Merged
- security: prevent path traversal in PDF injection by sanitizing filenames - security: redact API keys/tokens from LLM error messages - fix: add --inject-pdfs option to resume command - fix: wire pdf_token_budget and abstract_fallback settings - fix: add S2 rate limiting to citation expansion stage - fix: clarify rapidfuzz is optional in CHANGELOG - test: add citation_expansion stage tests (rate limiting, filtering) - test: add OpenAlex source tests (field mapping, client behavior) - test: add Zotero export logic tests (item types, author parsing) - test: verify resume --inject-pdfs appears in CLI help
Summary

Resolves critical and high-priority issues identified in the v1.0.0 pre-release review:

Security Fixes

- `_injected_pdf_path()` now only uses sanitized filenames via `safe_filename()` and enforces path containment checks
- `_sanitize_error()` to redact API keys and tokens from LLM error output

Bug Fixes

- `--inject-pdfs` gap: Added missing `--inject-pdfs` option to the `resume` command
- `pdf_token_budget` and `abstract_fallback` settings are now functional

Tests Added

- `test_stages_citation_expansion.py`: 5 tests (disabled skip, reference fetching, min_cross_refs filtering, rate limiting)
- `test_sources_openalex.py`: 7 tests (headers, search, field mapping)
- `test_exporters_zotero.py`: 7 tests (item types, author parsing, DOI handling)

Validation

`uv run nox` passes all sessions (lint, typecheck, test)

Files Changed

- `src/litresearch/stages/analysis.py` — security fix, settings wiring
- `src/litresearch/cli.py` — resume inject_pdfs
- `src/litresearch/config.py` — new settings fields
- `src/litresearch/llm.py` — error sanitization
- `src/litresearch/stages/citation_expansion.py` — rate limiting
- `CHANGELOG.md` — rapidfuzz clarification
src/litresearch/stages/analysis.py— security fix, settings wiringsrc/litresearch/cli.py— resume inject_pdfssrc/litresearch/config.py— new settings fieldssrc/litresearch/llm.py— error sanitizationsrc/litresearch/stages/citation_expansion.py— rate limitingCHANGELOG.md— rapidfuzz clarification