mito-ds
diff --git a/‎mito-ai/mito_ai/completions/prompt_builders/agent_system_message.py‎
Lines changed: 7 additions & 1 deletion b/‎mito-ai/mito_ai/completions/prompt_builders/agent_system_message.py‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎mito-ai/mito_ai/completions/prompt_builders/chat_system_message.py‎
Lines changed: 4 additions & 0 deletions b/‎mito-ai/mito_ai/completions/prompt_builders/chat_system_message.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎mito-ai/mito_ai/completions/prompt_builders/prompt_constants.py‎
Lines changed: 15 additions & 0 deletions b/‎mito-ai/mito_ai/completions/prompt_builders/prompt_constants.py‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎mito-ai/mito_ai/rules/handlers.py‎
Lines changed: 46 additions & 12 deletions b/‎mito-ai/mito_ai/rules/handlers.py‎
Lines changed: 46 additions & 12 deletions
diff --git a/‎mito-ai/mito_ai/rules/utils.py‎
Lines changed: 170 additions & 6 deletions b/‎mito-ai/mito_ai/rules/utils.py‎
Lines changed: 170 additions & 6 deletions
@@ -10,6 +10,7 @@
     get_database_rules
 )
 from mito_ai.completions.prompt_builders.prompt_section_registry.base import PromptSection
+from mito_ai.rules.utils import get_default_rules_content
 
 def create_agent_system_message_prompt(isChromeBrowser: bool) -> str:
 
@@ -474,7 +475,12 @@ def create_agent_system_message_prompt(isChromeBrowser: bool) -> str:
 
     # Database rules
     sections.append(SG.Generic("Database Rules", get_database_rules()))
-    
+
+    # Default rules
+    default_rules = get_default_rules_content()
+    if default_rules:
+        sections.append(SG.Generic("Default (User Defined) Rules", default_rules))
+
     # RULES OF YOUR WORKING PROCESS
     sections.append(SG.Generic("Rules Of Working Process", f"""The user is going to ask you to guide them as through the process of completing a task. You will help them complete a task over the course of an entire conversation with them. The user will first share with you what they want to accomplish. You will then use a tool to execute the first step of the task, they will execute the tool and return to you the updated notebook state with you, and then you will give them the next step of the task. You will continue to give them the next step of the task until they have completed the task.
 
 
@@ -11,6 +11,7 @@
     get_database_rules
 )
 from mito_ai.completions.prompt_builders.prompt_section_registry.base import PromptSection
+from mito_ai.rules.utils import get_default_rules_content
 
 def create_chat_system_message_prompt() -> str:
     sections: List[PromptSection] = []
@@ -34,6 +35,9 @@ def create_chat_system_message_prompt() -> str:
 
     sections.append(SG.Generic("Chart Config Rules", CHART_CONFIG_RULES))
     sections.append(SG.Generic("DatabaseRules", get_database_rules()))
+    default_rules = get_default_rules_content()
+    if default_rules:
+        sections.append(SG.Generic("Default (User Defined) Rules", default_rules))
     sections.append(SG.Generic("Citation Rules", CITATION_RULES))
     sections.append(SG.Generic("Cell Reference Rules", CELL_REFERENCE_RULES))
 
 
@@ -26,6 +26,17 @@
 - NEVER include comments on the same line as a variable assignment. Each variable assignment must be on its own line with no trailing comments.
 - For string values, use either single or double quotes (e.g., TITLE = "Sales by Product" or TITLE = 'Sales by Product'). Do not use nested quotes (e.g., do NOT use '"value"').
 
+Fixed acceptable ranges (matplotlib constraints):
+- For numeric variables that have a fixed acceptable range, add a line immediately BEFORE the variable assignment: # RANGE VARIABLE_NAME MIN MAX
+- This allows the Chart Wizard to clamp inputs and prevent invalid values. Use the following ranges when you use these variables:
+  - ALPHA (opacity): 0 1
+  - FIGURE_SIZE (tuple width, height in inches): 1 24 (each element)
+  - LINE_WIDTH, LINEWIDTH, LWD: 0 20
+  - FONT_SIZE, FONTSIZE, FONT_SIZE_TITLE, FONT_SIZE_LABEL: 0.1 72
+  - MARKER_SIZE, MARKERSIZE, S: 0 1000
+  - DPI: 1 600
+  - Any other numeric or tuple variable that you know has matplotlib constraints: add # RANGE VARIABLE_NAME MIN MAX with the appropriate min and max.
+
 Common Mistakes to Avoid:
 - WRONG: COLOR = '"#1877F2" # Meta Blue'  (nested quotes and inline comment)
 - WRONG: COLOR = "#1877F2" # Meta Blue  (inline comment)
@@ -38,6 +49,10 @@
 X_LABEL = "Product"
 Y_LABEL = "Sales"
 BAR_COLOR = "#000000"
+# RANGE ALPHA 0 1
+ALPHA = 0.8
+# RANGE FIGURE_SIZE 1 24
+FIGURE_SIZE = (12, 6)
 # === END CONFIG ===
 """
 
 
@@ -7,7 +7,16 @@
 import tornado
 import os
 from jupyter_server.base.handlers import APIHandler
-from mito_ai.rules.utils import RULES_DIR_PATH, get_all_rules, get_rule, set_rules_file
+from mito_ai.rules.utils import (
+    RULES_DIR_PATH,
+    cleanup_rules_metadata,
+    delete_rule,
+    get_all_rules,
+    get_rule,
+    get_rule_default,
+    set_rule_default,
+    set_rules_file,
+)
 
 
 class RulesHandler(APIHandler):
@@ -17,17 +26,26 @@ class RulesHandler(APIHandler):
     def get(self, key: Union[str, None] = None) -> None:
         """Get a specific rule by key or all rules if no key provided"""
         if key is None or key == '':
-            # No key provided, return all rules
-            rules = get_all_rules()
+            # No key provided, return all rules with is_default flag
+            rule_files = get_all_rules()
+            rules = [
+                {"name": name, "is_default": get_rule_default(name)}
+                for name in rule_files
+            ]
             self.finish(json.dumps(rules))
         else:
             # Key provided, return specific rule
-            rule_content = get_rule(key)
-            if rule_content is None:
-                self.set_status(404)
-                self.finish(json.dumps({"error": f"Rule with key '{key}' not found"}))
-            else:
-                self.finish(json.dumps({"key": key, "content": rule_content}))
+            try:
+                rule_content = get_rule(key)
+                if rule_content is None:
+                    self.set_status(404)
+                    self.finish(json.dumps({"error": f"Rule with key '{key}' not found"}))
+                else:
+                    is_default = get_rule_default(key)
+                    self.finish(json.dumps({"key": key, "content": rule_content, "is_default": is_default}))
+            except ValueError as e:
+                self.set_status(400)
+                self.finish(json.dumps({"error": str(e)}))
 
     @tornado.web.authenticated
     def put(self, key: str) -> None:
@@ -37,8 +55,24 @@ def put(self, key: str) -> None:
             self.set_status(400)
             self.finish(json.dumps({"error": "Content is required"}))
             return
-            
-        set_rules_file(key, data['content'])
-        self.finish(json.dumps({"status": "updated", "rules file ": key}))
 
+        try:
+            set_rules_file(key, data['content'])
+            if 'is_default' in data:
+                set_rule_default(key, bool(data['is_default']))
+            cleanup_rules_metadata()
+            self.finish(json.dumps({"status": "updated", "rules_file": key}))
+        except ValueError as e:
+            self.set_status(400)
+            self.finish(json.dumps({"error": str(e)}))
 
+    @tornado.web.authenticated
+    def delete(self, key: str) -> None:
+        """Delete a rule by key (rule name)."""
+        try:
+            delete_rule(key)
+            cleanup_rules_metadata()
+            self.finish(json.dumps({"status": "deleted", "key": key}))
+        except ValueError as e:
+            self.set_status(400)
+            self.finish(json.dumps({"error": str(e)}))
@@ -1,37 +1,166 @@
 # Copyright (c) Saga Inc.
 # Distributed under the terms of the GNU Affero General Public License v3.0 License.
 
-from typing import Any, Final, List, Optional
+from typing import Any, Final, List, Optional, cast
 import os
+import json
 from mito_ai.utils.schema import MITO_FOLDER
 
 RULES_DIR_PATH: Final[str] = os.path.join(MITO_FOLDER, 'rules')
+RULES_METADATA_FILENAME: Final[str] = '_metadata.json'
+
+
+def _sanitize_rule_name(rule_name: str) -> str:
+    """
+    Sanitizes a rule name to prevent path traversal attacks.
+    Raises ValueError if the rule name contains unsafe characters.
+    
+    Args:
+        rule_name: The rule name to sanitize
+        
+    Returns:
+        The sanitized rule name (with .md extension stripped if present)
+        
+    Raises:
+        ValueError: If the rule name contains path traversal sequences or other unsafe characters
+    """
+    if not rule_name:
+        raise ValueError("Rule name cannot be empty")
+    
+    # Strip .md extension if present
+    if rule_name.endswith('.md'):
+        rule_name = rule_name[:-3]
+    
+    # Check for path traversal sequences
+    if '..' in rule_name or '/' in rule_name or '\\' in rule_name:
+        raise ValueError(f"Rule name contains invalid characters: {rule_name}")
+    
+    # Check for absolute paths
+    if os.path.isabs(rule_name):
+        raise ValueError(f"Rule name cannot be an absolute path: {rule_name}")
+    
+    # Check for null bytes or other control characters
+    if '\x00' in rule_name:
+        raise ValueError("Rule name cannot contain null bytes")
+    
+    # Ensure it's a valid filename (no reserved characters on Windows)
+    # Windows reserved: < > : " | ? * 
+    invalid_chars = set('<>:|?*"')
+    if any(c in rule_name for c in invalid_chars):
+        raise ValueError(f"Rule name contains invalid filename characters: {rule_name}")
+    
+    return rule_name
+
+
+def _validate_rule_path(file_path: str, rule_name: str) -> None:
+    """
+    Validates that a rule file path is within the rules directory.
+    This provides defense-in-depth protection against path traversal attacks.
+    
+    Args:
+        file_path: The file path to validate
+        rule_name: The rule name (for error messages)
+        
+    Raises:
+        ValueError: If the resolved path is outside RULES_DIR_PATH
+    """
+    resolved_path = os.path.abspath(file_path)
+    rules_dir_abs = os.path.abspath(RULES_DIR_PATH)
+    if not resolved_path.startswith(rules_dir_abs):
+        raise ValueError(f"Invalid rule name: {rule_name}")
+
+
+def _get_metadata_path() -> str:
+    return os.path.join(RULES_DIR_PATH, RULES_METADATA_FILENAME)
+
+
+def _load_metadata() -> dict[Any, Any]:
+    path = _get_metadata_path()
+    if not os.path.exists(path):
+        return {}
+    try:
+        with open(path, 'r') as f:
+            return cast(dict[Any, Any], json.load(f))
+    except (json.JSONDecodeError, OSError):
+        return {}
+
+
+def _save_metadata(metadata: dict) -> None:
+    if not os.path.exists(RULES_DIR_PATH):
+        os.makedirs(RULES_DIR_PATH)
+    path = _get_metadata_path()
+    with open(path, 'w') as f:
+        json.dump(metadata, f, indent=2)
+
+
+def get_rule_default(rule_name: str) -> bool:
+    """Returns whether the rule is marked as a default (auto-applied) rule."""
+    if rule_name.endswith('.md'):
+        rule_name = rule_name[:-3]
+    metadata = _load_metadata()
+    entry = metadata.get(rule_name, {})
+    return bool(entry.get('is_default', False))
+
+
+def set_rule_default(rule_name: str, is_default: bool) -> None:
+    """Sets whether the rule is a default (auto-applied) rule."""
+    if rule_name.endswith('.md'):
+        rule_name = rule_name[:-3]
+    metadata = _load_metadata()
+    metadata[rule_name] = {**metadata.get(rule_name, {}), 'is_default': is_default}
+    _save_metadata(metadata)
+
 
 def set_rules_file(rule_name: str, value: Any) -> None:
     """
     Updates the value of a specific rule file in the rules directory
     """
+    # Sanitize rule name to prevent path traversal
+    rule_name = _sanitize_rule_name(rule_name)
+    
     # Ensure the directory exists
     if not os.path.exists(RULES_DIR_PATH):
         os.makedirs(RULES_DIR_PATH)
-    
+
     # Create the file path to the rule name as a .md file
     file_path = os.path.join(RULES_DIR_PATH, f"{rule_name}.md")
 
+    # Additional safety check: ensure the resolved path is still within RULES_DIR_PATH
+    _validate_rule_path(file_path, rule_name)
+
     with open(file_path, 'w+') as f:
         f.write(value)
+
+
+def delete_rule(rule_name: str) -> None:
+    """
+    Deletes a rule file from the rules directory. Normalizes rule_name (strips .md).
+    Metadata for this rule is removed by cleanup_rules_metadata().
+    """
+    # Sanitize rule name to prevent path traversal
+    rule_name = _sanitize_rule_name(rule_name)
+    
+    file_path = os.path.join(RULES_DIR_PATH, f"{rule_name}.md")
+    
+    # Additional safety check: ensure the resolved path is still within RULES_DIR_PATH
+    _validate_rule_path(file_path, rule_name)
 
+    if os.path.exists(file_path):
+        os.remove(file_path)
+
 
 def get_rule(rule_name: str) -> Optional[str]:
     """
     Retrieves the value of a specific rule file from the rules directory
     """
-    
-    if rule_name.endswith('.md'):
-        rule_name = rule_name[:-3]
+    # Sanitize rule name to prevent path traversal
+    rule_name = _sanitize_rule_name(rule_name)
 
     file_path = os.path.join(RULES_DIR_PATH, f"{rule_name}.md")
 
+    # Additional safety check: ensure the resolved path is still within RULES_DIR_PATH
+    _validate_rule_path(file_path, rule_name)
+    
     if not os.path.exists(file_path):
         return None
 
@@ -47,10 +176,45 @@ def get_all_rules() -> List[str]:
     if not os.path.exists(RULES_DIR_PATH):
         os.makedirs(RULES_DIR_PATH)
         return []  # Return empty list if directory didn't exist
-    
+
     try:
         return [f for f in os.listdir(RULES_DIR_PATH) if f.endswith('.md')]
     except OSError as e:
         # Log the error if needed and return empty list
         print(f"Error reading rules directory: {e}")
         return []
+
+
+def cleanup_rules_metadata() -> None:
+    """
+    Removes metadata entries for rules that no longer exist on disk (deleted or renamed).
+    Call after rule create/update so metadata stays in sync with actual rule files.
+    """
+    current_files = get_all_rules()
+    current_rule_names = {f[:-3] if f.endswith('.md') else f for f in current_files}
+    metadata = _load_metadata()
+    if not metadata:
+        return
+    keys_to_remove = [k for k in metadata if k not in current_rule_names]
+    if not keys_to_remove:
+        return
+    for k in keys_to_remove:
+        del metadata[k]
+    _save_metadata(metadata)
+
+
+def get_default_rules_content() -> str:
+    """
+    Returns the concatenated content of all rules marked as default (auto-applied).
+    Each rule is included as "Rule name:\n\n{content}". Returns empty string if no default rules.
+    """
+    rule_files = get_all_rules()
+    parts: List[str] = []
+    for f in rule_files:
+        rule_name = f[:-3] if f.endswith('.md') else f
+        if not get_rule_default(rule_name):
+            continue
+        content = get_rule(rule_name)
+        if content and content.strip():
+            parts.append(f"{rule_name}:\n\n{content}")
+    return '\n\n'.join(parts) if parts else ""