Skip to main content

system-bus

Facilitates the development and management of Inngest durable functions and webhooks, enhancing observability and deployment efficiency.

Install this skill

or
0/100

Security score

The system-bus skill was audited on Jun 7, 2026 and we found 33 security issues across 3 threat categories, including 2 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

high line 87

Curl to non-GitHub URL

SourceSKILL.md
875. verify `curl http://127.0.0.1:3111/` shows functions and `joelclaw functions` returns >0
high line 199

Curl to non-GitHub URL

SourceSKILL.md
199- **Inngest server function registry goes stale** on worker restart. Always `curl -X PUT http://127.0.0.1:3111/api/inngest` after restart. If PUT returns `Empty reply from server`, check `~/.local/log
medium line 243

Curl to non-GitHub URL

SourceSKILL.md
243curl http://localhost:3111/ | jq
medium line 261

Curl to non-GitHub URL

SourceSKILL.md
261curl -X PUT http://127.0.0.1:3111/api/inngest
medium line 4

Webhook reference - potential data exfiltration

SourceSKILL.md
4description: Develop, deploy, and debug the system-bus worker — joelclaw's 110+ Inngest durable function engine, webhook gateway, and observability pipeline. Triggers on 'add a function', 'new inngest
medium line 16

Webhook reference - potential data exfiltration

SourceSKILL.md
16The system-bus worker (`@joelclaw/system-bus`) is joelclaw's event-driven backbone — 110+ Inngest durable functions, webhook ingestion, and observability. It runs as a Hono HTTP server registered with
low line 41

Webhook reference - potential data exfiltration

SourceSKILL.md
41│ ├── webhooks/
low line 42

Webhook reference - potential data exfiltration

SourceSKILL.md
42│ │ ├── server.ts # Webhook router (mounted at /webhooks)
low line 44

Webhook reference - potential data exfiltration

SourceSKILL.md
44│ │ └── providers/ # Per-service webhook handlers
medium line 64

Webhook reference - potential data exfiltration

SourceSKILL.md
64| `cluster` | k8s pod (GHCR image) | Webhooks (Front, GitHub, Vercel, Todoist, Mux), approvals, notifications, Slack backfill — stateless, network-only |
medium line 91

Webhook reference - potential data exfiltration

SourceSKILL.md
91Queue pilot flags are evaluated inside the live worker process, not your shell. If a host-worker emitter like `discovery-capture` or `/webhooks/github` should switch to queue mode, put the flag in `~/
medium line 230

Webhook reference - potential data exfiltration

SourceSKILL.md
230## Adding a Webhook Provider
medium line 232

Webhook reference - potential data exfiltration

SourceSKILL.md
232See the `webhooks` skill for full details. Quick summary:
medium line 234

Webhook reference - potential data exfiltration

SourceSKILL.md
2341. Create `src/webhooks/providers/<service>.ts` implementing `WebhookProvider`
medium line 235

Webhook reference - potential data exfiltration

SourceSKILL.md
2352. Register in `src/webhooks/server.ts`
medium line 236

Webhook reference - potential data exfiltration

SourceSKILL.md
2363. Add secret to `WEBHOOK_SECRETS` array in `serve.ts`
medium line 237

Webhook reference - potential data exfiltration

SourceSKILL.md
2374. Store secret in agent-secrets: `secrets add <service>_webhook_secret`
medium line 300

Webhook reference - potential data exfiltration

SourceSKILL.md
300| `src/webhooks/server.ts` | Webhook route registration |
medium line 79

Access to hidden dotfiles in home directory

SourceSKILL.md
79Host worker registration supports an explicit `INNGEST_SERVE_HOST` override in `~/.config/system-bus.env`. Set `INNGEST_SERVE_HOST=connect` to suppress SDK callback URL advertising when the self-hoste
medium line 91

Access to hidden dotfiles in home directory

SourceSKILL.md
91Queue pilot flags are evaluated inside the live worker process, not your shell. If a host-worker emitter like `discovery-capture` or `/webhooks/github` should switch to queue mode, put the flag in `~/
medium line 100

Access to hidden dotfiles in home directory

SourceSKILL.md
100`content/updated` is the odd one out: its ingress comes from the launchd watcher `com.joel.content-sync-watcher`, not from a worker-local function. The canonical watcher source now belongs in `infra/l
medium line 106

Access to hidden dotfiles in home directory

SourceSKILL.md
106ADR-0217 Phase 3 Story 4 now has a live host-worker runtime in `packages/system-bus/src/inngest/functions/queue-observer.ts`. Durable cadence belongs in Inngest, not the gateway daemon: the cron contr
medium line 116

Access to hidden dotfiles in home directory

SourceSKILL.md
116Hard-won gotcha from the Story 3 live proof: queue operator commands must resolve Redis from the canonical CLI config (`~/.config/system-bus.env` → `REDIS_URL`) before ambient shell env. The first pro
medium line 199

Access to hidden dotfiles in home directory

SourceSKILL.md
199- **Inngest server function registry goes stale** on worker restart. Always `curl -X PUT http://127.0.0.1:3111/api/inngest` after restart. If PUT returns `Empty reply from server`, check `~/.local/log
medium line 79

Access to .env file

SourceSKILL.md
79Host worker registration supports an explicit `INNGEST_SERVE_HOST` override in `~/.config/system-bus.env`. Set `INNGEST_SERVE_HOST=connect` to suppress SDK callback URL advertising when the self-hoste
medium line 91

Access to .env file

SourceSKILL.md
91Queue pilot flags are evaluated inside the live worker process, not your shell. If a host-worker emitter like `discovery-capture` or `/webhooks/github` should switch to queue mode, put the flag in `~/
medium line 100

Access to .env file

SourceSKILL.md
100`content/updated` is the odd one out: its ingress comes from the launchd watcher `com.joel.content-sync-watcher`, not from a worker-local function. The canonical watcher source now belongs in `infra/l
medium line 106

Access to .env file

SourceSKILL.md
106ADR-0217 Phase 3 Story 4 now has a live host-worker runtime in `packages/system-bus/src/inngest/functions/queue-observer.ts`. Durable cadence belongs in Inngest, not the gateway daemon: the cron contr
medium line 116

Access to .env file

SourceSKILL.md
116Hard-won gotcha from the Story 3 live proof: queue operator commands must resolve Redis from the canonical CLI config (`~/.config/system-bus.env` → `REDIS_URL`) before ambient shell env. The first pro
low line 87

External URL reference

SourceSKILL.md
875. verify `curl http://127.0.0.1:3111/` shows functions and `joelclaw functions` returns >0
low line 199

External URL reference

SourceSKILL.md
199- **Inngest server function registry goes stale** on worker restart. Always `curl -X PUT http://127.0.0.1:3111/api/inngest` after restart. If PUT returns `Empty reply from server`, check `~/.local/log
low line 243

External URL reference

SourceSKILL.md
243curl http://localhost:3111/ | jq
low line 261

External URL reference

SourceSKILL.md
261curl -X PUT http://127.0.0.1:3111/api/inngest
Scanned on Jun 7, 2026
View Security Dashboard
Installation guide →