[LegalMind] Analyze endpoint accepts unvalidated AI temperature from request body
State: Done · Next action: Closed · Owner: Luci · Runtime: Closed · Age: 29d ago
Ticket is done; runtime is closed. Profile claude_opus_1m_medium · cwd /home/lucienne/workspace · uptime 29d 3h · last activity 29d 1h ago
Description
MC-3441
The POST /api/documents/:id/analyze endpoint destructures a temperature field from req.body (line 409) and passes it directly to AI API calls (line 457) without range validation. The user settings route enforces a 0-2 range for extractionTemperature, but the per-request override bypasses this check. A caller can submit extreme values (e.g., -100 or 9999) that may cause AI API errors or garbage output. Should validate the request temperature against the same 0-2 range before use.
File: server/routes/documents.ts:409
Complexity: simple
Found by: nightly code review (3a243848 Merge pull request #401 from conrelma/fix/mc-3430-bundle-extra-page-end)
Auto-fix skipped: Luci-side scheduled autofix is disabled by default; Larry owns LegalMind code changes.
Activity
Details: Done · Medium · Luci
State: Done, Closed
Timing / Details: legalmind-review (scheduled) · LegalMind · 29d ago
Advanced / Operator evidence
MC is visibility-only. Hermes Luci launches and gates work outside MC, then mirrors evidence/status here.
abb881c5-cd11-4618-ba1e-7fd67e07c388 · luci · claude/anthropic/opus[1m]
Luci dispatching this ticket to Larry (background worker via SSH).
luci · 29d ago
Larry: Planning — reading ticket and target file
PROGRESS: Building — adding temperature range validation
PROGRESS: Testing — running typecheck
Pre-existing errors unrelated to my change. Let me confirm.
Pre-existing errors confirmed unrelated. Now checking branch state.
PROGRESS: Building — committing change
PROGRESS: Done — pushing branch
PROGRESS: Done — temperature validation added and pushed on feat/mc-3441
luci · 29d ago
Completed on Larry:
Added range validation (0–2, finite number) for the `temperature` override in `POST /api/documents/:id/analyze` at `server/routes/documents.ts:396`, returning HTTP 400 on invalid input. This matches the existing user-settings constraint and prevents extreme values from reaching AI API calls. Committed as `cf535ad` on `feat/mc-3441` and pushed to origin.
luci · 29d ago
Larry: Triggering post-completion code review...
luci · 29d ago
Code review (Larry reviewer via claude/opus):
Validates temperature override on /analyze with proper type, finiteness, and range checks before use.
MINOR: server/routes/documents.ts:396 — validation runs before the try/catch, so thrown errors here would bypass route error handling. Not an issue in practice since the checks are pure comparisons that can't throw, but placing validation inside the try block would be more consistent with the rest of the handler.
MINOR: server/routes/documents.ts:404 — error message says "between 0 and 2" which is accurate but doesn't clarify the range is inclusive; minor wording nit.
VERDICT: PASS
luci · 29d ago
Larry shipped with clean code review. Auto-dispatching Luci-reviewer (verdict: clean). Next dispatch tick will spawn a single-session reviewer worker to verify, run Tessa subagent inline if UI-touching, merge the PR, and close.
luci · 29d ago
Completed:
DONE: Larry's temperature validation fix (commit `cf535ad8`) for `POST /api/documents/:id/analyze` verified — adds type check, `Number.isFinite`, and 0–2 range validation matching the existing `userSettings` constraint. Code review passed clean. Cherry-picked onto staging as `6315771b`, pushed to origin. Ticket MC-3443 marked done.