forked from Rockachopa/Timmy-time-dashboard
refactor: centralize config & harden security (#141)
* feat: upgrade primary model from llama3.1:8b to qwen2.5:14b - Swap OLLAMA_MODEL_PRIMARY to qwen2.5:14b for better reasoning - llama3.1:8b-instruct becomes fallback - Update .env default and README quick start - Fix hardcoded model assertions in tests qwen2.5:14b provides significantly better multi-step reasoning and tool calling reliability while still running locally on modest hardware. The 8B model remains as automatic fallback. * security: centralize config, harden uploads, fix silent exceptions - Add 9 pydantic Settings fields (skip_embeddings, disable_csrf, rqlite_url, brain_source, brain_db_path, csrf_cookie_secure, chat_api_max_body_bytes, timmy_test_mode) to centralize env-var access - Migrate 8 os.environ.get() calls across 5 source files to use `from config import settings` per project convention - Add path traversal defense-in-depth to file upload endpoint - Add 1MB request body size limit to chat API - Make CSRF cookie secure flag configurable via settings - Replace 2 silent `except: pass` blocks with debug logging in session.py - Remove unused `import os` from brain/memory.py and csrf.py - Update 5 CSRF test fixtures to patch settings instead of os.environ Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Trip T <trip@local> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Alexander Whitestone
committed by
GitHub
GitHub
parent
cdd3e1a90b
commit
b615595100
@@ -106,6 +106,29 @@ class Settings(BaseSettings):
|
||||
# In production, security settings are strictly enforced.
|
||||
timmy_env: Literal["development", "production"] = "development"
|
||||
|
||||
# ── Test / Diagnostics ─────────────────────────────────────────────
|
||||
# Skip loading heavy embedding models (for tests / low-memory envs).
|
||||
timmy_skip_embeddings: bool = False
|
||||
# Disable CSRF middleware entirely (for tests).
|
||||
timmy_disable_csrf: bool = False
|
||||
# Mark the process as running in test mode.
|
||||
timmy_test_mode: bool = False
|
||||
|
||||
# ── Brain / rqlite ─────────────────────────────────────────────────
|
||||
# URL of the local rqlite node for distributed memory.
|
||||
# Empty string means rqlite is not configured.
|
||||
rqlite_url: str = ""
|
||||
# Source identifier for brain memory entries.
|
||||
brain_source: str = "default"
|
||||
# Path override for the local brain SQLite database.
|
||||
brain_db_path: str = ""
|
||||
|
||||
# ── Security Tuning ───────────────────────────────────────────────
|
||||
# Set to True in production to mark CSRF cookies as Secure (HTTPS only).
|
||||
csrf_cookie_secure: bool = False
|
||||
# Maximum size in bytes for chat API request bodies.
|
||||
chat_api_max_body_bytes: int = 1_048_576 # 1 MB
|
||||
|
||||
# ── Self-Modification ──────────────────────────────────────────────
|
||||
# Enable self-modification capabilities. When enabled, the agent can
|
||||
# edit its own source code, run tests, and commit changes.
|
||||
|
||||
Reference in New Issue
Block a user