Initial commit: hardened DeerFlow factory

Vendored deer-flow upstream (bytedance/deer-flow) plus prompt-injection
hardening:

- New deerflow.security package: content_delimiter, html_cleaner,
  sanitizer (8 layers — invisible chars, control chars, symbols, NFC,
  PUA, tag chars, horizontal whitespace collapse with newline/tab
  preservation, length cap)
- New deerflow.community.searx package: web_search, web_fetch,
  image_search backed by a private SearX instance, every external
  string sanitized and wrapped in <<<EXTERNAL_UNTRUSTED_CONTENT>>>
  delimiters
- All native community web providers (ddg_search, tavily, exa,
  firecrawl, jina_ai, infoquest, image_search) replaced with hard-fail
  stubs that raise NativeWebToolDisabledError at import time, so a
  misconfigured tool.use path fails loud rather than silently falling
  back to unsanitized output
- Native client back-doors (jina_client.py, infoquest_client.py)
  stubbed too
- Native-tool tests quarantined under tests/_disabled_native/
  (collect_ignore_glob via local conftest.py)
- Sanitizer Layer 7 fix: only collapse horizontal whitespace, preserve
  newlines and tabs so list/table structure survives
- Hardened runtime config.yaml references only the searx-backed tools
- Factory overlay (backend/) kept in sync with deer-flow tree as a
  reference / source

See HARDENING.md for the full audit trail and verification steps.

deer-flow/frontend/public/demo/threads/d3e5adaf-084c-4dd5-9d29-94f1d6bccd98/user-data/outputs/diana_hu_research.md

@@ -0,0 +1,372 @@
+# Diana Hu: Technical Startup Founder Advice - Comprehensive Research
+
+## Video Overview
+
+**Title:** Tips For Technical Startup Founders | Startup School  
+**Speaker:** Diana Hu, Y Combinator Group Partner  
+**Date:** April 21, 2023  
+**Length:** 28 minutes  
+**YouTube URL:** https://www.youtube.com/watch?v=rP7bpYsfa6Q
+
+## Speaker Background
+
+### Education
+
+- **BS and MS in Electrical and Computer Engineering** from Carnegie Mellon University
+- Focus on **computer vision and machine learning**
+- Originally from Chile
+
+### Career Path
+
+1. **Co-founder & CTO of Escher Reality** (YC S17)
+   - Startup building augmented reality SDK for game developers
+   - Company acquired by Niantic (makers of Pokémon Go) in February 2018
+
+2. **Director of Engineering at Niantic**
+   - Headed AR platform after acquisition
+   - Responsible for scaling AR infrastructure to millions of users
+
+3. **Group Partner at Y Combinator** (Current)
+   - Has conducted **over 1,700 office hours** across 5 batches
+   - Advises top YC alumni companies
+   - Specializes in technical founder guidance
+
+### Key Achievements
+
+- Successfully built and sold AR startup to Niantic
+- Scaled systems from prototype to millions of users
+- Extensive experience mentoring technical founders
+
+## Escher Reality Acquisition
+
+- **Founded:** 2016
+- **Y Combinator Batch:** Summer 2017 (S17)
+- **Product:** Augmented Reality backend/SDK for cross-platform mobile AR
+- **Acquisition:** February 1, 2018 by Niantic
+- **Terms:** Undisclosed, but both co-founders (Ross Finman and Diana Hu) joined Niantic
+- **Technology:** Persistent, cross-platform, multi-user AR experiences
+- **Impact:** Accelerated Niantic's work on planet-scale AR platform
+
+## Video Content Analysis
+
+### Three Stages of Technical Founder Journey
+
+#### Stage 1: Ideating (0:00-8:30)
+
+**Goal:** Build a prototype as soon as possible (matter of days)
+
+**Key Principles:**
+
+- Build something to show/demo to users
+- Doesn't have to work fully
+- CEO co-founder should be finding users to show prototype
+
+**Examples:**
+
+1. **Optimizely** (YC W10)
+   - Built prototype in couple of days
+   - JavaScript file on S3 for A/B testing
+   - Manual execution via Chrome console
+
+2. **Escher Reality** (Diana's company)
+   - Computer vision algorithms on phones
+   - Demo completed in few weeks
+   - Visual demo easier than explaining
+
+3. **Remora** (YC W21)
+   - Carbon capture for semi-trucks
+   - Used 3D renderings to show promise
+   - Enough to get users excited despite hard tech
+
+**Common Mistakes:**
+
+- Overbuilding at this stage
+- Not talking/listening to users soon enough
+- Getting too attached to initial ideas
+
+#### Stage 2: Building MVP (8:30-19:43)
+
+**Goal:** Build to launch quickly (weeks, not months)
+
+**Key Principles:**
+
+1. **Do Things That Don't Scale** (Paul Graham)
+   - Manual onboarding (editing database directly)
+   - Founders processing requests manually
+   - Example: Stripe founders filling bank forms manually
+
+2. **Create 90/10 Solution** (Paul Buchheit)
+   - Get 90% of value with 10% of effort
+   - Restrict product to limited dimensions
+   - Push features to post-launch
+
+3. **Choose Tech for Iteration Speed**
+   - Balance product needs with personal expertise
+   - Use third-party frameworks and APIs
+   - Don't build from scratch
+
+**Examples:**
+
+1. **DoorDash** (originally Palo Alto Delivery)
+   - Static HTML with PDF menus
+   - Google Forms for orders
+   - "Find My Friends" to track deliveries
+   - Built in one afternoon
+   - Focused only on Palo Alto initially
+
+2. **WayUp** (YC 2015)
+   - CTO JJ chose Django/Python over Ruby/Rails
+   - Prioritized iteration speed over popular choice
+   - Simple stack: Postgres, Python, Heroku
+
+3. **Justin TV/Twitch**
+   - Four founders (three technical)
+   - Each tackled different parts: video streaming, database, web
+   - Hired "misfits" overlooked by Google
+
+**Tech Stack Philosophy:**
+
+- "If you build a company and it works, tech choices don't matter as much"
+- Facebook: PHP → HipHop transpiler
+- JavaScript: V8 engine optimization
+- Choose what you're dangerous enough with
+
+#### Stage 3: Launch Stage (19:43-26:51)
+
+**Goal:** Iterate towards product-market fit
+
+**Key Principles:**
+
+1. **Quickly Iterate with Hard and Soft Data**
+   - Set up simple analytics dashboard (Google Analytics, Amplitude, Mixpanel)
+   - Keep talking to users
+   - Marry data with user insights
+
+2. **Continuously Launch**
+   - Example: Segment launched 5 times in one month
+   - Each launch added features based on user feedback
+   - Weekly launches to maintain momentum
+
+3. **Balance Building vs Fixing**
+   - Tech debt is totally fine early on
+   - "Feel the heat of your tech burning"
+   - Fix only what prevents product-market fit
+
+**Examples:**
+
+1. **WePay** (YC company)
+   - Started as B2C payments (Venmo-like)
+   - Analytics showed features unused
+   - User interviews revealed GoFundMe needed API
+   - Pivoted to API product
+
+2. **Pokémon Go Launch**
+   - Massive scaling issues on day 1
+   - Load balancer problems caused DDoS-like situation
+   - Didn't kill the company (made $1B+ revenue)
+   - "Breaking because of too much demand is a good thing"
+
+3. **Segment**
+   - December 2012: First launch on Hacker News
+   - Weekly launches adding features
+   - Started with Google Analytics, Mixpanel, Intercom support
+   - Added Node, PHP, WordPress support based on feedback
+
+### Role Evolution Post Product-Market Fit
+
+- **2-5 engineers:** 70% coding time
+- **5-10 engineers:** <50% coding time
+- **Beyond 10 engineers:** Little to no coding time
+- Decision point: Architect role vs People/VP role
+
+## Key Concepts Deep Dive
+
+### 90/10 Solution (Paul Buchheit)
+
+- Find ways to get 90% of the value with 10% of the effort
+- Available 90% solution now is better than 100% solution later
+- Restrict product dimensions: geography, user type, data type, functionality
+
+### Technical Debt in Startups
+
+- **Early stage:** Embrace technical debt
+- **Post product-market fit:** Address scaling issues
+- **Philosophy:** "Tech debt is totally fine - feel the heat of your tech burning"
+- Only fix what prevents reaching product-market fit
+
+### MVP Principles
+
+1. **Speed over perfection:** Launch in weeks, not months
+2. **Manual processes:** Founders do unscalable work
+3. **Limited scope:** Constrain to prove core value
+4. **Iterative validation:** Launch, learn, iterate
+
+## Companies Mentioned (with Context)
+
+### Optimizely (YC W10)
+
+- A/B testing platform
+- Prototype: JavaScript file on S3, manual execution
+- Founders: Pete Koomen and Dan Siroker
+- Dan previously headed analytics for Obama campaign
+
+### Remora (YC W21)
+
+- Carbon capture device for semi-trucks
+- Prototype: 3D renderings to demonstrate concept
+- Captures 80%+ of truck emissions
+- Can make trucks carbon-negative with biofuels
+
+### Justin TV/Twitch
+
+- Live streaming platform → gaming focus
+- Founders: Justin Kan, Emmett Shear, Michael Seibel, Kyle Vogt
+- MVP built by 4 founders (3 technical)
+- Hired overlooked engineers from Google
+
+### Stripe
+
+- Payment processing API
+- Early days: Founders manually processed payments
+- Filled bank forms manually for each transaction
+- Classic "do things that don't scale" example
+
+### DoorDash
+
+- Originally "Palo Alto Delivery"
+- Static HTML with PDF menus
+- Google Forms for orders
+- "Find My Friends" for delivery tracking
+- Focused on suburbs vs metro areas (competitive advantage)
+
+### WayUp (YC 2015)
+
+- Job board for college students
+- CTO JJ chose Django/Python over Ruby/Rails
+- Prioritized iteration speed over popular choice
+- Simple, effective tech stack
+
+### WePay (YC company)
+
+- Started as B2C payments (Venmo competitor)
+- Pivoted to API after user discovery
+- GoFundMe became key customer
+- Example of data + user interviews driving pivot
+
+### Segment
+
+- Analytics infrastructure
+- Multiple launches in short timeframe
+- Started with limited integrations
+- Added features based on user requests
+- Acquired by Twilio for $3.2B
+
+### Algolia
+
+- Search API mentioned as YC success
+- Part of Diana's network of advised companies
+
+## Actionable Advice for Technical Founders
+
+### Immediate Actions (Week 1)
+
+1. **Build clickable prototype** (Figma, InVision) in 1-3 days
+2. **Find 10 potential users** to show prototype
+3. **Use existing tools** rather than building from scratch
+4. **Embrace ugly code** - it's temporary
+
+### Tech Stack Selection
+
+1. **Choose familiarity over trendiness**
+2. **Use third-party services** for non-core functions
+3. **Keep infrastructure simple** (Heroku, Firebase, AWS)
+4. **Only build what's unique** to your value proposition
+
+### Hiring Strategy
+
+1. **Don't hire too early** (slows you down)
+2. **Founders must build** to gain product insights
+3. **Look for "misfits"** - overlooked talent
+4. **Post product-market fit:** Scale team strategically
+
+### Launch Strategy
+
+1. **Launch multiple times** (weekly iterations)
+2. **Combine analytics with user interviews**
+3. **Balance feature development with bug fixes**
+4. **Accept technical debt** until product-market fit
+
+### Mindset Shifts
+
+1. **From perfectionist to pragmatist**
+2. **From specialist to generalist** (do whatever it takes)
+3. **From employee to owner** (no task beneath you)
+4. **From certainty to comfort with ambiguity**
+
+## Diana's Personal Insights
+
+### From Her Experience
+
+- "Technical founder is committed to the success of your company"
+- "Do whatever it takes to get it to work"
+- "Your product will evolve - if someone else builds it, you miss key learnings"
+- "The only tech choices that matter are tied to customer promises"
+
+### Common Traps to Avoid
+
+1. **"What would Google do?"** - Building like a big company too early
+2. **Hiring to move faster** - Actually slows you down initially
+3. **Over-fixing vs building** - Focus on product-market fit first
+4. **Building features without user insights** - Keep talking to users
+
+## Resources & References
+
+### YC Resources
+
+- Y Combinator Library: "Tips for technical startup founders"
+- Paul Graham Essay: "Do Things That Don't Scale"
+- Paul Buchheit Concept: "90/10 Solution"
+- Startup School: Technical founder track
+
+### Tools Mentioned
+
+- **Prototyping:** Figma, InVision
+- **Analytics:** Google Analytics, Amplitude, Mixpanel
+- **Infrastructure:** Heroku, Firebase, AWS, GCP
+- **Authentication:** Auth0
+- **Payments:** Stripe
+- **Landing Pages:** Webflow
+
+### Further Reading
+
+1. Paul Graham essays (paulgraham.com)
+2. Y Combinator Startup School materials
+3. Case studies: Stripe, DoorDash, Segment early days
+4. Technical debt management in startups
+
+## Key Takeaways
+
+### For Technical Founders
+
+1. **Speed is your superpower** - Move faster than established companies
+2. **Embrace imperfection** - Good enough beats perfect when speed matters
+3. **Stay close to users** - Insights come from conversations, not just data
+4. **Tech debt is a feature, not a bug** - Early stage startups should accumulate it
+
+### For Startup Strategy
+
+1. **Constrained focus** leads to better unit economics (DoorDash example)
+2. **Manual processes** create customer intimacy and learning
+3. **Continuous launching** builds momentum and feedback loops
+4. **Break things at scale** is a good problem to have
+
+### For Team Building
+
+1. **Founders build first** - Critical for product insights
+2. **Hire for adaptability** over pedigree
+3. **Evolve role with growth** - Coding time decreases with team size
+4. **Culture emerges** from early team composition
+
+---
+
+_Research compiled from YouTube transcript, web searches, and Y Combinator resources. Last updated: January 25, 2026_