Skip to content

Add citations support and figure generation improvements#49

Merged
bbsngg merged 3 commits intomainfrom
citations-and-figure-gen
Mar 21, 2026
Merged

Add citations support and figure generation improvements#49
bbsngg merged 3 commits intomainfrom
citations-and-figure-gen

Conversation

@DLYuanGod
Copy link
Copy Markdown
Collaborator

@DLYuanGod DLYuanGod commented Mar 18, 2026

  • Add API key management for figure generation providers in CredentialsSettings
  • Enhance figure generation skill with updated prompts and scripts
  • Add citation handling support to paper writing skill

@Mora-2024 @DLYuanGod
Add citations support and figure generation improvements
aa35d6a 
- Add API key management for figure generation providers in CredentialsSettings
- Enhance figure generation skill with updated prompts and scripts
- Add citation handling support to paper writing skill
- Update agent and auto-research routes for provider flexibility
- Add i18n strings for new settings (en, zh-CN, ko)

Co-Authored-By: Zhengqing Yuan <96673402+DLYuanGod@users.noreply.github.com>
Zhang-Henry
Zhang-Henry reviewed Mar 19, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@Zhang-Henry Zhang-Henry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Comments

Critical: Global process.env injection of per-user API keys

The Gemini API key is injected into process.env.GEMINI_API_KEY in server/index.js, server/routes/agent.js, and server/routes/auto-research.js. This is a multi-user security issue:

  • The first user to trigger injectGeminiApiKey() sets the key globally for the entire Node process. All subsequent requests from other users will inherit that key.
  • The key is never cleared — it persists for the server's lifetime.
  • Classic TOCTOU race condition: two simultaneous requests can both pass the !process.env.GEMINI_API_KEY check.

Fix: Pass the API key explicitly to the SDK/spawn functions instead of mutating process.env. This is how the rest of the codebase handles per-request credentials.

DRY violation

The injectGeminiApiKey block is copy-pasted across 3 files. Extract it into a shared utility if you keep this approach (but the approach itself needs to change per above).

Minor

  • toggleGeminiCredential: !isActive on undefined/null silently becomes true — add a guard.
  • Citation verification instruction in CLAUDE.md says "automatically run" but doesn't specify how — clarify whether this is an agent responsibility or a manual step.

@bbsngg
Copy link
Copy Markdown
Contributor

bbsngg commented Mar 21, 2026

Follow-up update pushed in commit bd9375e.

What changed:

  • Replaced global GEMINI_API_KEY mutation with per-session env resolution.
  • Added a shared Gemini key helper that prefers the user credential from DB and falls back to the server environment variable.
  • Wired the resolved env through Claude, Codex, Gemini, and Cursor execution paths so user-level overrides no longer leak across sessions.
  • Added a guard for toggleGeminiCredential so non-boolean values are ignored.
  • Relaxed citation verification from mandatory execution to a user reminder, and updated the skill reference to the skill-library path at skills/inno-reference-audit/SKILL.md.
  • Updated settings copy to clarify the fallback behavior.

Validation:

  • git diff --check
  • npm run typecheck

@bbsngg bbsngg merged commit 8109e77 into main Mar 21, 2026
1 check passed
@bbsngg bbsngg deleted the citations-and-figure-gen branch March 21, 2026 02:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Zhang-Henry Zhang-Henry Zhang-Henry left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@DLYuanGod @bbsngg @Zhang-Henry @Mora-2024