Jules/cleanup #51

Open. jdrean wants to merge 12 commits into main from jules/cleanup
@jdrean commented Feb 12, 2026

Summary by cubic

Made the client stateless across Go/JS/Swift by moving key fetch to Identity.fetchFromServer and removing URL pinning. Hardened streaming decryption with non-recursive parsing and a 1 MB chunk limit, now enforced in Swift to prevent OOM.

  • Refactors

    • Transport now takes only an Identity in Go/JS; Swift EHBPClient takes an Identity and full URLs.
    • Removed createTransport/Transport.create and host rewriting; requests require absolute URLs.
    • Added Identity.fetchFromServer(serverURL) with media-type parameter parsing and typed errors on invalid responses.
    • Removed JS Transport identity pass-through getters; use Identity for public key access.
    • Docs/examples/tests updated.
  • Migration

    • JS: Replace createTransport('https://example.com') with:
    • Go: const ident = identity.FetchFromServer('https://example.com'); http.Client{Transport: client.NewTransport(ident)}.
    • Swift: let ident = try Identity(publicKeyBytes: ...); let client = EHBPClient(identity: ident); pass full URL strings to request methods.

Written for commit cdd79cf. Summary will update on new commits.

@cubic-dev-ai cubic-dev-ai bot left a comment

3 issues found across 6 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="js/README.md">

<violation number="1" location="js/README.md:44">
P3: The API example redeclares `identity` and `transport` in the same code block, so copying the snippet will throw `Identifier has already been declared`. Consider using distinct variable names (or separate code blocks) for the two alternatives.</violation>
</file>

<file name="js/src/identity.ts">

<violation number="1" location="js/src/identity.ts:216">
P1: Rule violated: **Flag Security Vulnerabilities**

Enforce HTTPS/TLS for the key endpoint fetch. Rule 3 requires network requests use HTTPS/TLS, but this new fetch accepts http URLs, allowing insecure key retrieval and MITM risk.</violation>

<violation number="2" location="js/src/identity.ts:221">
P2: The Content-Type check is too strict; responses with a valid media type plus parameters (e.g., charset) will be rejected. Consider allowing parameters by checking the media type prefix or parsing the header.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Base automatically changed from tanya/errors to main February 13, 2026 07:21
@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 14 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="identity/identity.go">

<violation number="1" location="identity/identity.go:220">
P1: Custom agent: **Flag Security Vulnerabilities**

Enforce HTTPS before fetching the server key. This function currently allows plaintext HTTP requests, which violates the requirement that network requests use HTTPS/TLS.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
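
The checks both reviews ask for (HTTPS-only key fetch, and a Content-Type test that tolerates parameters), as an added Go example that is not the project's code. The function names, the error values and the media type `application/x-example-keys` are assumptions, since the page shows neither `identity.go` nor the real media type; the redirect hook goes one step beyond the findings by also refusing a redirect from https to http.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"net/http"
	"net/url"
)

// Placeholder media type (assumption): the page does not name the real one.
const keyMediaType = "application/x-example-keys"

var ( // hypothetical typed errors, not the project's own
	ErrInsecureURL  = errors.New("key endpoint must be an absolute https URL")
	ErrBadMediaType = errors.New("unexpected Content-Type on key response")
)

// checkKeyURL runs before any request is sent. url.Parse lowercases the scheme.
func checkKeyURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%w: %q", ErrInsecureURL, raw)
	}
	return nil
}

// refuseDowngrade is an http.Client CheckRedirect hook. Setting a hook replaces
// Go's default 10-redirect limit, so that limit is restated here.
func refuseDowngrade(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	return checkKeyURL(req.URL.String())
}

// checkKeyContentType parses the header rather than comparing raw strings, so
// parameters and case differences pass while a prefix look-alike does not.
func checkKeyContentType(header string) error {
	mt, _, err := mime.ParseMediaType(header)
	if err != nil || mt != keyMediaType {
		return fmt.Errorf("%w: %q", ErrBadMediaType, header)
	}
	return nil
}

func main() {
	client := &http.Client{CheckRedirect: refuseDowngrade} // hook installed here
	fmt.Println(client.CheckRedirect != nil, checkKeyURL("http://example.com/keys"))
}
```

Parsing with `mime.ParseMediaType` is stricter than the prefix match the P2 finding offers as one option: a prefix test would also accept any longer type that merely starts with the expected string.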
