HITL support for react-package #17

Open
dcruzeneil2 wants to merge 1 commit into main from neil/kernel-1287-react-side

HITL support for react-package#17
dcruzeneil2 wants to merge 1 commit into
mainfrom
neil/kernel-1287-react-side

Conversation

@dcruzeneil2 (Contributor) commented May 29, 2026

Note

Medium Risk
Embeds backend-provided live_view_url in an iframe during auth, which expands the attack surface if URLs are not strictly controlled server-side; otherwise UI and flow-mapping only.

Overview
Adds human-in-the-loop (HITL) handling to the managed-auth React flow when the backend reports AWAITING_HUMAN_INTERVENTION.

The session hook maps that flow step to a new awaiting_human_intervention UI state, and KernelManagedAuth renders a dedicated HumanInterventionStep: localized copy, an embedded live view via state.live_view_url when present (otherwise a loading indicator), and styles that widen the shell/card for the iframe. Protocol types and default/customizable localization strings for this step are included.

Reviewed by Cursor Bugbot for commit d294e2d. Bugbot is set up for automated code reviews on this repo.

@vercel (Bot) commented May 29, 2026

The latest updates on your projects.

Project: managed-auth-react-demo
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 29, 2026 6:56pm

@firetiger-agent

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

PRs in the kernel, infra, hypeman, and hypeship repos. kernel is a ~mono repo with many logical services underneath, ensure to focus on the implicated service for the PR

Reason: PR is for react-package, which is not one of the specified monitored repos (kernel, infra, hypeman, hypeship).

To monitor this PR anyway, reply with @firetiger monitor this.

@vercel (Bot) left a comment

Additional Suggestion:

HumanInterventionStep component is not exported from the package's main index.ts file, breaking consistency with other step components and preventing headless usage.



    {liveViewUrl ? (
      <div className="kma-human-intervention__iframe-wrap">
        <iframe

The iframe element in HumanInterventionStep.tsx is missing the sandbox attribute, leaving it without protection against potential XSS and script injection attacks.
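As an added example that is not code from this PR or from the react-package, the TypeScript below shows one way to address both review points together: the session-hook mapping from the backend's AWAITING_HUMAN_INTERVENTION step to the awaiting_human_intervention UI state, a client-side origin allowlist for live_view_url as defence in depth on top of the server-side control Bugbot's risk note calls for, and a sandbox attribute on the embedded iframe. Only AWAITING_HUMAN_INTERVENTION, awaiting_human_intervention and state.live_view_url come from the PR description; the allowed origin https://live.example.com, the flow_step field name, the error state and every function name are assumptions for illustration. JSX is avoided on purpose: liveViewIframeProps returns a plain object that a component would spread onto <iframe>.

```typescript
// Added example, not code from the react-package PR. Assumed for illustration:
// the allowlist value, the session-state field names, the "error" state and
// every function name. Only AWAITING_HUMAN_INTERVENTION,
// awaiting_human_intervention and live_view_url come from the PR description.

// Origins the client will embed. Assumed value; in a real build this is
// compiled-in configuration, never taken from the session payload itself.
const ALLOWED_LIVE_VIEW_ORIGINS: readonly string[] = ["https://live.example.com"];

const AWAITING_HUMAN_INTERVENTION = "AWAITING_HUMAN_INTERVENTION";

// Minimal session shape (assumed): the flow step the backend reports and the
// optional live view URL that the PR reads as state.live_view_url.
interface SessionState {
  flow_step: string;
  live_view_url?: string | null;
}

type HitlUiState =
  | { status: "awaiting_human_intervention"; liveViewUrl: string | null }
  | { status: "error"; reason: string }; // assumed name for the rejected case

// Accept the URL only if it parses, is https, carries no userinfo and its
// origin (scheme + host + port, compared as URL.origin, not as a string
// prefix) is on the allowlist. This rejects javascript:, data:, http:,
// lookalike hosts such as live.example.com.evil.com and
// https://live.example.com@evil.com/.
function validateLiveViewUrl(raw: unknown): string | null {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:") return null;
  if (parsed.username !== "" || parsed.password !== "") return null;
  if (ALLOWED_LIVE_VIEW_ORIGINS.indexOf(parsed.origin) === -1) return null;
  return parsed.href;
}

// The hook-side mapping: null when the backend is not waiting on a human,
// a loading state (liveViewUrl null) when the URL has not arrived yet, an
// error state when the URL fails the allowlist, and the embed state otherwise.
function mapHitlState(state: SessionState): HitlUiState | null {
  if (state.flow_step !== AWAITING_HUMAN_INTERVENTION) return null;
  const url = state.live_view_url ?? null;
  if (url === null) {
    return { status: "awaiting_human_intervention", liveViewUrl: null };
  }
  const safe = validateLiveViewUrl(url);
  if (safe === null) {
    return { status: "error", reason: "live_view_url rejected by origin allowlist" };
  }
  return { status: "awaiting_human_intervention", liveViewUrl: safe };
}

// Attributes to spread onto the <iframe>. Without allow-same-origin the framed
// document runs in an opaque origin, so a compromised live view cannot read
// the embedding app's cookies or storage; without allow-top-navigation it
// cannot redirect the auth flow away from the page. allow-scripts and
// allow-forms are the minimum an interactive view needs.
interface LiveViewIframeProps {
  src: string;
  sandbox: string;
  referrerPolicy: "no-referrer";
  title: string;
}

function liveViewIframeProps(validatedUrl: string): LiveViewIframeProps {
  return {
    src: validatedUrl,
    sandbox: "allow-scripts allow-forms",
    referrerPolicy: "no-referrer",
    title: "Live view for human intervention",
  };
}
```

Because the live view is cross-origin to the managed-auth app, the sandbox still holds even if the framed page needs scripts; if the vendor's live view turns out to need allow-same-origin for its own storage, add only that token and keep allow-top-navigation off, since allow-scripts plus allow-same-origin would only collapse the sandbox for a same-origin embed.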
