검증확인했습니다, 병합해주세요

[parkcheolhong]

변경사항 변합해주세요

Summary by Sourcery

Harden health diagnostics, authentication, and orchestration progress handling while tightening error privacy, time handling, and CI/tooling, plus small frontend and GPU server adjustments.

Bug Fixes:

• Prevent health diagnostics from leaking low-level system paths or exception text by normalizing errors into a small set of safe codes.
• Ensure password recovery and passkey flows use timezone-aware UTC timestamps to avoid expiration and comparison issues.
• Fix orchestration progress persistence so multiple runs share a single JSON store with locking and reliable lookup by run ID.
• Avoid auth secret keys being silently written to disk by requiring explicit SECRET_KEY or SECRET_KEY_FILE and falling back to an in-memory secret only with logging.
• Stabilize ad queue health and marketplace orchestration error reporting by using fixed public error codes/messages instead of raw exception strings.

Enhancements:

• Normalize GPU server model load failures to a stable machine-readable error code.
• Simplify default feature catalog title handling in the frontend orchestrator hook.
• Add structured logging around ad queue diagnostics, runtime health, and marketplace orchestration failures for better observability.

Build:

• Bump the Pillow dependency to the 12.2–<13.0 range to track newer releases.

CI:

• Update the CodeQL workflow to provision Python 3.13 when analyzing Python code.

Documentation:

• Add a bilingual repository-wide design change and PR body template document outlining orchestrator, generator, admin UI, and operational verification baselines.

Tests:

• Add tests to verify that health diagnostic helpers sanitize errors into allowed codes and that memory/CPU/GPU snapshots do not expose raw system paths or exception messages.
• Extend auth router security tests to stub webauthn dependencies and use timezone-aware datetimes for recovery flows.

Chores:

• Introduce an empty .gitignore file as part of repo housekeeping.

[sourcery-ai]

Reviewer's Guide

This PR standardizes runtime health diagnostics error reporting, hardens auth and password recovery time handling, introduces concurrency-safe orchestration progress persistence, tightens security and observability around several runtime paths, updates dependencies and CI configuration, and adds tests and documentation to cover these changes.

Sequence diagram for orchestration progress save and load with shared JSON store

sequenceDiagram
    actor Client
    participant Orchestrator as Orchestrator
    participant Save as _save_orchestration_progress
    participant Store as _ORCHESTRATION_PROGRESS_STORE
    participant Lock as _ORCHESTRATION_PROGRESS_FILE_LOCK
    participant FS as OrchestrationProgressStoreFile

    Client->>Orchestrator: update_progress(run_id, payload)
    Orchestrator->>Save: _save_orchestration_progress(run_id, payload)
    Save->>Save: normalize payload (run_id, updated_at)
    Save->>Store: update in memory cache
    Save->>FS: progress_path = _orchestration_progress_store_path()
    Save->>Lock: acquire()
    activate Lock
    Save->>FS: check exists and is_file
    alt file exists
        Save->>FS: read_text()
        Save->>Save: json.loads(existing_payload)
        Save->>Save: persisted_payload = dict(existing_payload)
    else file missing or invalid
        Save->>Save: persisted_payload = {}
    end
    Save->>Save: persisted_payload[run_id] = normalized
    Save->>FS: write_text(json.dumps(persisted_payload))
    Save->>Lock: release()
    deactivate Lock
    Save-->>Orchestrator: normalized
    Orchestrator-->>Client: progress saved

    Client->>Orchestrator: get_progress(run_id)
    Orchestrator->>Orchestrator: _load_orchestration_progress(run_id)
    Orchestrator->>Store: get(run_id)
    alt cached entry exists
        Store-->>Orchestrator: cached_progress
        Orchestrator-->>Client: dict(cached_progress)
    else cache miss
        Orchestrator->>FS: progress_path = _orchestration_progress_store_path()
        Orchestrator->>Lock: acquire()
        activate Lock
        Orchestrator->>FS: check exists and is_file
        alt file exists
            Orchestrator->>FS: read_text()
            Orchestrator->>Orchestrator: json.loads(payload)
            Orchestrator->>Orchestrator: stored = payload[run_id]
            alt stored is dict
                Orchestrator->>Store: cache stored by run_id
                Orchestrator-->>Client: dict(stored)
            else run_id not found
                Orchestrator-->>Client: {}
            end
        else file missing
            Orchestrator-->>Client: {}
        end
        Orchestrator->>Lock: release()
        deactivate Lock
    end

Loading

Sequence diagram for standardized health diagnostic error sanitization

sequenceDiagram
    participant Checker as RuntimeHealthChecker
    participant CPU as _cpu_snapshot
    participant MEM as _memory_snapshot
    participant LNX as _linux_memory_snapshot
    participant WIN as _windows_memory_snapshot
    participant GPU as _gpu_snapshot
    participant QUEUE as get_ad_queue_runtime_status
    participant SAN as _sanitize_diagnostic_error

    Checker->>CPU: _cpu_snapshot()
    CPU->>CPU: read cpu_count and load
    alt exception in os.getloadavg
        CPU->>SAN: _sanitize_diagnostic_error(exc, cpu_load_unavailable)
        SAN-->>CPU: error_code
        CPU-->>Checker: payload with error=error_code
    else success
        CPU-->>Checker: payload without error
    end

    Checker->>MEM: _memory_snapshot()
    alt linux platform
        MEM->>LNX: _linux_memory_snapshot()
        alt exception reading meminfo
            LNX->>SAN: _sanitize_diagnostic_error(exc, memory_snapshot_unavailable)
            SAN-->>LNX: error_code
            LNX-->>MEM: {error: error_code}
        else ok
            LNX-->>MEM: snapshot
        end
    else windows platform
        MEM->>WIN: _windows_memory_snapshot()
        alt exception GlobalMemoryStatusEx
            WIN->>SAN: _sanitize_diagnostic_error(exc, memory_snapshot_unavailable)
            SAN-->>WIN: error_code
            WIN-->>MEM: {error: error_code}
        else ok
            WIN-->>MEM: snapshot
        end
    end
    alt snapshot missing or snapshot.error set
        MEM->>SAN: _sanitize_diagnostic_error(snapshot.error, memory_snapshot_unavailable)
        SAN-->>MEM: normalized_error
        MEM-->>Checker: warning payload with error=normalized_error
    else ok
        MEM-->>Checker: payload without error
    end

    Checker->>GPU: _gpu_snapshot()
    GPU->>GPU: gpu_runtime = get_gpu_runtime_info()
    GPU->>SAN: _sanitize_diagnostic_error(gpu_runtime.error, gpu_runtime_unavailable)
    SAN-->>GPU: gpu_error
    alt gpu_runtime.available is False
        GPU-->>Checker: warning payload with error=gpu_error or gpu_runtime_unavailable
    else available
        GPU-->>Checker: payload without error
    end

    Checker->>QUEUE: get_ad_queue_runtime_status()
    QUEUE->>QUEUE: query Redis
    alt RedisError
        QUEUE->>QUEUE: redis_available False, redis_error redis_queue_unavailable
        QUEUE-->>Checker: queue diagnostics
    else ok
        QUEUE-->>Checker: queue diagnostics
    end

Loading

Class diagram for auth and password recovery time handling and secret resolution

classDiagram
    class AuthModule {
        +str SECRET_KEY
        +bool SECRET_KEY_IS_RUNTIME_FALLBACK
        +_resolve_secret_key() tuple~str,bool~
        +get_password_hash(password str) str
        +create_access_token(data dict, expires_delta timedelta, no_expiry bool) str
    }

    class PasswordRecoveryModule {
        +_issue_recovery_token(prefix str) tuple~str,datetime~
        +_normalize_password_recovery_scope(scope str) str
        +_purge_expired_password_recovery_sessions() None
        +verify_password_recovery_identity(payload PasswordRecoveryVerifyIdentityRequest, db Session, request Request) PasswordRecoveryVerifyIdentityResponse
        +reset_password_via_recovery(payload PasswordRecoveryResetPasswordRequest, db Session) PasswordRecoveryResetResponse
    }

    class PasskeyModule {
        +start_passkey_registration(payload PasskeyRegistrationStartRequest, db Session, request Request) PasskeyRegistrationStartResponse
        +finish_passkey_registration(payload PasskeyRegistrationFinishRequest, db Session, request Request) PasskeyRegistrationFinishResponse
        +start_passkey_login(payload PasskeyLoginStartRequest, db Session, request Request) PasskeyLoginStartResponse
        +finish_passkey_login(payload PasskeyLoginFinishRequest, db Session, request Request) PasskeyLoginFinishResponse
    }

    class TimezoneAwareNowProvider {
        +now_utc() datetime
    }

    AuthModule ..> TimezoneAwareNowProvider : uses datetime.now(timezone.utc)
    PasswordRecoveryModule ..> TimezoneAwareNowProvider : uses datetime.now(timezone.utc)
    PasskeyModule ..> TimezoneAwareNowProvider : uses datetime.now(timezone.utc)

    class SecretKeySourceEnv {
        +SECRET_KEY str
        +SECRET_KEY_FILE str
    }

    class SecretKeyPersistence {
        +load_from_file(path Path) str
    }

    AuthModule ..> SecretKeySourceEnv : reads configuration
    AuthModule ..> SecretKeyPersistence : optional file read only

    class Logger {
        +error(message str)
        +warning(message str)
    }

    AuthModule ..> Logger : logs missing config
    PasswordRecoveryModule ..> Logger : logs HTTP errors
    PasskeyModule ..> Logger : logs HTTP errors

Loading

File-Level Changes

Change	Details	Files
Sanitize and normalize backend health diagnostic errors to stable, non-sensitive error codes.	Introduce a whitelist of safe diagnostic error codes and a helper to sanitize raw error values. Wrap Linux and Windows memory snapshot error handling to emit sanitized codes instead of raw exception text. Have CPU and GPU snapshot functions expose normalized error codes and avoid leaking system paths or messages. Normalize queue runtime health errors to a fixed code when diagnostics loading fails, and adjust Redis queue depth errors to a stable code.	backend/main.py backend/marketplace/router.py gpu-llm-server/custom-server/server.py backend/marketplace/router.py
Improve auth token and password recovery time handling and configuration safety.	Change various auth and password recovery timestamps from naive UTC to timezone-aware datetime.now(timezone.utc). Simplify secret key resolution to use explicit SECRET_KEY or SECRET_KEY_FILE only, logging when an ephemeral runtime secret is generated. Update auth_router Pydantic model configuration to the newer ConfigDict style.	backend/auth.py backend/auth_router.py tests/test_auth_router_security.py
Make orchestration progress persistence concurrent-safe and centralized into a single JSON store.	Replace per-run JSON files with a single progress_store.json file under the runtime progress root. Guard read/write access to the progress store with a threading.Lock to avoid race conditions. When loading progress, look up the specific run_id inside the shared store and log failures cleanly.	backend/llm/orchestrator.py
Harden marketplace feature orchestration error surfaces and Redis diagnostics.	On orchestration stream failures, log exceptions with context but expose a generic localized public error message to clients. Ensure SSE progress and popup state use the public error message instead of raw exception strings. For ad queue diagnostics, log Redis errors and report a stable redis_queue_unavailable code instead of propagating exception text.	backend/marketplace/router.py
Adjust tests, CI, dependency versions, and frontend behavior to align with the new backend behavior.	Stub the webauthn module in auth router security tests when it is not installed, and update tests to use timezone-aware datetimes. Add a new test module that dynamically loads functions from backend/main.py to verify diagnostic error sanitization behavior end-to-end. Configure CodeQL workflow to set up Python 3.13 for Python analyses and bump Pillow dependency range to >=12.2,<13.0. Simplify feature orchestrator frontend hook to use popupKicker directly without redundant replacement logic.	tests/test_auth_router_security.py tests/test_health_diagnostics_sanitization.py .github/workflows/codeql.yml pyproject.toml frontend/frontend/hooks/use-feature-orchestrator.ts docs/overall-design-change-pr-report-2026-05-08.md .gitignore

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[parkcheolhong]

수고했어요?부조종사님

[sourcery-ai]

Hey - I've found 3 issues, and left some high level feedback:

• The change in _resolve_secret_key removes the on-disk fallback secret generation and now always returns an in-memory secret when neither SECRET_KEY nor SECRET_KEY_FILE is set; consider whether this behavior change is acceptable for existing deployments that relied on a persistent secret across restarts, and if not, keep the previous file-based fallback (or a similar persistence mechanism).
• The new orchestration progress store (progress_store.json) aggregates all run progress into a single file without any pruning or size control; consider adding a retention/cleanup strategy (e.g., max entries, age-based purge, or rotation) to avoid unbounded file growth and potential I/O slowdown over time.
• An empty .gitignore file was added at the repo root; if this was unintentional, it might be better to remove it or populate it with the intended ignore patterns to avoid confusion.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The change in `_resolve_secret_key` removes the on-disk fallback secret generation and now always returns an in-memory secret when neither `SECRET_KEY` nor `SECRET_KEY_FILE` is set; consider whether this behavior change is acceptable for existing deployments that relied on a persistent secret across restarts, and if not, keep the previous file-based fallback (or a similar persistence mechanism).
- The new orchestration progress store (`progress_store.json`) aggregates all run progress into a single file without any pruning or size control; consider adding a retention/cleanup strategy (e.g., max entries, age-based purge, or rotation) to avoid unbounded file growth and potential I/O slowdown over time.
- An empty `.gitignore` file was added at the repo root; if this was unintentional, it might be better to remove it or populate it with the intended ignore patterns to avoid confusion.

## Individual Comments

### Comment 1
<location path="backend/llm/orchestrator.py" line_range="2716-2725" />
<code_context>
-            if isinstance(payload, dict):
-                _ORCHESTRATION_PROGRESS_STORE[str(run_id or "")] = dict(payload)
-                return dict(payload)
+        with _ORCHESTRATION_PROGRESS_FILE_LOCK:
+            if progress_path.exists() and progress_path.is_file():
+                payload = json.loads(progress_path.read_text(encoding="utf-8"))
+                if isinstance(payload, dict):
+                    stored = payload.get(str(run_id or ""))
+                    if isinstance(stored, dict):
+                        _ORCHESTRATION_PROGRESS_STORE[str(run_id or "")] = dict(stored)
+                        return dict(stored)
     except Exception:
+        logger.error("Failed to load orchestration progress for run_id=%s", str(run_id or ""), exc_info=True)
         return {}
     return {}

diff --git a/backend/main.py b/backend/main.py
index 65c89cc..516b298 100644
--- a/backend/main.py
+++ b/backend/main.py
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Guard the write to the progress store file with error handling to avoid bubbling I/O failures into callers.

Because `write_text` is now on the hot path for each update, transient filesystem issues (disk full, permissions, temporary unavailability) could raise and disrupt orchestration. Please wrap the full read/modify/write block in a try/except that logs the failure but still returns `normalized`, relying on the already-updated in-memory `_ORCHESTRATION_PROGRESS_STORE` to keep the flow running.
</issue_to_address>

### Comment 2
<location path="backend/auth.py" line_range="21-30" />
<code_context>
+    configured_file = str(os.getenv("SECRET_KEY_FILE") or "").strip()
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Consider logging or surfacing failures to load `SECRET_KEY_FILE` rather than silently falling back to an ephemeral secret.

If `SECRET_KEY_FILE` is set but unreadable (bad path, permissions, etc.), this will silently fall back to an ephemeral secret. In production this means operators think a stable secret is configured, but tokens will still rotate on restart. Please emit at least a warning (including the path and exception) before falling back so misconfigurations are visible while keeping the behavior of not auto-creating/writing a key file.

Suggested implementation:

```python
import logging


logger = logging.getLogger(__name__)


def _resolve_secret_key() -> tuple[str, bool]:

```

```python
    configured_file = str(os.getenv("SECRET_KEY_FILE") or "").strip()
    if configured_file:
        fallback_path = Path(configured_file).expanduser()
        try:
            if fallback_path.exists() and fallback_path.is_file():
                cached_secret = fallback_path.read_text(encoding="utf-8").strip()
                if cached_secret:
                    return cached_secret, True
                logger.warning(
                    "SECRET_KEY_FILE '%s' is empty; falling back to ephemeral secret key",
                    fallback_path,
                )
            else:
                logger.warning(
                    "SECRET_KEY_FILE is set to '%s' but the file does not exist or is not a regular file; "
                    "falling back to an ephemeral secret key",
                    fallback_path,
                )
        except Exception as exc:
            logger.warning(
                "Failed to read SECRET_KEY_FILE '%s': %s; falling back to an ephemeral secret key",
                fallback_path,
                exc,
            )

```

If `backend/auth.py` does not currently import `logging` elsewhere, you may prefer to add the import near the top of the file instead of immediately before `_resolve_secret_key`:

<<<<<<< SEARCH
import os
=======
import os
import logging
>>>>>>> REPLACE

In that case, remove the `import logging` line from the `_resolve_secret_key` insertion and keep only the `logger = logging.getLogger(__name__)` definition at module scope (ideally near the imports).
</issue_to_address>

### Comment 3
<location path="tests/test_health_diagnostics_sanitization.py" line_range="16-25" />
<code_context>
+}
+
+
+def _load_functions(*names: str, extra_globals: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
+    tree = ast.parse(MAIN_PATH.read_text(encoding="utf-8-sig"), filename=str(MAIN_PATH))
+    selected = [
+        node
+        for node in tree.body
+        if isinstance(node, ast.FunctionDef) and node.name in names
+    ]
+    namespace: Dict[str, Any] = {
+        "Any": Any,
+        "Dict": Dict,
+        "List": List,
+        "Optional": Optional,
+        "Path": Path,
+        "cast": cast,
+        "os": os,
+    }
+    if extra_globals:
+        namespace.update(extra_globals)
+    exec(compile(ast.Module(body=selected, type_ignores=[]), str(MAIN_PATH), "exec"), namespace)
+    return namespace
+
</code_context>
<issue_to_address>
**suggestion:** Consider importing the module directly instead of using AST/exec, or add a comment explaining the rationale

This helper keeps tests decoupled from `backend.main`, but using AST/`exec` makes failures less transparent and can obscure missing dependencies (e.g., new globals causing runtime errors). Directly importing `backend.main` where feasible would keep tests simpler and easier to debug; if that’s not possible due to heavy dependencies or similar constraints, a brief comment about that trade-off would help future maintainers.

Suggested implementation:

```python
def _load_functions(*names: str, extra_globals: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """
    Helper for tests to access selected functions from ``backend.main``.

    We import ``backend.main`` directly instead of parsing/exec-ing its source via AST
    so that import errors and missing dependencies surface normally and failures are
    easier to debug for future maintainers.
    """
    import importlib

    module = importlib.import_module("backend.main")
    namespace: Dict[str, Any] = {}

    for name in names:
        try:
            namespace[name] = getattr(module, name)
        except AttributeError as exc:
            raise AssertionError(f"backend.main does not define {name!r}") from exc

    if extra_globals:
        namespace.update(extra_globals)

    return namespace

```

To fully apply this change you should:
1. Ensure `importlib` is imported at the top of `tests/test_health_diagnostics_sanitization.py` (e.g. `import importlib`), or leave the local import inside `_load_functions` as shown if you prefer to keep the dependency scoped.
2. Remove now-unused imports related to the previous AST-based implementation (`ast`, `Path`, `cast`, and possibly `os` and some typing aliases) if they are no longer referenced elsewhere in the file to keep the test module clean.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (bug_risk): Guard the write to the progress store file with error handling to avoid bubbling I/O failures into callers.

Because write_text is now on the hot path for each update, transient filesystem issues (disk full, permissions, temporary unavailability) could raise and disrupt orchestration. Please wrap the full read/modify/write block in a try/except that logs the failure but still returns normalized, relying on the already-updated in-memory _ORCHESTRATION_PROGRESS_STORE to keep the flow running.

[sourcery-ai]

suggestion (bug_risk): Consider logging or surfacing failures to load SECRET_KEY_FILE rather than silently falling back to an ephemeral secret.

If SECRET_KEY_FILE is set but unreadable (bad path, permissions, etc.), this will silently fall back to an ephemeral secret. In production this means operators think a stable secret is configured, but tokens will still rotate on restart. Please emit at least a warning (including the path and exception) before falling back so misconfigurations are visible while keeping the behavior of not auto-creating/writing a key file.

Suggested implementation:

import logging


logger = logging.getLogger(__name__)


def _resolve_secret_key() -> tuple[str, bool]:

    configured_file = str(os.getenv("SECRET_KEY_FILE") or "").strip()
    if configured_file:
        fallback_path = Path(configured_file).expanduser()
        try:
            if fallback_path.exists() and fallback_path.is_file():
                cached_secret = fallback_path.read_text(encoding="utf-8").strip()
                if cached_secret:
                    return cached_secret, True
                logger.warning(
                    "SECRET_KEY_FILE '%s' is empty; falling back to ephemeral secret key",
                    fallback_path,
                )
            else:
                logger.warning(
                    "SECRET_KEY_FILE is set to '%s' but the file does not exist or is not a regular file; "
                    "falling back to an ephemeral secret key",
                    fallback_path,
                )
        except Exception as exc:
            logger.warning(
                "Failed to read SECRET_KEY_FILE '%s': %s; falling back to an ephemeral secret key",
                fallback_path,
                exc,
            )

If backend/auth.py does not currently import logging elsewhere, you may prefer to add the import near the top of the file instead of immediately before _resolve_secret_key:

<<<<<<< SEARCH
import os

import os
import logging

REPLACE

In that case, remove the import logging line from the _resolve_secret_key insertion and keep only the logger = logging.getLogger(__name__) definition at module scope (ideally near the imports).

[sourcery-ai]

suggestion: Consider importing the module directly instead of using AST/exec, or add a comment explaining the rationale

This helper keeps tests decoupled from backend.main, but using AST/exec makes failures less transparent and can obscure missing dependencies (e.g., new globals causing runtime errors). Directly importing backend.main where feasible would keep tests simpler and easier to debug; if that’s not possible due to heavy dependencies or similar constraints, a brief comment about that trade-off would help future maintainers.

Suggested implementation:

def _load_functions(*names: str, extra_globals: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """
    Helper for tests to access selected functions from ``backend.main``.

    We import ``backend.main`` directly instead of parsing/exec-ing its source via AST
    so that import errors and missing dependencies surface normally and failures are
    easier to debug for future maintainers.
    """
    import importlib

    module = importlib.import_module("backend.main")
    namespace: Dict[str, Any] = {}

    for name in names:
        try:
            namespace[name] = getattr(module, name)
        except AttributeError as exc:
            raise AssertionError(f"backend.main does not define {name!r}") from exc

    if extra_globals:
        namespace.update(extra_globals)

    return namespace

To fully apply this change you should:

1. Ensure importlib is imported at the top of tests/test_health_diagnostics_sanitization.py (e.g. import importlib), or leave the local import inside _load_functions as shown if you prefer to keep the dependency scoped.
2. Remove now-unused imports related to the previous AST-based implementation (ast, Path, cast, and possibly os and some typing aliases) if they are no longer referenced elsewhere in the file to keep the test module clean.

[Copilot]

Pull request overview

This PR tightens security/operational hygiene by sanitizing error surfaces (health diagnostics, SSE failures, model-load health), standardizing timezone-aware timestamps in auth flows, and aligning dependencies / tooling (Pillow + CodeQL Python setup), with supporting tests and documentation.

Changes:

• Add diagnostic error sanitization in backend/main.py and new tests ensuring only safe error codes are exposed.
• Make auth/passkey/password-recovery timestamps timezone-aware and update related tests; modernize a Pydantic config usage.
• Reduce error-detail exposure in marketplace SSE failures and GPU server model-load health; update Pillow version and CodeQL workflow; add repo docs and .gitignore.

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
tests/test_health_diagnostics_sanitization.py	New tests validating sanitized diagnostic error codes and payload behavior.
tests/test_auth_router_security.py	Updates tests to use timezone-aware datetimes; stubs webauthn for import safety in minimal envs.
pyproject.toml	Updates Pillow version constraint.
gpu-llm-server/custom-server/server.py	Replaces model-load error detail with a stable error code in health output.
frontend/frontend/hooks/use-feature-orchestrator.ts	Removes a no-op string replace when building default catalog item titles.
docs/overall-design-change-pr-report-2026-05-08.md	Adds a consolidated design-change / PR-body draft document.
backend/marketplace/router.py	Replaces exception text exposure with a public-safe message; logs the exception server-side.
backend/main.py	Introduces _sanitize_diagnostic_error and uses it to avoid leaking diagnostic exception details.
backend/llm/orchestrator.py	Changes orchestration progress persistence to a single JSON store file guarded by a thread lock.
backend/auth.py	Switches token expiry computation to timezone-aware UTC and changes SECRET_KEY fallback behavior/logging.
backend/auth_router.py	Makes password/passkey recovery timestamps timezone-aware; switches Pydantic config style.
.gitignore	Adds a repository .gitignore.
.github/workflows/codeql.yml	Adds explicit Python setup for the Python CodeQL job.