fix: address code review issues (security, performance, quality)

Security: - Add JSON.parse error handling (return 400 instead of 500) - Add rate limiting fallback when KV unavailable (in-memory Map) - Add AI prompt injection protection (sanitizeForAIPrompt) Performance: - Optimize VPS benchmark matching (O(1) Map lookup vs O(n*m) loop) - Reduce AI candidates from 50 to 15 (saves ~60% API cost) - Centralize magic numbers in LIMITS config Code Quality: - Remove dead code (unused queryVPSBenchmarks function) - Extract duplicated region SQL to DEFAULT_REGION_FILTER_SQL - Replace hardcoded provider IDs with name-based filtering - Move magic numbers to config.ts LIMITS object Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-25 18:08:06 +09:00
parent b682abc45d
commit 7dfd3659ec
4 changed files with 99 additions and 48 deletions
--- a/src/config.ts
+++ b/src/config.ts
@@ -4,6 +4,21 @@

 import type { UseCaseConfig } from './types';

+/**
+ * System limits and configuration constants
+ */
+export const LIMITS = {
+  MAX_REQUEST_BODY_BYTES: 10240,      // 10KB
+  CACHE_TTL_SECONDS: 300,              // 5 minutes
+  RATE_LIMIT_MAX_REQUESTS: 60,         // per minute
+  RATE_LIMIT_WINDOW_MS: 60000,         // 1 minute
+  VPS_BENCHMARK_LIMIT: 20,
+  MAX_AI_CANDIDATES: 15,               // Reduce from 50 to save tokens
+  MAX_TECH_STACK: 20,
+  MAX_USE_CASE_LENGTH: 500,
+  MAX_REGION_PREFERENCE: 10,
+} as const;
+
 export const USE_CASE_CONFIGS: UseCaseConfig[] = [
  {
    category: 'video',