Security, reliability, and hardening audit pass

Security fixes:
- Remove hardcoded API credentials from VIPTrack CONFIG
- Bind Ollama/Kiwix to Config.APP_HOST (127.0.0.1) instead of 0.0.0.0
- Replace naive replace('..','') folder sanitization in media uploads
  with proper posixpath.normpath-based _sanitize_folder()
- Sanitize SSE event_type in broadcast_event to prevent injection

Reliability fixes:
- Add double-checked locking for WAL mode init in db.py (_wal_lock)
- Use PASSIVE WAL checkpoint in backup_db to avoid blocking writers
- Keep pool lock held during get_nowait in _pool_acquire (TOCTOU fix)
- Fix zombie process leak in manager.py start_process error path
  (add proc.wait + stdout.close on DB failure)
- Fix is_running race: keep _lock held during proc.poll()
- Add double-checked locking for GPU detection (prevent concurrent
  subprocess spawns)
- Make federation sync atomic: single commit for data + vector clocks
  + sync log instead of three separate commits
- Wrap save_config with _config_lock to prevent concurrent write races
- Fix db-vacuum endpoint for in-memory test databases (uri= parameter)

Frontend hardening:
- Add 30s AbortController timeout to safeFetch, apiFetch, and CSRF
  token fetch to prevent hanging on dead requests
- Add 60s/30s timeouts to offline.js fullSync/incrementalSync fetches

Performance:
- Prune empty IP deques in mutating rate limiter to prevent unbounded
  memory growth from old client addresses

Data integrity:
- Add CHECK constraints for medical vitals (bp, pulse, resp, temp,
  spo2 0-100, pain 0-10, GCS 3-15)
- Add CHECK constraints for patient age (0-200) and weight (0-700)

Observability:
- Log failed RSS feed worker exceptions with feed name instead of
  silently swallowing

All 913 tests pass.

Author: FOSSFOREVER

config.py

@@ -160,31 +160,31 @@ def get_config_value(key: str, default=None):
 def save_config(data: dict):
     global _config_cache, _config_mtime
     path = get_config_path()
-    os.makedirs(os.path.dirname(path), exist_ok=True)
-    tmp_path = path + '.tmp'
-    with open(tmp_path, 'w') as f:
-        json.dump(data, f, indent=2)
-        f.flush()
-        os.fsync(f.fileno())
-    import sys
-    try:
-        os.replace(tmp_path, path)
-    except PermissionError:
-        if sys.platform == 'win32':
-            # Windows: retry with backoff — antivirus may briefly lock the file
-            import time as _time
-            for _attempt in range(3):
-                _time.sleep(0.1 * (_attempt + 1))
-                try:
-                    os.replace(tmp_path, path)
-                    break
-                except PermissionError:
-                    if _attempt == 2:
-                        raise
-        else:
-            raise
-    # Update cache immediately so subsequent reads are consistent
     with _config_lock:
+        os.makedirs(os.path.dirname(path), exist_ok=True)
+        tmp_path = path + '.tmp'
+        with open(tmp_path, 'w') as f:
+            json.dump(data, f, indent=2)
+            f.flush()
+            os.fsync(f.fileno())
+        import sys
+        try:
+            os.replace(tmp_path, path)
+        except PermissionError:
+            if sys.platform == 'win32':
+                # Windows: retry with backoff — antivirus may briefly lock the file
+                import time as _time
+                for _attempt in range(3):
+                    _time.sleep(0.1 * (_attempt + 1))
+                    try:
+                        os.replace(tmp_path, path)
+                        break
+                    except PermissionError:
+                        if _attempt == 2:
+                            raise
+            else:
+                raise
+        # Update cache immediately so subsequent reads are consistent
         _config_cache = data
         try:
             _config_mtime = os.path.getmtime(path)

db.py

@@ -52,6 +52,7 @@ def get_db_path():
 
 
 _wal_set = False
+_wal_lock = threading.Lock()
 _migration_lock = threading.Lock()
 
 
@@ -63,8 +64,10 @@ def get_db():
         conn.row_factory = sqlite3.Row
         # WAL mode is persistent on the database file — only set once per process
         if not _wal_set:
-            conn.execute('PRAGMA journal_mode=WAL')
-            _wal_set = True
+            with _wal_lock:
+                if not _wal_set:
+                    conn.execute('PRAGMA journal_mode=WAL')
+                    _wal_set = True
         conn.execute('PRAGMA foreign_keys=ON')
         # Register on flask.g so teardown_appcontext can auto-close leaked connections
         try:
@@ -97,10 +100,10 @@ def _pool_acquire():
         if _pool_db_path != current_path:
             _pool_clear()
             _pool_db_path = current_path
-    try:
-        conn = _pool.get_nowait()
-    except queue.Empty:
-        return get_db(), False
+        try:
+            conn = _pool.get_nowait()
+        except queue.Empty:
+            return get_db(), False
     try:
         conn.execute('SELECT 1').fetchone()
         # Rebind to current flask.g so teardown can see it
@@ -210,10 +213,11 @@ def backup_db():
     os.makedirs(backup_dir, exist_ok=True)
     from datetime import datetime
     backup_path = os.path.join(backup_dir, f'nomad_{datetime.now().strftime("%Y%m%d_%H%M%S")}.db')
-    # Use SQLite backup API for WAL-safe copies
+    # Use SQLite backup API for WAL-safe copies.
+    # PASSIVE checkpoint avoids blocking concurrent writers.
     src = sqlite3.connect(db_path, timeout=30)
     try:
-        src.execute('PRAGMA wal_checkpoint(RESTART)')
+        src.execute('PRAGMA wal_checkpoint(PASSIVE)')
         dst = sqlite3.connect(backup_path)
         try:
             src.backup(dst)
@@ -878,8 +882,8 @@ def _create_medical_security_tables(conn):
             id INTEGER PRIMARY KEY AUTOINCREMENT,
             contact_id INTEGER,
             name TEXT NOT NULL,
-            age INTEGER,
-            weight_kg REAL,
+            age INTEGER CHECK (age IS NULL OR (age >= 0 AND age <= 200)),
+            weight_kg REAL CHECK (weight_kg IS NULL OR (weight_kg >= 0 AND weight_kg <= 700)),
             sex TEXT DEFAULT '',
             blood_type TEXT DEFAULT '',
             allergies TEXT DEFAULT '[]',
@@ -893,14 +897,14 @@ def _create_medical_security_tables(conn):
         CREATE TABLE IF NOT EXISTS vitals_log (
             id INTEGER PRIMARY KEY AUTOINCREMENT,
             patient_id INTEGER NOT NULL,
-            bp_systolic INTEGER,
-            bp_diastolic INTEGER,
-            pulse INTEGER,
-            resp_rate INTEGER,
-            temp_f REAL,
-            spo2 INTEGER,
-            pain_level INTEGER,
-            gcs INTEGER,
+            bp_systolic INTEGER CHECK (bp_systolic IS NULL OR (bp_systolic >= 20 AND bp_systolic <= 350)),
+            bp_diastolic INTEGER CHECK (bp_diastolic IS NULL OR (bp_diastolic >= 10 AND bp_diastolic <= 250)),
+            pulse INTEGER CHECK (pulse IS NULL OR (pulse >= 0 AND pulse <= 300)),
+            resp_rate INTEGER CHECK (resp_rate IS NULL OR (resp_rate >= 0 AND resp_rate <= 100)),
+            temp_f REAL CHECK (temp_f IS NULL OR (temp_f >= 70.0 AND temp_f <= 115.0)),
+            spo2 INTEGER CHECK (spo2 IS NULL OR (spo2 >= 0 AND spo2 <= 100)),
+            pain_level INTEGER CHECK (pain_level IS NULL OR (pain_level >= 0 AND pain_level <= 10)),
+            gcs INTEGER CHECK (gcs IS NULL OR (gcs >= 3 AND gcs <= 15)),
             notes TEXT DEFAULT '',
             created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
         );

services/kiwix.py

@@ -776,7 +776,8 @@ def start():
         log.warning('No ZIM files found — kiwix-serve needs content to run. Download a ZIM from the Library tab first.')
         raise RuntimeError('No content downloaded yet — add content from the Library tab before starting Kiwix')
 
-    args = ['--port', str(KIWIX_PORT), '--address', '0.0.0.0'] + zim_paths
+    from config import Config
+    args = ['--port', str(KIWIX_PORT), '--address', Config.APP_HOST] + zim_paths
     exe = get_exe_path()
 
     from platform_utils import popen_kwargs

services/manager.py

@@ -59,16 +59,20 @@ def get_services_dir():
 # ─── GPU Detection ────────────────────────────────────────────────────
 
 _gpu_info = None
+_gpu_lock = threading.Lock()
 
 
 def detect_gpu() -> dict:
     """Detect GPU type and capabilities (cross-platform)."""
-    from platform_utils import detect_gpu as _detect_gpu
     global _gpu_info
     if _gpu_info is not None:
         return _gpu_info
-    _gpu_info = _detect_gpu()
-    return _gpu_info
+    with _gpu_lock:
+        if _gpu_info is not None:
+            return _gpu_info
+        from platform_utils import detect_gpu as _detect_gpu
+        _gpu_info = _detect_gpu()
+        return _gpu_info
 
 
 def get_ollama_gpu_env() -> dict:
@@ -220,6 +224,15 @@ def _read_output():
     except Exception as e:
         log.error(f'Failed to update DB for {service_id}: {e}')
         proc.terminate()
+        try:
+            proc.wait(timeout=5)
+        except subprocess.TimeoutExpired:
+            proc.kill()
+        if proc.stdout:
+            try:
+                proc.stdout.close()
+            except Exception:
+                pass
         with _lock:
             _processes.pop(service_id, None)
         raise
@@ -284,8 +297,8 @@ def is_running(service_id: str) -> bool:
     """
     with _lock:
         proc = _processes.get(service_id)
-    if proc and proc.poll() is None:
-        return True
+        if proc and proc.poll() is None:
+            return True
 
     db = get_db()
     try:

services/ollama.py

@@ -184,7 +184,8 @@ def start():
 
     from platform_utils import get_ollama_gpu_env
     env = get_ollama_gpu_env()
-    env['OLLAMA_HOST'] = f'0.0.0.0:{OLLAMA_PORT}'
+    from config import Config
+    env['OLLAMA_HOST'] = f'{Config.APP_HOST}:{OLLAMA_PORT}'
     env['OLLAMA_MODELS'] = models_dir
 
     from platform_utils import popen_kwargs

web/app.py

@@ -171,6 +171,11 @@ def _check_mutating_rate_limit():
                     return _j({'error': 'Rate limit exceeded for mutating requests',
                                'retry_after': _mutating_window}), 429
                 q.append(now)
+                # Prune empty deques to prevent unbounded memory growth from old IPs
+                if len(_mutating_hits) > 500:
+                    stale_addrs = [a for a, dq in _mutating_hits.items() if not dq]
+                    for a in stale_addrs:
+                        del _mutating_hits[a]
 
         app.extensions['limiter'] = limiter
     except ImportError:

web/blueprints/federation.py

@@ -346,7 +346,7 @@ def api_node_sync_receive():
                     log.warning('Federation sync insert failed for %s: %s', tname, e)
             imported[tname] = count
             total += count
-        db.commit()
+        # Do NOT commit yet — data + vector clocks must be atomic
 
         incoming_clocks = data.get('vector_clocks', {})
         if not isinstance(incoming_clocks, dict):
@@ -389,11 +389,11 @@ def api_node_sync_receive():
                     merged[node] = max(merged.get(node, 0), val)
                 db.execute('INSERT OR REPLACE INTO vector_clocks (table_name, row_hash, clock, last_node, updated_at) VALUES (?, ?, ?, ?, datetime("now"))',
                            (tname, row_hash, json.dumps(merged), source_node))
-        db.commit()
 
         db.execute('INSERT INTO sync_log (direction, peer_node_id, peer_name, peer_ip, tables_synced, items_count, status, conflicts_detected, conflict_details) VALUES (?,?,?,?,?,?,?,?,?)',
                    ('receive', source_node, source_name, request.remote_addr or '',
                     json.dumps(imported), total, 'success', len(conflicts), json.dumps(conflicts, default=str)))
+        # Single atomic commit: data + vector clocks + sync log
         db.commit()
 
     log_activity('sync_received', detail=f'From {source_name} ({source_node}): {total} items')

web/blueprints/media.py

@@ -22,6 +22,24 @@
 from web.sql_safety import safe_table, safe_columns, build_update
 import web.state as _state
 from web.utils import clone_json_fallback as _clone_json_fallback, safe_json_list as _safe_json_list, validate_download_url as _validate_download_url
+import posixpath as _posixpath
+
+
+def _sanitize_folder(raw):
+    """Sanitize a user-supplied folder path for media organization.
+
+    Collapses traversal sequences, rejects anything that escapes the root,
+    and strips leading/trailing slashes. Returns a clean relative path or ''.
+    """
+    if not raw:
+        return ''
+    # Normalize using posixpath to collapse .. and . regardless of OS
+    normed = _posixpath.normpath(raw.replace('\\', '/'))
+    # Reject any path that escapes root (starts with .. or is absolute)
+    if normed.startswith('..') or normed.startswith('/'):
+        return ''
+    # Strip surrounding slashes and dots for safety
+    return normed.strip('/').strip('.')
 
 try:
     from web.catalog import CHANNEL_CATALOG, CHANNEL_CATEGORIES
@@ -409,7 +427,7 @@ def api_videos_upload():
     file.save(filepath)
     filesize = os.path.getsize(filepath) if os.path.isfile(filepath) else 0
     category = request.form.get('category', 'general')
-    folder = request.form.get('folder', '').replace('..', '').strip('/')
+    folder = _sanitize_folder(request.form.get('folder', ''))
     title = request.form.get('title', filename.rsplit('.', 1)[0])
     with db_session() as db:
         cur = db.execute('INSERT INTO videos (title, filename, category, folder, filesize) VALUES (?, ?, ?, ?, ?)',
@@ -1502,7 +1520,7 @@ def api_audio_upload():
     filesize = os.path.getsize(filepath) if os.path.isfile(filepath) else 0
     title = request.form.get('title', filename.rsplit('.', 1)[0])
     category = request.form.get('category', 'general')
-    folder = request.form.get('folder', '').replace('..', '').strip('/')
+    folder = _sanitize_folder(request.form.get('folder', ''))
     artist = request.form.get('artist', '')
     with db_session() as db:
         cur = db.execute('INSERT INTO audio (title, filename, category, folder, artist, filesize) VALUES (?, ?, ?, ?, ?, ?)',
@@ -2091,7 +2109,7 @@ def api_books_upload():
     title = request.form.get('title', filename.rsplit('.', 1)[0])
     author = request.form.get('author', '')
     category = request.form.get('category', 'general')
-    folder = request.form.get('folder', '').replace('..', '').strip('/')
+    folder = _sanitize_folder(request.form.get('folder', ''))
     with db_session() as db:
         cur = db.execute('INSERT INTO books (title, author, filename, format, category, folder, filesize) VALUES (?, ?, ?, ?, ?, ?, ?)',
                          (title, author, filename, fmt, category, folder, filesize))

web/blueprints/situation_room.py

@@ -660,8 +660,10 @@ def _fetch_rss_feeds():
         for fut in as_completed(futures, timeout=90):
             try:
                 articles.extend(fut.result())
-            except Exception:
-                pass
+            except Exception as e:
+                feed = futures.get(fut)
+                feed_name = feed.get('name', '?') if feed else '?'
+                log.debug('RSS fetch worker failed for %s: %s', feed_name, e)
 
     if not articles:
         return

web/blueprints/system.py

@@ -1872,7 +1872,7 @@ def api_system_db_vacuum():
     """Run VACUUM and REINDEX to optimize the database."""
     import sqlite3
     path = get_db_path()
-    conn = sqlite3.connect(path)
+    conn = sqlite3.connect(path, uri=path.startswith('file:'))
     conn.execute('VACUUM')
     conn.execute('REINDEX')
     conn.close()