Address PR review feedback from akshay-joshi and coderabbitai

- Enforce TLS 1.2 minimum on all SSL contexts to resolve SonarQube
  weak SSL/TLS vulnerability across all provider files
- Remove unused manager parameter from _generate_security_report_llm
- Remove unused readonly_wrapper variable in database.py
- Replace raise Exception with specific exception types (ValueError,
  ConnectionError) in model-fetching functions
- Use optional chaining in ai_tools.js (res?.data?.success)
- Fix all line length violations (>79 chars) in chat.py, __init__.py,
  test_llm_status.py, and database.py
- Fix DOCKER_API_URL comment to say "Typical value" instead of
  "Default value" since the actual default is empty string

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: dpage

web/config.py

@@ -1019,7 +1019,7 @@
 # Docker Desktop 4.40+ includes a built-in model runner with an
 # OpenAI-compatible API. No API key is required.
 # URL for the Docker Model Runner API endpoint. Leave empty to disable.
-# Default value: http://localhost:12434
+# Typical value: http://localhost:12434
 DOCKER_API_URL = ''
 
 # The Docker Model Runner model to use for AI features.

web/pgadmin/llm/__init__.py

@@ -28,6 +28,9 @@
 except ImportError:
     SSL_CONTEXT = ssl.create_default_context()
 
+# Enforce minimum TLS 1.2 to satisfy security requirements
+SSL_CONTEXT.minimum_version = ssl.TLSVersion.TLSv1_2
+
 
 MODULE_NAME = 'llm'
 
@@ -606,8 +609,8 @@ def _fetch_anthropic_models(api_key):
             data = json.loads(response.read().decode('utf-8'))
     except urllib.error.HTTPError as e:
         if e.code == 401:
-            raise Exception('Invalid API key')
-        raise Exception(f'API error: {e.code}')
+            raise ValueError('Invalid API key')
+        raise ConnectionError(f'API error: {e.code}')
 
     models = []
     seen = set()
@@ -661,8 +664,8 @@ def _fetch_openai_models(api_key):
             data = json.loads(response.read().decode('utf-8'))
     except urllib.error.HTTPError as e:
         if e.code == 401:
-            raise Exception('Invalid API key')
-        raise Exception(f'API error: {e.code}')
+            raise ValueError('Invalid API key')
+        raise ConnectionError(f'API error: {e.code}')
 
     models = []
     seen = set()
@@ -706,9 +709,13 @@ def _fetch_ollama_models(api_url):
         ) as response:
             data = json.loads(response.read().decode('utf-8'))
     except urllib.error.URLError as e:
-        raise Exception(f'Cannot connect to Ollama: {e.reason}')
-    except Exception as e:
-        raise Exception(f'Error fetching models: {str(e)}')
+        raise ConnectionError(
+            f'Cannot connect to Ollama: {e.reason}'
+        )
+    except OSError as e:
+        raise ConnectionError(
+            f'Error fetching models: {str(e)}'
+        )
 
     models = []
     for model in data.get('models', []):
@@ -755,12 +762,15 @@ def _fetch_docker_models(api_url):
         ) as response:
             data = json.loads(response.read().decode('utf-8'))
     except urllib.error.URLError as e:
-        raise Exception(
-            f'Cannot connect to Docker Model Runner: {e.reason}. '
-            f'Is Docker Desktop running with model runner enabled?'
+        raise ConnectionError(
+            f'Cannot connect to Docker Model Runner: '
+            f'{e.reason}. Is Docker Desktop running '
+            f'with model runner enabled?'
+        )
+    except OSError as e:
+        raise ConnectionError(
+            f'Error fetching models: {str(e)}'
         )
-    except Exception as e:
-        raise Exception(f'Error fetching models: {str(e)}')
 
     models = []
     seen = set()
@@ -1031,7 +1041,7 @@ def _gather_security_config(conn, manager):
     return security_info
 
 
-def _generate_security_report_llm(client, security_info, manager):
+def _generate_security_report_llm(client, security_info):
     """
     Use the LLM to analyze the security configuration and generate a report.
     """
@@ -1046,11 +1056,12 @@ def _generate_security_report_llm(client, security_info, manager):
         "objects or data.\n\n"
         "IMPORTANT: Do NOT include a report title, header block, or "
         "generation date at the top of your response. The title and "
-        "metadata are added separately by the application. "
-        "Start directly with the Executive Summary section.\n\n"
+        "metadata are added separately by the application. Start "
+        "directly with the Executive Summary section.\n\n"
         "The report should include:\n"
         "1. **Executive Summary** - Brief overview of the security posture\n"
-        "2. **Critical Issues** - Vulnerabilities needing immediate attention\n"
+        "2. **Critical Issues** - Vulnerabilities needing "
+        "immediate attention\n"
         "3. **Warnings** - Important security concerns to be addressed\n"
         "4. **Recommendations** - Best practices to improve security\n"
         "5. **Configuration Review** - Analysis of key security settings\n\n"

web/pgadmin/llm/chat.py

@@ -65,7 +65,8 @@ def chat_with_database(
         did: Database ID for database connection
         conversation_history: Optional list of previous messages
         system_prompt: Optional custom system prompt (uses default if None)
-        max_tool_iterations: Maximum number of tool call rounds (uses preference)
+        max_tool_iterations: Maximum number of tool call
+            rounds. Uses preference setting if None.
         provider: Optional LLM provider override
         model: Optional model override
 

web/pgadmin/llm/providers/anthropic.py

@@ -23,6 +23,9 @@
 except ImportError:
     SSL_CONTEXT = ssl.create_default_context()
 
+# Enforce minimum TLS 1.2 to satisfy security requirements
+SSL_CONTEXT.minimum_version = ssl.TLSVersion.TLSv1_2
+
 from pgadmin.llm.client import LLMClient, LLMClientError
 from pgadmin.llm.models import (
     Message, Tool, ToolCall, LLMResponse, LLMError,

web/pgadmin/llm/providers/docker.py

@@ -28,6 +28,9 @@
 except ImportError:
     SSL_CONTEXT = ssl.create_default_context()
 
+# Enforce minimum TLS 1.2 to satisfy security requirements
+SSL_CONTEXT.minimum_version = ssl.TLSVersion.TLSv1_2
+
 from pgadmin.llm.client import LLMClient, LLMClientError
 from pgadmin.llm.models import (
     Message, Tool, ToolCall, LLMResponse, LLMError,

web/pgadmin/llm/providers/openai.py

@@ -24,6 +24,9 @@
 except ImportError:
     SSL_CONTEXT = ssl.create_default_context()
 
+# Enforce minimum TLS 1.2 to satisfy security requirements
+SSL_CONTEXT.minimum_version = ssl.TLSVersion.TLSv1_2
+
 from pgadmin.llm.client import LLMClient, LLMClientError
 from pgadmin.llm.models import (
     Message, Tool, ToolCall, LLMResponse, LLMError,

web/pgadmin/llm/static/js/ai_tools.js

@@ -167,7 +167,7 @@ define([
       const api = getApiInstance();
       api.get(url_for('llm.status'))
         .then((res) => {
-          if (res.data && res.data.success) {
+          if (res?.data?.success) {
             this.llmEnabled = res.data.data?.enabled || false;
             this.llmSystemEnabled = res.data.data?.system_enabled || false;
           }

web/pgadmin/llm/tests/test_llm_status.py

@@ -52,10 +52,16 @@ def runTest(self):
             self.provider_enabled and hasattr(self, 'provider_name')
         ) else None
 
-        with patch('pgadmin.llm.utils.is_llm_enabled') as mock_enabled, \
-             patch('pgadmin.llm.utils.is_llm_enabled_system') as mock_system, \
-             patch('pgadmin.llm.utils.get_default_provider') as mock_provider, \
-             patch('pgadmin.authenticate.mfa.utils.mfa_required', lambda f: f):
+        with patch(
+            'pgadmin.llm.utils.is_llm_enabled'
+        ) as mock_enabled, patch(
+            'pgadmin.llm.utils.is_llm_enabled_system'
+        ) as mock_system, patch(
+            'pgadmin.llm.utils.get_default_provider'
+        ) as mock_provider, patch(
+            'pgadmin.authenticate.mfa.utils.mfa_required',
+            lambda f: f
+        ):
 
             mock_enabled.return_value = self.expected_enabled
             mock_system.return_value = self.provider_enabled

web/pgadmin/llm/tools/database.py

@@ -142,16 +142,8 @@ def _execute_readonly_query(conn, query: str) -> dict:
     Raises:
         DatabaseToolError: If query execution fails
     """
-    # Wrap the query in a read-only transaction
-    # This ensures even if the query tries to modify data, it will fail
-    readonly_wrapper = """
-    BEGIN TRANSACTION READ ONLY;
-    {query}
-    ROLLBACK;
-    """
-
-    # For SELECT queries, we need to handle them differently
-    # We'll set the transaction to read-only, execute, then rollback
+    # Set the transaction to read-only, execute, then rollback.
+    # This ensures even if the query tries to modify data, it will fail.
     try:
         # First, set the transaction to read-only mode
         status, result = conn.execute_void(
@@ -237,7 +229,8 @@ def execute_readonly_query(
         - truncated: True if results were limited
 
     Raises:
-        DatabaseToolError: If the query fails or connection cannot be established
+        DatabaseToolError: If the query fails or connection
+            cannot be established
     """
     # Generate unique connection ID for this LLM query
     conn_id = f"llm_{secrets.choice(range(1, 9999999))}"
@@ -364,10 +357,13 @@ def get_database_schema(sid: int, did: int) -> dict:
                             'description': row.get('description')
                         })
 
-                # Get views for this schema (relkind v=view, m=materialized view)
+                # Get views (relkind v=view, m=materialized view)
                 views_sql = f"""
-                    SELECT c.oid, c.relname AS name,
-                           pg_catalog.obj_description(c.oid, 'pg_class') AS description
+                    SELECT c.oid,
+                           c.relname AS name,
+                           pg_catalog.obj_description(
+                               c.oid, 'pg_class'
+                           ) AS description
                     FROM pg_catalog.pg_class c
                     WHERE c.relkind IN ('v', 'm')
                       AND c.relnamespace = {schema_oid}::oid
@@ -486,7 +482,10 @@ def get_table_columns(
             for row in cols_res.get('rows', []):
                 columns.append({
                     'name': row.get('name'),
-                    'data_type': row.get('displaytypname') or row.get('datatype'),
+                    'data_type': (
+                        row.get('displaytypname')
+                        or row.get('datatype')
+                    ),
                     'not_null': row.get('not_null', False),
                     'has_default': row.get('has_default_val', False),
                     'description': row.get('description')
@@ -591,7 +590,10 @@ def get_table_info(
                 for row in cols_res.get('rows', []):
                     columns.append({
                         'name': row.get('name'),
-                        'data_type': row.get('displaytypname') or row.get('datatype'),
+                        'data_type': (
+                        row.get('displaytypname')
+                        or row.get('datatype')
+                    ),
                         'not_null': row.get('not_null', False),
                         'has_default': row.get('has_default_val', False),
                         'description': row.get('description')
@@ -608,7 +610,9 @@ def get_table_info(
                         WHEN 'c' THEN 'CHECK'
                         WHEN 'x' THEN 'EXCLUSION'
                     END AS type,
-                    pg_catalog.pg_get_constraintdef(con.oid, true) AS definition
+                    pg_catalog.pg_get_constraintdef(
+                        con.oid, true
+                    ) AS definition
                 FROM pg_catalog.pg_constraint con
                 WHERE con.conrelid = {table_oid}::oid
                 ORDER BY con.contype, con.conname
@@ -740,8 +744,10 @@ def execute_tool(
                 "query": {
                     "type": "string",
                     "description": (
-                        "The SQL query to execute. Should be a SELECT query "
-                        "or other read-only statement. DML statements will fail."
+                        "The SQL query to execute. Should "
+                        "be a SELECT query or other "
+                        "read-only statement. DML "
+                        "statements will fail."
                     )
                 }
             },
@@ -751,8 +757,9 @@ def execute_tool(
     Tool(
         name="get_database_schema",
         description=(
-            "Get a list of all schemas, tables, and views in the database. "
-            "Use this to understand the database structure before writing queries."
+            "Get a list of all schemas, tables, and views "
+            "in the database. Use this to understand the "
+            "database structure before writing queries."
         ),
         parameters={
             "type": "object",