cachibot 0.2.5.dev1__tar.gz → 0.2.6.dev1__tar.gz

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cachibot
-Version: 0.2.5.dev1
+Version: 0.2.6.dev1
 Summary: The Armored AI Agent. Cross-platform, secure, yours.
 Project-URL: Homepage, https://cachibot.dev
 Project-URL: Documentation, https://cachibot.dev/docs

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "cachibot"
-version = "0.2.5.dev1"
+version = "0.2.6.dev1"
 description = "The Armored AI Agent. Cross-platform, secure, yours."
 readme = "README.md"
 license = "MIT"

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/src/cachibot/api/routes/auth.py

@@ -1,9 +1,11 @@
 """Authentication endpoints."""
 
+import time
 import uuid
+from collections import defaultdict
 from datetime import datetime
 
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Request, status
 
 from cachibot.api.auth import get_admin_user, get_current_user
 from cachibot.models.auth import (
@@ -26,6 +28,30 @@ from cachibot.storage.user_repository import UserRepository
 
 router = APIRouter(prefix="/auth")
 
+# Simple in-memory rate limiter for auth endpoints
+_rate_limit_store: dict[str, list[float]] = defaultdict(list)
+RATE_LIMIT_WINDOW = 60  # seconds
+RATE_LIMIT_MAX_REQUESTS = 5  # max attempts per window
+
+
+async def rate_limit_auth(request: Request) -> None:
+    """Rate limit authentication endpoints by client IP."""
+    client_ip = request.client.host if request.client else "unknown"
+    now = time.monotonic()
+
+    # Prune old entries
+    _rate_limit_store[client_ip] = [
+        t for t in _rate_limit_store[client_ip] if now - t < RATE_LIMIT_WINDOW
+    ]
+
+    if len(_rate_limit_store[client_ip]) >= RATE_LIMIT_MAX_REQUESTS:
+        raise HTTPException(
+            status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+            detail="Too many attempts. Please try again later.",
+        )
+
+    _rate_limit_store[client_ip].append(now)
+
 
 @router.get("/setup-required", response_model=SetupStatusResponse)
 async def check_setup_required() -> SetupStatusResponse:
@@ -35,7 +61,7 @@ async def check_setup_required() -> SetupStatusResponse:
     return SetupStatusResponse(setup_required=count == 0)
 
 
-@router.post("/setup", response_model=LoginResponse)
+@router.post("/setup", response_model=LoginResponse, dependencies=[Depends(rate_limit_auth)])
 async def setup_initial_admin(request: SetupRequest) -> LoginResponse:
     """
     Create the initial admin user (first-time setup).
@@ -103,7 +129,7 @@ async def setup_initial_admin(request: SetupRequest) -> LoginResponse:
     )
 
 
-@router.post("/login", response_model=LoginResponse)
+@router.post("/login", response_model=LoginResponse, dependencies=[Depends(rate_limit_auth)])
 async def login(request: LoginRequest) -> LoginResponse:
     """
     Login with email or username and password.

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/src/cachibot/api/routes/bots.py

@@ -9,7 +9,7 @@ from datetime import datetime
 from fastapi import APIRouter, Depends, HTTPException
 from pydantic import BaseModel, Field
 
-from cachibot.api.auth import get_current_user
+from cachibot.api.auth import get_current_user, require_bot_access
 from cachibot.models.auth import User
 from cachibot.models.bot import Bot, BotResponse
 from cachibot.models.skill import BotSkillRequest, SkillResponse
@@ -49,7 +49,7 @@ async def list_bots(
 @router.get("/{bot_id}")
 async def get_bot(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> BotResponse:
     """Get a specific bot."""
     bot = await repo.get_bot(bot_id)
@@ -62,7 +62,7 @@ async def get_bot(
 async def sync_bot(
     bot_id: str,
     body: BotSyncRequest,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> BotResponse:
     """Sync a bot from frontend (create or update)."""
     if body.id != bot_id:
@@ -88,7 +88,7 @@ async def sync_bot(
 @router.delete("/{bot_id}", status_code=204)
 async def delete_bot(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> None:
     """Delete a bot."""
     deleted = await repo.delete_bot(bot_id)
@@ -104,7 +104,7 @@ async def delete_bot(
 @router.get("/{bot_id}/skills")
 async def get_bot_skills(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> list[SkillResponse]:
     """Get all activated skills for a bot."""
     skill_defs = await skills_repo.get_bot_skill_definitions(bot_id)
@@ -114,7 +114,7 @@ async def get_bot_skills(
 @router.get("/{bot_id}/skills/ids")
 async def get_bot_skill_ids(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> list[str]:
     """Get just the IDs of activated skills for a bot."""
     return await skills_repo.get_bot_skills(bot_id)
@@ -124,7 +124,7 @@ async def get_bot_skill_ids(
 async def activate_bot_skill(
     bot_id: str,
     body: BotSkillRequest,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> dict:
     """Activate a skill for a bot."""
     # Verify skill exists
@@ -140,7 +140,7 @@ async def activate_bot_skill(
 async def deactivate_bot_skill(
     bot_id: str,
     skill_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> None:
     """Deactivate a skill for a bot."""
     deactivated = await skills_repo.deactivate_skill(bot_id, skill_id)
@@ -181,7 +181,7 @@ class BotImportResponse(BaseModel):
 @router.get("/{bot_id}/export")
 async def export_bot(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> BotExportFormat:
     """
     Export a bot configuration as JSON.

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/src/cachibot/api/routes/chats.py

@@ -7,7 +7,7 @@ Endpoints for managing bot chats, including platform conversations.
 from fastapi import APIRouter, Depends, HTTPException
 from pydantic import BaseModel
 
-from cachibot.api.auth import get_current_user
+from cachibot.api.auth import get_current_user, require_bot_access
 from cachibot.models.auth import User
 from cachibot.models.chat_model import ChatResponse
 from cachibot.models.knowledge import BotMessage
@@ -46,7 +46,7 @@ class MessageResponse(BaseModel):
 async def list_chats(
     bot_id: str,
     include_archived: bool = False,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> list[ChatResponse]:
     """Get all chats for a bot (including platform chats). Excludes archived by default."""
     chats = await chat_repo.get_chats_by_bot(bot_id, include_archived=include_archived)
@@ -71,7 +71,7 @@ class ArchiveResponse(BaseModel):
 @router.post("/_clear", status_code=200)
 async def clear_all_chats(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ClearDataResponse:
     """Delete all chats and messages for a bot (platform data cleanup)."""
     # Delete all messages first (they reference chats)
@@ -90,7 +90,7 @@ async def clear_all_chats(
 async def get_chat(
     bot_id: str,
     chat_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ChatResponse:
     """Get a specific chat."""
     chat = await chat_repo.get_chat(chat_id)
@@ -104,7 +104,7 @@ async def get_chat_messages(
     bot_id: str,
     chat_id: str,
     limit: int = 50,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> list[MessageResponse]:
     """Get messages for a chat."""
     chat = await chat_repo.get_chat(chat_id)
@@ -119,7 +119,7 @@ async def get_chat_messages(
 async def delete_chat(
     bot_id: str,
     chat_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> None:
     """Delete a chat permanently (including messages)."""
     chat = await chat_repo.get_chat(chat_id)
@@ -136,7 +136,7 @@ async def delete_chat(
 async def clear_chat_messages(
     bot_id: str,
     chat_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ClearDataResponse:
     """Clear all messages for a chat but keep the chat itself."""
     chat = await chat_repo.get_chat(chat_id)
@@ -151,7 +151,7 @@ async def clear_chat_messages(
 async def archive_chat(
     bot_id: str,
     chat_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ArchiveResponse:
     """Archive a chat. Archived chats are hidden and won't receive new messages."""
     chat = await chat_repo.get_chat(chat_id)
@@ -166,7 +166,7 @@ async def archive_chat(
 async def unarchive_chat(
     bot_id: str,
     chat_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ArchiveResponse:
     """Unarchive a chat. It will appear in listings and receive messages again."""
     chat = await chat_repo.get_chat(chat_id)

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/src/cachibot/api/routes/connections.py

@@ -4,18 +4,21 @@ Connections API Routes
 CRUD endpoints for managing bot platform connections.
 """
 
+import logging
 import uuid
 from datetime import datetime
 
 from fastapi import APIRouter, Depends, HTTPException
 from pydantic import BaseModel
 
-from cachibot.api.auth import get_current_user
+from cachibot.api.auth import get_current_user, require_bot_access
 from cachibot.models.auth import User
 from cachibot.models.connection import BotConnection, ConnectionPlatform, ConnectionStatus
 from cachibot.services.platform_manager import get_platform_manager
 from cachibot.storage.repository import ConnectionRepository
 
+logger = logging.getLogger(__name__)
+
 router = APIRouter(prefix="/api/bots/{bot_id}/connections", tags=["connections"])
 
 # Repository instance
@@ -79,7 +82,7 @@ class ConnectionResponse(BaseModel):
 @router.get("")
 async def list_connections(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> list[ConnectionResponse]:
     """Get all connections for a bot."""
     connections = await repo.get_connections_by_bot(bot_id)
@@ -90,7 +93,7 @@ async def list_connections(
 async def create_connection(
     bot_id: str,
     body: ConnectionCreate,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ConnectionResponse:
     """Create a new connection for a bot."""
     if not body.name.strip():
@@ -126,7 +129,7 @@ async def create_connection(
 async def get_connection(
     bot_id: str,
     connection_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ConnectionResponse:
     """Get a specific connection."""
     connection = await repo.get_connection(connection_id)
@@ -140,7 +143,7 @@ async def update_connection(
     bot_id: str,
     connection_id: str,
     body: ConnectionUpdate,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ConnectionResponse:
     """Update an existing connection."""
     connection = await repo.get_connection(connection_id)
@@ -166,7 +169,7 @@ async def update_connection(
 async def delete_connection(
     bot_id: str,
     connection_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> None:
     """Delete a connection."""
     connection = await repo.get_connection(connection_id)
@@ -185,7 +188,7 @@ async def delete_connection(
 async def connect_platform(
     bot_id: str,
     connection_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ConnectionResponse:
     """Start a platform connection."""
     connection = await repo.get_connection(connection_id)
@@ -199,14 +202,15 @@ async def connect_platform(
         connection = await repo.get_connection(connection_id)
         return ConnectionResponse.from_connection(connection)
     except Exception as e:
-        raise HTTPException(status_code=500, detail=str(e))
+        logger.error(f"Failed to connect {connection_id}: {e}")
+        raise HTTPException(status_code=500, detail="Failed to start connection")
 
 
 @router.post("/{connection_id}/disconnect")
 async def disconnect_platform(
     bot_id: str,
     connection_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ConnectionResponse:
     """Stop a platform connection."""
     connection = await repo.get_connection(connection_id)

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/src/cachibot/api/routes/contacts.py

@@ -61,7 +61,7 @@ class ContactResponse(BaseModel):
 @router.get("")
 async def list_contacts(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> list[ContactResponse]:
     """Get all contacts for a bot."""
     contacts = await repo.get_contacts_by_bot(bot_id)
@@ -72,7 +72,7 @@ async def list_contacts(
 async def create_contact(
     bot_id: str,
     body: ContactCreate,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ContactResponse:
     """Create a new contact for a bot."""
     if not body.name.strip():
@@ -95,7 +95,7 @@ async def create_contact(
 async def get_contact(
     bot_id: str,
     contact_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ContactResponse:
     """Get a specific contact."""
     contact = await repo.get_contact(contact_id)
@@ -109,7 +109,7 @@ async def update_contact(
     bot_id: str,
     contact_id: str,
     body: ContactUpdate,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> ContactResponse:
     """Update an existing contact."""
     contact = await repo.get_contact(contact_id)
@@ -131,7 +131,7 @@ async def update_contact(
 async def delete_contact(
     bot_id: str,
     contact_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> None:
     """Delete a contact."""
     contact = await repo.get_contact(contact_id)

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/src/cachibot/api/routes/documents.py

@@ -15,7 +15,7 @@ import aiofiles
 from fastapi import APIRouter, BackgroundTasks, Depends, File, HTTPException, UploadFile
 from pydantic import BaseModel
 
-from cachibot.api.auth import get_current_user
+from cachibot.api.auth import get_current_user, require_bot_access
 from cachibot.models.auth import User
 from cachibot.models.knowledge import Document, DocumentStatus
 from cachibot.services.document_processor import get_document_processor
@@ -85,7 +85,7 @@ async def upload_document(
     bot_id: str,
     file: Annotated[UploadFile, File()],
     background_tasks: BackgroundTasks,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> UploadResponse:
     """
     Upload a document to the bot's knowledge base.
@@ -163,7 +163,7 @@ async def upload_document(
 @router.get("/", response_model=list[DocumentResponse])
 async def list_documents(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> list[DocumentResponse]:
     """List all documents for a bot."""
     repo = KnowledgeRepository()
@@ -175,7 +175,7 @@ async def list_documents(
 async def get_document(
     bot_id: str,
     document_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> DocumentResponse:
     """Get a specific document."""
     repo = KnowledgeRepository()
@@ -191,7 +191,7 @@ async def get_document(
 async def delete_document(
     bot_id: str,
     document_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> dict:
     """Delete a document and its chunks."""
     repo = KnowledgeRepository()

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/src/cachibot/api/routes/instructions.py

@@ -7,7 +7,7 @@ Endpoints for managing bot custom instructions.
 from fastapi import APIRouter, Depends
 from pydantic import BaseModel, Field
 
-from cachibot.api.auth import get_current_user
+from cachibot.api.auth import get_current_user, require_bot_access
 from cachibot.models.auth import User
 from cachibot.storage.repository import KnowledgeRepository
 
@@ -30,7 +30,7 @@ class InstructionsUpdate(BaseModel):
 @router.get("/", response_model=InstructionsResponse)
 async def get_instructions(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> InstructionsResponse:
     """Get custom instructions for a bot."""
     repo = KnowledgeRepository()
@@ -49,7 +49,7 @@ async def get_instructions(
 async def update_instructions(
     bot_id: str,
     data: InstructionsUpdate,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> InstructionsResponse:
     """Update custom instructions for a bot."""
     repo = KnowledgeRepository()
@@ -64,7 +64,7 @@ async def update_instructions(
 @router.delete("/")
 async def delete_instructions(
     bot_id: str,
-    user: User = Depends(get_current_user),
+    user: User = Depends(require_bot_access),
 ) -> dict:
     """Delete custom instructions for a bot."""
     repo = KnowledgeRepository()

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/src/cachibot/api/routes/models.py

@@ -7,9 +7,12 @@ import os
 import re
 from pathlib import Path
 
-from fastapi import APIRouter
+from fastapi import APIRouter, Depends, HTTPException
 from pydantic import BaseModel, Field
 
+from cachibot.api.auth import get_current_user
+from cachibot.models.auth import User
+
 logger = logging.getLogger("cachibot.api.models")
 router = APIRouter()
 
@@ -52,7 +55,7 @@ class DefaultModelUpdate(BaseModel):
 
 
 @router.get("/models", response_model=ModelsResponse)
-async def get_models() -> ModelsResponse:
+async def get_models(user: User = Depends(get_current_user)) -> ModelsResponse:
     """
     Get all available models from configured providers.
 
@@ -188,14 +191,17 @@ async def get_models() -> ModelsResponse:
 
 
 @router.get("/models/default", response_model=DefaultModelResponse)
-async def get_default_model() -> DefaultModelResponse:
+async def get_default_model(user: User = Depends(get_current_user)) -> DefaultModelResponse:
     """Get the current default model."""
     model = os.getenv("CACHIBOT_DEFAULT_MODEL", DEFAULT_MODEL)
     return DefaultModelResponse(model=model)
 
 
 @router.put("/models/default")
-async def set_default_model(body: DefaultModelUpdate) -> dict:
+async def set_default_model(
+    body: DefaultModelUpdate,
+    user: User = Depends(get_current_user),
+) -> dict:
     """
     Set the default model.
 
@@ -205,6 +211,10 @@ async def set_default_model(body: DefaultModelUpdate) -> dict:
     key = "CACHIBOT_DEFAULT_MODEL"
     value = body.model
 
+    # Reject values with newlines or control chars to prevent .env injection
+    if any(c in value for c in ("\n", "\r", "\0")):
+        raise HTTPException(status_code=400, detail="Invalid model ID")
+
     # Update .env file
     content = ""
     if ENV_PATH.exists():

{cachibot-0.2.5.dev1 → cachibot-0.2.6.dev1}/src/cachibot/api/routes/skills.py

@@ -84,9 +84,15 @@ async def create_skill(
         else:
             filename = "new-skill.md"
 
+    # Sanitize filename to prevent path traversal
+    base_name = filename.rsplit(".", 1)[0]
+    base_name = re.sub(r"[^a-z0-9_-]+", "-", base_name.lower()).strip("-")
+    if not base_name:
+        base_name = "new-skill"
+
     # Create in user's .claude/skills directory
     # Create skill directory with SKILL.md inside
-    skill_dir = USER_SKILLS_DIR / filename.rsplit(".", 1)[0]
+    skill_dir = USER_SKILLS_DIR / base_name
     counter = 1
     while skill_dir.exists():
         base = filename.rsplit(".", 1)[0]