ANTHROPIC_API_KEYandTAVILY_API_KEYlive in.env(root level)..envis in.gitignore— never committed..env.exampleprovides the template with placeholder values.- Keys are only loaded server-side via
python-dotenv. The frontend never sees them. - Docker: keys passed via
env_file: .envin docker-compose.
The calculate() tool uses eval() with a restricted environment:
eval(expression, {"__builtins__": {}}, SAFE_NAMES)__builtins__is empty — noimport,open,exec,__import__, etc.SAFE_NAMEScontains only math functions and constants.- No file system access, no network access, no code execution.
- No authentication on the
/wsendpoint (open access). - Each connection gets a unique thread_id (UUID) for conversation isolation.
- Malformed JSON is caught and returns an error message (no crash).
- For production: add rate limiting, authentication, and WSS (TLS).
- JPL Horizons: public API, no auth required.
- NASA GCS: public bucket, no auth required.
- Tavily: API key required, server-side only.
- YouTube (yt-dlp): public streams only, no auth.