Mirror of https://github.com/karpathy/nanochat.git, synced 2026-04-02 05:35:19 +00:00
H-2 (High) — scripts/chat_web.py
Fix CORS misconfiguration: remove allow_credentials=True (incompatible with wildcard origin) and restrict allow_methods/allow_headers to the minimum required set (GET, POST / Content-Type, X-Stats-Key).

M-5 (Medium) — scripts/chat_web.py
Add sliding-window rate limiter on /chat/completions keyed by client IP. Implemented without additional dependencies using asyncio + defaultdict. Configurable via NANOCHAT_RATE_LIMIT and NANOCHAT_RATE_WINDOW env vars (defaults: 10 requests per 60 seconds).

M-1 (Medium) — scripts/chat_web.py
Protect /health and /stats with an optional API key dependency. When NANOCHAT_STATS_KEY env var is set, both endpoints require the value in the X-Stats-Key header. Uses secrets.compare_digest to prevent timing attacks. No-op when env var is unset (backwards compatible).

M-4 (Medium) — scripts/chat_web.py
Redact full conversation content from server logs. User message bodies are no longer logged at INFO level; only message count and a 120-char preview at DEBUG level. Assistant response logs now record character count only, not content.

L-2 (Low) — nanochat/execution.py
Enforce memory limits on macOS in the code execution sandbox. Previously the entire resource limit block was skipped on Darwin with a comment 'seem to fail'. RLIMIT_AS is indeed unsupported on macOS, but RLIMIT_DATA is. Linux now uses both RLIMIT_AS and RLIMIT_DATA; macOS uses RLIMIT_DATA. Both paths are guarded by a None check.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
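The four chat_web.py controls in the commit above (CORS settings, sliding-window rate limiter, constant-time stats key check, log redaction), written out as an added example. This is not nanochat's code and does not reproduce scripts/chat_web.py; it is stdlib-only so it runs without FastAPI. The env var names and defaults are the ones the commit message cites; the names `cors_settings`, `SlidingWindowRateLimiter`, `stats_key_ok` and `log_preview` are this example's own, the OpenAI-style `{"role", "content"}` message shape is assumed, and "preview the last user turn" is an assumption about what the 120-char preview covers.

```python
"""Stdlib-only sketch of the chat_web.py hardening described in the commit.
Added example, not the project's code; all names here are this example's own."""
import os
import secrets
import time
from collections import defaultdict, deque
from typing import Callable, Dict, List, Optional

# Env var names and defaults are taken from the commit message.
RATE_LIMIT = int(os.environ.get("NANOCHAT_RATE_LIMIT", "10"))
RATE_WINDOW = float(os.environ.get("NANOCHAT_RATE_WINDOW", "60"))


def cors_settings(allow_origins: List[str], allow_credentials: bool) -> Dict[str, object]:
    """Build CORS middleware kwargs, refusing wildcard origin plus credentials.

    The CORS spec forbids `Access-Control-Allow-Origin: *` together with
    `Access-Control-Allow-Credentials: true`; a middleware that "helps" by echoing
    the request Origin instead would let any site make credentialed calls.
    """
    if allow_credentials and "*" in allow_origins:
        raise ValueError("allow_credentials=True cannot be combined with a wildcard origin")
    return {
        "allow_origins": list(allow_origins),
        "allow_credentials": allow_credentials,
        "allow_methods": ["GET", "POST"],                 # minimum the endpoints need
        "allow_headers": ["Content-Type", "X-Stats-Key"],
    }


class SlidingWindowRateLimiter:
    """Per-key sliding window: at most `limit` requests in any `window` seconds.

    Each key (client IP) keeps a deque of hit timestamps; entries older than the
    window are evicted on every check, so memory per key is bounded by `limit`.
    `allow()` contains no await, so inside an asyncio handler it runs atomically.
    """

    def __init__(self, limit: int = RATE_LIMIT, window: float = RATE_WINDOW,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def stats_key_ok(presented: Optional[str], expected: Optional[str] = None) -> bool:
    """Gate for /health and /stats: no-op when no key is configured, otherwise a
    constant-time comparison so a wrong key cannot be narrowed down byte by byte."""
    if expected is None:
        expected = os.environ.get("NANOCHAT_STATS_KEY", "")
    if not expected:
        return True
    if presented is None:
        return False
    # bytes avoids compare_digest's ASCII-only restriction on str; unequal lengths
    # return False rather than raising.
    return secrets.compare_digest(presented.encode(), expected.encode())


def log_preview(messages: List[dict], limit: int = 120) -> str:
    """DEBUG-level summary that replaces logging whole conversations: message count
    plus a truncated preview of the last user turn (assumed {"role","content"} dicts)."""
    last_user = next((m.get("content", "") for m in reversed(messages)
                      if m.get("role") == "user"), "")
    return f"{len(messages)} message(s); last user preview: {last_user[:limit]!r}"


if __name__ == "__main__":
    rl = SlidingWindowRateLimiter(limit=3, window=60)
    print([rl.allow("203.0.113.5") for _ in range(4)])   # [True, True, True, False]
    print(cors_settings(["https://app.example"], allow_credentials=False))
```

Two caveats a deployer should keep in mind: keying the limiter by client IP only works if "client IP" is the real peer, so behind a reverse proxy the application must take the address from a forwarding header set by that proxy and not from the socket, and must not trust such a header from arbitrary clients; and the optional-key design means a forgotten NANOCHAT_STATS_KEY silently leaves /health and /stats open, which is intended for backwards compatibility but worth checking at startup.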
| Name |
|---|
| .. |
| base_eval.py |
| base_train.py |
| chat_cli.py |
| chat_eval.py |
| chat_rl.py |
| chat_sft.py |
| chat_web.py |
| tok_eval.py |
| tok_train.py |