diff --git a/CLAUDE.md b/CLAUDE.md index 462157d..cbeeea7 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -102,12 +102,36 @@ LOWER(r.country_code) = ? Valid inputs: `"korea"`, `"KR"`, `"seoul"`, `"ap-northeast-2"`, `"icn"` -### AI Prompt Strategy (`ai.ts`) +### AI Prompt Strategy (`recommend.ts`) - Uses OpenAI GPT-4o-mini via Cloudflare AI Gateway (bypasses regional restrictions) - Server list format: `[server_id=XXXX] Provider Name...` for accurate ID extraction - Scoring: Cost efficiency (40%) + Capacity fit (30%) + Scalability (30%) - Capacity response in Korean for Korean users +- **Prompt injection protection**: User inputs sanitized via `sanitizeForAIPrompt()` +- **Token optimization**: Candidates limited to top 15 by price + +### Security Features + +- **Input validation**: Comprehensive checks with length limits (tech_stack ≤20, use_case ≤500 chars) +- **Rate limiting**: 60 req/min per IP with in-memory fallback when KV unavailable +- **SQL injection prevention**: All queries use parameterized statements +- **Security headers**: CSP, HSTS, X-Frame-Options, X-Content-Type-Options +- **API key protection**: Keys never logged, sanitized from error messages + +### Configuration (`config.ts`) + +Centralized limits and constants: +```typescript +LIMITS = { + MAX_REQUEST_BODY_BYTES: 10240, // 10KB + CACHE_TTL_SECONDS: 300, // 5 minutes + RATE_LIMIT_MAX_REQUESTS: 60, // per minute + MAX_AI_CANDIDATES: 15, // reduce API cost + MAX_TECH_STACK: 20, + MAX_USE_CASE_LENGTH: 500, +} +``` ## Bindings (wrangler.toml) @@ -154,9 +178,28 @@ curl -X POST https://server-recommend.kappa-d8e.workers.dev/api/recommend \ ## Recent Changes -- **Modular architecture**: Split from single 2370-line file into 7 modules +### Architecture +- **Modular architecture**: Split from single 2370-line file into organized modules +- **Centralized config**: All magic numbers moved to `LIMITS` in config.ts +- **Type safety**: `parseAIResponse(unknown)` with proper type guards + +### Features - **DB workload multiplier**: Database resource calculation based on use_case -- **KV caching**: 5-minute cache with smart invalidation (empty results not cached) -- **OpenAI integration**: GPT-4o-mini via AI Gateway for better recommendations - **Bandwidth estimation**: Automatic bandwidth category detection for provider filtering - **Tech specs update**: Realistic vcpu_per_users values for 150+ technologies + +### Security +- **Prompt injection protection**: `sanitizeForAIPrompt()` filters malicious patterns +- **Rate limiting fallback**: In-memory Map when KV unavailable +- **Input sanitization**: All user inputs validated and length-limited + +### Performance +- **O(1) VPS lookup**: Map-based benchmark matching (was O(n×m)) +- **AI token optimization**: Candidates limited to 15 (was 50) +- **KV caching**: 5-minute TTL, empty results not cached +- **Parallel queries**: Promise.all for independent DB operations + +### Code Quality +- **Dead code removed**: Unused `queryVPSBenchmarks` function deleted +- **DRY**: `DEFAULT_REGION_FILTER_SQL` shared between handlers +- **Name-based filtering**: Provider queries use names, not hardcoded IDs