Copilot/fix oob write error psd

[parkcheolhong]

병합합니다

Summary by Sourcery

Harden authentication, diagnostics, orchestration progress persistence, and profiling host configuration, while tightening error exposure and upgrading key dependencies.

New Features:

• Add deterministic, securely-permissioned SECRET_KEY_FILE handling with mandatory configuration or explicit ephemeral fallback logging.
• Introduce a sanitizer for runtime health diagnostic errors that maps internal exceptions to a small set of safe error codes.
• Add configurability for profiler backend bind host with safeguards against unsafe remote binding.

Bug Fixes:

• Fix out-of-bounds and unsafe file writes for orchestration progress by hashing run IDs, using atomic temp-file replacement, and locking access.
• Correct JWT and passkey-related time handling to use timezone-aware UTC datetimes.
• Avoid leaking internal exception details in memory, CPU, GPU, queue health diagnostics, marketplace orchestration SSE streams, and GPU LLM model loading errors.

Enhancements:

• Normalize auth router Pydantic models to use modern ConfigDict configuration.
• Improve robustness and logging around SECRET_KEY initialization and orchestration progress file I/O.
• Adjust default feature catalog item titles to rely directly on configured metadata.

CI:

• Update CodeQL workflow to install Python 3.13 for Python analyses.

Tests:

• Add tests verifying that health diagnostics sanitize and constrain exposed error codes.
• Update auth router security tests to match new time-handling and recovery session semantics.

Chores:

• Upgrade Pillow dependency to the 12.x series.

[sourcery-ai]

Reviewer's Guide

Improves security, robustness, and diagnostics across backend auth, health checks, orchestration progress persistence, profiler startup, and marketplace flows, while tightening error sanitization and updating dependencies/tests.

Sequence diagram for runtime health diagnostics with sanitized error codes

sequenceDiagram
    participant Client
    participant API as backend.main._runtime_health_payload
    participant Mem as _memory_snapshot
    participant LinuxMem as _linux_memory_snapshot
    participant WinMem as _windows_memory_snapshot
    participant CPU as _cpu_snapshot
    participant GPU as _gpu_snapshot
    participant Queue as backend.marketplace.get_ad_queue_runtime_status

    Client->>API: Request runtime health
    API->>Mem: _memory_snapshot()
    Mem->>LinuxMem: _linux_memory_snapshot()
    alt Linux /proc/meminfo accessible
        LinuxMem-->>Mem: Snapshot dict without error
    else Exception reading meminfo
        LinuxMem-->>Mem: { error: _sanitize_diagnostic_error(exc, "memory_snapshot_unavailable") }
    end

    alt snapshot missing or has error
        Mem-->>API: { available: False, state: warning, note, error? }
    else valid snapshot
        Mem-->>API: Usage stats
    end

    API->>CPU: _cpu_snapshot()
    CPU->>CPU: Read cpu_count and getloadavg()
    alt Exception calling getloadavg
        CPU->>CPU: error_code = _sanitize_diagnostic_error(exc, "cpu_load_unavailable")
    end
    CPU-->>API: Payload with optional error_code

    API->>GPU: _gpu_snapshot()
    GPU->>GPU: gpu_runtime = get_gpu_runtime_info()
    GPU->>GPU: gpu_error = _sanitize_diagnostic_error(gpu_runtime.error, "gpu_runtime_unavailable")
    alt gpu_runtime.available is False
        GPU-->>API: { available: False, state: warning, note, error: gpu_error or "gpu_runtime_unavailable" }
    else available
        GPU-->>API: GPU usage and devices
    end

    API->>Queue: get_ad_queue_runtime_status()
    alt Redis queue status OK
        Queue-->>API: Diagnostics payload
    else RedisError
        Queue->>Queue: Log exception
        Queue-->>API: { redis_queue.error: "redis_queue_unavailable", ... }
    end

    API-->>Client: Aggregated health payload with sanitized error codes

Loading

File-Level Changes

Change	Details	Files
Harden JWT secret key resolution and persistence behavior.	Introduce module-level logger earlier in auth module. Change SECRET_KEY_FILE handling to respect explicit path, validate it is a non-empty file, and distinguish configuration errors. When generating a new secret file, create parent dir, write via low-level os.open with mode 0600, add newline, and clean up on partial writes. Apply chmod(0600) with error handling and log warnings/errors around file initialization and permission setting. Log when falling back to ephemeral runtime secret if neither SECRET_KEY nor SECRET_KEY_FILE is configured.	backend/auth.py
Sanitize and normalize health diagnostics errors to avoid leaking internal details while adding tests.	Introduce _SAFE_DIAGNOSTIC_ERROR_CODES and _sanitize_diagnostic_error helper to whitelist safe text codes and map arbitrary errors to fallback codes. Wrap Linux/Windows memory snapshot exceptions to return standardized error codes and ensure _memory_snapshot returns warning payloads with sanitized error field when unavailable. Update CPU snapshot to store and return error_code instead of raw error message, using _sanitize_diagnostic_error for getloadavg failures. Adjust GPU snapshot to always return a sanitized error code when GPU runtime is unavailable, normalizing the error from get_gpu_runtime_info. Ensure queue runtime and Redis diagnostics use fixed error codes instead of raw exception messages and log exceptions where appropriate. Add unit tests that dynamically load functions from backend.main and assert error redaction behavior for memory, CPU, and GPU diagnostics.	backend/main.py backend/marketplace/router.py backend/llm/orchestrator.py backend/marketplace/router.py tests/test_health_diagnostics_sanitization.py
Make orchestration progress file I/O safer and concurrency-aware.	Replace path construction based on sanitized run_id with a deterministic SHA-256-based filename to avoid path traversal and unsafe characters. Introduce a global threading.Lock for orchestration progress file operations. Write progress snapshots atomically using NamedTemporaryFile in the same directory plus os.replace, fsync, and cleanup on failure, logging warnings instead of raising. Guard both save and load operations with the file lock and log errors on load failures while returning empty dicts as fallbacks.	backend/llm/orchestrator.py
Harden profiler backend host resolution and binding behavior.	Add container runtime detection helper (currently unused but available). Introduce _resolve_profiler_host that validates BACKEND_PROFILER_HOST, enforces loopback-only by default, and requires BACKEND_PROFILER_ALLOW_REMOTE to bind to non-loopback/unspecified addresses. Normalize localhost resolution to 127.0.0.1 when it does not resolve exclusively to loopback, with warnings. Use _resolve_profiler_host in main() instead of directly reading env var.	run_profiler_backend.py
Align auth router models and time handling with Pydantic v2 and timezone-aware datetimes.	Change UserResponse configuration to use model_config = ConfigDict(from_attributes=True) instead of inner Config class. Switch various expiry/issued-at computations from datetime.utcnow() to datetime.now(timezone.utc) for passkey flows and password recovery logic. Adjust tests to no longer hardcode utcnow-based expires_at values where not needed.	backend/auth_router.py tests/test_auth_router_security.py
Improve marketplace orchestrate-stream error reporting to users while logging internal details.	On orchestration failures, log full exception with logger.exception. Return generic, user-facing Korean error message instead of raw exception text in metadata, popup state, persisted progress, and SSE payloads.	backend/marketplace/router.py
Tighten error codes and logging for GPU LLM server and Redis diagnostics.	Change model_load_error to a fixed string code ('model_load_failed') instead of raw exception text when model load fails. For Redis queue depth retrieval in ad queue runtime status, log exceptions and replace raw error string with fixed 'redis_queue_unavailable' code.	gpu-llm-server/custom-server/server.py backend/marketplace/router.py
Minor frontend UX tweak and CI/tooling updates.	Simplify feature catalog item title to use meta.popupKicker directly without redundant replace. Add Python 3.13 setup step to CodeQL workflow when analyzing Python. Bump Pillow dependency upper bound from <12.0 to <13.0 to support newer versions. Add/adjust .gitignore (contents not shown in diff).	frontend/frontend/hooks/use-feature-orchestrator.ts .github/workflows/codeql.yml pyproject.toml .gitignore

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In auth_router, _issue_recovery_token no longer initializes expires_at before returning it, and _purge_expired_password_recovery_sessions no longer defines now before use; both will raise NameError at runtime and need their timestamp variables restored or refactored.
• The new _is_container_runtime helper in run_profiler_backend.py is currently unused; consider either wiring it into host/port resolution logic or removing it to avoid dead code.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `auth_router`, `_issue_recovery_token` no longer initializes `expires_at` before returning it, and `_purge_expired_password_recovery_sessions` no longer defines `now` before use; both will raise `NameError` at runtime and need their timestamp variables restored or refactored.
- The new `_is_container_runtime` helper in `run_profiler_backend.py` is currently unused; consider either wiring it into host/port resolution logic or removing it to avoid dead code.

## Individual Comments

### Comment 1
<location path="backend/auth_router.py" line_range="257" />
<code_context>
 def _issue_recovery_token(prefix: str) -> tuple[str, datetime]:
-    expires_at = datetime.utcnow() + timedelta(minutes=10)
+
     return f"{prefix}_{token_urlsafe(24)}", expires_at


</code_context>
<issue_to_address>
**issue (bug_risk):** The `expires_at` variable is no longer defined in `_issue_recovery_token`, which will raise a `NameError` at runtime.

Previously, `expires_at` was set before being returned; now it’s never assigned, so this function will crash. Reintroduce the expiry calculation (preferably using an aware UTC time, e.g. `datetime.now(timezone.utc) + timedelta(minutes=10)`) before returning.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

This PR appears to harden runtime/error handling across the backend (sanitizing diagnostic error payloads and avoiding leaking exception text), improve orchestration progress persistence, and align dependency/configuration hygiene (Pillow bump, CodeQL Python setup, .gitignore updates).

Changes:

• Add diagnostic error sanitization and replace raw exception strings with safe error codes/messages in health/runtime and marketplace streaming paths.
• Improve orchestration progress persistence by hashing progress filenames and writing progress files atomically under a lock.
• Update operational tooling/config: profiler host resolution hardening, SECRET_KEY_FILE persistence behavior, Pillow dependency bump, CodeQL Python setup, and repo .gitignore.

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
tests/test_health_diagnostics_sanitization.py	Adds tests asserting diagnostic errors are sanitized to safe error codes (no raw exception text leaks).
tests/test_auth_router_security.py	Updates password recovery security tests (but currently conflicts with recovery expiry expectations).
run_profiler_backend.py	Adds stricter profiler host resolution logic (loopback/remote gating).
pyproject.toml	Bumps Pillow range to >=12.2,<13.0.
gpu-llm-server/custom-server/server.py	Replaces model load error detail with a fixed safe error code.
frontend/frontend/hooks/use-feature-orchestrator.ts	Simplifies catalog title derivation (meta.popupKicker directly).
backend/marketplace/router.py	Avoids leaking exception strings in SSE/metadata; logs exceptions server-side; uses safe redis error code.
backend/main.py	Introduces _sanitize_diagnostic_error and uses it in memory/CPU/GPU/queue diagnostics.
backend/llm/orchestrator.py	Hashes orchestration progress filenames and uses atomic write + lock for progress files.
backend/auth.py	Strengthens SECRET_KEY_FILE handling and switches JWT expiry creation to timezone-aware UTC.
backend/auth_router.py	Attempts to migrate timestamps to timezone-aware UTC and Pydantic v2 config, but currently introduces import/NameError regressions.
.gitignore	Adds common Python/Node/IDE/artifact ignores.
.github/workflows/codeql.yml	Adds Python 3.13 setup for CodeQL when analyzing Python.

Comments suppressed due to low confidence (2)

backend/auth_router.py:281

• _purge_expired_password_recovery_sessions() uses now in the list comprehension but the now = ... assignment was removed. This will raise NameError and break every recovery endpoint (they all call this helper). Re-add the now initialization (and keep it consistent with the timezone-aware datetimes used elsewhere).

def _purge_expired_password_recovery_sessions() -> None:

    expired_tokens = [
        session_token
        for session_token, session_state in _password_recovery_store.items()
        if not isinstance(session_state.get("expires_at"), datetime)
        or cast(datetime, session_state["expires_at"]) <= now
    ]

run_profiler_backend.py:73

• _resolve_profiler_host() can return an IPv6 loopback host (::1), but _can_bind() always creates an AF_INET socket. Binding an IPv6 address with an IPv4 socket will fail, causing port resolution / startup errors when BACKEND_PROFILER_HOST=::1. Use AF_INET6 for IPv6 hosts (or normalize ::1 to 127.0.0.1).

    if requested_host in {"127.0.0.1", "::1"}:
        return requested_host
    try:
        requested_ip = ipaddress.ip_address(requested_host)
    except (TypeError, ValueError):
        logger.warning("[WARN] hostname profiler host=%s is not allowed; fallback to 127.0.0.1", requested_host)
        return "127.0.0.1"
    if requested_ip.is_loopback:
        return requested_host
    if allow_remote:
        if requested_ip.is_unspecified:
            logger.warning("[WARN] profiler backend is binding to all interfaces (host=%s)", requested_host)
        return requested_host
    logger.warning("[WARN] remote profiler host=%s blocked; set BACKEND_PROFILER_ALLOW_REMOTE=true to allow", requested_host)
    return "127.0.0.1"


def _can_bind(host: str, port: int) -> bool:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind((host, port))
        except OSError:

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

@copilot apply changes based on this feedback

[parkcheolhong]

@copilot apply changes based on the comments in this thread

[parkcheolhong]

조언 감사하고 수정해줘

[parkcheolhong]

@copilot apply changes based on the comments in this thread

[parkcheolhong]

수정해주세요,