Commit graph

695 commits

Author SHA1 Message Date
Luis Novo
c0010a189c
Merge pull request #762 from lfnovo/dependabot/uv/langchain-openai-1.1.14
chore(deps): bump langchain-openai from 1.1.7 to 1.1.14
2026-04-17 08:59:00 -03:00
Luis Novo
7fb2341bf1
Merge pull request #761 from lfnovo/dependabot/uv/langchain-text-splitters-1.1.2
chore(deps): bump langchain-text-splitters from 1.1.0 to 1.1.2
2026-04-17 08:58:56 -03:00
Luis Novo
63784c42b2
Merge pull request #760 from lfnovo/dependabot/uv/authlib-1.6.11
chore(deps): bump authlib from 1.6.9 to 1.6.11
2026-04-17 08:58:52 -03:00
Luis Novo
6c3bc6ae51
Merge pull request #759 from lfnovo/dependabot/uv/langsmith-0.7.31
chore(deps): bump langsmith from 0.6.4 to 0.7.31
2026-04-17 08:58:48 -03:00
Luis Novo
f0207687f6
Merge pull request #758 from lfnovo/dependabot/uv/python-multipart-0.0.26
chore(deps): bump python-multipart from 0.0.22 to 0.0.26
2026-04-17 08:58:44 -03:00
Luis Novo
ca211721bc
Merge pull request #754 from lfnovo/dependabot/npm_and_yarn/frontend/follow-redirects-1.16.0
chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /frontend
2026-04-17 08:58:41 -03:00
Luis Novo
ee6f27e5a2
Merge pull request #752 from lfnovo/dependabot/uv/pytest-9.0.3
chore(deps): bump pytest from 9.0.2 to 9.0.3
2026-04-17 08:58:37 -03:00
Luis Novo
2cdbd8b3c0
Merge pull request #748 from lfnovo/dependabot/npm_and_yarn/frontend/axios-1.15.0
chore(deps): bump axios from 1.13.5 to 1.15.0 in /frontend
2026-04-17 08:58:34 -03:00
Luis Novo
8653c18c27
Merge pull request #744 from lfnovo/dependabot/npm_and_yarn/frontend/next-16.2.3
chore(deps): bump next from 16.1.7 to 16.2.3 in /frontend
2026-04-17 08:58:30 -03:00
Luis Novo
1d0a60f9c7
Merge pull request #728 from lfnovo/dependabot/npm_and_yarn/frontend/vite-7.3.2
chore(deps-dev): bump vite from 7.3.1 to 7.3.2 in /frontend
2026-04-17 08:58:26 -03:00
dependabot[bot]
61684ba660
chore(deps): bump langchain-openai from 1.1.7 to 1.1.14
Bumps [langchain-openai](https://github.com/langchain-ai/langchain) from 1.1.7 to 1.1.14.
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](https://github.com/langchain-ai/langchain/compare/langchain-openai==1.1.7...langchain-openai==1.1.14)

---
updated-dependencies:
- dependency-name: langchain-openai
  dependency-version: 1.1.14
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-17 01:11:11 +00:00
dependabot[bot]
54e626cd9e
chore(deps): bump langchain-text-splitters from 1.1.0 to 1.1.2
Bumps [langchain-text-splitters](https://github.com/langchain-ai/langchain) from 1.1.0 to 1.1.2.
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](https://github.com/langchain-ai/langchain/compare/langchain-text-splitters==1.1.0...langchain-text-splitters==1.1.2)

---
updated-dependencies:
- dependency-name: langchain-text-splitters
  dependency-version: 1.1.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-17 01:07:27 +00:00
dependabot[bot]
45c16e1fa1
chore(deps): bump authlib from 1.6.9 to 1.6.11
Bumps [authlib](https://github.com/authlib/authlib) from 1.6.9 to 1.6.11.
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/v1.6.11/docs/changelog.rst)
- [Commits](https://github.com/authlib/authlib/compare/v1.6.9...v1.6.11)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.6.11
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-16 23:59:26 +00:00
dependabot[bot]
869604f824
chore(deps): bump langsmith from 0.6.4 to 0.7.31
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.6.4 to 0.7.31.
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](https://github.com/langchain-ai/langsmith-sdk/compare/v0.6.4...v0.7.31)

---
updated-dependencies:
- dependency-name: langsmith
  dependency-version: 0.7.31
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-16 02:36:34 +00:00
Luis Novo
d7967a0fcf
Merge pull request #755 from lfnovo/refactor/migrate-i18n-to-standard-t-function
refactor: migrate i18n from Proxy pattern to standard t() function
2026-04-15 21:56:01 -03:00
dependabot[bot]
2b4535413b
chore(deps): bump python-multipart from 0.0.22 to 0.0.26
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.22 to 0.0.26.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Kludex/python-multipart/compare/0.0.22...0.0.26)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.26
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-15 20:59:54 +00:00
Luis Novo
e2cf35060b
fix: use getApiErrorMessage in use-settings and update CLAUDE.md docs
- Replace getApiErrorKey with getApiErrorMessage in use-settings.ts
  so error toasts show translated messages instead of raw i18n keys
- Update CLAUDE.md files to reflect the new t('section.key') pattern
  and remove outdated Proxy-related gotchas
2026-04-14 18:31:18 -03:00
Luis Novo
98a528158a
refactor: migrate i18n from custom Proxy pattern to standard react-i18next t() function
- Replace Proxy-based useTranslation hook with thin react-i18next wrapper
- Convert all t.section.key property access to t('section.key') function calls across 84 files
- Migrate TranslationKeys type parameters to TFunction from i18next
- Update test setup mock and test assertions for new pattern
- Preserve setLanguage with language change events for loading overlay

Closes #579
2026-04-14 14:42:58 -03:00
dependabot[bot]
edf323fbc9
chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /frontend
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.11 to 1.16.0.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-14 17:38:52 +00:00
Luis Novo
1e090b04a5
Merge pull request #753 from lfnovo/fix/graceful-credential-decryption-errors
fix: handle credential decryption errors gracefully
2026-04-14 14:37:19 -03:00
Luis Novo
621dd6c42a
chore: bump version to 1.8.5 and update changelog
2026-04-14 14:03:48 -03:00
Luis Novo
0c2522074d
fix: narrow exception handling and support migrate_to for broken credentials
- Catch only ValueError (decryption errors) instead of broad Exception
  so NotFoundError and other failures propagate correctly
- Support migrate_to parameter in the fallback delete path so linked
  models can be reassigned instead of always cascade-deleted
- Sanitize decryption_error message to not expose raw exception details
2026-04-14 10:34:32 -03:00
dependabot[bot]
171e9d3bd3
chore(deps): bump pytest from 9.0.2 to 9.0.3
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.2 to 9.0.3.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/pytest/compare/9.0.2...9.0.3)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-14 02:21:10 +00:00
Luis Novo
ba01f7df4e
fix: handle credential decryption errors gracefully (#740)
- Credential.get_all() now uses per-row error handling instead of failing on first bad row
- Broken credentials include decryption_error field with descriptive message
- DELETE endpoint falls back to direct DB delete when credential can't be decrypted
- Frontend shows amber warning alert for broken credentials with disabled test/edit/discover
- Added i18n translation keys for decryption error warning in all 9 locales
2026-04-12 21:22:37 -03:00
dependabot[bot]
6b23e7cee8
chore(deps): bump axios from 1.13.5 to 1.15.0 in /frontend
Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.13.5...v1.15.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-12 10:40:02 +00:00
dependabot[bot]
9c73299da0
chore(deps): bump next from 16.1.7 to 16.2.3 in /frontend
Bumps [next](https://github.com/vercel/next.js) from 16.1.7 to 16.2.3.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/compare/v16.1.7...v16.2.3)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 16.2.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-11 04:20:11 +00:00
dependabot[bot]
b7788ec05a
chore(deps): bump tornado from 6.5.4 to 6.5.5 (#668)
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.4 to 6.5.5.
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](https://github.com/tornadoweb/tornado/compare/v6.5.4...v6.5.5)

---
updated-dependencies:
- dependency-name: tornado
  dependency-version: 6.5.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-09 13:23:46 -03:00
Luis Novo
4222329451
fix: map base_url to endpoint for Azure credentials (#741)
* fix: map base_url to endpoint for Azure credentials

The Azure credential form only exposes a base_url field, but the
connection tester, key provisioner, and Esperanto config all expect
an endpoint field. This maps base_url to endpoint for Azure providers
so credentials work without requiring a dedicated endpoint form field.

Closes #727

* docs: update Azure credential docs to reflect base_url mapping
2026-04-09 13:22:00 -03:00
Luis Novo
ade4adc0b2
Merge pull request #736 from lfnovo/dependabot/uv/cryptography-46.0.7
chore(deps): bump cryptography from 46.0.6 to 46.0.7
2026-04-09 12:53:39 -03:00
Luis Novo
51bdc09965
Merge pull request #737 from lfnovo/dependabot/uv/langchain-core-1.2.28
chore(deps): bump langchain-core from 1.2.22 to 1.2.28
2026-04-09 12:53:26 -03:00
Luis Novo
4ae459ca5e
Merge pull request #739 from lfnovo/docs/security-guidelines
docs: add security guidelines for contributors
2026-04-09 12:19:43 -03:00
Luis Novo
8ee18d1fb7
docs: add security guidelines for contributors
Add security.md covering database query safety, template rendering,
file handling, secrets management, and a code review checklist.
Informed by CERT-EU coordinated vulnerability disclosures.
2026-04-09 12:16:09 -03:00
Luis Novo
1a35240e15
Merge pull request #738 from lfnovo/fix/security-vulnerabilities-round2
fix: prevent RCE, path traversal, and LFI vulnerabilities
2026-04-09 12:08:18 -03:00
Luis Novo
2f75c5978c
fix: harden path validation to prevent sibling directory bypass
Append os.sep to the directory path before startswith() check so that
paths like /app/data/uploads_evil/ cannot bypass the uploads directory
validation.
2026-04-09 12:05:38 -03:00
Luis Novo
70a466a640
fix: prevent RCE via SSTI, path traversal file write, and LFI file read
- Bump ai-prompter to >=0.4.0 which uses Jinja2 SandboxedEnvironment,
  preventing arbitrary code execution via user-provided transformation prompts
- Sanitize uploaded filenames with os.path.basename() and validate resolved
  path stays within upload directory to prevent path traversal
- Validate file_path in source creation is within UPLOADS_FOLDER to prevent
  arbitrary file read via Local File Inclusion
2026-04-09 11:58:16 -03:00
dependabot[bot]
58e9998bb8
chore(deps): bump langchain-core from 1.2.22 to 1.2.28
Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.2.22 to 1.2.28.
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](https://github.com/langchain-ai/langchain/compare/langchain-core==1.2.22...langchain-core==1.2.28)

---
updated-dependencies:
- dependency-name: langchain-core
  dependency-version: 1.2.28
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-08 22:28:22 +00:00
dependabot[bot]
3755b1f2d4
chore(deps): bump cryptography from 46.0.6 to 46.0.7
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.6 to 46.0.7.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/46.0.6...46.0.7)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-08 21:55:21 +00:00
Luis Novo
89eac04c63
Merge pull request #731 from lfnovo/fix/surrealdb-injection
fix: prevent SurrealDB injection via unsanitized query parameters
2026-04-07 14:52:22 -03:00
Luis Novo
3d560b4248
chore: bump version to 1.8.3 and update changelog
Add 1.8.2 and 1.8.3 entries to CHANGELOG.md.
1.8.3 documents the SurrealDB injection security fix.
2026-04-07 07:59:16 -03:00
Luis Novo
e5b253b11d
fix: prevent SurrealDB injection via order_by and unparameterized queries
- Add allowlist validation for order_by param in notebooks endpoint
- Parameterize session_id query in source_chat router
- Add regex validation in base.py get_all() order_by parameter
- Convert async_migrate bump/lower_version to parameterized queries
2026-04-07 07:58:54 -03:00
dependabot[bot]
19b82b24ed
chore(deps-dev): bump vite from 7.3.1 to 7.3.2 in /frontend
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.1 to 7.3.2.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-06 22:12:45 +00:00
Luis Novo
6274358b21
Merge pull request #725 from lfnovo/feat/dashscope-minimax-providers
feat: add DashScope (Qwen) and MiniMax provider support
2026-04-06 13:42:45 -03:00
Luis Novo
3934fe7e5e
chore: bump version to 1.8.2 and update changelog and provider docs
- Bump version from 1.8.1 to 1.8.2
- Add changelog entry for DashScope and MiniMax provider support
- Update provider counts across README and docs (16+ → 18+, 15+ → 17+)
- Add DashScope and MiniMax to README provider support matrix
2026-04-06 10:59:47 -03:00
Luis Novo
adc03e56bb
feat: add DashScope (Qwen) and MiniMax provider support
- Bump esperanto dependency to >=2.20.0 for new provider profiles
- Register both providers in credentials, key provider, connection tester, model discovery, and models router
- Add frontend provider entries (display names, modalities, docs links)
- Add documentation sections for both providers in ai-providers.md, environment-reference.md, and provider comparison
2026-04-06 10:54:37 -03:00
Luis Novo
c42dc10d2b
Merge pull request #723 from lfnovo/docs/deprecate-single-container
docs: deprecate single-container image
2026-04-06 08:21:06 -03:00
Luis Novo
746218248c
docs: add surrealdb service notes to docker-compose snippets
The v1-latest image requires a separate surrealdb service unlike the
deprecated single-container image. Add comments pointing to the full
base docker-compose.yml in all partial code examples.
2026-04-06 08:15:33 -03:00
Luis Novo
309004aef4
docs: deprecate single-container image in favor of Docker Compose
The v1-single image is being phased out ahead of v2. This adds
deprecation notices to the single-container docs and replaces
v1-latest-single image references with v1-latest across all
configuration guides and issue templates.

Closes #498
2026-04-06 08:10:32 -03:00
Luis Novo
33920285ca
Merge pull request #722 from lfnovo/fix/source-and-credential-bugs
fix: source asset persistence, title preservation, credential cascade delete
2026-04-06 08:01:56 -03:00
Luis Novo
bcec7e89ef
refactor: move tests from test_bug_fixes.py to proper test modules
- Title preservation tests → test_graphs.py (TestSaveSourceTitlePreservation)
- Source asset persistence tests → test_sources_api.py (new file)
- Credential cascade delete tests → test_credentials_api.py (new file)
- Delete test_bug_fixes.py
2026-04-06 07:45:49 -03:00
Luis Novo
18a7cab36f
fix: improve test quality for #627 and #651
- #627: Replace model-construction tests with endpoint-level tests that
  exercise the real create_source async path via TestClient, capturing
  the Source instance passed to save() using patch.object(autospec=True)
- #651: Use assert_awaited_once() instead of assert_called_once() on
  AsyncMock methods to catch missing await bugs
- Remove redundant class-level @patch for Source.save in title tests
2026-04-06 07:42:20 -03:00