P0 — CRITICAL (CWE-798): JWT_SECRET crash-early
Replace hardcoded super-secret-key fallback with os.environ["JWT_SECRET"]
and ${JWT_SECRET:?} syntax in app.py + docker-compose files
P1 — HIGH: Frontend dependency CVEs
Upgrade svelte 5.43.8 → 5.56.4 — resolves devalue DoS (GHSA-g2pg-6438-jwpf)
and svelte XSS (GHSA-crpf-4hrx-3jrp, GHSA-m56q-vw4c-c2cp, GHSA-rcqx-6q8c-2c42)
P2 — MEDIUM: Logging hygiene + contract gaps + tool resolver refactor
Apply _redact_sensitive_fields() in middleware + event streaming
Truncate LLM error body to 100 chars
Add @RATIONALE/@REJECTED to HandleResume + SaveConversation
Refactor deterministic intent matching → LLM-driven tool resolution
P3 — LOW: Translate logging hardening
Move _sanitize_url() to _utils.py (shared, no circular imports)
Sanitize base_url before logging in _llm_call.py and _llm_async_http.py
Emit EXPLORE warning when LLM_SSL_VERIFY=false disables TLS
superset_client module: passed clean — no changes needed
Superset Tools Frontend (SvelteKit)
This is the frontend for the Superset Tools application, built with SvelteKit in SPA mode.
Development
-
Install dependencies:
npm install -
Run development server:
npm run devThe frontend will be available at
http://localhost:5173. It is configured to proxy API requests tohttp://localhost:8000.
Production Build
-
Build the static SPA:
npm run buildThis generates a static SPA in the
build/directory. -
Serve with Backend: The Python backend is configured to serve the files from
frontend/build/. Ensure the backend is running:cd ../backend python src/app.py
Architecture
- Routing: File-based routing in
src/routes/. - Layouts: Shared UI in
src/routes/+layout.svelte. - Data Loading:
loadfunctions in+page.tsfor efficient data fetching. - API Client: Centralized API logic in
src/lib/api.js. - Styling: Tailwind CSS.