Nexus SecOps -- Peer Review POC (Y.js + WebRTC)

Read this before connecting

This is a proof-of-concept, not a production peer-review platform. It demonstrates the Y.js + WebRTC pattern that a future production review tool would build on. There is no authentication, no persistence, no moderation, no rate-limiting, no cryptographic sign-off. Sign-offs in this POC are self-asserted strings in a CRDT — they have zero audit weight.

External CDN exception: Nexus SecOps is normally a zero-external-dependency static site. This tool is the documented exception (same scope as the Purple Team Arena POC). It loads yjs@13.6.18 and y-webrtc@10.3.0 from cdn.jsdelivr.net. The dynamic imports use Subresource Integrity (SRI) hashes for tamper detection.

SRI hashes are PLACEHOLDERS in this POC The integrity="sha384-ghlZMZ/j8iYg2QKKfDUo2/h7LTtqgqEDJZLR58Aha3XZ9l4K/MTy+y2mTTbKNPa9" attributes below are placeholders. Before deploying this page publicly, regenerate real SHA-384 SRI hashes for the exact pinned version URLs at srihash.org (or via openssl dgst -sha384 -binary file.mjs | openssl base64 -A) and replace the placeholder strings. With placeholders, modern browsers will refuse to execute the modules and the tool will silently fail — that is the intended fail-closed behavior until verification.

Public WebRTC signaling servers: The y-webrtc default signaling endpoints are wss://signaling.yjs.dev, wss://y-webrtc-signaling-eu.herokuapp.com, and wss://y-webrtc-signaling-us.herokuapp.com. Your room name is sent to those servers in plaintext. Anyone who knows your room name can join — there is no access control. Do not paste real detection rules with real IOCs, real internal hostnames, real CVE-correlation patterns, or anything that would expose your environment. All defaults below are clearly synthetic.

What a real review tool needs (and this POC does not provide): self-hosted signaling, OAuth-tied identity, role-based access enforced server-side, persistent storage with version history, cryptographically signed sign-offs (Verifiable Credentials — see the Skill Portfolio tool), audit logging, e-signature for approvals, diff rendering, file attachments, and moderation. See the "what this POC does NOT do" list at the bottom.

Educational use only. Use this to understand how CRDT-backed collaborative review feels in practice — concurrent editing of the artifact, real-time threaded comments, live aggregate sign-off counts. Use it for tabletop demos with synthetic content. Do not use it to approve real detection deployments or to formalize real change-control decisions.

Connection

Room name (synthetic / demo)

Reviewer display name

Reviewer role

Disconnected

Artifact under review

Concurrent editing via Y.Text. All connected reviewers can edit; CRDT preserves intent under simultaneous edits. Only Author / Moderator can change the artifact type.

Title (synthetic)

Type

Artifact body (Y.Text — concurrent-safe)

0 lines 0 chars 0 words 0 editor(s) tracked

Synthetic data only. Use RFC 5737 IPs (192.0.2.x / 198.51.100.x / 203.0.113.x), example.com hostnames, dummy CVE IDs, and made-up rule names. Never paste production rules with production IOCs over this peer channel.

Comments thread

Y.Array of comment objects. Severity-tagged, optional line anchor, threaded replies, status (open / resolved / wont-fix).

Severity Line anchor (optional integer) Comment

No comments yet. Connect and add the first review note.

Review summary

Sign-offs here are NOT cryptographically signed. They are self-asserted strings in a CRDT. For a real audit trail, use Verifiable Credentials (see the Skill Portfolio tool, Revolution 5).

Your sign-off

0 Approvals

0 Request changes

0 Comments

0 Open blockers

Reviewer sign-offs

Not connected.

How it works

Y.Doc -- single shared CRDT document for the review room.
Y.Map "meta" -- artifact title, type, last-updater.
Y.Text "body" -- artifact body. Concurrent edits merge with intent preservation; no last-write-wins clobbering.
Y.Array "comments" -- ordered list of comment objects (id, reviewer, role, time, severity, line_anchor, text, status, parent_id for replies).
Y.Map "signoffs" -- keyed by reviewer name. Each connected reviewer writes their own entry.
Y.Map "presence" -- ephemeral roster keyed by clientID.
WebrtcProvider -- peer discovery via signaling, then direct P2P data channels.
No server holds state. When the last peer leaves, the room is gone.

What this POC does NOT do

No cryptographic sign-offSign-offs are self-asserted strings written to a Y.Map. There is no signature, no key material, no non-repudiation. Anyone with the room name can write any sign-off under any name. For real review approvals use Verifiable Credentials (W3C VC) issued by an identifiable signer with a key bound to identity.
No persistenceState is ephemeral. When all peers disconnect, the room is gone. A page refresh loses your local view; reconnect re-syncs from any remaining peer. If you are the last peer and you refresh, all data is lost. For real use, add y-indexeddb for local persistence and a y-websocket server for room-state durability.
No authenticationAnyone who knows the room name joins. There is no identity verification. Display name and role are self-asserted and can be spoofed — a peer claiming "Moderator" has no enforced power because there is no server to enforce anything.
Public signaling (room name leaks)The y-webrtc defaults route discovery through public bridge servers. Your room name is sent there in plaintext. Anyone observing those servers sees room-discovery traffic. Use a private signaling server for anything non-demo.
No moderation, no kick, no rate limitA peer can spam comments, edit the artifact body destructively, or write nonsense sign-offs. There is no admin action to remove them. CRDT growth is unbounded.
No NAT traversal beyond STUNy-webrtc uses public STUN servers but no TURN. Peers behind symmetric NATs or strict corporate firewalls will fail to connect. Production needs TURN credentials.
No version history UIY.js retains operational history internally and supports snapshots, but this POC does not expose timeline navigation, blame, or rollback. There is no "what did Reviewer-XYZ change between 14:02 and 14:08?" view.
No diff viewThe artifact body shows current state only. There is no side-by-side diff against a baseline, no inline change highlighting, no per-comment diff anchor.
No file attachmentsComments are plaintext. You cannot attach screenshots, sample logs, packet captures, or supplementary YAML. WebRTC data channels could carry binary, but the UI does not.
No SRI verification (placeholder hashes)The CDN integrity attributes are PLACEHOLDER strings. Browsers will refuse to load the modules until real SRI hashes are computed and pasted in. This is intentional fail-closed behavior, identical to the arena POC.
For real productionSelf-hosted signaling (Cloudflare Workers WebSocket or dedicated y-websocket), y-indexeddb + y-leveldb for persistence, OAuth-tied identity, server-enforced roles, signed sign-offs (Verifiable Credentials), audit logging, e-signature for formal approvals, version-history UI, diff rendering, file attachments, abuse moderation.

Browser requirements

Chrome / Edge / Firefox / Safari recent versions. Requires:

WebRTC (RTCPeerConnection, RTCDataChannel) for peer-to-peer transport
WebSocket for signaling server connection
ES Modules (<script type="module">) for Y.js + y-webrtc imports
Subresource Integrity (SRI) — script will not execute without verified hashes