apikey_cli.py operates directly on the DB (run inside the backend
container). Subcommands: create (alias required; reusing an alias
renews — same key, validity reset, reactivated, name/roles updated;
roles allowlisted; configurable --ttl-days), list (masked keys,
--show-keys to reveal), revoke (by --alias or --key).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- APIKey.alias (unique, required). Creating with an existing alias
renews that key: same key string kept, validity reset to 15d,
reactivated, name/roles updated (response has renewed=true).
- get_actor(): X-API-Key -> key alias, Bearer -> 'admin'.
- markdown & patch create/update record author / created_at /
updated_at / last_modified_by from the actor.
- Idempotent run_migrations() (information_schema-guarded ALTERs +
backfill) so existing tables/data gain the new columns on startup;
create_all still covers fresh DBs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add MarkdownPatch model (markdown_patch table, auto-created by
create_all) and /api/patch blueprint: list patches for a markdown
(inherits the parent's private/protected visibility), create/update
(admin|creator), delete (admin).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Critical:
- backup: prevent Zip Slip path traversal and zip bombs in restore/convert
via safe_extract(); serialize get_backup() with backup_lock and always
restore CWD so concurrent requests can't corrupt the os.chdir state
- app: only enable the Werkzeug debugger/reloader when ENVIRONMENT=dev;
always init rate limits (also under WSGI), not just under __main__
- apikey: fix create_key never committing (session.commit -> commit()),
validate roles against an allowlist, and fix revoke_key/update_last_used
operating on detached instances so revocation actually persists
- env_provider: redact DB_PASSWORD and SESSION_SECRET_KEY in summerize()
High:
- markdown: filter private/protected docs for non-admins in the listing,
get_home, get_index and search endpoints (was an anonymous data leak);
escape LIKE metacharacters and cap search results
- webhooks: validate target URL to block SSRF (loopback/private/link-local/
metadata IPs), disable redirects, safely parse additional_header
- auth: validate JWT issuer and require exp/iat; add timeout to JWKS fetch;
harden Authorization header parsing against malformed values
- log: require admin for GET /api/log and auth for POST; bound entry size
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
