PyPI - omni-cortex - Versions diffs - 1.2.0__py3-none-any.whl → 1.11.3__py3-none-any.whl - Mend

omni-cortex 1.2.0py3-none-any.whl → 1.11.3py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

{omni_cortex-1.2.0.data → omni_cortex-1.11.3.data}/data/share/omni-cortex/dashboard/backend/main.py RENAMED Viewed

@@ -3,6 +3,7 @@
 import asyncio
 import json
+import os
 import traceback
 from contextlib import asynccontextmanager
 from datetime import datetime
@@ -10,19 +11,35 @@ from pathlib import Path
 from typing import Optional
 import uvicorn
-from fastapi import FastAPI, HTTPException, Query, WebSocket, WebSocketDisconnect
+from fastapi import FastAPI, HTTPException, Query, WebSocket, WebSocketDisconnect, Request, Depends
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.staticfiles import StaticFiles
-from fastapi.responses import FileResponse
+from fastapi.responses import FileResponse, Response
+from starlette.middleware.base import BaseHTTPMiddleware
 from watchdog.events import FileSystemEventHandler
 from watchdog.observers import Observer
+# Rate limiting imports (optional - graceful degradation if not installed)
+try:
+    from slowapi import Limiter, _rate_limit_exceeded_handler
+    from slowapi.util import get_remote_address
+    from slowapi.errors import RateLimitExceeded
+    RATE_LIMITING_AVAILABLE = True
+except ImportError:
+    RATE_LIMITING_AVAILABLE = False
+    Limiter = None
 from database import (
     bulk_update_memory_status,
+    create_memory,
     delete_memory,
+    ensure_migrations,
     get_activities,
+    get_activity_detail,
     get_activity_heatmap,
     get_all_tags,
+    get_command_usage,
+    get_mcp_usage,
     get_memories,
     get_memories_needing_review,
     get_memory_by_id,
@@ -32,6 +49,7 @@ from database import (
     get_relationship_graph,
     get_relationships,
     get_sessions,
+    get_skill_usage,
     get_timeline,
     get_tool_usage,
     get_type_distribution,
@@ -40,11 +58,16 @@ from database import (
 )
 from logging_config import log_success, log_error
 from models import (
+    AggregateChatRequest,
+    AggregateMemoryRequest,
+    AggregateStatsRequest,
+    AggregateStatsResponse,
     ChatRequest,
     ChatResponse,
     ConversationSaveRequest,
     ConversationSaveResponse,
     FilterParams,
+    MemoryCreateRequest,
     MemoryUpdate,
     ProjectInfo,
     ProjectRegistration,
@@ -66,6 +89,48 @@ from project_scanner import scan_projects
 from websocket_manager import manager
 import chat_service
 from image_service import image_service, ImagePreset, SingleImageRequest
+from security import PathValidator, get_cors_config, IS_PRODUCTION
+class SecurityHeadersMiddleware(BaseHTTPMiddleware):
+    """Add security headers to all responses."""
+    async def dispatch(self, request: Request, call_next) -> Response:
+        response = await call_next(request)
+        # Prevent MIME type sniffing
+        response.headers["X-Content-Type-Options"] = "nosniff"
+        # Prevent clickjacking
+        response.headers["X-Frame-Options"] = "DENY"
+        # XSS protection (legacy browsers)
+        response.headers["X-XSS-Protection"] = "1; mode=block"
+        # Content Security Policy
+        response.headers["Content-Security-Policy"] = (
+            "default-src 'self'; "
+            "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "  # Vue needs these
+            "style-src 'self' 'unsafe-inline'; "  # Tailwind needs inline
+            "img-src 'self' data: blob: https:; "  # Allow AI-generated images
+            "connect-src 'self' ws: wss: https://generativelanguage.googleapis.com; "
+            "font-src 'self'; "
+            "frame-ancestors 'none';"
+        )
+        # HSTS (only in production with HTTPS)
+        if IS_PRODUCTION and os.getenv("SSL_CERTFILE"):
+            response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
+        return response
+def validate_project_path(project: str = Query(..., description="Path to the database file")) -> Path:
+    """Validate project database path - dependency for endpoints."""
+    try:
+        return PathValidator.validate_project_path(project)
+    except ValueError as e:
+        raise HTTPException(status_code=400, detail=str(e))
 class DatabaseChangeHandler(FileSystemEventHandler):
@@ -76,6 +141,7 @@ class DatabaseChangeHandler(FileSystemEventHandler):
         self.loop = loop
         self._debounce_task: Optional[asyncio.Task] = None
         self._last_path: Optional[str] = None
+        self._last_activity_count: dict[str, int] = {}
     def on_modified(self, event):
         if event.src_path.endswith("cortex.db") or event.src_path.endswith("global.db"):
@@ -87,9 +153,35 @@ class DatabaseChangeHandler(FileSystemEventHandler):
                 )
     async def _debounced_notify(self):
-        await asyncio.sleep(0.5)  # Wait for rapid changes to settle
+        await asyncio.sleep(0.3)  # Reduced from 0.5s for faster updates
         if self._last_path:
-            await self.ws_manager.broadcast("database_changed", {"path": self._last_path})
+            db_path = self._last_path
+            # Broadcast general database change
+            await self.ws_manager.broadcast("database_changed", {"path": db_path})
+            # Fetch and broadcast latest activities (IndyDevDan pattern)
+            try:
+                # Get recent activities
+                recent = get_activities(db_path, limit=5, offset=0)
+                if recent:
+                    # Broadcast each new activity
+                    for activity in recent:
+                        await self.ws_manager.broadcast_activity_logged(
+                            db_path,
+                            activity if isinstance(activity, dict) else activity.model_dump()
+                        )
+                    # Also broadcast session update
+                    sessions = get_recent_sessions(db_path, limit=1)
+                    if sessions:
+                        session = sessions[0]
+                        await self.ws_manager.broadcast_session_updated(
+                            db_path,
+                            session if isinstance(session, dict) else dict(session)
+                        )
+            except Exception as e:
+                print(f"[WS] Error broadcasting activities: {e}")
 # File watcher
@@ -133,13 +225,39 @@ app = FastAPI(
     lifespan=lifespan,
 )
-# CORS for frontend dev server
+# Add security headers middleware (MUST come before CORS)
+app.add_middleware(SecurityHeadersMiddleware)
+# Rate limiting (if available)
+if RATE_LIMITING_AVAILABLE:
+    limiter = Limiter(key_func=get_remote_address)
+    app.state.limiter = limiter
+    app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
+else:
+    limiter = None
+def rate_limit(limit_string: str):
+    """Decorator for conditional rate limiting.
+    Returns the actual limiter decorator if available, otherwise a no-op.
+    Usage: @rate_limit("10/minute")
+    """
+    if limiter is not None:
+        return limiter.limit(limit_string)
+    # No-op decorator when rate limiting is not available
+    def noop_decorator(func):
+        return func
+    return noop_decorator
+# CORS configuration (environment-aware)
+cors_config = get_cors_config()
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["http://localhost:5173", "http://127.0.0.1:5173"],
+    allow_origins=cors_config["allow_origins"],
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=cors_config["allow_methods"],
+    allow_headers=cors_config["allow_headers"],
 )
 # Static files for production build
@@ -234,7 +352,200 @@ async def refresh_projects():
     return {"count": len(projects)}
+# --- Aggregate Multi-Project Endpoints ---
+@app.post("/api/aggregate/memories")
+@rate_limit("50/minute")
+async def get_aggregate_memories(request: AggregateMemoryRequest):
+    """Get memories from multiple projects with project attribution."""
+    try:
+        all_memories = []
+        filters = request.filters or FilterParams()
+        for project_path in request.projects:
+            if not Path(project_path).exists():
+                continue
+            try:
+                memories = get_memories(project_path, filters)
+                # Add project attribution to each memory
+                for m in memories:
+                    m_dict = m.model_dump()
+                    m_dict['source_project'] = project_path
+                    # Extract project name from path
+                    project_dir = Path(project_path).parent
+                    m_dict['source_project_name'] = project_dir.name
+                    all_memories.append(m_dict)
+            except Exception as e:
+                log_error(f"/api/aggregate/memories (project: {project_path})", e)
+                continue
+        # Sort by last_accessed or created_at (convert to str to handle mixed tz-aware/naive)
+        all_memories.sort(
+            key=lambda x: str(x.get('last_accessed') or x.get('created_at') or ''),
+            reverse=True
+        )
+        # Apply pagination
+        start = filters.offset
+        end = start + filters.limit
+        return all_memories[start:end]
+    except Exception as e:
+        log_error("/api/aggregate/memories", e)
+        raise HTTPException(status_code=500, detail=str(e))
+@app.post("/api/aggregate/stats", response_model=AggregateStatsResponse)
+@rate_limit("50/minute")
+async def get_aggregate_stats(request: AggregateStatsRequest):
+    """Get combined statistics across multiple projects."""
+    try:
+        total_count = 0
+        total_access = 0
+        importance_sum = 0
+        by_type = {}
+        by_status = {}
+        for project_path in request.projects:
+            if not Path(project_path).exists():
+                continue
+            try:
+                stats = get_memory_stats(project_path)
+                total_count += stats.total_count
+                total_access += stats.total_access_count
+                # Weighted average for importance
+                project_count = stats.total_count
+                project_avg_importance = stats.avg_importance
+                importance_sum += project_avg_importance * project_count
+                # Aggregate by_type
+                for type_name, count in stats.by_type.items():
+                    by_type[type_name] = by_type.get(type_name, 0) + count
+                # Aggregate by_status
+                for status, count in stats.by_status.items():
+                    by_status[status] = by_status.get(status, 0) + count
+            except Exception as e:
+                log_error(f"/api/aggregate/stats (project: {project_path})", e)
+                continue
+        return AggregateStatsResponse(
+            total_count=total_count,
+            total_access_count=total_access,
+            avg_importance=round(importance_sum / total_count, 1) if total_count > 0 else 0,
+            by_type=by_type,
+            by_status=by_status,
+            project_count=len(request.projects),
+        )
+    except Exception as e:
+        log_error("/api/aggregate/stats", e)
+        raise HTTPException(status_code=500, detail=str(e))
+@app.post("/api/aggregate/tags")
+@rate_limit("50/minute")
+async def get_aggregate_tags(request: AggregateStatsRequest):
+    """Get combined tags across multiple projects."""
+    try:
+        tag_counts = {}
+        for project_path in request.projects:
+            if not Path(project_path).exists():
+                continue
+            try:
+                tags = get_all_tags(project_path)
+                for tag in tags:
+                    tag_name = tag['name']
+                    tag_counts[tag_name] = tag_counts.get(tag_name, 0) + tag['count']
+            except Exception as e:
+                log_error(f"/api/aggregate/tags (project: {project_path})", e)
+                continue
+        # Return sorted by count
+        return sorted(
+            [{'name': k, 'count': v} for k, v in tag_counts.items()],
+            key=lambda x: x['count'],
+            reverse=True
+        )
+    except Exception as e:
+        log_error("/api/aggregate/tags", e)
+        raise HTTPException(status_code=500, detail=str(e))
+@app.post("/api/aggregate/chat", response_model=ChatResponse)
+@rate_limit("10/minute")
+async def chat_across_projects(request: AggregateChatRequest):
+    """Ask AI about memories across multiple projects."""
+    try:
+        if not chat_service.is_available():
+            raise HTTPException(
+                status_code=503,
+                detail="Chat service not available. Set GEMINI_API_KEY environment variable."
+            )
+        all_sources = []
+        # Gather relevant memories from each project
+        for project_path in request.projects:
+            if not Path(project_path).exists():
+                continue
+            try:
+                memories = search_memories(
+                    project_path,
+                    request.question,
+                    limit=request.max_memories_per_project
+                )
+                for m in memories:
+                    project_dir = Path(project_path).parent
+                    source = {
+                        'id': m.id,
+                        'type': m.memory_type,
+                        'content_preview': m.content[:200],
+                        'tags': m.tags,
+                        'project_path': project_path,
+                        'project_name': project_dir.name,
+                    }
+                    all_sources.append(source)
+            except Exception as e:
+                log_error(f"/api/aggregate/chat (project: {project_path})", e)
+                continue
+        if not all_sources:
+            return ChatResponse(
+                answer="No relevant memories found across the selected projects.",
+                sources=[],
+            )
+        # Build context with project attribution
+        context = "\n\n".join([
+            f"[From: {s['project_name']}] {s['content_preview']}"
+            for s in all_sources
+        ])
+        # Query AI with attributed context
+        answer = await chat_service.generate_response(request.question, context)
+        log_success("/api/aggregate/chat", projects=len(request.projects), sources=len(all_sources))
+        return ChatResponse(
+            answer=answer,
+            sources=[ChatSource(**s) for s in all_sources],
+        )
+    except HTTPException:
+        raise
+    except Exception as e:
+        log_error("/api/aggregate/chat", e)
+        raise HTTPException(status_code=500, detail=str(e))
 @app.get("/api/memories")
+@rate_limit("100/minute")
 async def list_memories(
     project: str = Query(..., description="Path to the database file"),
     memory_type: Optional[str] = Query(None, alias="type"),
@@ -275,6 +586,46 @@ async def list_memories(
         raise
+@app.post("/api/memories")
+@rate_limit("30/minute")
+async def create_memory_endpoint(
+    request: MemoryCreateRequest,
+    project: str = Query(..., description="Path to the database file"),
+):
+    """Create a new memory."""
+    try:
+        if not Path(project).exists():
+            log_error("/api/memories POST", FileNotFoundError("Database not found"), project=project)
+            raise HTTPException(status_code=404, detail="Database not found")
+        # Create the memory
+        memory_id = create_memory(
+            db_path=project,
+            content=request.content,
+            memory_type=request.memory_type,
+            context=request.context,
+            tags=request.tags if request.tags else None,
+            importance_score=request.importance_score,
+        )
+        # Fetch the created memory to return it
+        created_memory = get_memory_by_id(project, memory_id)
+        # Broadcast to WebSocket clients
+        await manager.broadcast("memory_created", created_memory.model_dump(by_alias=True))
+        log_success("/api/memories POST", memory_id=memory_id, type=request.memory_type)
+        return created_memory
+    except HTTPException:
+        raise
+    except Exception as e:
+        import traceback
+        print(f"[DEBUG] create_memory_endpoint error: {type(e).__name__}: {e}")
+        traceback.print_exc()
+        log_error("/api/memories POST", e, project=project)
+        raise
 # NOTE: These routes MUST be defined before /api/memories/{memory_id} to avoid path conflicts
 @app.get("/api/memories/needs-review")
 async def get_memories_needing_review_endpoint(
@@ -417,6 +768,9 @@ async def list_activities(
     if not Path(project).exists():
         raise HTTPException(status_code=404, detail="Database not found")
+    # Ensure migrations are applied (adds summary columns if missing)
+    ensure_migrations(project)
     return get_activities(project, event_type, tool_name, limit, offset)
@@ -507,6 +861,86 @@ async def get_memory_growth_endpoint(
     return get_memory_growth(project, days)
+# --- Command Analytics Endpoints ---
+@app.get("/api/stats/command-usage")
+async def get_command_usage_endpoint(
+    project: str = Query(..., description="Path to the database file"),
+    scope: Optional[str] = Query(None, description="Filter by scope: 'universal' or 'project'"),
+    days: int = Query(30, ge=1, le=365),
+):
+    """Get slash command usage statistics."""
+    if not Path(project).exists():
+        raise HTTPException(status_code=404, detail="Database not found")
+    return get_command_usage(project, scope, days)
+@app.get("/api/stats/skill-usage")
+async def get_skill_usage_endpoint(
+    project: str = Query(..., description="Path to the database file"),
+    scope: Optional[str] = Query(None, description="Filter by scope: 'universal' or 'project'"),
+    days: int = Query(30, ge=1, le=365),
+):
+    """Get skill usage statistics."""
+    if not Path(project).exists():
+        raise HTTPException(status_code=404, detail="Database not found")
+    return get_skill_usage(project, scope, days)
+@app.get("/api/stats/mcp-usage")
+async def get_mcp_usage_endpoint(
+    project: str = Query(..., description="Path to the database file"),
+    days: int = Query(30, ge=1, le=365),
+):
+    """Get MCP server usage statistics."""
+    if not Path(project).exists():
+        raise HTTPException(status_code=404, detail="Database not found")
+    return get_mcp_usage(project, days)
+@app.get("/api/activities/{activity_id}")
+async def get_activity_detail_endpoint(
+    activity_id: str,
+    project: str = Query(..., description="Path to the database file"),
+):
+    """Get full activity details including complete input/output."""
+    if not Path(project).exists():
+        raise HTTPException(status_code=404, detail="Database not found")
+    # Ensure migrations are applied
+    ensure_migrations(project)
+    activity = get_activity_detail(project, activity_id)
+    if not activity:
+        raise HTTPException(status_code=404, detail="Activity not found")
+    return activity
+@app.post("/api/activities/backfill-summaries")
+async def backfill_activity_summaries_endpoint(
+    project: str = Query(..., description="Path to the database file"),
+):
+    """Generate summaries for existing activities that don't have them."""
+    if not Path(project).exists():
+        raise HTTPException(status_code=404, detail="Database not found")
+    try:
+        from backfill_summaries import backfill_all
+        results = backfill_all(project)
+        return {
+            "success": True,
+            "summaries_updated": results["summaries"],
+            "mcp_servers_updated": results["mcp_servers"],
+        }
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"Backfill failed: {str(e)}")
 # --- Session Context Endpoints ---
@@ -563,6 +997,7 @@ async def chat_status():
 @app.post("/api/chat", response_model=ChatResponse)
+@rate_limit("10/minute")
 async def chat_with_memories(
     request: ChatRequest,
     project: str = Query(..., description="Path to the database file"),
@@ -589,6 +1024,7 @@ async def chat_with_memories(
 @app.get("/api/chat/stream")
+@rate_limit("10/minute")
 async def stream_chat(
     project: str = Query(..., description="Path to the database file"),
     question: str = Query(..., description="The question to ask"),
@@ -665,6 +1101,7 @@ async def get_image_presets():
 @app.post("/api/image/generate-batch", response_model=BatchImageGenerationResponse)
+@rate_limit("5/minute")
 async def generate_images_batch(
     request: BatchImageGenerationRequest,
     db_path: str = Query(..., alias="project", description="Path to the database file"),
@@ -722,6 +1159,7 @@ async def generate_images_batch(
 @app.post("/api/image/refine", response_model=SingleImageResponseModel)
+@rate_limit("5/minute")
 async def refine_image(request: ImageRefineRequest):
     """Refine an existing generated image with a new prompt."""
     result = await image_service.refine_image(
@@ -910,15 +1348,15 @@ async def serve_root():
 @app.get("/{path:path}")
 async def serve_spa(path: str):
-    """Catch-all route to serve SPA for client-side routing."""
+    """Catch-all route to serve SPA for client-side routing with path traversal protection."""
     # Skip API routes and known paths
     if path.startswith(("api/", "ws", "health", "docs", "openapi", "redoc")):
         raise HTTPException(status_code=404, detail="Not found")
-    # Check if it's a static file
-    file_path = DIST_DIR / path
-    if file_path.exists() and file_path.is_file():
-        return FileResponse(str(file_path))
+    # Check if it's a static file (with path traversal protection)
+    safe_path = PathValidator.is_safe_static_path(DIST_DIR, path)
+    if safe_path:
+        return FileResponse(str(safe_path))
     # Otherwise serve index.html for SPA routing
     index_file = DIST_DIR / "index.html"

omni-cortex 1.2.0__py3-none-any.whl → 1.11.3__py3-none-any.whl

omni-cortex 1.2.0py3-none-any.whl → 1.11.3py3-none-any.whl