kimi/Timmy-time-dashboard
Archived
1
0
Fork 0
forked from Rockachopa/Timmy-time-dashboard
Code Pull Requests Activity

refactor: centralize config & harden security (#141)

Browse Source 
* feat: upgrade primary model from llama3.1:8b to qwen2.5:14b

- Swap OLLAMA_MODEL_PRIMARY to qwen2.5:14b for better reasoning
- llama3.1:8b-instruct becomes fallback
- Update .env default and README quick start
- Fix hardcoded model assertions in tests

qwen2.5:14b provides significantly better multi-step reasoning
and tool calling reliability while still running locally on
modest hardware. The 8B model remains as automatic fallback.

* security: centralize config, harden uploads, fix silent exceptions

- Add 9 pydantic Settings fields (skip_embeddings, disable_csrf,
  rqlite_url, brain_source, brain_db_path, csrf_cookie_secure,
  chat_api_max_body_bytes, timmy_test_mode) to centralize env-var access
- Migrate 8 os.environ.get() calls across 5 source files to use
  `from config import settings` per project convention
- Add path traversal defense-in-depth to file upload endpoint
- Add 1MB request body size limit to chat API
- Make CSRF cookie secure flag configurable via settings
- Replace 2 silent `except: pass` blocks with debug logging in session.py
- Remove unused `import os` from brain/memory.py and csrf.py
- Update 5 CSRF test fixtures to patch settings instead of os.environ

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Trip T <trip@local>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Alexander Whitestone
2026-03-07 18:49:37 -05:00
committed by GitHub
parent cdd3e1a90b
commit b615595100
14 changed files with 80 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/dashboard/middleware/csrf.py
View File

@@ -7,7 +7,6 @@ to protect state-changing endpoints from cross-site request attacks.
import secrets
import hmac
import hashlib
import os
from typing import Callable, Optional
from functools import wraps
@@ -125,7 +124,8 @@ class CSRFMiddleware(BaseHTTPMiddleware):
For unsafe methods: Validate the CSRF token.
"""
# Bypass CSRF if explicitly disabled (e.g. in tests)
if os.environ.get("TIMMY_DISABLE_CSRF") == "1":
from config import settings
if settings.timmy_disable_csrf:
return await call_next(request)
# Get existing CSRF token from cookie
@@ -142,7 +142,7 @@ class CSRFMiddleware(BaseHTTPMiddleware):
key=self.cookie_name,
value=new_token,
httponly=False, # Must be readable by JavaScript
secure=False, # Set to True in production with HTTPS
secure=settings.csrf_cookie_secure,
samesite="Lax",
max_age=86400 # 24 hours
)