AI Fix Prompts for Agenthon 001

Fix a hardcoded credential in repository 'ncubelabs__agenthon-001'.

**Issue**: Hard-coded secret found (.env File Content)
**File**: deploy.sh
**Line**: 92
**Severity**: HIGH

**Current code around the issue:**
```
      87 | run_cmd "cd /home/daytona/kriyai && source venv/bin/activate && pip install -r backend/requirements.txt -q 2>&1 | tail -3"
      88 | 
      89 | # Write .env file
      90 | echo "  Writing environment configuration..."
      91 | ENV_CONTENT="OPENAI_API_KEY=$OPENAI_API_KEY
>>>   92 | TAVILY_API_KEY=$TAVILY_API_KEY
      93 | SUPABASE_URL=$SUPABASE_URL
      94 | SUPABASE_KEY=$SUPABASE_KEY
      95 | DAYTONA_API_KEY=$DAYTONA_API_KEY
      96 | DAYTONA_API_URL=$DAYTONA_API_URL
      97 | NEMOTRON_API_URL=$NEMOTRON_API_URL
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SECRET_KEY')` (Python) or `process.env.SECRET_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'ncubelabs__agenthon-001'.

**Issue**: Hard-coded secret found (.env File Content)
**File**: deploy.sh
**Line**: 94
**Severity**: HIGH

**Current code around the issue:**
```
      89 | # Write .env file
      90 | echo "  Writing environment configuration..."
      91 | ENV_CONTENT="OPENAI_API_KEY=$OPENAI_API_KEY
      92 | TAVILY_API_KEY=$TAVILY_API_KEY
      93 | SUPABASE_URL=$SUPABASE_URL
>>>   94 | SUPABASE_KEY=$SUPABASE_KEY
      95 | DAYTONA_API_KEY=$DAYTONA_API_KEY
      96 | DAYTONA_API_URL=$DAYTONA_API_URL
      97 | NEMOTRON_API_URL=$NEMOTRON_API_URL
      98 | NVIDIA_API_KEY=$NVIDIA_API_KEY
      99 | NEMOTRON_MODEL=$NEMOTRON_MODEL
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SECRET_KEY')` (Python) or `process.env.SECRET_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'ncubelabs__agenthon-001'.

**Issue**: Hard-coded secret found (.env File Content)
**File**: deploy.sh
**Line**: 95
**Severity**: HIGH

**Current code around the issue:**
```
      90 | echo "  Writing environment configuration..."
      91 | ENV_CONTENT="OPENAI_API_KEY=$OPENAI_API_KEY
      92 | TAVILY_API_KEY=$TAVILY_API_KEY
      93 | SUPABASE_URL=$SUPABASE_URL
      94 | SUPABASE_KEY=$SUPABASE_KEY
>>>   95 | DAYTONA_API_KEY=$DAYTONA_API_KEY
      96 | DAYTONA_API_URL=$DAYTONA_API_URL
      97 | NEMOTRON_API_URL=$NEMOTRON_API_URL
      98 | NVIDIA_API_KEY=$NVIDIA_API_KEY
      99 | NEMOTRON_MODEL=$NEMOTRON_MODEL
     100 | MAX_IDEAS=${MAX_IDEAS:-3}"
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SECRET_KEY')` (Python) or `process.env.SECRET_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'ncubelabs__agenthon-001'.

**Issue**: Hard-coded secret found (.env File Content)
**File**: deploy.sh
**Line**: 98
**Severity**: HIGH

**Current code around the issue:**
```
      93 | SUPABASE_URL=$SUPABASE_URL
      94 | SUPABASE_KEY=$SUPABASE_KEY
      95 | DAYTONA_API_KEY=$DAYTONA_API_KEY
      96 | DAYTONA_API_URL=$DAYTONA_API_URL
      97 | NEMOTRON_API_URL=$NEMOTRON_API_URL
>>>   98 | NVIDIA_API_KEY=$NVIDIA_API_KEY
      99 | NEMOTRON_MODEL=$NEMOTRON_MODEL
     100 | MAX_IDEAS=${MAX_IDEAS:-3}"
     101 | write_file "/home/daytona/kriyai/.env" "$ENV_CONTENT"
     102 | 
     103 | echo ""
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SECRET_KEY')` (Python) or `process.env.SECRET_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'ncubelabs__agenthon-001'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: frontend/components/dashboard/ResultsDashboard.tsx
**Line**: 32
**Severity**: HIGH

**Current code around the issue:**
```
      27 | // ---------------------------------------------------------------------------
      28 | // Data fetching helpers
      29 | // ---------------------------------------------------------------------------
      30 | 
      31 | async function fetchJson<T>(url: string): Promise<T[]> {
>>>   32 |   const res = await fetch(url);
      33 |   if (!res.ok) throw new Error(`Failed to fetch ${url}: ${res.status}`);
      34 |   const body: DataResponse<T> = await res.json();
      35 |   return body.data;
      36 | }
      37 | 
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'ncubelabs__agenthon-001'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: frontend/components/ui/InputBar.tsx
**Line**: 63
**Severity**: HIGH

**Current code around the issue:**
```
      58 |     isSubmitting.current = true;
      59 |     setError(null);
      60 |     setIsCreating(true);
      61 | 
      62 |     try {
>>>   63 |       const response = await fetch(`${API_BASE_URL}/api/runs`, {
      64 |         method: "POST",
      65 |         headers: { "Content-Type": "application/json" },
      66 |         body: JSON.stringify({ domain: domain.trim() }),
      67 |       });
      68 | 
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Address OWASP A02 (Cryptographic Failures) compliance gap in 'ncubelabs__agenthon-001'.

**OWASP Category**: A02 -- Cryptographic Failures
**Fix guidance**: Remove hardcoded secrets, use strong encryption (AES-256-GCM), enforce TLS, never store passwords in plaintext (use bcrypt/argon2).

**Steps:**
1. Identify all code paths related to cryptographic failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Address OWASP A06 (Vulnerable Components) compliance gap in 'ncubelabs__agenthon-001'.

**OWASP Category**: A06 -- Vulnerable Components
**Fix guidance**: Update all dependencies to latest stable versions, remove unused dependencies, monitor for new CVEs.

**Steps:**
1. Identify all code paths related to vulnerable components
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Address OWASP A07 (Auth Failures) compliance gap in 'ncubelabs__agenthon-001'.

**OWASP Category**: A07 -- Auth Failures
**Fix guidance**: Implement proper session management, use MFA where possible, enforce strong passwords, protect against brute force.

**Steps:**
1. Identify all code paths related to auth failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Repository 'ncubelabs__agenthon-001' is failing the quality gate.

Failed conditions:
- critical_vulnerabilities: actual 2.0 <= 0 (FAILED)

Fix each failing condition to make the repo pass the quality gate.

Repository 'ncubelabs__agenthon-001' has 10 open issues:

- [CRITICAL] GHSA-9qr9-h5gf-34mp: next
- [CRITICAL] GHSA-f82v-jwr5-mffw: next
- [HIGH] GHSA-mwv6-3258-q52c: next
- [HIGH] GHSA-q4gf-8mx6-v5v3: next
- [HIGH] Hard-coded secret: .env File Content (deploy.sh)
- [HIGH] Hard-coded secret: .env File Content (deploy.sh)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (frontend/components/ui/InputBar.tsx)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (frontend/components/dashboard/ResultsDashboard.tsx)
- [HIGH] Hard-coded secret: .env File Content (deploy.sh)
- [HIGH] Hard-coded secret: .env File Content (deploy.sh)

Resolve each issue. For security issues, apply the appropriate fix. For quality issues, refactor the affected code.

Static analysis found 2 security issues in 'ncubelabs__agenthon-001':

- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at frontend/components/dashboard/ResultsDashboard.tsx:32
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at frontend/components/ui/InputBar.tsx:63

For each finding:
- SQL injection: use parameterized queries
- Command injection: use subprocess with list args, no shell=True
- Path traversal: validate and sanitize paths
- Insecure deserialization: use json instead of pickle
- IaC misconfigs: apply the suggested fix from the rule

These files in 'ncubelabs__agenthon-001' have high cyclomatic complexity:

- **frontend/components/office/AgentSprite.tsx**: complexity=62, max nesting=5, longest function=423 lines
- **frontend/components/ui/InputBar.tsx**: complexity=38, max nesting=6, longest function=100 lines
- **frontend/components/ui/Whiteboard.tsx**: complexity=27, max nesting=7, longest function=103 lines
- **frontend/components/office/ConferenceRoom.tsx**: complexity=27, max nesting=5, longest function=157 lines
- **frontend/components/dashboard/ComparisonTable.tsx**: complexity=21, max nesting=5, longest function=78 lines

For each file:
1. Break large functions into smaller, focused functions
2. Reduce nesting depth (extract early returns, use guard clauses)
3. Simplify conditional logic
4. Extract complex expressions into named variables