Securing and Shipping Modern JavaScript: BuildScanner and Agent Harness

React Office Hours
Starting @ 5pm we hold office hours. Come on by to get some help, ask questions, and meet other developers. Or just hang out!

---
BuildScanner: Source-Mapped Static and Runtime Security Analysis for Modern JavaScript Applications (Laxmi P. Srinivas Sarva)

BuildScanner is a developer-first security scanning framework for modern JavaScript applications that combines build-to-source mapping, static taint-aware analysis, and lightweight runtime validation to find high-impact vulnerabilities earlier in the development lifecycle. By using production source maps, BuildScanner maps issues discovered in minified front-end bundles back to original files and lines, improving remediation accuracy. Its static analysis performs AST-based taint tracking tailored for React and Node.js idioms to identify unsafe data flows (including SQL injection, unsafe eval, and dangerouslySetInnerHTML usage). The runtime validation engine executes ephemeral, containerized test runs with headless browser automation to validate CORS, CSP, security headers, and runtime-only behaviors. We discuss implementation choices, limitations (source-map dependence, runtime variability), mitigation strategies, and a roadmap toward broader vulnerability classes and LLM-assisted triage. BuildScanner is available open-source to encourage community-driven improvement and adoption.

Bio: Laxmi P. Srinivas Sarva is a Senior Software Engineer based in Austin, TX with 10+ years of full‑stack experience and 8+ years focused on modern JavaScript/TypeScript ecosystems (React, React Native, Node.js). He currently architects scalable frontend and mobile systems at Apex Fintech Solutions.

The Other Half of the Stack (Bishop Zareh)

Andrej Karpathy published a wiki pattern for giving AI persistent memory. Addy Osmani published production-grade agent skills with verification gates and staged discipline. Both landed in April 2026. Neither combined them into a system you could actually run a product on. Bishop Zareh did, and in February he showed React ATX the code half: a production-ready React 19, TypeScript, and Vite boilerplate built for agent-assisted development. This talk is the other half. Agent Harness is a Markdown operating loop (wiki, lifecycle, skills) that sits alongside the boilerplate and turns Karpathy's memory architecture and Osmani's skill discipline into something you can run from idea to shipped artifact without losing the thread between sessions. He opens with what those two systems get right, names what still breaks when you bolt them onto real work, and runs a live demo of the harness driving a project through its lifecycle on a fresh clone. If you left the boilerplate talk wondering where the agent actually lives, this is the answer.

Bio: Bishop Zareh is an Austin-based creative technologist and returning React ATX speaker who builds with React, TypeScript, and Vite. He created the 2026 Agent Harness and 2026 Boilerplate as a paired stack for AI-assisted product work, and organizes the Vibe Code Austin meetup group.
---

Station Austin is sponsoring the venue!
Want to be a sponsor? Food, Drinks, Venue? Reach out!

Schedule
5.00 - 6.00 = React Office Hours
6.00 - 6.15 = Setting up, eating/drinking
6.15 - 8.00 = Presentations

Doors open 15 minutes before. The elevators will work only then. Come to the 16th floor.

Parking
There is partial parking validation. If you enter the garage attached to the Omni (entrance on Brazos Street) after 5pm and leave before 10pm, you will be given a parking slip that reduces your fee to $8 flat for the duration of your stay within that time frame.

• What to bring
Curiosity, Kindness, Willingness To Learn
• Important to know
Be Nice!