병합 확인

[parkcheolhong]

검토후 병합합시다, 수정할 것이 있으면 수정해줘요

Summary by Sourcery

Harden backend security and diagnostics while improving orchestration persistence, profiler binding safety, and dependency/configuration updates.

Bug Fixes:

• Ensure JWT and passkey-related expirations use timezone-aware UTC datetimes to avoid expiry logic issues.
• Prevent orchestration progress file corruption and race conditions by serializing writes through a lock and atomic temp-file replacement.
• Fix health diagnostics to avoid treating empty or errorful memory snapshots as healthy and to surface consistent error flags instead.
• Avoid unsafe or invalid profiler host bindings by validating and constraining BACKEND_PROFILER_HOST resolution.
• Stop leaking raw exception messages and internal paths in runtime diagnostics, marketplace streaming errors, model load failures, and queue health checks.

Enhancements:

• Make SECRET_KEY resolution stricter and more secure by honoring an explicit SECRET_KEY_FILE with controlled permissions and logging, falling back to ephemeral secrets only when misconfigured.
• Sanitize and normalize health diagnostic error codes across CPU, memory, GPU, and queue status payloads to use a limited set of safe identifiers.
• Make orchestration progress file paths deterministic and non-user-controlled by hashing run IDs into filenames.
• Switch Pydantic model configuration in auth_router to the modern ConfigDict-based style for from_attributes support.
• Use the feature metadata popup kicker verbatim in the frontend orchestrator hook instead of applying a no-op string replacement.

Build:

• Bump the Pillow dependency to the 12.2–<13.0 range.

CI:

• Update the CodeQL workflow to set up Python 3.13 when analyzing Python code.

Tests:

• Add tests to ensure health diagnostic error sanitization for memory, CPU, and GPU snapshots, and validate that only safe error codes are exposed.
• Adjust auth router security tests to align with updated time-handling logic for password recovery sessions.

Chores:

• Add a new .gitignore file stub to the repository.

[sourcery-ai]

Reviewer's Guide

Strengthens security, stability, and observability across auth, diagnostics, orchestration progress, profiling, and marketplace features, while adding sanitization tests and CI setup tweaks.

Updated class diagram for auth router UserResponse model

classDiagram
    class BaseModel

    class UserResponse {
        +int id
        +str email
        +Optional~str~ name
        +Optional~str~ profile_image_url
        +Optional~str~ phone_number
        +Optional~str~ business_name
        +Optional~str~ business_registration_number
        +Optional~str~ representative_name
        +ConfigDict model_config
    }

    UserResponse --|> BaseModel

Loading

Flow diagram for sanitized health diagnostics error reporting

flowchart TD
    subgraph Inputs
        A_cpu[CPU diagnostics]
        A_mem[Memory diagnostics]
        A_gpu[GPU runtime]
        A_queue[Queue runtime]
    end

    subgraph Sanitizer
        S_sanitize[_sanitize_diagnostic_error]
    end

    subgraph MemorySnapshot
        M_linux[_linux_memory_snapshot]
        M_windows[_windows_memory_snapshot]
        M_wrapper[_memory_snapshot]
    end

    subgraph CPU
        C_snapshot[_cpu_snapshot]
    end

    subgraph GPU
        G_snapshot[_gpu_snapshot]
    end

    subgraph Queue
        Q_runtime[_runtime_health_payload queue handling]
    end

    subgraph Output
        O_health[_runtime_health_payload response]
    end

    %% Memory path
    A_mem --> M_linux
    A_mem --> M_windows
    M_linux -->|exception| S_sanitize
    M_windows -->|exception| S_sanitize
    S_sanitize -->|fallback code memory_snapshot_unavailable| M_linux
    S_sanitize -->|fallback code memory_snapshot_unavailable| M_windows
    M_linux --> M_wrapper
    M_windows --> M_wrapper
    M_wrapper -->|no snapshot or error present| O_health

    %% CPU path
    A_cpu --> C_snapshot
    C_snapshot -->|exception in getloadavg| S_sanitize
    S_sanitize -->|fallback code cpu_load_unavailable| C_snapshot
    C_snapshot -->|error_code set| O_health

    %% GPU path
    A_gpu --> G_snapshot
    G_snapshot --> S_sanitize
    S_sanitize -->|fallback code gpu_runtime_unavailable| G_snapshot
    G_snapshot --> O_health

    %% Queue path
    A_queue --> Q_runtime
    Q_runtime -->|exception importing or calling get_ad_queue_runtime_status| O_health

    O_health -->|sanitized error codes only| Client

Loading

File-Level Changes

Change	Details	Files
Harden JWT secret resolution and make expiry handling timezone-aware in auth flows.	Refactored SECRET_KEY resolution to honor explicit SECRET_KEY_FILE, enforce file-only, non-empty secrets, generate 48-byte persistent secrets with 0600 permissions, and log/raise on initialization failures instead of silently falling back. Introduced module-level logger earlier in backend/auth.py and removed the late logger assignment near oauth2_scheme. Changed token expiry calculations in create_access_token and passkey-related flows from datetime.utcnow() to timezone-aware datetime.now(timezone.utc).	backend/auth.py backend/auth_router.py
Sanitize and standardize diagnostic error reporting for CPU, memory, GPU, and queue health endpoints.	Introduced _SAFE_DIAGNOSTIC_ERROR_CODES and _sanitize_diagnostic_error to normalize allowed error codes and avoid leaking raw exception messages. Updated Linux/Windows memory snapshots, CPU snapshot, GPU snapshot, and runtime health payload to emit structured warning payloads and safe error codes instead of raw exception strings. Adjusted marketplace and ad queue diagnostics to log server-side exceptions while exposing stable public error codes such as queue_runtime_unavailable and redis_queue_unavailable, plus a user-friendly message for orchestrate stream failures.	backend/main.py backend/marketplace/router.py
Make orchestration progress persistence robust and non-leaky using hashed filenames and atomic writes.	Replaced run-id-derived filenames with SHA-256–based names using _orchestration_progress_file_path to avoid unsafe characters and potential traversal issues. Wrapped on-disk progress writes in a threading.Lock and used NamedTemporaryFile + fsync + os.replace for atomic, crash-safe updates and cleanup of temp files on failure. Guarded file reads with the same lock and added error logging when progress loading fails.	backend/llm/orchestrator.py
Restrict profiler backend binding host and make configuration safer.	Added _resolve_profiler_host that validates BACKEND_PROFILER_HOST, forces loopback by default, and only permits non-loopback bindings when BACKEND_PROFILER_ALLOW_REMOTE is explicitly enabled. Preserved existing port-resolution logic while updating main() to use the new host resolution function and logging warnings for unsafe or invalid host settings.	run_profiler_backend.py
Improve frontend feature-orchestrator UX copy and update supporting infra/tests.	Simplified FeatureCatalogItem title generation to use meta.popupKicker directly instead of a no-op string replacement. Adjusted Pydantic model configuration to use model_config = ConfigDict(from_attributes=True) for UserResponse. Removed now-unnecessary utcnow usages from password recovery tests corresponding to the updated auth router time handling. Added tests to verify diagnostic error sanitization behavior for memory, CPU, and GPU snapshots and ensured safe error codes are returned. Configured CodeQL workflow to set up Python 3.13 for Python analysis and bumped Pillow dependency to >=12.2,<13.0. Changed GPU LLM server model load error reporting to use a stable model_load_failed code instead of raw exception text.	frontend/frontend/hooks/use-feature-orchestrator.ts backend/auth_router.py tests/test_auth_router_security.py tests/test_health_diagnostics_sanitization.py .github/workflows/codeql.yml pyproject.toml gpu-llm-server/custom-server/server.py

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[parkcheolhong]

검토완료

[sourcery-ai]

Hey - I've found 4 issues, and left some high level feedback:

• _issue_recovery_token no longer defines expires_at before returning it, which will raise at runtime; reintroduce the expires_at assignment (ideally using timezone-aware datetimes) before the return.
• _purge_expired_password_recovery_sessions removes the now variable but still uses it in the list comprehension, which will cause a NameError; restore or replace the timestamp variable used for expiry comparison.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- _issue_recovery_token no longer defines expires_at before returning it, which will raise at runtime; reintroduce the expires_at assignment (ideally using timezone-aware datetimes) before the return.
- _purge_expired_password_recovery_sessions removes the now variable but still uses it in the list comprehension, which will cause a NameError; restore or replace the timestamp variable used for expiry comparison.

## Individual Comments

### Comment 1
<location path="backend/auth_router.py" line_range="257" />
<code_context>
 def _issue_recovery_token(prefix: str) -> tuple[str, datetime]:
-    expires_at = datetime.utcnow() + timedelta(minutes=10)
+
     return f"{prefix}_{token_urlsafe(24)}", expires_at


</code_context>
<issue_to_address>
**issue (bug_risk):** The _issue_recovery_token function now references expires_at without defining it, which will raise a NameError at runtime.

The previous `expires_at = datetime.utcnow() + timedelta(minutes=10)` line was removed but `expires_at` is still returned, so the first call to `_issue_recovery_token` will raise a `NameError`. Please reintroduce the `expires_at` assignment (preferably using `datetime.now(timezone.utc)` for timezone awareness) before the return statement.
</issue_to_address>

### Comment 2
<location path="backend/auth_router.py" line_range="276" />
<code_context>
 def _purge_expired_password_recovery_sessions() -> None:
-    now = datetime.utcnow()
+
     expired_tokens = [
         session_token
         for session_token, session_state in _password_recovery_store.items()
</code_context>
<issue_to_address>
**issue (bug_risk):** _purge_expired_password_recovery_sessions uses now but no longer defines it, leading to a NameError.

In `_purge_expired_password_recovery_sessions`, `now` was removed but is still referenced in the comprehension (`session_state.get("expires_at") <= now`), which will cause a `NameError`. Define `now` again before building `expired_tokens` (e.g., `now = datetime.now(timezone.utc)`).
</issue_to_address>

### Comment 3
<location path="run_profiler_backend.py" line_range="51" />
<code_context>
+            logger.warning("[WARN] failed to resolve localhost loopback addresses", exc_info=True)
+        logger.warning("[WARN] localhost does not resolve to loopback only; fallback to 127.0.0.1")
+        return "127.0.0.1"
+    if requested_host in {"127.0.0.1", "::1"}:
+        return requested_host
+    try:
</code_context>
<issue_to_address>
**issue (bug_risk):** Allowing ::1 as a valid host conflicts with _can_bind using an IPv4 socket, which can prevent the profiler from starting.

When `_resolve_profiler_host` returns `"::1"`, `_resolve_bind_port` passes this to `_can_bind`, which always uses `socket.AF_INET`. Binding an IPv4 socket to an IPv6 loopback address fails, so `_resolve_bind_port` may never find a usable port and will raise `RuntimeError`. Consider either normalizing `"::1"` to `"127.0.0.1"` here or updating `_can_bind` to handle IPv6 by selecting the address family based on the host.
</issue_to_address>

### Comment 4
<location path="tests/test_health_diagnostics_sanitization.py" line_range="8-12" />
<code_context>
+
+
+MAIN_PATH = Path(__file__).resolve().parent.parent / "backend" / "main.py"
+SAFE_DIAGNOSTIC_ERROR_CODES = {
+    "cpu_load_unavailable",
+    "gpu_runtime_unavailable",
+    "memory_snapshot_unavailable",
+    "queue_runtime_unavailable",
+}
+
</code_context>
<issue_to_address>
**suggestion (testing):** Avoid duplicating `_SAFE_DIAGNOSTIC_ERROR_CODES` in tests to reduce drift risk.

Redefining the set here means tests can silently diverge from the implementation if the constant changes. Instead, import `_SAFE_DIAGNOSTIC_ERROR_CODES` from `backend.main` and assert against it directly, or at least assert that this local set matches the implementation’s value so tests catch any mismatch.

Suggested implementation:

```python
from pathlib import Path
from typing import Any, Dict, List, Optional, cast

from backend.main import _SAFE_DIAGNOSTIC_ERROR_CODES as SAFE_DIAGNOSTIC_ERROR_CODES

```

```python
MAIN_PATH = Path(__file__).resolve().parent.parent / "backend" / "main.py"

```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): The _issue_recovery_token function now references expires_at without defining it, which will raise a NameError at runtime.

The previous expires_at = datetime.utcnow() + timedelta(minutes=10) line was removed but expires_at is still returned, so the first call to _issue_recovery_token will raise a NameError. Please reintroduce the expires_at assignment (preferably using datetime.now(timezone.utc) for timezone awareness) before the return statement.

[sourcery-ai]

issue (bug_risk): _purge_expired_password_recovery_sessions uses now but no longer defines it, leading to a NameError.

In _purge_expired_password_recovery_sessions, now was removed but is still referenced in the comprehension (session_state.get("expires_at") <= now), which will cause a NameError. Define now again before building expired_tokens (e.g., now = datetime.now(timezone.utc)).

[sourcery-ai]

issue (bug_risk): Allowing ::1 as a valid host conflicts with _can_bind using an IPv4 socket, which can prevent the profiler from starting.

When _resolve_profiler_host returns "::1", _resolve_bind_port passes this to _can_bind, which always uses socket.AF_INET. Binding an IPv4 socket to an IPv6 loopback address fails, so _resolve_bind_port may never find a usable port and will raise RuntimeError. Consider either normalizing "::1" to "127.0.0.1" here or updating _can_bind to handle IPv6 by selecting the address family based on the host.

[sourcery-ai]

suggestion (testing): Avoid duplicating _SAFE_DIAGNOSTIC_ERROR_CODES in tests to reduce drift risk.

Redefining the set here means tests can silently diverge from the implementation if the constant changes. Instead, import _SAFE_DIAGNOSTIC_ERROR_CODES from backend.main and assert against it directly, or at least assert that this local set matches the implementation’s value so tests catch any mismatch.

Suggested implementation:

from pathlib import Path
from typing import Any, Dict, List, Optional, cast

from backend.main import _SAFE_DIAGNOSTIC_ERROR_CODES as SAFE_DIAGNOSTIC_ERROR_CODES

MAIN_PATH = Path(__file__).resolve().parent.parent / "backend" / "main.py"

[Copilot]

Pull request overview

This PR primarily hardens error handling and security by redacting internal exception details from health/diagnostics outputs, improving secret-key initialization behavior, and making orchestration progress file writes safer and more atomic.

Changes:

• Sanitize/standardize diagnostic error payloads (health snapshots, marketplace runtime status) to avoid leaking internal exception strings/paths.
• Improve persistence/locking behavior for orchestration progress files and refine profiler bind-host resolution.
• Dependency/ops hygiene updates (Pillow bump, CodeQL Python setup, new .gitignore) plus a few UI/server error-message redactions.

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
tests/test_health_diagnostics_sanitization.py	Adds tests ensuring diagnostic errors are sanitized/redacted to safe error codes.
tests/test_auth_router_security.py	Updates password-recovery security tests (currently missing required expiry fields).
run_profiler_backend.py	Adds host-resolution hardening for profiler bind host (IPv6/localhost binding needs fixing).
pyproject.toml	Bumps Pillow version range to align with requirements.
gpu-llm-server/custom-server/server.py	Redacts model load error details into a stable error code.
frontend/frontend/hooks/use-feature-orchestrator.ts	Removes a no-op string replace and minor formatting change.
backend/marketplace/router.py	Replaces public-facing exception strings with safe messages/codes; adds server-side logging.
backend/main.py	Introduces _sanitize_diagnostic_error and uses it in CPU/GPU/memory/queue diagnostics.
backend/llm/orchestrator.py	Uses hashed run_id file names + atomic write pattern with a file lock for progress persistence.
backend/auth.py	Hardens SECRET_KEY_FILE handling (secure creation/permissions) and switches JWT exp to timezone-aware UTC.
backend/auth_router.py	Migrates to timezone-aware timestamps, but currently has critical missing imports and undefined variables.
.gitignore	Adds standard Python/Node/IDE artifact ignores.
.github/workflows/codeql.yml	Ensures Python is set up (3.13) for CodeQL runs on Python matrix jobs.

Comments suppressed due to low confidence (2)

backend/auth_router.py:281

• _purge_expired_password_recovery_sessions() references now when filtering expired sessions, but now is no longer defined (the now = datetime... line was removed). This makes purge crash and will break all password recovery flows. Reintroduce now using the same timezone-aware timestamp as the expiry checks.

def _purge_expired_password_recovery_sessions() -> None:

    expired_tokens = [
        session_token
        for session_token, session_state in _password_recovery_store.items()
        if not isinstance(session_state.get("expires_at"), datetime)
        or cast(datetime, session_state["expires_at"]) <= now
    ]

run_profiler_backend.py:75

• _resolve_profiler_host() explicitly allows returning "::1" (and can return "localhost" even when it only resolves to IPv6), but _can_bind() uses an IPv4-only socket (AF_INET). This makes port probing fail (or always return false) for IPv6 loopback and some localhost configurations. Update _can_bind() to handle both address families (e.g., use getaddrinfo and try each result, or use socket.create_server with the appropriate family).

def _resolve_profiler_host() -> str:
    requested_host = (os.getenv("BACKEND_PROFILER_HOST") or _default_profiler_host()).strip()
    allow_remote = (os.getenv("BACKEND_PROFILER_ALLOW_REMOTE", "") or "").strip().lower() in {"1", "true", "yes", "on"}
    if requested_host == "localhost":
        try:
            infos = socket.getaddrinfo("localhost", None)
            if infos and all(ipaddress.ip_address(info[4][0]).is_loopback for info in infos):
                return requested_host
        except Exception:
            logger.warning("[WARN] failed to resolve localhost loopback addresses", exc_info=True)
        logger.warning("[WARN] localhost does not resolve to loopback only; fallback to 127.0.0.1")
        return "127.0.0.1"
    if requested_host in {"127.0.0.1", "::1"}:
        return requested_host
    try:
        requested_ip = ipaddress.ip_address(requested_host)
    except (TypeError, ValueError):
        logger.warning("[WARN] hostname profiler host=%s is not allowed; fallback to 127.0.0.1", requested_host)
        return "127.0.0.1"
    if requested_ip.is_loopback:
        return requested_host
    if allow_remote:
        if requested_ip.is_unspecified:
            logger.warning("[WARN] profiler backend is binding to all interfaces (host=%s)", requested_host)
        return requested_host
    logger.warning("[WARN] remote profiler host=%s blocked; set BACKEND_PROFILER_ALLOW_REMOTE=true to allow", requested_host)
    return "127.0.0.1"


def _can_bind(host: str, port: int) -> bool:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind((host, port))
        except OSError:
            return False
    return True