Skip to content

Merge dev into master: architecture, security & daily push#234

Merged
jerry609 merged 15 commits into
masterfrom
dev
Mar 4, 2026
Merged

Merge dev into master: architecture, security & daily push#234
jerry609 merged 15 commits into
masterfrom
dev

Conversation

@jerry609

@jerry609 jerry609 commented Mar 4, 2026

Copy link
Copy Markdown
Owner

Summary

  • Update architecture diagram in README (replace ASCII with arc.png + Excalidraw academic color scheme)
  • Restructure README for professional presentation
  • Harden CodeQL security fixes (studio chat, runbook validation, review findings)
  • Daily push Epic [Epic] 每日推送优化 — 内容增强 + 图表提取 + 多渠道推送 #179 completion (MinerU figure extraction, email rendering, push channels)
  • Studio context pack, duplicate import UX, CLI chat fixes

Commits included

13 commits from dev since last merge to master.

Test plan

  • Verify README renders correctly on GitHub
  • Verify arc.png architecture image displays
  • Run existing CI test suite
  • Confirm no regressions in API endpoints

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

    • Paper Gallery view in Studio for browsing and managing research papers
    • Enhanced figure extraction from research papers with configurable MinerU integration
    • Context pack generation for reproducible research workflows
    • Improved search functionality across the application
  • Documentation

    • Reorganized README with clearer getting started and architecture sections
    • Added comprehensive AgentSwarm design documentation
    • Updated architecture diagrams and visual references
  • Tests

    • Added end-to-end test coverage for Papers and Research pages
    • Introduced smoke tests for core application pages
    • Expanded unit test suite for components and utilities
  • Chores

    • Added testing framework dependencies (Playwright, Vitest)
    • Environment configuration improvements

jerry609 and others added 14 commits March 3, 2026 18:03
* feat(push): implement Epic #179 — daily push optimization

Multi-channel push infrastructure with structured digest cards:

- #187: Integrate HF upvotes into Judge scoring prompt
- #180: Add digest_card extraction (highlight/method/finding/tags)
  with new LLM prompt, email template rendering, markdown output
- #181: MinerU Cloud API client for PDF figure extraction
- #182: Apprise multi-channel push layer with YAML config
- #183-185: Channel formatters (Telegram MarkdownV2, Discord Rich
  Embed, WeCom markdown+news, Feishu/Lark interactive card)
- #186: RSS 2.0 + Atom feed endpoints (/api/feed/daily.xml, .atom)

Also creates follow-up issues #190 (Push Channel Settings UI)
and #191 (Dashboard Digest Card Enhancement).

56 new tests, all passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: integrate MinerU figure extraction into CLI and ARQ worker daily-paper workflow

Refs #179

* fix(daily-push): enable MinerU flags in ARQ cron payload (refs #181)

* feat(push): wire channel formatters into apprise digest delivery (refs #182 #183 #184 #185)

* feat(feed): add keyword RSS, feed cache, and figure enclosure support (refs #186)

* feat(mineru): add extraction result cache for daily push figure pipeline (refs #181)

* feat(push): add telegram bot command subscription endpoint (refs #191)

* fix(push): add retry/backoff for channel delivery failures (refs #191)

* feat(hf): add trending modes, cache, and arxiv identity dedupe (refs #193)

* feat(push): add idempotency and error-code mapping for channel delivery (refs #191)

* test(push): add mock channel e2e and failure-injection coverage (refs #191)

* docs(push): add audit script and ops runbook for acceptance closure (refs #192)

* docs: update README for AgentSwarm execution transition

* docs: archive stale docs and rename AgentSwarm todo

* docs: add AgentSwarm design proposal + web Playwright e2e setup

- Add docs/proposals/agentswarm-design.md covering multi-agent
  orchestration architecture, adapter pattern, session management,
  skills ecosystem, and OpenCode/OpenClaw/oMo integration (refs #197, #214)
- Add Playwright e2e test scaffolding for web dashboard (smoke,
  papers, research specs)
- Update web/.gitignore for Playwright artifacts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…LI chat errors (#223)

* fix(studio): fix context pack generation, duplicate import UX, and CLI chat errors

- 支持内联标题/摘要,以绕过 PaperInputRouter 获取 studio 论文 ID

- 使上下文包生成 SSE 流期间的数据库持久化操作不再致命

- 从库中导入重复论文时显示错误消息

- 将左侧文件面板宽度缩小至约 18%(默认宽度);移除默认模板文件

- 为 Claude CLI 添加 --verbose 标志,以兼容 stream-json 输出

Related to #222

* fix(studio): fix context pack generation, duplicate import UX, and CLI chat errors
- 修改Gemini AI review代码问题

* fix(studio): fix context pack generation, duplicate import UX, and CLI chat errors
- 修改Gemini AI review代码问题

---------

Co-authored-by: Jerry Zhang <1772030600@qq.com>
* fix(mineru): support v4 async task extraction flow

* refactor(mineru): standardize on v4 task API for daily push (#179)
- Add centered hero header with badges (CI, Roadmap, License, Python, Next.js)
- Replace verbose 18-row feature table with categorized bullet lists
- Move Roadmap Phase 1-6 content to pinned issue #232
- Move module maturity matrix to Roadmap #232
- Consolidate screenshots into collapsible sections
- Remove inline API endpoint table (40+ rows) and directory tree
- Add Contributing section with Roadmap link
- Streamline Getting Started with collapsible config details
- Add repo topics for GitHub discoverability

References: vLLM, Docling, PaperQA2, R2R README patterns

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace ASCII architecture diagram in README with arc.png image
- Add TODO comment for future high-res diagram redraw
- Update architecture.excalidraw with academic color scheme (blue-gray + gold Domain accent)
- Add editable source links for Excalidraw and draw.io

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 4, 2026 11:48
@vercel

vercel Bot commented Mar 4, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
paper-bot Ready Ready Preview, Comment Mar 4, 2026 11:53am

@coderabbitai

coderabbitai Bot commented Mar 4, 2026

Copy link
Copy Markdown

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR introduces comprehensive enhancements across the PaperBot stack: MinerU-based figure extraction with async task polling and inline image support, hardened path validation for CLI safety, redesigned Studio UI with gallery/workspace modes and per-paper state caching, AgentSwarm design proposal documentation, new E2E and unit test infrastructure (Playwright/Vitest), and README restructuring to emphasize English-centric marketing layout. Multiple interconnected features enable context-pack-driven studio workflows with event-based streaming.

Changes

Cohort / File(s) Summary
Configuration & Git
.gitignore, web/.gitignore, env.example
Added environment file and test artifact ignores; introduced MinerU API config (base URL, model version, polling timeout) and DailyPaper figure rendering toggles.
Documentation
README.md, docs/proposals/agentswarm-design.md, asset/architecture.excalidraw
Restructured README from Chinese module-dense to English marketing layout; added comprehensive AgentSwarm design proposal covering multi-agent architecture, event-sourced state, and UI paradigm; refreshed architecture diagram with hexagonal/clean architecture annotations.
MinerU Integration
src/paperbot/infrastructure/extractors/mineru_client.py, src/paperbot/application/workflows/dailypaper.py, src/paperbot/application/services/email_template.py
Refactored MinerU client to async task-based API (create task, poll, parse ZIP/Markdown); added inline base64 image data URL support; introduced figure URL publishability filtering; added main figure HTML rendering in email templates.
Repro Context & Studio Chat
src/paperbot/api/routes/repro_context.py, src/paperbot/api/routes/studio_chat.py
Added inline paper data (title/abstract) support to context generation; enhanced studio chat with runtime directory allowance, context-pack loading/formatting, and NDJSON-based Claude CLI event streaming with keepalive heartbeats; added fallback to Anthropic API.
Path Safety & Hardening
src/paperbot/api/routes/runbook.py
Implemented realpath-based directory normalization; explicit denial checks against dangerous roots and home directory; tightened input validation with early rejection of empty/null-terminated strings.
Queue & CLI Configuration
src/paperbot/infrastructure/queue/arq_worker.py, src/paperbot/presentation/cli/main.py
Added MinerU config parameters (base URL, model version, max wait seconds) to daily_papers_job signature and CLI daily-paper command; threaded configuration through job enqueue payloads.
Studio Web UI
web/src/app/studio/page.tsx, web/src/components/studio/PaperGallery.tsx, web/src/components/studio/PaperIcon.tsx, web/src/components/studio/ReproductionLog.tsx, web/src/components/studio/NewPaperModal.tsx, web/src/components/studio/PapersPanel.tsx
Introduced gallery/workspace dual-mode layout; added deterministic identicon-based PaperIcon component; created PaperGallery with search/sort/delete; enhanced ReproductionLog with context-pack generation, event-based CLI streaming, and streaming action aggregation; improved duplicate-title detection in NewPaperModal.
Store & State Management
web/src/lib/store/studio-store.ts, web/src/lib/store/project-context.ts, web/src/hooks/useContextPackGeneration.ts
Implemented per-paper caching of context/generation/observation state across paper switches; added appendToLastAction for streaming text aggregation; added title/abstract to context-pack generation payload; simplified project file defaults.
Runbook Utilities
web/src/lib/runbook/deleteProjectFiles.ts
New utility function for batch deletion of project files via API listing and per-file delete requests.
Testing Infrastructure
web/package.json, web/playwright.config.ts, web/vitest.config.ts
Added Playwright and Vitest testing frameworks; configured E2E runner with auto-server startup, CI-specific retries, and Chromium project profile; configured Vitest with node environment.
Backend Unit Tests
tests/unit/test_mineru_client.py, tests/unit/test_dailypaper.py, tests/unit/test_arq_daily_papers.py, tests/unit/test_daily_digest_card.py
Added comprehensive MinerU client tests (URL validation, host rejection, ZIP/Markdown parsing, inline data); dailypaper publishable-figure filtering; digest card main-figure rendering (inline/external/rejected URLs); ARQ job config propagation.
Frontend E2E & Unit Tests
web/e2e/papers.spec.ts, web/e2e/research.spec.ts, web/e2e/smoke.spec.ts, web/src/components/studio/PaperIcon.test.tsx, tests/unit/test_studio_chat_path_validation.py, web/src/lib/store/studio-store.test.ts
New Playwright test suites for papers, research, and smoke; PaperIcon abbreviation and SVG determinism tests; studio chat path resolution validation; studio store per-paper caching and text-append tests.
Web Config
web/next.config.ts
Enabled HTTP agent keep-alive for improved connection reuse.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

Possibly related PRs

Suggested reviewers

  • Copilot

Poem

🐰 Whiskers twitching with delight,
MinerU figures render bright,
Papers bloom in gallery mode,
Studio paths on safer road,
AgentSwarm takes its stance,
With event-driven dance!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 29.07% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Merge dev into master: architecture, security & daily push' accurately summarizes the main changes. It identifies the primary focus areas (architecture updates, security hardening, and daily push feature implementation) and clearly indicates this is a merge commit.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
  • 📝 Generate docstrings (stacked PR)
  • 📝 Generate docstrings (commit on current branch)
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch dev

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist

Copy link
Copy Markdown

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request merges the dev branch into master, bringing significant architectural, security, and feature enhancements. The core focus is on refining the DeepCode Studio experience, introducing advanced capabilities like MinerU-powered figure extraction for daily paper reports, and laying the groundwork for a sophisticated multi-agent system with the AgentSwarm design proposal. Additionally, the project's documentation has been modernized, security validations improved, and a comprehensive E2E testing suite integrated for the web frontend.

Highlights

  • README Revamp: The README.md has been completely rewritten, transitioning from Chinese to English, and features a new, professional presentation with updated architecture diagrams and feature descriptions.
  • Enhanced Studio Workflow: The DeepCode Studio now includes a paper gallery view, improved handling of duplicate paper imports, and a more robust Claude CLI integration with structured JSON streaming and context pack support.
  • MinerU Figure Extraction: Integrated MinerU Cloud API for automated extraction of main figures from PDFs in the daily paper workflow, with support for rendering these figures in email notifications.
  • Security Hardening: Strengthened runbook directory validation to prevent path traversal vulnerabilities and improved error handling for context pack persistence.
  • AgentSwarm Design Proposal: A new detailed design document for AgentSwarm has been added, outlining a multi-agent collaboration platform for paper-to-code reproduction.
  • E2E Testing Infrastructure: New Playwright end-to-end tests have been added for key web pages (Papers, Research, Studio smoke tests) to improve UI reliability.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog
  • .gitignore
    • Added patterns to ignore various .env files and their subdirectories.
  • README.md
    • Rewrote the entire README to English, updated the architecture section with a new image, reorganized features, and added new sections for getting started, module status, roadmap, contributing, and documentation.
  • asset/architecture.excalidraw
    • Updated the Excalidraw architecture diagram with new colors and elements to reflect the system's design.
  • docs/proposals/agentswarm-design.md
    • Added a new detailed design proposal document for the AgentSwarm multi-agent collaboration platform.
  • env.example
    • Added new environment variables for MinerU API configuration and daily paper figure extraction settings.
  • src/paperbot/api/routes/repro_context.py
    • Implemented inline paper data support for context pack generation requests and added robust error handling for database persistence operations.
  • src/paperbot/api/routes/runbook.py
    • Enhanced directory path validation in runbook operations to prevent path traversal attacks and explicitly denied sensitive root directories.
  • src/paperbot/api/routes/studio_chat.py
    • Refactored Claude CLI integration to use structured JSON streaming, added context pack integration by writing CONTEXT.md to the project directory, and improved project directory validation.
  • src/paperbot/application/services/email_template.py
    • Modified email rendering logic to include support for displaying main figures extracted from papers, handling both direct URLs and inline data URLs.
  • src/paperbot/application/workflows/dailypaper.py
    • Integrated MinerU figure extraction into the daily paper generation workflow, allowing for the inclusion of main figures in reports.
  • src/paperbot/infrastructure/extractors/mineru_client.py
    • Updated the MinerU client to utilize the v4 async task API, added logic for parsing figures from ZIP artifacts and embedding them as inline data URLs, and implemented URL validation to reject unsupported hosts.
  • src/paperbot/infrastructure/queue/arq_worker.py
    • Updated the cron_daily_papers job to pass MinerU API configuration parameters for figure extraction.
  • src/paperbot/presentation/cli/main.py
    • Added new command-line arguments for configuring MinerU API settings (base URL, model version, max wait time) in the daily-paper command.
  • tests/unit/test_arq_daily_papers.py
    • Updated the unit test for cron_daily_papers to verify the correct passing of MinerU API parameters.
  • tests/unit/test_daily_digest_card.py
    • Added new unit tests to ensure main figures are correctly rendered in email HTML, including inline data URLs and public HTTP URLs, while rejecting insecure or unpublishable URLs.
  • tests/unit/test_dailypaper.py
    • Added unit tests for the _is_publishable_figure_url helper and extract_figures_for_report to verify correct handling of inline main figures.
  • tests/unit/test_mineru_client.py
    • Added comprehensive unit tests for MinerU client's URL validation, parsing figures from markdown within ZIP files, and generating inline data URLs for images.
  • tests/unit/test_studio_chat_path_validation.py
    • Added new unit tests to validate the _resolve_cli_project_dir function, ensuring it correctly handles project directory paths and rejects disallowed locations.
  • web/.gitignore
    • Added new entries to ignore Playwright test reports and cache directories.
  • web/e2e/papers.spec.ts
    • Added new Playwright end-to-end tests to verify the papers page loads correctly and displays import/export options.
  • web/e2e/research.spec.ts
    • Added new Playwright end-to-end tests to confirm the research page loads and contains search input and topic sections.
  • web/e2e/smoke.spec.ts
    • Added a suite of Playwright end-to-end smoke tests to ensure various core web pages (homepage, dashboard, papers, research, scholars, settings, studio) load without application errors.
  • web/next.config.ts
    • Configured httpAgentOptions with keepAlive: true for improved HTTP connection management.
  • web/package-lock.json
    • Updated package-lock.json to reflect new dependencies for Playwright and Vitest.
  • web/package.json
    • Added Playwright and Vitest as dev dependencies and included new npm scripts for running E2E and unit tests.
  • web/playwright.config.ts
    • Added a new Playwright configuration file for running end-to-end tests, including web server setup and reporting.
  • web/src/app/studio/page.tsx
    • Refactored the Studio page to introduce a paper gallery view, improved the display of paper statuses with loading indicators, and streamlined the layout for better mobile responsiveness.
  • web/src/components/studio/NewPaperModal.tsx
    • Enhanced the new paper modal in the Studio to prevent adding papers with duplicate titles and to provide clearer feedback when importing existing papers.
  • web/src/components/studio/PaperGallery.tsx
    • Introduced a new PaperGallery component to provide a visual overview of all papers in the Studio, complete with search, add, and delete functionalities, replacing the previous PapersPanel.
  • web/src/components/studio/PaperIcon.test.tsx
    • Added unit tests for the PaperIcon component, covering abbreviation generation and deterministic rendering.
  • web/src/components/studio/PaperIcon.tsx
    • Created a new PaperIcon component that generates deterministic SVG icons based on paper ID and title, used in the paper gallery.
  • web/src/components/studio/PapersPanel.tsx
    • Removed the PapersPanel component, as its functionality has been absorbed and enhanced by the new PaperGallery component.
  • web/src/components/studio/ReproductionLog.tsx
    • Updated the Reproduction Log to display a 'Generate Context Pack' button when no generation is in progress, and improved the handling of streaming output from the Claude CLI, including structured tool calls and thinking messages.
  • web/src/hooks/useContextPackGeneration.ts
    • Modified the useContextPackGeneration hook to accept inline paper title and abstract, allowing context pack generation without prior paper persistence, and improved error message extraction.
  • web/src/lib/runbook/deleteProjectFiles.ts
    • Added a new utility function deleteProjectFiles to recursively list and delete files within a specified project directory via API calls.
  • web/src/lib/store/project-context.ts
    • Removed the hardcoded default files from the project context store, making it start with an empty state.
  • web/src/lib/store/studio-store.test.ts
    • Added new unit tests for the Studio store, specifically for verifying per-paper state caching and the appendToLastAction functionality.
  • web/src/lib/store/studio-store.ts
    • Implemented a per-paper caching mechanism to preserve context pack generation progress and active task states when switching between papers in the Studio, and added appendToLastAction for efficient text streaming.
  • web/vitest.config.ts
    • Added a new Vitest configuration file for running unit tests in the web frontend.
Activity
  • This pull request integrates 13 commits from the dev branch into master.
  • The changes encompass significant updates to the architecture, security, and daily push features.
  • The PR description outlines a comprehensive set of updates, including a README revamp, CodeQL security fixes, and completion of the Daily Push Epic [Epic] 每日推送优化 — 内容增强 + 图表提取 + 多渠道推送 #179.
  • The integration also includes improvements to the Studio context pack, duplicate import UX, and CLI chat fixes.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

Resolve README conflict by using dev's version with arc.png image.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR merges 13 commits from dev to master, landing three major feature areas: (1) security hardening of path validation in the studio chat and runbook APIs, (2) completion of the Daily Push Epic #179 (MinerU figure extraction, email figure rendering, push channels), and (3) Studio UX improvements (gallery view, per-paper state caching, duplicate import detection, Claude CLI stream-JSON integration).

Changes:

  • MinerU Cloud API client reworked to use the v4 async task API (poll-until-done), with SSRF-safe URL validation and inline data URL support for zip-bundled figures
  • Studio frontend restructured: PapersPanel replaced by a PaperGallery gallery/workspace split, per-paper Zustand state preserved on paper switches, streaming Claude CLI output parsed as structured NDJSON events
  • Security: path traversal protection hardened with os.path.realpath-based symlink-safe checks in both runbook.py and studio_chat.py

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
web/src/lib/store/studio-store.ts Adds per-paper state cache and appendToLastAction for streaming text
web/src/lib/store/studio-store.test.ts Unit tests for state cache round-trip and text streaming
web/src/lib/runbook/deleteProjectFiles.ts New helper: lists then deletes files one-by-one via N+1 API calls
web/src/hooks/useContextPackGeneration.ts Passes inline title/abstract to context-pack endpoint
web/src/components/studio/ReproductionLog.tsx Handles structured CLI SSE events (tool_use, tool_result, thinking)
web/src/components/studio/PapersPanel.tsx Delegates deletion to deleteProjectFiles
web/src/components/studio/PaperIcon.tsx New deterministic identicon SVG component
web/src/components/studio/PaperGallery.tsx New gallery view with search, delete confirmation, and duplicated statusConfig
web/src/components/studio/NewPaperModal.tsx Duplicate detection changed from ID-based to title-based
web/src/app/studio/page.tsx Gallery/workspace split, duplicated statusConfig, removes PapersPanel
web/vitest.config.ts New Vitest config
web/playwright.config.ts New Playwright E2E config
web/package.json / package-lock.json Adds Vitest and Playwright devDeps
web/e2e/*.spec.ts Smoke and feature E2E tests
src/paperbot/infrastructure/extractors/mineru_client.py Full v4 async task API implementation with zip extraction, inline data URLs
src/paperbot/application/workflows/dailypaper.py Adds _is_publishable_figure_url guard and passes new MinerU params
src/paperbot/application/services/email_template.py Renders main_figure block (inline data URL or HTTP URL) in email HTML
src/paperbot/api/routes/studio_chat.py Path hardening, context-pack injection, stream-JSON CLI integration
src/paperbot/api/routes/runbook.py Symlink-safe os.path.realpath fix in add_allowed_dir
src/paperbot/api/routes/repro_context.py Inline paper data bypass for input router; persistence errors no longer fatal
src/paperbot/infrastructure/queue/arq_worker.py Forwards MinerU config to job queue
src/paperbot/presentation/cli/main.py Adds --mineru-api-base-url, --mineru-model-version, --mineru-max-wait-seconds flags
tests/unit/test_mineru_client.py New URL validation and markdown/zip parsing tests
tests/unit/test_dailypaper.py New figure filter and inline figure tests
tests/unit/test_daily_digest_card.py New email rendering tests for figure block
tests/unit/test_arq_daily_papers.py Verifies new MinerU env vars are forwarded to job kwargs
tests/unit/test_studio_chat_path_validation.py Tests _resolve_cli_project_dir security logic
README.md Complete rewrite: English, condensed, references arc.png (not in diff)
env.example Adds MinerU and daily-push environment variables
asset/architecture.excalidraw Updated color scheme and layout
docs/proposals/agentswarm-design.md New 779-line AgentSwarm architecture proposal
web/src/lib/store/project-context.ts Removes hardcoded default files
.gitignore Adds .env.* and Playwright report dirs
web/.gitignore Adds Playwright output dirs

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Comment thread README.md
<details>
<summary>Data pipeline</summary>
<!-- TODO: 待重绘高清架构图 -->
![Architecture](asset/arc.png)

Copilot AI Mar 4, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The README references asset/arc.png as the architecture image (![Architecture](asset/arc.png)), but this file does not appear in the diff — there is no arc.png added to the asset/ directory. The PR description explicitly states "Verify arc.png architecture image displays" as a checklist item, suggesting this file should have been committed. If arc.png is missing from the repository, the architecture section in the README will show a broken image on GitHub.

Copilot uses AI. Check for mistakes.
@jerry609
jerry609 merged commit 4e37a37 into master Mar 4, 2026
9 checks passed

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces significant features and improvements, including a major README overhaul, security hardening, and enhancements to the Studio and daily push functionalities, alongside new features like a Paper Gallery, enhanced figure extraction using MinerU, and context pack generation. While the code includes some security hardening measures such as path traversal protections in the Runbook API, it lacks a comprehensive authentication and authorization framework. This results in multiple Insecure Direct Object Reference (IDOR) and Broken Access Control vulnerabilities across the newly introduced API endpoints. Additionally, a weak URL validation logic in the MinerU client facilitates Blind SSRF. Beyond these critical security concerns, there are also areas for improvement concerning code duplication of security-critical logic and potential robustness enhancements in path validation and error handling. Addressing these points, especially implementing robust ownership checks and stricter input validation, will further strengthen the maintainability and security of the codebase.

I am having trouble creating individual review comments. Click here to see my feedback.

src/paperbot/infrastructure/extractors/mineru_client.py (134-144)

security-medium medium

The _validate_source_url method only checks if the URL scheme is http or https. It does not prevent requests to private IP ranges (e.g., 127.0.0.1, 169.254.169.254) or internal hostnames. Since these URLs are sent to the MinerU Cloud API for processing, this facilitates a Blind SSRF vulnerability where an attacker can use the MinerU service to probe internal infrastructure.

Remediation: Implement a strict allow-list of trusted domains or use a dedicated library to validate that the provided URL does not resolve to a private or reserved IP address.

src/paperbot/api/routes/studio_chat.py (133-231)

medium

This block of code for path validation (_load_runtime_allowed_dirs, _allowed_workdir_prefixes, _is_under_prefix, _resolve_cli_project_dir) is nearly identical to the logic in src/paperbot/api/routes/runbook.py. Duplicating security-critical code is risky as it can lead to inconsistencies if one file is updated but the other is not.

To improve maintainability and ensure consistent security, this logic should be centralized into a shared utility module (e.g., in src/paperbot/api/utils/). Both studio_chat.py and runbook.py can then import and use these shared functions.

src/paperbot/api/routes/repro_context.py (72-88)

medium

While wrapping the database call in a try...except block improves resilience, catching a generic Exception can mask underlying issues that should be addressed, such as TypeError from incorrect data. This makes debugging more difficult.

Consider catching more specific exceptions related to database operations (e.g., sqlalchemy.exc.OperationalError). This would provide clearer insight into failure modes while still allowing the application to handle expected errors gracefully.

@coderabbitai coderabbitai Bot mentioned this pull request Mar 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants