병합해주세요 (#16)

[parkcheolhong]

• Potential fix for code scanning alert no. 2: Binding a socket to all network interfaces (Potential fix for code scanning alert no. 2: Binding a socket to all network interfaces #5)

• Potential fix for code scanning alert no. 2: Binding a socket to all network interfaces

수정해줘

• Fix profiler backend default host to loopback

---

• fix: harden auth recovery security (Harden auth recovery flow and disable perpetual admin tokens by default #6)

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/3d52b2c5-9c5a-43f7-91a5-9587bc9ce9a5

• Harden Pillow dependency floor to patched range for active image parsing CVEs (Harden Pillow dependency floor to patched range for active image parsing CVEs #7)

• chore: raise Pillow minimum version to 12.2

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/9ec743ae-a698-4cc0-aa87-8825771cb8d6

• chore: remove accidental pycache artifacts

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/9ec743ae-a698-4cc0-aa87-8825771cb8d6

---

• Harden orchestrator/auth error surfaces and remove CodeQL-flagged unsafe patterns (Harden orchestrator/auth error surfaces and remove CodeQL-flagged unsafe patterns #8)

• chore: start codeql alert remediation plan

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/e096e163-c0eb-430e-95b8-006690b13d72

• fix: remediate CodeQL security and quality findings

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/e096e163-c0eb-430e-95b8-006690b13d72

• fix: finalize CodeQL remediation hardening updates

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/e096e163-c0eb-430e-95b8-006690b13d72

---

• Sanitize health diagnostic errors to avoid exception detail exposure (Sanitize health diagnostic errors to avoid exception detail exposure #9)

• fix: redact health diagnostic exception details

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

• test: make health sanitization checks portable

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

• chore: remove compiled test artifacts

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

• refactor: normalize diagnostic error codes

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

• test: share diagnostic error code fixture

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

• refactor: simplify safe diagnostic code map

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

---

• Potential fix for code scanning alert no. 4: Information exposure through an exception (Potential fix for code scanning alert no. 4: Information exposure through an exception #10)

• fix(ci): set explicit python-version in codeql workflow (Pin Python version in CodeQL workflow to eliminate setup-python v6 warnings #11)

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/4ea2a28e-7f09-4b9d-a3df-785939fa43ac

• fix: webauthn stub in tests, timezone-aware datetimes, Pydantic v2 ConfigDict, add .gitignore (fix: webauthn stub in tests, timezone-aware datetimes, Pydantic v2 ConfigDict, add .gitignore #12)

• fix(tests): stub webauthn in auth_router test fixture to fix import failures

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/63299979-62f4-489f-a1d2-307336759de9

• fix: stub webauthn in tests, replace datetime.utcnow, fix Pydantic Config, add .gitignore

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/63299979-62f4-489f-a1d2-307336759de9

---

• Add consolidated design-change report and expanded PR body draft (Add consolidated design-change report and expanded PR body draft #13)

• docs: add overall design change and PR report

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/82b0addf-4e64-42b9-ac75-63d99a14f84d

• docs: make PR report paths portable

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/82b0addf-4e64-42b9-ac75-63d99a14f84d

• docs: clarify bilingual PR report structure

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/82b0addf-4e64-42b9-ac75-63d99a14f84d

---

• Copilot/fix unauthorized data in path expression (Copilot/fix unauthorized data in path expression #15)

• chore: start codeql alert remediation plan

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/e096e163-c0eb-430e-95b8-006690b13d72

• fix: remediate CodeQL security and quality findings

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/e096e163-c0eb-430e-95b8-006690b13d72

• fix: finalize CodeQL remediation hardening updates

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/e096e163-c0eb-430e-95b8-006690b13d72

• 검증확인했습니다, 병합해주세요 (검증확인했습니다, 병합해주세요 #14)

• Harden Pillow dependency floor to patched range for active image parsing CVEs (Harden Pillow dependency floor to patched range for active image parsing CVEs #7)

• chore: raise Pillow minimum version to 12.2

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/9ec743ae-a698-4cc0-aa87-8825771cb8d6

• chore: remove accidental pycache artifacts

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/9ec743ae-a698-4cc0-aa87-8825771cb8d6

---

• Harden orchestrator/auth error surfaces and remove CodeQL-flagged unsafe patterns (Harden orchestrator/auth error surfaces and remove CodeQL-flagged unsafe patterns #8)

• chore: start codeql alert remediation plan

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/e096e163-c0eb-430e-95b8-006690b13d72

• fix: remediate CodeQL security and quality findings

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/e096e163-c0eb-430e-95b8-006690b13d72

• fix: finalize CodeQL remediation hardening updates

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/e096e163-c0eb-430e-95b8-006690b13d72

---

• Sanitize health diagnostic errors to avoid exception detail exposure (Sanitize health diagnostic errors to avoid exception detail exposure #9)

• fix: redact health diagnostic exception details

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

• test: make health sanitization checks portable

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

• chore: remove compiled test artifacts

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

• refactor: normalize diagnostic error codes

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

• test: share diagnostic error code fixture

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

• refactor: simplify safe diagnostic code map

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/5d18c2d0-8dda-4817-837b-37752598afa6

---

• Potential fix for code scanning alert no. 4: Information exposure through an exception (Potential fix for code scanning alert no. 4: Information exposure through an exception #10)

• fix(ci): set explicit python-version in codeql workflow (Pin Python version in CodeQL workflow to eliminate setup-python v6 warnings #11)

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/4ea2a28e-7f09-4b9d-a3df-785939fa43ac

• fix: webauthn stub in tests, timezone-aware datetimes, Pydantic v2 ConfigDict, add .gitignore (fix: webauthn stub in tests, timezone-aware datetimes, Pydantic v2 ConfigDict, add .gitignore #12)

• fix(tests): stub webauthn in auth_router test fixture to fix import failures

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/63299979-62f4-489f-a1d2-307336759de9

• fix: stub webauthn in tests, replace datetime.utcnow, fix Pydantic Config, add .gitignore

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/63299979-62f4-489f-a1d2-307336759de9

---

• Add consolidated design-change report and expanded PR body draft (Add consolidated design-change report and expanded PR body draft #13)

• docs: add overall design change and PR report

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/82b0addf-4e64-42b9-ac75-63d99a14f84d

• docs: make PR report paths portable

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/82b0addf-4e64-42b9-ac75-63d99a14f84d

• docs: clarify bilingual PR report structure

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/82b0addf-4e64-42b9-ac75-63d99a14f84d

---

---

• Update .github/workflows/codeql.yml

변경 감사합니다

• Potential fix for pull request finding

커밋합니다.

• fix: address PR review feedback for auth and progress persistence

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/54ddac5c-9ffc-4dd9-8328-a90404f7b582

---

• Potential fix for pull request finding

수정해주세요

• Potential fix for pull request finding

수정해주세요

• Potential fix for pull request finding

변경해주세요,

• Potential fix for pull request finding 'CodeQL / Uncontrolled data used in path expression'

제안 사항에 맞게 수정해주세요.

• Potential fix for pull request finding 'CodeQL / Uncontrolled data used in path expression'

제안 사항 감사합니다, 수정해주세요

• Potential fix for pull request finding 'CodeQL / Uncontrolled data used in path expression'

수정해주세요

• Harden orchestrator progress file paths and profiler bind host policy (Harden orchestrator progress file paths and profiler bind host policy #17)

• fix: harden path handling and profiler bind defaults for CodeQL alerts

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/320282cc-04c8-415c-bacc-8f409266cde2

• chore: address review nits for host and run_id normalization

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/320282cc-04c8-415c-bacc-8f409266cde2

• fix: tighten localhost and hostname validation for profiler bind

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/320282cc-04c8-415c-bacc-8f409266cde2

• chore: improve profiler host validation diagnostics

Agent-Logs-Url: https://github.com/parkcheolhong/codeAI/sessions/320282cc-04c8-415c-bacc-8f409266cde2

---

---

Summary by Sourcery

Harden backend security and diagnostics, improve orchestration/profiler robustness, and update dependencies and CI configuration.

Bug Fixes:

• Fix JWT and auth/passkey flows to use timezone-aware datetimes and updated Pydantic v2 model config.
• Sanitize health diagnostics to avoid leaking exception details in CPU, GPU, memory, and queue runtime payloads, returning stable error codes instead.
• Prevent exposure of raw model loading errors from the GPU LLM server by returning a generic error code.
• Ensure marketplace feature orchestration errors surface only user-safe messages while logging full details server-side.
• Make orchestration progress file handling safe against path injection, partial writes, and concurrent access via hashing and file locks.
• Restrict profiler backend binding to loopback by default and gate remote or wildcard binds behind explicit configuration with validation.
• Normalize SECRET_KEY_FILE handling to require explicit configuration, secure file permissions, and avoid silent ephemeral secrets on failure.
• Stabilize Redis health diagnostics by mapping Redis errors to a non-sensitive error code and logging details internally.

Enhancements:

• Introduce centralized diagnostic error sanitization with a small allowlist of safe error codes used across runtime health checks.
• Improve robustness of orchestration progress persistence using atomic temp-file writes and structured warning logs on failure.
• Refine feature orchestrator frontend metadata usage by simplifying default catalog item titles.

Build:

• Raise the Pillow dependency minimum version to 12.2 to stay within a patched, secure range.

CI:

• Update the CodeQL GitHub Actions workflow to install an explicit Python 3.13 runtime for Python analyses.

Documentation:

• Add a new .gitignore file to clean up local development artifacts.

Tests:

• Add dedicated tests verifying that health diagnostics expose only sanitized, whitelisted error codes and non-sensitive payloads.
• Adjust auth router security tests to align with the new timezone-aware recovery session handling and in-memory stubs.

Chores:

• Introduce a helper for detecting container runtimes and simplify profiler host defaults around it.

[sourcery-ai]

Reviewer's Guide

This PR consolidates multiple security and robustness fixes: it hardens authentication secret handling and recovery flows, sanitizes health/diagnostic error outputs, secures orchestrator progress file paths and profiler host binding, updates CI and dependencies for CodeQL/Pillow, and adjusts frontend/backend tests and configs accordingly.

Sequence diagram for profiler backend host resolution and binding

sequenceDiagram
    participant Env as Env
    participant Main as main
    participant Prof as _resolve_profiler_host
    participant Net as NetworkStack
    participant Uvicorn as uvicorn

    Env->>Main: BACKEND_PROFILER_HOST, BACKEND_PROFILER_ALLOW_REMOTE
    Main->>Prof: _resolve_profiler_host()

    Prof->>Env: read BACKEND_PROFILER_HOST
    alt host not set
        Prof->>Prof: _default_profiler_host() -> 127.0.0.1
    else host set
        Prof->>Prof: requested_host = env or default
    end

    alt requested_host == "localhost"
        Prof->>Net: socket.getaddrinfo("localhost")
        alt all addresses loopback
            Prof-->>Main: "localhost"
        else non-loopback found or error
            Prof->>Prof: log warning
            Prof-->>Main: "127.0.0.1"
        end
    else requested_host in {"127.0.0.1", "::1"}
        Prof-->>Main: requested_host
    else requested_host is hostname or ip
        Prof->>Prof: ipaddress.ip_address(requested_host)
        alt invalid hostname
            Prof->>Prof: log warning
            Prof-->>Main: "127.0.0.1"
        else valid ip
            alt ip.is_loopback
                Prof-->>Main: requested_host
            else allow_remote is true
                alt ip.is_unspecified
                    Prof->>Prof: log warning bind all interfaces
                end
                Prof-->>Main: requested_host
            else allow_remote is false
                Prof->>Prof: log warning remote blocked
                Prof-->>Main: "127.0.0.1"
            end
        end
    end

    Main->>Main: _resolve_bind_port(host, requested_port)
    Main->>Uvicorn: uvicorn.run(app, host, port)

Loading

Class diagram for updated auth models and config

classDiagram
    class UserResponse {
        +int id
        +str email
        +Optional~str~ name
        +Optional~str~ phone
        +Optional~str~ company_name
        +Optional~str~ business_registration_number
        +Optional~str~ representative_name
        +ConfigDict model_config
    }

    class Token {
        +str access_token
        +str token_type
    }

    class PasswordRecoveryResetResponse {
        +bool ok
        +str detail
    }

    class ConfigDict

    UserResponse --> ConfigDict : uses

Loading

File-Level Changes

Change	Details	Files
Harden JWT secret resolution to prefer a configured file with strict permissions and fail fast on insecure initialization instead of silently falling back.	Introduce module-level logger earlier for use in secret resolution. Change SECRET_KEY_FILE handling to expanduser, verify existence and non-emptiness, and reject non-file paths. Generate secrets via os.open with O_EXCL, write with fsync, enforce 0600 via chmod, and log failures with explicit RuntimeErrors instead of silently generating ephemeral secrets. Log when falling back to ephemeral runtime secrets if neither SECRET_KEY nor SECRET_KEY_FILE is configured.	backend/auth.py
Sanitize runtime health diagnostics so error payloads only expose normalized error codes rather than raw exception messages or OS paths.	Add a small allowlist of safe diagnostic error codes plus a _sanitize_diagnostic_error helper shared by CPU, GPU, memory, and queue diagnostics. Update Linux/Windows memory snapshot helpers to wrap exceptions into structured error codes and treat any error as an unavailable-warning payload with a redacted error field. Update CPU, GPU, and queue/Redis health diagnostics to use error codes (e.g., cpu_load_unavailable, gpu_runtime_unavailable, queue_runtime_unavailable) instead of stringified exceptions and log details server-side where appropriate. Add an AST-based test module that loads the diagnostic helpers from backend.main and asserts redaction behavior and allowed error codes.	backend/main.py backend/marketplace/router.py backend/llm/orchestrator.py backend/marketplace/router.py gpu-llm-server/custom-server/server.py tests/test_health_diagnostics_sanitization.py
Secure orchestrator progress file storage by hashing run IDs, using a shared lock, and writing via atomic temp files.	Replace the old _orchestration_progress_path with _orchestration_progress_file_path that hashes the run_id via SHA-256 and uses a fixed .json filename under the runtime root, avoiding user-controlled filenames. Introduce a global threading lock for orchestration progress file I/O. Wrap writes in tempfile.NamedTemporaryFile in the target directory with a trusted prefix, fsync, and os.replace for atomic updates, plus cleanup/logging on failure. Guard reads with the same lock and add error logging when loading fails, while still returning in-memory cache or an empty dict.	backend/llm/orchestrator.py
Harden profiler backend host binding so it defaults to loopback and only binds to non-loopback addresses when explicitly allowed and validated.	Change the default profiler host from container-aware 0.0.0.0 to 127.0.0.1 regardless of container runtime. Add _resolve_profiler_host helper that reads BACKEND_PROFILER_HOST/BACKEND_PROFILER_ALLOW_REMOTE, enforces loopback-only by default, validates IPs via ipaddress, and logs warnings for unsafe or disallowed hosts. Update main() to use _resolve_profiler_host and keep port resolution logic unchanged.	run_profiler_backend.py
Tighten auth and password recovery flows to use timezone-aware datetimes and Pydantic v2 configuration, and update tests accordingly.	Switch Pydantic models in auth_router to ConfigDict(from_attributes=True) instead of the old Config class. Replace datetime.utcnow() usages in WebAuthn/passkey flows with datetime.now(timezone.utc) for expiry and registration timestamps. Adjust tests that previously constructed sessions with naive utcnow values so they no longer depend on naive datetimes (or are aligned with the new logic).	backend/auth_router.py tests/test_auth_router_security.py
Make user-facing marketplace error flows avoid leaking raw exception messages while keeping internal logging verbose.	On orchestrate stream failures, log exceptions via logger.exception but expose only a generic Korean error message in metadata, persisted progress, popup state, and SSE events. Standardize the public error message string used for failed live view runs to keep the UX consistent.	backend/marketplace/router.py
Improve CI and dependency security posture for static analysis and image handling.	Update the CodeQL GitHub Actions workflow to explicitly set up Python 3.13 when analyzing Python code. Raise the minimum Pillow dependency version to 12.2 to ensure active CVEs are patched while keeping the upper bound <13.0.	.github/workflows/codeql.yml pyproject.toml
Minor frontend/backend polish to remove no-op transforms and normalize error codes.	Simplify feature catalog item title generation by using meta.popupKicker directly instead of applying a no-op string replacement. Normalize model load errors in the GPU LLM server to a constant code (model_load_failed) instead of raw exception text. Add or update .gitignore to exclude generated/temporary artifacts from version control.	frontend/frontend/hooks/use-feature-orchestrator.ts gpu-llm-server/custom-server/server.py .gitignore

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In auth_router._issue_recovery_token and _purge_expired_password_recovery_sessions, expires_at/now are no longer defined after the UTC removal but are still referenced, which will raise a NameError; update these functions to compute timezone-aware timestamps instead of just deleting the old assignments.
• _is_container_runtime in run_profiler_backend.py is currently unused; either wire it into the profiler host/bind logic (if intended as part of the policy) or remove it to avoid dead code.
• _SAFE_DIAGNOSTIC_ERROR_CODES is defined both in backend/main.py and duplicated in test_health_diagnostics_sanitization.py; consider exposing the canonical set from the backend module and importing it in tests to keep the allowed error codes consistent and avoid divergence.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `auth_router._issue_recovery_token` and `_purge_expired_password_recovery_sessions`, `expires_at`/`now` are no longer defined after the UTC removal but are still referenced, which will raise a `NameError`; update these functions to compute timezone-aware timestamps instead of just deleting the old assignments.
- `_is_container_runtime` in `run_profiler_backend.py` is currently unused; either wire it into the profiler host/bind logic (if intended as part of the policy) or remove it to avoid dead code.
- `_SAFE_DIAGNOSTIC_ERROR_CODES` is defined both in `backend/main.py` and duplicated in `test_health_diagnostics_sanitization.py`; consider exposing the canonical set from the backend module and importing it in tests to keep the allowed error codes consistent and avoid divergence.

## Individual Comments

### Comment 1
<location path="backend/auth.py" line_range="26-35" />
<code_context>
-    except Exception:
-        return secrets.token_urlsafe(48), True
+
+            fallback_path.parent.mkdir(parents=True, exist_ok=True)
+            generated_secret = secrets.token_urlsafe(48)
+            fd = os.open(str(fallback_path), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
+            try:
+                with os.fdopen(fd, "w", encoding="utf-8") as secret_file:
</code_context>
<issue_to_address>
**issue (bug_risk):** Creating the secret file with `O_EXCL` after an existence check introduces a race that now hard-fails startup.

The new SECRET_KEY_FILE logic correctly fails on initialization errors, but the `exists()` + `os.open(..., O_EXCL)` pattern is racy: if another process creates the file between these calls, `os.open` raises `FileExistsError`, which the broad `except` currently turns into a fatal `RuntimeError` even though the file now exists and is usable.

If multi-process startup or external creation of the secret is possible, handle `FileExistsError` explicitly (e.g., reopen the file read-only and use its contents) instead of treating it as a hard failure.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Creating the secret file with O_EXCL after an existence check introduces a race that now hard-fails startup.

The new SECRET_KEY_FILE logic correctly fails on initialization errors, but the exists() + os.open(..., O_EXCL) pattern is racy: if another process creates the file between these calls, os.open raises FileExistsError, which the broad except currently turns into a fatal RuntimeError even though the file now exists and is usable.

If multi-process startup or external creation of the secret is possible, handle FileExistsError explicitly (e.g., reopen the file read-only and use its contents) instead of treating it as a hard failure.

[Copilot]

Pull request overview

This PR bundles multiple security-hardening changes aimed at addressing CodeQL findings (exception-detail exposure, unsafe path usage, and insecure bind defaults) across the backend, tests, and CI.

Changes:

• Sanitize runtime/health diagnostic errors to stable public error codes (with new regression tests).
• Harden orchestration progress persistence (fixed file naming + atomic writes + locking) and redact client-facing exception messages in marketplace streaming.
• Tighten profiler backend bind-host defaults/validation (loopback by default, explicit opt-in for remote), update CodeQL workflow Python version, and bump Pillow to a patched range.

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
backend/auth_router.py	Updates auth router models/time handling and recovery helpers (currently introduces import/NameError regressions).
backend/auth.py	Makes JWT expiration timezone-aware and hardens SECRET_KEY/SECRET_KEY_FILE handling/logging.
backend/llm/orchestrator.py	Hardens progress persistence pathing and uses atomic file writes with a lock.
backend/main.py	Adds diagnostic error sanitization helper and uses it in CPU/GPU/memory/queue runtime payloads.
backend/marketplace/router.py	Redacts exception details from SSE/public metadata and sanitizes Redis health diagnostic errors.
run_profiler_backend.py	Defaults profiler host to loopback and validates/blocks remote binds unless explicitly allowed.
tests/test_health_diagnostics_sanitization.py	Adds tests ensuring diagnostics redact exception/path details and only expose safe codes.
tests/test_auth_router_security.py	Adjusts auth router security tests (currently breaks recovery-session fixtures).
gpu-llm-server/custom-server/server.py	Replaces raw model load exception string with a stable error code.
frontend/frontend/hooks/use-feature-orchestrator.ts	Removes a no-op string replacement in default catalog title.
pyproject.toml	Raises Pillow minimum version to >=12.2,<13.0.
.github/workflows/codeql.yml	Pins CodeQL Python analysis to Python 3.13.
.gitignore	Adds standard ignores for Python/Node/IDE artifacts and archives.

Comments suppressed due to low confidence (2)

backend/auth_router.py:5

• backend.auth_router no longer imports datetime/timedelta/timezone and Pydantic symbols (BaseModel, EmailStr, ConfigDict), but they are referenced throughout the module. This will raise NameError at import time. Re-introduce the required imports (and keep them consistent with the timezone-aware datetime.now(timezone.utc) usage).

from secrets import compare_digest, randbelow, token_urlsafe
import base64
import os
from urllib.parse import urlparse

backend/auth_router.py:280

• _purge_expired_password_recovery_sessions() references now, but now is never defined after the recent edit. Re-add the current-time assignment (timezone-aware) so expiration purging works and the function doesn’t crash.

    expired_tokens = [
        session_token
        for session_token, session_state in _password_recovery_store.items()
        if not isinstance(session_state.get("expires_at"), datetime)
        or cast(datetime, session_state["expires_at"]) <= now

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

검토하고 수정해줘서 너무 감사합니다.

[parkcheolhong]

@copilot apply changes based on the comments in this thread