Initial commit: hardened DeerFlow factory

Vendored deer-flow upstream (bytedance/deer-flow) plus prompt-injection hardening: - New deerflow.security package: content_delimiter, html_cleaner, sanitizer (8 layers — invisible chars, control chars, symbols, NFC, PUA, tag chars, horizontal whitespace collapse with newline/tab preservation, length cap) - New deerflow.community.searx package: web_search, web_fetch, image_search backed by a private SearX instance, every external string sanitized and wrapped in <<<EXTERNAL_UNTRUSTED_CONTENT>>> delimiters - All native community web providers (ddg_search, tavily, exa, firecrawl, jina_ai, infoquest, image_search) replaced with hard-fail stubs that raise NativeWebToolDisabledError at import time, so a misconfigured tool.use path fails loud rather than silently falling back to unsanitized output - Native client back-doors (jina_client.py, infoquest_client.py) stubbed too - Native-tool tests quarantined under tests/_disabled_native/ (collect_ignore_glob via local conftest.py) - Sanitizer Layer 7 fix: only collapse horizontal whitespace, preserve newlines and tabs so list/table structure survives - Hardened runtime config.yaml references only the searx-backed tools - Factory overlay (backend/) kept in sync with deer-flow tree as a reference / source See HARDENING.md for the full audit trail and verification steps.
2026-04-12 14:23:57 +02:00
commit 6de0bf9f5b
889 changed files with 173052 additions and 0 deletions
--- a/deer-flow/scripts/wait-for-port.sh
+++ b/deer-flow/scripts/wait-for-port.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+#
+# wait-for-port.sh - Wait for a TCP port to become available
+#
+# Usage: ./scripts/wait-for-port.sh <port> [timeout_seconds] [service_name]
+#
+# Arguments:
+#   port             - TCP port to wait for (required)
+#   timeout_seconds  - Max seconds to wait (default: 60)
+#   service_name     - Display name for messages (default: "Service")
+#
+# Exit codes:
+#   0 - Port is listening
+#   1 - Timed out waiting
+
+PORT="${1:?Usage: wait-for-port.sh <port> [timeout] [service_name]}"
+TIMEOUT="${2:-60}"
+SERVICE="${3:-Service}"
+
+elapsed=0
+interval=1
+
+is_port_listening() {
+    if command -v lsof >/dev/null 2>&1; then
+        if lsof -nP -iTCP:"$PORT" -sTCP:LISTEN -t >/dev/null 2>&1; then
+            return 0
+        fi
+    fi
+
+    if command -v ss >/dev/null 2>&1; then
+        if ss -ltn "( sport = :$PORT )" 2>/dev/null | tail -n +2 | grep -q .; then
+            return 0
+        fi
+    fi
+
+    if command -v netstat >/dev/null 2>&1; then
+        if netstat -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "(^|[.:])${PORT}$"; then
+            return 0
+        fi
+    fi
+
+    if command -v timeout >/dev/null 2>&1; then
+        timeout 1 bash -c "exec 3<>/dev/tcp/127.0.0.1/$PORT" >/dev/null 2>&1
+        return $?
+    fi
+
+    return 1
+}
+
+while ! is_port_listening; do
+    if [ "$elapsed" -ge "$TIMEOUT" ]; then
+        echo ""
+        echo "✗ $SERVICE failed to start on port $PORT after ${TIMEOUT}s"
+        exit 1
+    fi
+    printf "\r  Waiting for %s on port %s... %ds" "$SERVICE" "$PORT" "$elapsed"
+    sleep "$interval"
+    elapsed=$((elapsed + interval))
+done
+
+printf "\r  %-60s\r" ""   # clear the waiting line