29fdb64fa0
Two critical issues and several high/medium issues were identified during
a security review of the backend API.
**Critical fixes:**
1. Path traversal (CWE-22): user-supplied `simulation_id`, `report_id`,
and `project_id` values were passed directly to `os.path.join()`
without validation, allowing `../` sequences to escape intended
directories.
- Added `backend/app/utils/id_validator.py` with `validate_safe_id()`
(rejects anything that isn't alphanumeric/underscore/hyphen) and
`safe_join()` (resolves realpath and verifies containment).
- Applied to all 3 path-construction sites in simulation.py, all 12
relevant handlers in report.py, and 6 sites in graph.py.
- Sanitized uploaded filenames with `os.path.basename()` in graph.py.
2. Missing authentication: all API endpoints were publicly accessible
with no auth mechanism.
- Added `backend/app/utils/auth.py` with an `X-Api-Key` middleware
registered as a `before_request` hook.
- Auth is opt-in: set `API_KEY` in `.env` to enforce it; if unset a
startup warning is logged. This preserves local dev workflows.
**High fixes:**
3. Hardcoded `SECRET_KEY` fallback replaced with `os.urandom(32).hex()`
so an unset key is never predictable.
4. `FLASK_DEBUG` now defaults to `False` instead of `True`.
5. Full Python tracebacks removed from all API error responses (51 total
across graph.py, report.py, simulation.py) — tracebacks still go to
the logger.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
||
|---|---|---|
| .github/workflows | ||
| backend | ||
| frontend | ||
| locales | ||
| static/image | ||
| .dockerignore | ||
| .env.example | ||
| .gitignore | ||
| Dockerfile | ||
| LICENSE | ||
| README-ZH.md | ||
| README.md | ||
| docker-compose.yml | ||
| package-lock.json | ||
| package.json | ||
README.md
简洁通用的群体智能引擎,预测万物
A Simple and Universal Swarm Intelligence Engine, Predicting Anything
⚡ Overview
MiroFish is a next-generation AI prediction engine powered by multi-agent technology. By extracting seed information from the real world (such as breaking news, policy drafts, or financial signals), it automatically constructs a high-fidelity parallel digital world. Within this space, thousands of intelligent agents with independent personalities, long-term memory, and behavioral logic freely interact and undergo social evolution. You can inject variables dynamically from a "God's-eye view" to precisely deduce future trajectories — rehearse the future in a digital sandbox, and win decisions after countless simulations.
You only need to: Upload seed materials (data analysis reports or interesting novel stories) and describe your prediction requirements in natural language
MiroFish will return: A detailed prediction report and a deeply interactive high-fidelity digital world
Our Vision
MiroFish is dedicated to creating a swarm intelligence mirror that maps reality. By capturing the collective emergence triggered by individual interactions, we break through the limitations of traditional prediction:
- At the Macro Level: We are a rehearsal laboratory for decision-makers, allowing policies and public relations to be tested at zero risk
- At the Micro Level: We are a creative sandbox for individual users — whether deducing novel endings or exploring imaginative scenarios, everything can be fun, playful, and accessible
From serious predictions to playful simulations, we let every "what if" see its outcome, making it possible to predict anything.
🌐 Live Demo
Welcome to visit our online demo environment and experience a prediction simulation on trending public opinion events we've prepared for you: mirofish-live-demo
📸 Screenshots
 |
 |
 |
 |
 |
 |
🎬 Demo Videos
1. Wuhan University Public Opinion Simulation + MiroFish Project Introduction
Click the image to watch the complete demo video for prediction using BettaFish-generated "Wuhan University Public Opinion Report"
2. Dream of the Red Chamber Lost Ending Simulation
Click the image to watch MiroFish's deep prediction of the lost ending based on hundreds of thousands of words from the first 80 chapters of "Dream of the Red Chamber"
Financial Prediction, Political News Prediction and more examples coming soon...
🔄 Workflow
- Graph Building: Seed extraction & Individual/collective memory injection & GraphRAG construction
- Environment Setup: Entity relationship extraction & Persona generation & Agent configuration injection
- Simulation: Dual-platform parallel simulation & Auto-parse prediction requirements & Dynamic temporal memory updates
- Report Generation: ReportAgent with rich toolset for deep interaction with post-simulation environment
- Deep Interaction: Chat with any agent in the simulated world & Interact with ReportAgent
🚀 Quick Start
Option 1: Source Code Deployment (Recommended)
Prerequisites
| Tool | Version | Description | Check Installation |
|---|---|---|---|
| Node.js | 18+ | Frontend runtime, includes npm | node -v |
| Python | ≥3.11, ≤3.12 | Backend runtime | python --version |
| uv | Latest | Python package manager | uv --version |
1. Configure Environment Variables
# Copy the example configuration file
cp .env.example .env
# Edit the .env file and fill in the required API keys
Required Environment Variables:
# LLM API Configuration (supports any LLM API with OpenAI SDK format)
# Recommended: Alibaba Qwen-plus model via Bailian Platform: https://bailian.console.aliyun.com/
# High consumption, try simulations with fewer than 40 rounds first
LLM_API_KEY=your_api_key
LLM_BASE_URL=https://dashscope.aliyuncs.com/compatible-mode/v1
LLM_MODEL_NAME=qwen-plus
# Zep Cloud Configuration
# Free monthly quota is sufficient for simple usage: https://app.getzep.com/
ZEP_API_KEY=your_zep_api_key
2. Install Dependencies
# One-click installation of all dependencies (root + frontend + backend)
npm run setup:all
Or install step by step:
# Install Node dependencies (root + frontend)
npm run setup
# Install Python dependencies (backend, auto-creates virtual environment)
npm run setup:backend
3. Start Services
# Start both frontend and backend (run from project root)
npm run dev
Service URLs:
- Frontend:
http://localhost:3000 - Backend API:
http://localhost:5001
Start Individually:
npm run backend # Start backend only
npm run frontend # Start frontend only
Option 2: Docker Deployment
# 1. Configure environment variables (same as source deployment)
cp .env.example .env
# 2. Pull image and start
docker compose up -d
Reads .env from root directory by default, maps ports 3000 (frontend) / 5001 (backend)
Mirror address for faster pulling is provided as comments in
docker-compose.yml, replace if needed.
📬 Join the Conversation
The MiroFish team is recruiting full-time/internship positions. If you're interested in multi-agent simulation and LLM applications, feel free to send your resume to: mirofish@shanda.com
📄 Acknowledgments
MiroFish has received strategic support and incubation from Shanda Group!
MiroFish's simulation engine is powered by OASIS (Open Agent Social Interaction Simulations), We sincerely thank the CAMEL-AI team for their open-source contributions!