Fix anime-watch-hub

[zk1tty]

I fixed the issues of #86

After

Summary by CodeRabbit

Release Notes

• New Features

  • Enabled script execution and form submission capabilities within embedded streaming content for improved interactivity.

• Bug Fixes

  • Improved streaming event detection with stricter type validation.
  • Enhanced error handling and status messaging during anime searches.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9b9811ae-bcc2-43fb-b530-484bd6a3cdd9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

These changes update streaming platform integration by reformatting SSE encoding logic, extending iframe sandbox permissions for script and form execution, and refactoring event-stream parsing logic including updated field references (streaming_url), event types (PROGRESS replacing STATUS), and status-based completion branching.

Changes

Cohort / File(s)	Summary
SSE Streaming Endpoint app/api/check-platform/route.ts	Reformatted SSE controller.enqueue call into single-line expression; no behavior or error-handling changes.
Embedded Content Sandbox components/platform-card.tsx	Extended iframe sandbox policy to permit script execution and form submission alongside same-origin access.
Event-Stream Parsing Logic hooks/use-anime-search.ts	Refactored streamed JSON event handling: STREAMING_URL now requires strict type check and reads from data.streaming_url; STATUS events replaced with PROGRESS events using data.purpose; COMPLETE events now branch on data.status === 'failed' with error/success paths; ERROR handling preserved.

Sequence Diagram

sequenceDiagram
    participant API as Check-Platform API
    participant Hook as useAnimeSearch Hook
    participant UI as Platform Component
    participant Browser as Browser/Iframe

    API->>Hook: SSE Stream (STREAMING_URL)
    Note over Hook: Check data.type === 'STREAMING_URL'<br/>Read data.streaming_url
    Hook->>Hook: Set streamingUrl state

    API->>Hook: SSE Stream (PROGRESS)
    Note over Hook: Check data.type === 'PROGRESS'<br/>Read data.purpose
    Hook->>Hook: Update statusMessage

    API->>Hook: SSE Stream (COMPLETE)
    alt data.status === 'failed'
        Hook->>Hook: Set status='error'<br/>Set statusMessage from error<br/>Clear streamingUrl
    else success
        Hook->>Hook: Set status='complete'<br/>Set result from data.result<br/>Clear streamingUrl & statusMessage
    end

    Hook->>UI: Provide streamingUrl & status
    UI->>Browser: Render iframe with<br/>sandbox="allow-same-origin<br/>allow-scripts allow-forms"
    Browser->>Browser: Execute scripts & forms

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly Related Issues

• Event handling bug + live streaming inside iframe #86: This PR directly addresses the event-parsing schema evolution (STREAMING_URL → data.streaming_url, STATUS → PROGRESS, COMPLETE status branching) and iframe sandbox capability expansion for embedded streaming content.

Poem

🐰 Hop-hop, the sandbox grows wide,
Scripts and forms now fit inside!
Event streams dance with purpose bright,
PROGRESS flows and errors set right—
A streaming burrow, snug and tight! 🎬

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The pull request title "Fix anime-watch-hub" is vague and generic, using only the word "Fix" without specifying what was fixed or which components were changed.	Replace with a more specific title that describes the main changes, such as "Fix streaming URL handling and iframe sandbox policy" or "Fix /run-see event handling and live streaming support."

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[simantak-dabhade]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@anime-watch-hub/components/platform-card.tsx`:
- Around line 69-73: The iframe is rendering agent.streamingUrl directly and
uses a permissive sandbox ("allow-same-origin allow-scripts allow-forms");
validate and gate the URL before rendering by enforcing a strict HTTPS origin
allowlist and a safe URL format (e.g., hostname check + https scheme) where the
SSE assigns state (the useAnimeSearch hook / the code that sets
agent.streamingUrl), and remove dangerous sandbox flags (drop allow-same-origin
and allow-scripts/allow-forms unless explicitly needed); only render the
<iframe> in PlatformCard when the streamingUrl has passed the
allowlist/validation and use a minimal sandbox (no same-origin/scripts/forms) to
follow least privilege.

In `@anime-watch-hub/hooks/use-anime-search.ts`:
- Around line 60-83: The SSE parser in use-anime-search.ts is using the wrong
event shape; update the handling in the event dispatching (the code that
currently checks for data.type === 'STREAMING_URL' / 'PROGRESS' / 'COMPLETE') to
match the documented Mino schema: treat streamingUrl as a top-level field on
events (if data.streamingUrl exists, call updateAgent(platform.id, { status:
'browsing', streamingUrl: data.streamingUrl, statusMessage: 'Browsing
platform...' })), treat progress updates as type === 'STATUS' and use
data.message for statusMessage (updateAgent(platform.id, { statusMessage:
data.message })), and for COMPLETE events read data.resultJson (string) and
JSON.parse it into result before calling updateAgent(platform.id, { status:
'complete', result: parsedResult, statusMessage: undefined }); also preserve the
error branch for COMPLETE when data.status === 'failed' but read error message
from data.error?.message as before. Ensure you reference these symbols: the SSE
parsing block in use-anime-search.ts and the updateAgent(platform.id, ...)
calls.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a24c2676-0d6d-477b-9955-8c741a29917d

📥 Commits

Reviewing files that changed from the base of the PR and between 119903c and e1b84c4.

📒 Files selected for processing (3)

• anime-watch-hub/app/api/check-platform/route.ts
• anime-watch-hub/components/platform-card.tsx
• anime-watch-hub/hooks/use-anime-search.ts

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify unvalidated streaming_url -> streamingUrl data flow
rg -nP --type=ts --type=tsx '\bstreaming_url\b|\bstreamingUrl\b' -C2

# Verify iframe sandbox usage and current permissions
rg -nP --type=tsx '<iframe|sandbox=' -C2

Repository: tinyfish-io/tinyfish-cookbook

Length of output: 100

---

🏁 Script executed:

# List repository structure to understand the codebase
git ls-files | head -30

Repository: tinyfish-io/tinyfish-cookbook

Length of output: 1292

---

🏁 Script executed:

# Search for platform-card.tsx regardless of reported type
fd "platform-card" -t f

Repository: tinyfish-io/tinyfish-cookbook

Length of output: 117

---

🏁 Script executed:

# Also search for anime-watch-hub or similar directory patterns
fd -t d "anime" 2>/dev/null || true

Repository: tinyfish-io/tinyfish-cookbook

Length of output: 89

---

🏁 Script executed:

# Read the platform-card.tsx file to verify the actual code
cat -n anime-watch-hub/components/platform-card.tsx

Repository: tinyfish-io/tinyfish-cookbook

Length of output: 5057

---

🏁 Script executed:

# Check file sizes to decide on full vs partial read
wc -l anime-watch-hub/hooks/use-anime-search.ts anime-watch-hub/lib/types.ts 2>/dev/null || true

Repository: tinyfish-io/tinyfish-cookbook

Length of output: 164

---

🏁 Script executed:

# Read use-anime-search.ts around lines 56-66 to verify data flow
sed -n '45,100p' anime-watch-hub/hooks/use-anime-search.ts

Repository: tinyfish-io/tinyfish-cookbook

Length of output: 2016

---

🏁 Script executed:

# Read types.ts to check MinoAgentState definition and streamingUrl type
cat -n anime-watch-hub/lib/types.ts

Repository: tinyfish-io/tinyfish-cookbook

Length of output: 1761

---

🏁 Script executed:

# Check the start of use-anime-search.ts to see where the SSE endpoint comes from
head -50 anime-watch-hub/hooks/use-anime-search.ts

Repository: tinyfish-io/tinyfish-cookbook

Length of output: 1619

---

Harden iframe sandbox + validate streaming URL before render

Line 72 enables scripts and forms while line 69 renders agent.streamingUrl directly. The streamingUrl originates from external SSE payloads via /api/check-platform (anime-watch-hub/hooks/use-anime-search.ts, line 64) with no origin validation or format checking before assignment to state. This creates a high-risk trust boundary: an attacker controlling the backend or intercepting the SSE stream could inject arbitrary URLs that execute scripts inside your app frame. Gate the URL with a strict HTTPS origin allowlist and remove allow-same-origin unless absolutely required.

🔒 Suggested fix (least-privilege + allowlist)

+const TRUSTED_STREAM_ORIGINS = new Set([
+  'https://www.crunchyroll.com',
+  'https://www.netflix.com',
+  'https://www.amazon.com/Prime-Video',
+  'https://www.hulu.com',
+  'https://www.funimation.com',
+  'https://www.hidive.com',
+  'https://www.disneyplus.com',
+  'https://www.max.com',
+])
+
+function getTrustedStreamingUrl(raw?: string): string | null {
+  if (!raw) return null
+  try {
+    const u = new URL(raw)
+    if (u.protocol !== 'https:') return null
+    return TRUSTED_STREAM_ORIGINS.has(u.origin) ? u.toString() : null
+  } catch {
+    return null
+  }
+}
+
 export function PlatformCard({ agent }: PlatformCardProps) {
+  const trustedStreamingUrl = getTrustedStreamingUrl(agent.streamingUrl)
   ...
-        {agent.streamingUrl && (agent.status === 'connecting' || agent.status === 'browsing') && (
+        {trustedStreamingUrl && (agent.status === 'connecting' || agent.status === 'browsing') && (
           <div className="relative aspect-video w-full overflow-hidden rounded-md border bg-muted">
             <iframe
-              src={agent.streamingUrl}
+              src={trustedStreamingUrl}
               className="h-full w-full"
               title={`${agent.platformName} live view`}
-              sandbox="allow-same-origin allow-scripts allow-forms"
+              sandbox="allow-scripts allow-forms"
             />

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@anime-watch-hub/components/platform-card.tsx` around lines 69 - 73, The
iframe is rendering agent.streamingUrl directly and uses a permissive sandbox
("allow-same-origin allow-scripts allow-forms"); validate and gate the URL
before rendering by enforcing a strict HTTPS origin allowlist and a safe URL
format (e.g., hostname check + https scheme) where the SSE assigns state (the
useAnimeSearch hook / the code that sets agent.streamingUrl), and remove
dangerous sandbox flags (drop allow-same-origin and allow-scripts/allow-forms
unless explicitly needed); only render the <iframe> in PlatformCard when the
streamingUrl has passed the allowlist/validation and use a minimal sandbox (no
same-origin/scripts/forms) to follow least privilege.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Documented Mino SSE fields =="
rg -n -C2 'streamingUrl|type":"STATUS"|resultJson' anime-watch-hub/docs/mino-api-integration.md

echo
echo "== Current client parser =="
sed -n '56,85p' anime-watch-hub/hooks/use-anime-search.ts

echo
echo "== Server proxy behavior =="
sed -n '88,97p' anime-watch-hub/app/api/check-platform/route.ts

echo
echo "== Downstream UI dependence on agent.result.available =="
rg -n -C2 'result\?\.available' anime-watch-hub/components/platform-card.tsx

Repository: tinyfish-io/tinyfish-cookbook

Length of output: 4228

---

Fix schema mismatch between Mino SSE and client parser.

The documented Mino SSE schema (lines 256–265 in anime-watch-hub/docs/mino-api-integration.md and concrete examples at lines 395–407) sends:

• streamingUrl as a direct field (not under type: 'STREAMING_URL')
• type: 'STATUS' with message for progress updates
• resultJson (stringified) in COMPLETE events

The hook parser (lines 60–83 in anime-watch-hub/hooks/use-anime-search.ts) currently looks for:

• type: 'STREAMING_URL' with streaming_url (field structure mismatch)
• type: 'PROGRESS' with purpose (type mismatch)
• result field (schema has resultJson)

Since /api/check-platform/route.ts proxies the upstream stream unchanged, the parser drops all streaming URL events and progress updates, and sets result: undefined on completion. This causes anime-watch-hub/components/platform-card.tsx (lines 22, 42) to render "Not Found" regardless of the actual search result.

🔧 Proposed compatibility fix

-                if (data.type === 'STREAMING_URL' && data.streaming_url) {
+                const streamingUrl = data.streamingUrl ?? data.streaming_url
+                if (streamingUrl) {
                   updateAgent(platform.id, {
                     status: 'browsing',
-                    streamingUrl: data.streaming_url,
+                    streamingUrl,
                     statusMessage: 'Browsing platform...',
                   })
                 }
 
-                if (data.type === 'PROGRESS' && data.purpose) {
-                  updateAgent(platform.id, { statusMessage: data.purpose })
+                const progressMessage =
+                  data.type === 'STATUS'
+                    ? data.message
+                    : data.type === 'PROGRESS'
+                      ? data.purpose
+                      : undefined
+                if (progressMessage) {
+                  updateAgent(platform.id, { statusMessage: progressMessage })
                 }
 
                 if (data.type === 'COMPLETE') {
                   if (data.status === 'failed') {
                     updateAgent(platform.id, {
@@
                   } else {
+                    const result =
+                      data.result ??
+                      (typeof data.resultJson === 'string'
+                        ? JSON.parse(data.resultJson)
+                        : data.resultJson)
+
                     updateAgent(platform.id, {
                       status: 'complete',
-                      result: data.result,
+                      result,
                       statusMessage: undefined,
                       streamingUrl: undefined,
                     })
                   }
                 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@anime-watch-hub/hooks/use-anime-search.ts` around lines 60 - 83, The SSE
parser in use-anime-search.ts is using the wrong event shape; update the
handling in the event dispatching (the code that currently checks for data.type
=== 'STREAMING_URL' / 'PROGRESS' / 'COMPLETE') to match the documented Mino
schema: treat streamingUrl as a top-level field on events (if data.streamingUrl
exists, call updateAgent(platform.id, { status: 'browsing', streamingUrl:
data.streamingUrl, statusMessage: 'Browsing platform...' })), treat progress
updates as type === 'STATUS' and use data.message for statusMessage
(updateAgent(platform.id, { statusMessage: data.message })), and for COMPLETE
events read data.resultJson (string) and JSON.parse it into result before
calling updateAgent(platform.id, { status: 'complete', result: parsedResult,
statusMessage: undefined }); also preserve the error branch for COMPLETE when
data.status === 'failed' but read error message from data.error?.message as
before. Ensure you reference these symbols: the SSE parsing block in
use-anime-search.ts and the updateAgent(platform.id, ...) calls.