refactor(bootstrap): add full/code/lite capability profiles

[yacosta738]

This pull request introduces a new "agent profile" capability to the agent runtime, allowing configuration of different tool and memory behaviors based on the selected profile ("full", "code", or "lite"). It also updates documentation links for consistency and correctness in both English and Spanish docs.

Agent Profile Feature:

• Added an AgentProfile enum (Full, Code, Lite) to control which tools and memory backend are enabled for the agent, with logic to select the profile from config and restrict tool access accordingly. (clients/agent-runtime/src/bootstrap/mod.rs clients/agent-runtime/src/bootstrap/mod.rsR8-R76)
• Updated the agent configuration schema to include a profile field (default: "full"), with validation and defaults, and corresponding unit tests for profile selection and behavior. (clients/agent-runtime/src/config/schema.rs [1] [2] [3] [4] [5] [6]
• Modified the agent bootstrap logic to use the selected profile when initializing memory and filtering available tools, and added comprehensive tests for all profile cases (including error handling for unknown profiles). (clients/agent-runtime/src/bootstrap/mod.rs [1] [2] [3] [4] [5]

Documentation Improvements:

• Updated architecture and guide documentation links to use relative paths for improved navigation and consistency, in both English and Spanish docs. (clients/web/apps/docs/src/content/docs/en/guides/architecture.md [1] clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md [2] [3] [4] clients/web/apps/docs/src/content/docs/en/guides/getting-started.md [5] clients/web/apps/docs/src/content/docs/en/guides/release.md [6] [7] clients/web/apps/docs/src/content/docs/es/guides/architecture.md [8] clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md [9] [10]

[linear]

DALLAY-140 Refactor: Add reusable agent capability profiles (Full/Code/Lite)

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds an AgentProfile (full, code, lite) to config, validates it, threads it through bootstrap to choose memory backend and filter tools, updates BootstrapContext to hold filtered tools, and adjusts multiple English/Spanish docs to use consistent relative links.

Changes

Cohort / File(s)	Summary
Agent Runtime: bootstrap & profile clients/agent-runtime/src/bootstrap/mod.rs	Adds AgentProfile and ToolCapability, parsing/validation, compose_memory_config, allows_tool + tool classification, threads profile through initialization, filters tool list, and adds unit tests. BootstrapContext now includes tools: Vec<Box<dyn Tool>>.
Config schema: profile field & validation clients/agent-runtime/src/config/schema.rs	Adds pub profile: String to AgentConfig, default_agent_profile(), is_supported_agent_profile(), updates Default, and validates agent profile in Config::validate_for_runtime().
Docs: link path fixes (EN & ES) clients/web/apps/docs/src/content/docs/en/guides/architecture.md, .../architecture/overview.md, .../getting-started.md, .../release.md, clients/web/apps/docs/src/content/docs/es/guides/architecture.md, .../architecture/overview.md, .../getting-started.md, .../release.md	Rewires multiple documentation links to use consistent relative ./architecture/... and ./ paths in English and Spanish guides; no behavioral changes.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Config as rgba(70,130,180,0.5) Config
participant Bootstrap as rgba(34,139,34,0.5) BootstrapContext
participant Memory as rgba(255,165,0,0.5) MemoryFactory
participant Tools as rgba(128,0,128,0.5) ToolRegistry

Config->>Bootstrap: provide AgentConfig (profile)
Bootstrap->>Config: validate_agent_profile()
Bootstrap->>Memory: compose_memory_config(profile)
Memory-->>Bootstrap: memory backend (or none for lite)
Bootstrap->>Tools: request tool list
Tools-->>Bootstrap: available tools
Bootstrap->>Tools: filter tools via profile.allows_tool()
Bootstrap-->>Caller: initialized BootstrapContext (profile, memory, filtered tools)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

• yuniel-acosta

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 44.83% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title follows Conventional Commits style with 'refactor' prefix and clear scope, accurately describes the main feature addition of capability profiles.
Description check	✅ Passed	Description includes summary of changes, affected files, and related feature details, though it lacks explicit testing information and breaking changes sections.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/dallay-140-refactor-add-reusable-agent-capability-profiles-fullcodelite

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric	Description	Value	Threshold	Status
PR Merge Rate	PRs merged vs closed	88%	>= 30%	✅
Repo Quality	Repos with ≥100 stars	0	>= 0	✅
Positive Reactions	Positive reactions received	9	>= 1	✅
Negative Reactions	Negative reactions received	0	<= 5	✅
Account Age	GitHub account age	3054 days	>= 30 days	✅
Activity Consistency	Regular activity over time	108%	>= 0%	✅
Issue Engagement	Issues with community engagement	0	>= 0	✅
Code Reviews	Code reviews given to others	395	>= 0	✅
Merger Diversity	Unique maintainers who merged PRs	2	>= 0	✅
Repo History Merge Rate	Merge rate in this repo	90%	>= 0%	✅
Repo History Min PRs	Previous PRs in this repo	127	>= 0	✅
Profile Completeness	Profile richness (bio, followers)	90	>= 0	✅
Suspicious Patterns	Spam-like activity detection	1	N/A	❌

---

_{Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-03-08 to 2026-03-08}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

clients/agent-runtime/src/bootstrap/mod.rs (1)

132-149: 🧹 Nitpick | 🔵 Trivial

Construct only the tools allowed by the selected profile.

all_tools_with_runtime() builds the full tool graph and only then drops disallowed entries. For lite, that means initializing every tool just to keep three of them, and disabled tools still receive config, memory, and credential inputs during construction. Push profile gating into tool creation instead of post-filtering.

As per coding guidelines clients/agent-runtime/src/**/*.rs: Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/agent-runtime/src/bootstrap/mod.rs` around lines 132 - 149, The
current code builds the full tool graph via all_tools_with_runtime(...) and then
filters with profile.allows_tool(...), causing unnecessary initialization and
resource passing; change all_tools_with_runtime to accept the profile (or a
predicate/closure) and perform profile.allow checks before constructing each
tool so only allowed tools are built, then update the callsite in mod.rs (where
tools is assigned) to pass the profile instead of post-filtering; ensure the
modified all_tools_with_runtime signature (and its callers) avoid
allocating/cloning heavy resources for disallowed tools and remove the
downstream .into_iter().filter(...).collect() post-filtering.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clients/agent-runtime/src/bootstrap/mod.rs`:
- Around line 192-195: The helper create_memory_and_observer currently hardcodes
AgentProfile::Full and ignores config.agent.profile; change it to derive the
profile from the provided config (e.g., use config.agent.profile or map config
to an AgentProfile) and pass that profile into init_memory_and_observer so
callers (like gateway) respect lite/code profiles; ensure the default remains
secure-by-default (deny-by-default) when mapping missing/invalid profile values.

In `@clients/agent-runtime/src/config/schema.rs`:
- Around line 218-221: The agent.profile field is a free-form String and not
validated in Config::validate_for_runtime(), so typos slip through; change
profile to a typed enum (e.g., AgentProfile with variants Full, Code, Lite and
impl Deserialize/Serialize and Default using default_agent_profile) or, if you
prefer minimal change, add explicit validation in Config::validate_for_runtime()
to reject any value not in {"full","code","lite"} and return an error; update
default_agent_profile to produce the enum/default string and adjust
Config::load_or_init()/Config struct consumers (e.g., any code reading profile)
to use the new AgentProfile type or validated string, and add unit tests to
cover invalid values and the default case.

---

Outside diff comments:
In `@clients/agent-runtime/src/bootstrap/mod.rs`:
- Around line 132-149: The current code builds the full tool graph via
all_tools_with_runtime(...) and then filters with profile.allows_tool(...),
causing unnecessary initialization and resource passing; change
all_tools_with_runtime to accept the profile (or a predicate/closure) and
perform profile.allow checks before constructing each tool so only allowed tools
are built, then update the callsite in mod.rs (where tools is assigned) to pass
the profile instead of post-filtering; ensure the modified
all_tools_with_runtime signature (and its callers) avoid allocating/cloning
heavy resources for disallowed tools and remove the downstream
.into_iter().filter(...).collect() post-filtering.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 93e10aa0-0152-4d55-8981-9630c8427cc8

📥 Commits

Reviewing files that changed from the base of the PR and between eef51d8 and c9d46a9.

📒 Files selected for processing (10)

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs
• clients/web/apps/docs/src/content/docs/en/guides/architecture.md
• clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md
• clients/web/apps/docs/src/content/docs/en/guides/getting-started.md
• clients/web/apps/docs/src/content/docs/en/guides/release.md
• clients/web/apps/docs/src/content/docs/es/guides/architecture.md
• clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md
• clients/web/apps/docs/src/content/docs/es/guides/getting-started.md
• clients/web/apps/docs/src/content/docs/es/guides/release.md

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: pr-checks
• GitHub Check: sonar
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (6)

**/*.{md,mdx}

⚙️ CodeRabbit configuration file

**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes.
For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Files:

• clients/web/apps/docs/src/content/docs/es/guides/release.md
• clients/web/apps/docs/src/content/docs/es/guides/architecture.md
• clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md
• clients/web/apps/docs/src/content/docs/en/guides/architecture.md
• clients/web/apps/docs/src/content/docs/en/guides/getting-started.md
• clients/web/apps/docs/src/content/docs/en/guides/release.md
• clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md
• clients/web/apps/docs/src/content/docs/es/guides/getting-started.md

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• clients/web/apps/docs/src/content/docs/es/guides/release.md
• clients/agent-runtime/src/bootstrap/mod.rs
• clients/web/apps/docs/src/content/docs/es/guides/architecture.md
• clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md
• clients/web/apps/docs/src/content/docs/en/guides/architecture.md
• clients/agent-runtime/src/config/schema.rs
• clients/web/apps/docs/src/content/docs/en/guides/getting-started.md
• clients/web/apps/docs/src/content/docs/en/guides/release.md
• clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md
• clients/web/apps/docs/src/content/docs/es/guides/getting-started.md

clients/agent-runtime/src/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

clients/agent-runtime/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why

Files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

**/*.rs

⚙️ CodeRabbit configuration file

**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.

Files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Files:

• clients/agent-runtime/src/config/schema.rs

🧠 Learnings (11)

📓 Common learnings

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Document agent configurations and capabilities in AGENTS.md

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Maintain comprehensive agent metadata including name, description, purpose, and capabilities

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Include version information and compatibility details for agents

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Keep startup path lean and avoid heavy initialization in command parsing flow

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/tools/**/*.rs : Implement `Tool` trait in `src/tools/` with strict parameter schema, validate and sanitize all inputs, and return structured `ToolResult` without panics in runtime path

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/**/*.rs : Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/providers/**/*.rs : Implement `Provider` trait in `src/providers/` and register in `src/providers/mod.rs` factory when adding a new provider

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T07:28:38.934Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Document agent configurations and capabilities in AGENTS.md

Applied to files:

• clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md

🪛 LanguageTool

clients/web/apps/docs/src/content/docs/es/guides/release.md

[grammar] ~12-~12: Agrega una palabra o signo.
Context: ...der publicar, asegúrate de tener: 1. Clave GPG configurada: Sigue la [Guía de Co...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_OTHER)

---

[grammar] ~12-~12: Elimina la palabra o signo.
Context: ...guración GPG](./gpg-setup/) para crear y configurar tu clave de firma 2. **Acceso...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

---

[grammar] ~262-~262: Corrige la mayúscula.
Context: ...a features) ## Ver También - Guía de Configuración GPG - [GitHub Workflows]...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~262-~262: Cambia la palabra o signo.
Context: ...er También - Guía de Configuración GPG - [GitHub Workflows](https://github.com/dal...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

clients/web/apps/docs/src/content/docs/es/guides/architecture.md

[grammar] ~126-~126: Elimina la palabra o signo.
Context: ...verview.md) para más detalles sobre cómo visualizarlos.

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md

[grammar] ~15-~15: Cambia la palabra o signo.
Context: ...es y sistemas externos. - Archivo: context/system-context.mmd - Formato: Mermaid - Descripción: Vi...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~25-~25: Elimina la palabra o signo.
Context: ...ntainer/system-containers.mmd) (Mermaid) - container/system-containers.puml (PlantUML) - Descripción: Muestra lo...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

---

[grammar] ~26-~26: Cambia la palabra o signo.
Context: ...ainer/system-containers.puml) (PlantUML) - Descripción: Muestra los contenedores ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~36-~36: Cambia la palabra o signo.
Context: ...os. ### Agent Core KMP - Archivo: component/agent-core-kmp.mmd - Descripción: Componentes internos del ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~37-~37: Elimina la palabra o signo.
Context: ...ore: Dominio, Casos de Uso, Interfaces e Infraestructura. ## Dependencias entre ...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

---

[grammar] ~40-~40: Corrige la mayúscula.
Context: ...Infraestructura. ## Dependencias entre Módulos Diagrama adicional mostrando las depende...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~44-~44: Cambia la palabra o signo.
Context: ...e Gradle entre módulos. - Archivo: module-dependencies.mmd - Descripción: Muestra cómo los clientes...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

🔇 Additional comments (8)

clients/web/apps/docs/src/content/docs/en/guides/release.md (1)

12-12: LGTM! Correct path normalization.

The GPG setup links now correctly use ./gpg-setup/ instead of ../gpg-setup/, which properly references the file in the same guides/ directory. The Spanish version mirrors this fix.

Also applies to: 257-257

clients/web/apps/docs/src/content/docs/es/guides/release.md (1)

12-12: LGTM! EN/ES parity maintained.

The Spanish release guide correctly updates GPG setup links to ./gpg-setup/, matching the English version. Path normalization is accurate.

Also applies to: 262-262

clients/web/apps/docs/src/content/docs/es/guides/getting-started.md (1)

108-110: LGTM! Navigation links corrected.

The "Siguientes Pasos" links now correctly use ./ paths for same-directory references (structure, features, development). EN/ES parity confirmed.

clients/web/apps/docs/src/content/docs/en/guides/getting-started.md (1)

104-106: LGTM! Next Steps navigation improved.

The relative paths now correctly reference files in the same guides/ directory using ./ instead of ../. This aligns with the Spanish version and improves consistency.

clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md (1)

15-15: LGTM! Architecture diagram paths normalized.

All diagram references now use ./diagrams/ paths relative to the architecture/ directory. Context confirms all target diagram files exist at the expected locations. Spanish version maintains parity.

Also applies to: 25-26, 36-36, 44-44

clients/web/apps/docs/src/content/docs/en/guides/architecture.md (1)

120-125: LGTM! C4 diagram table and overview link updated correctly.

The architecture diagram links now correctly reference ./architecture/diagrams/... from the guides/ level, and the overview link properly points to ./architecture/overview.md. Technical accuracy confirmed; Spanish version maintains parity.

clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md (1)

15-15: LGTM! Spanish architecture overview aligned.

Diagram paths updated to ./diagrams/ relative references, maintaining perfect parity with the English version. Technical accuracy verified.

Also applies to: 25-26, 36-36, 44-44

clients/web/apps/docs/src/content/docs/es/guides/architecture.md (1)

121-126: LGTM! Spanish architecture guide complete.

The C4 diagram table and overview reference now use ./architecture/ relative paths, perfectly mirroring the English version. EN/ES documentation parity maintained across all link updates.

[cloudflare-workers-and-pages]

Deploying corvus with    Cloudflare Pages

Latest commit:	a9e193c
Status:	✅  Deploy successful!
Preview URL:	https://a3f007b1.corvus-42x.pages.dev
Branch Preview URL:	https://feature-dallay-140-refactor.corvus-42x.pages.dev

View logs

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clients/agent-runtime/src/bootstrap/mod.rs`:
- Around line 48-74: The allows_tool method currently uses a blocklist for
Self::Code which makes new tools allowed by default; change Self::Code to an
explicit allowlist (like Self::Lite) by enumerating permitted tool names or by
consulting a maintained whitelist (e.g., an array or HashSet) instead of
negating matches, and ensure Self::Full remains permissive; additionally add a
unit test that iterates all_tools_with_runtime() and asserts each tool is
explicitly classified (e.g., appears in the allowlist for Code or Lite or is
covered by Full) so adding a new tool will fail CI until it is assigned a
profile.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a3f73bee-a676-47b0-82ed-eb127d51ae54

📥 Commits

Reviewing files that changed from the base of the PR and between c9d46a9 and 5cd0f54.

📒 Files selected for processing (2)

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: pr-checks
• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (5)

clients/agent-runtime/src/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

clients/agent-runtime/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why

Files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

**/*.rs

⚙️ CodeRabbit configuration file

**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.

Files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Files:

• clients/agent-runtime/src/config/schema.rs

🧠 Learnings (11)

📓 Common learnings

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Document agent configurations and capabilities in AGENTS.md

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Maintain comprehensive agent metadata including name, description, purpose, and capabilities

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Keep startup path lean and avoid heavy initialization in command parsing flow

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/tools/**/*.rs : Implement `Tool` trait in `src/tools/` with strict parameter schema, validate and sanitize all inputs, and return structured `ToolResult` without panics in runtime path

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/**/*.rs : Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools}/**/*.rs : Treat `src/security/`, `src/gateway/`, `src/tools/` as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs
• clients/agent-runtime/src/config/schema.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/providers/**/*.rs : Implement `Provider` trait in `src/providers/` and register in `src/providers/mod.rs` factory when adding a new provider

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

🔇 Additional comments (4)

clients/agent-runtime/src/config/schema.rs (1)

218-245: Profile validation correctly addresses the past review concern.

The profile field is now validated at config load time via validate_for_runtime() → validate_agent_profile(). Unknown values are rejected with a clear error message.

One maintainability note: is_supported_agent_profile() here and AgentProfile::from_raw() in bootstrap/mod.rs have duplicate matching logic. Consider extracting to a single source of truth to prevent drift.

Also applies to: 2700-2713

clients/agent-runtime/src/bootstrap/mod.rs (3)

192-197: Past review concern addressed: profile now derived from config.

create_memory_and_observer() correctly reads the profile from config instead of hardcoding Full. Gateway callers will now respect lite and code profiles.

---

37-46: Lite profile memory override looks correct.

Setting backend = "none" for Lite aligns with the minimal-footprint intent. The downstream create_memory() handles "none" by returning NoneMemory.

---

217-272: Tests cover key profile behaviors.

• bootstrap_code_profile_excludes_non_coding_tools: verifies blocklist works
• bootstrap_lite_profile_uses_minimal_tools_and_none_memory: verifies strict allowlist + memory override
• bootstrap_rejects_unknown_profile: verifies validation
• create_memory_and_observer_respects_lite_profile_memory_backend: verifies helper respects profile

Minor nit: line 246's assert_eq!(names, vec!["shell", "file_read", "file_write"]) assumes stable ordering. If all_tools_with_runtime() reorders tools, this test breaks. Consider sorting both sides or using a set comparison.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clients/agent-runtime/src/bootstrap/mod.rs`:
- Around line 296-298: The test's assertion on the exact vector order
(assert_eq!(names, vec!["shell", "file_read", "file_write"])) is brittle; change
it to an order-independent check by either sorting the `names` vector and
comparing to a sorted expected list or converting both `names` and the expected
list into a HashSet for comparison so reordering in `all_tools_with_runtime`
won't break the test — update the assertion in mod.rs accordingly referencing
the `names` variable and the expected tool set.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1f49a9dc-9384-4e18-83a3-2a6dcba1ac1d

📥 Commits

Reviewing files that changed from the base of the PR and between 5cd0f54 and d064e31.

📒 Files selected for processing (1)

• clients/agent-runtime/src/bootstrap/mod.rs

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: pr-checks
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (4)

clients/agent-runtime/src/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Files:

• clients/agent-runtime/src/bootstrap/mod.rs

clients/agent-runtime/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why

Files:

• clients/agent-runtime/src/bootstrap/mod.rs

**/*.rs

⚙️ CodeRabbit configuration file

**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.

Files:

• clients/agent-runtime/src/bootstrap/mod.rs

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• clients/agent-runtime/src/bootstrap/mod.rs

🧠 Learnings (10)

📓 Common learnings

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Document agent configurations and capabilities in AGENTS.md

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Maintain comprehensive agent metadata including name, description, purpose, and capabilities

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/tools/**/*.rs : Implement `Tool` trait in `src/tools/` with strict parameter schema, validate and sanitize all inputs, and return structured `ToolResult` without panics in runtime path

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Keep startup path lean and avoid heavy initialization in command parsing flow

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/providers/**/*.rs : Implement `Provider` trait in `src/providers/` and register in `src/providers/mod.rs` factory when adding a new provider

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools}/**/*.rs : Treat `src/security/`, `src/gateway/`, `src/tools/` as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Applied to files:

• clients/agent-runtime/src/bootstrap/mod.rs

🔇 Additional comments (6)

clients/agent-runtime/src/bootstrap/mod.rs (6)

14-61: Clean allowlist-based profile system.

The layered allowlist approach (Lite ⊂ Code ⊂ Full) with classify_tool_capability returning None for unknown tools ensures secure-by-default behavior. New tools will be rejected from Code/Lite profiles until explicitly classified.

---

110-124: Past concern resolved: Code profile now uses allowlist model.

The allows_tool implementation now delegates to classify_tool_capability, which returns None for unlisted tools. Combined with the test at lines 312-379 that fails on unclassified tools, this addresses the previous security regression concern.

---

99-108: LGTM.

Clone is necessary here to avoid mutating the caller's config.

---

242-247: Past concern resolved: Profile now derived from config.

The helper no longer hardcodes AgentProfile::Full, ensuring callers like the gateway respect lite/code profiles.

---

312-379: Excellent guardrail test.

This test ensures CI will fail when a new tool is added without explicit profile classification—exactly the safeguard requested to prevent silent privilege escalation in Code/Lite profiles.

---

196-199: LGTM.

Tool filtering via into_iter().filter().collect() avoids unnecessary allocations and cleanly applies the profile-based allowlist.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
97.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud