From 3ed674de754c82d269b9159bc459973dc3b288e0 Mon Sep 17 00:00:00 2001
From: ComBba <cent@naver.com>
Date: Mon, 9 Feb 2026 22:20:02 +0900
Subject: [PATCH 1/3] feat: enable free public repo evaluation with
 six_sommeliers mode

- Add POST /api/evaluate/public endpoint for anonymous evaluations
- Implement server-side public repo verification via GitHub API
- Add IP-based rate limiting (5/hour) for anonymous requests
- Force gemini-3-flash-preview model, six_sommeliers mode for free tier
- Update stream/result/graph endpoints to allow anonymous access (user_id='anonymous')
- Change frontend default tab to 'Enter URL'
- Enable anonymous submit for public repos + six_sommeliers mode
- Add 'Free evaluation' indicator banner in UI
- Disable Grand Tasting mode for non-authenticated users
---
 backend/app/api/routes/evaluate.py            | 214 ++++++++++++++++--
 backend/app/api/routes/graph.py               |  31 ++-
 backend/app/services/github_service.py        |  40 ++++
 frontend/src/app/evaluate/page.tsx            |  11 +-
 frontend/src/components/EvaluationForm.tsx    |  55 +++--
 .../src/components/EvaluationModeSelector.tsx | 102 ++++++---
 frontend/src/lib/api.ts                       |  20 ++
 7 files changed, 394 insertions(+), 79 deletions(-)

diff --git a/backend/app/api/routes/evaluate.py b/backend/app/api/routes/evaluate.py
index cf30eb3..2680ad0 100644
--- a/backend/app/api/routes/evaluate.py
+++ b/backend/app/api/routes/evaluate.py
@@ -2,6 +2,7 @@
 
 This module provides endpoints for:
 - Starting new evaluations (POST /api/evaluate)
+- Starting anonymous public evaluations (POST /api/evaluate/public)
 - Streaming evaluation progress (GET /api/evaluate/{evaluation_id}/stream)
 - Getting evaluation results (GET /api/evaluate/{evaluation_id}/result)
 """
@@ -11,9 +12,10 @@
 import asyncio
 import json
 import logging
+import time
 from typing import Any
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, Request
 from fastapi.responses import StreamingResponse
 from pydantic import BaseModel, Field
 
@@ -32,6 +34,7 @@
     SommelierProgressEvent,
     create_sommelier_event,
 )
+from app.services.github_service import verify_public_repo
 from app.services.task_registry import register_task
 from app.services.quota import check_quota
 from app.database.repositories.api_key import APIKeyRepository
@@ -40,6 +43,48 @@
 
 router = APIRouter(prefix="/evaluate", tags=["evaluate"])
 
+_anonymous_rate_limit_store: dict[str, list[float]] = {}
+_ANONYMOUS_RATE_LIMIT = 5
+_ANONYMOUS_RATE_WINDOW = 3600
+
+
+def _check_anonymous_rate_limit(client_ip: str) -> bool:
+    """Check if the client IP has exceeded the anonymous evaluation rate limit.
+
+    Args:
+        client_ip: The client's IP address.
+
+    Returns:
+        True if the request is allowed, False if rate limited.
+    """
+    now = time.time()
+    window_start = now - _ANONYMOUS_RATE_WINDOW
+    timestamps = _anonymous_rate_limit_store.get(client_ip, [])
+    timestamps = [ts for ts in timestamps if ts > window_start]
+
+    if len(timestamps) >= _ANONYMOUS_RATE_LIMIT:
+        _anonymous_rate_limit_store[client_ip] = timestamps
+        return False
+
+    timestamps.append(now)
+    _anonymous_rate_limit_store[client_ip] = timestamps
+    return True
+
+
+def _get_client_ip(request: Request) -> str:
+    """Extract the client IP address from the request.
+
+    Args:
+        request: The FastAPI request object.
+
+    Returns:
+        The client's IP address.
+    """
+    forwarded = request.headers.get("X-Forwarded-For")
+    if forwarded:
+        return forwarded.split(",")[0].strip()
+    return request.client.host if request.client else "unknown"
+
 
 class EvaluateRequest(BaseModel):
     """Request model for starting an evaluation."""
@@ -220,10 +265,125 @@ async def run_in_background():
         raise CorkedError(f"Failed to start evaluation: {e!s}") from e
 
 
+@router.post("/public", response_model=EvaluateResponse)
+async def create_public_evaluation(
+    request: EvaluateRequest,
+    req: Request,
+) -> EvaluateResponse:
+    """Start anonymous evaluation for public repositories.
+
+    This endpoint allows unauthenticated users to evaluate public GitHub repositories.
+    Constraints:
+    - Only six_sommeliers mode allowed
+    - Only public GitHub repos (verified server-side)
+    - Forced model: gemini-3-flash-preview
+    - No BYOK/provider/model/temperature overrides
+    - Rate limited by IP (5 evaluations per hour)
+
+    Args:
+        request: The evaluation request containing repo_url and criteria.
+        req: The FastAPI request object for IP-based rate limiting.
+
+    Returns:
+        EvaluateResponse with evaluation_id and status.
+
+    Raises:
+        CorkedError: If rate limit exceeded, repo is private, or evaluation fails.
+    """
+    client_ip = _get_client_ip(req)
+    logger.info(
+        f"[Evaluate Public] Request from {client_ip}: repo_url={request.repo_url}"
+    )
+
+    if not _check_anonymous_rate_limit(client_ip):
+        logger.warning(f"[Evaluate Public] Rate limit exceeded for IP: {client_ip}")
+        raise CorkedError(
+            "Rate limit exceeded. Please try again later or login for unlimited access."
+        )
+
+    await verify_public_repo(request.repo_url)
+
+    try:
+        eval_id = await start_evaluation(
+            repo_url=request.repo_url,
+            criteria=request.criteria,
+            user_id="anonymous",
+            custom_criteria=request.custom_criteria,
+            evaluation_mode="six_sommeliers",
+        )
+
+        event_channel = get_event_channel()
+        await event_channel.create_channel(eval_id)
+
+        async def run_in_background():
+            try:
+                await run_evaluation_pipeline_with_events(
+                    evaluation_id=eval_id,
+                    repo_url=request.repo_url,
+                    criteria=request.criteria,
+                    user_id="anonymous",
+                    evaluation_mode="six_sommeliers",
+                    provider="gemini",
+                    model="gemini-3-flash-preview",
+                    temperature=None,
+                    api_key=None,
+                    github_token=None,
+                )
+            except Exception as e:
+                logger.exception(f"Background evaluation failed: {eval_id}")
+                error_msg = str(e)
+                if "Resource not found" in error_msg or "404" in error_msg:
+                    user_message = "Repository not found or is private. Please check the URL and try again."
+                elif "rate limit" in error_msg.lower():
+                    user_message = (
+                        "GitHub API rate limit exceeded. Please try again later."
+                    )
+                else:
+                    user_message = f"Evaluation failed: {error_msg}"
+                await event_channel.emit(
+                    eval_id,
+                    create_sommelier_event(
+                        evaluation_id=eval_id,
+                        sommelier="system",
+                        event_type=EventType.EVALUATION_ERROR.value,
+                        progress_percent=-1,
+                        message=user_message,
+                    ),
+                )
+                await handle_evaluation_error(eval_id, error_msg)
+            finally:
+                await event_channel.close_channel(eval_id)
+
+        try:
+            task = asyncio.create_task(run_in_background())
+            await register_task(eval_id, task)
+        except Exception as e:
+            await event_channel.close_channel(eval_id)
+            raise CorkedError(f"Failed to start background task: {e!s}") from e
+
+        logger.info(f"[Evaluate Public] Background task started: {eval_id}")
+
+        return EvaluateResponse(
+            evaluation_id=eval_id,
+            status="pending",
+            evaluation_mode="six_sommeliers",
+            estimated_time=30,
+        )
+    except CorkedError as e:
+        logger.error(f"[Evaluate Public] CorkedError: {e.detail}")
+        raise e
+    except Exception as e:
+        logger.error(f"[Evaluate Public] Exception: {type(e).__name__}: {str(e)}")
+        import traceback
+
+        logger.error(f"[Evaluate Public] Traceback: {traceback.format_exc()}")
+        raise CorkedError(f"Failed to start evaluation: {e!s}") from e
+
+
 @router.get("/{evaluation_id}/stream")
 async def stream_evaluation(
     evaluation_id: str,
-    user=Depends(get_current_user),
+    user=Depends(get_optional_user),
 ) -> Any:
     """Stream evaluation progress via Server-Sent Events.
 
@@ -235,13 +395,22 @@ async def stream_evaluation(
     - evaluation_complete: When the entire evaluation is finished
     - evaluation_error: When the entire evaluation fails
     - heartbeat: Keep-alive signal (every 30 seconds)
+
+    Anonymous evaluations (user_id == "anonymous") can be accessed without
+    authentication. Authenticated users can only access their own evaluations.
     """
     try:
         progress = await get_evaluation_progress(evaluation_id)
     except EmptyCellarError:
         raise EmptyCellarError(f"Evaluation not found: {evaluation_id}") from None
 
-    if progress.get("user_id") != user.id:
+    eval_user_id = progress.get("user_id")
+
+    # Allow access if: authenticated owner OR anonymous evaluation without auth
+    if user is None and eval_user_id != "anonymous":
+        raise CorkedError("Authentication required to view this evaluation")
+
+    if user is not None and eval_user_id != user.id:
         raise CorkedError("Access denied: evaluation belongs to another user")
 
     event_channel = get_event_channel()
@@ -304,12 +473,12 @@ async def get_result(
     This endpoint returns the complete evaluation results including
     the final verdict from Jean-Pierre and all sommelier outputs.
 
-    Public demo evaluations (in PUBLIC_DEMO_EVALUATIONS) can be accessed
-    without authentication.
+    Public demo evaluations (in PUBLIC_DEMO_EVALUATIONS) and anonymous
+    evaluations (user_id == "anonymous") can be accessed without authentication.
 
     Args:
         evaluation_id: The evaluation ID.
-        user: The authenticated user (optional for public demos).
+        user: The authenticated user (optional for public access).
 
     Returns:
         The evaluation results.
@@ -318,24 +487,33 @@ async def get_result(
         EmptyCellarError: If the evaluation is not found.
         CorkedError: If the evaluation is still in progress.
     """
-    # Check if this is a public demo evaluation
     is_public_demo = evaluation_id in PUBLIC_DEMO_EVALUATIONS
 
-    # Require auth for non-public evaluations
-    if not is_public_demo and user is None:
-        raise CorkedError("Authentication required to view this evaluation")
+    if is_public_demo:
+        result = await get_evaluation_result(evaluation_id)
+        if result is None:
+            raise EmptyCellarError(f"Evaluation result not found: {evaluation_id}")
+        return ResultResponse(
+            evaluation_id=result["evaluation_id"],
+            final_evaluation=result["final_evaluation"],
+            created_at=str(result["created_at"]),
+        )
 
     try:
-        if not is_public_demo:
-            progress = await get_evaluation_progress(evaluation_id)
-            if progress.get("user_id") != user.id:
-                raise CorkedError("Access denied: evaluation belongs to another user")
-
-        result = await get_evaluation_result(evaluation_id)
+        progress = await get_evaluation_progress(evaluation_id)
     except EmptyCellarError:
         raise EmptyCellarError(f"Evaluation not found: {evaluation_id}") from None
-    except CorkedError:
-        raise
+
+    eval_user_id = progress.get("user_id")
+
+    # Allow access if: authenticated owner OR anonymous evaluation without auth
+    if user is None and eval_user_id != "anonymous":
+        raise CorkedError("Authentication required to view this evaluation")
+
+    if user is not None and eval_user_id != user.id:
+        raise CorkedError("Access denied: evaluation belongs to another user")
+
+    result = await get_evaluation_result(evaluation_id)
 
     if result is None:
         raise EmptyCellarError(f"Evaluation result not found: {evaluation_id}")
diff --git a/backend/app/api/routes/graph.py b/backend/app/api/routes/graph.py
index 5b4ac4f..d73861d 100644
--- a/backend/app/api/routes/graph.py
+++ b/backend/app/api/routes/graph.py
@@ -13,7 +13,7 @@
 
 from fastapi import APIRouter, Depends
 
-from app.api.deps import get_current_user, get_optional_user
+from app.api.deps import get_optional_user
 
 # Demo evaluation IDs that can be accessed without authentication
 PUBLIC_DEMO_EVALUATIONS = {
@@ -53,25 +53,28 @@ async def _get_evaluation(evaluation_id: str) -> dict[str, Any] | None:
 
 
 def _check_ownership(evaluation: dict[str, Any], user, evaluation_id: str) -> None:
-    """Verify user owns the evaluation or it's a public demo.
+    """Verify user owns the evaluation or it's publicly accessible.
 
     Args:
         evaluation: The evaluation document.
-        user: The current authenticated user (can be None for public demos).
+        user: The current authenticated user (can be None for public/anonymous).
         evaluation_id: The evaluation ID.
 
     Raises:
         CorkedError: If user does not own the evaluation and it's not public.
     """
-    # Allow access to public demo evaluations without auth
     if evaluation_id in PUBLIC_DEMO_EVALUATIONS:
         return
 
-    # Require auth for non-public evaluations
+    eval_user_id = evaluation.get("user_id")
+
+    if eval_user_id == "anonymous":
+        return
+
     if user is None:
         raise CorkedError("Authentication required to view this evaluation")
 
-    if evaluation.get("user_id") != user.id:
+    if eval_user_id != user.id:
         raise CorkedError(
             "Access denied: evaluation belongs to another user", status_code=403
         )
@@ -148,24 +151,26 @@ async def get_graph(
 @router.get("/{evaluation_id}/graph/structure", response_model=ReactFlowGraph)
 async def get_graph_structure(
     evaluation_id: str,
-    user=Depends(get_current_user),
+    user=Depends(get_optional_user),
 ) -> ReactFlowGraph:
     """Get static graph structure (topology only, no execution state).
 
     Returns the evaluation workflow topology without any runtime state.
     Use this for displaying the graph structure before execution starts.
+
+    Public demo and anonymous evaluations can be accessed without authentication.
     """
     logger.info(f"[Graph] Getting structure for evaluation: {evaluation_id}")
 
     evaluation = await _get_evaluation(evaluation_id)
     if not evaluation:
         raise EmptyCellarError(f"Evaluation not found: {evaluation_id}")
-    _check_ownership(evaluation, user)
+    _check_ownership(evaluation, user, evaluation_id)
 
     mode = _determine_mode(evaluation)
     if mode == EvaluationMode.FULL_TECHNIQUES:
         graph = build_full_techniques_topology()
-    else:  # SIX_SOMMELIERS, GRAND_TASTING
+    else:
         graph = build_six_sommeliers_topology()
 
     return graph
@@ -174,24 +179,26 @@ async def get_graph_structure(
 @router.get("/{evaluation_id}/graph/execution", response_model=ReactFlowGraph)
 async def get_graph_execution(
     evaluation_id: str,
-    user=Depends(get_current_user),
+    user=Depends(get_optional_user),
 ) -> ReactFlowGraph:
     """Get graph with execution state overlay (status, progress from trace).
 
     Returns the evaluation workflow with runtime state from methodology_trace.
     Node status reflects the execution progress.
+
+    Public demo and anonymous evaluations can be accessed without authentication.
     """
     logger.info(f"[Graph] Getting execution graph for evaluation: {evaluation_id}")
 
     evaluation = await _get_evaluation(evaluation_id)
     if not evaluation:
         raise EmptyCellarError(f"Evaluation not found: {evaluation_id}")
-    _check_ownership(evaluation, user)
+    _check_ownership(evaluation, user, evaluation_id)
 
     mode = _determine_mode(evaluation)
     if mode == EvaluationMode.FULL_TECHNIQUES:
         graph = build_full_techniques_topology()
-    else:  # SIX_SOMMELIERS, GRAND_TASTING
+    else:
         graph = build_six_sommeliers_topology()
 
     methodology_trace = evaluation.get("methodology_trace", [])
diff --git a/backend/app/services/github_service.py b/backend/app/services/github_service.py
index 0a61d56..9c4c28f 100644
--- a/backend/app/services/github_service.py
+++ b/backend/app/services/github_service.py
@@ -328,3 +328,43 @@ async def get_full_repo_context(
             "file_tree": file_tree,
             "readme": readme,
         }
+
+
+async def verify_public_repo(repo_url: str) -> bool:
+    """Verify that a repository is publicly accessible via GitHub API.
+
+    Makes an unauthenticated request to the GitHub API to check if the
+    repository exists and is public. Private repositories will return 404
+    or 403 when accessed without authentication.
+
+    Args:
+        repo_url: The GitHub repository URL to verify.
+
+    Returns:
+        True if the repository is public and accessible.
+
+    Raises:
+        CorkedError: If the repository is not found, is private, or rate limited.
+    """
+    try:
+        owner, repo = parse_github_url(repo_url)
+    except CorkedError:
+        raise CorkedError("Invalid GitHub repository URL")
+
+    url = f"{GITHUB_API_BASE}/repos/{owner}/{repo}"
+
+    async with httpx.AsyncClient() as client:
+        response = await client.get(url, timeout=10.0)
+
+    if response.status_code == 200:
+        return True
+    elif response.status_code == 404:
+        raise CorkedError(
+            "Repository not found or is private. Please login to evaluate private repositories."
+        )
+    elif response.status_code == 403:
+        raise CorkedError(
+            "Repository not found or is private. Please login to evaluate private repositories."
+        )
+    else:
+        raise CorkedError(f"GitHub API error: {response.status_code} - {response.text}")
diff --git a/frontend/src/app/evaluate/page.tsx b/frontend/src/app/evaluate/page.tsx
index 1a39140..4ebba6e 100644
--- a/frontend/src/app/evaluate/page.tsx
+++ b/frontend/src/app/evaluate/page.tsx
@@ -7,9 +7,11 @@ import { EvaluationForm } from '../../components/EvaluationForm';
 import { api } from '../../lib/api';
 import { CriteriaType, EvaluationMode } from '../../types';
 import { Sparkles } from 'lucide-react';
+import { useAuth } from '@/contexts/AuthContext';
 
 export default function EvaluatePage() {
   const router = useRouter();
+  const { isAuthenticated } = useAuth();
   const [isLoading, setIsLoading] = useState(false);
   const [error, setError] = useState<string | null>(null);
 
@@ -18,7 +20,14 @@ export default function EvaluatePage() {
     setError(null);
 
     try {
-      const { id } = await api.startEvaluation(repoUrl, criteria, evaluationMode);
+      let id;
+      if (isAuthenticated) {
+        const result = await api.startEvaluation(repoUrl, criteria, evaluationMode);
+        id = result.id;
+      } else {
+        const result = await api.startPublicEvaluation(repoUrl);
+        id = result.id;
+      }
       router.push(`/progress/${id}?mode=${evaluationMode}`);
     } catch (err) {
       console.error('Evaluation failed:', err);
diff --git a/frontend/src/components/EvaluationForm.tsx b/frontend/src/components/EvaluationForm.tsx
index 2c07ea4..e9db766 100644
--- a/frontend/src/components/EvaluationForm.tsx
+++ b/frontend/src/components/EvaluationForm.tsx
@@ -19,7 +19,7 @@ interface EvaluationFormProps {
 type TabType = 'repos' | 'url';
 
 export const EvaluationForm: React.FC<EvaluationFormProps> = ({ onSubmit, isLoading = false, error = null }) => {
-  const [activeTab, setActiveTab] = useState<TabType>('repos');
+  const [activeTab, setActiveTab] = useState<TabType>('url');
   const [repoUrl, setRepoUrl] = useState('');
   const [criteria, setCriteria] = useState<CriteriaType>('basic');
   const [evaluationMode, setEvaluationMode] = useState<EvaluationMode>('six_sommeliers');
@@ -85,22 +85,34 @@ export const EvaluationForm: React.FC<EvaluationFormProps> = ({ onSubmit, isLoad
     return null;
   };
 
+  const canSubmitAnonymously = !isAuthenticated && 
+    activeTab === 'url' && 
+    validation.status === 'valid' && 
+    evaluationMode === 'six_sommeliers';
+
+  const canSubmit = isAuthenticated || canSubmitAnonymously;
+
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault();
     setValidationError(null);
 
-    if (!isAuthenticated) {
-      setValidationError("Please login to submit an evaluation.");
-      return;
-    }
-
     const error = validateUrl(repoUrl);
     if (error) {
       setValidationError(error);
       return;
     }
 
-    await onSubmit(repoUrl, criteria, evaluationMode);
+    if (canSubmitAnonymously) {
+      try {
+        await onSubmit(repoUrl, criteria, evaluationMode);
+      } catch (err) {
+        setValidationError(err instanceof Error ? err.message : 'Evaluation failed');
+      }
+    } else if (isAuthenticated) {
+      await onSubmit(repoUrl, criteria, evaluationMode);
+    } else {
+      setValidationError("Please login to submit an evaluation.");
+    }
   };
 
   const handleOAuthLogin = () => {
@@ -176,10 +188,27 @@ export const EvaluationForm: React.FC<EvaluationFormProps> = ({ onSubmit, isLoad
         </div>
       ) : (
         <div className="space-y-4">
-          {!isAuthenticated && (
-            <div className="rounded-lg border border-amber-200 bg-amber-50 px-4 py-3 text-sm text-amber-700">
-              Login is required to submit a repository URL.
-            </div>
+          {!isAuthenticated && activeTab === 'url' && (
+            <>
+              {validation.status === 'valid' && evaluationMode === 'six_sommeliers' ? (
+                <div className="rounded-lg border border-green-200 bg-green-50 px-4 py-3 text-sm text-green-700 flex items-center gap-2">
+                  <CheckCircle className="w-4 h-4" />
+                  Free evaluation available for public repositories
+                </div>
+              ) : validation.status === 'private' ? (
+                <div className="rounded-lg border border-amber-200 bg-amber-50 px-4 py-3 text-sm text-amber-700">
+                  Login required to evaluate private repositories.
+                </div>
+              ) : evaluationMode !== 'six_sommeliers' ? (
+                <div className="rounded-lg border border-amber-200 bg-amber-50 px-4 py-3 text-sm text-amber-700">
+                  Login required for Grand Tasting mode.
+                </div>
+              ) : (
+                <div className="rounded-lg border border-amber-200 bg-amber-50 px-4 py-3 text-sm text-amber-700">
+                  Login to access all features.
+                </div>
+              )}
+            </>
           )}
           <label htmlFor="repoUrl" className="block text-lg font-semibold text-[#722F37]">
             Repository URL
@@ -256,11 +285,11 @@ export const EvaluationForm: React.FC<EvaluationFormProps> = ({ onSubmit, isLoad
 
       <CriteriaSelector value={criteria} onChange={setCriteria} />
 
-      <EvaluationModeSelector value={evaluationMode} onChange={setEvaluationMode} />
+      <EvaluationModeSelector value={evaluationMode} onChange={setEvaluationMode} isAuthenticated={isAuthenticated} />
 
       <button
         type="submit"
-        disabled={isLoading || !repoUrl || !isAuthenticated}
+        disabled={isLoading || !repoUrl || !canSubmit}
         className="w-full flex items-center justify-center gap-2 py-4 px-6 border border-transparent rounded-xl shadow-lg text-lg font-semibold text-white bg-gradient-to-r from-[#722F37] to-[#5A252C] hover:from-[#5A252C] hover:to-[#4A1F24] focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-[#722F37] disabled:opacity-50 disabled:cursor-not-allowed transition-all duration-200 group"
       >
         {isLoading ? (
diff --git a/frontend/src/components/EvaluationModeSelector.tsx b/frontend/src/components/EvaluationModeSelector.tsx
index afe3a11..824021d 100644
--- a/frontend/src/components/EvaluationModeSelector.tsx
+++ b/frontend/src/components/EvaluationModeSelector.tsx
@@ -1,10 +1,11 @@
-import React from 'react';
+import React, { useEffect } from 'react';
 import { EvaluationMode } from '../types';
 import { Wine, Trophy, LucideIcon } from 'lucide-react';
 
 interface EvaluationModeSelectorProps {
   value: EvaluationMode;
   onChange: (value: EvaluationMode) => void;
+  isAuthenticated?: boolean;
 }
 
 interface ModeOption {
@@ -31,8 +32,15 @@ const modeOptions: ModeOption[] = [
   },
 ];
 
-export const EvaluationModeSelector: React.FC<EvaluationModeSelectorProps> = ({ value, onChange }) => {
-  const handleKeyDown = (e: React.KeyboardEvent, optionValue: EvaluationMode) => {
+export const EvaluationModeSelector: React.FC<EvaluationModeSelectorProps> = ({ value, onChange, isAuthenticated = false }) => {
+  useEffect(() => {
+    if (!isAuthenticated && value === 'grand_tasting') {
+      onChange('six_sommeliers');
+    }
+  }, [isAuthenticated, value, onChange]);
+
+  const handleKeyDown = (e: React.KeyboardEvent, optionValue: EvaluationMode, disabled: boolean) => {
+    if (disabled) return;
     if (e.key === 'Enter' || e.key === ' ') {
       e.preventDefault();
       onChange(optionValue);
@@ -43,40 +51,64 @@ export const EvaluationModeSelector: React.FC<EvaluationModeSelectorProps> = ({
     <div className="space-y-4">
       <h3 id="tasting-style-label" className="text-lg font-semibold text-[#722F37]">Select Tasting Style</h3>
       <div className="grid grid-cols-1 md:grid-cols-2 gap-4" role="radiogroup" aria-labelledby="tasting-style-label">
-        {modeOptions.map((option) => (
-          <div
-            key={option.value}
-            role="radio"
-            aria-checked={value === option.value}
-            tabIndex={0}
-            onClick={() => onChange(option.value)}
-            onKeyDown={(e) => handleKeyDown(e, option.value)}
-            className={`cursor-pointer border-2 rounded-lg p-4 transition-all duration-200 flex items-start space-x-3 focus:outline-none focus:ring-2 focus:ring-[#722F37] focus:ring-offset-2 ${
-              value === option.value
-                ? 'border-[#722F37] bg-[#F7E7CE] bg-opacity-30'
-                : 'border-gray-200 hover:border-[#722F37] hover:bg-gray-50'
-            }`}
-          >
-            <div className={`p-2 rounded-full ${value === option.value ? 'bg-[#722F37] text-white' : 'bg-gray-100 text-gray-500'}`}>
-              <option.icon size={20} />
-            </div>
-            <div className="flex-1">
-              <div className="flex items-center gap-2">
-                <h4 className={`font-medium ${value === option.value ? 'text-[#722F37]' : 'text-gray-900'}`}>
-                  {option.label}
-                </h4>
-                {option.badge && (
-                  <span className="text-xs px-2 py-0.5 bg-[#722F37] text-white rounded-full">
-                    {option.badge}
-                  </span>
-                )}
+        {modeOptions.map((option) => {
+          const isDisabled = !isAuthenticated && option.value === 'grand_tasting';
+          
+          return (
+            <div
+              key={option.value}
+              role="radio"
+              aria-checked={value === option.value}
+              aria-disabled={isDisabled}
+              tabIndex={isDisabled ? -1 : 0}
+              onClick={() => !isDisabled && onChange(option.value)}
+              onKeyDown={(e) => handleKeyDown(e, option.value, isDisabled)}
+              className={`border-2 rounded-lg p-4 transition-all duration-200 flex items-start space-x-3 focus:outline-none focus:ring-2 focus:ring-[#722F37] focus:ring-offset-2 ${
+                isDisabled 
+                  ? 'opacity-50 cursor-not-allowed border-gray-200 bg-gray-50'
+                  : value === option.value
+                    ? 'cursor-pointer border-[#722F37] bg-[#F7E7CE] bg-opacity-30'
+                    : 'cursor-pointer border-gray-200 hover:border-[#722F37] hover:bg-gray-50'
+              }`}
+            >
+              <div className={`p-2 rounded-full ${
+                isDisabled 
+                  ? 'bg-gray-200 text-gray-400'
+                  : value === option.value 
+                    ? 'bg-[#722F37] text-white' 
+                    : 'bg-gray-100 text-gray-500'
+              }`}>
+                <option.icon size={20} />
+              </div>
+              <div className="flex-1">
+                <div className="flex items-center gap-2">
+                  <h4 className={`font-medium ${
+                    isDisabled 
+                      ? 'text-gray-400'
+                      : value === option.value 
+                        ? 'text-[#722F37]' 
+                        : 'text-gray-900'
+                  }`}>
+                    {option.label}
+                  </h4>
+                  {option.badge && (
+                    <span className={`text-xs px-2 py-0.5 text-white rounded-full ${isDisabled ? 'bg-gray-400' : 'bg-[#722F37]'}`}>
+                      {option.badge}
+                    </span>
+                  )}
+                  {isDisabled && (
+                    <span className="text-xs px-2 py-0.5 bg-amber-100 text-amber-700 border border-amber-200 rounded-full">
+                      Login Required
+                    </span>
+                  )}
+                </div>
+                <p className={`text-sm mt-1 ${isDisabled ? 'text-gray-400' : 'text-gray-600'}`}>
+                  {option.description}
+                </p>
               </div>
-              <p className="text-sm text-gray-600 mt-1">
-                {option.description}
-              </p>
             </div>
-          </div>
-        ))}
+          );
+        })}
       </div>
     </div>
   );
diff --git a/frontend/src/lib/api.ts b/frontend/src/lib/api.ts
index 59b75f0..61b5dad 100644
--- a/frontend/src/lib/api.ts
+++ b/frontend/src/lib/api.ts
@@ -141,6 +141,26 @@ export const api = {
     return { id: response.evaluation_id };
   },
 
+  startPublicEvaluation: async (repoUrl: string): Promise<{ id: string }> => {
+    const response = await fetch(`${BASE_API_URL}/api/evaluate/public`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ 
+        repo_url: repoUrl, 
+        criteria: 'basic',
+        evaluation_mode: 'six_sommeliers' 
+      }),
+    });
+    
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}));
+      throw new Error(errorData.detail || errorData.message || `API Error: ${response.statusText}`);
+    }
+    
+    const data = await response.json();
+    return { id: data.evaluation_id };
+  },
+
   getEvaluationStream: (evaluationId: string, onMessage: (event: MessageEvent) => void, onError?: (error: Event) => void): EventSource => {
     const token = typeof window !== 'undefined' ? localStorage.getItem(TOKEN_STORAGE_KEY) : null;
     const url = token 

From aabbdf12a8343b288c691bcec1351eaf20fb8007 Mon Sep 17 00:00:00 2001
From: ComBba <cent@naver.com>
Date: Mon, 9 Feb 2026 22:34:25 +0900
Subject: [PATCH 2/3] fix: address code review feedback on public evaluation
 feature

- Use TTLCache for rate limiting to prevent memory leaks
- Add TRUSTED_PROXY setting to prevent IP spoofing attacks
- Use authenticated GitHub API in verify_public_repo (avoid 60/hr limit)
- Merge 404/403 error branches for consistent messaging
- Sanitize error messages (don't expose response.text)
- Add exception chaining (from None) for cleaner tracebacks
- Block custom_criteria for anonymous evaluations
- Fix access control: authenticated users can view anonymous evaluations
---
 backend/app/api/routes/evaluate.py     | 48 +++++++++++++++++---------
 backend/app/core/config.py             |  4 +++
 backend/app/services/github_service.py | 37 +++++++++++---------
 3 files changed, 55 insertions(+), 34 deletions(-)

diff --git a/backend/app/api/routes/evaluate.py b/backend/app/api/routes/evaluate.py
index 2680ad0..ea32e2d 100644
--- a/backend/app/api/routes/evaluate.py
+++ b/backend/app/api/routes/evaluate.py
@@ -13,13 +13,16 @@
 import json
 import logging
 import time
+import traceback
 from typing import Any
 
+from cachetools import TTLCache
 from fastapi import APIRouter, Depends, Request
 from fastapi.responses import StreamingResponse
 from pydantic import BaseModel, Field
 
 from app.api.deps import get_current_user, get_current_user_token, get_optional_user
+from app.core.config import settings
 from app.core.exceptions import CorkedError, EmptyCellarError
 from app.services.evaluation_service import (
     get_evaluation_progress,
@@ -43,14 +46,19 @@
 
 router = APIRouter(prefix="/evaluate", tags=["evaluate"])
 
-_anonymous_rate_limit_store: dict[str, list[float]] = {}
 _ANONYMOUS_RATE_LIMIT = 5
 _ANONYMOUS_RATE_WINDOW = 3600
+# TTL cache with max 10000 entries, auto-expiring after 2x window to handle edge cases
+_anonymous_rate_limit_store: TTLCache = TTLCache(
+    maxsize=10000, ttl=_ANONYMOUS_RATE_WINDOW * 2
+)
 
 
 def _check_anonymous_rate_limit(client_ip: str) -> bool:
     """Check if the client IP has exceeded the anonymous evaluation rate limit.
 
+    Uses a TTL-based cache to prevent unbounded memory growth.
+
     Args:
         client_ip: The client's IP address.
 
@@ -74,15 +82,20 @@ def _check_anonymous_rate_limit(client_ip: str) -> bool:
 def _get_client_ip(request: Request) -> str:
     """Extract the client IP address from the request.
 
+    Only trusts X-Forwarded-For header when TRUSTED_PROXY is enabled in settings.
+    This prevents IP spoofing attacks to bypass rate limiting.
+
     Args:
         request: The FastAPI request object.
 
     Returns:
         The client's IP address.
     """
-    forwarded = request.headers.get("X-Forwarded-For")
-    if forwarded:
-        return forwarded.split(",")[0].strip()
+    # Only trust X-Forwarded-For when running behind a trusted proxy
+    if getattr(settings, "TRUSTED_PROXY", False):
+        forwarded = request.headers.get("X-Forwarded-For")
+        if forwarded:
+            return forwarded.split(",")[0].strip()
     return request.client.host if request.client else "unknown"
 
 
@@ -259,8 +272,6 @@ async def run_in_background():
         raise e
     except Exception as e:
         logger.error(f"[Evaluate] Exception: {type(e).__name__}: {str(e)}")
-        import traceback
-
         logger.error(f"[Evaluate] Traceback: {traceback.format_exc()}")
         raise CorkedError(f"Failed to start evaluation: {e!s}") from e
 
@@ -308,7 +319,7 @@ async def create_public_evaluation(
             repo_url=request.repo_url,
             criteria=request.criteria,
             user_id="anonymous",
-            custom_criteria=request.custom_criteria,
+            custom_criteria=None,  # Anonymous users cannot use custom criteria
             evaluation_mode="six_sommeliers",
         )
 
@@ -374,8 +385,6 @@ async def run_in_background():
         raise e
     except Exception as e:
         logger.error(f"[Evaluate Public] Exception: {type(e).__name__}: {str(e)}")
-        import traceback
-
         logger.error(f"[Evaluate Public] Traceback: {traceback.format_exc()}")
         raise CorkedError(f"Failed to start evaluation: {e!s}") from e
 
@@ -406,11 +415,15 @@ async def stream_evaluation(
 
     eval_user_id = progress.get("user_id")
 
-    # Allow access if: authenticated owner OR anonymous evaluation without auth
-    if user is None and eval_user_id != "anonymous":
+    # Access control logic:
+    # 1. Anonymous evaluations are publicly accessible (no auth required)
+    # 2. Authenticated users can access their own evaluations
+    # 3. Authenticated users can also view anonymous evaluations
+    if eval_user_id == "anonymous":
+        pass  # Public access allowed
+    elif user is None:
         raise CorkedError("Authentication required to view this evaluation")
-
-    if user is not None and eval_user_id != user.id:
+    elif user.id != eval_user_id:
         raise CorkedError("Access denied: evaluation belongs to another user")
 
     event_channel = get_event_channel()
@@ -506,11 +519,12 @@ async def get_result(
 
     eval_user_id = progress.get("user_id")
 
-    # Allow access if: authenticated owner OR anonymous evaluation without auth
-    if user is None and eval_user_id != "anonymous":
+    # Access control: same logic as stream_evaluation
+    if eval_user_id == "anonymous":
+        pass  # Public access allowed
+    elif user is None:
         raise CorkedError("Authentication required to view this evaluation")
-
-    if user is not None and eval_user_id != user.id:
+    elif user.id != eval_user_id:
         raise CorkedError("Access denied: evaluation belongs to another user")
 
     result = await get_evaluation_result(evaluation_id)
diff --git a/backend/app/core/config.py b/backend/app/core/config.py
index 5966680..b8200f8 100644
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -102,6 +102,10 @@ def validate_timeout(cls, v: int) -> int:
     PORT: int = 8000
     DEBUG: bool = False
 
+    # Proxy settings (for IP-based rate limiting)
+    # Set to True when running behind a trusted reverse proxy (e.g., nginx, Cloudflare)
+    TRUSTED_PROXY: bool = False
+
     @property
     def CORS_ORIGINS(self) -> List[str]:
         origins = [self.FRONTEND_URL]
diff --git a/backend/app/services/github_service.py b/backend/app/services/github_service.py
index 9c4c28f..8f839d7 100644
--- a/backend/app/services/github_service.py
+++ b/backend/app/services/github_service.py
@@ -91,9 +91,7 @@ async def _get(self, url: str) -> httpx.Response:
             elif response.status_code == 401:
                 raise CorkedError("GitHub API authentication failed")
             elif not response.is_success:
-                raise CorkedError(
-                    f"GitHub API error: {response.status_code} - {response.text}"
-                )
+                raise CorkedError(f"GitHub API error: {response.status_code}")
 
             return response
 
@@ -246,9 +244,7 @@ async def list_user_repositories(self, access_token: str) -> List[Dict[str, Any]
                 elif response.status_code == 403:
                     raise CorkedError("GitHub API rate limit exceeded or access denied")
                 elif not response.is_success:
-                    raise CorkedError(
-                        f"GitHub API error: {response.status_code} - {response.text}"
-                    )
+                    raise CorkedError(f"GitHub API error: {response.status_code}")
 
                 page_repos = response.json()
 
@@ -333,9 +329,9 @@ async def get_full_repo_context(
 async def verify_public_repo(repo_url: str) -> bool:
     """Verify that a repository is publicly accessible via GitHub API.
 
-    Makes an unauthenticated request to the GitHub API to check if the
-    repository exists and is public. Private repositories will return 404
-    or 403 when accessed without authentication.
+    Uses authenticated requests (when GITHUB_TOKEN is configured) to avoid
+    the strict 60 requests/hour unauthenticated rate limit. Checks the
+    repository's "private" field to determine if it's truly public.
 
     Args:
         repo_url: The GitHub repository URL to verify.
@@ -349,22 +345,29 @@ async def verify_public_repo(repo_url: str) -> bool:
     try:
         owner, repo = parse_github_url(repo_url)
     except CorkedError:
-        raise CorkedError("Invalid GitHub repository URL")
+        raise CorkedError("Invalid GitHub repository URL") from None
 
     url = f"{GITHUB_API_BASE}/repos/{owner}/{repo}"
 
+    # Use authenticated request to avoid 60/hr unauthenticated rate limit
+    headers = {"Accept": "application/vnd.github.v3+json"}
+    if settings.GITHUB_TOKEN:
+        headers["Authorization"] = f"Bearer {settings.GITHUB_TOKEN}"
+
     async with httpx.AsyncClient() as client:
-        response = await client.get(url, timeout=10.0)
+        response = await client.get(url, headers=headers, timeout=10.0)
 
     if response.status_code == 200:
+        # Verify the repo is actually public by checking the private field
+        data = response.json()
+        if data.get("private", False):
+            raise CorkedError(
+                "This repository is private. Please login to evaluate private repositories."
+            )
         return True
-    elif response.status_code == 404:
-        raise CorkedError(
-            "Repository not found or is private. Please login to evaluate private repositories."
-        )
-    elif response.status_code == 403:
+    elif response.status_code in (403, 404):
         raise CorkedError(
             "Repository not found or is private. Please login to evaluate private repositories."
         )
     else:
-        raise CorkedError(f"GitHub API error: {response.status_code} - {response.text}")
+        raise CorkedError(f"GitHub API error: {response.status_code}")

From 65b5147341e9dd396d16e46c5022dc2ebb090c0a Mon Sep 17 00:00:00 2001
From: ComBba <cent@naver.com>
Date: Mon, 9 Feb 2026 22:46:00 +0900
Subject: [PATCH 3/3] fix: add cachetools dependency for TTLCache rate limiting

---
 backend/requirements.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/backend/requirements.txt b/backend/requirements.txt
index 8aec4e3..30098ca 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -6,6 +6,7 @@ pydantic-settings>=2.12.0
 python-multipart>=0.0.22
 httpx>=0.28.1
 python-dotenv>=1.2.1
+cachetools>=5.5.0
 
 # Authentication
 python-jose[cryptography]>=3.5.0