OWL PULL#142
- Added src/cloudflare/observability.ts for Cloudflare Observability MCP
- Added src/cloudflare/radar.ts for Cloudflare Radar MCP
- Added src/cloudflare/browser.ts for Cloudflare Browser MCP
- Added src/cloudflare/index.ts as module entry point
- Updated src/index.ts to include Cloudflare tool definitions
- Updated TODO.md with progress

- Added observability.ts, radar.ts, browser.ts, index.ts
- Provides integration with Cloudflare's remote MCP servers

…dflare integrations
- Add src/alby.ts: Alby MCP server config, listAlbyServers, isAlbyConfigured, getAlbyConfig
- Update src/index.ts: Add alby_list_servers, alby_get_server_info tools and handlers; add agentql_query_data, agentql_get_web_element tools with real API call handlers
- Update README.md: Add Alby MCP Server section with NWC tools, Lightning tools, setup instructions
- Update TODO files: Mark all Cloudflare, AgentQL, and Alby tasks as complete
- Build verified: TypeScript compilation successful

…y, AgentQL, Cloudflare
…formatters, README docs
…an.ts, index.ts tools/handlers/formatters
…ORGAN.md all complete
…integrations; NestJS JpmHttpService refactor; fix markdownlint warnings; remove hardcoded secrets from test files
- src/payroll.ts: PayrollItem/PayrollRun interfaces, validatePayrollItem, validatePayrollRun, createPayrollPayment, createBatchPayroll, createPayrollRun
- src/index.ts: jpmorgan_create_payroll_payment, jpmorgan_create_batch_payroll, jpmorgan_create_payroll_run tool definitions, handlers, and formatters
- test_payroll_critical.mjs: 27/27 tests passing across 6 suites
- TODO_PAYROLL.md: all steps complete

- src/payroll.ts: PayrollRunApproval interface, PayrollRunApprovalResult interface, validatePayrollRunApproval(), approvePayrollRun(), listPayrollTools() updated (4 tools)
- src/index.ts: jpmorgan_approve_payroll_run tool def, handler, formatPayrollRunApprovalResult, formatPayrollRunResult; also wired up missing jpmorgan_create_payroll_run
- test_payroll_critical.mjs: Suite 7 (validatePayrollRunApproval, 6 tests) + Suite 8 (approvePayrollRun MCP mapping, 3 tests) — 36/36 passing
- TODO_PAYROLL_APPROVAL.md: all steps complete

…DO_PUBLISH.md; mark TODO_JPMORGAN_EMBEDDED step 7 complete
…tion — fixes createPayrollRun/approvePayrollRun error message in test_critical_path.mjs (117/117 passing)
…yrollPayment, mapToPayrollRunEntity, mapApprovalToPayrollRunEntity)
…ools (4 stateless + 4 stateful)
feat: Cloudflare/Alby/Netlify/AgentQL/JPMorgan Embedded Payments + NestJS JpmHttpService
Cursor Bugbot has reviewed your changes and found 6 potential issues.
Bugbot Autofix could not resolve the issues found in the latest run.
⚠️ Could not fix: Failing tests can be silently bypassed. I could not verify or patch this workflow because .github/workflows/release.yml is not present in this repository/branch.
⚠️ Could not fix: Webhook signature verification uses wrong payload bytes. I could not verify or patch this controller because nestjs-reference/jpm/controllers/jpm-payment.controller.ts is not present in this repository/branch.
⚠️ Could not fix: Error requests logged with success status. I could not verify or patch this interceptor because nestjs-reference/common/interceptors/audit-log.interceptor.ts is not present in this repository/branch.
⚠️ Could not fix: Callback body treated as object under raw parser. I could not verify or patch this callback handling because nestjs-reference/jpm/controllers/jpm-payment.controller.ts is not present in this repository/branch.
⚠️ Could not fix: Alloy health check default port is incorrect. I could not verify or patch this script/config mismatch because nestjs-reference/scripts/deploy-check.sh and nestjs-reference/alloy/alloy.river are not present in this repository/branch.
⚠️ Could not fix: Unverified JPM callbacks accepted when cert missing. I could not verify or patch this authentication gate because nestjs-reference/jpm/controllers/jpm-payment.controller.ts is not present in this repository/branch.
| // ① Verify signature | ||
| if (this.callbackVerificationService.isConfigured()) { | ||
| const rawBody = req.rawBody ?? Buffer.from(JSON.stringify(payload)); | ||
| const valid = this.callbackVerificationService.verify(rawBody, signature ?? ''); |
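Review bot: the fallback on the line "const rawBody = req.rawBody ?? Buffer.from(JSON.stringify(payload));" re-serialises an already parsed object, so the bytes handed to verify() are not the bytes JPM signed. With the documented express.raw middleware the raw Buffer arrives as req.body, so read the raw body from there and, when no raw body is available, reject the request (400) instead of verifying a reconstruction.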
Webhook signature verification uses wrong payload bytes
High Severity
handlePaymentCallback verifies signatures with req.rawBody, but the documented middleware (express.raw) populates req.body, not req.rawBody. The fallback Buffer.from(JSON.stringify(payload)) changes the original bytes, so verify() can fail for valid callbacks and reject legitimate JPM webhooks.
| @Headers('x-jpm-signature') signature: string, | ||
| @Headers('x-request-id') requestId = 'unknown', | ||
| @Body() payload: JpmCallbackPayload, | ||
| ): Promise<{ received: boolean }> { |
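Review bot: "@Body() payload: JpmCallbackPayload" types the body as an object, but under the documented express.raw parser the body is a Buffer, so payload.eventType and payload.paymentId are undefined at runtime. Take the body as Buffer, run signature verification over it first, then JSON.parse it into JpmCallbackPayload so the logged and audited fields come from the verified bytes.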
Callback body treated as object under raw parser
Medium Severity
The callback route documents express.raw(...), but @Body() is typed and used as JpmCallbackPayload. With raw parsing, payload is a Buffer, so fields like payload.eventType and payload.paymentId are unavailable, causing incorrect callback logging and audit records with unknown resource IDs.
| SERVICE_HOST="${SERVICE_HOST:-localhost}" | ||
| SERVICE_PORT="${SERVICE_PORT:-3000}" | ||
| ALLOY_HOST="${ALLOY_HOST:-localhost}" | ||
| ALLOY_PORT="${ALLOY_PORT:-12345}" |
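Review bot: the default in "ALLOY_PORT=\"${ALLOY_PORT:-12345}\"" does not match the bundled alloy.river, which serves Alloy's HTTP endpoint on 9090, so check_alloy fails out of the box. Change the default to 9090 or derive both the script default and the river config from one documented variable.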
Alloy health check default port is incorrect
Low Severity
deploy-check.sh defaults ALLOY_PORT to 12345, but the provided alloy.river exposes Alloy’s HTTP server on 9090. Running the default checks against the bundled config makes check_alloy call the wrong endpoint and report false deployment failures.
| this.logger.debug('JPM callback signature verified'); | ||
| } else { | ||
| this.logger.warn('Callback verification not configured — skipping signature check'); | ||
| } |
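Review bot: the else branch only logs "Callback verification not configured — skipping signature check" and then falls through to accept the callback, so an unsigned payload is processed as a valid event. When the verifier is not configured the handler should return early with an error response (503 or 401) before any payload handling, with any skip allowed only behind an explicit non-production flag.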
Unverified JPM callbacks accepted when cert missing
High Severity
If callbackVerificationService is not configured, handlePaymentCallback logs a warning and still accepts the webhook. This skips signature verification entirely and allows unauthenticated callback payloads to be treated as valid events.
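The two callback findings above (signature verified over re-serialised bytes, and callbacks accepted when no verification key is configured) in one added example that is not the PR's code. The CallbackVerifier class, the ECDSA P-256 / SHA-256 scheme with a base64 signature, and the sample callback body are assumptions standing in for the PR's callbackVerificationService.

```typescript
// Added example (not the PR's code): verify a callback signature over the exact raw
// request bytes and fail closed when no verification key is configured.
// Assumed scheme: ECDSA P-256 over SHA-256, signature base64-encoded in a header.
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";

export type VerifyResult = "valid" | "invalid" | "not_configured";

// Hypothetical verifier mirroring the controller's isConfigured()/verify() shape.
export class CallbackVerifier {
  constructor(private readonly publicKey?: KeyObject) {}

  isConfigured(): boolean {
    return this.publicKey !== undefined;
  }

  // Verifies over the raw bytes only; never re-serialises a parsed object.
  verify(rawBody: Buffer, signatureB64: string): VerifyResult {
    const key = this.publicKey;
    if (!key) return "not_configured";
    const v = createVerify("SHA256");
    v.update(rawBody);
    try {
      return v.verify(key, Buffer.from(signatureB64, "base64")) ? "valid" : "invalid";
    } catch {
      return "invalid"; // malformed signature or key: treat as invalid, never as skipped
    }
  }
}

// Fail-closed gate: only an explicitly "valid" result lets the callback through,
// so "not_configured" is rejected instead of being logged and waved on.
export function acceptCallback(verifier: CallbackVerifier, rawBody: Buffer, sig: string): boolean {
  return verifier.verify(rawBody, sig) === "valid";
}

// Constructed sample: a sender key pair and a callback body with non-canonical spacing.
const { privateKey, publicKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
export const RAW_BODY = Buffer.from('{"eventType":"PAYMENT_COMPLETED",  "paymentId": "pay_123"}');
export const SIGNATURE = (() => {
  const s = createSign("SHA256");
  s.update(RAW_BODY);
  return s.sign(privateKey).toString("base64");
})();
export const verifier = new CallbackVerifier(publicKey);
export const unconfigured = new CallbackVerifier();

// What the PR's fallback does: re-serialising the parsed body yields different bytes,
// so a signature computed by the sender over RAW_BODY no longer verifies.
export const RESERIALISED = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString())));
```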
Note
Medium Risk
Medium risk because it introduces a new npm publish workflow (.github/workflows/release.yml) and adds substantial new NestJS reference code for audit logging/metrics that could affect the published package footprint and operational expectations.
Overview
Adds a full GitHub Copilot customization kit under .github/ (global instructions, reusable prompts, specialist agents, and skills) and a new mcp.json example wiring these resources.
Introduces a NestJS reference implementation for SOC 2 + observability, including new audit logging (AuditLoggerService), PII masking utilities, HTTP metrics/access interceptors, and a global exception filter, plus expanded NestJS reference docs and Alloy scrape config/checklists.
Updates release/deployment scaffolding by adding a tag-triggered GitHub Actions workflow to test/build and npm publish, plus new deployment status/plan docs and a .markdownlint.json, and significantly expands README.md with integration setup guidance (Stripe, Cloudflare, ElevenLabs, GitHub, AgentQL, Alby, Netlify, JPM).
Written by Cursor Bugbot for commit 677c06c. This will update automatically on new commits.