병합해주세요

[parkcheolhong]

변경내용을 검토했습니다.

Summary by Sourcery

Harden authentication, diagnostics, and orchestration persistence while updating dependencies and adding regression tests.

New Features:

• Introduce configurable limits and scope validation for password recovery flows, including verification code generation and session purging.
• Persist orchestration progress to disk using hashed run IDs and atomic, lock-guarded file writes.

Bug Fixes:

• Ensure admin non-expiring tokens are gated by an environment flag instead of being enabled unconditionally.
• Normalize time handling to use timezone-aware UTC datetimes across auth and passkey flows.
• Prevent exposure of raw exception details in health diagnostics, GPU runtime status, queue diagnostics, and model loading errors.
• Fix feature catalog UI titles by removing unnecessary string replacement logic.

Enhancements:

• Improve JWT secret key resolution by preferring an explicit file, logging misconfigurations, and falling back to ephemeral secrets with clearer messaging.
• Sanitize and normalize diagnostic error codes for CPU, GPU, memory, and queue health checks for safer, more stable telemetry.
• Add thread-safe orchestration progress file I/O with robust error handling and logging.
• Simplify profiler backend host defaults by always binding to localhost.
• Adjust Pillow dependency to a newer major version.

CI:

• Update CodeQL workflow to install Python 3.13 when analyzing Python code.

Tests:

• Add auth router security tests covering admin token expiry behavior and password recovery verification behavior.
• Add health diagnostics sanitization tests to ensure only safe error codes are exposed and sensitive details are redacted.

[sourcery-ai]

Reviewer's Guide

Improves security, observability, and robustness across auth, diagnostics, orchestration persistence, and marketplace streaming; tightens password recovery and token handling, sanitizes health/diagnostic errors, hardens progress file I/O, adjusts secret key behavior, and adds regression tests and minor config updates.

Sequence diagram for the tightened password recovery flow

sequenceDiagram
    actor User
    participant Client
    participant AuthRouter
    participant DB
    participant RecoveryStore

    User->>Client: 요청: 비밀번호 복구 시작 (email/username, scope)
    Client->>AuthRouter: POST /recovery/start
    AuthRouter->>AuthRouter: _purge_expired_password_recovery_sessions()
    AuthRouter->>AuthRouter: scope = _normalize_password_recovery_scope(payload.scope)
    AuthRouter->>DB: 사용자 조회 (email 또는 username)
    DB-->>AuthRouter: User 또는 None
    AuthRouter->>AuthRouter: scope == admin 인 경우 관리자 여부 검사
    AuthRouter->>AuthRouter: recovery_session_token, expires_at = _issue_recovery_token("recovery")
    AuthRouter->>AuthRouter: verification_code = _issue_recovery_verification_code()
    AuthRouter->>RecoveryStore: 세션 저장 {user_id, scope, verified=False, verification_code, verification_attempts=0, expires_at}
    AuthRouter-->>Client: recovery_session_token, expires_at
    Client-->>User: 복구 코드 전송 안내 (실제 전송 로직은 외부)

    User->>Client: 받은 코드 입력
    Client->>AuthRouter: POST /recovery/verify-identity
    AuthRouter->>AuthRouter: _purge_expired_password_recovery_sessions()
    AuthRouter->>RecoveryStore: 세션 조회 by recovery_session_token
    RecoveryStore-->>AuthRouter: session_state 또는 None
    AuthRouter->>AuthRouter: expires_at 검증 (datetime.now(timezone.utc) 기준)
    AuthRouter->>AuthRouter: expected_code = session_state.verification_code
    AuthRouter->>AuthRouter: compare_digest(입력코드, expected_code)
    alt 코드 불일치
        AuthRouter->>AuthRouter: verification_attempts += 1
        AuthRouter->>RecoveryStore: 세션 업데이트 (verification_attempts)
        alt verification_attempts >= MAX
            AuthRouter->>RecoveryStore: 세션 삭제
            AuthRouter-->>Client: 429 본인확인 시도 횟수 초과
        else
            AuthRouter-->>Client: 401 본인확인 코드 오류
        end
    else 코드 일치
        AuthRouter->>AuthRouter: identity_session_token 정규화
        AuthRouter->>AuthRouter: reset_token, reset_expires_at = _issue_recovery_token("reset")
        AuthRouter->>RecoveryStore: 세션 업데이트 {verified=True, verification_attempts=0, identity_session_token, reset_token, reset_expires_at}
        AuthRouter-->>Client: reset_token, reset_expires_at
    end

    User->>Client: 새 비밀번호 입력 및 제출
    Client->>AuthRouter: POST /recovery/reset-password
    AuthRouter->>AuthRouter: _purge_expired_password_recovery_sessions()
    AuthRouter->>AuthRouter: 새 비밀번호 길이 >= 8 확인
    AuthRouter->>AuthRouter: scope = _normalize_password_recovery_scope(payload.scope)
    AuthRouter->>RecoveryStore: 모든 세션 순회
    AuthRouter->>AuthRouter: compare_digest(session_state.reset_token, payload.reset_token) and session_state.scope == scope
    RecoveryStore-->>AuthRouter: matched_session 또는 None
    alt 일치하는 세션 없음
        AuthRouter-->>Client: 404 재설정 토큰 없음
    else 세션 있음
        AuthRouter->>AuthRouter: verified 플래그 및 identity_session_token 존재 확인
        alt verified=False 또는 identity_session_token 없음
            AuthRouter-->>Client: 403 본인확인 미완료
        else
            AuthRouter->>AuthRouter: reset_expires_at 검증 (datetime.now(timezone.utc))
            alt reset_expires_at 만료
                AuthRouter->>RecoveryStore: 세션 삭제
                AuthRouter-->>Client: 410 재설정 토큰 만료
            else
                AuthRouter->>DB: 사용자 비밀번호 갱신
                DB-->>AuthRouter: 커밋 완료
                AuthRouter->>RecoveryStore: 세션 삭제 또는 정리
                AuthRouter-->>Client: 비밀번호 재설정 성공 응답
                Client-->>User: 비밀번호 재설정 완료 안내
            end
        end
    end

Loading

Sequence diagram for orchestration progress persistence with file locking

sequenceDiagram
    participant Orchestrator
    participant ProgressStore as _ORCHESTRATION_PROGRESS_STORE
    participant FS as Filesystem
    participant Lock as _ORCHESTRATION_PROGRESS_FILE_LOCK

    Orchestrator->>Orchestrator: _save_orchestration_progress(run_id, payload)
    Orchestrator->>Orchestrator: normalized = dict(payload)
    Orchestrator->>Orchestrator: normalized.run_id = str(run_id)
    Orchestrator->>Orchestrator: normalized.updated_at 기본값 설정 (UTC ISO8601)
    Orchestrator->>ProgressStore: 메모리 캐시 업데이트 [run_id] = normalized
    Orchestrator->>Orchestrator: progress_path = _orchestration_progress_file_path(run_id)
    Orchestrator->>Lock: acquire()
    alt 파일 쓰기 성공 경로
        Orchestrator->>FS: NamedTemporaryFile 생성 (dir=progress_path.parent)
        Orchestrator->>FS: temp_file.write(json.dumps(normalized))
        Orchestrator->>FS: temp_file.flush(), os.fsync()
        Orchestrator->>FS: os.replace(temp_path, progress_path)
        Orchestrator->>Lock: release()
        Orchestrator-->>Orchestrator: normalized 반환
    else 예외 발생
        Orchestrator->>FS: temp_path 존재 시 unlink() 시도
        Orchestrator->>Orchestrator: logger.warning("Failed to write orchestration progress file", exc_info=True)
        Orchestrator->>Lock: release()
        Orchestrator-->>Orchestrator: dict(ProgressStore[run_id]) 또는 {}
    end

    Orchestrator->>Orchestrator: _load_orchestration_progress(run_id)
    Orchestrator->>ProgressStore: cached = ProgressStore.get(str(run_id))
    alt cached 유효
        Orchestrator-->>Orchestrator: dict(cached) 반환
    else 파일에서 로드
        Orchestrator->>Orchestrator: progress_path = _orchestration_progress_file_path(run_id)
        Orchestrator->>Lock: acquire()
        alt 파일 존재
            Orchestrator->>FS: read_text(progress_path)
            Orchestrator->>Orchestrator: payload = json.loads(text)
            alt payload is dict
                Orchestrator->>ProgressStore: ProgressStore[str(run_id)] = dict(payload)
                Orchestrator->>Lock: release()
                Orchestrator-->>Orchestrator: dict(payload) 반환
            else dict 아님
                Orchestrator->>Lock: release()
                Orchestrator-->>Orchestrator: {} 반환
            end
        else 파일 없음
            Orchestrator->>Lock: release()
            Orchestrator-->>Orchestrator: {} 반환
        end
        opt 로드 예외 발생
            Orchestrator->>Lock: release() (finally)
            Orchestrator->>Orchestrator: logger.error("Failed to load orchestration progress", exc_info=True)
            Orchestrator-->>Orchestrator: {}
        end
    end

Loading

File-Level Changes

Change	Details	Files
Harden password recovery, token issuance behavior, and datetime handling in auth_router.	Gate non‑expiring admin tokens behind ALLOW_NON_EXPIRING_ADMIN_TOKENS env flag so they are disabled by default. Switch various expiry and timestamp fields from naive UTC to timezone-aware datetime.now(timezone.utc). Generate random 6‑digit verification codes for password recovery instead of a fixed value, and track verification attempts with a configurable max from PASSWORD_RECOVERY_MAX_VERIFY_ATTEMPTS. Normalize and strictly validate password recovery scope to the allowed set and reuse it across flow steps. Add periodic purge of expired password recovery sessions before each recovery step and reset verification attempts on success. Use constant-time comparisons for verification codes and reset tokens and require verified identity session before allowing password reset. Update Pydantic model config for UserResponse to use model_config / ConfigDict(from_attributes=True).	backend/auth_router.py tests/test_auth_router_security.py
Sanitize diagnostic errors so only safe, code-like identifiers leak to clients, and add tests for this behavior.	Introduce a small allowlist of safe diagnostic error codes and a _sanitize_diagnostic_error helper that maps arbitrary exceptions or strings to those codes. Ensure memory snapshot helpers wrap exceptions into structured warnings using sanitized error codes instead of raw exception strings. Update CPU snapshot to expose only sanitized error codes for loadavg failures while keeping normal payload semantics. Update GPU snapshot to always return a stable gpu_runtime_unavailable style code when runtime is unavailable, hiding underlying driver errors. Harden queue runtime error handling by logging exceptions and returning a stable queue_runtime_unavailable error code. Add tests that dynamically load and execute the relevant functions from backend.main to assert error sanitization behavior and absence of raw paths/messages.	backend/main.py tests/test_health_diagnostics_sanitization.py
Make orchestration progress file persistence more robust and less leaky.	Rename progress file path helper to use SHA-256 hash of run_id instead of raw run_id in filenames, reducing information exposure and path issues. Add a global threading.Lock around progress file read/write to avoid concurrent access races. Write progress files via durable temp file + fsync + os.replace pattern and log structured warnings when writes fail, cleaning up temp files when possible. Guard loading with the same lock and log explicit errors when file load/parsing fails, returning empty payloads instead of raising.	backend/llm/orchestrator.py
Tighten auth secret key behavior and token expiry semantics.	Change SECRET_KEY resolution to prefer explicit SECRET_KEY or SECRET_KEY_FILE, reading from the configured file only when present and non-empty, without attempting to auto-generate and persist a secret file. Add structured logging for misconfigured or unreadable SECRET_KEY_FILE and for the absence of any configured secret, clarifying that an ephemeral runtime secret invalidates tokens on restart. Use timezone-aware datetime.now(timezone.utc) for JWT exp claims instead of naive datetime.utcnow. Initialize the module-level logger earlier and simplify oauth2_scheme setup.	backend/auth.py
Improve marketplace orchestrator error reporting and queue diagnostics resilience.	In marketplace feature orchestrate stream error handler, log the exception with context but expose a generic user-facing error message instead of propagating raw exception text through metadata, progress, popup state, and SSE events. In queue runtime diagnostics, log Redis errors with stack traces and return a stable redis_queue_unavailable error code rather than raw Redis exception strings.	backend/marketplace/router.py
Miscellaneous operational and config updates.	Add a Python 3.13 setup step to the CodeQL GitHub Actions workflow for Python-language analysis. Bump Pillow dependency from 10.x–11.x to 12.2–<13.0. Simplify profiler backend default host logic to always bind to 127.0.0.1 instead of detecting container environment. Fix frontend feature orchestrator catalog title construction to use meta.popupKicker as-is instead of a no-op replace, and normalize file ending. Change GPU LLM server model load failure to return a stable model_load_failed error string instead of raw exception text. Introduce a .gitignore file (contents not shown in diff).	.github/workflows/codeql.yml pyproject.toml run_profiler_backend.py frontend/frontend/hooks/use-feature-orchestrator.ts gpu-llm-server/custom-server/server.py .gitignore

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• The SAFE_DIAGNOSTIC_ERROR_CODES set is duplicated between backend/main.py and tests/test_health_diagnostics_sanitization.py; consider exposing it from the module (or centralizing in a shared constants module) so tests can import it and avoid drift if the allowed error codes change.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The SAFE_DIAGNOSTIC_ERROR_CODES set is duplicated between backend/main.py and tests/test_health_diagnostics_sanitization.py; consider exposing it from the module (or centralizing in a shared constants module) so tests can import it and avoid drift if the allowed error codes change.

## Individual Comments

### Comment 1
<location path="backend/llm/orchestrator.py" line_range="2698-2701" />
<code_context>
-def _orchestration_progress_path(run_id: str) -> Path:
-    safe_run_id = re.sub(r"[^a-zA-Z0-9_.-]+", "-", str(run_id or "unknown")).strip("-") or "unknown"
-    return _runtime_progress_root() / f"{safe_run_id}.json"
+def _orchestration_progress_file_path(run_id: str) -> Path:
+    safe_run_id = str(run_id or "unknown")
+    file_name = f"{hashlib.sha256(safe_run_id.encode('utf-8')).hexdigest()}.json"
+    return _runtime_progress_root() / file_name


</code_context>
<issue_to_address>
**question (bug_risk):** Hashing the progress file name may break compatibility with existing plaintext run_id progress files.

Since the filename changed from a sanitized plaintext run_id to a SHA-256 hash, `_load_orchestration_progress` will no longer find existing progress files created with the old naming scheme. If there are active or resumable orchestrations depending on those files, consider a migration or a temporary fallback (e.g., if the hashed file is missing, also check for the legacy sanitized filename).
</issue_to_address>

### Comment 2
<location path="run_profiler_backend.py" line_range="26-27" />
<code_context>


 def _default_profiler_host() -> str:
-    if os.path.exists("/.dockerenv") or os.getenv("DOTNET_RUNNING_IN_CONTAINER") == "true":
-        return "0.0.0.0"
     return "127.0.0.1"


</code_context>
<issue_to_address>
**question:** Removing container detection may make the profiler unreachable when running inside containers.

This change means the profiler will now only be reachable from within the container, which may break setups that connect from the host or other services. If external access from containers is still needed, consider keeping the old behavior behind a config flag or env var so users can opt into binding to `0.0.0.0`.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[parkcheolhong]

오류 수정 및 제거해줘서 감사합니다.

[Copilot]

Pull request overview

운영/보안 관점에서 민감한 오류 메시지 노출을 줄이고(health diagnostics, marketplace SSE, GPU 서버 health), 인증/비밀번호 복구 로직과 오케스트레이션 진행 상태 저장의 안정성을 강화하는 PR입니다.

Changes:

• 런타임 health diagnostics 오류를 안전한 에러 코드로 정규화하고 관련 테스트를 추가
• 비밀번호 복구 흐름(랜덤 인증코드, 시도 횟수 제한, scope 정규화, verified 강제) 및 토큰 만료/시간대 처리 강화 + 보안 회귀 테스트 추가
• 오케스트레이션 진행 상태 파일 저장을 해시 기반 파일명 + 원자적(atomic) 쓰기/락으로 변경, marketplace 실패 메시지/Redis 진단 오류 메시지 sanitization

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
tests/test_health_diagnostics_sanitization.py	backend/main.py의 health diagnostics 오류 sanitization 동작을 검증하는 테스트 추가
tests/test_auth_router_security.py	auth_router 보안/회귀(관리자 토큰 만료 기본값, 복구 코드 랜덤화, 시도 제한 등) 테스트 추가
run_profiler_backend.py	profiler 기본 bind host 로직 변경(컨테이너 기본 바인딩 제거)
pyproject.toml	Pillow 버전 범위 상향 조정
gpu-llm-server/custom-server/server.py	모델 로드 실패 사유 노출을 안전한 코드로 축소
frontend/frontend/hooks/use-feature-orchestrator.ts	기본 카탈로그 아이템 title 처리 단순화
backend/marketplace/router.py	feature orchestrate SSE 예외 메시지 공개용으로 치환, Redis 진단 오류 메시지 안전 코드화
backend/main.py	health diagnostics 오류 코드 allowlist 및 sanitization 적용(메모리/CPU/GPU/queue)
backend/llm/orchestrator.py	진행 상태 파일 경로를 sha256 기반으로 변경 + 파일 쓰기/읽기 락 및 atomic write 적용
backend/auth.py	SECRET_KEY/SECRET_KEY_FILE 처리 로직 변경(파일 읽기 중심, 실패 시 ephemeral fallback) 및 exp 시간대(UTC) 처리
backend/auth_router.py	비밀번호 복구 보안 강화(시도 제한, scope 정규화, compare_digest, UTC 만료) 및 non-expiring admin token 발급 조건 명확화
.gitignore	Python/Node/IDE/빌드 산출물 ignore 규칙 추가
.github/workflows/codeql.yml	CodeQL 워크플로우에 Python 3.13 셋업 단계 추가

[parkcheolhong]

수정 제안 감사합니다.

[parkcheolhong]

@copilot apply changes based on the comments in this thread

[Copilot]

@parkcheolhong I can’t apply these changes because the pull request’s branch is the repository’s default branch, which I’m not allowed to push to directly.

You can ask me to create a new pull request with the requested changes instead and I'll open a separate PR on a new branch.

[parkcheolhong]

@copilot apply changes based on the comments in this thread

[Copilot]

@parkcheolhong I can’t apply these changes because the pull request’s branch is the repository’s default branch, which I’m not allowed to push to directly.

You can ask me to create a new pull request with the requested changes instead and I'll open a separate PR on a new branch.