chore(deps): bump fastmcp from 3.2.0 to 3.2.4 #543
Merged
Bumps [fastmcp](https://github.com/PrefectHQ/fastmcp) from 3.2.0 to 3.2.4.
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.2.0...v3.2.4)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Code Review (completed): ✅ Code review complete. No issues found - all changes look good! ✅ Workflow completed successfully.
Dependency Review: the following issues were found:
- License issues: uv.lock
gkorland added a commit that referenced this pull request on Apr 21, 2026:
* fix: update @falkordb/canvas version to 0.0.34 in package.json and package-lock.json
* fix: update @falkordb/canvas version to 0.0.35 in package.json and package-lock.json
* fix: update @falkordb/canvas version to 0.0.36 in package.json and package-lock.json
* Initial plan
* Fix flaky Playwright e2e tests for database connection verification
  - Add waitForGraphPresent() polling helper to apiCalls.ts to retry getGraphs() until expected graph appears instead of one-shot calls
  - Add connectDatabaseWithRetry() helper to retry streaming connection on transient errors with diagnostic logging
  - Enhance parseStreamingResponse() to log error message details
  - Update all database.spec.ts tests to use scoped test.setTimeout(120000/180000)
  - Increase waitForDatabaseConnection timeout to 90s in all DB connection tests
  - Replace bare getGraphs() calls with waitForGraphPresent() polling
  - Add console.log diagnostics throughout for easier CI debugging

  Co-authored-by: gkorland <[email protected]>
* Bump playwright from 1.57.0 to 1.58.0

  Bumps [playwright](https://github.com/microsoft/playwright-python) from 1.57.0 to 1.58.0.
  - [Release notes](https://github.com/microsoft/playwright-python/releases)
  - [Commits](https://github.com/microsoft/playwright-python/compare/v1.57.0...v1.58.0)

  ---
  updated-dependencies:
  - dependency-name: playwright
    dependency-version: 1.58.0
    dependency-type: direct:development
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
* Address review feedback: try/catch in retry, finalMessage guards, specific DB predicates, polling for deletion
  - connectDatabaseWithRetry: wrap per-attempt logic in try/catch so network/parse exceptions don't abort retries; log with attempt# via console.error; backoff delay behaviour unchanged
  - Add expect(messages.length).toBeGreaterThan(0) guard before accessing finalMessage in all 4 caller blocks (PostgreSQL API, MySQL API, PostgreSQL delete, MySQL delete)
  - Fix UI-to-API test predicates from generic 'graphs.length > 0' to 'testdb'/'_testdb' match, avoiding false positives on pre-existing graphs
  - Replace wait(1000)+getGraphs() in both delete tests with waitForGraphPresent polling until the deleted graphId is absent

  Co-authored-by: gkorland <[email protected]>
* Rename waitForGraphPresent to waitForGraphs; make database tests serial
  - Rename waitForGraphPresent -> waitForGraphs in apiCalls.ts (more neutral name since it's used for both presence and absence checks)
  - Update all 10 call sites in database.spec.ts accordingly
  - Change outer test.describe -> test.describe.serial to prevent cross-test interference on local multi-worker runs (CI is already single-worker via workers: CI ? 1 : undefined in playwright.config.ts)

  Co-authored-by: gkorland <[email protected]>
* Tighten testdb_delete predicate: use === / endsWith instead of includes

  Replace id.includes('testdb_delete') with id === 'testdb_delete' || id.endsWith('_testdb_delete') in both delete test predicates and find() calls so only the exact graph forms ('testdb_delete' or '{userId}_testdb_delete') match, preventing accidental matches on unrelated graph names.

  Co-authored-by: gkorland <[email protected]>
* Bump fastapi, uvicorn, litellm, playwright, and globals (#439)

  Update dependency versions:
  - fastapi: ~=0.131.0 → ~=0.133.0
  - uvicorn: ~=0.40.0 → ~=0.41.0
  - litellm: ~=1.80.9 → ~=1.81.15
  - playwright: ~=1.57.0 → ~=1.58.0
  - globals (npm): ^15.15.0 → ^17.3.0

  Co-authored-by: Copilot <[email protected]>
* fix: update @falkordb/canvas version to 0.0.40 in package.json and package-lock.json
* fix: update @falkordb/canvas version to 1.51.1 in package-lock.json
* Fix SPA catch-all route not serving index.html (#433)
* Return generic 400 for RequestValidationError instead of Pydantic details

  Add a global RequestValidationError exception handler that returns {"detail": "Bad request"} with status 400, preventing internal Pydantic validation details from leaking to clients. This primarily affects the SPA catch-all proxy route when accessed without the expected path parameter.

  Co-authored-by: Copilot <[email protected]>
* Scope validation handler to SPA catch-all, add logging, fix tests

  Address PR review feedback:
  - Scope the generic 400 handler to only the SPA catch-all route (query._full_path errors) so API consumers still get useful 422 responses with field-level detail
  - Add logging.warning of validation details for server-side debugging
  - Make test assertions unconditional instead of guarding behind status-code checks
  - Add test verifying API routes preserve 422 with field-level info

  Co-authored-by: Copilot <[email protected]>
* Fix SPA catch-all route parameter name mismatch

  The function parameter `_full_path` didn't match the URL template `{full_path:path}`, causing FastAPI to treat it as a required query parameter and return 422 for every non-API route.

  Co-Authored-By: Claude Opus 4.6 <[email protected]>
* Remove validation error handler workaround

  The handler was masking a parameter name mismatch in the catch-all route. Now that the root cause is fixed, the handler, its import, pylint suppression, and test file are no longer needed.

  Co-Authored-By: Claude Opus 4.6 <[email protected]>
* Suppress pylint unused-argument for catch-all route parameter

  The parameter name must match the URL template to avoid validation errors, but the function body doesn't use it.

  Co-Authored-By: Claude Opus 4.6 <[email protected]>

  --------
  Co-authored-by: Copilot <[email protected]>
  Co-authored-by: Claude Opus 4.6 <[email protected]>
* Fix: Add CSRF protection via double-submit cookie pattern (#432)
* Add CSRF protection via double-submit cookie pattern

  Add CSRFMiddleware to protect all state-changing endpoints (POST, PUT, DELETE, PATCH) against cross-site request forgery attacks.

  Backend:
  - New CSRFMiddleware in app_factory.py sets a csrf_token cookie (non-HttpOnly, readable by JS) on every response
  - State-changing requests must echo the token via X-CSRF-Token header
  - Uses hmac.compare_digest for timing-safe validation
  - Exempts Bearer token auth (not CSRF-vulnerable), login/signup/OAuth flows, and MCP endpoints

  Frontend:
  - New app/src/lib/csrf.ts utility reads the cookie and builds headers
  - All service files (auth, tokens, database, chat) now include the X-CSRF-Token header on every state-changing fetch call

  Fixes:
  - CSRF on POST /tokens/generate (API token hijack)
  - CSRF on POST /logout (forced session termination)
  - Missing CSRF protection on all other mutating endpoints

  Co-authored-by: Copilot <[email protected]>
* Address PR review feedback on CSRF protection
  - Set CSRF cookie on 403 rejection responses so clients can retry
  - Add max_age (14 days) to CSRF cookie matching session cookie lifetime
  - Guard document access in csrf.ts for SSR/Node compatibility
  - Add console.warn when CSRF cookie is missing for easier debugging
  - Add comment clarifying MCP exempt prefix pattern
  - Add comprehensive unit tests for CSRF middleware (12 test cases)

  Co-authored-by: Copilot <[email protected]>
* Fix E2E tests: seed CSRF token in API request helpers

  The E2E API helpers (postRequest, deleteRequest, patchRequest) now make a lightweight GET to /auth-status first to obtain the csrf_token cookie, then include it as X-CSRF-Token header on the actual request. This ensures E2E tests pass with the new CSRF middleware.

  Co-authored-by: Copilot <[email protected]>
* Address PR #432 review: fix missing CSRF headers and improvements
  - Add csrfHeaders() to POST /graphs/{id}/refresh in Index.tsx
  - Add csrfHeaders() to POST /database in DatabaseModal.tsx
  - Refactor CSRFMiddleware.dispatch() to single return path
  - Change console.warn to console.debug in csrf.ts
  - Cache CSRF token per APIRequestContext in E2E helpers
  - Add DELETE/PATCH and secure-flag tests

  Co-authored-by: Copilot <[email protected]>

  --------
  Co-authored-by: Copilot <[email protected]>
* Update @falkordb/canvas version to v0.0.40 (#440)
* fix: update @falkordb/canvas version to 0.0.34 in package.json and package-lock.json
* fix: update @falkordb/canvas version to 0.0.35 in package.json and package-lock.json
* fix: update @falkordb/canvas version to 0.0.36 in package.json and package-lock.json
* fix: update @falkordb/canvas version to 0.0.40 in package.json and package-lock.json
* fix: update @falkordb/canvas version to 1.51.1 in package-lock.json

  --------
  Co-authored-by: Guy Korland <[email protected]>
* fix(e2e): pass authenticated request context to API calls and browser pages
  - Add defaultRequestContext field to ApiCalls class, set via constructor
  - All API methods now use the default context for auth (session cookies + CSRF)
  - Tests use Playwright's request fixture which inherits storageState from config
  - Pass storageState path to BrowserWrapper.createNewPage for authenticated browser sessions
  - Revert outer test.describe.serial() to test.describe() to prevent cascade failures (inner Database Deletion Tests remain serial as needed)

  Fixes unauthenticated API requests that caused 401 errors in Firefox E2E tests.

  Co-authored-by: Copilot <[email protected]>
* fix: update @falkordb/canvas version to 0.0.41 in package.json and package-lock.json
* Bump fastapi from 0.133.0 to 0.135.0 (#446)
* Bump fastapi from 0.133.0 to 0.135.0

  Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.133.0 to 0.135.0.
  - [Release notes](https://github.com/fastapi/fastapi/releases)
  - [Commits](https://github.com/fastapi/fastapi/compare/0.133.0...0.135.0)

  ---
  updated-dependencies:
  - dependency-name: fastapi
    dependency-version: 0.135.0
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
* fix(e2e): read CSRF token from storageState when Set-Cookie is absent

  When the Playwright request fixture is initialised from a storageState that already carries a csrf_token cookie, the server does not emit a new Set-Cookie header. getCsrfToken() would then return undefined, causing every state-changing API call to fail with 403 'CSRF token missing or invalid'. Fall back to reading the token from the context's storageState() when the Set-Cookie header does not contain it.

  Co-authored-by: Copilot <[email protected]>

  --------
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Guy Korland <[email protected]>
  Co-authored-by: Copilot <[email protected]>
* Bump actions/upload-artifact from 6 to 7 (#444)

  Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7.
  - [Release notes](https://github.com/actions/upload-artifact/releases)
  - [Commits](https://github.com/actions/upload-artifact/compare/v6...v7)

  ---
  updated-dependencies:
  - dependency-name: actions/upload-artifact
    dependency-version: '7'
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Guy Korland <[email protected]>
* Bump the npm-minor-patch group in /app with 5 updates (#443)
* Bump the npm-minor-patch group in /app with 5 updates

  Bumps the npm-minor-patch group in /app with 5 updates:

  | Package | From | To |
  | --- | --- | --- |
  | [@falkordb/canvas](https://github.com/FalkorDB/falkordb-canvas) | `0.0.40` | `0.0.41` |
  | [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.90.19` | `5.90.21` |
  | [preact](https://github.com/preactjs/preact) | `10.28.3` | `10.28.4` |
  | [react-hook-form](https://github.com/react-hook-form/react-hook-form) | `7.71.1` | `7.71.2` |
  | [autoprefixer](https://github.com/postcss/autoprefixer) | `10.4.23` | `10.4.27` |

  Updates `@falkordb/canvas` from 0.0.40 to 0.0.41
  - [Release notes](https://github.com/FalkorDB/falkordb-canvas/releases)
  - [Commits](https://github.com/FalkorDB/falkordb-canvas/compare/v0.0.40...v0.0.41)

  Updates `@tanstack/react-query` from 5.90.19 to 5.90.21
  - [Release notes](https://github.com/TanStack/query/releases)
  - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
  - [Commits](https://github.com/TanStack/query/commits/@tanstack/[email protected]/packages/react-query)

  Updates `preact` from 10.28.3 to 10.28.4
  - [Release notes](https://github.com/preactjs/preact/releases)
  - [Commits](https://github.com/preactjs/preact/compare/10.28.3...10.28.4)

  Updates `react-hook-form` from 7.71.1 to 7.71.2
  - [Release notes](https://github.com/react-hook-form/react-hook-form/releases)
  - [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/react-hook-form/react-hook-form/compare/v7.71.1...v7.71.2)

  Updates `autoprefixer` from 10.4.23 to 10.4.27
  - [Release notes](https://github.com/postcss/autoprefixer/releases)
  - [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/postcss/autoprefixer/compare/10.4.23...10.4.27)

  ---
  updated-dependencies:
  - dependency-name: "@falkordb/canvas"
    dependency-version: 0.0.41
    dependency-type: direct:production
    update-type: version-update:semver-patch
    dependency-group: npm-minor-patch
  - dependency-name: "@tanstack/react-query"
    dependency-version: 5.90.21
    dependency-type: direct:production
    update-type: version-update:semver-patch
    dependency-group: npm-minor-patch
  - dependency-name: preact
    dependency-version: 10.28.4
    dependency-type: direct:production
    update-type: version-update:semver-patch
    dependency-group: npm-minor-patch
  - dependency-name: react-hook-form
    dependency-version: 7.71.2
    dependency-type: direct:production
    update-type: version-update:semver-patch
    dependency-group: npm-minor-patch
  - dependency-name: autoprefixer
    dependency-version: 10.4.27
    dependency-type: direct:development
    update-type: version-update:semver-patch
    dependency-group: npm-minor-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
* Update root package-lock.json for app dependency bumps

  The root package-lock.json must be kept in sync with app/package.json changes since root package.json references app via file: protocol. Without this update, npm ci at the root fails with lockfile mismatch.

  Co-authored-by: Copilot <[email protected]>

  --------
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Guy Korland <[email protected]>
  Co-authored-by: Copilot <[email protected]>
* perf(ci): accelerate Playwright CI from ~16min to ~5min (#448)
* perf(ci): accelerate Playwright CI from ~16min to ~5min
  - Increase CI workers from 1 to 4 (matches ubuntu-latest vCPUs)
  - Skip Firefox in CI, run Chromium only (halves test count)
  - Reduce retries from 2 to 1 (still catches transient failures)
  - Add pip, npm, and Playwright browser caching
  - Replace hardcoded sleep 20 with health-check polling
  - Install only Chromium browser (not Firefox) in CI

  Co-authored-by: Copilot <[email protected]>
* fix(ci): fix YAML indentation and use docker compose --wait

  Replace inline Python health-check with docker compose --wait flag which natively waits for service healthchecks to pass.

  Co-authored-by: Copilot <[email protected]>
* fix(ci): remove pip cache (incompatible with pipenv setup)

  Co-authored-by: Copilot <[email protected]>
* fix(ci): keep 2 retries for flaky AI-dependent chat tests

  Chat tests that interact with the AI processing endpoint need 2 retries to handle intermittent timeouts, especially under parallel execution.

  Co-authored-by: Copilot <[email protected]>
* fix(ci): key npm cache on both root and app lockfiles

  The setup-node npm cache was only keyed on the root package-lock.json. Add cache-dependency-path to include app/package-lock.json so the cache invalidates when frontend dependencies change.

  Co-authored-by: Copilot <[email protected]>
* fix(ci): add pip caching with Pipfile.lock dependency path

  The setup-python cache: 'pip' was removed earlier because it failed without cache-dependency-path (defaults to requirements*.txt). Re-add it with cache-dependency-path: Pipfile.lock so pip downloads are cached between runs.

  Co-authored-by: Copilot <[email protected]>
* fix: update comment to reflect hard-coded worker count

  The comment said 'Use all available vCPUs' but the config hard-codes 4 workers. Update to accurately describe the intentional pinning.

  Co-authored-by: Copilot <[email protected]>

  --------
  Co-authored-by: Copilot <[email protected]>
* Bump litellm from 1.81.15 to 1.82.0 (#445)

  Bumps [litellm](https://github.com/BerriAI/litellm) from 1.81.15 to 1.82.0.
  - [Release notes](https://github.com/BerriAI/litellm/releases)
  - [Commits](https://github.com/BerriAI/litellm/commits)

  ---
  updated-dependencies:
  - dependency-name: litellm
    dependency-version: 1.82.0
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Guy Korland <[email protected]>
* Bump the npm_and_yarn group across 1 directory with 2 updates (#447)
* Bump the npm_and_yarn group across 1 directory with 2 updates

  Bumps the npm_and_yarn group with 2 updates in the /app directory: [minimatch](https://github.com/isaacs/minimatch) and [rollup](https://github.com/rollup/rollup).

  Updates `minimatch` from 3.1.2 to 3.1.5
  - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
  - [Commits](https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.5)

  Updates `rollup` from 4.55.1 to 4.59.0
  - [Release notes](https://github.com/rollup/rollup/releases)
  - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/rollup/rollup/compare/v4.55.1...v4.59.0)

  ---
  updated-dependencies:
  - dependency-name: minimatch
    dependency-version: 3.1.5
    dependency-type: indirect
    dependency-group: npm_and_yarn
  - dependency-name: rollup
    dependency-version: 4.59.0
    dependency-type: indirect
    dependency-group: npm_and_yarn
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
* ci: retrigger CI after transient test failure

  The previous Playwright test run had database connectivity issues in CI (Docker container readiness timing). All infrastructure steps passed but database connection tests returned success:false. Retriggering to verify.

  Co-authored-by: Copilot <[email protected]>

  --------
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Guy Korland <[email protected]>
  Co-authored-by: Copilot <[email protected]>
* Bump version from 0.0.14 to 0.1.0 (#450)
* Initial plan
* chore: bump version from 0.0.14 to 0.1.0

  Co-authored-by: gkorland <[email protected]>

  --------
  Co-authored-by: copilot-swe-agent[bot] <[email protected]>
  Co-authored-by: gkorland <[email protected]>
  Co-authored-by: Guy Korland <[email protected]>
* Change npm install to npm ci for consistency (#454)

  Change npm install to npm ci for consistency
* fix: update @falkordb/canvas version to 0.0.44 in package.json and package-lock.json
* Implement feature X to enhance user experience and fix bug Y in module Z
* chore: update dependencies and remove unused packages
  - Removed unused Rollup binaries for various platforms.
  - Updated `minimatch` from version 9.0.5 to 9.0.9.
  - Updated `@types/estree` to version 1.0.8.
  - Updated `ajv` to version 6.14.0 and added its dependencies.
  - Removed several unused packages including `balanced-match`, `concat-map`, `fast-deep-equal`, and others.
  - Added new Rollup binaries for version 4.59.0 across multiple platforms.
* Move the project from Pipfile to pyproject (#409)
* Initial plan
* Migrate from Pipfile to pyproject.toml with uv
  - Created pyproject.toml with all dependencies from Pipfile
  - Updated Makefile to use uv instead of pipenv
  - Updated GitHub Actions workflows (tests.yml, pylint.yml, playwright.yml)
  - Updated Dockerfile to use uv
  - Updated setup_e2e_tests.sh script
  - Updated README.md documentation
  - Updated .github/copilot-instructions.md

  Co-authored-by: gkorland <[email protected]>
* Generate uv.lock and remove Pipfile
  - Generated uv.lock file with all dependencies
  - Removed Pipfile and Pipfile.lock
  - Updated pyproject.toml with hatch build config for api package

  Co-authored-by: gkorland <[email protected]>
* Fix CI: use 'python -m' for pytest and pylint with uv
  - Updated .github/workflows/tests.yml to use 'uv run python -m pytest'
  - Updated .github/workflows/pylint.yml to use 'uv run python -m pylint'
  - Updated Makefile test and lint commands to use 'python -m' syntax
  - Updated README.md and copilot-instructions.md with correct commands
  - Updated setup_e2e_tests.sh with correct pytest command

  This fixes the CI failures where uv couldn't find pytest/pylint executables.

  Co-authored-by: gkorland <[email protected]>
* Add 'uv' and 'pyproject' to spellcheck wordlist

  Co-authored-by: Copilot <[email protected]>
* Fix test_simple_integration: update conftest.py to use uv instead of pipenv

  The test fixture was still launching the app via 'pipenv run uvicorn', causing FileNotFoundError in CI where pipenv is no longer installed.

  Co-authored-by: Copilot <[email protected]>
* Fix Playwright CI: stop background server before post-job cleanup

  The background 'uv run uvicorn' process was staying alive during setup-uv's cache pruning step, causing a 5-minute timeout and exit code 2 despite all 33 tests passing. Save the server PID via GITHUB_OUTPUT and terminate it in the cleanup step.

  Co-authored-by: Copilot <[email protected]>
* Allow GHSA-w8v5-vhqr-4h9v in dependency review (no fix available)

  [email protected] is a transitive dependency via graphiti-core. CVE-2025-69872 (unsafe pickle deserialization) has no patched version upstream yet. Allow-listed to unblock the PR.

  Co-authored-by: Copilot <[email protected]>
* Update dependabot to use uv package ecosystem

  Replace 'pip' with 'uv' so Dependabot manages pyproject.toml + uv.lock natively instead of looking for Pipfile/requirements.txt.

  Co-authored-by: Copilot <[email protected]>
* Upgrade graphiti-core to 0.28.1 and remove diskcache workaround

  graphiti-core 0.28.1 no longer depends on diskcache, which had a moderate vulnerability (GHSA-w8v5-vhqr-4h9v). Switch from the git fork to the PyPI release and remove the dependency-review allow-list.

  Co-authored-by: Copilot <[email protected]>
* Fix Docker build: copy README.md for hatchling metadata

  hatchling requires README.md during 'uv sync' to validate the project metadata. Copy it alongside pyproject.toml and uv.lock.

  Co-authored-by: Copilot <[email protected]>

  --------
  Co-authored-by: anthropic-code-agent[bot] <[email protected]>
  Co-authored-by: gkorland <[email protected]>
  Co-authored-by: Guy Korland <[email protected]>
  Co-authored-by: Copilot <[email protected]>
* Move project to pyproject (#471)
* Initial plan
* Migrate from Pipfile to pyproject.toml with uv
  - Created pyproject.toml with all dependencies from Pipfile
  - Updated Makefile to use uv instead of pipenv
  - Updated GitHub Actions workflows (tests.yml, pylint.yml, playwright.yml)
  - Updated Dockerfile to use uv
  - Updated setup_e2e_tests.sh script
  - Updated README.md documentation
  - Updated .github/copilot-instructions.md

  Co-authored-by: gkorland <[email protected]>
* Generate uv.lock and remove Pipfile
  - Generated uv.lock file with all dependencies
  - Removed Pipfile and Pipfile.lock
  - Updated pyproject.toml with hatch build config for api package

  Co-authored-by: gkorland <[email protected]>
* Fix CI: use 'python -m' for pytest and pylint with uv
  - Updated .github/workflows/tests.yml to use 'uv run python -m pytest'
  - Updated .github/workflows/pylint.yml to use 'uv run python -m pylint'
  - Updated Makefile test and lint commands to use 'python -m' syntax
  - Updated README.md and copilot-instructions.md with correct commands
  - Updated setup_e2e_tests.sh with correct pytest command

  This fixes the CI failures where uv couldn't find pytest/pylint executables.

  Co-authored-by: gkorland <[email protected]>
* Add 'uv' and 'pyproject' to spellcheck wordlist

  Co-authored-by: Copilot <[email protected]>
* Fix test_simple_integration: update conftest.py to use uv instead of pipenv

  The test fixture was still launching the app via 'pipenv run uvicorn', causing FileNotFoundError in CI where pipenv is no longer installed.

  Co-authored-by: Copilot <[email protected]>
* Fix Playwright CI: stop background server before post-job cleanup

  The background 'uv run uvicorn' process was staying alive during setup-uv's cache pruning step, causing a 5-minute timeout and exit code 2 despite all 33 tests passing. Save the server PID via GITHUB_OUTPUT and terminate it in the cleanup step.

  Co-authored-by: Copilot <[email protected]>
* Allow GHSA-w8v5-vhqr-4h9v in dependency review (no fix available)

  [email protected] is a transitive dependency via graphiti-core. CVE-2025-69872 (unsafe pickle deserialization) has no patched version upstream yet. Allow-listed to unblock the PR.

  Co-authored-by: Copilot <[email protected]>
* Update dependabot to use uv package ecosystem

  Replace 'pip' with 'uv' so Dependabot manages pyproject.toml + uv.lock natively instead of looking for Pipfile/requirements.txt.

  Co-authored-by: Copilot <[email protected]>
* Upgrade graphiti-core to 0.28.1 and remove diskcache workaround

  graphiti-core 0.28.1 no longer depends on diskcache, which had a moderate vulnerability (GHSA-w8v5-vhqr-4h9v). Switch from the git fork to the PyPI release and remove the dependency-review allow-list.

  Co-authored-by: Copilot <[email protected]>
* Fix Docker build: copy README.md for hatchling metadata

  hatchling requires README.md during 'uv sync' to validate the project metadata. Copy it alongside pyproject.toml and uv.lock.

  Co-authored-by: Copilot <[email protected]>
* Fix Docker: add .dockerignore and venv PATH for uvicorn
  - Add .dockerignore to prevent host .venv from being copied into the container (which overwrites the uv-installed packages).
  - Add /app/.venv/bin to PATH so uvicorn and other entry points installed by uv sync are available to start.sh.

  Co-authored-by: Copilot <[email protected]>

  --------
  Co-authored-by: anthropic-code-agent[bot] <[email protected]>
  Co-authored-by: gkorland <[email protected]>
  Co-authored-by: Copilot <[email protected]>
* Clean up remaining pipenv/poetry references after uv migration (#472)
  - Remove 'pipenv'/'Pipenv' from spellcheck wordlist (no longer used)
  - Update docs/postgres_loader.md: replace poetry/pip install with uv add

  Co-authored-by: Copilot <[email protected]>
* feat: Configurable model usage (#386)
* init
* merge-staging
* update-model-usage
* fix: resolve pylint lint errors across PR files

  Strip trailing whitespace from agents, config, and settings modules. Suppress too-many-statements in app_factory.py factory function. Fix no-else-return, too-many-return-statements, and unused argument in settings.py route handler.

  Co-authored-by: Copilot <[email protected]>
* refactor: extract shared LLM completion helper to eliminate duplicate code

  Extract run_completion() into utils.py and use it across all agent modules. Resolves pylint R0801 duplicate-code warning that was causing CI build failures.

  Co-authored-by: Copilot <[email protected]>
* fix: resolve review issues and add Ollama/Cohere provider support
  - Add LLM_PROVIDER field to replace binary AZURE_FLAG for provider routing
  - Add Ollama and Cohere provider support (cherry-picked from #452)
  - Add _with_prefix() helper to eliminate duplicated prefix logic
  - Fix Anthropic embedding fallback: fail-fast instead of silent Azure fallback
  - Fix double-prefix bug in chat.ts (gemini/gemini/... no longer happens)
  - Fix useEffect clobbering saved model name on Settings page load
  - Forward custom credentials through confirm flow for destructive operations
  - Add localStorage persistence for vendor/model settings (API key stays session-only)
  - Remove stack trace leak from /validate-api-key error responses
  - Add ollama/cohere to supported vendors in text2sql and settings routes
  - Replace unnecessary hasattr with direct Pydantic field access
  - Update .env.example with precedence docs, Ollama and Cohere examples
  - Remove duplicate SettingsModal (consolidated into Settings page)

  Co-authored-by: Udaykumar Dhokia <[email protected]>
  Co-authored-by: Claude Opus 4.6 <[email protected]>
* fix: resolve pylint and CodeQL CI failures
  - Rename SUPPORTED_VENDORS to snake_case (pylint C0103)
  - Break long line in settings.py (pylint C0301)
  - Remove exception details from log to prevent info exposure (CodeQL)
  - Sanitize vendor in log message to prevent log injection

  Co-Authored-By: Claude Opus 4.6 <[email protected]>
* fix: sanitize user input in log to prevent log injection

  Add _sanitize_for_log() helper that strips \r, \n, and \t from user-provided values before logging, preventing log injection attacks.

  Co-Authored-By: Claude Opus 4.6 <[email protected]>
* Fix review comments: CSRF headers, buildApiUrl, type safety, docs
  - useApiKeyValidation: add csrfHeaders() and buildApiUrl(), strip double-prefix from model name before sending to backend
  - ChatInterface: use ConfirmRequest type instead of `any`
  - Settings: use `import type` for AIVendor
  - README: update provider priority to include Ollama/Cohere, fix Anthropic embeddings note (ValueError, not Azure fallback)
  - .env.example: fix misleading fallback comments

  Co-Authored-By: Claude Opus 4.6 <[email protected]>
* Add Ollama and Cohere to spellcheck wordlist

  Co-Authored-By: Claude Opus 4.6 <[email protected]>

  --------
  Co-authored-by: Guy Korland <[email protected]>
  Co-authored-by: Copilot <[email protected]>
  Co-authored-by: Udaykumar Dhokia <[email protected]>
  Co-authored-by: Claude Opus 4.6 <[email protected]>
* chore: consolidate Dependabot PRs and resolve staging conflicts (#473)
* Initial plan
* Consolidate all 10 open Dependabot PRs into a single update targeting staging

  Covers:
  - Bump fastapi from ~=0.124.0 to ~=0.135.1 (PR #468)
  - Bump @hookform/resolvers from ^3.10.0 to ^5.2.2 (PR #465)
  - Bump react-router-dom from ^6.30.1 to ^7.13.1 (PR #463)
  - Bump lucide-react from ^0.462.0 to ^0.577.0 (PR #462)
  - Bump postcss from ^8.5.6 to ^8.5.8 (PR #470)
  - Bump actions/cache from v4 to v5 in playwright.yml (PR #456)
  - Bump docker/login-action from v3 to v4 in publish-docker.yml (PR #457)
  - Bump docker/metadata-action from v5 to v6 in publish-docker.yml (PR #458)
  - Bump docker/build-push-action from v6 to v7 in publish-docker.yml (PR #460)
  - Bump rojopolis/spellcheck-github-actions from 0.58.0 to 0.59.0 in spellcheck.yml (PR #459)

  Co-authored-by: gkorland <[email protected]>
* Add workflow to close superseded Dependabot PRs (#456-#470) as duplicates of #473

  Co-authored-by: gkorland <[email protected]>
* Add workflow_dispatch trigger so maintainers can manually run close-superseded-prs workflow

  Co-authored-by: gkorland <[email protected]>
* Delete .github/workflows/close-superseded-prs.yml
* Apply suggestion from @Copilot

  Co-authored-by: Copilot <[email protected]>
* Remove obsolete BrowserRouter future prop for react-router-dom v7

  Co-authored-by: gkorland <[email protected]>
* Refresh root package lock for CI

  Co-authored-by: gkorland <[email protected]>
* Resolve staging conflicts

  Co-authored-by: gkorland <[email protected]>
* Apply suggestion from @Copilot

  Co-authored-by: Copilot <[email protected]>

  --------
  Co-authored-by: copilot-swe-agent[bot] <[email protected]>
  Co-authored-by: gkorland <[email protected]>
  Co-authored-by: Guy Korland <[email protected]>
  Co-authored-by: Copilot <[email protected]>
* fix: replace unnecessary dynamic import of vendorConfig with static import (#474)

  vendorConfig.ts is already statically imported by SettingsContext, useApiKeyValidation, Settings, and chat service, so the dynamic import() in ChatInterface.tsx provided no code-splitting benefit and triggered a Vite build warning.

  Co-authored-by: Copilot <[email protected]>
* docs: add AGENTS.md project guide and CLAUDE.md symlink (#477)

  Provide a single-file onboarding reference covering architecture, tech stack, directory layout, build/test/lint commands, code conventions, environment variables, and CI/CD workflows. CLAUDE.md symlinks to AGENTS.md so both AI coding assistants and contributors find the same guide.

  Co-authored-by: Claude Opus 4.6 <[email protected]>
* feat: add support for postgres schema selection (#475)
* feat: add support for postgres schema selection

  Add support for selecting a PostgreSQL schema instead of always using 'public'. The schema is extracted from the connection URL's options parameter (search_path), following PostgreSQL's native libpq format.

  Changes:
  - Add _parse_schema_from_url() to extract schema from connection URL
  - Thread schema parameter through all extraction methods with 'public' default
  - Add pg_namespace JOINs for correct cross-schema disambiguation
  - Add schema input field in DatabaseModal (PostgreSQL only)
  - Add comprehensive unit tests for URL schema parsing
  - Update documentation with custom schema configuration guide

  Based on PR #373 by sirudog with the following fixes:
  - Fix pg_namespace JOIN order in extract_columns_info to prevent duplicate rows when same-named tables exist across schemas
  - Fix regex to require '=' separator (prevents mis-capture edge cases)
  - Improve $user handling to loop through all schemas instead of only checking first two positions
  - Fix pylint line-too-long in test file

  Co-authored-by: sirudog <[email protected]>
  Co-authored-by: Copilot <[email protected]>
* fix: make parse_schema_from_url public to fix CI pylint

  Rename _parse_schema_from_url to parse_schema_from_url since the method is already documented for external use and tested directly. This eliminates W0212 (protected-access) warnings that cause CI pylint to fail with exit code 4.

  Co-authored-by: Copilot <[email protected]>
* fix: address review comments on PR #475
  - Add constraint_schema qualifier to key_column_usage JOINs in extract_columns_info to prevent cross-schema constraint name collisions
  - Sanitize schema input in DatabaseModal to strip non-identifier characters before building the URL options
  - Add edge case tests: empty tokens, blank quoted tokens, repeated $user entries

  Co-authored-by: Copilot <[email protected]>
* chore: remove accidentally committed build artifacts

  Co-authored-by: Copilot <[email protected]>
* fix: address copilot reviewer comments on PR #475
  - Fix regex to capture search_path values with spaces after commas (e.g. $user, public) by matching up to next -c option or EOL
  - Set session search_path explicitly after connecting so sample queries resolve to the correct schema
  - Use versionless PostgreSQL docs link (/docs/current/)
  - Clarify case-sensitivity note for schema names in troubleshooting

  Co-authored-by: Copilot <[email protected]>
* chore: gitignore build artifacts

  Co-authored-by: Copilot <[email protected]>
* fix: replace ReDoS-vulnerable regex in parse_schema_from_url

  Replace (.+?)(?=\s+-c|\s*$) with [^\s,]+(?:\s*,\s*[^\s,]+)* to eliminate polynomial backtracking flagged by CodeQL. The new pattern uses unambiguous character classes with no overlapping quantifiers.

  Co-authored-by: Copilot <[email protected]>
* fix: validate schema input instead of silent sanitization, fix doc URL encoding
  - DatabaseModal: Show validation error for invalid schema characters instead of silently stripping them. Throw error on submit if invalid chars present.
  - docs: URL-encode the example URL to prevent copy/paste connection failures.

  Co-authored-by: Copilot <[email protected]>
* fix: revert doc URL to readable form to fix spellcheck

  The URL-encoded form (-csearch_path%3Dmy_schema) inside the Liquid capture block triggers spellcheck failures ('csearch', 'Dmy'). Reverted to readable form since Python's urlparse handles both formats fine.

  Co-authored-by: Copilot <[email protected]>
* fix: add missing tech terms to spellcheck wordlist

  Add terms from AGENTS.md/CLAUDE.md (added in staging merge) to the spellcheck wordlist: config, docstring, dotenv, ESLint, HSTS, init, Middleware, monorepo, PRs, pylint, pytest, Radix, Zod, and error class names. Also fix DockerHub capitalization.
Co-authored-by: Copilot <[email protected]> * fix: ensure DB connection cleanup on error and add cursor type hints - Wrap psycopg2 connection/cursor in try/finally so they are always closed, even when extract_tables_info or extract_relationships raises - Set conn/cursor to None after explicit close to avoid double-close in the finally block - Add Any type hints to cursor parameters on extract_tables_info, extract_columns_info, extract_foreign_keys, extract_relationships, and _execute_sample_query Co-authored-by: Copilot <[email protected]> * fix: increase timeout for multi-step E2E chat tests Mark three tests that perform multiple LLM round-trips with test.slow() to triple their timeout (60s → 180s), preventing spurious CI failures when LLM responses are slow: - multiple sequential queries maintain conversation history - switching databases clears chat history - duplicate record shows user-friendly error message Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: sirudog <[email protected]> Co-authored-by: Copilot <[email protected]> * fix: require SECRET_TOKEN at startup to prevent auth bypass (#476) * fix: require SECRET_TOKEN at startup to prevent auth bypass The original verify_token() allowed None == None when SECRET_TOKEN was unset, silently disabling authentication. The server now refuses to start without SECRET_TOKEN configured, and validate_user() accepts the static token via constant-time comparison (hmac.compare_digest) as an alternative to DB-backed OAuth tokens. Co-Authored-By: Claude Opus 4.6 <[email protected]> * fix: add pylint disable for wrong-import-position in conftest.py The imports must come after os.environ.setdefault() for SECRET_TOKEN, which is intentionally non-standard. Suppress the C0413 warning. 
Co-authored-by: Copilot <[email protected]> * fix: add SECRET_TOKEN to Playwright CI workflow env The 'Start FastAPI application' step was missing SECRET_TOKEN, causing the app to crash at startup with RuntimeError since the PR made it required. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Claude Opus 4.6 <[email protected]> Co-authored-by: Copilot <[email protected]> * fix: address PR #455 review comments (#478) - Pin uv version (0.7.12) and use --locked in CI workflows - Fix Dockerfile: split uv sync into deps-only + project install - Remove || true from make lint so pylint failures are not masked - Move max-line-length to [tool.pylint.format] (canonical section) - Fix docs: use 'uv sync' instead of 'uv add' for existing deps - Remove dead initial LLM_PROVIDER/AZURE_FLAG assignments in config Co-authored-by: Copilot <[email protected]> * fix: remove SECRET_TOKEN static API key requirement (#479) Users create their own API tokens via /tokens/generate (stored in FalkorDB), so the static SECRET_TOKEN env var is redundant. Removes: - The SECRET_TOKEN module-level variable and hmac check in validate_user - The hmac import (no longer needed) - All references in .env.example, CI workflows, and test conftest Reverts the hard requirement introduced in #476. Co-authored-by: Copilot <[email protected]> * fix: require authentication on validate-api-key endpoint (#481) * fix: require authentication on validate-api-key endpoint The POST /api/validate-api-key endpoint was missing the @token_required decorator, allowing unauthenticated users to proxy LLM API calls through the server. Add @token_required to match all other POST endpoints. Co-Authored-By: Claude Opus 4.6 <[email protected]> * fix: suppress pylint unused-argument for decorated request param The @token_required decorator consumes the request argument before the function body, so pylint incorrectly flags it as unused. 
Co-Authored-By: Claude Opus 4.6 <[email protected]> * fix: add 401 response to OpenAPI docs for validate-api-key Add responses={401: UNAUTHORIZED_RESPONSE} to match the convention used by all other @token_required endpoints. Co-Authored-By: Claude Opus 4.6 <[email protected]> --------- Co-authored-by: Claude Opus 4.6 <[email protected]> * chore(deps): bump graphiti-core in the uv group across 1 directory (#480) Bumps the uv group with 1 update in the / directory: [graphiti-core](https://github.com/getzep/graphiti). Updates `graphiti-core` from 0.28.1 to 0.28.2 - [Release notes](https://github.com/getzep/graphiti/releases) - [Commits](https://github.com/getzep/graphiti/compare/v0.28.1...v0.28.2) --- updated-dependencies: - dependency-name: graphiti-core dependency-version: 0.28.2 dependency-type: direct:production dependency-group: uv ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Guy Korland <[email protected]> * ci(workflows): pin GitHub Actions dependencies to commit SHAs (#503) Pin all third-party GitHub Actions to their full commit SHA instead of mutable version tags. This is a supply-chain security best practice that prevents tag-mutation attacks. 
Changed files: dependency-review.yml, playwright.yml, publish-docker.yml, pylint.yml, spellcheck.yml, tests.yml Total actions pinned: 17 Co-authored-by: Copilot <[email protected]> * chore(deps): combine dependabot dependency updates (#504) Python dependencies: - uvicorn: 0.41.0 → 0.42.0 - litellm: 1.82.0 → 1.82.6 - authlib: 1.6.8 → 1.6.9 - fastmcp: 3.0.1 → 3.1.1 - pytest-asyncio: 1.2.0 → 1.3.0 GitHub Actions: - astral-sh/setup-uv: v5.4.2 → v7.6.0 - rojopolis/spellcheck-github-actions: 0.59.0 → 0.60.0 NPM dependencies (app/): - typescript-eslint: 8.53.0 → 8.57.0 - flatted: 3.3.3 → 3.4.2 - picomatch: 2.3.1 → 2.3.2 / 4.0.3 → 4.0.4 Replaces: #483, #484, #486, #487, #491, #493, #498, #499, #500, #501 Skipped major version bumps (require migration work): - #488 vite 7→8, #489 react-dom 18→19 - #490 tailwind-merge 2→3, #492 tailwindcss 3→4 Co-authored-by: Copilot <[email protected]> * fix: address PR review comments - Fix CSRF docstring to reflect actual cookie-setting behavior - Normalize X-Forwarded-Proto (handle comma-separated, mixed-case) - Fix comment typo in create_app - Serialize CI workers to 1 to avoid shared-state flakiness - Fix CSRF comment in e2e apiRequests helper - Retry only successful final_result in connectDatabaseWithRetry - Add .env creation step in Playwright CI workflow Co-authored-by: Copilot <[email protected]> * fix(deps): upgrade pyjwt 2.11.0 → 2.12.1 (GHSA-752w-5fwx-jx9f) PyJWT 2.11.0 accepts unknown `crit` header extensions in violation of RFC 7515 §4.1.11, allowing security policy bypass. Closes the dependency-review CI failure. Co-authored-by: Copilot <[email protected]> * fix(deps): upgrade requests 2.32.5 → 2.33.1 (GHSA-gc5v-m9x4-r6x2) Insecure temp file reuse in extract_zipped_paths() utility. Co-authored-by: Copilot <[email protected]> * fix(deps): upgrade cryptography 46.0.5 → 46.0.6 (GHSA-m959-cc7f-wv43) Incomplete DNS name constraint enforcement on peer names. 
Co-authored-by: Copilot <[email protected]> * fix(deps): upgrade pygments 2.19.2 → latest (GHSA-5239-wwwm-4pmq) ReDoS via inefficient regex for GUID matching. Co-authored-by: Copilot <[email protected]> * ci(playwright): skip E2E tests for Dependabot PRs (#518) * ci(playwright): skip E2E tests for Dependabot PRs Dependabot PRs do not have access to repository secrets (AZURE_API_KEY, AZURE_API_BASE, AZURE_API_VERSION) required by the LLM-dependent E2E tests for database schema loading. This causes all Database Connection and Chat Feature tests to fail with 'Failed to load database schema'. Skip the Playwright job for Dependabot-authored PRs while preserving full coverage on push events (merge to staging/main) where secrets are available. Unit tests, pylint, dependency review, and spellcheck still run for all PRs. Co-authored-by: Copilot <[email protected]> * docs(agents): note Playwright skip for Dependabot PRs Co-authored-by: Copilot <[email protected]> * ci(spellcheck): add Dependabot to wordlist Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * chore(deps): bump fastapi from 0.135.1 to 0.135.2 (#509) Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.135.1 to 0.135.2. - [Release notes](https://github.com/fastapi/fastapi/releases) - [Commits](https://github.com/fastapi/fastapi/compare/0.135.1...0.135.2) --- updated-dependencies: - dependency-name: fastapi dependency-version: 0.135.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Guy Korland <[email protected]> * chore(deps-dev): bump pytest from 8.4.2 to 9.0.2 (#508) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.4.2 to 9.0.2. 
- [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.4.2...9.0.2) --- updated-dependencies: - dependency-name: pytest dependency-version: 9.0.2 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Guy Korland <[email protected]> * chore(deps): bump fastmcp in the uv group across 1 directory (#515) Bumps the uv group with 1 update in the / directory: [fastmcp](https://github.com/PrefectHQ/fastmcp). Updates `fastmcp` from 3.1.1 to 3.2.0 - [Release notes](https://github.com/PrefectHQ/fastmcp/releases) - [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx) - [Commits](https://github.com/PrefectHQ/fastmcp/compare/v3.1.1...v3.2.0) --- updated-dependencies: - dependency-name: fastmcp dependency-version: 3.2.0 dependency-type: direct:production dependency-group: uv ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Guy Korland <[email protected]> * chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates (#516) Bumps the npm_and_yarn group with 3 updates in the /app directory: [lodash-es](https://github.com/lodash/lodash), [picomatch](https://github.com/micromatch/picomatch) and [flatted](https://github.com/WebReflection/flatted). 
Updates `lodash-es` from 4.17.23 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2) --- updated-dependencies: - dependency-name: lodash-es dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Guy Korland <[email protected]> * chore(deps): bump the npm-minor-patch group in /app with 2 updates (#510) Bumps the npm-minor-patch group in /app with 2 updates: [@falkordb/canvas](https://github.com/FalkorDB/falkordb-canvas) and [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom). 
Updates `@falkordb/canvas` from 0.0.44 to 0.0.45 - [Release notes](https://github.com/FalkorDB/falkordb-canvas/releases) - [Commits](https://github.com/FalkorDB/falkordb-canvas/compare/v0.0.44...v0.0.45) Updates `react-router-dom` from 7.13.1 to 7.13.2 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/[email protected]/packages/react-router-dom) --- updated-dependencies: - dependency-name: "@falkordb/canvas" dependency-version: 0.0.45 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-minor-patch - dependency-name: react-router-dom dependency-version: 7.13.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-minor-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Guy Korland <[email protected]> * chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates (#519) Bumps the npm_and_yarn group with 3 updates in the /app directory: [picomatch](https://github.com/micromatch/picomatch), [flatted](https://github.com/WebReflection/flatted) and [lodash](https://github.com/lodash/lodash). 
Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2) Updates `lodash` from 4.17.23 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1) --- updated-dependencies: - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Guy Korland <[email protected]> * fix(deps): regenerate package-lock.json and fix vulnerabilities Regenerated the root lockfile to sync with current app/package.json dependencies. 
Also ran npm audit fix to resolve: - lodash Code Injection and Prototype Pollution (high severity) - brace-expansion DoS (moderate severity) - picomatch ReDoS and method injection (high severity) Co-authored-by: Copilot <[email protected]> * fix(deps): bump litellm to ~=1.83.0 to fix critical vulnerabilities Addresses: - GHSA-jjhc-v7c2-5hh6: OIDC authentication bypass via cache key collision (critical) - GHSA-53mr-6c8q-9789: Privilege escalation via unrestricted proxy config (high) Both vulnerabilities are fixed in litellm 1.83.0+. Co-authored-by: Copilot <[email protected]> * fix(deps): upgrade aiohttp to 3.13.5 to fix security vulnerabilities Addresses: - GHSA-w2fm-2cpv-w7v5: unlimited trailer headers (moderate) - GHSA-p998-jp59-783m: UNC SSRF/NTLMv2 credential theft (moderate) - GHSA-m5qp-6w8w-w647: multipart header size bypass (moderate) - GHSA-c427-h43c-vf67: duplicate Host headers (moderate) - GHSA-hcc4-c3v8-rx92: DoS via unbounded DNS cache (low) Co-authored-by: Copilot <[email protected]> * chore(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 (#525) Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 7.6.0 to 8.0.0. - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](https://github.com/astral-sh/setup-uv/compare/37802adc94f370d6bfd71619e3f0bf239e1f3b78...cec208311dfd045dd5311c1add060b2062131d57) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat(snowflake): add Snowflake loader with key-pair auth and security hardening Snowflake database loader: - Full schema extraction (tables, columns, PKs, FKs, relationships) - Key-pair authentication support (bypasses MFA) - SHOW PRIMARY KEYS / SHOW IMPORTED KEYS for constraint discovery - Identifier validation and parameterized queries for SQL injection prevention - Connection timeouts (login: 30s, network: 60s) Frontend: - Snowflake option in DatabaseModal with manual/URL entry modes - Key-pair auth UI (password/keypair toggle with PEM textarea) - Custom API key/model passed through ChatService to backend Security: - @token_required on /validate-api-key endpoint - Vendor-specific API key format validation - Narrowed vendor allowlist for key validation - Upgraded fastmcp 3.0.1→3.2.0, litellm→1.83+, aiohttp→3.13.5 Other fixes: - load_dotenv() in config.py for reliable env loading - Memory gracefully disabled for non-Azure/OpenAI providers - Null-safe LLM description generation - Anthropic config fails fast without embeddings - python-dotenv as explicit dependency Tests: 39 tests (20 Snowflake loader + 19 settings route) Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(spellcheck): add DDL and DML to wordlist Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * refactor: remove redundant API key validation from text2sql LLM providers already reject invalid keys with auth errors. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix: use /settings prefix for settings router instead of /api Consistent with other routers (/graphs, /tokens, /database). 
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix: update test docstring to match /settings route path Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix: restore staging code reverted during rebase - Restore app_factory.py from staging (CSRF, proxy header handling) with only our 2 changes (remove load_dotenv, /settings prefix) - Restore PostgreSQL schema field in DatabaseModal - Restore vendor prefix logic in ChatService.streamQuery - Restore static getVendorPrefix import in ChatInterface Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * chore(deps): bump uvicorn from 0.42.0 to 0.44.0 (#536) Bumps [uvicorn](https://github.com/Kludex/uvicorn) from 0.42.0 to 0.44.0. - [Release notes](https://github.com/Kludex/uvicorn/releases) - [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md) - [Commits](https://github.com/Kludex/uvicorn/compare/0.42.0...0.44.0) --- updated-dependencies: - dependency-name: uvicorn dependency-version: 0.44.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump fastmcp from 3.2.0 to 3.2.4 (#543) Bumps [fastmcp](https://github.com/PrefectHQ/fastmcp) from 3.2.0 to 3.2.4. - [Release notes](https://github.com/PrefectHQ/fastmcp/releases) - [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx) - [Commits](https://github.com/PrefectHQ/fastmcp/compare/v3.2.0...v3.2.4) --- updated-dependencies: - dependency-name: fastmcp dependency-version: 3.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix Docker build: align Python base to Debian trixie, pin FalkorDB image (#545) * Initial plan * Fix Docker build: align Python base to trixie and pin FalkorDB to v4.18.1 Agent-Logs-Url: https://github.com/FalkorDB/QueryWeaver/sessions/c0859d23-c001-47bd-8dc5-1285e253c7d0 Co-authored-by: gkorland <[email protected]> * Update Dockerfile --------- Co-authored-by: copilot-swe-agent[bot] <[email protected]> Co-authored-by: gkorland <[email protected]> Co-authored-by: Guy Korland <[email protected]> * fix(docker): resolve apt dependency errors on falkordb trixie base (#546) The falkordb/falkordb:latest base image (Debian trixie) ships without libtinfo6 and bash. The apt 3.0 solver refuses to install build-essential and friends because util-linux PreDepends on libtinfo6, and the NodeSource setup script requires bash. Install libtinfo6 in a separate apt step so the solver can satisfy the remaining packages, and add bash so the NodeSource installer can run. Co-authored-by: Copilot <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Anchel135 <[email protected]> Co-authored-by: copilot-swe-agent[bot] <[email protected]> Co-authored-by: gkorland <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Copilot <[email protected]> Co-authored-by: Claude Opus 4.6 <[email protected]> Co-authored-by: Anchel123 <[email protected]> Co-authored-by: Claude <[email protected]> Co-authored-by: Gal Shubeli <[email protected]> Co-authored-by: Udaykumar Dhokia <[email protected]> Co-authored-by: Copilot <[email protected]> Co-authored-by: sirudog <[email protected]>
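The PR #475 commits in the history above describe extracting a PostgreSQL schema from the libpq `options` URL parameter, replacing a backtracking-prone `(.+?)(?=\s+-c|\s*$)` capture with `[^\s,]+(?:\s*,\s*[^\s,]+)*`, skipping `$user` and blank tokens, and rejecting invalid schema identifiers instead of silently stripping characters. The block below is an added illustration of that approach written for this page; it is not QueryWeaver's `parse_schema_from_url`, and the function names, the `$user`/blank-token skipping policy, the quote handling and the identifier rule (`^[A-Za-z_][A-Za-z0-9_]*$`) are assumptions of this example. Only the value pattern is taken verbatim from the commit message.

```python
import re
from urllib.parse import parse_qs, urlparse

# Value pattern quoted from the commit message above: one token with no
# whitespace or commas, then zero or more ", token" groups. The character
# classes never overlap with the separators, so a failed match cannot be
# re-tried at many split points (the polynomial backtracking CodeQL flagged
# in the earlier lazy ".+?" form).
_SEARCH_PATH_VALUE = r"[^\s,]+(?:\s*,\s*[^\s,]+)*"

# libpq accepts both "-c search_path=x" and "-csearch_path=x" inside the
# `options` parameter; the "=" is required, as the commit notes, so a
# differently named option is not mis-captured.
_SEARCH_PATH_RE = re.compile(r"-c\s*search_path=(" + _SEARCH_PATH_VALUE + r")")

# Unquoted-identifier rule assumed for this example (the page does not state
# which rule the project applies): leading letter or underscore, then
# letters, digits or underscores.
_IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_schema_identifier(name: str) -> bool:
    """True if `name` may be placed into the options string unquoted.

    Validation rather than sanitization: the caller reports the bad input
    instead of silently altering it.
    """
    return _IDENTIFIER_RE.match(name) is not None


def parse_schema_from_url(url: str, default: str = "public") -> str:
    """Return the first concrete schema named by search_path in `url`.

    Accepts the URL-encoded form (options=-csearch_path%3Dmy_schema) and the
    readable form (options=-c search_path=my_schema): parse_qs decodes
    percent-escapes and splits each pair only on its first "=". Tokens are
    scanned in order; "$user", empty tokens and blank quoted tokens ("") are
    skipped, so "$user, analytics" resolves to "analytics" (assumed policy).
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    for options in query.get("options", []):
        match = _SEARCH_PATH_RE.search(options)
        if match is None:
            continue
        for raw in match.group(1).split(","):
            token = raw.strip()
            # Drop one layer of double quotes: "$user" and "" are both common.
            if len(token) >= 2 and token[0] == token[-1] == '"':
                token = token[1:-1]
            if token and token != "$user":
                return token
    return default


if __name__ == "__main__":
    # Constructed sample URLs for this example (not from the page).
    samples = (
        "postgresql://app:secret@db.example:5432/shop?options=-csearch_path%3Dsales",
        "postgresql://app:secret@db.example/shop?options=-c search_path=$user, analytics -c statement_timeout=5000",
        'postgresql://app:secret@db.example/shop?options=-c search_path="$user", "", reporting',
        "postgresql://app:secret@db.example/shop",
    )
    for sample in samples:
        print(parse_schema_from_url(sample))
    print(is_valid_schema_identifier("sales_2024"), is_valid_schema_identifier("sales; drop"))
```

The second sample shows why the page's pattern stops cleanly at the next `-c` option: after `analytics` the group needs a comma, finds `-`, and the match ends without scanning further. Keep the identifier check on the input side (the modal, in the PR's case) so that what reaches the URL builder is already known to be a plain identifier.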
Bumps fastmcp from 3.2.0 to 3.2.4.
Release notes
Sourced from fastmcp's releases.
... (truncated)
Commits
- 7d76074 Stop pydantic 2.13 from leaking _WrappedResult docstring into tool output sch...
- b732a4a Overhaul apps docs (#3915)
- 5c2ff1b chore: Update SDK documentation (#3914)
- f4f2ec0 Deprecate ctx.elicit() without response_type (#3916)
- 338b80c chore(deps): bump the uv group across 2 directories with 1 update (#3913)
- 110cd3a Add response_title and response_description to ctx.elicit() (#3912)
- 3117846 chore: Update SDK documentation (#3909)
- 031c7e0 Fix RetryMiddleware not retrying tool errors (#3858)
- 200d79e Enable PERF and T20 ruff rules (#3845)
- 82f310f AuthKit: auto-bind token audience to resource URL (RFC 8707) (#3905)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)