fix: harden remaining findings — sweep DoS, constraint validation, XSS, JSON safety, CCSDS parser, CLI errors

Sweep: validate step>0, min<=max, cap at 1000 iterations, index-based loop.
Constraints: validate required keys, operator whitelist, numeric threshold, lock.
JSON: sanitize inf/nan to null in all API responses.
HTTP: top-level exception guards on GET/POST/PUT/DELETE returning 500.
Export: sanitize Content-Disposition filename.
Compare: only compute delta for metrics present on both sides.
Evaluate: skip malformed constraint dicts instead of crashing.
Frontend: add escapeHtml() utility, apply to all innerHTML renders, fix report URL.
CCSDS parser: duplicate key detection, NaN/inf rejection, velocity guard, empty states guard, dead code removal, space-epoch support.
CLI: error handling for FileNotFoundError and CcsdsValidationError in CCSDS imports.

3573 tests passing, 5 skipped.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: planet.jeroen

packages/core/src/humeris/cli.py

@@ -414,9 +414,9 @@ def _run_sweep(args) -> None:
     output_path = args.output
 
     if fmt == "json":
-        import json as _json
+        import json
         with open(output_path, "w", encoding="utf-8") as f:
-            _json.dump(results, f, indent=2, default=str)
+            json.dump(results, f, indent=2, default=str)
     else:
         # CSV
         if not results:
@@ -446,7 +446,15 @@ def _run_sweep(args) -> None:
 def _run_import_opm(args) -> None:
     """Import CCSDS OPM file and display satellite info."""
     from humeris.domain.ccsds_parser import parse_opm
-    result = parse_opm(args.import_opm)
+    from humeris.domain.ccsds_contracts import CcsdsValidationError
+    try:
+        result = parse_opm(args.import_opm)
+    except FileNotFoundError:
+        print(f"Error: File not found: {args.import_opm}", file=sys.stderr)
+        sys.exit(1)
+    except CcsdsValidationError as e:
+        print(f"Error: Invalid OPM file: {e}", file=sys.stderr)
+        sys.exit(1)
     print(f"Object: {result.object_name} ({result.object_id})")
     print(f"Frame: {result.ref_frame}, Center: {result.center_name}")
     for i, state in enumerate(result.states):
@@ -458,7 +466,15 @@ def _run_import_opm(args) -> None:
 def _run_import_oem(args) -> None:
     """Import CCSDS OEM file and display satellite info."""
     from humeris.domain.ccsds_parser import parse_oem
-    result = parse_oem(args.import_oem)
+    from humeris.domain.ccsds_contracts import CcsdsValidationError
+    try:
+        result = parse_oem(args.import_oem)
+    except FileNotFoundError:
+        print(f"Error: File not found: {args.import_oem}", file=sys.stderr)
+        sys.exit(1)
+    except CcsdsValidationError as e:
+        print(f"Error: Invalid OEM file: {e}", file=sys.stderr)
+        sys.exit(1)
     print(f"Object: {result.object_name} ({result.object_id})")
     print(f"Frame: {result.ref_frame}, Center: {result.center_name}")
     print(f"Ephemeris points: {len(result.states)}")

packages/core/src/humeris/domain/ccsds_parser.py

@@ -56,8 +56,10 @@ def _parse_kvn_pairs(text: str) -> list[tuple[str, str]]:
 
 def _parse_epoch(epoch_str: str) -> datetime:
     """Parse CCSDS epoch string to datetime."""
-    # Handle fractional seconds
-    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
+    for fmt in (
+        "%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S",
+        "%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S",
+    ):
         try:
             dt = datetime.strptime(epoch_str, fmt)
             return dt.replace(tzinfo=timezone.utc)
@@ -86,6 +88,8 @@ def _cartesian_to_orbital_state(
 
     if r_mag < 1.0:
         raise CcsdsValidationError("Position vector magnitude too small")
+    if v_mag < 1.0:
+        raise CcsdsValidationError("Velocity vector magnitude too small")
 
     # Specific angular momentum
     h_vec = np.cross(pos, vel)
@@ -175,13 +179,25 @@ def parse_opm(path: str) -> CcsdsOrbitData:
         text = f.read()
 
     pairs = _parse_kvn_pairs(text)
-    kvn = dict(pairs)
 
-    # Validate required fields
+    # Check for duplicate required keys
     required = {
         "OBJECT_NAME", "OBJECT_ID", "CENTER_NAME", "REF_FRAME",
         "TIME_SYSTEM", "EPOCH", "X", "Y", "Z", "X_DOT", "Y_DOT", "Z_DOT",
     }
+    seen: dict[str, int] = {}
+    for key, _ in pairs:
+        if key in required:
+            seen[key] = seen.get(key, 0) + 1
+    duplicates = sorted(k for k, v in seen.items() if v > 1)
+    if duplicates:
+        raise CcsdsValidationError(
+            f"Duplicate required keys in OPM: {', '.join(duplicates)}"
+        )
+
+    kvn = dict(pairs)
+
+    # Validate required fields
     missing = sorted(f for f in required if f not in kvn)
     if missing:
         raise CcsdsValidationError(
@@ -229,39 +245,8 @@ def parse_oem(path: str) -> CcsdsOrbitData:
 
     pairs = _parse_kvn_pairs(text)
 
-    # Extract header-level fields
-    header: dict[str, str] = {}
-    for key, val in pairs:
-        if key in ("CCSDS_OEM_VERS", "CREATION_DATE", "ORIGINATOR"):
-            header[key] = val
-
-    # Parse segments (each META_START...META_STOP block + data lines)
+    # Collect segments
     segments: list[tuple[dict[str, str], list[str]]] = []
-    meta: dict[str, str] = {}
-    data_lines: list[str] = []
-    in_meta = False
-
-    for key, val in pairs:
-        if key == "META_START":
-            in_meta = True
-            meta = {}
-            data_lines = []
-        elif key == "META_STOP":
-            in_meta = False
-        elif in_meta:
-            meta[key] = val
-        elif key == "_DATA_LINE" and meta:
-            data_lines.append(val)
-        elif key == "META_START" or (not in_meta and key == "_DATA_LINE"):
-            pass
-        # When we hit the next META_START, save current segment
-        if key == "META_START" and segments or (key == "META_START" and not segments):
-            if data_lines and meta:
-                # Save previous segment before starting new one
-                pass
-
-    # Finalize — collect segments by re-parsing
-    segments = []
     meta = {}
     data_lines = []
     in_meta = False
@@ -301,17 +286,27 @@ def parse_oem(path: str) -> CcsdsOrbitData:
             if len(parts) < 7:
                 continue
             epoch = _parse_epoch(parts[0])
+            try:
+                values = [float(parts[i]) for i in range(1, 7)]
+            except ValueError as e:
+                raise CcsdsValidationError(
+                    f"Non-numeric value in OEM data line: {e}"
+                ) from e
+            for i, v in enumerate(values):
+                if math.isnan(v) or math.isinf(v):
+                    raise CcsdsValidationError(
+                        f"NaN or Inf in OEM data line column {i + 1}"
+                    )
             state = _cartesian_to_orbital_state(
-                x_km=float(parts[1]),
-                y_km=float(parts[2]),
-                z_km=float(parts[3]),
-                vx_kms=float(parts[4]),
-                vy_kms=float(parts[5]),
-                vz_kms=float(parts[6]),
+                x_km=values[0], y_km=values[1], z_km=values[2],
+                vx_kms=values[3], vy_kms=values[4], vz_kms=values[5],
                 epoch=epoch,
             )
             all_states.append(state)
 
+    if not all_states:
+        raise CcsdsValidationError("OEM file contains no valid ephemeris data")
+
     return CcsdsOrbitData(
         object_name=object_name,
         object_id=object_id,

packages/pro/src/humeris/adapters/cesium_viewer.py

@@ -893,6 +893,13 @@ def generate_interactive_html(
             }}
         }}
 
+        // --- HTML escaping utility ---
+        function escapeHtml(str) {{
+            if (str === null || str === undefined) return "";
+            return String(str).replace(/&/g, "&amp;").replace(/</g, "&lt;")
+                .replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+        }}
+
         // --- Satellite data table (APP-03) ---
         var satTableData = null;
         var satTableSort = {{col: null, asc: true}};
@@ -938,13 +945,13 @@ def generate_interactive_html(
             cols.forEach(function(c) {{
                 var cls = "";
                 if (satTableSort.col === c) cls = satTableSort.asc ? "sort-asc" : "sort-desc";
-                html += '<th class="' + cls + '" onclick="sortSatTable(\'' + c + '\')">' + c.replace(/_/g, " ") + '</th>';
+                html += '<th class="' + cls + '" onclick="sortSatTable(\'' + escapeHtml(c) + '\')">' + escapeHtml(c.replace(/_/g, " ")) + '</th>';
             }});
             html += '</tr></thead><tbody>';
             rows.forEach(function(row, idx) {{
                 html += '<tr onclick="flyToSat(' + idx + ')">';
                 cols.forEach(function(c) {{
-                    html += '<td>' + row[c] + '</td>';
+                    html += '<td>' + escapeHtml(row[c]) + '</td>';
                 }});
                 html += '</tr>';
             }});
@@ -1259,11 +1266,11 @@ def generate_interactive_html(
                 el.style.display = "none";
                 return;
             }}
-            var html = '<div class="legend-title">' + (title || "Legend") + '</div>';
+            var html = '<div class="legend-title">' + escapeHtml(title || "Legend") + '</div>';
             legend.forEach(function(entry) {{
                 html += '<div class="legend-entry">' +
-                    '<span class="legend-swatch" style="background:' + entry.color + '"></span>' +
-                    '<span>' + entry.label + '</span></div>';
+                    '<span class="legend-swatch" style="background:' + escapeHtml(entry.color) + '"></span>' +
+                    '<span>' + escapeHtml(entry.label) + '</span></div>';
             }});
             el.innerHTML = html;
             el.style.display = "block";
@@ -1317,16 +1324,16 @@ def generate_interactive_html(
             var html = "";
             recent.forEach(function(r) {{
                 var ts = r.timestamp ? new Date(r.timestamp).toLocaleDateString() : "";
-                html += '<div class="recent-item" title="' + (r.description || "") + '">';
-                html += '<span class="recent-name">' + (r.name || "Untitled") + '</span>';
-                html += '<span class="recent-meta">' + r.layer_count + ' layers | ' + ts + '</span>';
+                html += '<div class="recent-item" title="' + escapeHtml(r.description || "") + '">';
+                html += '<span class="recent-name">' + escapeHtml(r.name || "Untitled") + '</span>';
+                html += '<span class="recent-meta">' + escapeHtml(r.layer_count) + ' layers | ' + escapeHtml(ts) + '</span>';
                 html += '</div>';
             }});
             container.innerHTML = html;
         }}
         // --- Report (APP-08) ---
         function generateReport() {{
-            window.open("/api/report", "_blank");
+            window.open(API + "/api/report", "_blank");
         }}
 
         // --- Constraints (APP-07) ---
@@ -1389,8 +1396,8 @@ def generate_interactive_html(
             apiPost("/api/compare", {{layer_a: layerA, layer_b: layerB}}).then(function(result) {{
                 var html = '<table style="width:100%;border-collapse:collapse">';
                 html += '<tr><th style="text-align:left;color:rgba(255,255,255,0.5)">Metric</th>';
-                html += '<th style="text-align:right;color:rgba(80,160,255,0.8)">' + result.config_a.name.split(":").pop() + '</th>';
-                html += '<th style="text-align:right;color:rgba(80,200,120,0.8)">' + result.config_b.name.split(":").pop() + '</th>';
+                html += '<th style="text-align:right;color:rgba(80,160,255,0.8)">' + escapeHtml(result.config_a.name.split(":").pop()) + '</th>';
+                html += '<th style="text-align:right;color:rgba(80,200,120,0.8)">' + escapeHtml(result.config_b.name.split(":").pop()) + '</th>';
                 html += '<th style="text-align:right;color:rgba(255,200,80,0.8)">Delta</th></tr>';
                 var allKeys = Object.keys(result.delta);
                 allKeys.forEach(function(k) {{
@@ -1400,7 +1407,7 @@ def generate_interactive_html(
                     var dColor = d > 0 ? "rgba(80,200,120,0.9)" : d < 0 ? "rgba(255,100,100,0.9)" : "rgba(255,255,255,0.5)";
                     var dStr = d > 0 ? "+" + d.toFixed(2) : d.toFixed(2);
                     html += '<tr>';
-                    html += '<td style="color:rgba(255,255,255,0.6)">' + k.replace(/_/g, " ") + '</td>';
+                    html += '<td style="color:rgba(255,255,255,0.6)">' + escapeHtml(k.replace(/_/g, " ")) + '</td>';
                     html += '<td style="text-align:right;font-family:monospace">' + (va !== undefined ? (typeof va === "number" ? va.toFixed(2) : va) : "-") + '</td>';
                     html += '<td style="text-align:right;font-family:monospace">' + (vb !== undefined ? (typeof vb === "number" ? vb.toFixed(2) : vb) : "-") + '</td>';
                     html += '<td style="text-align:right;font-family:monospace;color:' + dColor + '">' + dStr + '</td>';