feat(hub): i3X external ID columns + python-multipart CVE bump#1180

Merged
Mikecranesync merged 2 commits into main from claude/tender-curran-fac741 on May 11, 2026

Conversation

@Mikecranesync (Owner)

Summary

  • Adds `external_id` columns on `cmms_equipment` for i3X/MaintainX interop (migration 013)
  • Bumps python-multipart 0.0.27 → 0.0.28 (CVE-2026-42561) across mira-ingest + mira-mcp
  • Seed script for Stardust Racers demo
  • Updates by-tag asset API + mobile asset page

Test plan

  • Migration 013 applies cleanly
  • CVE scan clean
  • Asset by-tag lookup works with external IDs

🤖 Generated with Claude Code

Mike (FactoryLM) and others added 2 commits May 10, 2026 23:41

0.0.28 caps multipart boundary length at 256 bytes (Kludex/python-multipart#282),
patching the HIGH-severity DoS where a crafted boundary forces O(n²) tail scans.
0.0.27 added header limits but did not bound the boundary scan itself.

Affects mira-ingest (POST /ingest/photo) and mira-mcp (POST /ingest/pdf) —
both accept multipart uploads from untrusted callers.

CRA-252.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Adds 7 nullable TEXT columns to cmms_equipment so a MIRA asset can
round-trip with adjacent systems (cmms_id, plc_tag, scada_path,
manufacturer_part_number, uns_topic_path, erp_asset_id, drawing_reference).
serial_number already existed and is unchanged.

- migration 013_external_ids.sql (NOT auto-run — Mike approves)
- /api/assets/by-tag returns externalIds {} on the asset payload
- /m/[tag] renders a collapsed "External IDs" section, hidden when empty
  (only shown when at least one field is populated — keeps the
  glove-friendly main view uncluttered)
- seed-stardust-racers populates plc_tag / scada_path / uns_topic_path /
  manufacturer_part_number for SR-SUMP-001 for the May 21 demo

CRA-258.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

🤖 AI Code Review

Review by: groq (llama-3.3-70b-versatile)

Review

🔴 IMPORTANT: Security vulnerabilities

  • The diff updates python-multipart from version 0.0.27 to 0.0.28, which fixes a HIGH-severity CVE (CVE-2026-42561). This is a necessary update to prevent potential security vulnerabilities.
  • No hardcoded secrets, SQL injection, path traversal, or command injection vulnerabilities were found in the provided diff.

🔴 IMPORTANT: Missing error handling on network/IO operations

  • The diff does not introduce any new network/IO operations that are missing error handling. However, it's essential to review the entire codebase to ensure that all network/IO operations are properly handled.
  • For example, in mira-hub/src/app/api/assets/by-tag/[tag]/route.ts, the GET function performs a database query. Although it's not shown in the diff, it's crucial to verify that error handling is implemented for this query in the original code.

🟡 WARNING: Logic bugs or incorrect assumptions

  • In mira-hub/db/migrations/013_external_ids.sql, the migration adds several new columns to the cmms_equipment table. The comment suggests that these columns are nullable and will be empty for assets that aren't yet cross-referenced. This assumption seems reasonable, but it's essential to review the application logic to ensure that these columns are properly handled.
  • In mira-hub/scripts/seed-stardust-racers.ts, the SR_SUMP object is updated to include external IDs. The code assumes that these IDs will be used to demonstrate i3X cross-system interop. This assumption appears to be correct, but further review is necessary to ensure that the application logic correctly handles these IDs.

🟡 WARNING: Missing input validation at API boundaries

  • The diff does not introduce any new API endpoints or modify existing ones to accept user input. However, it's crucial to review the entire codebase to ensure that all API endpoints properly validate user input.
  • For example, in mira-hub/src/app/api/assets/by-tag/[tag]/route.ts, the GET function takes a tag parameter. Although it's not shown in the diff, it's essential to verify that this parameter is properly validated and sanitized in the original code.

🔵 SUGGESTION: Code quality improvements, naming, maintainability

  • The diff is well-structured, and the code is readable. However, some variable names could be improved for better clarity. For example, in mira-hub/src/app/m/[assetTag]/page.tsx, the ExtId component could be renamed to something more descriptive, such as ExternalIdDisplay.
  • The code could benefit from additional comments to explain the purpose of each section and the logic behind the code. This would improve maintainability and make it easier for new developers to understand the codebase.

✅ GOOD: Noteworthy good practices found

  • The diff includes a clear and concise comment explaining the purpose of the migration in mira-hub/db/migrations/013_external_ids.sql. This is a good practice, as it helps other developers understand the reasoning behind the changes.
  • The code uses a consistent naming convention and coding style throughout the diff. This is essential for maintaining a clean and readable codebase.

Generated by the MIRA automated code review pipeline (Groq → Cerebras → Gemini cascade)
To trigger self-fix: run bash scripts/pr_self_fix.sh 1180

@Mikecranesync Mikecranesync merged commit c0cdf0c into main May 11, 2026
16 of 17 checks passed