Plan app improvements and publication

[UmutHasanoglu]

Phase 1 - Critical Fixes:

• Add .gitignore for proper version control
• Fix CORS configuration with environment variables (security)
• Add ISBN-10/13 validation with checksum verification
• Add structured logging throughout the application
• Add health check endpoint for container orchestration

Phase 2 - Code Quality:

• Pin dependency versions in requirements.txt
• Create pyproject.toml for modern Python packaging
• Add comprehensive docstrings to all modules
• Create validators.py for centralized input validation

Phase 3 - Documentation:

• Add CONTRIBUTING.md with development guidelines
• Add CHANGELOG.md using Keep a Changelog format

Phase 4 - Cross-platform Support:

• Add Unix shell scripts (install.sh, start_cli.sh, start_webui.sh)

Phase 5 - Deployment:

• Create Dockerfile with multi-stage build
• Create docker-compose.yml for easy deployment
• Add .dockerignore for optimized builds
• Add .env.example for environment configuration
• Create Makefile with common commands
• Add GitHub Actions CI/CD workflows (ci.yml, release.yml)

Tests:

• Add comprehensive tests for validators module
• Update API tests to use valid ISBN formats
• All 35 tests passing

[gemini-code-assist]

Summary of Changes

Hello @UmutHasanoglu, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the Library Management System by focusing on critical fixes, code quality, documentation, and deployment. It introduces robust input validation, configurable CORS, structured logging, and modern Python packaging. Furthermore, it provides comprehensive tools for containerization, local development, and contribution, making the application more secure, maintainable, and easier to deploy and extend.

Highlights

• Robust Input Validation: Introduced comprehensive validation for ISBN-10/13 (including checksum verification), publication year, title, and author, centralizing logic in a new validators.py module and integrating it into the FastAPI Book model.
• Enhanced Configuration and Logging: Implemented a dedicated config.py module for environment variable-based settings, allowing dynamic configuration of CORS, logging levels, and file paths. Structured logging has been integrated throughout the API for better observability.
• Improved Project Structure and Maintainability: Added pyproject.toml for modern Python packaging, pinned dependency versions in requirements.txt, and included comprehensive docstrings across modules. New .gitignore and .dockerignore files ensure proper version control and optimized Docker builds.
• Comprehensive Deployment and Development Tools: Provided Dockerfile for multi-stage containerization, docker-compose.yml for easy local deployment, and Makefile with common commands for development (testing, linting, formatting) and Docker operations. Unix shell scripts (install.sh, start_cli.sh, start_webui.sh) offer cross-platform setup and execution.
• Documentation and Contribution Guidelines: Added CHANGELOG.md following the Keep a Changelog format and CONTRIBUTING.md to guide potential contributors on bug reporting, enhancement suggestions, and pull request workflows.
• API Health Check: A new /health endpoint has been added to the FastAPI application, providing a simple way to monitor the service's operational status, crucial for container orchestration.
• Updated Test Suite: API tests have been updated to reflect the new ISBN validation rules, and a new test_validators.py file provides dedicated unit tests for the validation logic.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This impressive pull request significantly improves the project's quality, security, and deployability, introducing a proper project structure with "pyproject.toml", configuration management, input validation, structured logging, comprehensive documentation, and Docker support. Code quality improvements like pinned dependencies and extensive tests are also commendable. However, a security audit identified three vulnerabilities: a critical command injection in the "start_webui.sh" script, a high-severity Server-Side Request Forgery (SSRF), and a medium-severity CORS policy issue. There are also a few minor suggestions to further enhance consistency and robustness.

[gemini-code-assist]

The command export $(grep -v '^#' .env | xargs) used to load environment variables is critically vulnerable to command injection. If an attacker can write to the .env file, they can execute arbitrary commands. Furthermore, this method is not robust for parsing .env files and can fail if variable values contain spaces, quotes, or other special characters. A safer and more reliable approach is to use set -a (or set -o allexport) as suggested.

Suggested change

	if [ -f ".env" ]; then
	export $(grep -v '^#' .env | xargs)
	fi
	if [ -f ".env" ]; then
	set -a
	source .env
	set +a
	fi

[gemini-code-assist]

The endpoint /openlibrary/{isbn} passes the isbn parameter to the get_book_details_from_openlibrary function in main.py, which then uses it to construct a URL without proper sanitization. This is a Server-Side Request Forgery (SSRF) vulnerability. An attacker could provide a malicious isbn value to make the server issue requests to arbitrary internal or external services, potentially leading to information disclosure or network probing. The isbn parameter should be strictly validated to ensure it conforms to the expected format (e.g., using a regular expression) before being used to construct the URL.

[gemini-code-assist]

The default CORS policy includes the null origin. This allows any local HTML file opened by a user to make requests to the API. An attacker could craft a malicious HTML file and trick a user into opening it, which would then allow the attacker to make requests to the API on behalf of the user. This could lead to Cross-Site Request Forgery (CSRF) or other attacks. You should remove null from the CORS_ORIGINS list.

[gemini-code-assist]

The install-dev target reinstalls dependencies from requirements.txt and then installs ruff separately. This is inconsistent with pyproject.toml, which defines development dependencies (including ruff) under [project.optional-dependencies].dev. It's also inconsistent with the instructions in CONTRIBUTING.md, which recommend pip install -e ".[dev]".

To maintain pyproject.toml as the single source of truth for dependencies, this target should be updated to use the dev extras.

install-dev:
	pip install -e ".[dev]"

[gemini-code-assist]

In the /health endpoint, using app_state.get("library", Library()) is not ideal. If app_state somehow lacks the "library" key, this will create a new Library() instance on every health check, which involves reading the file from disk. This is inefficient and could lead to inconsistent state. The lifespan manager ensures app_state["library"] is available, so you can access it directly. This makes the code cleaner and avoids the unnecessary overhead of creating a new object.

Suggested change

	"books_count": len(app_state.get("library", Library()).books)
	"books_count": len(app_state["library"].books)

[gemini-code-assist]

This section contains dependencies that are either for development or appear to be unused.

• pytest and pytest-cov are development dependencies. They are correctly defined in pyproject.toml under the [dev] extra and should not be in the production requirements.
• python-dotenv seems to be unused, as configuration is handled by os.getenv and shell scripts.

Removing these will make the production environment leaner and establishes pyproject.toml as the single source of truth for dependencies. Developers can install them using pip install -e .[dev].