AI Fix Prompts for Codexproapi

Fix a hardcoded credential in repository 'violettoolssite__codexProapi'.

**Issue**: Hard-coded sast found ([sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data)
**File**: src/auth.js
**Line**: 32
**Severity**: CRITICAL

**Current code around the issue:**
```
      27 |   } catch (e) {
      28 |     throw new Error(`无法读取认证文件: ${path} (${e.message})`);
      29 |   }
      30 |   let data;
      31 |   try {
>>>   32 |     data = JSON.parse(raw);
      33 |   } catch (e) {
      34 |     throw new Error(`auth.json 格式错误: ${e.message}`);
      35 |   }
      36 |   const tokens = data.tokens || (data.access_token ? { access_token: data.access_token, account_id: data.account_id } : null);
      37 |   const apiKey = data.api_key || data.OPENAI_API_KEY;
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'violettoolssite__codexProapi'.

**Issue**: Hard-coded sast found ([sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data)
**File**: src/usageTracker.js
**Line**: 20
**Severity**: CRITICAL

**Current code around the issue:**
```
      15 | 
      16 | function load() {
      17 |   if (!existsSync(USAGE_FILE)) return { byAccount: {} };
      18 |   try {
      19 |     const raw = readFileSync(USAGE_FILE, 'utf8');
>>>   20 |     const data = JSON.parse(raw);
      21 |     return typeof data === 'object' && data !== null && Array.isArray(data.byAccount) === false
      22 |       ? { byAccount: data.byAccount || {} }
      23 |       : { byAccount: {} };
      24 |   } catch {
      25 |     return { byAccount: {} };
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'violettoolssite__codexProapi'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: src/index.js
**Line**: 282
**Severity**: HIGH

**Current code around the issue:**
```
     277 | });
     278 | 
     279 | app.get('/api/oneclick/email', async (req, res) => {
     280 |   let domainList = ONECLICK_DOMAINS;
     281 |   try {
>>>  282 |     const r = await fetch(`${EMAIL_SERVICE_URL}/api/domains`, { method: 'GET' });
     283 |     if (r.ok) {
     284 |       const data = await r.json().catch(() => ({}));
     285 |       const fromApi = data.domains && Array.isArray(data.domains) ? data.domains : [];
     286 |       if (fromApi.length > 0) {
     287 |         domainList = fromApi.map((d) => (d.name || (d.api || '').replace(/^https?:\/\//, '').split('/')[0]).trim()).filter(Boolean);
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'violettoolssite__codexProapi'.

**Issue**: Hard-coded api_key found (ElasticSearch URL)
**File**: public/index.html
**Line**: 11
**Severity**: HIGH

**Current code around the issue:**
```
       6 |   <title>Codex Pro API</title>
       7 |   <link rel="icon" type="image/svg+xml" href="/favicon.svg">
       8 |   <link rel="preconnect" href="https://fonts.googleapis.com">
       9 |   <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
      10 |   <link href="https://fonts.googleapis.com/css2?family=Orbitron:wght@400;500;600;700;800&family=Rajdhani:wght@400;500;600;700&display=swap" rel="stylesheet">
>>>   11 |   <link href="https://cdn.jsdelivr.net/npm/[email protected]/themes/prism-tomorrow.min.css" rel="stylesheet" onerror="this.onerror=null;this.href='https://unpkg.com/[email protected]/themes/prism-tomorrow.min.css'">
      12 |   <style>
      13 |     :root {
      14 |       --bg: #050508;
      15 |       --bg-elevated: #0a0a12;
      16 |       --surface: #0d0d18;
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'violettoolssite__codexProapi'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: src/oauth.js
**Line**: 85
**Severity**: HIGH

**Current code around the issue:**
```
      80 |     redirect_uri: redirectUri,
      81 |     client_id: OAUTH_CLIENT_ID,
      82 |     code_verifier: code_verifier,
      83 |   });
      84 | 
>>>   85 |   const res = await fetch(TOKEN_URL, {
      86 |     method: 'POST',
      87 |     headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      88 |     body: body.toString(),
      89 |   });
      90 | 
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'violettoolssite__codexProapi'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: src/proxy.js
**Line**: 265
**Severity**: HIGH

**Current code around the issue:**
```
     260 |     'Content-Type': 'application/json',
     261 |     'Authorization': `Bearer ${auth.accessToken}`,
     262 |     'chatgpt-account-id': auth.accountId,
     263 |     'session_id': sessionId,
     264 |   };
>>>  265 |   const res = await fetch(BACKEND_URL, {
     266 |     method: 'POST',
     267 |     headers,
     268 |     body: JSON.stringify(body),
     269 |   });
     270 |   if (!res.ok) {
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'violettoolssite__codexProapi'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: src/index.js
**Line**: 316
**Severity**: HIGH

**Current code around the issue:**
```
     311 | }
     312 | 
     313 | app.get('/api/oneclick/emails/:email', async (req, res) => {
     314 |   const email = decodeURIComponent(req.params.email);
     315 |   try {
>>>  316 |     const r = await fetch(`${EMAIL_SERVICE_URL}/api/emails/${encodeURIComponent(email)}`, { method: 'GET' });
     317 |     const data = !r.ok ? { emails: [] } : await r.json().catch(() => ({}));
     318 |     const emails = data.emails || [];
     319 |     for (let i = 0; i < emails.length; i++) {
     320 |       if (!emails[i].verificationCode) {
     321 |         const code = extractVerificationCodeFromEmail(emails[i]);
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'violettoolssite__codexProapi'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: src/index.js
**Line**: 59
**Severity**: HIGH

**Current code around the issue:**
```
      54 |   return arr[Math.floor(Math.random() * arr.length)];
      55 | }
      56 | 
      57 | async function emailInboxHasMail(serviceUrl, email) {
      58 |   try {
>>>   59 |     const r = await fetch(`${serviceUrl}/api/emails/${encodeURIComponent(email)}`, { method: 'GET' });
      60 |     if (!r.ok) return false;
      61 |     const data = await r.json().catch(() => ({}));
      62 |     const count = data.count != null ? data.count : (data.emails && data.emails.length) || 0;
      63 |     return count > 0;
      64 |   } catch {
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Address OWASP A02 (Cryptographic Failures) compliance gap in 'violettoolssite__codexProapi'.

**OWASP Category**: A02 -- Cryptographic Failures
**Fix guidance**: Remove hardcoded secrets, use strong encryption (AES-256-GCM), enforce TLS, never store passwords in plaintext (use bcrypt/argon2).

**Steps:**
1. Identify all code paths related to cryptographic failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Address OWASP A06 (Vulnerable Components) compliance gap in 'violettoolssite__codexProapi'.

**OWASP Category**: A06 -- Vulnerable Components
**Fix guidance**: Update all dependencies to latest stable versions, remove unused dependencies, monitor for new CVEs.

**Steps:**
1. Identify all code paths related to vulnerable components
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Address OWASP A07 (Auth Failures) compliance gap in 'violettoolssite__codexProapi'.

**OWASP Category**: A07 -- Auth Failures
**Fix guidance**: Implement proper session management, use MFA where possible, enforce strong passwords, protect against brute force.

**Steps:**
1. Identify all code paths related to auth failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Repository 'violettoolssite__codexProapi' is failing the quality gate.

Failed conditions:
- overall_score: actual 0.0 >= 50 (FAILED)
- security_score: actual 0.0 >= 40 (FAILED)
- critical_credentials: actual 2.0 <= 0 (FAILED)

Fix each failing condition to make the repo pass the quality gate.

Repository 'violettoolssite__codexProapi' has 9 open issues:

- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data (src/usageTracker.js)
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data (src/auth.js)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (src/index.js)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (src/index.js)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (src/oauth.js)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (src/proxy.js)
- [HIGH] Hard-coded api_key: ElasticSearch URL (public/index.html)
- [HIGH] GHSA-37ch-88jc-xwx2: path-to-regexp
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (src/index.js)

Resolve each issue. For security issues, apply the appropriate fix. For quality issues, refactor the affected code.

Static analysis found 7 security issues in 'violettoolssite__codexProapi':

- [CRITICAL] [sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data at src/auth.js:32
- [CRITICAL] [sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data at src/usageTracker.js:20
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at src/index.js:282
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at src/oauth.js:85
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at src/proxy.js:265
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at src/index.js:316
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at src/index.js:59

For each finding:
- SQL injection: use parameterized queries
- Command injection: use subprocess with list args, no shell=True
- Path traversal: validate and sanitize paths
- Insecure deserialization: use json instead of pickle
- IaC misconfigs: apply the suggested fix from the rule