Test Coverage & Performance Improvements

.env.example

@@ -113,6 +113,10 @@ PROXY_URL=
 EXTERNAL_SSL_CA_PATH=
 EXTERNAL_SSL_INSECURE=
 
+## HTTP client timeout in seconds for external API calls (LLM providers, search tools, etc.)
+## Default: 600 (10 minutes). Set to 0 to use the default.
+HTTP_CLIENT_TIMEOUT=
+
 ## Scraper URLs and settings
 ## For Docker (default):
 SCRAPER_PUBLIC_URL=

README.md

@@ -2870,6 +2870,7 @@ EMBEDDING_STRIP_NEW_LINES=true  # Whether to remove new lines from text before e
 
 # Advanced settings
 PROXY_URL=                      # Optional proxy for all API calls
+HTTP_CLIENT_TIMEOUT=600         # Timeout in seconds for external API calls (default: 600, 0 = no timeout)
 
 # SSL/TLS Certificate Configuration (for external communication with LLM backends and tool servers)
 EXTERNAL_SSL_CA_PATH=           # Path to custom CA certificate file (PEM format) inside the container

backend/cmd/installer/wizard/controller/controller.go

@@ -1912,6 +1912,7 @@ type ServerSettingsConfig struct {
 	CorsOrigins         loader.EnvVar // CORS_ORIGINS
 	CookieSigningSalt   loader.EnvVar // COOKIE_SIGNING_SALT
 	ProxyURL            loader.EnvVar // PROXY_URL
+	HTTPClientTimeout   loader.EnvVar // HTTP_CLIENT_TIMEOUT
 	ExternalSSLCAPath   loader.EnvVar // EXTERNAL_SSL_CA_PATH
 	ExternalSSLInsecure loader.EnvVar // EXTERNAL_SSL_INSECURE
 	SSLDir              loader.EnvVar // PENTAGI_SSL_DIR
@@ -1932,6 +1933,7 @@ func (c *controller) GetServerSettingsConfig() *ServerSettingsConfig {
 		"CORS_ORIGINS",
 		"COOKIE_SIGNING_SALT",
 		"PROXY_URL",
+		"HTTP_CLIENT_TIMEOUT",
 		"EXTERNAL_SSL_CA_PATH",
 		"EXTERNAL_SSL_INSECURE",
 		"PENTAGI_SSL_DIR",
@@ -1946,6 +1948,7 @@ func (c *controller) GetServerSettingsConfig() *ServerSettingsConfig {
 		"CORS_ORIGINS":          "https://localhost:8443",
 		"PENTAGI_DATA_DIR":      "pentagi-data",
 		"PENTAGI_SSL_DIR":       "pentagi-ssl",
+		"HTTP_CLIENT_TIMEOUT":   "600",
 		"EXTERNAL_SSL_INSECURE": "false",
 	}
 
@@ -1964,6 +1967,7 @@ func (c *controller) GetServerSettingsConfig() *ServerSettingsConfig {
 		CorsOrigins:         vars["CORS_ORIGINS"],
 		CookieSigningSalt:   vars["COOKIE_SIGNING_SALT"],
 		ProxyURL:            vars["PROXY_URL"],
+		HTTPClientTimeout:   vars["HTTP_CLIENT_TIMEOUT"],
 		ExternalSSLCAPath:   vars["EXTERNAL_SSL_CA_PATH"],
 		ExternalSSLInsecure: vars["EXTERNAL_SSL_INSECURE"],
 		SSLDir:              vars["PENTAGI_SSL_DIR"],
@@ -2002,6 +2006,7 @@ func (c *controller) UpdateServerSettingsConfig(config *ServerSettingsConfig) er
 		"CORS_ORIGINS":          config.CorsOrigins.Value,
 		"COOKIE_SIGNING_SALT":   config.CookieSigningSalt.Value,
 		"PROXY_URL":             proxyURL,
+		"HTTP_CLIENT_TIMEOUT":   config.HTTPClientTimeout.Value,
 		"EXTERNAL_SSL_CA_PATH":  config.ExternalSSLCAPath.Value,
 		"EXTERNAL_SSL_INSECURE": config.ExternalSSLInsecure.Value,
 		"PENTAGI_SSL_DIR":       config.SSLDir.Value,
@@ -2025,6 +2030,7 @@ func (c *controller) ResetServerSettingsConfig() *ServerSettingsConfig {
 		"CORS_ORIGINS",
 		"COOKIE_SIGNING_SALT",
 		"PROXY_URL",
+		"HTTP_CLIENT_TIMEOUT",
 		"EXTERNAL_SSL_CA_PATH",
 		"EXTERNAL_SSL_INSECURE",
 		"PENTAGI_SSL_DIR",

backend/cmd/installer/wizard/locale/locale.go

@@ -1199,6 +1199,9 @@ const (
 	ServerSettingsProxyPassword     = "Proxy Password"
 	ServerSettingsProxyPasswordDesc = "Password for proxy authentication (optional)"
 
+	ServerSettingsHTTPClientTimeout     = "HTTP Client Timeout"
+	ServerSettingsHTTPClientTimeoutDesc = "Timeout in seconds for external API calls (LLM providers, search engines, etc.)"
+
 	ServerSettingsExternalSSLCAPath     = "Custom CA Certificate Path"
 	ServerSettingsExternalSSLCAPathDesc = "Path inside container to custom root CA cert (e.g., /opt/pentagi/ssl/ca-bundle.pem)"
 
@@ -1223,6 +1226,7 @@ const (
 	ServerSettingsProxyURLHint            = "Proxy URL"
 	ServerSettingsProxyUsernameHint       = "Proxy Username"
 	ServerSettingsProxyPasswordHint       = "Proxy Password"
+	ServerSettingsHTTPClientTimeoutHint   = "HTTP Timeout"
 	ServerSettingsExternalSSLCAPathHint   = "Custom CA Path"
 	ServerSettingsExternalSSLInsecureHint = "Skip SSL Verification"
 	ServerSettingsSSLDirHint              = "SSL Directory"
@@ -1256,6 +1260,16 @@ Examples:
 
 	ServerSettingsProxyURLHelp = `HTTP or HTTPS proxy for outbound requests to LLM providers and external tools. Not used for Docker API communication.`
 
+	ServerSettingsHTTPClientTimeoutHelp = `Timeout in seconds for all external HTTP/HTTPS API calls including:
+• LLM provider requests (OpenAI, Anthropic, Bedrock, etc.)
+• Search engine queries (Google, Tavily, Perplexity, etc.)
+• External tool integrations
+• Embedding generation requests
+
+Default: 600 seconds (10 minutes)
+Setting to 0 disables timeout (not recommended in production)
+Too low values may cause legitimate long-running requests to fail.`
+
 	ServerSettingsExternalSSLCAPathHelp = `Path to custom CA certificate file (PEM format) inside the container.
 
 Must point to /opt/pentagi/ssl/ directory, which is mounted from pentagi-ssl volume on the host.
@@ -2248,6 +2262,7 @@ const (
 	EnvDesc_CORS_ORIGINS                      = "PentAGI CORS Origins"
 	EnvDesc_COOKIE_SIGNING_SALT               = "PentAGI Cookie Signing Salt"
 	EnvDesc_PROXY_URL                         = "HTTP/HTTPS Proxy URL"
+	EnvDesc_HTTP_CLIENT_TIMEOUT               = "HTTP Client Timeout (seconds)"
 	EnvDesc_EXTERNAL_SSL_CA_PATH              = "Custom CA Certificate Path"
 	EnvDesc_EXTERNAL_SSL_INSECURE             = "Skip SSL Verification"
 	EnvDesc_PENTAGI_SSL_DIR                   = "PentAGI SSL Directory"

backend/cmd/installer/wizard/models/server_settings_form.go

@@ -94,6 +94,14 @@ func (m *ServerSettingsFormModel) BuildForm() tea.Cmd {
 		true,
 	))
 
+	// http client timeout
+	fields = append(fields, m.createTextField("http_client_timeout",
+		locale.ServerSettingsHTTPClientTimeout,
+		locale.ServerSettingsHTTPClientTimeoutDesc,
+		config.HTTPClientTimeout,
+		false,
+	))
+
 	// external ssl settings
 	fields = append(fields, m.createTextField("external_ssl_ca_path",
 		locale.ServerSettingsExternalSSLCAPath,
@@ -265,6 +273,14 @@ func (m *ServerSettingsFormModel) GetCurrentConfiguration() string {
 		sections = append(sections, fmt.Sprintf("• %s: %s", locale.ServerSettingsProxyPasswordHint, proxyPassword))
 	}
 
+	if httpTimeout := cfg.HTTPClientTimeout.Value; httpTimeout != "" {
+		httpTimeout = m.GetStyles().Info.Render(httpTimeout + "s")
+		sections = append(sections, fmt.Sprintf("• %s: %s", locale.ServerSettingsHTTPClientTimeoutHint, httpTimeout))
+	} else if httpTimeout := cfg.HTTPClientTimeout.Default; httpTimeout != "" {
+		httpTimeout = m.GetStyles().Muted.Render(httpTimeout + "s")
+		sections = append(sections, fmt.Sprintf("• %s: %s", locale.ServerSettingsHTTPClientTimeoutHint, httpTimeout))
+	}
+
 	if externalSSLCAPath := cfg.ExternalSSLCAPath.Value; externalSSLCAPath != "" {
 		externalSSLCAPath = m.GetStyles().Info.Render(externalSSLCAPath)
 		sections = append(sections, fmt.Sprintf("• %s: %s", locale.ServerSettingsExternalSSLCAPathHint, externalSSLCAPath))
@@ -334,6 +350,8 @@ func (m *ServerSettingsFormModel) GetHelpContent() string {
 			sections = append(sections, locale.ServerSettingsCORSOriginsHelp)
 		case "proxy_url":
 			sections = append(sections, locale.ServerSettingsProxyURLHelp)
+		case "http_client_timeout":
+			sections = append(sections, locale.ServerSettingsHTTPClientTimeoutHelp)
 		case "external_ssl_ca_path":
 			sections = append(sections, locale.ServerSettingsExternalSSLCAPathHelp)
 		case "external_ssl_insecure":
@@ -363,6 +381,7 @@ func (m *ServerSettingsFormModel) HandleSave() error {
 		CorsOrigins:         cfg.CorsOrigins,
 		CookieSigningSalt:   cfg.CookieSigningSalt,
 		ProxyURL:            cfg.ProxyURL,
+		HTTPClientTimeout:   cfg.HTTPClientTimeout,
 		ExternalSSLCAPath:   cfg.ExternalSSLCAPath,
 		ExternalSSLInsecure: cfg.ExternalSSLInsecure,
 		SSLDir:              cfg.SSLDir,
@@ -402,6 +421,15 @@ func (m *ServerSettingsFormModel) HandleSave() error {
 			newCfg.ProxyUsername = value
 		case "proxy_password":
 			newCfg.ProxyPassword = value
+		case "http_client_timeout":
+			if value != "" {
+				if timeout, err := strconv.Atoi(value); err != nil {
+					return fmt.Errorf("invalid HTTP client timeout: must be a number")
+				} else if timeout < 0 {
+					return fmt.Errorf("invalid HTTP client timeout: must be >= 0")
+				}
+			}
+			newCfg.HTTPClientTimeout.Value = value
 		case "external_ssl_ca_path":
 			newCfg.ExternalSSLCAPath.Value = value
 		case "external_ssl_insecure":

backend/docs/config.md

@@ -1437,15 +1437,16 @@ These settings enable:
 
 Having multiple search engine options ensures redundancy and provides different search algorithms for varied information needs. Sploitus is specifically designed for security research, providing comprehensive exploit and vulnerability information essential for penetration testing. Searxng is particularly useful as it provides aggregated results from multiple search engines while offering enhanced privacy and customization options.
 
-## Proxy Settings
+## Network and Proxy Settings
 
-These settings control the HTTP proxy used for outbound connections, which is important for network security and access control.
+These settings control HTTP proxy, SSL configuration, and network timeouts for outbound connections, which are important for network security and access control.
 
 | Option              | Environment Variable    | Default Value | Description                                                      |
 | ------------------- | ----------------------- | ------------- | ---------------------------------------------------------------- |
 | ProxyURL            | `PROXY_URL`             | *(none)*      | URL for HTTP proxy (e.g., `http://user:pass@proxy:8080`)         |
 | ExternalSSLCAPath   | `EXTERNAL_SSL_CA_PATH`  | *(none)*      | Path to trusted CA certificate for external LLM SSL connections  |
 | ExternalSSLInsecure | `EXTERNAL_SSL_INSECURE` | `false`       | Skip SSL certificate verification for external connections       |
+| HTTPClientTimeout   | `HTTP_CLIENT_TIMEOUT`   | `600`         | Timeout in seconds for external API calls (0 = no timeout)       |
 
 ### Usage Details
 
@@ -1503,6 +1504,26 @@ The SSL settings provide additional security configuration:
   ```
   **Warning**: Only use this in development or trusted environments. Skipping certificate verification exposes connections to man-in-the-middle attacks.
 
+- **HTTPClientTimeout**: Sets the timeout for all external HTTP requests (LLM providers, search engines, etc.):
+  ```go
+  // Used in pkg/system/utils.go for HTTP client configuration
+  timeout := defaultHTTPClientTimeout
+  if cfg.HTTPClientTimeout > 0 {
+      timeout = time.Duration(cfg.HTTPClientTimeout) * time.Second
+  }
+
+  httpClient := &http.Client{
+      Timeout: timeout,
+  }
+  ```
+  The default value of 600 seconds (10 minutes) is suitable for most LLM API calls, including long-running operations. Setting this to 0 disables the timeout (not recommended in production), while very low values may cause legitimate requests to fail. This setting affects:
+  - All LLM provider API calls (OpenAI, Anthropic, Bedrock, etc.)
+  - Search engine requests (Google, Tavily, Perplexity, etc.)
+  - External tool integrations
+  - Embedding generation requests
+
+  Adjust this value based on your network conditions and the complexity of operations being performed.
+
 ## Graphiti Knowledge Graph Settings
 
 These settings control the integration with Graphiti, a temporal knowledge graph system powered by Neo4j, for advanced semantic understanding and relationship tracking of AI agent operations.

backend/go.mod

@@ -54,22 +54,22 @@ require (
 	github.com/vxcontrol/langchaingo v0.1.14-update.5
 	github.com/wasilibs/go-re2 v1.10.0
 	github.com/xeipuuv/gojsonschema v1.2.0
-	go.opentelemetry.io/otel v1.38.0
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.9.0
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.34.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0
-	go.opentelemetry.io/otel/log v0.9.0
-	go.opentelemetry.io/otel/metric v1.38.0
-	go.opentelemetry.io/otel/sdk v1.36.0
-	go.opentelemetry.io/otel/sdk/log v0.9.0
-	go.opentelemetry.io/otel/sdk/metric v1.36.0
-	go.opentelemetry.io/otel/trace v1.38.0
-	golang.org/x/crypto v0.44.0
-	golang.org/x/net v0.47.0
-	golang.org/x/oauth2 v0.30.0
+	go.opentelemetry.io/otel v1.39.0
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0
+	go.opentelemetry.io/otel/log v0.14.0
+	go.opentelemetry.io/otel/metric v1.39.0
+	go.opentelemetry.io/otel/sdk v1.39.0
+	go.opentelemetry.io/otel/sdk/log v0.14.0
+	go.opentelemetry.io/otel/sdk/metric v1.39.0
+	go.opentelemetry.io/otel/trace v1.39.0
+	golang.org/x/crypto v0.46.0
+	golang.org/x/net v0.48.0
+	golang.org/x/oauth2 v0.34.0
 	golang.org/x/sys v0.40.0
 	google.golang.org/api v0.238.0
-	google.golang.org/grpc v1.73.0
+	google.golang.org/grpc v1.79.3
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -78,7 +78,7 @@ require (
 	cloud.google.com/go/aiplatform v1.85.0 // indirect
 	cloud.google.com/go/auth v0.16.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.5.2 // indirect
 	cloud.google.com/go/longrunning v0.6.7 // indirect
 	cloud.google.com/go/vertexai v0.12.0 // indirect
@@ -108,7 +108,8 @@ require (
 	github.com/bytedance/sonic v1.11.6 // indirect
 	github.com/bytedance/sonic/loader v0.1.1 // indirect
 	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charmbracelet/colorprofile v0.3.1 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
@@ -127,7 +128,7 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
 	github.com/gage-technologies/mistral-go v1.1.0 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -148,7 +149,7 @@ require (
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/gorilla/sessions v1.2.2 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
@@ -214,22 +215,22 @@ require (
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/arch v0.8.0 // indirect
 	golang.org/x/mod v0.30.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
 	google.golang.org/genai v1.42.0 // indirect
 	google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
 	nhooyr.io/websocket v1.8.7 // indirect
 )