feat: add prompt library with theme organization

[devin-ai-integration]

Add prompt library feature with theme-based organization

This PR adds a new prompt library feature that allows users to:

• Browse prompts organized by themes (marketing, finance, customer support, sales)
• Create, read, update, and delete prompts through the UI
• Filter prompts by theme
• Store prompts in the database with creation/update timestamps

Technical Details

• Added zod schema validation for frontend data validation
• Added Pydantic models for backend API validation
• Implemented proper error handling with user-friendly messages
• Added ARIA attributes for accessibility
• Added loading states with proper indicators
• Added synchronous database operations for better error handling
• Added JSON response validation in both frontend and backend

Testing

• ✅ API endpoints return valid JSON responses
• ✅ Frontend validates data before sending to API
• ✅ Error messages are human-readable
• ✅ Loading states are properly indicated
• ✅ CI checks are passing

Link to Devin run: https://app.devin.ai/sessions/2430149b78eb49f6bff9c52e97afdb17
Requested by: [email protected]

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add "(aside)" to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[semgrep-code-assistant-ws]

Semgrep found 1 wildcard-cors finding:

• llm_gateway/app.py
  • L66 - Triage

CORS policy allows any origin (using wildcard '*'). This is insecure and should be avoided.

View Dataflow Graph

flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>llm_gateway/app.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/wealthsimple/llm-gateway/blob/66a0538d8fd74b608835e9ed9fabf6e69f486332/llm_gateway/app.py#L62 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 62] [&quot;*&quot;]</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/wealthsimple/llm-gateway/blob/66a0538d8fd74b608835e9ed9fabf6e69f486332/llm_gateway/app.py#L62 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 62] origins</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/wealthsimple/llm-gateway/blob/66a0538d8fd74b608835e9ed9fabf6e69f486332/llm_gateway/app.py#L66 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 66] origins</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink

Loading

[semgrep-code-assistant-ws]

Semgrep identified an issue in your code:

Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like and and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged.

Dataflow graph

flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>llm_gateway/app.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/wealthsimple/llm-gateway/blob/66a0538d8fd74b608835e9ed9fabf6e69f486332/llm_gateway/app.py#L49 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 49] request</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/wealthsimple/llm-gateway/blob/66a0538d8fd74b608835e9ed9fabf6e69f486332/llm_gateway/app.py#L49 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 49] request</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/wealthsimple/llm-gateway/blob/66a0538d8fd74b608835e9ed9fabf6e69f486332/llm_gateway/app.py#L50 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 50] f&quot;Database error in {request.url.path}: {str(exc)}&quot;</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink

Loading

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change

	logging.error(f"Database error in {request.url.path}: {str(exc)}")
	import re
	def sanitize_input(input_str):
	# Allow only alphanumeric characters, slashes, underscores, and hyphens
	return re.sub(r'[^a-zA-Z0-9/_-]', '', input_str)
	@api.exception_handler(SQLAlchemyError)
	async def sqlalchemy_exception_handler(request: Request, exc: SQLAlchemyError):
	logging.error(f"Database error in {sanitize_input(request.url.path)}: {str(exc)}")
	if hasattr(exc, "detail"):
	return JSONResponse(status_code=503, content={"detail": exc.detail})
	return JSONResponse(
	status_code=503,
	content={"detail": "Database operation failed. Please try again later."},
	)

View step-by-step instructions

1. Sanitize the request.url.path before logging it to prevent log injection. You can use a simple sanitization function that removes or escapes potentially dangerous characters.
2. Define a sanitization function, for example:

   def sanitize_input(input_str):
       return input_str.replace('\n', '').replace('\r', '').replace('\t', '')

3. Use the sanitization function on request.url.path before logging:

   logging.error(f"Database error in {sanitize_input(request.url.path)}: {str(exc)}")

4. Alternatively, if you want to ensure that only alphanumeric characters and a few safe symbols are logged, you can use a regular expression to filter the input:

   import re
   def sanitize_input(input_str):
       return re.sub(r'[^a-zA-Z0-9/_-]', '', input_str)

5. Replace the logging statement with the sanitized version:

   logging.error(f"Database error in {sanitize_input(request.url.path)}: {str(exc)}")

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-log-injection-stdlib-fastapi.

_{You can view more details about this finding in the Semgrep AppSec Platform.}