Final_fixes

[wesleykirkland]

Add in additional features/fixes for OpenHealth

[gemini-code-assist]

Summary of Changes

Hello @wesleykirkland, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a series of critical updates and enhancements across the OpenHealth application. It focuses on bolstering the application's infrastructure with robust health checks and updated dependencies, streamlining the initial data seeding process, and refining API key handling for external LLM services. Furthermore, it significantly improves the reliability and performance of document parsing functionalities and enhances the user experience for file uploads.

Highlights

• Infrastructure Enhancements: Docker Compose configurations have been updated to include health checks for the database and docling-serve services, improving service reliability and startup dependencies. The Containerfile now includes ghostscript for enhanced image processing capabilities.
• Dependency Updates: The prisma and @prisma/client packages have been upgraded to version 6.19.0, bringing the database toolkit up to date with the latest features and fixes. Numerous other package-lock.json entries were updated, including adding peer: true flags for various dependencies.
• Data Seeding Improvements: The Prisma seed script (prisma/seed.ts) has been significantly expanded to automatically create a default 'demo' user, along with pre-populating assistant modes and LLM providers from JSON data files. This streamlines initial setup and testing.
• API Key Management Refinement: Encryption/decryption logic for LLM API keys has been removed from several API routes and parser implementations. API keys are now expected to be handled securely via environment variables or directly provided, simplifying the key management flow within the application.
• Document Parsing Logic: The DoclingDocumentParser and UpstageDocumentParser have received significant updates. Docling now includes request timeouts, improved error handling, and an optimization to try parsing without OCR first. Upstage's parser has better API key handling and improved markdown content extraction.
• User Interface Improvements: The file upload component (src/components/source/source-add-screen.tsx) now supports drag-and-drop functionality, enhancing the user experience for adding new sources. The feedback banner and link have been removed from the chat screen and navigation bar, respectively.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces several features and fixes, including dependency updates, Docker configuration improvements with healthchecks, and a new database seeding script. It also refactors the document parsing logic, removing direct filesystem access in favor of URL fetching and adding better error handling. However, there are significant security concerns. A critical regression is the removal of API key encryption, which now stores sensitive keys in plaintext in the database. Additionally, the new seed script uses a hardcoded, weak password. I've also noted a potential issue with a Docker service dependency condition and a possible regression in language support for OCR.

[gemini-code-assist]

This change removes the decryption of the LLM provider's API key. Storing and handling API keys in plaintext is a critical security vulnerability. The key should be stored encrypted and decrypted only when it's about to be used. Please restore the call to decrypt().

Suggested change

	apiKey = llmProvider.apiKey
	apiKey = decrypt(llmProvider.apiKey)

[gemini-code-assist]

This change removes the decryption of the API key. This appears to be related to a broader removal of API key encryption, which is a critical security vulnerability. API keys must be stored encrypted at rest and only decrypted in memory when needed for an API call. Please restore the decryption logic.

    let apiKey: string
    try {
        apiKey = decrypt(llmProvider.apiKey)
    } catch (e) {
        apiKey = ''
    }

[gemini-code-assist]

Storing API keys in plaintext is a critical security vulnerability. The encryption for the apiKey was removed before saving it to the database. If the database is ever compromised, all user API keys will be exposed. The previous implementation correctly used encrypt() to secure these keys at rest. This encryption logic must be restored.

    // API key encryption
    if (body.apiKey) body.apiKey = encrypt(body.apiKey)

[gemini-code-assist]

This change removes the decryption of API keys. While the goal might have been to stop sending keys to the client (which is good), the underlying issue is that this is part of a move to store API keys in plaintext in the database. This is a critical security vulnerability. Keys must be encrypted at rest. Please ensure encryption is used for storage and decryption is used server-side when making API calls.

            })
            .map((provider) => {
                let decryptedApiKey: string
                try {
                    decryptedApiKey = decrypt(provider.apiKey)
                } catch (e) {
                    decryptedApiKey = ''
                }

                return {...provider, apiKey: decryptedApiKey}
            }

[gemini-code-assist]

Using a hardcoded, simple password like "password" in a seed script is a security risk. While this might be for a development environment, there's a danger of this script being run against a staging or production-like environment, creating a user with a well-known weak password. It's better to use a more secure, randomly generated password or pull it from an environment variable.

Suggested change

	const hashedPassword = await hash('password', 10)
	const hashedPassword = await hash(process.env.DEMO_USER_PASSWORD || 'a_much_more_secure_default_password_!@#$', 10)

[gemini-code-assist]

The app service depends on docling-serve with condition: service_started. However, the docling-serve service has a healthcheck defined. Using condition: service_healthy would be more robust, as it ensures docling-serve is not just started, but is actually ready to accept requests before the app service starts. This can prevent race conditions and startup errors.

      docling-serve:
        condition: service_healthy

[gemini-code-assist]

The previous implementation included support for Korean OCR by passing ocr_lang: 'ko'. This has been removed in the refactoring. If Korean language support is still a requirement for document parsing, this should be added back.

Suggested change

	formData.append('ocr_lang', 'en');
	formData.append('ocr_lang', 'en');
	formData.append('ocr_lang', 'ko');