#181
Add swamp data delete command to remove a data artifact by model and name
s12h ago
#180
add `swamp doctor extensions` subcommand for on-demand extension load diagnostics
s10h ago
#179
AI agent skipped adversarial review step before smoke testing extension code
s10h ago
#178
Better Auth rejects requests on hostnames not in hardcoded trustedOrigins (signup/signin broken on non-canonical hosts)
k1d ago
#177
Local extension models in extensions/models are not discovered in fresh repo tutorial flow
s10h ago
#176
ticket 1138 not clear - can we still use github?
17h ago
#175
Drag Windows into the Swamp
s9h ago
#174
Add `swamp extension test` command to run built-in extension tests with coverage
1d ago
#173
swamp repo init --tool kiro does not create .kiro/settings/cli.json
s9h ago
#172
Support multi-agent repo initialization (multiple --tool targets)
1d ago
#171
CLI dumps 300-line Cliffy Command object on unknown flags / subcommands
s1d ago
#170
Docs: repository-configuration.md missing defaultDriver / defaultDriverConfig
k3d ago
#169
Server-side parse query params on /lab/all so refresh preserves multi-filter URLs
k3d ago
#168
fast-path sidecar TOCTOU: post-op HEAD can record generation from a concurrent writer's push, masking their data on next sync
s4d ago
#167
Scorer should honour files/deno.json imports so bare specifiers resolve
s4d ago
#166
@swamp/gcs-datastore: same minutes-slow zero-diff sync cliff as lab/164; mirror fingerprint fast path
s4d ago
#165
cleanup for repoDriver
k4d ago
#164
swamp datastore sync is minutes-slow at 4k-file scale even with zero-diff; outer 300s timeout fires
s4d ago
#163
swamp-extension-publish skill: add quality rubric check before push
s4d ago
#162
New @swamp extension: extension quality rubric checker for CI
s4d ago
#161
swamp-extension-quality and swamp-extension-publish skills don't guide zod import map resolution for scorer
s4d ago
#160
swamp repo upgrade deletes extension model source files
s4d ago
#159
Add repo-level `defaultDriver` to `.swamp.yaml`
k4d ago
#158
User report extensions registered lazily are silently skipped during method execution
s4d ago
#157
swamp extension install: datastore push hangs ~8.5m then crashes with Deno TLS panic (tls_wrap.rs:1918 unwrap on None)
s5d ago
#156
Add a preflight diagnostic for AI-tool audit integrations (so upstream CLI changes stop breaking us silently)
s4d ago
#155
audit record --from-hook silently drops input from kiro-cli postToolUse hooks
5d ago
#154
codegen pipelines don't detect _lib/*.ts changes so manifest CalVer never bumps
4d ago
#153
Link to namespace extensions listing from profile pages
s5d ago
#152
Trailing slash on /extensions/@<namespace>/ returns 404
s5d ago
#151
No way to browse all extensions belonging to a collective by URL
s5d ago
#150
DatastoreProvider.resolveCachePath declared optional but silently required at runtime
s5d ago
#147
Accept-invite link returns HTML instead of JSON, breaking collective join
s6d ago
#146
additionalFiles flatten to basenames on push and lack a runtime access API, creating a source-vs-pulled layout mismatch
s5d ago
#145
Extension search returns inflated results for quoted phrase queries
s6d ago
#144
Docs: document jsr:/https: imports and non-local pinning convention in user-facing manual
s7d ago
#143
First-class jsr: specifier support in extension bundler
s7d ago
#142
Cross-extension code sharing via manifest exports field
2d ago
#141
Extension models: document/resolve implicit-any in execute parameters when imported by test files
s7d ago
#140
extension yank: allow unyank and version-specific yanks
s7d ago
#139
extension source add does not discover brand new types — only overrides already-pulled types
s7d ago
#138
Add light mode to swamp.club and swamp open UI
7d ago
#137
Add 'swamp open' command to open the swamp.club web UI
7d ago
#136
Add light mode to swamp.club website
7d ago
#135
Datastore sync surfaces opaque errors from extensions verbatim — no status code or body preview
s8d ago
#134
@swamp/s3-datastore: first-attempt 403 masked as "UnknownError" from AWS SDK deserializer
8d ago
#133
Extension auto-resolve reports "already_installed" for truncated pulled-extension trees
8d ago
#131
Email delivery for mention notifications
8d ago
#130
Auto-update WARN is silent in --json mode (logger suppresses non-fatal)
s8d ago
#129
open.ts web UI uses force:true pullExtension, same data-loss family as #126
s8d ago
#128
Port bundle_freshness (content-fingerprint cache invalidation) to reports / drivers / datastores / vaults loaders
s8d ago
#127
Mentions and notifications system for issues
s8d ago
#126
Datastore auto-update in resolve_datastore.ts uses force:true, risking silent overwrite of local edits
s10d ago
#125
Per-repo user-extension bundle cache doesn't invalidate on source changes
s11d ago
#124
Adding methods to in-body `methods:{}` on `export const model` doesn't re-register
s4d ago
#123
User extensions silently dropped when base type not yet registered at scan time
s11d ago
#122
Footer floats when page content is shorter than viewport
s7d ago
#121
workflow validate can silently overwrite local edits to pulled extensions via force-pull in auto-resolver
s11d ago
#120
Extension pull should namespace files by extension to prevent filename collisions
s11d ago
#119
Update CLAUDE.md co-author instructions to use swamp-club issue author lookup
s13d ago
#118
Add swamp issue get CLI command to fetch issue details
s13d ago
#117
swamp-club API: include issue author in GET /api/v1/lab/issues/{number} response
s13d ago
#116
Install command curl-pipe-sh overflows the component on swamp.club homepage
s13d ago
#115
'Assigned to me' overlaps 'Privacy policy' on short viewports
s13d ago
#114
Collapsible left rail and repositionable right rail in Lab
k12d ago
#113
Usernames aren't linked to their profile pages
k12d ago
#112
Filter lab issues by author (opened by user)
k12d ago
#111
Add skills extension type for bundling agent/human guidance documents
s14d ago
#110
Remove traffic lights in column 2 of /lab
ks11d ago
#109
Multi-select combo filtering on /lab
k12d ago
#108
data gc skips version-count GC when no lifetime-expired data exists
k14d ago
#107
Content filter should identify the flagged word or phrase
k15d ago
#106
Bog flow: text rendering and layout issues
k12d ago
#101
Flow modal: text rendering issues
k12d ago
#99
Normalize text sizing across issue list and detail views
k15d ago
#98
Description 'Show more' button appears even when text fits
k15d ago
#97
Inline editing: click-to-edit fields instead of pencil icons
ks7d ago
#96
Persist lab filter selection in localStorage
k3d ago
#95
Update how-to guide with swamp-extension-publish skill
s15d ago
#94
Fix incorrect favicon in Google search results
15d ago
#93
Missing section on user profile page for wendy
s15d ago
#92
Extension skills missing repository initialization and publishing prerequisites
s15d ago
#91
Vault CEL expressions replaced with VaultSecretBag sentinels after model type upgrade
k15d ago
#90
Audit: modelRegistry.get() without ensureTypeLoaded() in YAML repository save() paths
s15d ago
#89
Cross-model expression validator fails on lazy-loaded types — modelRegistry.get() bypasses ensureTypeLoaded
17d ago
#88
forEach.in with data.latest() throws misleading 'got: object' error for unresolved Promise
s15d ago
#86
issue-lifecycle models should support --assignee for swamp.club issues
s17d ago
#85
Driver capability registry: declare richer execution capabilities at driver design time
s17d ago
#84
Consolidate MethodReportContext construction — manual and workflow report paths build contexts divergently
s14d ago
#83
Workflow-level workspace for docker driver: stateful multi-step workflows
s17d ago
#82
"OG Swamper" badge inconsistent
k17d ago
#81
Workflow-scope user extension reports don't execute: getAll() excludes lazy-loaded reports
s17d ago
#80
Improve skill trigger routing accuracy across models
s14d ago
#66
Add GitHub Copilot IDE support
s13d ago
#65
Phase 1: /feed — judge-gated content stream
k5d ago
#64
Add reactions and Giphy integration to comments
12d ago
#63
Architecture violation: search route imports directly from lib/infrastructure
s18d ago
#62
Introduce domain events to formalize the telemetry-to-consumer pipeline
12d ago
#61
Refactor: move telemetry track() calls from route handlers to application services
s18d ago
#59
Reindex path feeds error events to consumer, bypassing filtering
s17d ago
#58
Custom swamp-themed avatar generator with daily rerolls
19d ago
#57
Profile content links with scoring for community contributions
5d ago
#56
Score extension pull events for extension authors
s18d ago
#55
Score daily sign-in events with streak multiplier
s17d ago
#54
Score sign_up events in the telemetry pipeline
5d ago
#53
Score extension publish events in the telemetry pipeline
s17d ago
#52
Add 'award' telemetry event type for arbitrary score grants
19d ago
#51
Bug: authenticated pulls always shows 0 on profile page
11d ago
#50
Decouple identity_map from main app: username renames via event, not shared DB
12d ago
#49
Optimise MongoDB Search Queries
12d ago
#48
Transactional emails on login with google/similar
12d ago
#47
Add rate limiting to send-verification-email endpoint
12d ago
#46
Add authentication or rate limiting to check-verified endpoint
12d ago
#45
swamp data query for morning-message in hello-world tutorial returns nothing.
a17d ago
#44
Document vault migrate command in reference docs
s19d ago
#43
Locks on long running actions
19d ago
#42
issue-lifecycle skill: improve resumption and close-out guidance
s19d ago
#41
deprovision: firewall deletion fails with resource_in_use immediately after server delete
s5d ago
#40
swamp workflow validate should check step inputs against method's required arguments
s19d ago
#39
data.latest() returns null when new data written while _catalog.db is already marked populated
a19d ago
#38
Bundle cache fallback silently skipped when source and bundle have equal mtimes
s19d ago
#37
Add vault migrate command to move secrets between vaults
s19d ago
#35
Consolidate method execution paths — workflow steps and manual runs build MethodContext divergently
k17d ago
#33
CatalogStore constructor runs createSchema before migrateIfNeeded; v1→v2 upgrade fails on existing repos
a19d ago
#32
discord-bot poller double-processes events with >1 replica
19d ago
#31
datastore sync: clean up zombie _catalog.db* entries from remote index and S3 bucket
20d ago
#30
datastore sync --push runs pushChanged() twice per invocation (coordinator dedup)
20d ago
#29
datastore sync --push fails on _catalog.db-wal: catalog SQLite DB lives inside the S3 sync cache
20d ago
#28
.swamp/datastore-bundles/ leaks into deno lint and deno fmt scans
20d ago
#27
deno run audit task missing --allow-env flag
20d ago
#26
Error when submitting a new issue manually
20d ago
#25
Green text on issue details is a lot
20d ago
#24
evals/promptfoo: bump hono and @hono/node-server to clear 6 dependabot alerts
20d ago
#21
issue-lifecycle: COMMENTED PR review can overwrite a prior decisive state in fetchPrReviews
5d ago
#20
Add agent-constraints/ for issue-lifecycle skill
5d ago
#19
@swamp/aws/ec2: auto-generated models lack list, tag, and factory-compatible update methods
20d ago
#18
@swamp/digitalocean/space-key stores secret in plaintext - should mark as sensitive
20d ago
#17
Add Azure provider pipeline to codegen
20d ago
#16
feat: Namespace.so execution driver for remote workload execution
17d ago
#15
Add macOS Keychain vault type
12d ago
#14
Add uniform bucket-level IAM support to @swamp/gcp/storage
20d ago
#13
Expand DataRecord with first-class provenance fields; remove all hidden scoping from data access
a19d ago
#12
feat: Private extensions
20d ago
#11
Workflow execution repeats #1091: cross-model CEL expression validation fails for unresolved types
s11d ago
#10
context.readModelData returns different results depending on invocation context (manual vs workflow)
s11d ago
#9
Handle sensitive fields gracefully when no vault is configured
s19d ago
#8
Vault reads for model global arguments are cached at workflow start, making in-workflow token refresh ineffective
12d ago
#7
feat: approval gates for workflow steps and jobs
12d ago
#6
Install script: curl fails TLS verification for swamp.club (certificate chain)
2d ago
#5
Extension Patches: contribution workflow for community extensions
20d ago
#4
Feature: swamp issue for extensions — bug reports, security disclosures, and author notifications
s6d ago
#3
Support 'swamp <app> run' as containerized entrypoint for easy onboarding
20d ago
#2
Persistent runner / server mode to eliminate per-invocation CLI startup overhead
4d ago
#1
feat: add support for Nix via a flake
8d ago
← Back to list4/16/2026, 7:42:38 PM
01Issue
FeatureClosedSwamp Club
AssigneesNone
Add rate limiting to send-verification-email endpoint
Opened by stack72 · 4/9/2026· GitHub #46
Issue
BetterAuth's /api/auth/send-verification-email endpoint has no rate limiting. An attacker can repeatedly call it with a known registered email address to flood the target's inbox with verification emails.
BetterAuth does implement timing-safe behavior (creates a token even for non-existent emails to prevent timing-based enumeration), but does not throttle repeated requests.
Impact
Low severity. The attacker cannot gain access to the account or intercept the verification token — emails are sent to the actual owner's inbox. The risk is inbox spam/harassment.
Options
- Rate limit at nginx — limit POST requests to
/api/auth/send-verification-emailper IP (e.g., 3 per 15 minutes) - Rate limit in app — track send attempts per email address and reject after threshold
- Check BetterAuth's
rateLimitconfig — BetterAuth may support built-in rate limiting for this endpoint
02Bog Flow
Closed
No activity in this phase yet.
03Sludge Pulse