fix(quality): reduce cognitive complexity and fix pre-existing bugs#135
Merged
Conversation
Contributor
yacosta738
commented
Mar 4, 2026
yacosta738
commented
- Refactor high-complexity functions across agent-runtime to stay within SonarQube thresholds (extract helpers, flatten nested conditionals, introduce context structs)
- Fix execute_tool_calls stub in channels/mod.rs that was bypassing real tool execution; fix inverted bool in normalize_response call
- Fix pre-existing broken test assertion in channels/telegram.rs (send_text_chunks always returns Ok, test was asserting is_err)
- Remove --all-features flag from cargoClippy in build.gradle.kts to align with main branch and avoid surfacing unrelated surreal feature errors
- Fix unused _parsed parameter warning in web dashboard App.vue
- Fix Biome formatting violations in marketing app (tabs→spaces, inline conditionals)
- Refactor high-complexity functions across agent-runtime to stay within SonarQube thresholds (extract helpers, flatten nested conditionals, introduce context structs) - Fix execute_tool_calls stub in channels/mod.rs that was bypassing real tool execution; fix inverted bool in normalize_response call - Fix pre-existing broken test assertion in channels/telegram.rs (send_text_chunks always returns Ok, test was asserting is_err) - Remove --all-features flag from cargoClippy in build.gradle.kts to align with main branch and avoid surfacing unrelated surreal feature errors - Fix unused _parsed parameter warning in web dashboard App.vue - Fix Biome formatting violations in marketing app (tabs→spaces, inline conditionals)
Contributor
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (15)
📝 WalkthroughWalkthroughThis PR refactors core agent-runtime modules (channels, providers, gateway, CLI) and firmware into modular helper functions, improving code organization and testability. Changes span tool iteration handling, system prompt construction, OAuth login flows, provider credential resolution, message conversion, and notification collection. Web changes are formatting adjustments. Changes
Estimated code review effort🎯 4 (Complex) | ⏱️ ~55 minutes Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
- Resolved conflicts in channels/mod.rs and config/schema.rs, taking main's version - MCP support feature (src/tools/mcp/, tests/mcp_*.rs) brought in from main - Fixed clippy::large_futures in main.rs by wrapping handle_agent_command with Box::pin - All make all checks pass cleanly
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 24
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
clients/agent-runtime/src/channels/mod.rs (2)
1423-1554:⚠️ Potential issue | 🟠 Major
doctor_channelsmisses Mattermost health checks.
build_channel_listomits Mattermost whilebuild_active_channelsincludes it, so configured Mattermost can run but never be health-checked by doctor.🔧 Suggested fix (minimum)
fn build_channel_list(config: &Config) -> Vec<(&'static str, Arc<dyn Channel>)> { let mut channels: Vec<(&'static str, Arc<dyn Channel>)> = Vec::new(); @@ + if let Some(ref mm) = config.channels_config.mattermost { + channels.push(( + "Mattermost", + Arc::new(MattermostChannel::new( + mm.url.clone(), + mm.bot_token.clone(), + mm.channel_id.clone(), + mm.allowed_users.clone(), + mm.thread_replies.unwrap_or(true), + )), + )); + }Based on learnings: Implement
Channeltrait insrc/channels/with consistentsend,listen, andhealth_checksemantics and cover auth/allowlist/health behavior with tests.Also applies to: 1825-1936
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@clients/agent-runtime/src/channels/mod.rs` around lines 1423 - 1554, build_channel_list currently omits Mattermost so configured Mattermost channels never get doctor health checks; update build_channel_list to push a ("Mattermost", Arc::new(MattermostChannel::new(...))) entry mirroring the parameters used in build_active_channels (use the same config fields and clones as other channels) and ensure the MattermostChannel reference (MattermostChannel::new or MattermostChannel::from_config) matches how the channel is constructed elsewhere; this will align doctor_channels health checks with build_active_channels.
1158-1167:⚠️ Potential issue | 🟠 MajorAvoid Discord-only capability text in the global system prompt.
This prompt is shared across channels, but the section asserts Discord-specific runtime behavior. That can skew responses for Telegram/Slack/others.
🔧 Suggested fix
fn append_channel_capabilities(prompt: &mut String) { prompt.push_str("## Channel Capabilities\n\n"); - prompt.push_str( - "- You are running as a Discord bot. You CAN and do send messages to Discord channels.\n", - ); - prompt.push_str("- When someone messages you on Discord, your response is automatically sent back to Discord.\n"); - prompt.push_str("- You do NOT need to ask permission to respond — just respond directly.\n"); + prompt.push_str( + "- You are running as a channel-connected assistant. Your response is delivered through the current channel automatically.\n", + ); + prompt.push_str("- You do NOT need to ask permission to respond — just respond directly.\n"); prompt.push_str("- NEVER repeat, describe, or echo credentials, tokens, API keys, or secrets in your responses.\n"); prompt.push_str("- If a tool output contains credentials, they have already been redacted — do not mention them.\n\n"); }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@clients/agent-runtime/src/channels/mod.rs` around lines 1158 - 1167, The global prompt builder function append_channel_capabilities currently hardcodes Discord-specific behavior which can mislead other channel runtimes; update append_channel_capabilities to either accept a channel identifier (e.g., channel: &str or Channel enum) or remove Discord-specific lines and replace them with neutral, channel-agnostic text such as “You may send messages back to the user via the active channel” and rules about not echoing secrets; locate and change the function append_channel_capabilities to produce generic capability bullets (or branch by channel when given a channel param) so non-Discord channels aren’t given Discord-only instructions.clients/agent-runtime/src/gateway/mod.rs (1)
332-585: 🧹 Nitpick | 🔵 TrivialUse a single restart-detection implementation across gateway modules.
This file now contains a full restart comparison pipeline, while
clients/agent-runtime/src/gateway/admin.rsalso has restart-required collection logic. Maintaining both paths risks drift on security-sensitive restart gating over time.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@clients/agent-runtime/src/gateway/mod.rs` around lines 332 - 585, The restart-detection logic implemented by restart_required_updates and its helpers (compare_root_fields, compare_observability_fields, compare_runtime_fields, compare_autonomy_fields, compare_gateway_fields, compare_scheduler_fields, compare_webhook_fields) should be centralized and reused by the admin path to avoid drift; extract these functions into a shared module (e.g., gateway::restart or gateway::config_compare) and replace the duplicate logic in clients/agent-runtime/src/gateway/admin.rs with a single call into the new shared function (keeping the same function signature or providing an adapter that accepts AdminConfigUpdateRequest and Config), ensuring all callers use the canonical implementation.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@clients/agent-runtime/firmware/corvus-nucleo/src/main.rs`:
- Around line 140-155: process_command currently returns only a String<128> and
duplicates gpio_write handling with the main loop; change process_command to
return a tuple (String<128>, LedAction) or equivalent (response, led_action) so
all parsing and dispatch for gpio_write happens inside process_command (use
parse_arg for "pin" and "value" and call handle_gpio_write(id_str, pin, value)
to get both response and led_action), update handle_gpio_write signature/return
as needed, and remove the special-case gpio_write branch from main so main just
uses the returned led_action from process_command to drive LEDs; ensure other
branches (ping, capabilities, gpio_read, unknown) return a neutral/no-op
LedAction.
- Around line 103-128: In handle_gpio_write, validate the incoming value is
exactly 0 or 1 before treating non-zero as HIGH: if value is not 0 or 1, produce
an error JSON (ok:false, error describing invalid value) and return (resp,
None); only when pin == LED_PIN and value ∈ {0,1} create and return
Some((LED_PIN as i32, value)); apply the same 0|1 validation for other valid
pins (0..=13) so malformed values like -3, 2, 99 are rejected.
In `@clients/agent-runtime/src/channels/telegram.rs`:
- Around line 1899-1901: The test currently asserts success even though
send_text_chunks swallows per-chunk errors; change the implementation so
send_text_chunks returns and propagates the first encountered Err instead of
always Ok, then update finalize_draft (the call site ch.finalize_draft) to
propagate that error to its caller; finally modify the test at
ch.finalize_draft("123", "not-a-number", &long_text) to assert an Err result (or
the specific error variant) instead of Ok, keeping references to
send_text_chunks and finalize_draft so the failure surface is explicit.
- Around line 1705-1729: The listen loop swallows errors from poll_updates and
just logs+retries, preventing the supervisor from detecting failures; change the
Err(e) arm inside listen to propagate the error instead of sleeping
indefinitely—return Err(e.into()) (or map to the function's error type) so
callers can restart or mark unhealthy; locate the match on
self.poll_updates(...) in listen and replace the tracing::warn + sleep branch
with a propagated error return while keeping existing behavior for Ok(updates)
(including parse_update_message, handle_unauthorized_message, send_typing_action
and tx.send).
- Around line 1433-1444: send_typing_action currently sends the full
reply_target string as chat_id which breaks forum topic typing actions; update
send_typing_action to use the existing parse_reply_target helper (same as
send_message and edit_message) to split reply_target into base chat_id and
optional thread id, build the JSON body with "chat_id": chat_id and, if present,
"message_thread_id": <thread_id as integer>, then POST that body to
sendChatAction and await the response; reference send_typing_action,
parse_reply_target, send_message and edit_message to mirror their handling of
message_thread_id.
In `@clients/agent-runtime/src/config/schema.rs`:
- Around line 2270-2274: The code reads an env var into key and only checks
!key.is_empty(), which allows whitespace-only values to overwrite a valid key;
update the logic in the block that uses provider, provider_check, var_name and
target to trim the env value (e.g., key.trim()) before validation and
assignment, and only set *target = Some(trimmed_key.to_string()) when the
trimmed value is non-empty so whitespace-only env vars are ignored.
- Around line 2366-2380: The code checks provider-scoped API keys via
env_override_provider_api_key (GLM_API_KEY, ZAI_API_KEY) before applying
env_override_string for CORVUS_PROVIDER/PROVIDER, so self.api_key can be missed
when provider is only set via env; move the
env_override_string("CORVUS_PROVIDER", "PROVIDER", &mut self.default_provider)
(and optionally the CORVUS_MODEL line) to run before calling
env_override_provider_api_key, ensuring the provider (self.default_provider) is
resolved from env first so env_override_provider_api_key can correctly set
self.api_key for functions env_override_provider_api_key and the
default_provider/self.api_key variables.
In `@clients/agent-runtime/src/gateway/admin.rs`:
- Around line 343-348: The current call to check_and_push with gateway.host
treats whitespace/empty strings as a restart-required change causing a 409
instead of letting apply_gateway_patch return a 400 invalid-input; fix by
validating trimmed gateway.host before calling check_and_push and return a 400
error when the incoming host is empty/only-whitespace, or alternatively change
check_and_push usage so that gateway.host.as_ref().map(|h| h.trim().to_string())
yields None when empty (so it is not treated as a change requiring restart).
Ensure the validation happens in the request handling path (before calling
apply_gateway_patch) or adjust apply_gateway_patch to validate and return 400
for empty trimmed host, and keep the restart/change detection logic
(check_and_push) only for genuine value changes.
In `@clients/agent-runtime/src/main.rs`:
- Around line 1129-1137: The current branch silently falls back to browser/paste
flow when an explicit --device-code request (variable device_code) fails;
instead, when device_code is true and
auth::openai_oauth::start_device_code_flow(&client).await returns Err(e),
propagate or surface an explicit error (return a Result::Err from the
surrounding function or print a clear error and exit) rather than calling the
browser flow; update the match arm that currently prints "Device-code flow
unavailable..." to return or bubble the error with context that device-code
login failed so callers (including CI/headless) are not silently downgraded, and
keep handle_device_code_login only for the Ok(device) path.
- Line 635: Replace the panic in the match arm for Commands::Onboard by
returning a typed dispatch error instead of calling unreachable!(); locate the
Commands::Onboard arm in main.rs and change it to return an Err with the
appropriate error variant used by this module (e.g.,
DispatchError::UnsupportedCommand or DispatchError::RouteNotSupported) or
construct a context-rich error via the crate's error type (including "Onboard"
in the message) so the caller receives an explicit, non-panicking error rather
than a crash.
- Around line 1200-1206: The match arm handling Err(e) currently prints messages
and returns Ok(()), causing a zero exit even though login failed; change this to
return a non-zero error instead. In the Err(e) branch (the "Callback capture
failed" match arm) replace the final return Ok(()) with a proper error
return—e.g., use anyhow::bail! or return Err(anyhow::anyhow!(format!("Callback
capture failed: {}", e)))—so the function returns an Err and the process exits
non‑zero; keep the existing println messages if desired but ensure the error is
propagated (or call std::process::exit(1) if consistent with the surrounding
error handling).
In `@clients/agent-runtime/src/memory/snapshot.rs`:
- Around line 262-274: The function flush_current_entry currently takes
current_content: &mut String but only reads it, so change the signature to take
current_content: &str (remove #[allow(clippy::ptr_arg)]), update the call sites
that pass ¤t_content to pass current_content.as_str() or ¤t_content,
and keep the body using current_content.trim().to_string() so entries.push((key,
content)) still works; ensure current_key is still taken as before and no other
callers rely on it being mutable.
In `@clients/agent-runtime/src/memory/sqlite.rs`:
- Around line 747-776: The query applies LIMIT before filtering by session_id
which can truncate results; update the listing logic in sqlite.rs (the function
that builds and executes the SELECT with row_mapper and DEFAULT_LIST_LIMIT) to
include session_id in the SQL WHERE clause when session_ref is Some, i.e.,
extend the match that constructs query (and the params passed to stmt.query_map)
to add "AND session_id = ?N" (or the equivalent placeholder) when session_ref
exists and bind the session id alongside category and limit so filtering happens
in SQL rather than post-fetch; keep the existing category handling
(category_to_str) and row_mapper usage but ensure the prepared statement and
params include the session value so results are limited correctly by both
session_id and LIMIT.
In `@clients/agent-runtime/src/onboard/wizard.rs`:
- Around line 505-659: The models_for_provider table was reverted to an older
catalog and now diverges from curated_models_for_provider and
default_model_for_provider, causing onboarding regressions; fix by aligning
models_for_provider with the canonical curated/default lists (either by copying
the up-to-date entries from
curated_models_for_provider/default_model_for_provider into models_for_provider
or, better, refactor models_for_provider to delegate to
curated_models_for_provider/default_model_for_provider to avoid duplication),
ensure special-case constants like MINIMAX_ONBOARD_MODELS remain referenced
consistently, and add/update unit/integration tests that exercise
models_for_provider to prevent future regressions.
- Around line 1528-1531: The user-facing print_bullet call currently prints the
raw provider error via style(error.to_string()).yellow(), which can leak
sensitive payloads; change the message to a sanitized, non-sensitive summary
(e.g., "Live fetch failed; using cached/curated list." or include a safe error
kind/status only) and stop interpolating error.to_string() directly into
print_bullet; instead send the full error to a developer/debug log (e.g.,
debug!/trace!) and display only the sanitized summary in print_bullet. Update
the call site that uses print_bullet and style(error.to_string()).yellow() to
use the sanitized text and add a separate debug log that records the full error
for troubleshooting.
- Around line 3355-3360: The parse_allowed_numbers function currently keeps
empty tokens from inputs like "a,,b" which can produce invalid entries; update
parse_allowed_numbers so after splitting on ',' you trim each token and filter
out any empty strings (e.g., skip tokens where s.trim().is_empty()) before
collecting to Vec<String>, while preserving the special-case check for a lone
"*" (input.trim() == "*"); this ensures the allowlist contains only non-empty,
trimmed entries and rejects malformed empty tokens.
- Around line 3342-3352: The WhatsApp connection check in
test_whatsapp_connection spawns a thread with a blocking reqwest Client that has
no timeouts and then calls join(), which can hang; update the code to build the
blocking client using the same pattern as build_model_fetch_client (use
reqwest::blocking::Client::builder() and set a reasonable
timeout/connect_timeout, e.g., Duration::from_secs(10)), perform the GET inside
the spawned thread, then send the boolean result through an std::sync::mpsc
channel and use recv_timeout with a matching Duration to wait for the result
instead of directly calling thread::join(), so the onboarding step will time out
rather than block indefinitely (refer to the spawned closure using phone_id and
token and the thread result handling).
In `@clients/agent-runtime/src/providers/reliable.rs`:
- Around line 228-229: The code currently drops actionable failure reason by
returning a generic "non_retryable"; update the non-retryable exit paths (the
calls around handle_error_actions in reliable.rs, e.g. the code that calls
self.handle_error_actions(provider_name, &error_info) and then returns
"non_retryable") to propagate the original error context instead of the string
literal — for example, attach error_info (or its message/Display) to the
returned Err/AggregatedError or include it in the error kind so callers see
provider/model-specific details; ensure functions like handle_error_actions, the
surrounding match/return, and any AggregatedError constructors accept and
forward that context rather than replacing it with "non_retryable".
- Around line 283-288: The tracing::info call inside the rate-limit handling
must not log any API key material; remove the key suffix interpolation used with
new_key in the log and instead emit a generic message indicating a successful
key rotation (e.g., "rotated API key for provider") using the provider
identifier only. Update the block where self.rotate_key() is called (refer to
rotate_key and provider_name in the reliable.rs provider) to drop any
new_key-derived data from logs and, if desired, log a non-sensitive boolean or
rotation count from the provider state rather than the key itself.
In `@clients/agent-runtime/src/tools/cron_add.rs`:
- Around line 147-166: The shell-job path parses delete_after_run via
Self::parse_delete_after_run but never forwards it; update cron::add_shell_job
to accept a delete_after_run: bool parameter (name it delete_after_run) and
persist that value in the DB insert instead of hardcoding 0, then change the
call in the JobType::Shell branch (currently cron::add_shell_job(&self.config,
name, schedule, command)) to pass the parsed delete_after_run; ensure the
function signature and any uses of add_shell_job are updated accordingly and
return handling still goes through Self::handle_job_result.
- Around line 54-68: The parse functions parse_session_target and parse_delivery
currently return anyhow::Result and propagate errors as Err, which breaks the
expected ToolResult error contract; change both functions to return
Result<SessionTarget, String> and Result<Option<DeliveryConfig>, String>
respectively (map serde_json::Error to a String via .to_string()), then at each
call site replace the `?` propagation with the existing match pattern used
elsewhere (match parse_session_target(...) { Ok(v) => v, Err(e) => return
Ok(Self::error_result(&e)) } and similarly for parse_delivery) so parsing
failures produce Ok(ToolResult { success: false, ... }) instead of Err.
In `@clients/agent-runtime/src/update/mod.rs`:
- Around line 589-598: The sort and dedup keys mismatch on targets: you sort
only by channel and recipient (targets.sort_by) but dedup_by also checks
authorized_sender, so non-adjacent true duplicates can remain; fix by including
authorized_sender in the sort key so duplicates become adjacent (e.g., make the
sort compare channel, recipient, and authorized_sender in the same order used by
dedup_by) and keep the existing dedup_by predicate unchanged.
- Around line 614-628: collect_from_registered_channels currently calls
collectors for 10 channels but omits the collectors for lark, dingtalk, and qq,
so add calls to collect_lark_targets(config, push_target),
collect_dingtalk_targets(config, push_target), and collect_qq_targets(config,
push_target) inside the collect_from_registered_channels function (keeping the
same push_target signature) so the channels supported by build_channel and
is_sender_authorized are actually gathered for updates.
- Around line 739-741: The is_numeric_user validator currently rejects negative
Telegram IDs (e.g., -100200300); update is_numeric_user to accept an optional
leading '-' followed by at least one ASCII digit so signed integers are allowed.
Locate the is_numeric_user function and change its logic to: return true if the
string is all ASCII digits OR if it starts with '-' and the remainder is all
ASCII digits (ensure "-" alone is rejected); this will allow negative
group/supergroup IDs to pass so push_target will be invoked for them.
---
Outside diff comments:
In `@clients/agent-runtime/src/channels/mod.rs`:
- Around line 1423-1554: build_channel_list currently omits Mattermost so
configured Mattermost channels never get doctor health checks; update
build_channel_list to push a ("Mattermost",
Arc::new(MattermostChannel::new(...))) entry mirroring the parameters used in
build_active_channels (use the same config fields and clones as other channels)
and ensure the MattermostChannel reference (MattermostChannel::new or
MattermostChannel::from_config) matches how the channel is constructed
elsewhere; this will align doctor_channels health checks with
build_active_channels.
- Around line 1158-1167: The global prompt builder function
append_channel_capabilities currently hardcodes Discord-specific behavior which
can mislead other channel runtimes; update append_channel_capabilities to either
accept a channel identifier (e.g., channel: &str or Channel enum) or remove
Discord-specific lines and replace them with neutral, channel-agnostic text such
as “You may send messages back to the user via the active channel” and rules
about not echoing secrets; locate and change the function
append_channel_capabilities to produce generic capability bullets (or branch by
channel when given a channel param) so non-Discord channels aren’t given
Discord-only instructions.
In `@clients/agent-runtime/src/gateway/mod.rs`:
- Around line 332-585: The restart-detection logic implemented by
restart_required_updates and its helpers (compare_root_fields,
compare_observability_fields, compare_runtime_fields, compare_autonomy_fields,
compare_gateway_fields, compare_scheduler_fields, compare_webhook_fields) should
be centralized and reused by the admin path to avoid drift; extract these
functions into a shared module (e.g., gateway::restart or
gateway::config_compare) and replace the duplicate logic in
clients/agent-runtime/src/gateway/admin.rs with a single call into the new
shared function (keeping the same function signature or providing an adapter
that accepts AdminConfigUpdateRequest and Config), ensuring all callers use the
canonical implementation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 14f704bf-3061-4381-ba19-b9b1a86c1ec1
⛔ Files ignored due to path filters (1)
clients/agent-runtime/firmware/corvus-nucleo/Cargo.lockis excluded by!**/*.lock
📒 Files selected for processing (20)
clients/agent-runtime/build.gradle.ktsclients/agent-runtime/firmware/corvus-nucleo/src/main.rsclients/agent-runtime/src/channels/mod.rsclients/agent-runtime/src/channels/telegram.rsclients/agent-runtime/src/config/schema.rsclients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/gateway/mod.rsclients/agent-runtime/src/main.rsclients/agent-runtime/src/memory/snapshot.rsclients/agent-runtime/src/memory/sqlite.rsclients/agent-runtime/src/onboard/wizard.rsclients/agent-runtime/src/providers/copilot.rsclients/agent-runtime/src/providers/mod.rsclients/agent-runtime/src/providers/reliable.rsclients/agent-runtime/src/tools/cron_add.rsclients/agent-runtime/src/update/mod.rsclients/web/apps/dashboard/src/App.vueclients/web/apps/marketing/src/layouts/MarketingLayout.astroclients/web/apps/marketing/src/pages/index.astroclients/web/apps/marketing/src/styles/global.css
💤 Files with no reviewable changes (1)
- clients/agent-runtime/build.gradle.kts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Cloudflare Pages
🧰 Additional context used
📓 Path-based instructions (11)
clients/agent-runtime/src/{security,gateway,tools}/**/*.rs
📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)
Treat
src/security/,src/gateway/,src/tools/as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks
Files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/tools/cron_add.rsclients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/src/**/*.rs
📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)
clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency
Files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/config/schema.rsclients/agent-runtime/src/memory/sqlite.rsclients/agent-runtime/src/providers/reliable.rsclients/agent-runtime/src/memory/snapshot.rsclients/agent-runtime/src/channels/mod.rsclients/agent-runtime/src/channels/telegram.rsclients/agent-runtime/src/main.rsclients/agent-runtime/src/onboard/wizard.rsclients/agent-runtime/src/update/mod.rsclients/agent-runtime/src/providers/copilot.rsclients/agent-runtime/src/tools/cron_add.rsclients/agent-runtime/src/gateway/mod.rsclients/agent-runtime/src/providers/mod.rs
clients/agent-runtime/**/*.rs
📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)
Run
cargo fmt --all -- --check,cargo clippy --all-targets -- -D warnings, andcargo testfor code validation, or document which checks were skipped and why
Files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/config/schema.rsclients/agent-runtime/src/memory/sqlite.rsclients/agent-runtime/src/providers/reliable.rsclients/agent-runtime/src/memory/snapshot.rsclients/agent-runtime/src/channels/mod.rsclients/agent-runtime/src/channels/telegram.rsclients/agent-runtime/src/main.rsclients/agent-runtime/firmware/corvus-nucleo/src/main.rsclients/agent-runtime/src/onboard/wizard.rsclients/agent-runtime/src/update/mod.rsclients/agent-runtime/src/providers/copilot.rsclients/agent-runtime/src/tools/cron_add.rsclients/agent-runtime/src/gateway/mod.rsclients/agent-runtime/src/providers/mod.rs
clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs
📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)
Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable
Files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/config/schema.rsclients/agent-runtime/src/tools/cron_add.rsclients/agent-runtime/src/gateway/mod.rs
**/*.rs
⚙️ CodeRabbit configuration file
**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.
Files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/config/schema.rsclients/agent-runtime/src/memory/sqlite.rsclients/agent-runtime/src/providers/reliable.rsclients/agent-runtime/src/memory/snapshot.rsclients/agent-runtime/src/channels/mod.rsclients/agent-runtime/src/channels/telegram.rsclients/agent-runtime/src/main.rsclients/agent-runtime/firmware/corvus-nucleo/src/main.rsclients/agent-runtime/src/onboard/wizard.rsclients/agent-runtime/src/update/mod.rsclients/agent-runtime/src/providers/copilot.rsclients/agent-runtime/src/tools/cron_add.rsclients/agent-runtime/src/gateway/mod.rsclients/agent-runtime/src/providers/mod.rs
**/*
⚙️ CodeRabbit configuration file
**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.
Files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/config/schema.rsclients/agent-runtime/src/memory/sqlite.rsclients/web/apps/marketing/src/pages/index.astroclients/web/apps/marketing/src/styles/global.cssclients/web/apps/dashboard/src/App.vueclients/agent-runtime/src/providers/reliable.rsclients/agent-runtime/src/memory/snapshot.rsclients/agent-runtime/src/channels/mod.rsclients/agent-runtime/src/channels/telegram.rsclients/agent-runtime/src/main.rsclients/agent-runtime/firmware/corvus-nucleo/src/main.rsclients/web/apps/marketing/src/layouts/MarketingLayout.astroclients/agent-runtime/src/onboard/wizard.rsclients/agent-runtime/src/update/mod.rsclients/agent-runtime/src/providers/copilot.rsclients/agent-runtime/src/tools/cron_add.rsclients/agent-runtime/src/gateway/mod.rsclients/agent-runtime/src/providers/mod.rs
**/*.vue
⚙️ CodeRabbit configuration file
**/*.vue: Enforce Vue 3 Composition API with <script setup>.
Ensure accessibility (A11y) and proper use of Tailwind CSS classes.
Check for proper prop validation and emitted events documentation.
Files:
clients/web/apps/dashboard/src/App.vue
clients/agent-runtime/src/providers/**/*.rs
📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)
Implement
Providertrait insrc/providers/and register insrc/providers/mod.rsfactory when adding a new provider
Files:
clients/agent-runtime/src/providers/reliable.rsclients/agent-runtime/src/providers/copilot.rsclients/agent-runtime/src/providers/mod.rs
clients/agent-runtime/src/channels/**/*.rs
📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)
Implement
Channeltrait insrc/channels/with consistentsend,listen, andhealth_checksemantics and cover auth/allowlist/health behavior with tests
Files:
clients/agent-runtime/src/channels/mod.rsclients/agent-runtime/src/channels/telegram.rs
clients/agent-runtime/src/main.rs
📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)
clients/agent-runtime/src/main.rs: Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths
Keep startup path lean and avoid heavy initialization in command parsing flow
Files:
clients/agent-runtime/src/main.rs
clients/agent-runtime/src/tools/**/*.rs
📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)
Implement
Tooltrait insrc/tools/with strict parameter schema, validate and sanitize all inputs, and return structuredToolResultwithout panics in runtime path
Files:
clients/agent-runtime/src/tools/cron_add.rs
🧠 Learnings (11)
📓 Common learnings
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/channels/**/*.rs : Implement `Channel` trait in `src/channels/` with consistent `send`, `listen`, and `health_check` semantics and cover auth/allowlist/health behavior with tests
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths
Applied to files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/config/schema.rsclients/agent-runtime/src/memory/sqlite.rsclients/agent-runtime/src/providers/reliable.rsclients/agent-runtime/src/memory/snapshot.rsclients/agent-runtime/src/channels/mod.rsclients/agent-runtime/src/channels/telegram.rsclients/agent-runtime/src/main.rsclients/agent-runtime/firmware/corvus-nucleo/src/main.rsclients/agent-runtime/src/update/mod.rsclients/agent-runtime/src/providers/copilot.rsclients/agent-runtime/src/tools/cron_add.rsclients/agent-runtime/src/gateway/mod.rsclients/agent-runtime/src/providers/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable
Applied to files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/config/schema.rsclients/agent-runtime/src/main.rsclients/agent-runtime/src/gateway/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why
Applied to files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/main.rsclients/agent-runtime/src/tools/cron_add.rsclients/agent-runtime/src/gateway/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools}/**/*.rs : Treat `src/security/`, `src/gateway/`, `src/tools/` as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks
Applied to files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/gateway/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/channels/**/*.rs : Implement `Channel` trait in `src/channels/` with consistent `send`, `listen`, and `health_check` semantics and cover auth/allowlist/health behavior with tests
Applied to files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/channels/mod.rsclients/agent-runtime/src/channels/telegram.rsclients/agent-runtime/src/update/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/**/*.rs : Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency
Applied to files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/memory/sqlite.rsclients/agent-runtime/src/providers/reliable.rsclients/agent-runtime/src/main.rsclients/agent-runtime/src/update/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Keep startup path lean and avoid heavy initialization in command parsing flow
Applied to files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/channels/mod.rsclients/agent-runtime/src/main.rsclients/agent-runtime/firmware/corvus-nucleo/src/main.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions
Applied to files:
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/tools/cron_add.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/providers/**/*.rs : Implement `Provider` trait in `src/providers/` and register in `src/providers/mod.rs` factory when adding a new provider
Applied to files:
clients/agent-runtime/src/config/schema.rsclients/agent-runtime/src/providers/reliable.rsclients/agent-runtime/src/providers/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/tools/**/*.rs : Implement `Tool` trait in `src/tools/` with strict parameter schema, validate and sanitize all inputs, and return structured `ToolResult` without panics in runtime path
Applied to files:
clients/agent-runtime/src/channels/mod.rsclients/agent-runtime/src/providers/copilot.rsclients/agent-runtime/src/tools/cron_add.rs
🔇 Additional comments (18)
clients/web/apps/marketing/src/layouts/MarketingLayout.astro (1)
7-8: Formatting-only update looks safe.This preserves existing behavior, including canonical URL generation, with no security or contract regression detected.
Also applies to: 12-13, 16-16
clients/web/apps/marketing/src/pages/index.astro (1)
5-20: Array reformatting is non-functional and safe.No content or rendering-path changes; this should not affect behavior.
Also applies to: 24-38
clients/web/apps/marketing/src/styles/global.css (1)
19-19: CSS normalization is safe and behavior-preserving.Gradient and keyframe changes are formatting-only with unchanged values/order.
Also applies to: 524-531, 535-542
clients/web/apps/dashboard/src/App.vue (1)
456-456: Good no-op cleanup for lint compliance.Renaming to
_parsedmakes the intent explicit and resolves the unused-parameter warning without changing behavior.clients/agent-runtime/src/memory/snapshot.rs (3)
229-245: LGTM — Clean extraction of key parsing logic.The guard on line 231 followed by
strip_prefix/strip_suffixcorrectly handles edge cases (empty key returnsNone). Logic is sound.
247-260: LGTM — Helpers are focused and correct.
is_metadata_linecorrectly matches the export format.append_content_linepreserves original whitespace while skipping leading blank lines — good for round-trip fidelity.
207-227: Refactoredparse_snapshotis clean and maintains behavior.The extraction of helpers improves readability and testability. The flush-on-new-key + final-flush pattern correctly handles all entries including the last one.
clients/agent-runtime/firmware/corvus-nucleo/src/main.rs (2)
65-138: Good extraction of command handlers.This split keeps command behavior readable and reduces branching in the read loop without changing protocol shape.
65-244: Please confirm required Rust quality gates were run for this change.I don’t see evidence in this PR context that firmware changes were validated with the required checks. Please confirm results (or document skips and reason):
cargo fmt --all -- --check,cargo clippy --all-targets -- -D warnings,cargo test.As per coding guidelines
clients/agent-runtime/**/*.rs: "Runcargo fmt --all -- --check,cargo clippy --all-targets -- -D warnings, andcargo testfor code validation, or document which checks were skipped and why".clients/agent-runtime/src/channels/telegram.rs (1)
1379-1415: Good extraction of polling and API error parsingThis split reduces nesting in
listenand makes API error mapping easier to reason about.Also applies to: 1417-1431
clients/agent-runtime/src/main.rs (2)
633-724: Please provide required Rust validation results for this refactor.Share outputs (or explicit skip reasons) for
cargo fmt --all -- --check,cargo clippy --all-targets -- -D warnings, andcargo test.Based on learnings: Run
cargo fmt --all -- --check,cargo clippy --all-targets -- -D warnings, andcargo testfor code validation, or document which checks were skipped and why.
1251-1261: Good CSRF/PKCE safety in paste-redirect flow.State is validated before code exchange, which is the correct security boundary for this path.
clients/agent-runtime/src/tools/cron_add.rs (1)
19-53: Nice refactor for complexity reduction and clearer validation flow.The helper extraction plus early-return branches make
executeeasier to reason about.Also applies to: 132-145
clients/agent-runtime/src/onboard/wizard.rs (1)
1454-1458: Please confirm Rust validation checks for this refactor.Given the new onboarding/live-fetch logic, please confirm
cargo fmt --all -- --check,cargo clippy --all-targets -- -D warnings, andcargo testwere run, or document which checks were skipped and why.Based on learnings Run
cargo fmt --all -- --check,cargo clippy --all-targets -- -D warnings, andcargo testfor code validation, or document which checks were skipped and why.clients/agent-runtime/src/providers/copilot.rs (1)
352-429: Role-based message conversion looks solid.The helper split is clear, and the fallback path keeps malformed payloads from breaking request construction.
clients/agent-runtime/src/providers/mod.rs (1)
294-356: Credential resolution refactor is clean and behaviorally consistent.Good extraction of env-var lookup and provider-specific candidate mapping while preserving fallback order.
clients/agent-runtime/src/config/schema.rs (1)
2363-2482: Please attach Rust validation results for this refactor.I don’t see evidence in the provided context that formatting, lint, and test checks were rerun after these config-path changes. Please attach results (or explicitly document skipped checks and rationale).
Based on learnings: Run
cargo fmt --all -- --check,cargo clippy --all-targets -- -D warnings, andcargo testfor code validation, or document which checks were skipped and why.clients/agent-runtime/src/gateway/mod.rs (1)
332-345: Good decomposition with deterministic output.The helper split keeps restart field computation readable, and final
sort_unstable + deduppreserves deterministic responses.
Contributor
✅ Contributor ReportUser: @yacosta738
Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-03-04 to 2026-03-04 |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
- validate gpio value range (0/1) in firmware nucleo handler - propagate telegram chunk send errors; add thread_id to typing action - move CORVUS_PROVIDER/MODEL env overrides before GLM/ZAI key blocks - replace unreachable!/silent fallthrough with explicit errors in main - tighten flush_current_entry signature to &str (not &mut String) - filter memory list in SQL instead of post-fetch Rust loop - redact API key suffix from rate-limit log; include reason in non-retryable error - add delete_after_run param to add_shell_job; fix all call sites in cron - handle cron_add parse errors as ToolResult instead of propagating Err - add collect_lark/dingtalk/qq_targets; fix is_numeric_user for negative IDs - add Mattermost to doctor_channels; replace Discord-specific prompt wording - delegate models_for_provider to curated_models_for_provider - hide raw API error from user in live model fetch failure log - filter empty tokens in parse_allowed_numbers - add timeout + recv_timeout to test_whatsapp_connection
Deploying corvus with
|
| Latest commit: |
4c7eb15
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://4a01eabf.corvus-42x.pages.dev |
| Branch Preview URL: | https://fix-ss-qa.corvus-42x.pages.dev |
|
Merged
This was referenced Mar 24, 2026
This was referenced Apr 9, 2026
Merged
Merged
Merged
This was referenced Apr 19, 2026
This was referenced Apr 29, 2026
8 tasks
8 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.