MCP Chat Support System

MCP
rag-backend

FIXES_APPLIED.md•4.5 KiB

# 🔧 Critical Fixes Applied to RAG Pipeline ## Summary This document details all critical security and multi-tenant isolation fixes applied to the RAG backend. --- ## 🔴 Critical Fix #1: Multi-Tenant Isolation ### Problem - Missing `tenant_id` in metadata and filtering - Risk of data leakage between tenants - Shared collection without proper isolation ### Fix Applied **Files Modified:** - `app/models/schemas.py` - Added `tenant_id` to all request/response models - `app/rag/chunking.py` - Added `tenant_id` parameter to metadata creation - `app/rag/retrieval.py` - Added `tenant_id` to all retrieval queries - `app/rag/vectorstore.py` - Added `tenant_id` filtering to all operations - `app/main.py` - Added `tenant_id` to all endpoints **Changes:** ```python # Before filter_dict = {"kb_id": kb_id, "user_id": user_id} # After filter_dict = { "tenant_id": tenant_id, # CRITICAL: Multi-tenant isolation "kb_id": kb_id, "user_id": user_id } ``` **Impact:** All queries now require `tenant_id`, ensuring complete data isolation. --- ## 🔴 Critical Fix #2: Enhanced Security ### Problem - CORS allows all origins (`*`) - No file size validation - No input sanitization ### Fix Applied **Files Modified:** - `app/config.py` - Added security settings - `app/main.py` - Added file size validation, restricted CORS **Changes:** ```python # CORS - Restricted allowed_origins = settings.ALLOWED_ORIGINS.split(",") if settings.ALLOWED_ORIGINS != "*" else ["*"] app.add_middleware( CORSMiddleware, allow_origins=allowed_origins, allow_methods=["GET", "POST", "DELETE"], # Restricted allow_headers=["Content-Type", "Authorization"], # Restricted ) # File Size Validation max_size_bytes = settings.MAX_FILE_SIZE_MB * 1024 * 1024 if file_size > max_size_bytes: raise HTTPException(status_code=400, detail=f"File too large. Maximum: {settings.MAX_FILE_SIZE_MB}MB") ``` **Impact:** Reduced attack surface, prevented DoS via large files. --- ## 🔴 Critical Fix #3: Enhanced Anti-Hallucination ### Problem - Prompts could be stricter - Temperature too high (0.1) - Missing explicit "no general knowledge" rule ### Fix Applied **Files Modified:** - `app/rag/prompts.py` - Enhanced system prompt with 10 strict rules - `app/config.py` - Set temperature to 0.0 **Changes:** ```python # Temperature TEMPERATURE: float = 0.0 # Zero for maximum determinism # Enhanced Prompt - Added rule: "DO NOT use general knowledge" - Added rule: "Verify every claim" - Added rule: "DO NOT extrapolate" ``` **Impact:** Significantly reduced hallucination risk. --- ## 🟠 Important Fix #4: Authentication Middleware Structure ### Problem - No authentication/authorization - Endpoints are public ### Fix Applied **Files Created:** - `app/middleware/auth.py` - Authentication middleware structure **Note:** This is a **placeholder** that must be implemented with your actual auth system. **TODO for Production:** 1. Integrate with JWT/OAuth provider 2. Verify tokens on every request 3. Extract tenant_id from token (don't trust client) 4. Implement RBAC if needed --- ## 🟠 Important Fix #5: Better Error Handling ### Problem - Generic error messages - Internal errors exposed to users ### Fix Applied **Files Modified:** - `app/main.py` - Enhanced error handling with structured responses **Changes:** - Specific error types (ValueError for config, generic for others) - Error metadata for debugging - User-friendly messages --- ## 📊 Configuration Updates ### Recommended Production Values ```env # Chunking (optimized) CHUNK_SIZE=600 CHUNK_OVERLAP=150 MIN_CHUNK_SIZE=100 # Retrieval (stricter) TOP_K=6 SIMILARITY_THRESHOLD=0.40 # LLM (anti-hallucination) TEMPERATURE=0.0 MAX_CONTEXT_TOKENS=3000 # Security MAX_FILE_SIZE_MB=50 ALLOWED_ORIGINS=https://yourdomain.com,https://app.yourdomain.com ``` --- ## ⚠️ Breaking Changes ### API Changes All endpoints now require `tenant_id` parameter: **Before:** ```json { "user_id": "user123", "kb_id": "kb001", "question": "How do I reset password?" } ``` **After:** ```json { "tenant_id": "tenant_abc", // REQUIRED "user_id": "user123", "kb_id": "kb001", "question": "How do I reset password?" } ``` ### Migration Required Existing data in vector store needs `tenant_id` added. See `MIGRATION_GUIDE.md`. --- ## ✅ Testing Checklist After applying fixes, test: - [ ] Upload with tenant_id - [ ] Chat with tenant_id - [ ] Verify tenant A cannot access tenant B's data - [ ] Test file size limits - [ ] Test CORS restrictions - [ ] Verify prompts refuse out-of-scope questions

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/ChiragPatankar/MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

FIXES_APPLIED.md•4.5 KiB