Replace naive string-based ".." detection with component-based analysis
to eliminate false positives while maintaining security.
Problem:
- Filenames like "Battery... Rekon 35.m4a" were incorrectly flagged
- String check `if ".." in path` matched ellipsis (...) as traversal
Solution:
- Parse path into components using Path().parts
- Check each component for exact ".." match
- Allows ellipsis in filenames while blocking actual traversal
Security maintained:
- ✅ Blocks: ../etc/passwd, dir/../../secret, /../../../etc/hosts
- ✅ Allows: file...mp3, Wait... what.m4a, Battery...Rekon.m4a
Tests:
- Added comprehensive test suite with 8 test cases
- Verified ellipsis filenames pass validation
- Verified path traversal attacks still blocked
- All tests passing (8/8)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Upgrade PyTorch and torchaudio to 2.6.0 with CUDA 12.4 support
- Update GPU reset script to gracefully stop/start Ollama via supervisorctl
- Add Docker Compose configuration for both API and MCP server modes
- Implement comprehensive Docker entrypoint for multi-mode deployment
- Add GPU health check cleanup to prevent memory leaks
- Fix transcription memory management with proper resource cleanup
- Add filename security validation to prevent path traversal attacks
- Include .dockerignore for optimized Docker builds
- Remove deprecated supervisor configuration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixed two separate deadlock issues preventing job queue from processing
multiple jobs sequentially:
**Deadlock #1: JobQueue lock ordering violation**
- Fixed _calculate_queue_positions() attempting to acquire _jobs_lock
while already holding _queue_positions_lock
- Implemented snapshot pattern to avoid nested lock acquisition
- Updated submit_job() to properly separate lock acquisitions
**Deadlock #2: JobRepository non-reentrant lock bug**
- Fixed _flush_dirty_jobs_sync() trying to re-acquire _dirty_lock
while already holding it (threading.Lock is not reentrant)
- Removed redundant lock acquisition since caller already holds lock
Additional improvements:
- Added comprehensive lock ordering documentation to JobQueue class
- Added detailed debug logging throughout job submission flow
- Enabled DEBUG logging in API server for troubleshooting
Testing: Successfully processed 3 consecutive jobs without hanging
- Update CLAUDE.md with new test suite documentation
- Add PYTHONPATH instructions for direct execution
- Document new utility modules (startup, circuit_breaker, input_validation)
- Remove passwordless sudo section from GPU auto-reset docs
- Reduce job queue max size to 5 in API server config
- Rename supervisor program to transcriptor-api
- Remove log files from repository
- Implement circuit breaker pattern for GPU health checks
- Prevents repeated failures with configurable thresholds
- Three states: CLOSED, OPEN, HALF_OPEN
- Integrated into GPU health monitoring
- Add comprehensive input validation and path sanitization
- Path traversal attack prevention
- Whitelist-based validation for models, devices, formats
- Error message sanitization to prevent information leakage
- File size limits and security checks
- Centralize startup logic across servers
- Extract common startup procedures to utils/startup.py
- Deduplicate GPU health checks and initialization code
- Simplify both MCP and API server startup sequences
- Add proper Python package structure
- Add __init__.py files to all modules
- Improve package organization
- Add circuit breaker status API endpoints
- GET /health/circuit-breaker - View circuit breaker stats
- POST /health/circuit-breaker/reset - Reset circuit breaker
- Reorganize test files into tests/ directory
- Rename and restructure test files for better organization
- Fix: Change threading.Lock to threading.RLock in JobQueue to prevent deadlock
- Issue: list_jobs() acquired lock then called get_job_status() which tried to acquire same lock
- Solution: Use re-entrant lock (RLock) to allow nested lock acquisition (src/core/job_queue.py:144)
- Refactor: Update test_phase2.py to use real test.mp3 file
- Changed _create_test_audio_file() to return /home/uad/agents/tools/mcp-transcriptor/data/test.mp3
- Removed specific text assertion, now just verifies transcription is not empty
- Tests use tiny model for speed while processing real 6.95s audio file
- Update: Improve audio validation error handling in transcriber.py
- Changed validate_audio_file() to use exception-based validation
- Better error messages for API responses
- Add: Job queue configuration to startup scripts
- Added JOB_QUEUE_MAX_SIZE, JOB_METADATA_DIR, JOB_RETENTION_DAYS env vars
- Added GPU health monitoring configuration
- Create job metadata directory on startup
Major features:
- GPU auto-reset on CUDA errors with cooldown protection (handles sleep/wake)
- Async job queue system for long-running transcriptions
- Comprehensive GPU health monitoring with real model tests
- Phase 1 component testing with detailed logging
New modules:
- src/core/gpu_reset.py: GPU driver reset with 5-min cooldown
- src/core/gpu_health.py: Real GPU health checks using model inference
- src/core/job_queue.py: FIFO queue with background worker and persistence
- src/utils/test_audio_generator.py: Test audio generation for GPU checks
- test_phase1.py: Component tests with logging
- reset_gpu.sh: GPU driver reset script
Updates:
- CLAUDE.md: Added GPU auto-reset docs and passwordless sudo setup
- requirements.txt: Updated to PyTorch CUDA 12.4
- Model manager: Integrated GPU health check with reset
- Both servers: Added startup GPU validation with auto-reset
- Startup scripts: Added GPU_RESET_COOLDOWN_MINUTES env var
- Reorganize source code into src/ directory with logical subdirectories:
- src/servers/: MCP and REST API server implementations
- src/core/: Core business logic (transcriber, model_manager)
- src/utils/: Utility modules (audio_processor, formatters)
- Update all import statements to use proper module paths
- Configure PYTHONPATH in startup scripts and Dockerfile
- Update documentation with new structure and paths
- Update pyproject.toml with package configuration
- Keep DevOps files (scripts, Dockerfile, configs) at root level
All functionality validated and working correctly.
