fix: address security, performance, and documentation audit findings#368
Merged
RobertLD merged 4 commits intodevelopmentfrom Mar 6, 2026
Merged
fix: address security, performance, and documentation audit findings#368RobertLD merged 4 commits intodevelopmentfrom
RobertLD merged 4 commits intodevelopmentfrom
Conversation
Security (closes #364): - Add sanitizeFtsWord() to strip FTS5 operators, column filters, and wildcards before query construction — prevents FTS5 injection - Change CORS default from ["*"] to localhost-only origins - Encrypt webhook secrets at rest using AES-256-GCM when LIBSCOPE_SECRET_KEY env var is set; graceful plaintext fallback Performance (closes #365): - Add migration v16: idx_documents_content_hash and idx_chunks_doc_idx indexes — eliminates full table scans on dedup and context fetching - Add SQLite pragmas: synchronous=NORMAL, cache_size=32MB, temp_store=MEMORY - Remove double 9x ANN over-fetch in vectorSearch (was 3x*3x, now 3x total) - Defer ratings AVG() join to post-pagination attachRatings() batch query - Combine getStats() 5 sequential COUNTs into a single subquery SELECT Documentation (closes #367): - Fix VitePress footer license: MIT → Business Source License 1.1 - Fix MCP tool count on homepage: 17 → 26 - Add docs/guide/how-search-works.md: hybrid RRF pipeline, search methods, scoreExplanation, and tuning options - Add docs/guide/troubleshooting.md: common issues and solutions - Document dedup modes and scoreExplanation in MCP tools reference - Add new pages to VitePress sidebar Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
- url-fetcher.ts: move codeql[js/request-forgery] suppression comment
onto the fetch() line itself so CodeQL recognises it as intentional
(SSRF is mitigated by validateUrl() + DNS rebinding checks above)
- confluence.ts: cap [^>]* to [^>]{0,500} in ri:attachment regex to
prevent polynomial ReDoS on maliciously crafted Confluence markup
Both alerts were pre-existing on the development branch (detected
2026-03-04/05) and are not introduced by this PR.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prettier moved the inline comment inside the object literal on the previous commit; reposition it as a line comment directly above the fetch() call so CodeQL recognises the suppression. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/^\*+|\*+$/g triggers CodeQL js/polynomial-redos on strings with many consecutive '*' characters. Replace with a simple while-loop index scan that strips leading/trailing asterisks without regex backtracking. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses findings from a comprehensive security, performance, and documentation audit of the
developmentbranch. All 1089 tests pass, TypeScript clean.Security fixes (closes #364)
sanitizeFtsWord()helper that strips column-filter syntax, prefix/suffix wildcards, and standalone FTS5 operators (NEAR,AND,OR,NOT) before building queries. Applied to both AND and OR fallback paths.["*"]to["http://localhost", "http://localhost:3000"]. Callers can configurecorsOriginsexplicitly for custom setups.LIBSCOPE_SECRET_KEYenv var. Graceful fallback to plaintext if key not set (with warning log). Backward compatible with existing plaintext secrets.Performance fixes (closes #365)
idx_documents_content_hasheliminates full table scans on every dedup check; compositeidx_chunks_doc_idx ON chunks(document_id, chunk_index)speeds up context chunk range queriessynchronous = NORMAL(safe with WAL, 2–3× faster writes),cache_size = -32000(32MB),temp_store = MEMORYvectorSearchwas applying an inner* 3on top of the caller's* 3, totalling 9× over-fetch. Removed inner multiplier; effective fetch is now(offset + limit) * 3(capped at 5000).AVG(rating)subquery no longer inlined in all 4 search paths. WhenminRatingfilter is not set, ratings are fetched post-pagination in a single batch query on the final result set (typically 10 docs).getStats()combined — 5 sequentialCOUNT(*)queries merged into one subquery-basedSELECTDocumentation fixes (closes #367)
docs/guide/how-search-works.md) — Documents the full hybrid pipeline: query embedding → vector ANN → FTS5 → RRF fusion → title boost → pagination. Includes search methods table,scoreExplanationshape, and tuning reference.docs/guide/troubleshooting.md) — Common issues: sqlite-vec loading, model download, dimension mismatch, search quality, API auth, database locksdedup: skip | warn | forceanddedupOptionsadded to MCP tools and REST API referenceTest plan
npx tsc --noEmitcleanIF NOT EXISTS)🤖 Generated with Claude Code