Security Breakdown #226 #227

Open
codewithakshyaaa wants to merge 4 commits into SATYAM-PRATIBHAN:main from codewithakshyaaa:fix-issue

Conversation


@codewithakshyaaa codewithakshyaaa commented May 26, 2026

Description

This PR resolves a high-severity structural vulnerability in the /api/generate endpoint. Previously, the system executed a raw JSON.parse() on streamed AI text outputs without exception containment. A malicious actor could exploit this via prompt injection (jailbreak) or by sending inputs that lead to truncated/malformed JSON sequences from the LLM. This would trigger unhandled SyntaxError exceptions mid-stream, immediately breaking the active ReadableStream pipeline and causing localized Denial of Service (DoS).

With these changes, the backend gracefully handles structural anomalies, repairs partial tokens, and maintains endpoint reliability under adversarial or unstable model conditions.

🛠️ Changes Implemented

1. Robust JSON Extraction & Parsing Containment (parseAIResponse)

  • Enclosed the primary JSON.parse() within a robust try-catch containment boundary.
  • Eradicated potential unhandled parsing crashes that would otherwise interrupt the active ReadableStream connection.

2. Multi-Stage Automated Self-Healing Mechanism

  • Quote & Bracket Balancer: Implemented a stateful scanner inside the exception fallback block. It tracks unclosed strings, unmatched curly braces {...}, and square brackets [...] to structurally reconstruct truncated strings before parsing.
  • Fail-Safe Fallback Object: If the stream content is unsalvageable or severely truncated, the system bypasses parser failures and returns a structured fail-safe JSON response matching the schema expectations. This prevents downstream workflow or database operations from throwing process-level faults.

3. Graceful Error Handling & Metric Logging

  • Preserved existing Prometheus metric tracking, ensuring API gateway errors and generation failures are still logged correctly without crashing the runtime process.

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • 🔧 Configuration change
  • ♻️ Refactoring (no functional changes)
  • 🎨 Style/UI changes

Related Issues

Closes issue #226

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my code
  • I have commented my code where necessary
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have tested my changes locally
  • Any dependent changes have been merged and published
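The three-stage mechanism the description above lays out (try-catch containment, a stateful quote-and-bracket balancer, and a schema-shaped fail-safe object), as an added example that is not the code from this PR or the arcmind-ai project. It assumes a hypothetical result schema of `title` / `steps` / `ok`, a helper named `balanceJson`, and constructed sample chunks; the stream wiring and Prometheus metrics the PR mentions are outside its scope.

```typescript
// Added example, not the code from this PR: containment and repair of streamed
// LLM text that is expected to be one JSON object. The result schema
// (title / steps / ok) and all sample inputs below are constructed for
// illustration.

type GenerateResult = { title: string; steps: string[]; ok: boolean };

// Fail-safe object returned when the stream content cannot be salvaged.
// It matches the schema, so downstream consumers never see an exception.
const FAIL_SAFE: GenerateResult = { title: "", steps: [], ok: false };

// Keep only the first "{" .. last "}" span, dropping chatter or markdown
// fences the model may wrap around the JSON. A truncated stream with no
// closing brace keeps everything after the first "{".
function extractJsonCandidate(text: string): string {
  const start = text.indexOf("{");
  if (start === -1) return "";
  const end = text.lastIndexOf("}");
  return end > start ? text.slice(start, end + 1) : text.slice(start);
}

// Stateful scanner: one pass that tracks whether we are inside a string
// (honouring backslash escapes) and the stack of currently open "{" / "[".
// Returns the input with the open string terminated, a dangling key or
// trailing comma removed, and every open container closed in order.
function balanceJson(candidate: string): string {
  const stack: string[] = [];
  let inString = false;
  let escaped = false;
  for (const ch of candidate) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === "\\") escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === "{" || ch === "[") stack.push(ch);
    else if (ch === "}" || ch === "]") {
      const open = stack[stack.length - 1];
      if ((ch === "}" && open === "{") || (ch === "]" && open === "[")) stack.pop();
      else return candidate; // mismatched close: structurally broken, let the parser reject it
    }
  }
  let repaired = candidate;
  if (inString) {
    if (escaped) repaired = repaired.slice(0, -1); // drop a trailing lone backslash
    repaired += '"';
  }
  // Inside an object, a string right after "{" or "," can only be a key; if the
  // stream died before its value arrived, drop the key (and an orphaned ":").
  if (stack[stack.length - 1] === "{") {
    repaired = repaired.replace(/([{,])\s*"(?:[^"\\]|\\.)*"\s*:?\s*$/, "$1");
  }
  repaired = repaired.replace(/,\s*$/, ""); // trailing comma left by truncation
  for (let i = stack.length - 1; i >= 0; i--) repaired += stack[i] === "{" ? "}" : "]";
  return repaired;
}

// Validate the parsed value against the expected schema, so an unexpected
// shape (for example a top-level array) cannot reach the database layer.
function coerce(v: unknown): GenerateResult {
  const o = (typeof v === "object" && v !== null ? v : {}) as Record<string, unknown>;
  return {
    title: typeof o.title === "string" ? o.title : FAIL_SAFE.title,
    steps: Array.isArray(o.steps) ? o.steps.filter((s): s is string => typeof s === "string") : [],
    ok: typeof o.ok === "boolean" ? o.ok : FAIL_SAFE.ok,
  };
}

type ParseOutcome = { value: GenerateResult; repaired: boolean; fallback: boolean };

// Containment boundary: no SyntaxError escapes this function, so a malformed
// chunk can no longer tear down the ReadableStream that called it.
function parseAIResponse(raw: string): ParseOutcome {
  const candidate = extractJsonCandidate(raw);
  try {
    return { value: coerce(JSON.parse(candidate)), repaired: false, fallback: false };
  } catch {
    // first stage failed; fall through to the balancer
  }
  try {
    return { value: coerce(JSON.parse(balanceJson(candidate))), repaired: true, fallback: false };
  } catch {
    return { value: { ...FAIL_SAFE }, repaired: false, fallback: true };
  }
}

// Constructed sample chunks, as a stream might deliver them.
const SAMPLES: Record<string, string> = {
  complete: '```json\n{"title":"Plan","steps":["a","b"],"ok":true}\n```',
  cutInArray: '{"title":"Plan","steps":["a","b',
  cutAtKey: '{"title":"Plan","steps":["a"],"ok',
  unsalvageable: "Sure! Here is your plan: ok tru",
};

for (const name of Object.keys(SAMPLES)) {
  console.log(name, JSON.stringify(parseAIResponse(SAMPLES[name])));
}
```

The balancer deliberately gives up on anything it cannot prove structurally sound (a mismatched closing bracket, a truncated literal such as `tru`); those cases fall through to the fail-safe object rather than being guessed at, which keeps the repair stage from inventing content the model never produced.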


netlify Bot commented May 26, 2026

👷 Deploy request for arcmind-ai pending review.

Visit the deploys page to approve it

Latest commit: 59f1f58

codewithakshyaaa changed the title from "fixed the issue" to "Security Breakdown #226" on May 26, 2026

@codewithakshyaaa (Author)

Hey @SATYAM-PRATIBHAN, kindly review my PR.

@SATYAM-PRATIBHAN (Owner)

Solve the CI checks and we are good to go!! @codewithakshyaaa

@codewithakshyaaa (Author)

Hey @SATYAM-PRATIBHAN, kindly review now.

Comment thread on pnpm-workspace.yaml (outdated)

@SATYAM-PRATIBHAN (Owner)

we don't need this file

@SATYAM-PRATIBHAN (Owner)

Maybe solve everything now @codewithakshyaaa

@codewithakshyaaa (Author)

@SATYAM-PRATIBHAN I have deleted the file. Kindly let me know if any other changes are required.

@SATYAM-PRATIBHAN (Owner)

> @SATYAM-PRATIBHAN I have deleted the file. Kindly let me know if any other changes are required.

CI checks are still pending.

@codewithakshyaaa (Author)

Hey @SATYAM-PRATIBHAN, I have tried fixing all the issues this time. I also double-checked the type compilation and Prettier styling guidelines using pnpm tsc --noEmit and pnpm prettier --check "app/api/generate/route.ts".


Development

Successfully merging this pull request may close these issues.

security(api): Stream crash and Denial of Service (DoS) via unvalidated raw JSON.parse on generative AI outputs
