feat: Enhance quick pair dashboard flow and improve code readability #245

Merged
yacosta738 merged 5 commits into main from feat/dashboard-pairing-flow on Mar 19, 2026

Conversation

@yacosta738

This pull request makes significant improvements to the developer experience and security of the project, especially around the Makefile workflow and the agent runtime's pairing process. The Makefile is refactored to use wrapper scripts for consistent cross-platform behavior, and security is enhanced by only displaying sensitive pairing codes and magic links in trusted, interactive environments. Several code formatting and test improvements are also included.

Developer Experience Improvements:

  • Refactored the Makefile to use wrapper scripts (gradlew.sh, cli.sh, runtime-compose.sh) for Gradle and Docker commands, ensuring consistent behavior across platforms and simplifying command usage. Added new targets like dev-up-dashboard and improved help output by delegating it to a script.

Security and Pairing Improvements:

  • Enhanced the agent runtime's pairing process to only display one-time pairing codes and magic links in interactive terminals. Magic links are now only generated for trusted local dashboard origins, preventing accidental exposure of secrets to untrusted environments.
  • Added robust validation and test coverage for trusted dashboard origins and magic link generation, ensuring that only safe URLs are accepted and secrets are not leaked.

Code Quality and Formatting:

  • Cleaned up code formatting and simplified expressions in Rust source files, including removing unnecessary line breaks and clarifying logic in tests and implementations.

Minor Usability Enhancements:

  • Improved Makefile comments for Windows users and made small usability tweaks, such as using Node.js for Gradle version extraction and updating help messages.

These changes collectively improve developer workflow consistency, enhance security for sensitive operations, and maintain code quality across the codebase.
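
The gating described above, as an added example that is not code from this PR or the project. The implementations of `is_trusted_local_origin`, `build_magic_link` and `pairing_lines`, the loopback allowlist and the sample URLs and code are assumptions; the link shape `/#/quick-pair?gatewayUrl=...&code=...` is the one shown in the walkthrough on this page. The gateway URL is checked as well as the dashboard URL, so a non-local address is never embedded next to the code.

```rust
// Added example: a std-only re-creation of the gating this PR describes.
// Names, allowlist and sample values are assumptions, not the project's code.
use std::io::IsTerminal;

/// Return the lowercased host of a plain `http(s)://host[:port][/...]` URL,
/// or None for anything ambiguous (userinfo, backslashes, odd characters).
fn host_of(url: &str) -> Option<String> {
    // Backslashes, whitespace, control and non-ASCII characters are read
    // differently by different URL parsers, so refuse them outright.
    if url.chars().any(|c| !c.is_ascii_graphic() || c == '\\') {
        return None;
    }
    let (scheme, rest) = url.split_once("://")?;
    if scheme != "http" && scheme != "https" {
        return None;
    }
    // The authority ends at the first '/', '?' or '#'.
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    let (host, port) = if authority.starts_with('[') {
        let end = authority.find(']')?;
        (&authority[..=end], &authority[end + 1..])
    } else {
        match authority.find(':') {
            Some(i) => (&authority[..i], &authority[i..]),
            None => (authority, ""),
        }
    };
    let port_ok = port.is_empty()
        || (port.len() > 1
            && port.starts_with(':')
            && port[1..].bytes().all(|b| b.is_ascii_digit()));
    // '@' (userinfo) and '%' (encoded hosts) fail this character check.
    let host_ok = host == "[::1]"
        || (!host.is_empty()
            && host.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'.'));
    if port_ok && host_ok { Some(host.to_ascii_lowercase()) } else { None }
}

/// Deny by default: only loopback names and addresses count as trusted.
pub fn is_trusted_local_origin(url: &str) -> bool {
    match host_of(url) {
        Some(h) => {
            h == "localhost" || h.ends_with(".localhost") || h == "127.0.0.1" || h == "[::1]"
        }
        None => false,
    }
}

/// Percent-encode everything except RFC 3986 unreserved characters.
fn encode_component(value: &str) -> String {
    let mut out = String::new();
    for b in value.bytes() {
        if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'.' | b'~') {
            out.push(b as char);
        } else {
            out.push_str(&format!("%{:02X}", b));
        }
    }
    out
}

/// Build the quick-pair link only when BOTH endpoints are trusted and local.
pub fn build_magic_link(dashboard_url: &str, gateway_url: &str, code: &str) -> Option<String> {
    if !is_trusted_local_origin(dashboard_url) || !is_trusted_local_origin(gateway_url) {
        return None;
    }
    // A dashboard base with its own query or fragment would corrupt the link.
    if dashboard_url.contains('?') || dashboard_url.contains('#') || code.trim().is_empty() {
        return None;
    }
    Some(format!(
        "{}/#/quick-pair?gatewayUrl={}&code={}",
        dashboard_url.trim_end_matches('/'),
        encode_component(gateway_url),
        encode_component(code)
    ))
}

/// Lines to print at startup. Secrets appear only for an interactive terminal,
/// so they do not end up in redirected output or collected logs.
pub fn pairing_lines(interactive: bool, dashboard: &str, gateway: &str, code: &str) -> Vec<String> {
    if !interactive {
        return vec!["Pairing code withheld: output is not an interactive terminal.".to_string()];
    }
    let mut lines = vec![format!("One-time pairing code: {}", code)];
    if let Some(link) = build_magic_link(dashboard, gateway, code) {
        lines.push(format!("Quick pair: {}", link));
    }
    lines
}

fn main() {
    // Constructed sample values; a real runtime would take them from its config.
    let interactive = std::io::stdout().is_terminal();
    for line in pairing_lines(interactive, "http://localhost:5173", "http://127.0.0.1:3000", "123456") {
        println!("{}", line);
    }
}
```
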

@coderabbitai

coderabbitai Bot commented Mar 18, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds a dashboard quick-pair/magic-link flow (frontend + useConfig changes and tests), gateway-origin validation and magic-link helpers, Makefile and script refactors to use CLI wrappers, new runtime/dev compose scripts, localization additions, .gitignore backup-rule removals, and numerous non-functional Rust formatting tweaks.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| **Build tooling & CLI wrappers**: `Makefile`, `scripts/gradlew.sh`, `scripts/print-make-help.sh`, `scripts/runtime-compose.sh`, `dev/cli.sh` | Introduce DEV_CLI/RUNTIME_CLI, route gradle/docker via wrapper scripts, replace inline make help with print-make-help.sh, add dashboard status command and dev-up-dashboard, standardize bash invocation. |
| **Gateway quick-pair & helpers**: `clients/agent-runtime/src/gateway/mod.rs` | Add origin-trust checks, build_magic_link, should_emit_pairing_secrets, conditional emission of pairing secrets and quick-pair magic link, remove startup health/metrics banner lines, and add tests. |
| **Dashboard quick-pair frontend**: `clients/web/apps/dashboard/src/App.vue`, `clients/web/apps/dashboard/src/composables/useConfig.ts`, `clients/web/apps/dashboard/src/composables/useConfig.spec.ts` | Add QuickPairState, URL-hash parsing (initQuickPair), auto-connect flow with onBeforeConnect hook, expose quickPairState, and add/adjust tests for magic-link, auto-pair and auto-connect behaviors. |
| **Localization**: `clients/web/packages/locales/src/en.json`, `clients/web/packages/locales/src/es.json` | Add quickPairValidating, quickPairConnecting, and quickPairFailed translation keys in EN and ES. |
| **.gitignore**: `.gitignore` | Removed multiple backup-ignore rules for agent-related backup patterns, exposing those backup files to version control by default. |
| **Runtime compose & landing**: `dev/landing/index.html`, `scripts/runtime-compose.sh`, `clients/agent-runtime/docker-compose.yml*` | Translate landing page strings to English, switch health link to relative path, add runtime-compose.sh wrapper and wiring for dashboard profile (up/down/status/logs). |
| **Rust formatting & small refactors**: `clients/agent-runtime/src/...` (e.g., `agent/memory_loader.rs`, `channels/*`, `tools/*`, `memory/*`), `clients/agent-runtime/tests/*` | Formatting and minor refactors only (single-line reflows, import reorderings, test formatting) with no behavioral changes. |
| **Tests & specs (frontend)**: `clients/web/apps/dashboard/src/composables/useConfig.spec.ts` | Expanded test suite for Quick Pair, URL fragment parsing, auto-connect flows, and origin safety; updated test signatures to use typed callbacks. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User
    participant Dashboard as Dashboard (App.vue)
    participant Config as useConfig
    participant Gateway as Gateway Backend

    User->>Dashboard: Open magic link (/#/quick-pair?gatewayUrl=...&code=...)
    activate Dashboard
    Dashboard->>Config: initQuickPair()
    activate Config
    Config->>Config: Parse URL hash, validate gatewayUrl (is_trusted / isUrlSafeForSecrets)
    Config->>Config: Set quickPairState: validating → pairing
    Config->>Gateway: pairGateway({autoConnect:true})
    activate Gateway
    Gateway->>Gateway: Validate pairing code
    Gateway-->>Config: Pairing success
    deactivate Gateway
    Config->>Config: Set quickPairState: connecting
    Config->>Gateway: connectGateway()
    activate Gateway
    Gateway-->>Config: Connected
    deactivate Gateway
    Config->>Config: Set quickPairState: connected
    Config-->>Dashboard: quickPairState updated
    deactivate Config
    Dashboard-->>User: Show connected state
    deactivate Dashboard
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested reviewers

  • yuniel-acosta
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 48.72% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | Title follows Conventional Commit format with 'feat:' prefix, is clear and concise at 68 characters, and accurately describes the main changes: enhanced quick pair dashboard flow and improved code readability. |
| Description check | ✅ Passed | Description covers the purpose, developer experience improvements, security enhancements, code quality changes, and usability improvements with detailed explanations and linked references. |


@github-actions

github-actions Bot commented Mar 18, 2026

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

| Metric | Description | Value | Threshold | Status |
| --- | --- | --- | --- | --- |
| PR Merge Rate | PRs merged vs closed | 89% | >= 30% | |
| Repo Quality | Repos with ≥100 stars | 0 | >= 0 | |
| Positive Reactions | Positive reactions received | 9 | >= 1 | |
| Negative Reactions | Negative reactions received | 0 | <= 5 | |
| Account Age | GitHub account age | 3064 days | >= 30 days | |
| Activity Consistency | Regular activity over time | 108% | >= 0% | |
| Issue Engagement | Issues with community engagement | 0 | >= 0 | |
| Code Reviews | Code reviews given to others | 422 | >= 0 | |
| Merger Diversity | Unique maintainers who merged PRs | 2 | >= 0 | |
| Repo History Merge Rate | Merge rate in this repo | 90% | >= 0% | |
| Repo History Min PRs | Previous PRs in this repo | 159 | >= 0 | |
| Profile Completeness | Profile richness (bio, followers) | 90 | >= 0 | |
| Suspicious Patterns | Spam-like activity detection | 1 | N/A | |

Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-03-19 to 2026-03-19

@sentry

sentry Bot commented Mar 18, 2026

Codecov Report

❌ Patch coverage is 88.33333% with 7 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...ts/web/apps/dashboard/src/composables/useConfig.ts | 85.71% | 7 Missing ⚠️ |

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Mar 18, 2026

Deploying corvus with Cloudflare Pages

Latest commit: 7b0e4c0
Status: ✅  Deploy successful!
Preview URL: https://40a703ac.corvus-42x.pages.dev
Branch Preview URL: https://feat-dashboard-pairing-flow.corvus-42x.pages.dev


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
clients/agent-runtime/src/agent/memory_loader.rs (1)

99-106: ⚠️ Potential issue | 🔴 Critical

Add enforce_cerebro_egress check before constructing the Cerebro adapter.

The loader constructs and executes the MCP adapter at line 99 without the deny-by-default egress policy check. All other Cerebro-using paths (memory_store, memory_recall, memory_forget tools) enforce this gate first. Add the same check before adapter construction:

```rust
if let Err(error) = enforce_cerebro_egress(endpoint, &self.config, ToolOperation::Read) {
    return Ok(context);  // or appropriate error handling
}
```

Without this, user messages can reach unapproved Cerebro endpoints, bypassing security policy.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/agent-runtime/src/agent/memory_loader.rs` around lines 99 - 106, The
code constructs and executes the Cerebro adapter (cerebro::cerebro_tool_adapter
and adapter.execute) without enforcing the deny-by-default egress policy; add an
enforce_cerebro_egress check immediately before constructing the adapter: call
enforce_cerebro_egress(endpoint, &self.config, ToolOperation::Read) and if it
returns Err, short-circuit (e.g., return Ok(context) or the appropriate early
return used by this function) so unapproved Cerebro endpoints are blocked before
adapter creation/execution.
clients/web/apps/dashboard/src/composables/useConfig.ts (1)

220-254: ⚠️ Potential issue | 🟠 Major

Don’t infer quick-pair success from errorMessage.

At Line 224, pairGateway() can return before any network call when the fragment code is blank or whitespace, yet this flow still promotes quickPairState to "connected" because it only checks whether errorMessage was set. The inverse also happens after a "failed" quick pair: manual retries never clear that state, so the failure banner in App.vue can survive a later successful reconnect. Return an explicit success value from the async helpers and drive quickPairState from that instead of shared UI state.

Also applies to: 319-359

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/dashboard/src/composables/useConfig.ts` around lines 220 -
254, pairGateway currently infers success from shared UI state (errorMessage)
and can return early on empty code without signaling failure, causing
quickPairState to be incorrect; change pairGateway (and the other async helpers
referenced around the second block) to return an explicit boolean (true on
success, false on failure) instead of relying on errorMessage, ensure every
early-return path returns false (including blank/whitespace code) and every
successful completion returns true, and update callers (including where
connectGateway is awaited) to set quickPairState based solely on the returned
boolean and to clear previous failure state on success (e.g., set quickPairState
= "connected" only when the helper returns true and reset "failed" when true).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clients/agent-runtime/src/gateway/mod.rs`:
- Around line 1856-1871: build_magic_link currently only validates
dashboard_url, allowing untrusted gateway_url (e.g., tunnel_url) to be embedded;
update build_magic_link to deny-by-default by validating gateway_url as well
before returning a link. Inside build_magic_link (and any callers if needed),
call the existing is_trusted_dashboard_origin (or add a separate
is_trusted_gateway_origin if semantics differ) against gateway_url and return
None if that check fails, so the function only emits links when both
dashboard_url and gateway_url are trusted.

In `@clients/web/apps/dashboard/src/App.vue`:
- Around line 42-49: Update the quick-pair message markup so assistive tech
announces state changes: wrap the validating/connecting branch (where
config.quickPairState.value === 'validating' or 'pairing' and the connecting
branch) in an element with role="status", aria-live="polite" and
aria-atomic="true" (preserve the existing class "quick-pair-state" and use the
same i18n call t("auth.quickPairValidating") / t("auth.quickPairConnecting")),
and change the failed branch (config.quickPairState.value === 'failed') to use
role="alert", aria-live="assertive" and aria-atomic="true" (keep the "error"
class and t("auth.quickPairFailed")). Ensure changes are made in the App.vue
template near the existing config.quickPairState.value checks and keep
composition API/script-setup conventions intact.

In `@dev/cli.sh`:
- Line 133: The docker down command in dev/cli.sh currently uses both --profile
dashboard and --remove-orphans which can cause unrelated containers (e.g.,
caddy-dev, corvus-dev, sandbox) to be removed; update the docker compose
invocation in the line containing "docker compose -f \"$COMPOSE_FILE\" --profile
dashboard down --remove-orphans" to either remove the --profile dashboard flag
so down targets all services regardless of how they were started, or remove the
--remove-orphans flag to avoid deleting services started without the dashboard
profile—pick one of these fixes and apply it to that command in dev/cli.sh.
- Line 202: The clean target in dev/cli.sh is calling docker compose with the
dangerous --remove-orphans flag (docker compose -f "$COMPOSE_FILE" --profile
dashboard down -v --remove-orphans); remove the --remove-orphans option from
that invocation (or make it guarded by an explicit confirmation/CLI flag) so
volumes and unrelated services are not removed unexpectedly; update the docker
compose down call that references COMPOSE_FILE and --profile dashboard
accordingly and ensure any added confirmation logic is clear and tested.

In `@dev/landing/index.html`:
- Around line 120-121: Replace the hardcoded absolute URL
"http://corvus.localhost/api/health" used in the anchor href and the <code>
element with a same-origin relative path (e.g., "/api/health") so the link
follows the current origin and scheme; update the anchor's href attribute and
the displayed code text accordingly to avoid HTTP downgrade and host pinning.

In `@Makefile`:
- Around line 358-361: The .PHONY target continuation lines have inconsistent
leading spaces; edit the Makefile so the wrapped continuation lines under the
.PHONY declaration use consistent indentation (e.g., align all continuation
lines with a single tab or the same number of spaces) to improve
readability—locate the .PHONY declaration and the continuation list (the line
containing "deps deps-app deps-analysis ..." and following wrapped lines) and
normalize the leading whitespace for each continuation entry.
- Line 21: Replace the incorrect SHELL assignment that uses /usr/bin/env with a
direct shell path or a configured detection: change the Makefile's SHELL
variable from "SHELL := /usr/bin/env bash" to a concrete shell path like "SHELL
:= /bin/bash" or implement a detection step (e.g., using a configured variable
or a $(shell ...) probe at configure time) so GNU Make invokes a real shell
executable; update the SHELL assignment in the Makefile accordingly.

🪄 Autofix (Beta)

✅ Autofix completed


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e608f030-f407-4784-b416-87e4de23d0cf

📥 Commits

Reviewing files that changed from the base of the PR and between ecf4aff and 89db4a2.

📒 Files selected for processing (28)
  • .gitignore
  • Makefile
  • clients/agent-runtime/src/agent/memory_loader.rs
  • clients/agent-runtime/src/channels/mod.rs
  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/gateway/admin.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/memory/mod.rs
  • clients/agent-runtime/src/providers/pool.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/tests/memory_backend_selection.rs
  • clients/agent-runtime/tests/memory_cerebro_aliases.rs
  • clients/agent-runtime/tests/memory_cerebro_integration.rs
  • clients/agent-runtime/tests/memory_comparison.rs
  • clients/web/apps/dashboard/src/App.vue
  • clients/web/apps/dashboard/src/composables/useConfig.spec.ts
  • clients/web/apps/dashboard/src/composables/useConfig.ts
  • clients/web/packages/locales/src/en.json
  • clients/web/packages/locales/src/es.json
  • dev/cli.sh
  • dev/landing/index.html
  • scripts/gradlew.sh
  • scripts/print-make-help.sh
  • scripts/runtime-compose.sh
💤 Files with no reviewable changes (3)
  • .gitignore
  • clients/agent-runtime/tests/memory_comparison.rs
  • clients/agent-runtime/src/memory/mod.rs
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: pr-checks
  • GitHub Check: sonar
  • GitHub Check: pr-checks
  • GitHub Check: Cloudflare Pages
🧰 Additional context used
📓 Path-based instructions (10)
clients/agent-runtime/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why

Files:

  • clients/agent-runtime/tests/memory_cerebro_integration.rs
  • clients/agent-runtime/tests/memory_cerebro_aliases.rs
  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/src/agent/memory_loader.rs
  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/channels/mod.rs
  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/gateway/admin.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/providers/pool.rs
  • clients/agent-runtime/tests/memory_backend_selection.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
**/*.rs

⚙️ CodeRabbit configuration file

**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.

Files:

  • clients/agent-runtime/tests/memory_cerebro_integration.rs
  • clients/agent-runtime/tests/memory_cerebro_aliases.rs
  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/src/agent/memory_loader.rs
  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/channels/mod.rs
  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/gateway/admin.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/providers/pool.rs
  • clients/agent-runtime/tests/memory_backend_selection.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

  • clients/agent-runtime/tests/memory_cerebro_integration.rs
  • clients/agent-runtime/tests/memory_cerebro_aliases.rs
  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/src/agent/memory_loader.rs
  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/channels/mod.rs
  • clients/web/packages/locales/src/en.json
  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/gateway/admin.rs
  • clients/web/apps/dashboard/src/composables/useConfig.ts
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • dev/cli.sh
  • Makefile
  • scripts/runtime-compose.sh
  • clients/agent-runtime/src/providers/pool.rs
  • clients/agent-runtime/tests/memory_backend_selection.rs
  • clients/web/apps/dashboard/src/App.vue
  • clients/agent-runtime/src/tools/mcp/client.rs
  • scripts/gradlew.sh
  • scripts/print-make-help.sh
  • dev/landing/index.html
  • clients/web/packages/locales/src/es.json
  • clients/web/apps/dashboard/src/composables/useConfig.spec.ts
clients/agent-runtime/src/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Files:

  • clients/agent-runtime/src/agent/memory_loader.rs
  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/channels/mod.rs
  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/gateway/admin.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/providers/pool.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
clients/agent-runtime/src/channels/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Implement Channel trait in src/channels/ with consistent send, listen, and health_check semantics and cover auth/allowlist/health behavior with tests

Files:

  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/channels/mod.rs
clients/agent-runtime/src/tools/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Implement Tool trait in src/tools/ with strict parameter schema, validate and sanitize all inputs, and return structured ToolResult without panics in runtime path

Files:

  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
clients/agent-runtime/src/{security,gateway,tools}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Treat src/security/, src/gateway/, src/tools/ as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Files:

  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/gateway/admin.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Files:

  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/gateway/admin.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
clients/agent-runtime/src/providers/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Implement Provider trait in src/providers/ and register in src/providers/mod.rs factory when adding a new provider

Files:

  • clients/agent-runtime/src/providers/pool.rs
**/*.vue

⚙️ CodeRabbit configuration file

**/*.vue: Enforce Vue 3 Composition API with <script setup>.
Ensure accessibility (A11y) and proper use of Tailwind CSS classes.
Check for proper prop validation and emitted events documentation.

Files:

  • clients/web/apps/dashboard/src/App.vue
🧠 Learnings (12)
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

  • clients/agent-runtime/tests/memory_cerebro_integration.rs
  • clients/agent-runtime/tests/memory_cerebro_aliases.rs
  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/src/agent/memory_loader.rs
  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/gateway/admin.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/providers/pool.rs
  • clients/agent-runtime/tests/memory_backend_selection.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/**/*.rs : Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Applied to files:

  • clients/agent-runtime/tests/memory_cerebro_integration.rs
  • clients/agent-runtime/tests/memory_cerebro_aliases.rs
  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/src/agent/memory_loader.rs
  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/providers/pool.rs
  • clients/agent-runtime/tests/memory_backend_selection.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

  • clients/agent-runtime/tests/memory_cerebro_integration.rs
  • clients/agent-runtime/src/gateway/admin.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

  • clients/agent-runtime/tests/memory_cerebro_integration.rs
  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/gateway/admin.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • Makefile
  • clients/agent-runtime/tests/memory_backend_selection.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/providers/**/*.rs : Implement `Provider` trait in `src/providers/` and register in `src/providers/mod.rs` factory when adding a new provider

Applied to files:

  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/src/providers/pool.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/channels/**/*.rs : Implement `Channel` trait in `src/channels/` with consistent `send`, `listen`, and `health_check` semantics and cover auth/allowlist/health behavior with tests

Applied to files:

  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/channels/mod.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/providers/pool.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/src/channels/tests/health.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/tests/memory_backend_selection.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Applied to files:

  • clients/agent-runtime/tests/admin_config_api_integration.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/tests/memory_backend_selection.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Keep startup path lean and avoid heavy initialization in command parsing flow

Applied to files:

  • clients/agent-runtime/src/agent/memory_loader.rs
  • clients/agent-runtime/src/tools/memory_recall.rs
  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/providers/pool.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/tools/**/*.rs : Implement `Tool` trait in `src/tools/` with strict parameter schema, validate and sanitize all inputs, and return structured `ToolResult` without panics in runtime path

Applied to files:

  • clients/agent-runtime/src/tools/memory_store.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
  • clients/agent-runtime/src/tools/mcp/client.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools}/**/*.rs : Treat `src/security/`, `src/gateway/`, `src/tools/` as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Applied to files:

  • clients/agent-runtime/src/gateway/admin.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/tools/memory_forget.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/**/*.rs : Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements

Applied to files:

  • clients/agent-runtime/src/gateway/admin.rs
🪛 ast-grep (0.41.1)
dev/landing/index.html

[warning] 120-120: "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
Context: http://corvus.localhost/api/health
Note: [CWE-319] Authentication Bypass by Primary Weakness [REFERENCES]
- https://cwe.mitre.org/data/definitions/319.html

(plaintext-http-link-html)

🔇 Additional comments (18)
clients/agent-runtime/tests/memory_backend_selection.rs (1)

6-9: LGTM — formatting-only change.

Import reflow with no semantic impact. Consistent with cargo fmt output.

clients/agent-runtime/src/tools/memory_forget.rs (3)

143-154: Error handling remains runtime-safe here.

Line 143 keeps adapter-construction failures on the structured ToolResult path (no panic), which is the right behavior for a tool execution path.

As per coding guidelines, "clients/agent-runtime/src/tools/**/*.rs: ... return structured ToolResult without panics in runtime path".


207-218: Consistent non-panic handling for forget adapter init.

Line 207 mirrors the same safe failure mapping pattern, keeping behavior predictable and resilient in the runtime path.

As per coding guidelines, "clients/agent-runtime/src/tools/**/*.rs: ... return structured ToolResult without panics in runtime path".


277-277: Test import update looks good.

Line 277 makes the policy types explicit in test scope and keeps the test setup clear.

dev/landing/index.html (1)

110-113: Copy/readability update looks good.

The English text updates are clear and consistent with the page intent, and no behavior change is introduced in these segments.

Also applies to: 118-130

clients/agent-runtime/src/tools/mcp/client.rs (4)

227-227: LGTM: Clean single-line error formatting.

Collapsing the error construction improves compactness without sacrificing readability.


243-243: LGTM: Consistent error formatting.

Single-line bail aligns with the error construction style at line 227.


266-267: LGTM: Improved readability with line split.

Separating the type annotation from the deserialization call makes the expression easier to scan.


227-267: Confirm that cargo fmt --all -- --check and cargo clippy --all-targets -- -D warnings pass.

This is required per coding guidelines before merge. Ensure no new warnings are introduced in this change.

clients/agent-runtime/src/gateway/mod.rs (1)

1122-1123: No action required — the port configuration is correct for dual deployment modes.

The default fallback of http://localhost:1355 is appropriate for local portless development. Compose-based setups that publish on 127.0.0.1:4324 should explicitly override CORVUS_DASHBOARD_URL in their environment (which both the dev documentation and the trusted origin validation explicitly support). This is a secure-by-default pattern with minimal friction for each mode.

clients/agent-runtime/src/tools/memory_recall.rs (2)

88-98: LGTM!

The refactored limit parsing consolidates the nested match into a more compact form while preserving correct validation (1..=100 range) and defensive usize::try_from. No panics in runtime path, no secrets logged.


169-180: LGTM!

Adapter construction reformatted for readability with identical error handling behavior. The error.to_string() pattern is appropriate for this security-sensitive surface.

dev/cli.sh (2)

1-1: LGTM!

Portable shebang using env bash is the right approach for cross-platform compatibility.


91-91: LGTM!

Adding the status command provides useful visibility into container state. The help text and implementation are consistent.

Also applies to: 151-154

scripts/gradlew.sh (1)

1-10: LGTM!

Clean wrapper script with proper strict mode, portable env bash shebang, and efficient exec to replace the shell process. Windows detection via $OS is the standard approach.

scripts/print-make-help.sh (1)

1-34: LGTM!

Well-structured help generator with proper strict mode and graceful color fallbacks. The regex parsing for section headers (# --- Section ---) and command descriptions (name: ... ## desc) is clean.

Makefile (2)

25-27: LGTM!

The new CLI wrapper variables (DEV_CLI, RUNTIME_CLI, GRADLEW) and their usage across dev/runtime targets cleanly centralize command logic. This improves maintainability and ensures consistent behavior across platforms.

Also applies to: 279-295, 306-314


53-53: LGTM!

Delegating help generation to a dedicated script is cleaner than inline awk/sed in the Makefile.

Comment thread clients/agent-runtime/src/gateway/mod.rs
Comment thread clients/web/apps/dashboard/src/App.vue Outdated
Comment thread dev/cli.sh Outdated
Comment thread dev/cli.sh Outdated
Comment thread dev/landing/index.html Outdated
Comment thread Makefile Outdated
Comment thread Makefile Outdated
@coderabbitai
Contributor

coderabbitai Bot commented Mar 19, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 5 file(s) based on 7 unresolved review comments.

Files modified:

  • Makefile
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/web/apps/dashboard/src/App.vue
  • dev/cli.sh
  • dev/landing/index.html

Commit: 57c7c6e68972ec62617444f24600d306f52e80d1

The changes have been pushed to the feat/dashboard-pairing-flow branch.

Time taken: 3m 26s

Fixed 5 file(s) based on 7 unresolved review comments.

Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clients/agent-runtime/src/gateway/mod.rs`:
- Around line 1915-1932: Add a new unit test asserting build_magic_link returns
None when the dashboard_url is trusted but the gateway_url is untrusted: create
a test function (e.g., test_build_magic_link_suppresses_untrusted_gateway) that
calls super::build_magic_link("http://localhost:1355", "123456",
"https://public-tunnel.ngrok.io") and asserts the result is None
(assert!(suppressed.is_none())). This mirrors the existing tests for
dashboard_url suppression and covers the missing gateway_url case for the
build_magic_link function.

In `@Makefile`:
- Line 310: The runtime-down Makefile target currently delegates to
scripts/runtime-compose.sh which invokes "docker compose down --remove-orphans";
remove the --remove-orphans flag (or make it conditional via an env var like
REMOVE_ORPHANS) in the docker compose down invocation inside
scripts/runtime-compose.sh so that runtime-down only tears down services defined
in the Compose file; update the script's docker compose down call and any
related usage of RUNTIME_CLI/runtime-down to respect the new behavior.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 49b22282-9460-4687-969a-163d4ee14f53

📥 Commits

Reviewing files that changed from the base of the PR and between 7ec2013 and 57c7c6e.

📒 Files selected for processing (5)
  • Makefile
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/web/apps/dashboard/src/App.vue
  • dev/cli.sh
  • dev/landing/index.html
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: sonar
  • GitHub Check: pr-checks
  • GitHub Check: pr-checks
  • GitHub Check: Cloudflare Pages
🧰 Additional context used
📓 Path-based instructions (7)
**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

  • dev/landing/index.html
  • clients/web/apps/dashboard/src/App.vue
  • dev/cli.sh
  • clients/agent-runtime/src/gateway/mod.rs
  • Makefile
**/*.vue

⚙️ CodeRabbit configuration file

**/*.vue: Enforce Vue 3 Composition API with <script setup>.
Ensure accessibility (A11y) and proper use of Tailwind CSS classes.
Check for proper prop validation and emitted events documentation.

Files:

  • clients/web/apps/dashboard/src/App.vue
clients/agent-runtime/src/{security,gateway,tools}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Treat src/security/, src/gateway/, src/tools/ as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Files:

  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/src/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Files:

  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why

Files:

  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Files:

  • clients/agent-runtime/src/gateway/mod.rs
**/*.rs

⚙️ CodeRabbit configuration file

**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.

Files:

  • clients/agent-runtime/src/gateway/mod.rs
🧠 Learnings (5)
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

  • clients/agent-runtime/src/gateway/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools}/**/*.rs : Treat `src/security/`, `src/gateway/`, `src/tools/` as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Applied to files:

  • clients/agent-runtime/src/gateway/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

  • clients/agent-runtime/src/gateway/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

  • clients/agent-runtime/src/gateway/mod.rs
  • Makefile
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/tools/**/*.rs : Implement `Tool` trait in `src/tools/` with strict parameter schema, validate and sanitize all inputs, and return structured `ToolResult` without panics in runtime path

Applied to files:

  • clients/agent-runtime/src/gateway/mod.rs
🔇 Additional comments (8)
dev/landing/index.html (2)

120-121: Security fix correctly applied.

The hardcoded http://corvus.localhost/api/health URL has been replaced with a relative path /api/health. This prevents HTTP downgrade issues and ensures the link respects the current origin's scheme. The Caddyfile confirms /api/* routes are properly reverse-proxied to the backend.


110-130: LGTM — copy updates are clear and consistent.

The English text replacements improve clarity. No security, behavioral, or localization regressions introduced.

clients/web/apps/dashboard/src/App.vue (1)

42-70: LGTM — Quick pair flow with proper accessibility.

The ARIA live regions are correctly applied: role="status" with aria-live="polite" for progress states, and role="alert" with aria-live="assertive" for the failure message. This ensures assistive technology announces state transitions appropriately.

clients/agent-runtime/src/gateway/mod.rs (3)

1113-1143: Secure-by-default: pairing secrets gated to interactive terminals only.

Good implementation. Secrets are suppressed in non-interactive contexts (CI, daemons, piped output), preventing accidental exposure in logs.


1815-1854: LGTM — Trust validation is deny-by-default.

The origin validation correctly:

  • Rejects non-http(s) schemes
  • Rejects embedded credentials
  • Rejects query parameters and fragments (preventing injection via URL)
  • Uses explicit host allowlist

Based on learnings: "Do not silently weaken security policy; keep default behavior secure-by-default with deny-by-default where applicable."


1870-1875: No change needed — pairing codes are 6-digit numbers only.

The pairing code is generated as a 6-digit decimal string (000000–999999) and cannot contain special characters like &, =, or #. URL encoding is not necessary and adds no defensive value since the code format guarantees safe characters.

> Likely an incorrect or invalid review comment.

dev/cli.sh (2)

91-91: Good addition: a first-class status command.

This keeps the shell entrypoint aligned with make dev-status and makes container inspection easier to discover.

Also applies to: 151-153


133-133: Safer teardown semantics.

Keeping the dev shutdown paths free of orphan cleanup avoids the surprising “stop one thing, delete others” side effect while preserving the explicit confirmation on clean.

Also applies to: 202-202

Comment thread clients/agent-runtime/src/gateway/mod.rs
Comment thread Makefile
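
The deny-by-default origin checks listed in the review above (scheme, embedded credentials, query and fragment, explicit host allowlist), together with the requested untrusted-gateway case, as an added Rust sketch that is not the project's code. The allowlist entries, both function names, the bare-origin restriction and the link format are assumptions.

```rust
// Added illustration, not the corvus source. The host list is an assumption.
const TRUSTED_HOSTS: &[&str] = &["localhost", "127.0.0.1", "[::1]"];

/// Returns the normalized origin ("scheme://host[:port]") when `raw` is a
/// trusted local origin. Deny-by-default: anything not recognized is None.
fn trusted_local_origin(raw: &str) -> Option<String> {
    if raw.chars().any(|c| c.is_whitespace() || c.is_control() || c == '\\') {
        return None;
    }
    let (scheme, rest) = raw.split_once("://")?;
    let scheme = scheme.to_ascii_lowercase();
    if !matches!(scheme.as_str(), "http" | "https") || rest.contains(&['?', '#'][..]) {
        return None; // non-http(s) scheme, query parameters or fragment
    }
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if authority.contains('@') || !(path.is_empty() || path == "/") {
        return None; // credentials, or a path (paths: stricter than the page states)
    }
    let (host, port) = if authority.starts_with('[') {
        let end = authority.find(']')?;
        match &authority[end + 1..] {
            "" => (&authority[..=end], None),
            tail => (&authority[..=end], Some(tail.strip_prefix(':')?)),
        }
    } else {
        match authority.rsplit_once(':') {
            Some((h, p)) => (h, Some(p)),
            None => (authority, None),
        }
    };
    let host = host.to_ascii_lowercase();
    if !TRUSTED_HOSTS.contains(&host.as_str()) {
        return None; // exact match only, so "localhost.evil.example" fails
    }
    match port {
        None => Some(format!("{}://{}", scheme, host)),
        Some(p) if !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit()) => {
            let n: u16 = p.parse().ok()?;
            Some(format!("{}://{}:{}", scheme, host, n))
        }
        Some(_) => None,
    }
}

/// Hypothetical counterpart of the reviewed function: both URLs must pass the
/// gate, and the code must be exactly six ASCII digits. Link shape is assumed.
fn build_magic_link_sketch(dashboard_url: &str, code: &str, gateway_url: &str) -> Option<String> {
    let dashboard = trusted_local_origin(dashboard_url)?;
    let gateway = trusted_local_origin(gateway_url)?;
    if code.len() != 6 || !code.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    Some(format!("{}/#pair={}&gateway={}", dashboard, code, gateway))
}

fn main() {
    // Constructed inputs; the second gateway host is the one named in the review.
    for gw in ["http://127.0.0.1:3000", "https://public-tunnel.ngrok.io"] {
        println!("{:?}", build_magic_link_sketch("http://localhost:1355", "123456", gw));
    }
}
```

Checking the code format inside the builder enforces the six-digit invariant that the review relies on when it says URL encoding is unnecessary.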
@sonarqubecloud

Quality Gate failed

Failed conditions
64.3% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@yacosta738 yacosta738 merged commit 556a334 into main Mar 19, 2026
14 of 16 checks passed
@yacosta738 yacosta738 deleted the feat/dashboard-pairing-flow branch March 19, 2026 08:20
@yacosta738 yacosta738 mentioned this pull request Mar 18, 2026