🔧 v4.3: Web app deep audit — 12 bugs fixed (4 critical) (#6)

- fix: web/app/api/analyze/route.ts (96721b2e57f74b9bb7327424c85dee26683c5ebc)
- fix: app.py (f62934e498c85fd4f9834437b06159f883b7c248)
- fix: web/app/api/chat/route.ts (79665bc493fe85fc3e56e243590d17838e06d3e2)
- fix: web/app/api/redline/route.ts (fdc2957e3519415ba5e717330403d689886a95d2)
- fix: web/app/api/compare/route.ts (761e06554aca48a923355066604f9fcfbd0de2a7)
- fix: web/components/nav.tsx (87c9600f2fe124d030c10870f8efc7d6973609a4)
- fix: web/app/api/parse-upload/route.ts (063b34984bfe2666b246ec31316ebd6501031626)
- fix: web/.env.example (e74f9e3c9d57f005a8237413c147713f137c8e20)

app.py

@@ -1823,7 +1823,8 @@ with gr.Blocks(
             doc_html, obligations_html, compliance_html, redlining_html,
             json_file, csv_file, status_msg, analysis_state,
             chunks_state, embeddings_state, chatbot_index_status,
-        ]
+        ],
+        api_name="analyze",
     )
 
     clear_btn.click(
@@ -1839,7 +1840,8 @@ with gr.Blocks(
     comp_btn.click(
         run_comparison,
         inputs=[comp_text_a, comp_text_b],
-        outputs=[comp_result_html, comp_json]
+        outputs=[comp_result_html, comp_json],
+        api_name="compare",
     )
 
     gr.HTML("""

web/.env.example

@@ -17,7 +17,13 @@ RESEND_API_KEY=re_...
 
 # App
 NEXT_PUBLIC_SITE_URL=http://localhost:3000
-CLAUSEGUARD_API_URL=https://gaurv007-clauseguard-api.hf.space
+
+# ClauseGuard Gradio Space URL (used by analyze, compare, redline routes)
+CLAUSEGUARD_GRADIO_URL=https://gaurv007-clauseguard.hf.space
+
+# Optional: FastAPI backend URL (only needed if deployed separately for chat/RAG sessions)
+# If not set, chat will direct users to the Gradio Space
+CLAUSEGUARD_API_URL=
 
 # HF Inference API (for chatbot + redlining LLM)
 HF_TOKEN=hf_...

web/app/api/analyze/route.ts

@@ -58,7 +58,8 @@ export async function POST(req: NextRequest) {
     }
 
     // Step 1: Submit to Gradio Space
-    const submitRes = await fetch(`${GRADIO_URL}/gradio_api/call/_analysis_and_index`, {
+    // FIX v4.3: Use the explicit api_name="analyze" set in app.py scan_btn.click()
+    const submitRes = await fetch(`${GRADIO_URL}/gradio_api/call/analyze`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ data: [text] }),
@@ -80,7 +81,7 @@ export async function POST(req: NextRequest) {
 
     while (attempts < maxAttempts) {
       const resultRes = await fetch(
-        `${GRADIO_URL}/gradio_api/call/_analysis_and_index/${event_id}`,
+        `${GRADIO_URL}/gradio_api/call/analyze/${event_id}`,
         { headers: { Accept: "text/event-stream" } }
       );
 
@@ -208,6 +209,21 @@ export async function POST(req: NextRequest) {
       .update({ analyses_this_month: scanCount + 1 })
       .eq("id", user.id);
 
+    // FIX v4.3: Save analysis to DB so it shows in history
+    await supabase.from("analyses").insert({
+      user_id: user.id,
+      total_clauses: totalClauses,
+      flagged_count: flaggedCount,
+      risk_score: riskScore,
+      grade,
+      clauses: results,
+      entities: analysisData.entities || [],
+      contradictions: analysisData.contradictions || [],
+      obligations: analysisData.obligations || [],
+      compliance: analysisData.compliance || {},
+      model: modelStatus.includes("loaded") ? "ml" : "regex",
+    }).then(() => {}).catch(() => {}); // fire-and-forget, don't block response
+
     return NextResponse.json({
       risk_score: riskScore,
       grade,

web/app/api/chat/route.ts

@@ -1,22 +1,23 @@
 import { NextRequest, NextResponse } from "next/server";
 import { createClient } from "@/lib/supabase/server";
 
-const GRADIO_URL = process.env.CLAUSEGUARD_GRADIO_URL || "https://gaurv007-clauseguard.hf.space";
-
 /**
- * FIX v4.1: The chat endpoint now properly documents its limitations.
+ * FIX v4.3: Chat route completely rewritten.
  *
- * ARCHITECTURE NOTE:
- * The Gradio ChatInterface uses gr.State to store RAG embeddings per-session.
- * This state is NOT accessible via the Gradio API from an external caller —
- * each API call creates a new session with empty state.
+ * ARCHITECTURE:
+ * The Gradio ChatInterface uses gr.State for RAG embeddings — these are
+ * per-browser-session and NOT accessible via the Gradio REST API. Every API
+ * call creates a new session with empty state, so chat via Gradio API will
+ * NEVER have contract context.
  *
- * For the Next.js web app, chat should either:
- * 1. Use the FastAPI backend (/api/chat) which manages its own RAG sessions, OR
- * 2. Embed the Gradio Space in an iframe for direct interaction
+ * The correct approach:
+ * 1. PRIMARY: Use the FastAPI backend (/api/chat) which manages RAG sessions
+ *    with proper TTL-based expiry. The session_id comes from /api/analyze.
+ * 2. FALLBACK: If FastAPI is unavailable, return a clear error directing
+ *    the user to use the Gradio Space directly.
  *
- * This route attempts to use the Gradio API as a best-effort fallback,
- * but will clearly communicate to the user if the session is unavailable.
+ * The old code tried to call a non-existent Gradio "chat" endpoint which
+ * always failed. Removed the broken Gradio fallback entirely.
  */
 export async function POST(req: NextRequest) {
   try {
@@ -37,7 +38,6 @@ export async function POST(req: NextRequest) {
       );
     }
 
-    // FIX v4.1: Input validation
     if (message.length > 2000) {
       return NextResponse.json(
         { error: "Message too long (max 2000 characters)" },
@@ -45,7 +45,7 @@ export async function POST(req: NextRequest) {
       );
     }
 
-    // Try the FastAPI backend first (it has proper RAG session management)
+    // Try the FastAPI backend (it has proper RAG session management)
     const apiUrl = process.env.CLAUSEGUARD_API_URL || "";
     if (apiUrl && session_id) {
       try {
@@ -58,67 +58,40 @@ export async function POST(req: NextRequest) {
           const data = await apiRes.json();
           return NextResponse.json({ response: data.response });
         }
+        // If 404, session expired
+        if (apiRes.status === 404) {
+          return NextResponse.json({
+            response: "⚠️ Your chat session has expired (sessions last 1 hour). " +
+              "Please analyze the contract again to start a new chat session."
+          });
+        }
       } catch {
-        // Fall through to Gradio attempt
+        // FastAPI backend unreachable — fall through to error message
       }
     }
 
-    // Fallback: Try the Gradio API
-    const submitRes = await fetch(`${GRADIO_URL}/gradio_api/call/chat`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ data: [message] }),
-    });
-
-    if (!submitRes.ok) {
-      const errText = await submitRes.text().catch(() => "");
-      throw new Error(`Chat submit failed (${submitRes.status}): ${errText}`);
-    }
-
-    const { event_id } = await submitRes.json();
-    if (!event_id) throw new Error("No event_id from Gradio chat");
-
-    // Poll for result with timeout
-    let resultText = "";
-    let attempts = 0;
-    const maxAttempts = 30;
-
-    while (attempts < maxAttempts) {
-      const resultRes = await fetch(
-        `${GRADIO_URL}/gradio_api/call/chat/${event_id}`,
-        { headers: { Accept: "text/event-stream" } }
-      );
-
-      if (!resultRes.ok) {
-        throw new Error(`Chat result failed: ${resultRes.status}`);
-      }
-
-      resultText = await resultRes.text();
-
-      if (resultText.includes("event: complete")) break;
-      if (resultText.includes("event: error")) {
-        const errMatch = resultText.match(/event:\s*error\s*\ndata:\s*(.+)/);
-        if (errMatch) throw new Error(`Chat error: ${errMatch[1]}`);
-        throw new Error("Chat error from backend");
-      }
-
-      await new Promise(r => setTimeout(r, 1000));
-      attempts++;
+    // No FastAPI backend available or no session_id
+    // FIX v4.3: Return a clear, helpful message instead of trying a broken Gradio endpoint
+    if (!apiUrl) {
+      return NextResponse.json({
+        response: "⚠️ Contract Q&A chat requires the FastAPI backend which is not currently deployed. " +
+          "You can use the chat feature directly in the [Gradio Space](https://gaurv007-clauseguard.hf.space) " +
+          "— analyze a contract there, then switch to the Q&A tab."
+      });
     }
 
-    // Find the complete event data
-    const dataMatch = resultText.match(/event:\s*complete\s*\ndata:\s*(.+)/);
-    if (!dataMatch) {
+    if (!session_id) {
       return NextResponse.json({
-        response: "⚠️ Chat is unavailable. The contract needs to be analyzed in the same session. " +
-          "Please analyze a contract first in the Gradio Space, then use the chat tab there directly."
+        response: "⚠️ No active chat session. Please analyze a contract first — " +
+          "the chat session is created when you run analysis."
       });
     }
 
-    const responseData = JSON.parse(dataMatch[1]);
-    const responseText = typeof responseData === "string" ? responseData : responseData[0] || "";
+    return NextResponse.json({
+      response: "⚠️ Chat service is temporarily unavailable. Please try again, or use the " +
+        "[Gradio Space](https://gaurv007-clauseguard.hf.space) directly."
+    });
 
-    return NextResponse.json({ response: responseText });
   } catch (error: any) {
     console.error("Chat error:", error.message);
     return NextResponse.json(

web/app/api/compare/route.ts

@@ -13,7 +13,7 @@ export async function POST(req: NextRequest) {
     }
 
     const body = await req.json();
-    let { text_a, text_b } = body;
+    const { text_a, text_b } = body;
 
     if (!text_a || !text_b || text_a.trim().length < 50 || text_b.trim().length < 50) {
       return NextResponse.json(
@@ -21,13 +21,14 @@ export async function POST(req: NextRequest) {
         { status: 400 }
       );
     }
-    
-    // Sanitize basically
-    text_a = text_a.replace(/</g, "&lt;").replace(/>/g, "&gt;");
-    text_b = text_b.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+
+    // FIX v4.3: REMOVED HTML-escaping that CORRUPTED contract text before analysis.
+    // The old code did text_a.replace(/</g, "&lt;") which permanently mutated
+    // the text (e.g., ">$10,000" → "&gt;$10,000"). Sanitization is the
+    // frontend's job — React auto-escapes in JSX. Never mutate analysis input.
 
     // Call Gradio Space API
-    const submitRes = await fetch(`${GRADIO_URL}/gradio_api/call/run_comparison`, {
+    const submitRes = await fetch(`${GRADIO_URL}/gradio_api/call/compare`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ data: [text_a, text_b] }),
@@ -40,24 +41,44 @@ export async function POST(req: NextRequest) {
     const { event_id } = await submitRes.json();
     if (!event_id) throw new Error("No event_id from Gradio");
 
-    // Poll for result
-    const resultRes = await fetch(
-      `${GRADIO_URL}/gradio_api/call/run_comparison/${event_id}`,
-      { headers: { Accept: "text/event-stream" } }
-    );
+    // Poll for result with retry
+    let resultText = "";
+    let attempts = 0;
+    const maxAttempts = 60;
+    let delay = 500;
+
+    while (attempts < maxAttempts) {
+      const resultRes = await fetch(
+        `${GRADIO_URL}/gradio_api/call/compare/${event_id}`,
+        { headers: { Accept: "text/event-stream" } }
+      );
+
+      resultText = await resultRes.text();
+
+      if (resultText.includes("event: complete")) break;
+      if (resultText.includes("event: error")) {
+        const errMatch = resultText.match(/data:\s*(.+)/);
+        throw new Error(errMatch ? errMatch[1] : "Comparison failed in backend");
+      }
 
-    if (!resultRes.ok) {
-      throw new Error(`Gradio result failed: ${resultRes.status}`);
+      await new Promise(r => setTimeout(r, delay));
+      delay = Math.min(delay * 1.2, 2000);
+      attempts++;
     }
 
-    const resultText = await resultRes.text();
-    const dataMatch = resultText.match(/event:\s*complete\s*\ndata:\s*(.+)/);
-    if (!dataMatch) throw new Error("No complete event from Gradio");
+    if (!resultText.includes("event: complete")) {
+      throw new Error("Comparison timed out. Please try again.");
+    }
+
+    const completeIdx = resultText.indexOf("event: complete");
+    const dataIdx = resultText.indexOf("data: ", completeIdx);
+    if (dataIdx === -1) throw new Error("No data in response");
+
+    const dataStr = resultText.substring(dataIdx + 6).trim();
+    const gradioData = JSON.parse(dataStr);
 
-    const gradioData = JSON.parse(dataMatch[1]);
     // gradioData[0] = comparison HTML
     // gradioData[1] = raw JSON comparison data
-
     const comparisonResult = gradioData[1];
     if (typeof comparisonResult === "object" && comparisonResult !== null) {
       return NextResponse.json(comparisonResult);

web/app/api/parse-upload/route.ts

@@ -30,19 +30,21 @@ export async function POST(req: NextRequest) {
     const buffer = Buffer.from(await file.arrayBuffer());
     let text = "";
 
-    // Validate MIME types alongside extension
-    const mimeType = file.type;
-    
-    if ((name.endsWith(".txt") || name.endsWith(".md")) && (mimeType.includes("text/plain") || mimeType.includes("text/markdown"))) {
+    if (name.endsWith(".txt") || name.endsWith(".md")) {
       text = new TextDecoder().decode(buffer);
-    } else if (name.endsWith(".pdf") && mimeType === "application/pdf") {
-      // pdf-parse v2
-      await import("pdf-parse/worker");
-      const { PDFParse } = await import("pdf-parse");
-      const parser = new PDFParse({ data: buffer });
-      const result = await parser.getText();
-      text = result.text;
-      await parser.destroy();
+    } else if (name.endsWith(".pdf")) {
+      // FIX v4.3: pdf-parse API compatible with both v1 and v2
+      // Try the standard pdf-parse import (works with v1.x which is more common)
+      try {
+        const pdfParse = (await import("pdf-parse")).default;
+        const result = await pdfParse(buffer);
+        text = result.text;
+      } catch {
+        // If pdf-parse fails, try sending to Gradio Space for OCR
+        return NextResponse.json({
+          error: "PDF parsing failed. Please copy-paste the text directly, or use the Gradio Space which has OCR support."
+        }, { status: 400 });
+      }
     } else if (name.endsWith(".docx")) {
       const mammoth = (await import("mammoth")).default;
       const result = await mammoth.extractRawText({ buffer });

web/app/api/redline/route.ts

@@ -1,9 +1,25 @@
 import { NextRequest, NextResponse } from "next/server";
+import { createClient } from "@/lib/supabase/server";
 
-const API_URL = process.env.CLAUSEGUARD_API_URL || "https://gaurv007-clauseguard-api.hf.space";
+/**
+ * FIX v4.3: Redline route now works through the Gradio Space directly.
+ * The old code pointed to a non-existent FastAPI Space (gaurv007-clauseguard-api.hf.space).
+ * Since redlining is already part of the analyze pipeline (returned in analysis results),
+ * this endpoint is primarily for re-running redlines on existing text.
+ */
+
+const GRADIO_URL = process.env.CLAUSEGUARD_GRADIO_URL || "https://gaurv007-clauseguard.hf.space";
+const API_URL = process.env.CLAUSEGUARD_API_URL || "";
 
 export async function POST(req: NextRequest) {
   try {
+    const supabase = await createClient();
+    const { data: { user } } = await supabase.auth.getUser();
+
+    if (!user) {
+      return NextResponse.json({ error: "Unauthorized. Please log in." }, { status: 401 });
+    }
+
     const body = await req.json();
     const { session_id, text, use_llm } = body;
 
@@ -14,19 +30,89 @@ export async function POST(req: NextRequest) {
       );
     }
 
-    const response = await fetch(`${API_URL}/api/redline`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ session_id, text, use_llm: use_llm ?? true }),
-    });
+    // Try FastAPI backend first (if configured and available)
+    if (API_URL) {
+      try {
+        const response = await fetch(`${API_URL}/api/redline`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ session_id, text, use_llm: use_llm ?? true }),
+        });
+
+        if (response.ok) {
+          const result = await response.json();
+          return NextResponse.json(result);
+        }
+      } catch {
+        // Fall through to Gradio approach
+      }
+    }
+
+    // Fallback: If text is provided, run full analysis via Gradio (includes redlines)
+    if (text) {
+      if (text.trim().length < 50) {
+        return NextResponse.json({ error: "Text too short (min 50 chars)" }, { status: 400 });
+      }
+
+      const submitRes = await fetch(`${GRADIO_URL}/gradio_api/call/analyze`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ data: [text] }),
+      });
 
-    if (!response.ok) {
-      const err = await response.text().catch(() => "");
-      throw new Error(err || `Backend error: ${response.status}`);
+      if (!submitRes.ok) {
+        throw new Error(`Gradio submit failed: ${submitRes.status}`);
+      }
+
+      const { event_id } = await submitRes.json();
+      if (!event_id) throw new Error("No event_id from Gradio");
+
+      let resultText = "";
+      let attempts = 0;
+      while (attempts < 90) {
+        const resultRes = await fetch(
+          `${GRADIO_URL}/gradio_api/call/analyze/${event_id}`,
+          { headers: { Accept: "text/event-stream" } }
+        );
+        resultText = await resultRes.text();
+        if (resultText.includes("event: complete")) break;
+        if (resultText.includes("event: error")) throw new Error("Redline analysis failed");
+        await new Promise(r => setTimeout(r, 1000));
+        attempts++;
+      }
+
+      if (!resultText.includes("event: complete")) {
+        throw new Error("Analysis timed out");
+      }
+
+      // Parse the result to extract redlines from the JSON report
+      const completeIdx = resultText.indexOf("event: complete");
+      const dataIdx = resultText.indexOf("data: ", completeIdx);
+      if (dataIdx === -1) throw new Error("No data in response");
+
+      const dataStr = resultText.substring(dataIdx + 6).trim();
+      const gradioData = JSON.parse(dataStr);
+
+      // Download JSON report file
+      const jsonFileObj = gradioData[8];
+      if (jsonFileObj?.url) {
+        const jsonRes = await fetch(jsonFileObj.url);
+        if (jsonRes.ok) {
+          const analysisData = await jsonRes.json();
+          if (analysisData.redlines) {
+            return NextResponse.json({ redlines: analysisData.redlines, count: analysisData.redlines.length });
+          }
+        }
+      }
+
+      return NextResponse.json({ redlines: [], count: 0 });
     }
 
-    const result = await response.json();
-    return NextResponse.json(result);
+    // No FastAPI backend and only session_id provided (can't access Gradio sessions)
+    return NextResponse.json({
+      error: "Redline by session_id requires the FastAPI backend. Provide contract text instead, or use the analysis results which already include redline suggestions.",
+    }, { status: 400 });
+
   } catch (error: any) {
     console.error("Redline error:", error.message);
     return NextResponse.json(

web/components/nav.tsx

@@ -88,7 +88,7 @@ export function Nav() {
         <Link href="/" className="flex items-center gap-2">
           <ShieldCheck className="w-5 h-5 text-zinc-900" strokeWidth={2.2} />
           <span className="font-semibold text-[15px] tracking-tight text-zinc-900">ClauseGuard</span>
-          <span className="hidden sm:inline text-[10px] font-medium text-zinc-400 ml-1 border border-zinc-200 px-1.5 py-0.5 rounded">v4.0</span>
+          <span className="hidden sm:inline text-[10px] font-medium text-zinc-400 ml-1 border border-zinc-200 px-1.5 py-0.5 rounded">v4.3</span>
         </Link>
 
         {/* Desktop Nav */}