Two critical issues and several high/medium issues were identified during
a security review of the backend API.
**Critical fixes:**
1. Path traversal (CWE-22): user-supplied `simulation_id`, `report_id`,
and `project_id` values were passed directly to `os.path.join()`
without validation, allowing `../` sequences to escape intended
directories.
- Added `backend/app/utils/id_validator.py` with `validate_safe_id()`
(rejects anything that isn't alphanumeric/underscore/hyphen) and
`safe_join()` (resolves realpath and verifies containment).
- Applied to all 3 path-construction sites in simulation.py, all 12
relevant handlers in report.py, and 6 sites in graph.py.
- Sanitized uploaded filenames with `os.path.basename()` in graph.py.
2. Missing authentication: all API endpoints were publicly accessible
with no auth mechanism.
- Added `backend/app/utils/auth.py` with an `X-Api-Key` middleware
registered as a `before_request` hook.
- Auth is opt-in: set `API_KEY` in `.env` to enforce it; if unset a
startup warning is logged. This preserves local dev workflows.
**High fixes:**
3. Hardcoded `SECRET_KEY` fallback replaced with `os.urandom(32).hex()`
so an unset key is never predictable.
4. `FLASK_DEBUG` now defaults to `False` instead of `True`.
5. Full Python tracebacks removed from all API error responses (51 total
across graph.py, report.py, simulation.py) — tracebacks still go to
the logger.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
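The commit names `validate_safe_id()` and `safe_join()` but shows no implementation; the following is an added, stdlib-only illustration of the two checks described in item 1, not the project's own `backend/app/utils/id_validator.py`. The helper names `report_path`, `is_safe_id` and `resolves_inside` and the sample base directory are assumptions for the example.

```python
import os
import re

# Example reimplementation of the checks described in the commit above;
# not the project's own code. Helper names and paths are assumed.
_SAFE_ID = re.compile(r"[A-Za-z0-9_-]+")

def validate_safe_id(value: str) -> str:
    """Return value unchanged if it is alphanumeric/underscore/hyphen only.

    Anything else (path separators, '.', '..', empty string, non-str) is
    rejected, so a validated id can never contribute a directory component.
    """
    if not isinstance(value, str) or not _SAFE_ID.fullmatch(value):
        raise ValueError(f"unsafe identifier: {value!r}")
    return value

def safe_join(base_dir: str, *parts: str) -> str:
    """Join parts under base_dir and verify the resolved path stays inside it.

    realpath collapses '..' and follows symlinks; commonpath (not startswith)
    also rejects sibling-prefix escapes such as /data/reports -> /data/reports2.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {candidate}")
    return candidate

def report_path(reports_dir: str, report_id: str) -> str:
    """Defence in depth: validate the id first, then still verify containment."""
    return safe_join(reports_dir, validate_safe_id(report_id), "report.json")

def is_safe_id(value) -> bool:
    """Boolean wrapper around validate_safe_id for callers and tests."""
    try:
        validate_safe_id(value)
        return True
    except ValueError:
        return False

def resolves_inside(base_dir: str, *parts: str) -> bool:
    """Boolean wrapper around safe_join."""
    try:
        safe_join(base_dir, *parts)
        return True
    except ValueError:
        return False
```

Both layers are applied in `report_path`: even if an id somehow bypasses the allow-list, the containment check on the resolved path still refuses anything outside the reports directory.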
Background threads (graph building, simulation prep, report generation,
profile generation) now inherit the requesting user's locale preference.
Previously these fell back to 'zh' because Flask request context was
unavailable in spawned threads.
Ensure poster_type stays PascalCase English and stance stays English enum
values regardless of language setting. Only natural language fields follow
the user's language preference.
The language instruction was causing the LLM to change entity/relation naming
conventions. Now explicitly enforce PascalCase/UPPER_SNAKE_CASE for technical
identifiers while only applying language preference to description fields.
- Implemented `_get_report_id_for_simulation` to find the most recent report ID associated with a simulation ID by scanning the reports directory.
- Updated `get_simulation_history` to include the retrieved report ID in the response, enhancing the simulation data returned to the client.
- Updated simulation history retrieval to read project details directly from the Simulation file.
- Improved simulation configuration handling by reading simulation requirements from JSON.
- Added project file listing to the simulation history, displaying up to three associated files.
- Refined card layout in HistoryDatabase.vue to accommodate new file display features and improved responsiveness.
- Deleted docker-compose.yml, backend Dockerfile, frontend Dockerfile, and nginx configuration to streamline project setup.
- Updated .env.example to reorganize LLM and ZEP API configurations for clarity and ease of use.
- Enhanced README.md to reflect changes in project structure and provide clearer setup instructions.
- Created package-lock.json for dependency management.
- Updated package.json and frontend package.json to version 0.1.0.
- Adjusted backend pyproject.toml to reflect version 0.1.0.
- Introduced uv.lock for Python dependency resolution.
- Modified the backend setup script to clear the virtual environment before installation.
- Improved README.md by restructuring the prerequisites section into a table for better readability.
- Added installation instructions for the `uv` package and clarified terminal requirements post-installation.
- Updated .env.example to reflect new LLM configuration with Aliyun's API.
- Enhanced .gitignore to include additional files and directories for better exclusion of sensitive and build artifacts.
- Added docker-compose.yml for streamlined deployment of backend and frontend services.
- Introduced Dockerfiles for both backend and frontend to facilitate containerized builds.
- Created README.md to provide comprehensive project documentation and setup instructions.
- Established nginx configuration for frontend to support API proxying and static file serving.
- Decreased the maximum tool calls per section from 8 to 5.
- Reduced the maximum iterations in the ReACT loop from 8 to 5, streamlining the report generation process.
- Deleted the backend README.md file as it was no longer needed.
- Changed the favicon from an SVG to a PNG format for better compatibility.
- Updated the page title in index.html to reflect a more concise branding message.
- Reduced maximum tool calls per chat from 5 to 2 for improved efficiency.
- Simplified system prompt to focus on concise responses and report content.
- Implemented report content retrieval with length limitation to prevent context overflow.
- Adjusted tool call execution to limit to one call per iteration, enhancing clarity in responses.
- Updated user message prompts to encourage concise answers based on retrieved data.
- Increased the maximum tool calls per section from 4 to 8, enhancing the agent's capabilities.
- Raised the maximum reflection rounds from 2 to 3 to allow for deeper analysis.
- Adjusted the maximum tool calls per chat from 3 to 5 for improved interaction.
- Expanded the maximum agents for interviews from 5 to 20, facilitating more comprehensive data gathering.
- Increased the maximum iterations for ReACT loops from 5 to 8 and from 3 to 5 in different contexts, optimizing the report generation process.
- Updated the `to_text` method in the `PanoramaResult` class to provide complete outputs for current facts, historical facts, and involved entities, improving data visibility.
- Modified the `to_text` method in the `AgentInterview` class to display the full agent bio without truncation.
- Adjusted the `ZepToolsService` class to retrieve all related entity details and facts without limiting the output, ensuring comprehensive data representation.