feat: initial implementation of abuse reporting wizard #1
Merged
lizthegrey merged 6 commits into main from Feb 7, 2026
Go web app automating infrastructure discovery and abuse report lifecycle for endharassment.net. Server-rendered HTML with htmx, SQLite storage, SendGrid email delivery.

Core workflow: URL submission → DNS/ASN/RDAP/BGP discovery → Cloudflare detection → evidence upload → X-ARF report generation → admin approval queue → SendGrid delivery → escalation to upstreams.

Includes security review with rate limiting, HMAC-signed CSRF, content safety validation, and CSAM/legal risk analysis.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove magic link auth entirely; use Google/GitHub OAuth only. Eliminates token race conditions, SendGrid auth abuse, and brute-forcing risks.
- Rearchitect evidence from local file uploads to user-provided cloud storage URLs (Google Drive, Dropbox, etc.). Users paste share links instead of uploading files. Eliminates blob storage, disk exhaustion, and content-type attack surface.
- Add URL text snapshotting (internal/snapshot/) for best-effort text-only crawls of reported URLs for evidentiary purposes. Runs asynchronously after URL submission.
- Add prominent CSAM/IC3/NCMEC disclaimers on home page, step 1, step 3, layout footer. Directs users to report CSAM to NCMEC CyberTipline and federal cybercrimes to IC3.
- Wire up escalation engine in main.go with RDAP-based abuse contact lookup. Was previously a placeholder log line.
- Add busy_timeout(5000) pragma to SQLite connection string.
- Update X-ARF generation and email composition to include evidence URLs instead of file hashes.
- Update SECURITY_REVIEW.md with changes-since-initial-review section documenting all architectural changes.

Co-authored-by: Cursor <cursoragent@cursor.com>
Request drive.metadata.readonly OAuth scope and offline access during Google login, persist access/refresh tokens on user records, and verify Google Drive evidence URLs by extracting file IDs and pulling metadata (name, mimeType, size, createdTime) via the Drive REST API.

- New internal/gdrive/ package: URL parsing, file ID extraction, Drive API metadata fetch, token refresh helper
- Migration 003: adds google token columns to users table and Drive metadata columns to evidence table
- Updated store layer with UpdateEvidence method and expanded column sets
- Wizard step 3 now auto-verifies Drive links during evidence submission
- Templates show "Verified"/"Unverified" badges with file metadata
- CSS badges for verified/unverified states

Co-authored-by: Cursor <cursoragent@cursor.com>
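The Drive link check described in the commit above, sketched as an added example; it is not the code in internal/gdrive/. `ExtractDriveFileID`, `MetadataURL`, the host allowlist and the ID length bounds are assumptions of this sketch; the share links are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var (
	// Assumed ID shape: URL-safe token; the length bounds are illustrative.
	driveID = regexp.MustCompile(`^[A-Za-z0-9_-]{10,128}$`)
	// Assumed allowlist of hosts that serve Drive share links (exact match only).
	driveHosts  = map[string]bool{"drive.google.com": true, "docs.google.com": true}
	ErrNotDrive = errors.New("not a recognised Google Drive link")
)

// ExtractDriveFileID (hypothetical helper) pulls the file ID out of a pasted share link.
func ExtractDriveFileID(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Scheme != "https" || u.User != nil || u.Port() != "" ||
		!driveHosts[strings.ToLower(u.Hostname())] {
		return "", ErrNotDrive // wrong scheme, userinfo trick, or look-alike host
	}
	id := u.Query().Get("id") // .../open?id=<ID>
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	for i := 0; i+1 < len(segs); i++ {
		if segs[i] == "d" { // .../file/d/<ID>/view, .../document/d/<ID>/edit
			id = segs[i+1]
			break
		}
	}
	if !driveID.MatchString(id) {
		return "", ErrNotDrive // also keeps "..", "/" and "?" out of the API path
	}
	return id, nil
}

// MetadataURL builds the Drive v3 files.get request for the fields the commit lists.
func MetadataURL(id string) string {
	q := url.Values{"fields": {"name,mimeType,size,createdTime"}}
	return "https://www.googleapis.com/drive/v3/files/" + url.PathEscape(id) + "?" + q.Encode()
}

func main() {
	// Constructed link with a userinfo trick: prints an empty ID and the error.
	fmt.Println(ExtractDriveFileID("https://drive.google.com@evil.example/file/d/1AbCdEfGhIjKlMnOpQrStUvWxYz012345/view"))
}
```

A link that parses cleanly is still only "Unverified" until the metadata request succeeds with the reporter's own token.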
Warn users prominently that hosting providers will forward abuse reports to site operators, who may retaliate by publicly posting complaints and encouraging further harassment. There is no expectation of privacy.

Warnings appear in three locations with escalating severity:
- Home page: informational overview of risks
- Wizard step 1: direct warning before entering any data
- Wizard step 4: explicit acknowledgment before final submission

Verified that outgoing emails and X-ARF reports do not include the individual reporter's email or name -- reports are sent on behalf of the organization only.

Co-authored-by: Cursor <cursoragent@cursor.com>
…limits

Add prominent disclosures that reports are filed on behalf of and with the permission of the reporter:
- Home page: new "How We File Reports" info section explaining that reports are ToS-based, NCII reporters must be the affected person or their authorized representative, and we do NOT file DMCA takedown notices (which require being a copyright agent under penalty of perjury)
- Wizard step 3: strengthened NCII warning requires confirmation of identity; new copyvio-warning appears when copyright is selected, explaining the DMCA distinction
- Outgoing emails: opening line now says "on behalf of an affected individual"; NCII emails note the report is from the depicted person or their representative; copyright emails explicitly state this is a ToS report, not a DMCA notice
- CSS: added alert-danger and alert-info styles (were used but missing)

Co-authored-by: Cursor <cursoragent@cursor.com>
- Add Apache 2.0 LICENSE file
- Add comprehensive README.md with setup, configuration, architecture, workflow, and pre-launch checklist
- Add AGENTS.md with AI coding agent guidelines covering architecture, conventions, security rules, and common task recipes
- Fix session secret: fail-fast if unset with HTTPS base URL; warn in dev mode instead of silently using a weak default
- Fix logout cookie: add missing Secure flag (consistent with session cookie)
- Remove vestigial evidence/ directory and Config.EvidenceDir field (evidence is now URL-based)
- Update SECURITY_REVIEW.md with all changes since initial review: Drive verification, retaliation warnings, NCII identity, DMCA distinction, session secret hardening, updated findings table

Co-authored-by: Cursor <cursoragent@cursor.com>
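The two session fixes named in the commit above, sketched as an added example rather than the project's own code. The function names, the cookie name, the 32-byte minimum and the random per-process key used in dev mode are assumptions of this sketch.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// SessionKey returns the cookie-signing key. secret and baseURL stand in for the app's
// configuration values (hypothetical names); the 32-byte minimum is an assumption.
func SessionKey(secret, baseURL string) (key []byte, devWarning bool, err error) {
	if len(secret) >= 32 {
		return []byte(secret), false, nil
	}
	if strings.HasPrefix(strings.ToLower(baseURL), "https://") {
		// Production-looking deployment: refuse to start rather than sign with a weak key.
		return nil, false, errors.New("session secret unset or too short for an HTTPS base URL")
	}
	// Dev mode: random per-process key, so no guessable default ever signs a cookie.
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, false, err
	}
	return key, true, nil
}

// cookieAttrs is the single source of attributes for both set and clear, so the
// logout cookie cannot drift from the session cookie (the missing-Secure bug).
func cookieAttrs(secure bool) http.Cookie {
	return http.Cookie{Name: "session", Path: "/", HttpOnly: true,
		Secure: secure, SameSite: http.SameSiteLaxMode}
}
func SessionCookie(value string, secure bool) *http.Cookie {
	c := cookieAttrs(secure)
	c.Value = value
	return &c
}
func LogoutCookie(secure bool) *http.Cookie {
	c := cookieAttrs(secure)
	c.MaxAge = -1 // tells the browser to delete the cookie now
	return &c
}

func main() {
	_, warn, err := SessionKey("", "http://localhost:8080")
	fmt.Println(warn, err, LogoutCookie(true).String())
}
```

The caller logs a warning when `devWarning` is true and exits at startup when `err` is non-nil.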
Summary
- html/template + htmx), SQLite storage, SendGrid email delivery
- SECURITY_REVIEW.md)

Key Design Decisions
- internal/snapshot/). Designed to integrate with endharassment/tor-fetcher for .onion sites.

Packages
- cmd/wizard/
- internal/model/
- internal/store/
- internal/infra/
- internal/report/
- internal/server/
- internal/admin/
- internal/escalation/
- internal/snapshot/

Test plan
- go build ./... passes
- go vet ./... passes
- go test ./... passes (infra, report, escalation, server packages)
- go run ./cmd/wizard, walk through wizard with a real domain
- SECURITY_REVIEW.md for pre-launch blockers (NCMEC reporting, legal counsel, SPF/DKIM)