docs+ci: position brtc as a cost calculator and auto-render demo.gif #5
Adds a callout immediately under the title pointing readers at zxcvbn for pattern detection. Raw entropy makes 'P@ssw0rd!' look strong, but a real attacker with a dictionary cracks it in seconds. Setting the expectation up front avoids misuse and prepares the ground for the upcoming --guesses flag that lets brtc consume zxcvbn output.
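To make the gap described in this commit message concrete, here is an added sketch that is not brtc's code and not part of this PR. It prices `P@ssw0rd!` once from raw entropy and once from a pattern-aware guess count; the attacker profile (1e10 guesses per second at $1 per hour) and the pattern-aware count of 1e4 are constructed values, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"math"
	"unicode"
)

// charsetSize returns the naive character pool implied by the classes
// present in pw: 26 lower, 26 upper, 10 digits, 33 printable ASCII symbols.
func charsetSize(pw string) int {
	var lower, upper, digit, symbol int
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = 26
		case unicode.IsUpper(r):
			upper = 26
		case unicode.IsDigit(r):
			digit = 10
		default:
			symbol = 33
		}
	}
	return lower + upper + digit + symbol
}

// rawGuesses is the expected work of an exhaustive search over the naive
// pool: half of charset^length. It ignores words, leetspeak and other patterns.
func rawGuesses(pw string) float64 {
	return math.Pow(float64(charsetSize(pw)), float64(len([]rune(pw)))) / 2
}

// costUSD prices a guess count against an attacker profile (rate, hourly price).
func costUSD(guesses, guessesPerSec, usdPerHour float64) float64 {
	return guesses / guessesPerSec / 3600 * usdPerHour
}

func main() {
	const rate, price = 1e10, 1.0 // assumed profile: 1e10 guesses/s at $1 per hour
	const patternGuesses = 1e4    // constructed stand-in for a zxcvbn-style estimate
	raw := rawGuesses("P@ssw0rd!")
	fmt.Printf("raw entropy:   %.1f bits, cost $%.2f\n", math.Log2(2*raw), costUSD(raw, rate, price))
	fmt.Printf("pattern-aware: %.0f guesses, cost $%.10f\n", patternGuesses, costUSD(patternGuesses, rate, price))
}
```

The same cost function gives a four-digit dollar figure for the raw-entropy input and a fraction of a cent for the pattern-aware one, so the price is only as trustworthy as the guess count fed into it.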
The previous demo.tape ran 'go build -o brtc' from inside VHS, which required a Go toolchain to be present in the VHS container — not the case for charmbracelet/vhs-action. Caller (CI workflow or local user) now builds the binary first; the tape only adjusts PATH. Regenerates assets/demo.gif from the new tape so the first CI run finds it unchanged and skips the auto-commit.
PR runs upload the rendered gif as an artifact (preview) without write permissions, so forked PRs don't try to push. Pushes to main render the gif and auto-commit only if it actually changed, with [skip ci] in the message to avoid loops. Triggered by changes to demo.tape, Go sources, or the workflow itself.
Code Review
This pull request clarifies the purpose of brtc in the README as a cost calculator rather than a strength meter and updates the demo tape to assume a pre-built binary. Feedback was provided to correct a broken link and a syntax error in the README, along with a suggestion to rephrase the mention of a future feature for better clarity.
| > **brtc is a cost calculator, not a strength meter.** | ||
| > It converts an entropy/guess count into an offline-attack price tag in USD against a chosen GPU or cloud profile. | ||
| > It does **not** detect dictionary words, leetspeak, keyboard walks, or other patterns — `P@ssw0rd!` looks "strong" by raw entropy alone but is trivially guessable in practice. | ||
| > For real-world strength evaluation, **pair brtc with [zxcvbn](https://github.com/dropbox/zxcvbn)** (or [zxcvbn-ts](https://github.com/zxcvbn-ts/zxcvbn)) and feed its `guesses` value into brtc via `--guesses` (coming in a follow-up release). |
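Review bot: the callout never says in which direction the number errs. The lines "It converts an entropy/guess count into an offline-attack price tag in USD" and "`P@ssw0rd!` looks "strong" by raw entropy alone" imply it, but a reader can still take the USD figure as a guarantee. Suggest adding one sentence stating that a price computed from raw entropy is an upper bound on the attacker's cost and that a patterned password can cost far less to crack.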
The link for zxcvbn-ts is incorrect and leads to a 404 error; the correct repository is zxcvbn-ts/zxcvbn-ts. Additionally, there is a missing closing parenthesis for the (or ...) block. Finally, documenting the --guesses flag before it is implemented can lead to user confusion; consider rephrasing to clarify it as a planned feature.
| > For real-world strength evaluation, **pair brtc with [zxcvbn](https://github.com/dropbox/zxcvbn)** (or [zxcvbn-ts](https://github.com/zxcvbn-ts/zxcvbn)) and feed its `guesses` value into brtc via `--guesses` (coming in a follow-up release). | |
| > For real-world strength evaluation, **pair brtc with [zxcvbn](https://github.com/dropbox/zxcvbn)** (or [zxcvbn-ts](https://github.com/zxcvbn-ts/zxcvbn-ts)). A future update will allow feeding the `guesses` value directly into brtc via a `--guesses` flag. |
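Review bot: the parenthesis point does not match the removed line, where "(or [zxcvbn-ts](https://github.com/zxcvbn-ts/zxcvbn))" already closes both the link and the "(or" group; the replacement keeps the same bracket structure. The substantive changes are the link target and the `--guesses` wording, so check that the new URL resolves before applying the suggestion.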
charmbracelet/vhs-action@v2 fails to install ffmpeg on the current ubuntu-latest runner image (see the failed run on PR #5). The official ghcr.io/charmbracelet/vhs Docker image bundles ttyd, ffmpeg, and fonts so the render step does not depend on apt or any network install at action time.
VHS drives headless Chrome internally; on ubuntu-latest with the default Docker shm size (64MB), Chrome crashes with 'chrome_crashpad_handler: --database is required' before any frame is captured. Sharing the host IPC namespace gives the container enough shared memory to render. Drops --user because the image's ttyd/chrome bits expect the in-image user; ownership of the produced gif is fixed up via sudo chown after the run.
Summary
Two related concerns: setting reader expectations for what brtc actually does, and removing the manual step of regenerating assets/demo.gif.
P@ssw0rd! as strong; in practice it's trivially guessable. The follow-up --guesses flag (separate PR) will let users feed zxcvbn output into brtc directly.
go build step out of assets/demo.tape (the VHS container does not ship a Go toolchain) and regenerates the gif so the first CI run finds it unchanged.
.github/workflows/vhs.yml. PRs render the gif and upload it as an artifact (read-only token, safe for forked PRs). Pushes to main render and auto-commit the gif only if it actually changed, with [skip ci] to avoid recursion. Triggered by changes to demo.tape, any *.go, go.mod/go.sum, or the workflow itself.
Verification
vhs assets/demo.tape runs locally and produces a 162 KB gif.
go test -count=1 ./... and go build ./... still pass.
charmbracelet/vhs-action@v2 and actions/upload-artifact@v4 (current major versions).
Test plan
demo-gif artifact under the workflow run