-
Notifications
You must be signed in to change notification settings - Fork 0
[Snyk] Security upgrade next from 15.4.6 to 16.1.5 #14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: dev
Are you sure you want to change the base?
Changes from all commits
cf2ca63
6dba6ec
f81d7e6
bf73b42
e28eec6
0c9b733
61d0892
3b963e5
6d25e8f
f4a179e
ae6ef8c
f8b9e80
a58613a
41363b1
c3fe31e
708e84f
51a39ef
ccad664
e7f8602
b0e8131
683826c
921fb20
f786142
e3590e1
38ea49c
070e1c0
4d6ec00
c955e9a
39fe22f
29d4b4f
03cf392
f44920c
079d7c2
d991b4f
8321677
3c62ca2
7ea4077
9171c6d
f7c1906
b71d0ec
4d05a27
95650ee
04f8cd6
55af487
a60abe5
83f96b7
b9c7642
a37fac3
7373b47
b087618
02f5e92
bb71492
48f7561
9ca75d9
e3fa8f6
903a3b8
68974dc
b429505
df399e5
9b94a7d
b56da45
f542995
054c20a
9ce857e
2167625
686d811
d323dc2
e371ef8
878f61a
e632549
8331dab
7705cf2
326c4a9
4283798
69d873d
1c3fa80
0978f40
5dbc3a7
e043e49
2182c7b
e5d3eba
b85e820
6f8d0bf
1e6bd8d
05d4d21
5a5f7f0
cc6697e
f9b255f
b935638
fa2d968
3fe88b6
9848266
4a63fbc
c936055
59cc326
e2af2f4
a21711a
f172b31
7922e4a
377b5ef
2d10ac9
7b3ee66
c972f34
178c91d
40601f1
3c52b75
378d256
3131e2e
e60deba
ac9265c
4f208d2
fbe4329
e8f897e
5338ab5
de7b6b5
a28b2cf
098c12a
da16397
c1c5571
b68e490
0116866
d4b5508
28d85ad
f4a7323
e13e0d4
89eb5d1
c168277
6c34790
abba10b
b9c3920
a2059c6
793de77
41f5007
34dd218
2d436ca
a135f09
0dd30e2
af7d566
4bfeddc
b53c373
21faf1b
df20b70
6bb6a08
03e3e2e
af58b31
2403931
9158d4b
6fce3a0
bf92e7d
32513b2
5d364e1
7293859
542f951
908dcd7
ba65fee
5da5c2e
92515b3
a8feb3c
312cb02
35bd7f7
105d5dc
62032e6
75a159d
260dd52
483c399
650be0d
e2c33e3
fa14bf4
4abe373
ebfbf31
38610d1
c6247f2
1105e6c
0c09b0c
2610c45
c2af8c1
c4483fa
ccc4d0d
4589b15
f4538d6
68cd1cb
7c908c1
fa5ff9c
2848e62
aa256f2
bd97727
5502256
a54bed6
61f17e5
476bfc6
8a9c165
a9530b7
e0520f5
5b12e02
76090f0
2bb8e91
890bb3b
1aa7e10
469b1fc
bc43d05
da585a3
8a68e03
c0172c9
fecbd30
c682148
533d2d0
44d7393
3718b94
b713093
82618ae
c9a545e
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,11 +9,13 @@ | |
|
|
||
| # Platform - Backend | ||
| !autogpt_platform/backend/backend/ | ||
| !autogpt_platform/backend/test/e2e_test_data.py | ||
| !autogpt_platform/backend/migrations/ | ||
| !autogpt_platform/backend/schema.prisma | ||
| !autogpt_platform/backend/pyproject.toml | ||
| !autogpt_platform/backend/poetry.lock | ||
| !autogpt_platform/backend/README.md | ||
| !autogpt_platform/backend/.env | ||
|
|
||
| # Platform - Market | ||
| !autogpt_platform/market/market/ | ||
|
|
@@ -26,13 +28,15 @@ | |
| # Platform - Frontend | ||
| !autogpt_platform/frontend/src/ | ||
| !autogpt_platform/frontend/public/ | ||
| !autogpt_platform/frontend/scripts/ | ||
| !autogpt_platform/frontend/package.json | ||
| !autogpt_platform/frontend/pnpm-lock.yaml | ||
| !autogpt_platform/frontend/tsconfig.json | ||
| !autogpt_platform/frontend/README.md | ||
| ## config | ||
| !autogpt_platform/frontend/*.config.* | ||
| !autogpt_platform/frontend/.env.* | ||
| !autogpt_platform/frontend/.env | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Including |
||
|
|
||
| # Classic - AutoGPT | ||
| !classic/original_autogpt/autogpt/ | ||
|
|
||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,244 @@ | ||||||
| # GitHub Copilot Instructions for AutoGPT | ||||||
|
|
||||||
| This file provides comprehensive onboarding information for GitHub Copilot coding agent to work efficiently with the AutoGPT repository. | ||||||
|
|
||||||
| ## Repository Overview | ||||||
|
|
||||||
| **AutoGPT** is a powerful platform for creating, deploying, and managing continuous AI agents that automate complex workflows. This is a large monorepo (~150MB) containing multiple components: | ||||||
|
|
||||||
| - **AutoGPT Platform** (`autogpt_platform/`) - Main focus: Modern AI agent platform (Polyform Shield License) | ||||||
| - **Classic AutoGPT** (`classic/`) - Legacy agent system (MIT License) | ||||||
| - **Documentation** (`docs/`) - MkDocs-based documentation site | ||||||
| - **Infrastructure** - Docker configurations, CI/CD, and development tools | ||||||
|
|
||||||
| **Primary Languages & Frameworks:** | ||||||
| - **Backend**: Python 3.10-3.13, FastAPI, Prisma ORM, PostgreSQL, RabbitMQ | ||||||
| - **Frontend**: TypeScript, Next.js 15, React, Tailwind CSS, Radix UI | ||||||
| - **Development**: Docker, Poetry, pnpm, Playwright, Storybook | ||||||
|
|
||||||
| ## Build and Validation Instructions | ||||||
|
|
||||||
| ### Essential Setup Commands | ||||||
|
|
||||||
| **Always run these commands in the correct directory and in this order:** | ||||||
|
|
||||||
| 1. **Initial Setup** (required once): | ||||||
| ```bash | ||||||
| # Clone and enter repository | ||||||
| git clone <repo> && cd AutoGPT | ||||||
|
|
||||||
| # Start all services (database, redis, rabbitmq, clamav) | ||||||
| cd autogpt_platform && docker compose --profile local up deps --build --detach | ||||||
| ``` | ||||||
|
|
||||||
| 2. **Backend Setup** (always run before backend development): | ||||||
| ```bash | ||||||
| cd autogpt_platform/backend | ||||||
| poetry install # Install dependencies | ||||||
| poetry run prisma migrate dev # Run database migrations | ||||||
| poetry run prisma generate # Generate Prisma client | ||||||
| ``` | ||||||
|
|
||||||
| 3. **Frontend Setup** (always run before frontend development): | ||||||
| ```bash | ||||||
| cd autogpt_platform/frontend | ||||||
| pnpm install # Install dependencies | ||||||
| ``` | ||||||
|
|
||||||
| ### Runtime Requirements | ||||||
|
|
||||||
| **Critical:** Always ensure Docker services are running before starting development: | ||||||
| ```bash | ||||||
| cd autogpt_platform && docker compose --profile local up deps --build --detach | ||||||
| ``` | ||||||
|
|
||||||
| **Python Version:** Use Python 3.11 (required; managed by Poetry via pyproject.toml) | ||||||
| **Node.js Version:** Use Node.js 21+ with pnpm package manager | ||||||
|
|
||||||
| ### Development Commands | ||||||
|
|
||||||
| **Backend Development:** | ||||||
| ```bash | ||||||
| cd autogpt_platform/backend | ||||||
| poetry run serve # Start development server (port 8000) | ||||||
| poetry run test # Run all tests (requires ~5 minutes) | ||||||
| poetry run pytest path/to/test.py # Run specific test | ||||||
| poetry run format # Format code (Black + isort) - always run first | ||||||
| poetry run lint # Lint code (ruff) - run after format | ||||||
| ``` | ||||||
|
|
||||||
| **Frontend Development:** | ||||||
| ```bash | ||||||
| cd autogpt_platform/frontend | ||||||
| pnpm dev # Start development server (port 3000) - use for active development | ||||||
| pnpm build # Build for production (only needed for E2E tests or deployment) | ||||||
| pnpm test # Run Playwright E2E tests (requires build first) | ||||||
| pnpm test-ui # Run tests with UI | ||||||
| pnpm format # Format and lint code | ||||||
| pnpm storybook # Start component development server | ||||||
| ``` | ||||||
|
|
||||||
| ### Testing Strategy | ||||||
|
|
||||||
| **Backend Tests:** | ||||||
| - **Block Tests**: `poetry run pytest backend/blocks/test/test_block.py -xvs` (validates all blocks) | ||||||
| - **Specific Block**: `poetry run pytest 'backend/blocks/test/test_block.py::test_available_blocks[BlockName]' -xvs` | ||||||
| - **Snapshot Tests**: Use `--snapshot-update` when output changes, always review with `git diff` | ||||||
|
|
||||||
| **Frontend Tests:** | ||||||
| - **E2E Tests**: Always run `pnpm dev` before `pnpm test` (Playwright requires running instance) | ||||||
| - **Component Tests**: Use Storybook for isolated component development | ||||||
|
|
||||||
| ### Critical Validation Steps | ||||||
|
|
||||||
| **Before committing changes:** | ||||||
| 1. Run `poetry run format` (backend) and `pnpm format` (frontend) | ||||||
| 2. Ensure all tests pass in modified areas | ||||||
| 3. Verify Docker services are still running | ||||||
| 4. Check that database migrations apply cleanly | ||||||
|
|
||||||
| **Common Issues & Workarounds:** | ||||||
| - **Prisma issues**: Run `poetry run prisma generate` after schema changes | ||||||
| - **Permission errors**: Ensure Docker has proper permissions | ||||||
| - **Port conflicts**: Check the `docker-compose.yml` file for the current list of exposed ports. You can list all mapped ports with: | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This sentence appears to be incomplete. Please either add the command to list mapped ports or remove the trailing 'with:'.
Suggested change
|
||||||
| - **Test timeouts**: Backend tests can take 5+ minutes, use `-x` flag to stop on first failure | ||||||
|
|
||||||
| ## Project Layout & Architecture | ||||||
|
|
||||||
| ### Core Architecture | ||||||
|
|
||||||
| **AutoGPT Platform** (`autogpt_platform/`): | ||||||
| - `backend/` - FastAPI server with async support | ||||||
| - `backend/backend/` - Core API logic | ||||||
| - `backend/blocks/` - Agent execution blocks | ||||||
| - `backend/data/` - Database models and schemas | ||||||
| - `schema.prisma` - Database schema definition | ||||||
| - `frontend/` - Next.js application | ||||||
| - `src/app/` - App Router pages and layouts | ||||||
| - `src/components/` - Reusable React components | ||||||
| - `src/lib/` - Utilities and configurations | ||||||
| - `autogpt_libs/` - Shared Python utilities | ||||||
| - `docker-compose.yml` - Development stack orchestration | ||||||
|
|
||||||
| **Key Configuration Files:** | ||||||
| - `pyproject.toml` - Python dependencies and tooling | ||||||
| - `package.json` - Node.js dependencies and scripts | ||||||
| - `schema.prisma` - Database schema and migrations | ||||||
| - `next.config.mjs` - Next.js configuration | ||||||
| - `tailwind.config.ts` - Styling configuration | ||||||
|
|
||||||
| ### Security & Middleware | ||||||
|
|
||||||
| **Cache Protection**: Backend includes middleware preventing sensitive data caching in browsers/proxies | ||||||
| **Authentication**: JWT-based with Supabase integration | ||||||
| **User ID Validation**: All data access requires user ID checks - verify this for any `data/*.py` changes | ||||||
|
|
||||||
| ### Development Workflow | ||||||
|
|
||||||
| **GitHub Actions**: Multiple CI/CD workflows in `.github/workflows/` | ||||||
| - `platform-backend-ci.yml` - Backend testing and validation | ||||||
| - `platform-frontend-ci.yml` - Frontend testing and validation | ||||||
| - `platform-fullstack-ci.yml` - End-to-end integration tests | ||||||
|
|
||||||
| **Pre-commit Hooks**: Run linting and formatting checks | ||||||
| **Conventional Commits**: Use format `type(scope): description` (e.g., `feat(backend): add API`) | ||||||
|
|
||||||
| ### Key Source Files | ||||||
|
|
||||||
| **Backend Entry Points:** | ||||||
| - `backend/backend/server/server.py` - FastAPI application setup | ||||||
| - `backend/backend/data/` - Database models and user management | ||||||
| - `backend/blocks/` - Agent execution blocks and logic | ||||||
|
|
||||||
| **Frontend Entry Points:** | ||||||
| - `frontend/src/app/layout.tsx` - Root application layout | ||||||
| - `frontend/src/app/page.tsx` - Home page | ||||||
| - `frontend/src/lib/supabase/` - Authentication and database client | ||||||
|
|
||||||
| **Protected Routes**: Update `frontend/lib/supabase/middleware.ts` when adding protected routes | ||||||
|
|
||||||
| ### Agent Block System | ||||||
|
|
||||||
| Agents are built using a visual block-based system where each block performs a single action. Blocks are defined in `backend/blocks/` and must include: | ||||||
| - Block definition with input/output schemas | ||||||
| - Execution logic with proper error handling | ||||||
| - Tests validating functionality | ||||||
|
|
||||||
| ### Database & ORM | ||||||
|
|
||||||
| **Prisma ORM** with PostgreSQL backend including pgvector for embeddings: | ||||||
| - Schema in `schema.prisma` | ||||||
| - Migrations in `backend/migrations/` | ||||||
| - Always run `prisma migrate dev` and `prisma generate` after schema changes | ||||||
|
|
||||||
| ## Environment Configuration | ||||||
|
|
||||||
| ### Configuration Files Priority Order | ||||||
| 1. **Backend**: `/backend/.env.default` → `/backend/.env` (user overrides) | ||||||
| 2. **Frontend**: `/frontend/.env.default` → `/frontend/.env` (user overrides) | ||||||
| 3. **Platform**: `/.env.default` (Supabase/shared) → `/.env` (user overrides) | ||||||
| 4. Docker Compose `environment:` sections override file-based config | ||||||
| 5. Shell environment variables have highest precedence | ||||||
|
|
||||||
| ### Docker Environment Setup | ||||||
| - All services use hardcoded defaults (no `${VARIABLE}` substitutions) | ||||||
| - The `env_file` directive loads variables INTO containers at runtime | ||||||
| - Backend/Frontend services use YAML anchors for consistent configuration | ||||||
| - Copy `.env.default` files to `.env` for local development customization | ||||||
|
|
||||||
| ## Advanced Development Patterns | ||||||
|
|
||||||
| ### Adding New Blocks | ||||||
| 1. Create file in `/backend/backend/blocks/` | ||||||
| 2. Inherit from `Block` base class with input/output schemas | ||||||
| 3. Implement `run` method with proper error handling | ||||||
| 4. Generate block UUID using `uuid.uuid4()` | ||||||
| 5. Register in block registry | ||||||
| 6. Write tests alongside block implementation | ||||||
| 7. Consider how inputs/outputs connect with other blocks in graph editor | ||||||
|
|
||||||
| ### API Development | ||||||
| 1. Update routes in `/backend/backend/server/routers/` | ||||||
| 2. Add/update Pydantic models in same directory | ||||||
| 3. Write tests alongside route files | ||||||
| 4. For `data/*.py` changes, validate user ID checks | ||||||
| 5. Run `poetry run test` to verify changes | ||||||
|
|
||||||
| ### Frontend Development | ||||||
| 1. Components in `/frontend/src/components/` | ||||||
| 2. Use existing UI components from `/frontend/src/components/ui/` | ||||||
| 3. Add Storybook stories for component development | ||||||
| 4. Test user-facing features with Playwright E2E tests | ||||||
| 5. Update protected routes in middleware when needed | ||||||
|
|
||||||
| ### Security Guidelines | ||||||
| **Cache Protection Middleware** (`/backend/backend/server/middleware/security.py`): | ||||||
| - Default: Disables caching for ALL endpoints with `Cache-Control: no-store, no-cache, must-revalidate, private` | ||||||
| - Uses allow list approach for cacheable paths (static assets, health checks, public pages) | ||||||
| - Prevents sensitive data caching in browsers/proxies | ||||||
| - Add new cacheable endpoints to `CACHEABLE_PATHS` | ||||||
|
|
||||||
| ### CI/CD Alignment | ||||||
| The repository has comprehensive CI workflows that test: | ||||||
| - **Backend**: Python 3.11-3.13, services (Redis/RabbitMQ/ClamAV), Prisma migrations, Poetry lock validation | ||||||
| - **Frontend**: Node.js 21, pnpm, Playwright with Docker Compose stack, API schema validation | ||||||
| - **Integration**: Full-stack type checking and E2E testing | ||||||
|
|
||||||
| Match these patterns when developing locally - the copilot setup environment mirrors these CI configurations. | ||||||
|
|
||||||
| ## Collaboration with Other AI Assistants | ||||||
|
|
||||||
| This repository is actively developed with assistance from Claude (via CLAUDE.md files). When working on this codebase: | ||||||
| - Check for existing CLAUDE.md files that provide additional context | ||||||
| - Follow established patterns and conventions already in the codebase | ||||||
| - Maintain consistency with existing code style and architecture | ||||||
| - Consider that changes may be reviewed and extended by both human developers and AI assistants | ||||||
|
|
||||||
| ## Trust These Instructions | ||||||
|
|
||||||
| These instructions are comprehensive and tested. Only perform additional searches if: | ||||||
| 1. Information here is incomplete for your specific task | ||||||
| 2. You encounter errors not covered by the workarounds | ||||||
| 3. You need to understand implementation details not covered above | ||||||
|
|
||||||
| For detailed platform development patterns, refer to `autogpt_platform/CLAUDE.md` and `AGENTS.md` in the repository root. | ||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Including
.envfiles in the Docker build context by using!is a critical security risk. These files often contain secrets and sensitive configuration that should never be part of a Docker image. If these images are published, it could lead to a secret leak. Please remove this line to ensure.envfiles are always ignored.