feat: support custom prompt

[earayu]

Note

Medium Risk
Introduces new DB-backed prompt resolution used in the agent chat flow plus new public endpoints; incorrect resolution/validation could change agent behavior or break chats, and includes a schema migration.

Overview
Adds first-class prompt customization backed by a new prompt_template table (model, repository mixin, Alembic migration) and a PromptTemplateService that resolves prompts by priority (bot config → user default → system default → hardcoded) and supports preview/validation.

Exposes new REST endpoints under /api/v1/prompts/* (user CRUD/reset, system defaults, preview, validate) and updates OpenAPI schemas/clients accordingly; also extends collection config with index_prompts for per-collection index prompt overrides.

Integrates the resolver into agent_chat_service so WebSocket chats use resolved system/query prompts, bumps mcp-agent to 0.2.6 with corresponding logger setting changes, and includes small compatibility fixes (FastAPI Query(..., pattern=...), relax OTel span recording check).

^{Written by Cursor Bugbot for commit 637cc04. This will update automatically on new commits. Configure here.}

[cursor]

Missing unique constraint creates race condition for duplicates

Medium Severity

The prompt_template table lacks a unique constraint on (prompt_type, scope, user_id, language). The create_or_update_prompt_template method uses a read-check-write pattern (query existing, then create if not found) which is susceptible to race conditions. If two concurrent requests try to create the same prompt configuration, both could pass the existence check and create duplicate records, leading to data integrity issues and unpredictable behavior when querying.

Additional Locations (1)

• aperag/db/repositories/prompt_template.py#L135-L175

 

[cursor]

Template preview allows server-side template injection

High Severity

The preview_prompt method uses Jinja2's basic Template class to render user-provided templates without sandboxing. This allows authenticated users to execute arbitrary Python code on the server through Server-Side Template Injection (SSTI) payloads. Jinja2's SandboxedEnvironment from jinja2.sandbox should be used instead to restrict access to dangerous attributes and methods.

Additional Locations (1)

• aperag/views/prompts.py#L197-L198

 

[cursor]

Preview endpoint vulnerable to server-side template injection

High Severity

The /prompts/preview endpoint accepts user-provided Jinja2 templates and renders them using an unsandboxed Template(). This enables Server-Side Template Injection (SSTI). An attacker can craft a malicious template like {{ ''.__class__.__mro__[2].__subclasses__() }} to access Python internals, potentially leading to arbitrary code execution. Jinja2's SandboxedEnvironment is needed to restrict access to dangerous attributes and methods.

Additional Locations (1)

• aperag/service/prompt_template_service.py#L792-L794

 

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Race condition allows duplicate prompt records without unique constraint

Medium Severity

The PromptTemplate model and migration lack a unique constraint on the logical key (prompt_type, scope, user_id, language) for non-deleted records. The create_or_update_prompt_template method uses a check-then-act pattern (SELECT then INSERT) which creates a race condition. Concurrent requests could both find no existing record and both insert, creating duplicates. Subsequent queries use .first() without ORDER BY, causing non-deterministic results where updates might affect only one duplicate while stale data gets returned.

Additional Locations (1)

• aperag/db/repositories/prompt_template.py#L135-L175