omni-cortex 1.3.0__py3-none-any.whl → 1.11.3__py3-none-any.whl

{omni_cortex-1.3.0.data → omni_cortex-1.11.3.data}/data/share/omni-cortex/dashboard/backend/main.py

@@ -3,6 +3,7 @@
 
 import asyncio
 import json
+import os
 import traceback
 from contextlib import asynccontextmanager
 from datetime import datetime
@@ -10,16 +11,29 @@ from pathlib import Path
 from typing import Optional
 
 import uvicorn
-from fastapi import FastAPI, HTTPException, Query, WebSocket, WebSocketDisconnect
+from fastapi import FastAPI, HTTPException, Query, WebSocket, WebSocketDisconnect, Request, Depends
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.staticfiles import StaticFiles
-from fastapi.responses import FileResponse
+from fastapi.responses import FileResponse, Response
+from starlette.middleware.base import BaseHTTPMiddleware
 from watchdog.events import FileSystemEventHandler
 from watchdog.observers import Observer
 
+# Rate limiting imports (optional - graceful degradation if not installed)
+try:
+    from slowapi import Limiter, _rate_limit_exceeded_handler
+    from slowapi.util import get_remote_address
+    from slowapi.errors import RateLimitExceeded
+    RATE_LIMITING_AVAILABLE = True
+except ImportError:
+    RATE_LIMITING_AVAILABLE = False
+    Limiter = None
+
 from database import (
     bulk_update_memory_status,
+    create_memory,
     delete_memory,
+    ensure_migrations,
     get_activities,
     get_activity_detail,
     get_activity_heatmap,
@@ -44,11 +58,16 @@ from database import (
 )
 from logging_config import log_success, log_error
 from models import (
+    AggregateChatRequest,
+    AggregateMemoryRequest,
+    AggregateStatsRequest,
+    AggregateStatsResponse,
     ChatRequest,
     ChatResponse,
     ConversationSaveRequest,
     ConversationSaveResponse,
     FilterParams,
+    MemoryCreateRequest,
     MemoryUpdate,
     ProjectInfo,
     ProjectRegistration,
@@ -70,6 +89,48 @@ from project_scanner import scan_projects
 from websocket_manager import manager
 import chat_service
 from image_service import image_service, ImagePreset, SingleImageRequest
+from security import PathValidator, get_cors_config, IS_PRODUCTION
+
+
+class SecurityHeadersMiddleware(BaseHTTPMiddleware):
+    """Add security headers to all responses."""
+
+    async def dispatch(self, request: Request, call_next) -> Response:
+        response = await call_next(request)
+
+        # Prevent MIME type sniffing
+        response.headers["X-Content-Type-Options"] = "nosniff"
+
+        # Prevent clickjacking
+        response.headers["X-Frame-Options"] = "DENY"
+
+        # XSS protection (legacy browsers)
+        response.headers["X-XSS-Protection"] = "1; mode=block"
+
+        # Content Security Policy
+        response.headers["Content-Security-Policy"] = (
+            "default-src 'self'; "
+            "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "  # Vue needs these
+            "style-src 'self' 'unsafe-inline'; "  # Tailwind needs inline
+            "img-src 'self' data: blob: https:; "  # Allow AI-generated images
+            "connect-src 'self' ws: wss: https://generativelanguage.googleapis.com; "
+            "font-src 'self'; "
+            "frame-ancestors 'none';"
+        )
+
+        # HSTS (only in production with HTTPS)
+        if IS_PRODUCTION and os.getenv("SSL_CERTFILE"):
+            response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
+
+        return response
+
+
+def validate_project_path(project: str = Query(..., description="Path to the database file")) -> Path:
+    """Validate project database path - dependency for endpoints."""
+    try:
+        return PathValidator.validate_project_path(project)
+    except ValueError as e:
+        raise HTTPException(status_code=400, detail=str(e))
 
 
 class DatabaseChangeHandler(FileSystemEventHandler):
@@ -80,6 +141,7 @@ class DatabaseChangeHandler(FileSystemEventHandler):
         self.loop = loop
         self._debounce_task: Optional[asyncio.Task] = None
         self._last_path: Optional[str] = None
+        self._last_activity_count: dict[str, int] = {}
 
     def on_modified(self, event):
         if event.src_path.endswith("cortex.db") or event.src_path.endswith("global.db"):
@@ -91,9 +153,35 @@ class DatabaseChangeHandler(FileSystemEventHandler):
                 )
 
     async def _debounced_notify(self):
-        await asyncio.sleep(0.5)  # Wait for rapid changes to settle
+        await asyncio.sleep(0.3)  # Reduced from 0.5s for faster updates
         if self._last_path:
-            await self.ws_manager.broadcast("database_changed", {"path": self._last_path})
+            db_path = self._last_path
+
+            # Broadcast general database change
+            await self.ws_manager.broadcast("database_changed", {"path": db_path})
+
+            # Fetch and broadcast latest activities (IndyDevDan pattern)
+            try:
+                # Get recent activities
+                recent = get_activities(db_path, limit=5, offset=0)
+                if recent:
+                    # Broadcast each new activity
+                    for activity in recent:
+                        await self.ws_manager.broadcast_activity_logged(
+                            db_path,
+                            activity if isinstance(activity, dict) else activity.model_dump()
+                        )
+
+                    # Also broadcast session update
+                    sessions = get_recent_sessions(db_path, limit=1)
+                    if sessions:
+                        session = sessions[0]
+                        await self.ws_manager.broadcast_session_updated(
+                            db_path,
+                            session if isinstance(session, dict) else dict(session)
+                        )
+            except Exception as e:
+                print(f"[WS] Error broadcasting activities: {e}")
 
 
 # File watcher
@@ -137,13 +225,39 @@ app = FastAPI(
     lifespan=lifespan,
 )
 
-# CORS for frontend dev server
+# Add security headers middleware (MUST come before CORS)
+app.add_middleware(SecurityHeadersMiddleware)
+
+# Rate limiting (if available)
+if RATE_LIMITING_AVAILABLE:
+    limiter = Limiter(key_func=get_remote_address)
+    app.state.limiter = limiter
+    app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
+else:
+    limiter = None
+
+
+def rate_limit(limit_string: str):
+    """Decorator for conditional rate limiting.
+
+    Returns the actual limiter decorator if available, otherwise a no-op.
+    Usage: @rate_limit("10/minute")
+    """
+    if limiter is not None:
+        return limiter.limit(limit_string)
+    # No-op decorator when rate limiting is not available
+    def noop_decorator(func):
+        return func
+    return noop_decorator
+
+# CORS configuration (environment-aware)
+cors_config = get_cors_config()
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["http://localhost:5173", "http://127.0.0.1:5173"],
+    allow_origins=cors_config["allow_origins"],
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=cors_config["allow_methods"],
+    allow_headers=cors_config["allow_headers"],
 )
 
 # Static files for production build
@@ -238,7 +352,200 @@ async def refresh_projects():
     return {"count": len(projects)}
 
 
+# --- Aggregate Multi-Project Endpoints ---
+
+
+@app.post("/api/aggregate/memories")
+@rate_limit("50/minute")
+async def get_aggregate_memories(request: AggregateMemoryRequest):
+    """Get memories from multiple projects with project attribution."""
+    try:
+        all_memories = []
+        filters = request.filters or FilterParams()
+
+        for project_path in request.projects:
+            if not Path(project_path).exists():
+                continue
+
+            try:
+                memories = get_memories(project_path, filters)
+                # Add project attribution to each memory
+                for m in memories:
+                    m_dict = m.model_dump()
+                    m_dict['source_project'] = project_path
+                    # Extract project name from path
+                    project_dir = Path(project_path).parent
+                    m_dict['source_project_name'] = project_dir.name
+                    all_memories.append(m_dict)
+            except Exception as e:
+                log_error(f"/api/aggregate/memories (project: {project_path})", e)
+                continue
+
+        # Sort by last_accessed or created_at (convert to str to handle mixed tz-aware/naive)
+        all_memories.sort(
+            key=lambda x: str(x.get('last_accessed') or x.get('created_at') or ''),
+            reverse=True
+        )
+
+        # Apply pagination
+        start = filters.offset
+        end = start + filters.limit
+        return all_memories[start:end]
+    except Exception as e:
+        log_error("/api/aggregate/memories", e)
+        raise HTTPException(status_code=500, detail=str(e))
+
+
+@app.post("/api/aggregate/stats", response_model=AggregateStatsResponse)
+@rate_limit("50/minute")
+async def get_aggregate_stats(request: AggregateStatsRequest):
+    """Get combined statistics across multiple projects."""
+    try:
+        total_count = 0
+        total_access = 0
+        importance_sum = 0
+        by_type = {}
+        by_status = {}
+
+        for project_path in request.projects:
+            if not Path(project_path).exists():
+                continue
+
+            try:
+                stats = get_memory_stats(project_path)
+                total_count += stats.total_count
+                total_access += stats.total_access_count
+
+                # Weighted average for importance
+                project_count = stats.total_count
+                project_avg_importance = stats.avg_importance
+                importance_sum += project_avg_importance * project_count
+
+                # Aggregate by_type
+                for type_name, count in stats.by_type.items():
+                    by_type[type_name] = by_type.get(type_name, 0) + count
+
+                # Aggregate by_status
+                for status, count in stats.by_status.items():
+                    by_status[status] = by_status.get(status, 0) + count
+            except Exception as e:
+                log_error(f"/api/aggregate/stats (project: {project_path})", e)
+                continue
+
+        return AggregateStatsResponse(
+            total_count=total_count,
+            total_access_count=total_access,
+            avg_importance=round(importance_sum / total_count, 1) if total_count > 0 else 0,
+            by_type=by_type,
+            by_status=by_status,
+            project_count=len(request.projects),
+        )
+    except Exception as e:
+        log_error("/api/aggregate/stats", e)
+        raise HTTPException(status_code=500, detail=str(e))
+
+
+@app.post("/api/aggregate/tags")
+@rate_limit("50/minute")
+async def get_aggregate_tags(request: AggregateStatsRequest):
+    """Get combined tags across multiple projects."""
+    try:
+        tag_counts = {}
+
+        for project_path in request.projects:
+            if not Path(project_path).exists():
+                continue
+
+            try:
+                tags = get_all_tags(project_path)
+                for tag in tags:
+                    tag_name = tag['name']
+                    tag_counts[tag_name] = tag_counts.get(tag_name, 0) + tag['count']
+            except Exception as e:
+                log_error(f"/api/aggregate/tags (project: {project_path})", e)
+                continue
+
+        # Return sorted by count
+        return sorted(
+            [{'name': k, 'count': v} for k, v in tag_counts.items()],
+            key=lambda x: x['count'],
+            reverse=True
+        )
+    except Exception as e:
+        log_error("/api/aggregate/tags", e)
+        raise HTTPException(status_code=500, detail=str(e))
+
+
+@app.post("/api/aggregate/chat", response_model=ChatResponse)
+@rate_limit("10/minute")
+async def chat_across_projects(request: AggregateChatRequest):
+    """Ask AI about memories across multiple projects."""
+    try:
+        if not chat_service.is_available():
+            raise HTTPException(
+                status_code=503,
+                detail="Chat service not available. Set GEMINI_API_KEY environment variable."
+            )
+
+        all_sources = []
+
+        # Gather relevant memories from each project
+        for project_path in request.projects:
+            if not Path(project_path).exists():
+                continue
+
+            try:
+                memories = search_memories(
+                    project_path,
+                    request.question,
+                    limit=request.max_memories_per_project
+                )
+
+                for m in memories:
+                    project_dir = Path(project_path).parent
+                    source = {
+                        'id': m.id,
+                        'type': m.memory_type,
+                        'content_preview': m.content[:200],
+                        'tags': m.tags,
+                        'project_path': project_path,
+                        'project_name': project_dir.name,
+                    }
+                    all_sources.append(source)
+            except Exception as e:
+                log_error(f"/api/aggregate/chat (project: {project_path})", e)
+                continue
+
+        if not all_sources:
+            return ChatResponse(
+                answer="No relevant memories found across the selected projects.",
+                sources=[],
+            )
+
+        # Build context with project attribution
+        context = "\n\n".join([
+            f"[From: {s['project_name']}] {s['content_preview']}"
+            for s in all_sources
+        ])
+
+        # Query AI with attributed context
+        answer = await chat_service.generate_response(request.question, context)
+
+        log_success("/api/aggregate/chat", projects=len(request.projects), sources=len(all_sources))
+
+        return ChatResponse(
+            answer=answer,
+            sources=[ChatSource(**s) for s in all_sources],
+        )
+    except HTTPException:
+        raise
+    except Exception as e:
+        log_error("/api/aggregate/chat", e)
+        raise HTTPException(status_code=500, detail=str(e))
+
+
 @app.get("/api/memories")
+@rate_limit("100/minute")
 async def list_memories(
     project: str = Query(..., description="Path to the database file"),
     memory_type: Optional[str] = Query(None, alias="type"),
@@ -279,6 +586,46 @@ async def list_memories(
         raise
 
 
+@app.post("/api/memories")
+@rate_limit("30/minute")
+async def create_memory_endpoint(
+    request: MemoryCreateRequest,
+    project: str = Query(..., description="Path to the database file"),
+):
+    """Create a new memory."""
+    try:
+        if not Path(project).exists():
+            log_error("/api/memories POST", FileNotFoundError("Database not found"), project=project)
+            raise HTTPException(status_code=404, detail="Database not found")
+
+        # Create the memory
+        memory_id = create_memory(
+            db_path=project,
+            content=request.content,
+            memory_type=request.memory_type,
+            context=request.context,
+            tags=request.tags if request.tags else None,
+            importance_score=request.importance_score,
+        )
+
+        # Fetch the created memory to return it
+        created_memory = get_memory_by_id(project, memory_id)
+
+        # Broadcast to WebSocket clients
+        await manager.broadcast("memory_created", created_memory.model_dump(by_alias=True))
+
+        log_success("/api/memories POST", memory_id=memory_id, type=request.memory_type)
+        return created_memory
+    except HTTPException:
+        raise
+    except Exception as e:
+        import traceback
+        print(f"[DEBUG] create_memory_endpoint error: {type(e).__name__}: {e}")
+        traceback.print_exc()
+        log_error("/api/memories POST", e, project=project)
+        raise
+
+
 # NOTE: These routes MUST be defined before /api/memories/{memory_id} to avoid path conflicts
 @app.get("/api/memories/needs-review")
 async def get_memories_needing_review_endpoint(
@@ -421,6 +768,9 @@ async def list_activities(
     if not Path(project).exists():
         raise HTTPException(status_code=404, detail="Database not found")
 
+    # Ensure migrations are applied (adds summary columns if missing)
+    ensure_migrations(project)
+
     return get_activities(project, event_type, tool_name, limit, offset)
 
 
@@ -561,6 +911,9 @@ async def get_activity_detail_endpoint(
     if not Path(project).exists():
         raise HTTPException(status_code=404, detail="Database not found")
 
+    # Ensure migrations are applied
+    ensure_migrations(project)
+
     activity = get_activity_detail(project, activity_id)
     if not activity:
         raise HTTPException(status_code=404, detail="Activity not found")
@@ -568,6 +921,26 @@ async def get_activity_detail_endpoint(
     return activity
 
 
+@app.post("/api/activities/backfill-summaries")
+async def backfill_activity_summaries_endpoint(
+    project: str = Query(..., description="Path to the database file"),
+):
+    """Generate summaries for existing activities that don't have them."""
+    if not Path(project).exists():
+        raise HTTPException(status_code=404, detail="Database not found")
+
+    try:
+        from backfill_summaries import backfill_all
+        results = backfill_all(project)
+        return {
+            "success": True,
+            "summaries_updated": results["summaries"],
+            "mcp_servers_updated": results["mcp_servers"],
+        }
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"Backfill failed: {str(e)}")
+
+
 # --- Session Context Endpoints ---
 
 
@@ -624,6 +997,7 @@ async def chat_status():
 
 
 @app.post("/api/chat", response_model=ChatResponse)
+@rate_limit("10/minute")
 async def chat_with_memories(
     request: ChatRequest,
     project: str = Query(..., description="Path to the database file"),
@@ -650,6 +1024,7 @@ async def chat_with_memories(
 
 
 @app.get("/api/chat/stream")
+@rate_limit("10/minute")
 async def stream_chat(
     project: str = Query(..., description="Path to the database file"),
     question: str = Query(..., description="The question to ask"),
@@ -726,6 +1101,7 @@ async def get_image_presets():
 
 
 @app.post("/api/image/generate-batch", response_model=BatchImageGenerationResponse)
+@rate_limit("5/minute")
 async def generate_images_batch(
     request: BatchImageGenerationRequest,
     db_path: str = Query(..., alias="project", description="Path to the database file"),
@@ -783,6 +1159,7 @@ async def generate_images_batch(
 
 
 @app.post("/api/image/refine", response_model=SingleImageResponseModel)
+@rate_limit("5/minute")
 async def refine_image(request: ImageRefineRequest):
     """Refine an existing generated image with a new prompt."""
     result = await image_service.refine_image(
@@ -971,15 +1348,15 @@ async def serve_root():
 
 @app.get("/{path:path}")
 async def serve_spa(path: str):
-    """Catch-all route to serve SPA for client-side routing."""
+    """Catch-all route to serve SPA for client-side routing with path traversal protection."""
     # Skip API routes and known paths
     if path.startswith(("api/", "ws", "health", "docs", "openapi", "redoc")):
         raise HTTPException(status_code=404, detail="Not found")
 
-    # Check if it's a static file
-    file_path = DIST_DIR / path
-    if file_path.exists() and file_path.is_file():
-        return FileResponse(str(file_path))
+    # Check if it's a static file (with path traversal protection)
+    safe_path = PathValidator.is_safe_static_path(DIST_DIR, path)
+    if safe_path:
+        return FileResponse(str(safe_path))
 
     # Otherwise serve index.html for SPA routing
     index_file = DIST_DIR / "index.html"

{omni_cortex-1.3.0.data → omni_cortex-1.11.3.data}/data/share/omni-cortex/dashboard/backend/models.py

@@ -70,6 +70,53 @@ class MemoryStats(BaseModel):
     tags: list[dict[str, int | str]]
 
 
+class FilterParams(BaseModel):
+    """Query filter parameters."""
+
+    memory_type: Optional[str] = None
+    status: Optional[str] = None
+    tags: Optional[list[str]] = None
+    search: Optional[str] = None
+    min_importance: Optional[int] = None
+    max_importance: Optional[int] = None
+    sort_by: str = "last_accessed"
+    sort_order: str = "desc"
+    limit: int = 50
+    offset: int = 0
+
+
+class AggregateMemoryRequest(BaseModel):
+    """Request for aggregate memory data across projects."""
+
+    projects: list[str] = Field(..., description="List of project db paths")
+    filters: Optional[FilterParams] = None
+
+
+class AggregateStatsRequest(BaseModel):
+    """Request for aggregate statistics."""
+
+    projects: list[str] = Field(..., description="List of project db paths")
+
+
+class AggregateStatsResponse(BaseModel):
+    """Aggregate statistics across multiple projects."""
+
+    total_count: int
+    total_access_count: int
+    avg_importance: float
+    by_type: dict[str, int]
+    by_status: dict[str, int]
+    project_count: int
+
+
+class AggregateChatRequest(BaseModel):
+    """Request for chat across multiple projects."""
+
+    projects: list[str] = Field(..., description="List of project db paths")
+    question: str = Field(..., min_length=1, max_length=2000)
+    max_memories_per_project: int = Field(default=5, ge=1, le=20)
+
+
 class Activity(BaseModel):
     """Activity log record."""
 
@@ -84,6 +131,14 @@ class Activity(BaseModel):
     duration_ms: Optional[int] = None
     file_path: Optional[str] = None
     timestamp: datetime
+    # Command analytics fields
+    command_name: Optional[str] = None
+    command_scope: Optional[str] = None
+    mcp_server: Optional[str] = None
+    skill_name: Optional[str] = None
+    # Natural language summary fields
+    summary: Optional[str] = None
+    summary_detail: Optional[str] = None
 
 
 class Session(BaseModel):
@@ -105,19 +160,14 @@ class TimelineEntry(BaseModel):
     data: dict
 
 
-class FilterParams(BaseModel):
-    """Query filter parameters."""
+class MemoryCreateRequest(BaseModel):
+    """Create request for a new memory."""
 
-    memory_type: Optional[str] = None
-    status: Optional[str] = None
-    tags: Optional[list[str]] = None
-    search: Optional[str] = None
-    min_importance: Optional[int] = None
-    max_importance: Optional[int] = None
-    sort_by: str = "last_accessed"
-    sort_order: str = "desc"
-    limit: int = 50
-    offset: int = 0
+    content: str = Field(..., min_length=1, max_length=50000)
+    memory_type: str = Field(default="general")
+    context: Optional[str] = None
+    importance_score: int = Field(default=50, ge=1, le=100)
+    tags: list[str] = Field(default_factory=list)
 
 
 class MemoryUpdate(BaseModel):
@@ -155,6 +205,8 @@ class ChatSource(BaseModel):
     type: str
     content_preview: str
     tags: list[str]
+    project_path: Optional[str] = None
+    project_name: Optional[str] = None
 
 
 class ChatResponse(BaseModel):