- APIKey.alias (unique, required). Creating with an existing alias
renews that key: same key string kept, validity reset to 15d,
reactivated, name/roles updated (response has renewed=true).
- get_actor(): X-API-Key -> key alias, Bearer -> 'admin'.
- markdown & patch create/update record author / created_at /
updated_at / last_modified_by from the actor.
- Idempotent run_migrations() (information_schema-guarded ALTERs +
backfill) so existing tables/data gain the new columns on startup;
create_all still covers fresh DBs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Critical:
- backup: prevent Zip Slip path traversal and zip bombs in restore/convert
via safe_extract(); serialize get_backup() with backup_lock and always
restore CWD so concurrent requests can't corrupt the os.chdir state
- app: only enable the Werkzeug debugger/reloader when ENVIRONMENT=dev;
always init rate limits (also under WSGI), not just under __main__
- apikey: fix create_key never committing (session.commit -> commit()),
validate roles against an allowlist, and fix revoke_key/update_last_used
operating on detached instances so revocation actually persists
- env_provider: redact DB_PASSWORD and SESSION_SECRET_KEY in summerize()
High:
- markdown: filter private/protected docs for non-admins in the listing,
get_home, get_index and search endpoints (was an anonymous data leak);
escape LIKE metacharacters and cap search results
- webhooks: validate target URL to block SSRF (loopback/private/link-local/
metadata IPs), disable redirects, safely parse additional_header
- auth: validate JWT issuer and require exp/iat; add timeout to JWKS fetch;
harden Authorization header parsing against malformed values
- log: require admin for GET /api/log and auth for POST; bound entry size
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
