v0.250.001

.github/copilot-instructions.md

@@ -16,6 +16,9 @@ STYLE
 Always conform to the coding styles defined in styleguide.md in the root of the repo when generating code. If the styleguide.md is missing, try to check the readme.md in the repo root. If readme.md is missing or contains no useful style information, use the default style of the language. If the default style is not defined, follow best practices, accessibility guidelines, and readability.
 Use @terminal when answering questions about Git.
 
+FRONTEND ASSETS
+Browser runtime JavaScript must always be served from a local SimpleChat static asset. Do not add CDN-hosted JavaScript, dynamic imports, worker scripts, or JavaScript companion assets to app templates, static JavaScript, static CSS, or frontend routes. Vendor pinned local copies under `application/single_app/static/`, reference them with local static paths, and keep CSP aligned with local-only script/style sources. See `.github/instructions/local_browser_assets.instructions.md` for the full rule.
+
 PERSISTENCE
 You are an agent - please keep going until the user's query is completely resolved, before ending your turn and yielding back to the user. Only terminate your turn when you are sure that the problem is solved.
 
@@ -50,4 +53,8 @@ Make code changes only if you have high confidence they can solve the problem. W
 Confirm the root cause is fixed. Review your solution for logic correctness and robustness. Iterate until you are extremely confident the fix is complete and all tests pass.
 
 7. Final Reflection and Additional Testing
-Reflect carefully on the original intent of the user and the problem statement. Think about potential edge cases or scenarios that may not be covered by existing tests. Write additional tests that would need to pass to fully validate the correctness of your solution. Run these new tests and ensure they all pass. Be aware that there are additional hidden tests that must also pass for the solution to be successful. Do not assume the task is complete just because the visible tests pass; continue refining until you are confident the fix is robust and comprehensive.
+Reflect carefully on the original intent of the user and the problem statement. Think about potential edge cases or scenarios that may not be covered by existing tests. Write additional tests that would need to pass to fully validate the correctness of your solution. Run these new tests and ensure they all pass. Be aware that there are additional hidden tests that must also pass for the solution to be successful. Do not assume the task is complete just because the visible tests pass; continue refining until you are confident the fix is robust and comprehensive.
+
+VERSIONING
+Application versioning remains in `application/single_app/config.py`.
+Deployer and CI/CD versioning lives separately in `deployers/version.txt`; when files under `deployers/` are modified, increment `deployers/version.txt` as part of the same change, defaulting to a patch bump unless a deliberate minor or major compatibility change is intended.

.github/instructions/broken-access-control-prevention.instructions.md

@@ -11,6 +11,7 @@ applyTo: '**/*.py'
 Treat all of the following as untrusted authorization inputs unless the code proves otherwise:
 
 - `conversation_id`, `message_id`, `document_id`, `file_id`, `approval_id`, `group_id`, and `public_workspace_id`
+- `user_id`, Entra object IDs, owner IDs, participant IDs, shared user IDs, and any other identity value supplied by a route path, request body, query string, plugin argument, client-side state, or datastore field
 - `activeGroupOid` and `activePublicWorkspaceOid` values loaded from user settings
 - Plugin or tool-call arguments such as `user_id`, `conversation_id`, `group_id`, `public_workspace_id`, `scope_id`, and `scope_type`
 
@@ -19,6 +20,8 @@ Treat all of the following as untrusted authorization inputs unless the code pro
 Use these patterns by default:
 
 - Revalidate personal conversation ownership with `_authorize_personal_conversation_read(...)`, `_authorize_personal_conversation_access(...)`, or an explicit owner check before reading dependent data.
+- Revalidate user-profile and user-settings reads with an object-level helper such as `_authorize_user_profile_access(...)`, `_read_authorized_user_profile_document(...)`, or `get_user_settings(...)` instead of reading arbitrary user documents by request-derived `user_id`.
+- For cross-user profile display, prove a legitimate app relationship at the read boundary: self, Admin, shared group membership with view allowed, shared document relationship, or shared collaboration conversation participation.
 - Route `activeGroupOid` writes through `update_active_group_for_user(...)`.
 - Route `activePublicWorkspaceOid` writes through `update_active_public_workspace_for_user(...)`.
 - Resolve active group scope through `require_active_group(...)` instead of raw settings reads in backend and plugin code.
@@ -33,6 +36,8 @@ Do not add new code that does any of the following without a reviewed exception:
 - Call `update_user_settings(...)` with a literal `{"activeGroupOid": ...}` payload outside `update_active_group_for_user(...)`
 - Call `update_user_settings(...)` with a literal `{"activePublicWorkspaceOid": ...}` payload outside `update_active_public_workspace_for_user(...)`
 - Read `activeGroupOid` or `activePublicWorkspaceOid` directly from raw settings in backend routes or plugins when a shared validator exists
+- Call `cosmos_user_settings_container.read_item(...)` from frontend/API routes with a route, query, or body `user_id` unless an object-level user-profile authorization helper has already allowed that exact target.
+- Treat `@login_required`, `@user_required`, `@admin_required`, Graph lookup availability, GUID opacity, or frontend-only UI reachability as sufficient authorization for another user's profile, settings, photo, membership, or ownership metadata.
 - Expose `user_id`, `conversation_id`, `group_id`, `public_workspace_id`, `scope_id`, or `scope_type` in a `@kernel_function` surface without immediately rebinding those values to the authorized request context
 - Read a personal conversation by request-derived `conversation_id` and continue to message, blob, or feedback work without an explicit ownership boundary
 
@@ -84,20 +89,33 @@ conversation_item = cosmos_conversations_container.read_item(
 )
 ```
 
+```python
+user_doc = cosmos_user_settings_container.read_item(
+    item=user_id,
+    partition_key=user_id,
+)
+```
+
 ## PR Review Checklist
 
 For any Python change that reads or mutates user, group, workspace, conversation, or plugin-scoped data:
 
 1. Identify every caller-controlled id that crosses into a data read or mutation.
-2. Revalidate ownership or membership at the sensitive operation boundary, not just at route entry.
-3. Use the dedicated active-scope validators instead of raw settings reads and writes.
-4. Rebind plugin scope parameters to the authorized request context before storage, blob, or Cosmos access.
-5. Add or update a regression test when the change touches an authorization boundary.
+2. For every object id, answer: "Why can this caller read or mutate this exact target object?" Do not rely on login, role-only decorators, hidden UI, GUID entropy, or prior lookup flows.
+3. Revalidate ownership, membership, or another explicit relationship at the sensitive operation boundary, not just at route entry.
+4. For reverse lookups from opaque IDs to identity metadata, verify that the endpoint does not become a user-enumeration or app-membership oracle.
+5. Use the dedicated active-scope validators instead of raw settings reads and writes.
+6. Rebind plugin scope parameters to the authorized request context before storage, blob, or Cosmos access.
+7. Add or update a regression test when the change touches an authorization boundary.
 
 ## Workflow Guardrail
 
 This repository includes a Development PR check in `.github/workflows/broken-access-control-check.yml` backed by `scripts/check_broken_access_control.py`.
 
+For full-code audits, run the manual GitHub Actions workflow `.github/workflows/broken-access-control-full-scan.yml`. It scans tracked Python files under the selected target paths, uploads a report artifact, and defaults to advisory mode because legacy findings may exist. Set `fail_on_findings=true` only when the current baseline is clean enough for a blocking run.
+
+For an agent-assisted review, run the workspace prompt `.github/prompts/broken-access-control-audit.prompt.md` and provide the feature area, target paths, or incident class you want reviewed.
+
 If a reviewed exception is unavoidable, add the suppression token below near the specific line and include a justification comment:
 
 ```text

.github/instructions/local_browser_assets.instructions.md

@@ -0,0 +1,44 @@
+---
+applyTo: '**/*.html, **/*.js, **/*.css, **/*.py'
+---
+
+# Local Browser Runtime Assets
+
+## Critical Requirement
+
+Never load browser runtime JavaScript from the public Internet. If SimpleChat uses a JavaScript library, framework, worker script, module, import map, or plugin runtime in the browser, keep a pinned local copy in the repository and serve it from the SimpleChat app.
+
+This rule also applies to browser companion assets that are required by JavaScript libraries, including CSS, fonts, source maps, worker files, WebAssembly files, dictionaries, and library-managed fallback downloads.
+
+## Required Pattern
+
+- Store third-party browser assets under an appropriate local static path, such as `application/single_app/static/js/<vendor>/` or `application/single_app/static/css/<vendor>/`.
+- Reference browser assets with local static paths, preferably through `url_for('static', filename='...')` in templates.
+- Pin the library version in the filename, folder name, documentation, or related test when the upstream asset is copied locally.
+- Preserve required third-party license or attribution files when vendoring assets.
+- Disable library options that auto-download extra browser assets unless those extra assets are also available locally.
+- Keep Content Security Policy `script-src` and `style-src` aligned with local assets; do not loosen CSP to allow a CDN for browser runtime code.
+
+## Disallowed Patterns
+
+Do not add runtime browser references to:
+
+- CDN-hosted scripts or modules, such as `cdn.jsdelivr.net`, `unpkg.com`, `cdnjs.cloudflare.com`, `esm.sh`, `skypack.dev`, `code.jquery.com`, or `stackpath.bootstrapcdn.com`.
+- Remote CSS for JavaScript-driven widgets when a local copy is expected.
+- Library defaults that inject remote `<script>` or `<link>` tags.
+- Dynamic imports from public Internet URLs.
+- Worker, source map, WASM, dictionary, font, or plugin URLs hosted outside the SimpleChat app.
+
+## Validation Checklist
+
+When adding or changing browser assets:
+
+1. Search templates, static JavaScript, static CSS, and relevant Python-rendered frontend routes for new external asset URLs.
+2. Confirm all browser JavaScript dependencies are served from `/static/...` or `url_for('static', ...)`.
+3. Add or update a regression test when fixing an external asset dependency.
+4. Run a syntax check for changed JavaScript files, such as `node --check <file>`.
+5. Run `git -c core.whitespace=blank-at-eol,blank-at-eof,space-before-tab,cr-at-eol diff --check` before finishing.
+
+## Allowed Network Calls
+
+This rule does not prohibit authenticated API calls, application data fetches, server-side Azure service calls, proxied map tile requests, user-requested links, or documentation-only examples. It specifically prohibits loading browser runtime code and required companion assets from public Internet CDNs.

.github/instructions/update_deployer_version.instructions.md

@@ -0,0 +1,19 @@
+---
+applyTo: 'deployers/**'
+---
+
+# Deployer Version Management
+
+When a change modifies files under `deployers/`, include an update to `deployers/version.txt` in the same change.
+
+## Rules
+
+- Keep the deployer version separate from `application/single_app/config.py`.
+- `deployers/version.txt` must contain only a plain semantic version string in the format `X.Y.Z`.
+- Default to a patch increment when a deployer change is made: `1.0.0` -> `1.0.1`.
+- Use a minor or major increment only when the deployer workflow or CI/CD compatibility contract changes intentionally.
+- If the only deployer file being changed is `deployers/version.txt`, do not add an extra bump beyond the intended version update.
+
+## Applies To
+
+This rule covers deployer scripts, `azure.yaml`, `.azure` environment helpers, Bicep/Terraform deployer files, and other deployment workflow assets under `deployers/`.

.github/prompts/broken-access-control-audit.prompt.md

@@ -0,0 +1,41 @@
+---
+description: "Use when: auditing SimpleChat Python routes, helpers, or plugins for Broken Access Control, IDOR, BOLA, user_id/object-id misuse, or missing ownership/membership checks."
+name: "Broken Access Control Audit"
+argument-hint: "Target paths, feature area, endpoint list, or incident class to audit"
+agent: "agent"
+---
+
+Audit the requested SimpleChat code for Broken Access Control, IDOR, and BOLA-style issues. Focus on places where caller-controlled object identifiers cross into reads, writes, search queries, blob access, plugin calls, or profile/settings lookups without a fresh authorization decision for that exact object.
+
+Use the repository guardrails in [.github/instructions/broken-access-control-prevention.instructions.md](../instructions/broken-access-control-prevention.instructions.md) and the deterministic checker in [scripts/check_broken_access_control.py](../../scripts/check_broken_access_control.py). If the user did not provide target paths, start with changed files and likely surfaces under `application/single_app/route_backend_*.py`, `application/single_app/route_external_*.py`, `application/single_app/functions_*.py`, and `application/single_app/semantic_kernel_plugins/`.
+
+## Audit Workflow
+
+1. Identify entry points: Flask routes, Semantic Kernel `@kernel_function` methods, background task dispatchers that accept request-derived IDs, and helpers called by those surfaces.
+2. Trace each object identifier from source to sink. Treat route path parameters, request JSON, query args, form values, active settings, hidden fields, plugin arguments, client state, and datastore-provided owner/participant IDs as untrusted until proven otherwise.
+3. For each sensitive sink, verify an authorization decision at or immediately before the sink. Sensitive sinks include Cosmos `read_item`, `query_items`, `upsert_item`, `delete_item`, blob reads/writes, Azure Search operations, Graph calls that reveal identity data, file downloads, profile images, conversation messages, documents, groups, public workspaces, and user settings.
+4. Distinguish role checks from object checks. `@login_required`, `@user_required`, `@admin_required`, GUID entropy, Graph search availability, and frontend-only access are not sufficient for object-level authorization.
+5. Look for reverse-resolution or oracle behavior: endpoints that turn known opaque IDs into names, emails, profile images, app membership, document ownership, conversation membership, or existence signals.
+6. Compare the implementation against approved helper patterns such as `_authorize_personal_conversation_read(...)`, `_authorize_personal_conversation_access(...)`, `_authorize_user_profile_access(...)`, `_read_authorized_user_profile_document(...)`, `get_user_settings(...)`, `assert_group_role(...)`, `require_active_group(...)`, `require_active_public_workspace(...)`, `_resolve_authorized_scope_arguments(...)`, `_resolve_blob_location_with_fallback(...)`, and `_resolve_authorized_fact_memory_call(...)`.
+7. Run the checker where useful:
+
+```powershell
+python scripts/check_broken_access_control.py --full-file <path1.py> <path2.py>
+```
+
+For a repository-wide audit, use the GitHub Actions workflow `Broken Access Control Full Scan` or run the checker over tracked Python files locally.
+
+## Output Format
+
+Return findings first, ordered by severity. For each finding include:
+
+- `Severity`: Critical, Important, Moderate, or Low.
+- `Surface`: endpoint/helper/plugin and file path.
+- `Source`: the untrusted object ID.
+- `Sink`: the protected data or mutation.
+- `Missing Check`: the absent ownership, membership, admin, or relationship validation.
+- `Impact`: realistic data or operation exposed.
+- `Remediation`: the specific helper or object-level guard to add.
+- `Regression Test`: the minimum test that should fail before the fix and pass after.
+
+If no issues are found, say that clearly and list any residual blind spots, such as dynamic authorization hidden behind decorators or code paths that need runtime tests.