the bindingRedirect entirely.
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
| * :rocket: [Launch the WelsonJS environment on Microsoft Azure (azuremarketplace.microsoft.com)](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/catswords.catswords-welsonjs-feb2025-02?tab=Overview) | ||
| * :rocket: [Launch the WelsonJS pre-configured VM from Microsoft Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/catswords.catswords-welsonjs-feb2025-02?tab=Overview) | ||
| * :kissing_cat: [Download the WelsonJS Launcher](https://catswords.blob.core.windows.net/welsonjs/welsonjs_launcher_latest.zip) | ||
| * :shell: In PowerShell: `irm https://catswords.blob.core.windows.net/welsonjs/bootstrap.ps1 | iex` |
Contributor
There was a problem hiding this comment.
2. Remote script pipe-exec 🐞 Bug ⛨ Security
README.md now instructs users to execute a remotely hosted PowerShell script via irm ... | iex, which runs network-fetched content directly in the caller’s session without any pinned hash/signature verification. If the hosting endpoint is compromised or content is modified, users following the official docs can be tricked into immediate arbitrary code execution.
Agent Prompt
### Issue description
`README.md` instructs users to run `irm https://…/bootstrap.ps1 | iex`, which executes remote content directly in the current PowerShell session without integrity verification.
### Issue Context
This is a supply-chain/RCE risk for any user who follows the project’s official installation instructions.
### Fix Focus Areas
- README.md[23-31]
- README.md[125-131]
### What to change
- Replace `irm … | iex` with a **download-to-file** flow, e.g. `iwr/irm -OutFile bootstrap.ps1`, then instruct users to **inspect** and run `./bootstrap.ps1`.
- Add at least one integrity mechanism:
- Preferably provide a **pinned SHA-256** (per release) and document `Get-FileHash` verification, and/or
- Use **Authenticode signing** and document `Get-AuthenticodeSignature` verification.
- If you must keep a one-liner, add a prominent warning and/or use a commit/release-pinned URL (not a mutable blob path), plus verification steps.
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
All updates of master branch until 2026-04-18
Summary by Sourcery
Update documentation, metadata, and sponsorship configuration, and add an agent architecture guide for WelsonJS.
Documentation:
Chores: