
chore(ci): include Rust & JS/TS in CodeQL; pin Detekt actions; extend cargo-deny to firmware#117

Merged
yacosta738 merged 6 commits into main from chore/ci/codeql-rust-audit on Mar 1, 2026

Conversation

@yacosta738 (Contributor) commented Mar 1, 2026

This pull request updates several GitHub workflow files to improve CI coverage, security audits, and dependency analysis for multiple languages and components. The main changes include expanding the CodeQL analysis to additional languages, enhancing the Rust security audit to cover multiple manifests, and pinning action versions for improved reliability.

CI/CD Workflow Improvements

  • Expanded CodeQL analysis to run on pull requests targeting main and minor branches, in addition to scheduled and manual triggers.
  • Added support for javascript-typescript and rust languages in CodeQL analysis, ensuring broader code scanning coverage.

Security Audit Enhancements

  • Modified the Rust security audit job to run against a matrix of multiple manifests, covering agent-runtime and all its firmware variants. This ensures each Rust component is checked individually.
  • Updated the cargo-deny step to use a matrix manifest path and a specific config file, enabling targeted advisory checks for each Rust project.

Reliability and Version Pinning

  • Pinned action versions in detekt.yml for actions/checkout and github/codeql-action/upload-sarif to specific commit SHAs, improving reproducibility and security.

Summary by CodeRabbit

  • New Features

    • Added a fast-fail parallel runner to speed up concurrent CI targets.
  • Chores

    • Enhanced CodeQL workflow to run on pull requests and added extra language targets with Java steps gated to Java matrix.
    • Expanded security-audit to a matrix-driven manifest strategy.
    • Pinned action references for reproducible workflows and adjusted docs build caching.
    • Makefile: introduced configurable tool checks, fast-fail vs full CI targets, and updated task behaviors.
    • Dependency tooling: added workspace shared package and Vite; minor lint and small runtime simplifications.
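The SHA pinning described in the PR can be checked mechanically. The script below is an added example, not part of this PR or the repository: it scans workflow text for `uses:` references and reports any not pinned to a full 40-hex commit SHA. The workflow text inside it is constructed, not the repo's real detekt.yml.

```python
import re
from typing import List, Tuple

# A step reference such as `uses: actions/checkout@<ref>   # v4.2.2`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def check_pins(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for every `uses:` not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped; anything else must
    reference a 40-hex-character commit, as this PR does for actions/checkout and
    github/codeql-action/upload-sarif. A tag or branch (v4, main) is mutable and
    can be moved to different code without the workflow file changing.
    """
    findings: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, sep, ref = target.partition("@")
        if not sep or not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


# Constructed sample (not the repository's real detekt.yml): one step pinned to a
# tag, one to a placeholder 40-hex SHA with a version comment, one local action.
SAMPLE_WORKFLOW = """\
jobs:
  detekt:
    steps:
      - uses: actions/checkout@v4
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, action, ref in check_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action} uses ref '{ref}', not a commit SHA")
```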

coderabbitai Bot (Contributor) commented Mar 1, 2026

Warning

Rate limit exceeded

@yacosta738 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 32 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 268e1e4 and 1652376.

⛔ Files ignored due to path filters (1)
  • clients/web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !**/pnpm-lock.yaml
📒 Files selected for processing (27)
  • .agents/agentsync.toml
  • .agents/skills/github-actions/SKILL.md
  • .gitignore
  • Makefile
  • clients/agent-runtime/src/agent/loop_.rs
  • clients/agent-runtime/src/channels/irc.rs
  • clients/agent-runtime/src/channels/mod.rs
  • clients/agent-runtime/src/config/mod.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/hardware/introspect.rs
  • clients/agent-runtime/src/hardware/mod.rs
  • clients/agent-runtime/src/memory/mod.rs
  • clients/agent-runtime/src/memory/sqlite.rs
  • clients/agent-runtime/src/memory/surreal.rs
  • clients/agent-runtime/src/observability/prometheus.rs
  • clients/agent-runtime/src/providers/anthropic.rs
  • clients/agent-runtime/src/providers/copilot.rs
  • clients/agent-runtime/src/rag/mod.rs
  • clients/agent-runtime/src/security/landlock.rs
  • clients/agent-runtime/src/tools/hardware_board_info.rs
  • clients/agent-runtime/src/tools/hardware_memory_map.rs
  • clients/agent-runtime/src/tools/hardware_memory_read.rs
  • clients/agent-runtime/src/tools/http_request.rs
  • clients/agent-runtime/src/tools/web_search_tool.rs
  • clients/web/apps/docs/astro.config.mjs
  • clients/web/apps/docs/package.json
  • dev/make-fast-fail.py
📝 Walkthrough

CI workflows updated (CodeQL triggers/matrix, detekt action pins, matrixed cargo-deny); Makefile targets and flags changed and a parallel fast-fail runner added; frontend package dev deps updated; minor Rust lint and control-flow simplifications in clients/agent-runtime.

Changes

Cohort / File(s): Summary

CodeQL workflow (.github/workflows/codeql-analysis.yml): Added pull_request trigger for main/minor branches; expanded matrix with javascript-typescript and rust (build-mode: none); gated Java-specific steps with if: matrix.language == 'java-kotlin'.
Detekt workflow pinning (.github/workflows/detekt.yml): Replaced generic action versions with pinned commit SHAs for actions/checkout and github/codeql-action/upload-sarif.
Security dependencies (cargo-deny) matrix (.github/workflows/security-dependencies.yml): Converted Rust audit job to a matrix over manifest-path entries, added contents: read permission, and updated cargo-deny invocation to use matrix.manifest-path; job name made dynamic.
Deploy docs cache path (.github/workflows/deploy-docs.yml): Changed pnpm cache key path from clients/web/apps/docs/pnpm-lock.yaml to clients/web/pnpm-lock.yaml.
Makefile & CI orchestration (Makefile, dev/make-fast-fail.py): Added global MAKEFLAGS/.SHELLFLAGS and CHECK_TOOLS flag; introduced all-full and changed all/quick behaviors; added dev/make-fast-fail.py to run make targets in parallel with fast-fail semantics.
Frontend package updates (clients/web/apps/docs/package.json): Added dependency @corvus/shared (workspace) and devDependency vite@6.4.1; adjusted devDeps entries.
Rust lint & small logic tweaks (clients/agent-runtime/src/lib.rs, clients/agent-runtime/src/main.rs, clients/agent-runtime/src/service/mod.rs): Enabled clippy::large_stack_arrays; simplified expiry mapping in format_expiry; flattened Linux restart logic and updated non-Linux test type assertions.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

codex

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Title check: ✅ Passed. The pull request title clearly and specifically summarizes the main changes: expanding CodeQL to Rust & JS/TS, pinning Detekt actions, and extending cargo-deny to firmware.
Description check: ✅ Passed. The pull request description is comprehensive and well-structured, covering the purpose, changes made, and including all key sections such as summary and organized subsections addressing workflow improvements, security enhancements, and reliability measures.


github-actions Bot (Contributor) commented Mar 1, 2026

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric (description): value, threshold
PR Merge Rate (PRs merged vs closed): 88%, threshold >= 30%
Repo Quality (repos with ≥100 stars): 0, threshold >= 0
Positive Reactions (positive reactions received): 9, threshold >= 1
Negative Reactions (negative reactions received): 0, threshold <= 5
Account Age (GitHub account age): 3047 days, threshold >= 30 days
Activity Consistency (regular activity over time): 108%, threshold >= 0%
Issue Engagement (issues with community engagement): 0, threshold >= 0
Code Reviews (code reviews given to others): 381, threshold >= 0
Merger Diversity (unique maintainers who merged PRs): 2, threshold >= 0
Repo History Merge Rate (merge rate in this repo): 91%, threshold >= 0%
Repo History Min PRs (previous PRs in this repo): 88, threshold >= 0
Profile Completeness (profile richness: bio, followers): 90, threshold >= 0
Suspicious Patterns (spam-like activity detection): 1, threshold N/A

Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-03-01 to 2026-03-01

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

coderabbitai Bot (Contributor) left a review comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/codeql-analysis.yml (1)

37-40: Gate JVM-only setup steps now that matrix includes JS/TS and Rust.

With additional languages, JVM setup runs unnecessarily on non-java-kotlin rows, increasing CI time/cost.

♻️ Suggested workflow refinement
       - name: ☕ Setup Java
+        if: matrix.language == 'java-kotlin'
         uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           java-version: "25"
           distribution: "corretto"

       - name: 🐘 Setup Gradle
+        if: matrix.language == 'java-kotlin'
         uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
         with:
           gradle-version: wrapper

       - name: 🔧 Ensure gradlew is executable
+        if: matrix.language == 'java-kotlin'
         run: chmod +x ./gradlew

       - name: 🔧 Show Gradle version
+        if: matrix.language == 'java-kotlin'
         run: ./gradlew --version
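Review bot: the `if:` expressions compare against the literal `java-kotlin`, so they must stay in sync with the identifier used in the CodeQL matrix; the PR describes the Java row as java-kotlin, so the gate is consistent today, but if that value is ever renamed all four steps (Setup Java, Setup Gradle, the `chmod +x ./gradlew` step and `./gradlew --version`) would be skipped silently and the Java/Kotlin analysis would fail at build time rather than at setup. The `uses:` references here are already pinned to commit SHAs with trailing version comments, matching what this PR applies to detekt.yml.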
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql-analysis.yml around lines 37 - 40, The workflow
currently runs JVM setup on all matrix rows (including language:
javascript-typescript and language: rust); restrict those JVM/JDK setup steps
(e.g., the steps that call actions/setup-java or install a JDK) to only run when
matrix.language == 'java-kotlin' by adding a conditional (if: matrix.language ==
'java-kotlin') to each JVM-related step so non-JVM matrix rows skip the
Java/Kotlin setup and avoid unnecessary CI time.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/security-dependencies.yml:
- Around line 14-17: The rust-audit workflow job "rust-audit" must explicitly
declare least-privilege GitHub Actions permissions; add a permissions block
under the rust-audit job (the job named rust-audit) with at minimum "contents:
read" (and any other specific minimal permissions needed by the audit steps) so
the job does not rely on default token permissions.


ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between fe371a7 and 73365a6.

📒 Files selected for processing (3)
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/detekt.yml
  • .github/workflows/security-dependencies.yml

cloudflare-workers-and-pages Bot commented Mar 1, 2026

Deploying corvus with Cloudflare Pages

Latest commit: 1652376
Status: ✅  Deploy successful!
Preview URL: https://f2e94520.corvus-42x.pages.dev
Branch Preview URL: https://chore-ci-codeql-rust-audit.corvus-42x.pages.dev


- Replace _-prefixed let bindings in non-linux test with bare _ to fix
  no_effect_underscore_binding (service/mod.rs:578-579)
- Allow clippy::large_stack_arrays in lib.rs and main.rs to suppress
  phantom span errors from proc-macro/derive expansions that Clippy
  cannot resolve back to a source location
coderabbitai Bot (Contributor) left a review comment

🧹 Nitpick comments (2)
clients/agent-runtime/src/main.rs (1)

2-34: Narrow clippy::large_stack_arrays suppression to item scope.

Applying this at crate level can hide future stack-allocation regressions in unrelated code. Prefer local #[allow(clippy::large_stack_arrays)] only on the specific item(s) that require it.

♻️ Proposed refactor
 #![allow(
@@
-    clippy::large_stack_arrays,
     dead_code
 )]
// Apply only where needed:
#[allow(clippy::large_stack_arrays)]
fn offending_function(...) { ... }
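Review bot: `fn offending_function(...) { ... }` is a placeholder, and the commit message earlier on this page says the large_stack_arrays reports come from proc-macro/derive expansions that Clippy cannot resolve back to a source location, so there may be no item for an item-level `#[allow(clippy::large_stack_arrays)]` to attach to; confirm that an item-level allow actually silences the lint before dropping it from the crate-level block, and if it cannot, keep the crate-level allow but document next to it why it exists and which expansions trigger it, so the suppression is not mistaken for a blanket waiver.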

Based on learnings clients/agent-runtime/**/*.rs: Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/agent-runtime/src/main.rs` around lines 2 - 34, Remove
clippy::large_stack_arrays from the crate-level #[allow(...)] block at the top
of main.rs and instead add #[allow(clippy::large_stack_arrays)] directly to the
specific function(s) or item(s) that actually allocate large stack arrays
(search for functions that create big local arrays or stack buffers and annotate
those items). Update the top-level attribute to omit clippy::large_stack_arrays,
add the item-level attribute to the offending function(s), run cargo fmt --all
-- --check, cargo clippy --all-targets -- -D warnings, and cargo test to verify;
if any remaining violations prevent fixes, document which items still need
attention.
.github/workflows/codeql-analysis.yml (1)

48-51: Consider gating Node.js setup to relevant languages.

The Node.js setup currently runs for all matrix entries, including rust and java-kotlin where it's not needed. While the overhead is minimal, you could optimize by conditionally running it only for JavaScript/TypeScript and Actions analysis.

♻️ Optional optimization
       - name: 📦 Setup Node
+        if: matrix.language == 'javascript-typescript' || matrix.language == 'actions'
         uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: "24"
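Review bot: the condition must use the matrix's exact language identifiers; the matrix on this page uses `javascript-typescript`, so `matrix.language == 'javascript-typescript'` in this hunk is right, whereas the AI-agent prompt below it compares against `'javascript'` and `'typescript'`, which would never match and would silently skip Node setup for the JS/TS row. The `actions` value also needs to exist in the matrix (the PR description lists only javascript-typescript, rust and java-kotlin); otherwise that half of the `||` is dead.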
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql-analysis.yml around lines 48 - 51, The "📦 Setup
Node" step currently runs unconditionally for all matrix entries; update the
step (the one using actions/setup-node and named "📦 Setup Node") to include an
if condition so it only executes for JS/TS/Actions matrix entries (e.g., check
matrix.language == 'javascript' || matrix.language == 'typescript' ||
matrix.language == 'actions'), thereby skipping Node setup for rust and
java-kotlin entries.

📥 Commits

Reviewing files that changed from the base of the PR and between 73365a6 and b5c762a.

📒 Files selected for processing (5)
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/security-dependencies.yml
  • clients/agent-runtime/src/lib.rs
  • clients/agent-runtime/src/main.rs
  • clients/agent-runtime/src/service/mod.rs
✅ Files skipped from review due to trivial changes (1)
  • clients/agent-runtime/src/lib.rs

coderabbitai Bot (Contributor) left a review comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
clients/web/apps/docs/package.json (1)

24-24: Pin typescript to an explicit version instead of latest. The project consistently pins TypeScript to 5.9.3 (root, marketing, dashboard, chat, and clients/web packages), but the docs app deviates with "latest". This creates non-deterministic resolution and will cause CI/docs breakage when TypeScript 6.0 becomes stable, as Astro 5.17.x requires TypeScript 5.x (peer dependency: typescript@^5.0.0).

Use "typescript": "^5.9.3" or "^5.0.0" to match project standards and Astro's compatibility requirements.

Additionally, "@astrojs/check": "latest" should be pinned for the same reasons—align it with the root package.json version ^0.9.6.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/docs/package.json` at line 24, Update the docs app
package.json to stop using floating "latest" versions: replace the "typescript":
"latest" entry with a pinned semver that matches the repo (e.g., "typescript":
"^5.9.3") and replace "@astrojs/check": "latest" with the root-aligned version
(e.g., "@astrojs/check": "^0.9.6"); locate and edit the
dependencies/devDependencies lines for the "typescript" and "@astrojs/check"
keys in clients/web/apps/docs/package.json (preserving JSON formatting) so
installs are deterministic and compatible with Astro 5.x.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@dev/make-fast-fail.py`:
- Around line 44-45: Replace both occurrences of the bare "except Exception:
pass" in dev/make-fast-fail.py with specific exception handling that captures
the exception object and logs the failure (e.g., "except Exception as e:" then
log the error and traceback via logging.exception or write to stderr) so
cleanup/termination errors during the fast-fail run are visible; ensure you
reference the same try/except blocks used for the termination/cleanup logic in
the script and keep behavior deterministic (do not suppress the exception
silently).

In `@Makefile`:
- Around line 342-344: The Makefile target all invokes python3
dev/make-fast-fail.py but the prerequisite target check-tools doesn't verify
Python is installed, so add a prerequisite or explicit check for Python: either
make check-tools depend on a new check-python target or add a check-python
target and make all depend on it; implement check-python to verify python3 is
available (e.g., using a simple shell check like command -v python3) and fail
with a clear message if missing, and update references to the python3 invocation
in the all target to rely on that check.



📥 Commits

Reviewing files that changed from the base of the PR and between b5c762a and 268e1e4.

⛔ Files ignored due to path filters (1)
  • clients/web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • .github/workflows/deploy-docs.yml
  • Makefile
  • clients/web/apps/docs/package.json
  • dev/make-fast-fail.py
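The fast-fail parallel runner and the review's point about silent `except Exception: pass` cleanup can be shown together. The block below is an added example, not the repository's dev/make-fast-fail.py: it starts commands concurrently, terminates the rest on the first non-zero exit, and logs (rather than swallows) any error raised while terminating; the `demo_commands()` targets are constructed stand-ins for make targets.

```python
import logging
import subprocess
import sys
import threading
from concurrent.futures import ThreadPoolExecutor, as_completed
from typing import Dict, List, Optional, Sequence

log = logging.getLogger("make-fast-fail")


def run_fast_fail(commands: Dict[str, Sequence[str]],
                  max_workers: int = 4) -> Dict[str, Optional[int]]:
    """Run commands concurrently; terminate the rest on the first failure.
    Returns name -> exit code (signal code, negative on POSIX, if terminated;
    None if never started because an earlier target already failed)."""
    procs: Dict[str, subprocess.Popen] = {}
    results: Dict[str, Optional[int]] = {}
    lock = threading.Lock()
    stop = threading.Event()

    def start_and_wait(name: str) -> Optional[int]:
        # Start under the lock so no target slips in after fail_fast() ran.
        with lock:
            if stop.is_set():
                return None
            proc = subprocess.Popen(list(commands[name]))
            procs[name] = proc
        return proc.wait()

    def fail_fast(failed: str) -> None:
        with lock:
            stop.set()
            for name, proc in procs.items():
                if name == failed or proc.poll() is not None:
                    continue
                try:
                    proc.terminate()
                    proc.wait(timeout=5)
                except subprocess.TimeoutExpired:
                    log.warning("target %s ignored SIGTERM; killing it", name)
                    proc.kill()
                except OSError:
                    # Log instead of a silent `except Exception: pass`, so a
                    # broken cleanup is visible in the CI log.
                    log.exception("could not terminate target %s", name)

    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {pool.submit(start_and_wait, n): n for n in commands}
        for fut in as_completed(futures):
            name = futures[fut]
            code = fut.result()
            results[name] = code
            if code not in (0, None):
                log.error("target %s exited with %s; stopping the rest", name, code)
                fail_fast(name)
    return results


def demo_commands() -> Dict[str, List[str]]:
    """Constructed stand-ins for make targets: one passes, one fails, one hangs."""
    py = sys.executable
    return {
        "ok": [py, "-c", "import sys; sys.exit(0)"],
        "bad": [py, "-c", "import sys; sys.exit(1)"],
        "slow": [py, "-c", "import time; time.sleep(30)"],
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    summary = run_fast_fail(demo_commands())
    sys.exit(0 if all(code == 0 for code in summary.values()) else 1)
```

Running it as a script returns quickly: `bad` fails, `slow` is terminated instead of sleeping for 30 seconds, and the overall exit status is non-zero.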

sonarqubecloud Bot commented Mar 1, 2026

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)
11.0% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@yacosta738 yacosta738 merged commit 5ed41fa into main Mar 1, 2026
21 of 23 checks passed
@yacosta738 yacosta738 deleted the chore/ci/codeql-rust-audit branch March 1, 2026 23:03