Climacs Homelab

⏱️

Rate Limiting

slowapi · RATE_LIMIT=10/minute
Per-IP rate limiter on all /api/<endpoint> POST routes. Returns HTTP 429 when exceeded. Limit is configurable via .env without code changes.

🔑

Secret Pattern Detection

guardrails.py · 6 regex patterns
Scans every request body before forwarding to AWS:
• AWS Access Keys (AKIA…)
• aws_access_key_id / aws_secret_access_key
• RSA / PEM private keys
• Slack bot tokens (xoxb-)
• GitHub PATs (ghp_…)
Returns HTTP 400 if any match found.

📏

Payload Size Cap

MAX_REQUEST_BYTES=51200 (50 KB)
Body size checked before secret scan or AWS forwarding. Returns HTTP 413 for oversized payloads. Prevents prompt-stuffing and runaway Lambda costs.

🚧

Endpoint Allowlist

ALLOWED_ENDPOINTS = {triage, explain, runbook-snippet}
Only 3 paths are routable to AWS. Any other path returns HTTP 404 before touching the network. Prevents endpoint-probing attacks.

🔇

No-Prompt Logging Policy

logger.info(metadata only)
Logs emit only: conv_id[:8], endpoint, status_code, latency_ms. Full prompts and responses are never logged to stdout. Only persisted (encrypted at rest) in PostgreSQL history.

🔧

LLM Response Normalization

_cleanup_response() · per-endpoint
Handles real-world LLM inconsistencies from Lambda:
• Strips markdown code fences (```json)
• Re-parses broken JSON payloads
• Converts "key": "value" dict responses to readable text
• Filters JSON noise ({, } lines) from steps lists
• Handles escaped \n and \" in runbook markdown

🗄️

PostgreSQL Conversation History

database.py · SQLite (dev) / PostgreSQL (prod)
Every request saved with: conv_id, endpoint, model_id, confidence, latency_ms, status_code. Supports project-based organization, archiving, soft-delete, and full-text search. Survives container restarts.

⏰

Request Timeout + Error Budget

REQUEST_TIMEOUT_SECONDS=30
HTTPX async client enforces 30s hard timeout to AWS. Timeouts and network errors return structured HTTP 504 / 502 and are also persisted to conversation history for debugging.