Expand developer documentation and add BrainSait platform info #96
Adds comprehensive documentation for the PromptPex test generation command, including architecture overview, flow details, and usage patterns with custom instructions and session persistence. Documents build processes for cross-platform releases, integration testing setup, and the release workflow via git tags. Clarifies testing patterns by separating unit tests from integration tests, including prerequisites, authentication handling, and execution methods. Introduces BrainSait AI platform section in README, highlighting domain-specific agent systems for Arabic assistance, healthcare, development, and SQL analysis powered by Docker Compose. Improves developer onboarding by providing complete context on architecture, workflows, and testing strategies.
Pull request overview
This pull request expands developer documentation and introduces the BrainSait AI platform as an extension to the gh-models CLI. The changes add comprehensive infrastructure for deploying domain-specific AI agent systems with API servers, billing integration, internationalization, and Docker-based deployment options.
- Adds BrainSait platform with four domain-specific agent systems (Arabic, Healthcare, Developer, SQL)
- Implements HTTP API server with middleware, billing (Stripe), and i18n support
- Provides complete deployment infrastructure (Docker, Kubernetes, Cloudflare Tunnel)
Reviewed changes
Copilot reviewed 62 out of 64 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| internal/middleware/middleware.go | HTTP middleware for authentication, rate limiting, CORS, logging |
| internal/i18n/*.json, i18n.go | Internationalization support for English and Arabic |
| internal/billing/stripe.go | Stripe payment integration with pricing tiers |
| internal/api/server.go, handlers.go | REST API server and endpoint handlers |
| cmd/api/main.go | API server entry point with graceful shutdown |
| docker-compose.yml, Dockerfile* | Container orchestration and build configurations |
| deploy/* | Deployment scripts for VM setup, Docker Hub, Cloudflare Tunnel |
| db/init.sql | PostgreSQL schema for users, billing, usage tracking |
| compose-agents/* | Multi-agent AI systems using Docker Compose |
| examples/healthcare/*.prompt.yml | Healthcare-specific prompt templates |
| examples/arabic/*.prompt.yml | Arabic language prompt templates |
| docs/COMPLIANCE.md, API_INTEGRATION.md | Compliance and API documentation |
| agents/*.yaml | cagent configuration for AI agents |
| BRAINSAIT_CUSTOMIZATION.md | Guide for customizing and monetizing the platform |
| @@ -0,0 +1 @@ | |||
| postgres://healthcare:secure_password@database:5432/claims No newline at end of file | |||
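Review bot: The `@@ -0,0 +1 @@` header shows this connection string, password included, is a new file added by the change itself, so `secure_password` has to be treated as disclosed once this merges; deleting the file in a later commit leaves it in history. Suggest committing only a placeholder value, supplying the real connection string through an environment variable or a mounted secret at deploy time, and rotating the password if it is in use anywhere.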
Copilot
AI
Dec 22, 2025
Database credentials are hardcoded in plain text. Similar to the SQL analyst, this exposes healthcare database credentials which is particularly concerning given HIPAA compliance requirements mentioned in the codebase.
| if time.Since(lastReset) > time.Minute { | ||
| requests = make(map[string]int) | ||
| lastReset = time.Now() | ||
| } | ||
|
|
||
| key := r.Header.Get("X-API-Key") | ||
| if key == "" { | ||
| key = r.RemoteAddr | ||
| } | ||
|
|
||
| requests[key]++ | ||
| count := requests[key] | ||
| mu.Unlock() |
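Review bot: The bucket key is the weak point in this hunk, more than the locking: `count := requests[key]` is read before `mu.Unlock()`, so the count is taken while the lock is held. `key = r.RemoteAddr` falls back to an `ip:port` string, and the port differs per connection, so one client is spread over many buckets; and `r.Header.Get("X-API-Key")` is used as the key as-is, so unless the key was validated before this middleware runs, the caller decides which bucket it lands in. Suggest keying on the authenticated identity when there is one and on the host part of `RemoteAddr` (via `net.SplitHostPort`) otherwise. The map also grows with every distinct key until the next reset, so a cap on entries would bound memory.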
Copilot
AI
Dec 22, 2025
The rate limit implementation has a critical concurrency issue. The requests map is cleared and reassigned inside the lock (requests = make(map[string]int)), but immediately after unlocking, the code reads from the potentially stale requests map at line 71. This creates a race condition where the count could be incorrect if another goroutine resets the map between lines 72 and 71.
Instead of reassigning the map, clear it in place or store the count before unlocking.
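The suggestion above (reset, increment and read the count under one lock), as an added example that is not part of the review or the PR's code. The `Limiter` type, `ClientKey` helper, injectable clock and sample addresses are assumptions made for illustration; the example also buckets by host rather than `ip:port`.

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

// Limiter is a fixed-window counter (illustrative names, not the PR's code).
type Limiter struct {
	mu      sync.Mutex
	counts  map[string]int
	resetAt time.Time
	limit   int
	window  time.Duration
	now     func() time.Time // injectable clock so tests are deterministic
}

func NewLimiter(limit int, window time.Duration, now func() time.Time) *Limiter {
	return &Limiter{counts: map[string]int{}, resetAt: now().Add(window), limit: limit, window: window, now: now}
}

// ClientKey drops the port from "ip:port" so one host maps to one bucket.
func ClientKey(remoteAddr string) string {
	if host, _, err := net.SplitHostPort(remoteAddr); err == nil {
		return host
	}
	return remoteAddr
}

// Allow resets, increments and reads the count inside one critical section.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if t := l.now(); !t.Before(l.resetAt) {
		l.counts = make(map[string]int) // safe: still holding the lock
		l.resetAt = t.Add(l.window)
	}
	l.counts[key]++
	return l.counts[key] <= l.limit
}

func main() {
	l := NewLimiter(2, time.Minute, time.Now)
	for _, a := range []string{"203.0.113.7:50001", "203.0.113.7:50002", "203.0.113.7:50003"} {
		fmt.Println(a, l.Allow(ClientKey(a))) // constructed addresses
	}
}
```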
| bytes := make([]byte, 16) | ||
| rand.Read(bytes) |
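Review bot: `rand.Read(bytes)` discards its error return, and the visible lines do not show which `rand` package is imported. If it is `math/rand`, the IDs are predictable whether or not the call fails, so confirm the import is `crypto/rand` and return or log the error instead of continuing with a zeroed buffer. The variable name `bytes` also shadows the standard `bytes` package within this scope; a name such as `buf` would avoid that.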
Copilot
AI
Dec 22, 2025
The error from rand.Read(bytes) is silently ignored. This could result in generating predictable request IDs if the random number generator fails, which is a security concern for tracking and potentially DoS protection.
| origin := r.Header.Get("Origin") | ||
| if origin != "" { | ||
| w.Header().Set("Access-Control-Allow-Origin", origin) |
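Review bot: In the `if origin != ""` branch the request's Origin is copied into `Access-Control-Allow-Origin` with no comparison against a list of trusted origins, and the lines shown do not add `Vary: Origin`. Suggest an exact-match allow-list loaded from configuration, setting the header only on a match, and adding `Vary: Origin` so a shared cache does not serve one origin's response to another. If `Access-Control-Allow-Credentials` is set elsewhere in this middleware, the reflection matters more, because authenticated responses would then be readable cross-origin.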
Copilot
AI
Dec 22, 2025
The CORS middleware reflects the Origin header without validation, allowing any origin to make cross-origin requests. This bypasses the security purpose of CORS. Either specify allowed origins explicitly or implement an origin validation function.
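One way to do the explicit allow-list the comment asks for, as an added example that is not part of the review or the PR's code. The `CORS` and `AllowOriginFor` names and the `https://app.example.com` origin are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CORS echoes Origin only on an exact allow-list match. The allow-list
// values used below are constructed; real ones come from configuration.
func CORS(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]bool, len(allowed))
	for _, o := range allowed {
		set[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin") // response depends on Origin
		if origin := r.Header.Get("Origin"); set[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		next.ServeHTTP(w, r)
	})
}

// AllowOriginFor sends one request through h and returns the
// Access-Control-Allow-Origin value a browser would receive.
func AllowOriginFor(h http.Handler, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Result().Header.Get("Access-Control-Allow-Origin")
}

func main() {
	h := CORS([]string{"https://app.example.com"}, http.NotFoundHandler())
	for _, o := range []string{"https://app.example.com", "https://app.example.com.other.test", "null", ""} {
		fmt.Printf("%q -> %q\n", o, AllowOriginFor(h, o))
	}
}
```

Exact string matching is deliberate: prefix, suffix or substring checks accept look-alike origins that an exact match rejects.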
| // TODO: Validate API key against database | ||
| // For now, accept any non-empty key | ||
| ctx := context.WithValue(r.Context(), UserIDKey, "user-from-api-key") |
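Review bot: `context.WithValue(r.Context(), UserIDKey, "user-from-api-key")` gives every caller the same fixed identity, so anything downstream that reads `UserIDKey` cannot tell callers apart. Until the lookup named in the TODO exists, suggest failing closed (respond 401 for every key) or enabling this path only behind an explicit development-only setting, and deriving the user ID from the validated key record once that is in place.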
Copilot
AI
Dec 22, 2025
The TODO comment at line 40 indicates accepting any non-empty API key without validation. This is a critical security vulnerability in production code. If this middleware is active, authentication is effectively disabled.
| INSERT INTO users (email, name, tier, domain, api_key) VALUES | ||
| ('system@brainsait.ai', 'System', 'enterprise', 'general', 'system_internal_key_do_not_use'), | ||
| ('demo@brainsait.ai', 'Demo User', 'pro', 'developer', 'demo_api_key_for_testing_only'); |
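Review bot: Both `api_key` values are fixed strings inserted by the schema init script, and the `system@brainsait.ai` row pairs its key with the `enterprise` tier, so every deployment that runs this script starts with the same published key on an `enterprise`-tier account. Suggest moving seed users to a development-only fixture, generating keys at provisioning time, and storing a hash of the key in `api_key` rather than the raw value so that a database read does not yield usable keys.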
Copilot
AI
Dec 22, 2025
Database credentials are hardcoded in plain text in the initialization SQL. The demo API key and system internal key should be generated at runtime or provided via secure configuration, not committed to the repository.
| @@ -0,0 +1 @@ | |||
| postgres://analyst:analyst_password@database:5432/analytics No newline at end of file | |||
Copilot
AI
Dec 22, 2025
Database credentials are hardcoded in plain text. This file could be accidentally committed, exposing the PostgreSQL connection string with password. Consider using a placeholder or documenting that this file should never be committed.
| import uvicorn | ||
| from fastapi import FastAPI, Request | ||
| from fastapi.responses import HTMLResponse, JSONResponse | ||
| from fastapi.staticfiles import StaticFiles |
Copilot
AI
Dec 22, 2025
Import of 'StaticFiles' is not used.