trentuna/candle-annotator
8
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions
candle-annotator/openspec/changes/code-review-fix/proposal.md
Marko Djordjevic c327ba3370 bind: MLflow port to 127.0.0.1:5000:5000 in docker-compose.yml 
Changes:
- Updated docker-compose.yml MLflow service port binding from 5000:5000 to 127.0.0.1:5000:5000
  to restrict access to localhost only for security
- Marked task 1.7 as complete in tasks.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-18 10:58:11 +01:00

92 lines
5.2 KiB
Markdown
Raw Blame History

## Why
A comprehensive code review identified **93 issues** (13 Critical, 35 Major, 45 Minor) across the entire codebase. The application has zero authentication, hardcoded credentials in committed files, path traversal vectors, unsafe deserialization, frontend race conditions/memory leaks, and zero test files. These must be fixed before any production deployment.
## What Changes
### Security (Critical)
- Add authentication middleware to all API endpoints (Next.js + FastAPI)
- Fix `.env` gitignore and remove credentials from git history
- Replace all hardcoded database credentials with env var interpolation
- Bind PostgreSQL port to localhost only
- Validate `run_id` parameters to prevent SSRF/path traversal
- Add file upload size limits
- Fix CORS wildcard on ML service
- Add model file integrity checks (SHA256) for joblib/pickle files
### Frontend Stability (Critical + Major)
- Fix stale closures in `fetchPredictions`, CandleChart click handler, SpanAnnotationManager keyboard handler
- Add AbortController to cancel stale prediction requests
- Fix SpanAnnotationManager preview primitive memory leak
- Add `response.ok` checks on all fetch calls
- Add React Error Boundary
- Fix hardcoded 1-minute candle interval assumption
- Use `chart.applyOptions()` for theme changes instead of re-creating chart
- Fix `fitContent()` called on every span change
### API Hardening (Major)
- Add Zod validation on all proxy routes
- Wrap chart cascade delete in transaction + add span annotation deletion
- Stop leaking error details to clients (frontend + backend)
- Require `chartId` for bulk annotation deletes
- Add input size limits on batch prediction
### Code Quality (Major + Minor)
- Centralize duplicate interface definitions into `src/types/`
- Replace pervasive `any` types with proper interfaces
- Move dev dependencies to `devDependencies`
- Remove dead code (migrate.ts, get_db_session, dead filter)
- Replace deprecated Python APIs (on_event, declarative_base, utcnow)
### Infrastructure (Major + Minor)
- Add security response headers (CSP, X-Frame-Options)
- ML Dockerfile: run as non-root user
- Create `.dockerignore`
- Add rate limiting middleware
- Pin Docker base images to digests
- Implement real health checks on ML service
- Use `next/font` instead of CSS `@import`
### UX Polish (Minor)
- Add confirmation dialog for delete-all annotations
- Fix accessibility (ARIA labels, focus trapping, keyboard nav)
- Add CSV injection protection to exports
- Fix dark theme on settings pages
- Add debounce to confidence slider
- Add click-outside handler to chart dropdown
## Capabilities
### New Capabilities
- `api-authentication`: API key or session-based auth middleware for Next.js routes and FastAPI endpoints
- `input-validation`: Zod schemas for all proxy routes, file upload limits, run_id format validation, batch size limits
- `security-headers`: CSP, X-Frame-Options, and other security response headers via Next.js config
- `error-boundary`: React Error Boundary wrapping critical component subtrees
- `shared-types`: Centralized TypeScript interfaces in `src/types/` replacing duplicate definitions across 6+ files
### Modified Capabilities
- `docker-deployment`: Bind ports to localhost, add `.dockerignore`, run ML as non-root, pin images, fix healthcheck, TA-Lib HTTPS download
- `backend-api`: Transaction-wrapped cascade deletes, generic error responses, scoped bulk delete, rate limiting
- `ml-inference`: CORS fix, model integrity checks, path traversal prevention, thread-safe model reads, input size limits
- `ml-training`: run_id validation, resource limits, path traversal prevention
- `chart-canvas`: Fix stale closures, theme change via applyOptions, fix 1-min interval assumption, extract magic numbers, use refs for click handler
- `span-annotation`: Fix keyboard handler stale closure, preview primitive memory leak, fitContent removal, primitive recreation optimization
- `prediction-ui`: AbortController for requests, bounded prediction cache, response.ok checks
- `postgres-data-layer`: Remove `.env` from git, env var interpolation for credentials, SSL/TLS support
- `ui-shell`: Error boundary integration, confirmation dialogs, accessibility improvements, dark theme fixes, next/font migration
- `label-management`: (no spec-level changes, only implementation cleanup)
- `feature-engineering`: (no spec-level changes, deprecated API cleanup only)
## Impact
- **All 27 API route files** in `src/app/api/` — auth middleware, error handling, validation
- **`src/app/page.tsx`** — AbortController, response checks, cache bounds, confirmation dialog
- **`src/components/CandleChart.tsx`** — stale closures, theme, interval fix, refs
- **`src/components/SpanAnnotationManager.tsx`** — memory leak, keyboard handler, fitContent, primitives
- **`services/ml/app/main.py`** — CORS, auth, error messages, model integrity, path validation, deprecated APIs
- **`services/ml/Dockerfile`** — non-root user, HTTPS download
- **`docker-compose.yml`** — port bindings, credential interpolation
- **`next.config.js`** — security headers
- **`package.json`** — devDependencies reorganization
- **New files**: `src/middleware.ts`, `src/types/*.ts`, `src/components/ErrorBoundary.tsx`, `.dockerignore`
- **No breaking API changes** — all fixes are additive or internal
Reference in a new issue View git blame Copy permalink