system-bus
Facilitates the development and management of Inngest durable functions and webhooks, enhancing observability and deployment efficiency.
Install this skill
Security score
The system-bus skill was audited on Jun 7, 2026 and we found 33 security issues across 3 threat categories, including 2 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Curl to non-GitHub URL
| 87 | 5. verify `curl http://127.0.0.1:3111/` shows functions and `joelclaw functions` returns >0 |
Curl to non-GitHub URL
| 199 | - **Inngest server function registry goes stale** on worker restart. Always `curl -X PUT http://127.0.0.1:3111/api/inngest` after restart. If PUT returns `Empty reply from server`, check `~/.local/log |
Curl to non-GitHub URL
| 243 | curl http://localhost:3111/ | jq |
Curl to non-GitHub URL
| 261 | curl -X PUT http://127.0.0.1:3111/api/inngest |
Webhook reference - potential data exfiltration
| 4 | description: Develop, deploy, and debug the system-bus worker — joelclaw's 110+ Inngest durable function engine, webhook gateway, and observability pipeline. Triggers on 'add a function', 'new inngest |
Webhook reference - potential data exfiltration
| 16 | The system-bus worker (`@joelclaw/system-bus`) is joelclaw's event-driven backbone — 110+ Inngest durable functions, webhook ingestion, and observability. It runs as a Hono HTTP server registered with |
Webhook reference - potential data exfiltration
| 41 | │ ├── webhooks/ |
Webhook reference - potential data exfiltration
| 42 | │ │ ├── server.ts # Webhook router (mounted at /webhooks) |
Webhook reference - potential data exfiltration
| 44 | │ │ └── providers/ # Per-service webhook handlers |
Webhook reference - potential data exfiltration
| 64 | | `cluster` | k8s pod (GHCR image) | Webhooks (Front, GitHub, Vercel, Todoist, Mux), approvals, notifications, Slack backfill — stateless, network-only | |
Webhook reference - potential data exfiltration
| 91 | Queue pilot flags are evaluated inside the live worker process, not your shell. If a host-worker emitter like `discovery-capture` or `/webhooks/github` should switch to queue mode, put the flag in `~/ |
Webhook reference - potential data exfiltration
| 230 | ## Adding a Webhook Provider |
Webhook reference - potential data exfiltration
| 232 | See the `webhooks` skill for full details. Quick summary: |
Webhook reference - potential data exfiltration
| 234 | 1. Create `src/webhooks/providers/<service>.ts` implementing `WebhookProvider` |
Webhook reference - potential data exfiltration
| 235 | 2. Register in `src/webhooks/server.ts` |
Webhook reference - potential data exfiltration
| 236 | 3. Add secret to `WEBHOOK_SECRETS` array in `serve.ts` |
Webhook reference - potential data exfiltration
| 237 | 4. Store secret in agent-secrets: `secrets add <service>_webhook_secret` |
Webhook reference - potential data exfiltration
| 300 | | `src/webhooks/server.ts` | Webhook route registration | |
Access to hidden dotfiles in home directory
| 79 | Host worker registration supports an explicit `INNGEST_SERVE_HOST` override in `~/.config/system-bus.env`. Set `INNGEST_SERVE_HOST=connect` to suppress SDK callback URL advertising when the self-hoste |
Access to hidden dotfiles in home directory
| 91 | Queue pilot flags are evaluated inside the live worker process, not your shell. If a host-worker emitter like `discovery-capture` or `/webhooks/github` should switch to queue mode, put the flag in `~/ |
Access to hidden dotfiles in home directory
| 100 | `content/updated` is the odd one out: its ingress comes from the launchd watcher `com.joel.content-sync-watcher`, not from a worker-local function. The canonical watcher source now belongs in `infra/l |
Access to hidden dotfiles in home directory
| 106 | ADR-0217 Phase 3 Story 4 now has a live host-worker runtime in `packages/system-bus/src/inngest/functions/queue-observer.ts`. Durable cadence belongs in Inngest, not the gateway daemon: the cron contr |
Access to hidden dotfiles in home directory
| 116 | Hard-won gotcha from the Story 3 live proof: queue operator commands must resolve Redis from the canonical CLI config (`~/.config/system-bus.env` → `REDIS_URL`) before ambient shell env. The first pro |
Access to hidden dotfiles in home directory
| 199 | - **Inngest server function registry goes stale** on worker restart. Always `curl -X PUT http://127.0.0.1:3111/api/inngest` after restart. If PUT returns `Empty reply from server`, check `~/.local/log |
Access to .env file
| 79 | Host worker registration supports an explicit `INNGEST_SERVE_HOST` override in `~/.config/system-bus.env`. Set `INNGEST_SERVE_HOST=connect` to suppress SDK callback URL advertising when the self-hoste |
Access to .env file
| 91 | Queue pilot flags are evaluated inside the live worker process, not your shell. If a host-worker emitter like `discovery-capture` or `/webhooks/github` should switch to queue mode, put the flag in `~/ |
Access to .env file
| 100 | `content/updated` is the odd one out: its ingress comes from the launchd watcher `com.joel.content-sync-watcher`, not from a worker-local function. The canonical watcher source now belongs in `infra/l |
Access to .env file
| 106 | ADR-0217 Phase 3 Story 4 now has a live host-worker runtime in `packages/system-bus/src/inngest/functions/queue-observer.ts`. Durable cadence belongs in Inngest, not the gateway daemon: the cron contr |
Access to .env file
| 116 | Hard-won gotcha from the Story 3 live proof: queue operator commands must resolve Redis from the canonical CLI config (`~/.config/system-bus.env` → `REDIS_URL`) before ambient shell env. The first pro |
External URL reference
| 87 | 5. verify `curl http://127.0.0.1:3111/` shows functions and `joelclaw functions` returns >0 |
External URL reference
| 199 | - **Inngest server function registry goes stale** on worker restart. Always `curl -X PUT http://127.0.0.1:3111/api/inngest` after restart. If PUT returns `Empty reply from server`, check `~/.local/log |
External URL reference
| 243 | curl http://localhost:3111/ | jq |
External URL reference
| 261 | curl -X PUT http://127.0.0.1:3111/api/inngest |