Files

root 65fd71dc0d fix(workers): yt-dlp argv injection — scheme check + -- separator

The url passed to yt-dlp is user-controllable (via /api/capture). Any
string starting with '-' would be parsed as a flag (e.g.
--config-location=/etc/passwd). Mitigations:
1. Validate scheme is http(s) and hostname is present before subprocess.
2. Pass `--` to yt-dlp so it stops flag parsing before the positional
   URL.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-01 10:11:57 +10:00

tests

fix(workers): yt-dlp argv injection — scheme check + -- separator

2026-06-01 10:11:57 +10:00

void_workers

fix(workers): yt-dlp argv injection — scheme check + -- separator

2026-06-01 10:11:57 +10:00

.gitignore

feat(workers): Python skeleton + config + structlog

2026-06-01 04:41:33 +10:00

pyproject.toml

feat(workers): Python skeleton + config + structlog

2026-06-01 04:41:33 +10:00

README.md

feat(workers): Python skeleton + config + structlog

2026-06-01 04:41:33 +10:00

README.md

void-workers

Python ML ingest service alongside void-server (Node). Sibling of lib/ in the void-v2 repo.

Local dev

cd workers
python3.12 -m venv .venv
. .venv/bin/activate
pip install -e ".[all]"
export DATABASE_URL="postgres://..."
python -m void_workers.runner

Tests

pip install -e ".[test,all]"
DATABASE_URL="postgres://..." pytest -v

See ../docs/superpowers/plans/2026-06-01-void-v2-plan4-workers.md for the full plan and ../docs/superpowers/specs/2026-06-01-void-v2-plan4-workers.md for the design.