Conversation

@SL-Mar SL-Mar commented Feb 8, 2026

Security fixes (P0):

  • Fix XXE vulnerability in rtz_parser.py using defusedxml
  • Remove unsafe-inline/unsafe-eval from CSP headers
  • Add authentication to all mutating endpoints
  • Add file size limits on uploads (5MB RTZ, 50MB CSV)
  • Add rate limiting decorators to all endpoints

Reliability improvements (P1):

  • Create thread-safe state management (api/state.py)
  • Implement bounded LRU cache with eviction (api/cache.py)
  • Add circuit breaker for external API calls (api/resilience.py)
  • Add retry logic with exponential backoff
  • Add comprehensive health checks with dependency verification

Observability improvements:

  • Add K8s-ready health endpoints (/api/health/live, /api/health/ready)
  • Add detailed status endpoint (/api/status)
  • Health checks now verify database and Redis connectivity

CI/CD fixes:

  • Add missing npm test step to frontend-test job
  • Add frontend coverage upload to Codecov

Dependencies:

  • Add defusedxml for XXE protection
  • Add tenacity for retry logic
  • Add pybreaker for circuit breaker
  • Add slowapi for rate limiting

https://claude.ai/code/session_01ByTUvqWcEnaBiRicm3Qnfy
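As an added example (not code from this PR or from the project's rtz_parser.py), here is the shape of the XXE fix and the 5 MB upload gate listed above: a defusedxml-backed parser for a minimal RTZ-style route. The RTZ namespace and element names in the constructed samples are assumptions, and the stdlib fallback path only applies where defusedxml is not installed.

```python
"""
Added example, not the project's rtz_parser.py: parse a minimal RTZ-style
route with defusedxml so documents carrying DTD entity declarations are
refused, with the 5 MB upload gate from the PR description in front of it.
The RTZ namespace/element names in the samples are assumptions.
"""
from dataclasses import dataclass
from typing import List

try:
    # defusedxml's fromstring raises EntitiesForbidden / ExternalReferenceForbidden
    # instead of resolving entity declarations or external references.
    import defusedxml.ElementTree as ET
    from defusedxml import DefusedXmlException
    HAVE_DEFUSEDXML = True
except ImportError:  # assumption: defusedxml may be absent in a demo environment
    import xml.etree.ElementTree as ET

    class DefusedXmlException(Exception):  # placeholder; stdlib never raises it
        pass

    HAVE_DEFUSEDXML = False

MAX_RTZ_BYTES = 5 * 1024 * 1024  # 5 MB RTZ limit named in the PR description


class RtzRejected(ValueError):
    """Raised for any upload the parser refuses to process."""


@dataclass(frozen=True)
class Waypoint:
    name: str
    lat: float
    lon: float


def _local(tag) -> str:
    """Strip a Clark-notation namespace: '{ns}waypoint' -> 'waypoint'."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def parse_rtz(data: bytes) -> List[Waypoint]:
    # Size gate runs before any parsing, so an oversized body never reaches expat.
    if len(data) > MAX_RTZ_BYTES:
        raise RtzRejected(f"file exceeds {MAX_RTZ_BYTES} bytes")
    if not HAVE_DEFUSEDXML and (b"<!DOCTYPE" in data or b"<!ENTITY" in data):
        # Weaker stand-in for defusedxml: a byte scan of the raw upload. A route
        # file never legitimately needs a DTD, so refusing one loses nothing.
        raise RtzRejected("DTD/entity declarations are not allowed in route files")
    try:
        root = ET.fromstring(data)
    except DefusedXmlException as exc:
        raise RtzRejected(f"rejected by defusedxml: {type(exc).__name__}") from exc
    except ET.ParseError as exc:
        raise RtzRejected(f"malformed XML: {exc}") from exc

    waypoints: List[Waypoint] = []
    for elem in root.iter():
        if _local(elem.tag) != "waypoint":
            continue
        pos = next((c for c in elem if _local(c.tag) == "position"), None)
        if pos is None:
            raise RtzRejected(f"waypoint {elem.get('id')!r} has no position")
        try:
            lat, lon = float(pos.get("lat")), float(pos.get("lon"))
        except (TypeError, ValueError) as exc:
            raise RtzRejected("position lat/lon must be numeric") from exc
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise RtzRejected(f"position out of range: {lat}, {lon}")
        waypoints.append(Waypoint(elem.get("name", ""), lat, lon))
    return waypoints


def is_rejected(data: bytes) -> bool:
    """True when parse_rtz refuses the input (exercises the guards above)."""
    try:
        parse_rtz(data)
    except RtzRejected:
        return True
    return False


# Constructed sample route (RTZ 1.0 namespace and element names assumed).
SAMPLE_ROUTE = b"""<?xml version="1.0" encoding="UTF-8"?>
<route xmlns="http://www.cirm.org/RTZ/1/0" version="1.0">
  <waypoints>
    <waypoint id="1" name="Start"><position lat="51.5" lon="-0.12"/></waypoint>
    <waypoint id="2" name="End"><position lat="48.85" lon="2.35"/></waypoint>
  </waypoints>
</route>"""

# Constructed sample with an internal DTD entity declaration: harmless by
# itself, but it is exactly the construct a hardened parser must refuse.
SAMPLE_WITH_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE route [ <!ENTITY wp "Start"> ]>
<route xmlns="http://www.cirm.org/RTZ/1/0" version="1.0">
  <waypoints><waypoint id="1" name="&wp;"><position lat="0" lon="0"/></waypoint></waypoints>
</route>"""

if __name__ == "__main__":
    print(parse_rtz(SAMPLE_ROUTE))
    print("entity sample rejected:", is_rejected(SAMPLE_WITH_ENTITY))
```

With defusedxml installed, `fromstring` keeps its defaults (`forbid_entities=True`, `forbid_external=True`), so the second sample is refused at the entity declaration rather than expanded. The geometry checks after parsing are ordinary input validation, included because a hardened parser still has to reject structurally valid but nonsensical routes.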

claude and others added 11 commits January 26, 2026 22:59
Security fixes (P0):
- Fix XXE vulnerability in rtz_parser.py using defusedxml
- Remove unsafe-inline/unsafe-eval from CSP headers
- Add authentication to all mutating endpoints
- Add file size limits on uploads (5MB RTZ, 50MB CSV)
- Add rate limiting decorators to all endpoints

Reliability improvements (P1):
- Create thread-safe state management (api/state.py)
- Implement bounded LRU cache with eviction (api/cache.py)
- Add circuit breaker for external API calls (api/resilience.py)
- Add retry logic with exponential backoff
- Add comprehensive health checks with dependency verification

Observability improvements:
- Add K8s-ready health endpoints (/api/health/live, /api/health/ready)
- Add detailed status endpoint (/api/status)
- Health checks now verify database and Redis connectivity

CI/CD fixes:
- Add missing npm test step to frontend-test job
- Add frontend coverage upload to Codecov

Dependencies:
- Add defusedxml for XXE protection
- Add tenacity for retry logic
- Add pybreaker for circuit breaker
- Add slowapi for rate limiting

https://claude.ai/code/session_01ByTUvqWcEnaBiRicm3Qnfy

Comprehensive review covering:
- Architecture, stack, and container model assessment
- Code quality and CI/CD pipeline analysis
- Security evaluation (auth, input validation, headers)
- Observability and operations readiness
- Performance and scalability concerns
- Deployment and rollback procedures
- Documentation gaps

Verdict: Yes-with-risks for production readiness

Key improvements since previous review:
- CORS wildcard removed
- Dev API key removed from init script
- Security headers middleware added
- Structured logging implemented
- Prometheus metrics endpoint added
- Request ID tracing implemented

Remaining P1 actions:
- Refactor global mutable state
- Add pagination to list endpoints
- Add Trivy image scan to CI

https://claude.ai/code/session_01P3Cc3QXZqDcpU5ikQfFSCc

Multi-phase validation roadmap starting with Windy-like weather visualization
(Phase 1), followed by physics engine fixes (Phase 2), route optimization
validation (Phase 3), and production hardening (Phase 4). Includes honest
assessment of current state and high-impact contribution areas.

https://claude.ai/code/session_01BdMG31NpXjwGRG9tESuALh

9 issues covering Phase 1 (weather viz), Phase 2 (physics bugs),
and release blockers (license, .gitignore). Run with:
  gh auth login && bash scripts/create-github-issues.sh

https://claude.ai/code/session_01BdMG31NpXjwGRG9tESuALh

Resolve conflicts in api/main.py (keep both RequestValidationError and
RateLimitExceeded imports) and requirements.txt (use higher versions
from engineering branch, deduplicate bcrypt/redis).

These files were generated during previous branch consolidation sessions
and are no longer needed. Project documentation lives in README.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Analyzes divergence between the two branches from their common
ancestor (30f07ed). Documents key differences in licensing,
infrastructure, security, and strategic direction with
actionable recommendations.

https://claude.ai/code/session_01Vk55aPLw9Ryo8iqNArezEN
Fixes all references that incorrectly stated "Commercial License":
- api/main.py: module docstring and OpenAPI license_info
- Dockerfile: OCI image label
- frontend/README.md: footer license line
- scripts/create-github-issues.sh: mark license issue as resolved

Removes the now-obsolete BRANCH_ASSESSMENT.md since the branches
have been merged and aligned.

https://claude.ai/code/session_01Vk55aPLw9Ryo8iqNArezEN
Problems fixed:
- CMEMS env vars mismatched: .env.example had COPERNICUS_USERNAME but
  the library expects COPERNICUSMARINE_SERVICE_USERNAME/PASSWORD
- CDS API credentials (CDSAPI_URL/CDSAPI_KEY) were missing from .env.example
- api/config.py had no Copernicus settings, so .env values never reached
  the provider
- copernicusmarine.open_dataset() was called without passing credentials,
  causing interactive prompts when unconfigured
- No credential guards: missing credentials caused noisy errors instead
  of clean fallback to synthetic data

Changes:
- .env.example: Replace COPERNICUS_MOCK_MODE/USERNAME/PASSWORD with
  correct CDSAPI_KEY and COPERNICUSMARINE_SERVICE_* vars
- api/config.py: Add Copernicus credential settings with has_cds/cmems
  helper properties
- api/main.py: Wire credentials from settings into provider, set CDSAPI
  env vars, add os import, update /api/data-sources to show credential
  status
- src/data/copernicus.py: Fix env var names, pass credentials to all
  copernicusmarine.open_dataset() calls, add credential guards before
  API calls, add null checks on returned datasets
- requirements.txt: Add cdsapi, copernicusmarine, xarray, netcdf4

https://claude.ai/code/session_01Vk55aPLw9Ryo8iqNArezEN
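As an added example of the credential guard this commit describes (not the project's api/config.py or src/data/copernicus.py), the settings object below reads the env var names the commit lists, exposes has_cds/has_cmems as booleans, and routes to synthetic data when credentials are absent or the remote call returns nothing. The fetcher callables are stand-ins for the real copernicusmarine client.

```python
"""
Added example, not the project's code: credential guards that read the
CMEMS/CDS env var names from the commit message and fall back to synthetic
data instead of letting a client library open an interactive prompt.
"""
import os
from dataclasses import dataclass, field
from typing import Callable, List, Mapping, Optional, Tuple


@dataclass(frozen=True)
class CopernicusSettings:
    cmems_username: Optional[str]
    cmems_password: Optional[str] = field(repr=False)  # keep secrets out of repr/logs
    cds_url: Optional[str] = None
    cds_key: Optional[str] = field(default=None, repr=False)

    @classmethod
    def from_env(cls, env: Mapping[str, str] = os.environ) -> "CopernicusSettings":
        def pick(name: str) -> Optional[str]:
            value = env.get(name, "").strip()
            return value or None  # an empty or whitespace .env line counts as unset

        return cls(
            cmems_username=pick("COPERNICUSMARINE_SERVICE_USERNAME"),
            cmems_password=pick("COPERNICUSMARINE_SERVICE_PASSWORD"),
            cds_url=pick("CDSAPI_URL"),
            cds_key=pick("CDSAPI_KEY"),
        )

    @property
    def has_cmems(self) -> bool:
        return bool(self.cmems_username and self.cmems_password)

    @property
    def has_cds(self) -> bool:
        return bool(self.cds_url and self.cds_key)

    def credential_status(self) -> dict:
        """Booleans only, so it is safe to expose on a data-sources endpoint."""
        return {"cmems": self.has_cmems, "cds": self.has_cds}


# Hypothetical fetcher signatures standing in for the real client library.
RemoteFetcher = Callable[[str, str], Optional[List[float]]]
SyntheticFetcher = Callable[[], List[float]]


def wave_heights(settings: CopernicusSettings, remote: RemoteFetcher,
                 synthetic: SyntheticFetcher) -> Tuple[str, List[float]]:
    """Credential guard: only call the remote client when both values are set,
    and treat a None result as 'no data' rather than crashing downstream."""
    if not settings.has_cmems:
        return "synthetic", synthetic()
    dataset = remote(settings.cmems_username, settings.cmems_password)
    if dataset is None:  # null check on the returned dataset, as in the commit
        return "synthetic", synthetic()
    return "cmems", dataset


if __name__ == "__main__":
    # Constructed environment: CMEMS password blank, CDS fully configured.
    demo_env = {"COPERNICUSMARINE_SERVICE_USERNAME": "demo-user",
                "COPERNICUSMARINE_SERVICE_PASSWORD": "   ",
                "CDSAPI_URL": "https://cds.example.invalid/api",
                "CDSAPI_KEY": "constructed-key"}
    s = CopernicusSettings.from_env(demo_env)
    print(s, s.credential_status())
    print(wave_heights(s, lambda u, p: [2.5], lambda: [1.0]))
```

`repr=False` on the secret fields matters in practice: settings objects end up in debug logs and tracebacks, and a dataclass repr would otherwise print the password and key verbatim.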

Separate combined sea state into wind-wave and primary swell components
throughout the backend stack. This enables physically accurate motion
prediction using RSS spectral superposition instead of treating the sea
as a single wave system, which masks dangerous cross-swell conditions.

Changes:
- CMEMS fetch requests VHM0_WW, VTM01_WW, VMDR_WW, VHM0_SW1, VTM01_SW1, VMDR_SW1
- WeatherData/PointWeather extended with decomposed wave fields
- SyntheticDataProvider generates realistic wind-wave + swell components
- SeakeepingModel.calculate_motions_decomposed() with RSS combination
- SafetyConstraints.assess_safety() uses decomposed data when available
- LegWeather extended with windwave/swell fields and has_decomposition flag
- API /api/weather/waves exposes decomposed wave data
- Fix SecurityWarning (undefined) fallback in rtz_parser.py

https://claude.ai/code/session_01Vk55aPLw9Ryo8iqNArezEN
@SL-Mar SL-Mar closed this Feb 8, 2026
@SL-Mar SL-Mar deleted the claude/assess-windmar-branches-MyoPg branch February 8, 2026 08:07