30 changes: 1 addition & 29 deletions SECURITY.md
@@ -92,34 +92,6 @@ AI-Infra-Guard is a **single-operator security tool**, not a multi-tenant platfo
- Scanner-only claims without a working reproduction or against stale paths.
- Reports that restate an already-fixed issue against later released versions without showing the vulnerable path still exists.

## Operational Guidance

### Network Exposure

AIG WebUI defaults to `127.0.0.1:8088` (loopback only). **Do not expose it to the public internet.**

If remote access is needed:
- Use an SSH tunnel: `ssh -L 8088:127.0.0.1:8088 user@host`
- Or deploy behind a reverse proxy (nginx/caddy) with authentication, accessible only over a VPN or trusted network.

Do **not** bind to `0.0.0.0` without additional access controls.

### Docker Deployment

When running AIG via Docker:

```bash
# Restrict to loopback only
docker run -p 127.0.0.1:8088:8088 zhuque/aig-server:latest

# Further restrict with read-only filesystem where possible
docker run -p 127.0.0.1:8088:8088 --read-only \
-v aig-data:/app/data \
zhuque/aig-server:latest
```

Avoid publishing `8088` without `-p 127.0.0.1:8088:8088` binding in production environments.

### API Key Protection

AIG uses LLM API keys for agent scan and MCP scan. Protect them:
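Review bot: removing the whole Network Exposure and Docker Deployment guidance (the `127.0.0.1:8088` loopback default, the SSH tunnel, the `-p 127.0.0.1:8088:8088` binding and `--read-only` run) leaves SECURITY.md with no pointer to where that advice now lives, so operators reading the policy no longer see the "do not bind to `0.0.0.0` without additional access controls" rule. If the guidance moved to another document, add a link under `## Operational Guidance` (or in the surviving `### API Key Protection` section); if it was dropped because the defaults changed, the PR description should say so.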
@@ -157,4 +129,4 @@ AI-Infra-Guard is an open-source project. There is no formal bug bounty program.
Security reports are handled by the **Tencent Zhuque Lab** team.

- GitHub: [@Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)
- Contact: [zhuque@tencent.com](mailto:zhuque@tencent.com)
- Contact: [zhuque@tencent.com](mailto:zhuque@tencent.com)
8 changes: 8 additions & 0 deletions common/websocket/server.go
@@ -303,6 +303,14 @@ func RunWebServer(options *version.Options) {
"changelog": string(data),
})
})

// system — data directory auto-sync
system := v1.Group("/system")
system.Use(setupIdentityMiddleware())
{
system.POST("/update-data", HandleTriggerDataUpdate)
system.GET("/update-status", HandleGetUpdateStatus)
}
}

// Swagger UI - 必须在 NoRoute 之前注册
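Review bot: the new `/system` group gates `POST /update-data` on `setupIdentityMiddleware()` alone, and nothing in the hunk shows whether that middleware rejects requests that carry no valid identity or merely resolves one into the context; since `HandleTriggerDataUpdate` kicks off a write to the data directory, please confirm the middleware aborts the request chain for unauthenticated callers and that `GET /update-status` is read-only. Also document the two endpoints in the Swagger UI registered just below and extend the group comment to state the requirement, e.g. `// system — data directory auto-sync (requires an authenticated identity)`.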