Skip to content

feat: enable AI Analysis in read-only mode with explicit feature flag #127

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: enable AI Analysis in read-only mode with explicit feature flag #127

wants to merge 1 commit into from

Conversation

@crystalin
Copy link
Contributor

@crystalin crystalin commented Aug 21, 2025

Summary

This PR enables AI Analysis functionality in read-only dashboard mode when explicitly configured, while maintaining security for all other write operations.

Changes

Core Implementation

  • ✅ Added environment variable for explicit opt-in
  • ✅ Extended auth context with capability
  • ✅ Implemented secure endpoint allowlist for AI Analysis operations (POST only)
  • ✅ Updated UI tooltips to explain configuration requirements clearly
  • ✅ Added GEMINI_API_KEY validation (trim whitespace, check length)

Testing

  • ✅ Added comprehensive test coverage for various scenarios
  • ✅ Tests verify that only AI Analysis endpoints are allowed in read-only mode
  • ✅ Tests confirm other write operations remain blocked

Documentation

  • ✅ Updated environment variables reference
  • ✅ Added read-only mode section to AI Analysis guide
  • ✅ Updated ADR-019 to document the security exception

Security Considerations

This implementation follows security best practices:

  1. Explicit opt-in: Requires both and
  2. Narrow allowlist: Only specific AI Analysis endpoints are excepted
  3. Method restriction: Only POST requests to allowed endpoints
  4. Rate limiting: Existing rate limits still apply
  5. No key exposure: GEMINI_API_KEY remains server-only

Testing

  • Unit tests pass
  • TypeScript compilation successful
  • Code review completed with high-priority issues addressed

Configuration

To enable AI Analysis in read-only mode:

GEMINI_API_KEY=your-key-here
AI_ANALYSIS_READONLY_ENABLED=true
AI_WORKER_ENABLED=true
# DASHBOARD_API_KEY not set (read-only mode)

Closes #[issue-number]

Co-Authored-By: Claude [email protected]

@crystalin @claude
feat: enable AI Analysis in read-only mode with explicit feature flag
05e9915 
- Add AI_ANALYSIS_READONLY_ENABLED environment variable for explicit opt-in
- Extend auth context with canUseAiAnalysis capability
- Implement secure endpoint allowlist for AI Analysis operations
- Update UI tooltips to explain configuration requirements
- Add comprehensive test coverage for various scenarios
- Update documentation for new feature

This allows AI Analysis to function in read-only dashboard mode when both
GEMINI_API_KEY and AI_ANALYSIS_READONLY_ENABLED=true are configured, while
maintaining security for all other write operations.

Co-Authored-By: Claude <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@crystalin