chore: consolidate pending improvements

[yacosta738]

This pull request introduces significant UI performance optimizations for the Compose-based chat interface, as well as documentation improvements and minor code cleanups across several modules. The most impactful changes focus on reducing unnecessary recompositions and memory allocations in the chat UI, resulting in smoother user interactions and improved runtime efficiency. Additional changes include the completion of comprehensive tools documentation, minor bug fixes, and code style improvements.

Compose Chat UI Performance & Memory Optimizations:

• Refactored the chat UI to prevent the message list from recomposing on every input keystroke by extracting MessageList and isolating it from the input state. This reduces main-thread work and improves interaction latency. (ChatWorkspace.kt, ChatComponents.kt) [1] [2] [3]
• Used remember to cache expensive Modifier chains and Brush objects in high-frequency components (ChatWorkspace, ChatInputField, AvatarWithGlow), minimizing redundant allocations and GC pressure. (ChatWorkspace.kt, ChatComponents.kt) [1] [2] [3]
• Reworked ChatInputField to use a stable onSend reference via a new ChatInputFieldProps data class, preventing unnecessary lambda allocations and improving Compose stability. (ChatComponents.kt) [1] [2] [3]
• Updated preview and session ID generation to use kotlin.random.Random instead of UUID, simplifying dependencies and improving ID format consistency. (App.kt) [1] [2]

Documentation Improvements:

• Completed a comprehensive Tools Reference section (in both English and Spanish), documenting all built-in tools, their parameters, security tiers, and integration details. Updated docs index pages to reference the new documentation. (scribe-journal.md, index.mdx) [1] [2]

Code Quality & Bug Fixes:

• Fixed a bug in the async message dispatch loop to ensure semaphore permits are properly released only after task completion. (mod.rs)
• Minor test code cleanup in the router provider tests (variable renaming for clarity). (router.rs) [1] [2]
• Added comments to suppress lint warnings for unused variables that are actually used in Vue templates. (App.vue, SessionSidebar.vue) [1] [2] [3] [4]

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Refactors Compose chat UI to reduce recompositions and repeated allocations; adds 14 new Tools Reference docs (English+Spanish); fixes semaphore permit lifetime in Rust async worker tasks; minor test updates; swaps UUID usage in Compose preview to kotlin.uuid.Uuid; adds Vue lint ignores; updates Gradle plugin versions; adds two journal entries.

Changes

Cohort / File(s)	Summary
Compose UI (chat) clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt, .../ChatWorkspace.kt	Extracted MessageList and SendButton; added @Immutable ChatInputFieldProps and refactored ChatInputField to accept props; memoized brushes and top-level Modifier chains with remember; consolidated panel state into ChatPanelState; stabilized callbacks to avoid re-capturing lambdas.
Agent Runtime Tools docs (EN/ES) clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/*, clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/*, .../index.mdx, .../es/.../index.mdx	Added Tools Reference index and 14 documentation pages (Core, Web, Memory, Automation, Media, MCP) with parameter schemas, security-tier model, MCP integration, and English/Spanish parity.
Journal entries .agents/journal/bolt-journal.md, .agents/journal/scribe-journal.md	Added journal notes: bolt-journal documents Compose UI runtime optimizations; scribe-journal documents completion/audit of Tools Reference docs and bilingual parity.
Rust runtime & tests clients/agent-runtime/src/channels/mod.rs, clients/agent-runtime/src/providers/router.rs	Kept semaphore permit held for full worker duration by dropping permit inside spawned async block; tests updated to retain/mock provider instances and assert on them.
Compose app preview UUID change clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/App.kt	Replaced java.util.UUID usage with kotlin.uuid.Uuid and added @OptIn(ExperimentalUuidApi::class) for preview sessionId.
Vue lint directives clients/web/apps/chat/src/App.vue, clients/web/apps/chat/src/components/SessionSidebar.vue	Added biome-ignore comments for template-used refs/helpers to silence unused-variable lint warnings (no runtime behavior change).
Gradle plugin versions / lockfile gradle/build-logic/buildscript-gradle.lockfile, gradle/libs.versions.toml	Bumped com.gradle.plugin-publish 2.0.0 → 2.1.1; added org.gradle.plugin:compatibility-plugin:1.0.0 entry in lockfile.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• perf(compose): optimize chat workspace recompositions #241: Overlapping Compose UI performance refactors (memoized Modifiers, Brush allocation, stable callbacks) in ChatWorkspace/ChatComponents.
• perf: ⚡ Optimize Chat Workspace Performance #80: Related refactor patterns and component extraction in Compose chat UI (MessageList, gradient memoization, callback stabilization).
• perf(compose): optimize UI recompositions and state caching #21: Compose UI memoization/stability hints touching ChatWorkspace; similar performance-focused changes.

Suggested reviewers

• yuniel-acosta

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 8.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title "chore: consolidate pending improvements" follows Conventional Commit style with a valid prefix and concise description, accurately reflecting the multi-faceted nature of changes (optimizations, docs, and fixes).
Description check	✅ Passed	The PR description comprehensively addresses most template sections with clear context on motivation, specific changes, and impact; however, it lacks explicit coverage of the "Tested Information" and "Documentation Impact" sections as formally required.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/consolidate-pending-improvements

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric	Description	Value	Threshold	Status
PR Merge Rate	PRs merged vs closed	89%	>= 30%	✅
Repo Quality	Repos with ≥100 stars	0	>= 0	✅
Positive Reactions	Positive reactions received	10	>= 1	✅
Negative Reactions	Negative reactions received	0	<= 5	✅
Account Age	GitHub account age	3078 days	>= 30 days	✅
Activity Consistency	Regular activity over time	108%	>= 0%	✅
Issue Engagement	Issues with community engagement	0	>= 0	✅
Code Reviews	Code reviews given to others	500	>= 0	✅
Merger Diversity	Unique maintainers who merged PRs	2	>= 0	✅
Repo History Merge Rate	Merge rate in this repo	91%	>= 0%	✅
Repo History Min PRs	Previous PRs in this repo	192	>= 0	✅
Profile Completeness	Profile richness (bio, followers)	90	>= 0	✅
Suspicious Patterns	Spam-like activity detection	1	N/A	❌

---

_{Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-04-02 to 2026-04-02}

[coderabbitai]

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatWorkspace.kt (2)

126-144: 🛠️ Refactor suggestion | 🟠 Major

Address Detekt LongParameterList violation.

ChatWorkspace has too many parameters (threshold: 6). Consider grouping callbacks into a dedicated ChatWorkspaceCallbacks data class similar to how ChatInputFieldProps was introduced.

♻️ Sketch: Group callbacks

`@Stable`
data class ChatWorkspaceCallbacks(
  val onRetryBridge: () -> Unit,
  val onLinkSurface: () -> Unit,
  val onStartSession: () -> Unit,
  val onResumeSession: (String) -> Unit,
  val onSendMessage: (String) -> Unit,
  val onDisconnectReset: () -> Unit,
  val onApprove: () -> Unit,
  val onDeny: () -> Unit,
)

`@Composable`
fun ChatWorkspace(
  bridgeSnapshot: MobileBridgeSnapshot,
  platformName: String,
  messages: List<ChatMessage>,
  resumableSessions: List<RuntimeSession>,
  pendingApproval: RuntimeApprovalRequest?,
  callbacks: ChatWorkspaceCallbacks,
  modifier: Modifier = Modifier,
  state: ChatWorkspaceState = ChatWorkspaceDefaults.state(),
  // ... remaining data params
)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatWorkspace.kt`
around lines 126 - 144, ChatWorkspace currently violates Detekt
LongParameterList; refactor by creating a stable data class
ChatWorkspaceCallbacks that groups all callback parameters (onRetryBridge,
onLinkSurface, onStartSession, onResumeSession, onSendMessage,
onDisconnectReset, onApprove, onDeny), replace those callback parameters in the
ChatWorkspace signature with a single callbacks: ChatWorkspaceCallbacks param,
update all internal uses to call callbacks.<...>properties (e.g.,
callbacks.onSendMessage(...)), and update all callers to construct and pass
ChatWorkspaceCallbacks (preserve default Modifier and state handling like
ChatWorkspaceDefaults.state() and mirror the pattern used for
ChatInputFieldProps).

---

214-286: 🛠️ Refactor suggestion | 🟠 Major

Address Detekt LongMethod violation.

ChatWorkspaceScreen is 64 lines (max: 60). Extract the gradient divider box (lines 241-256) into a small composable like GradientDivider() to bring this under threshold.

♻️ Sketch: Extract divider

`@Composable`
private fun GradientDivider(corvusColors: CorvusColorPalette) {
  Box(
    modifier = Modifier
      .fillMaxWidth()
      .height(1.dp)
      .background(
        brush = Brush.horizontalGradient(
          listOf(
            Color.Transparent,
            corvusColors.glowPurple.copy(alpha = 0.5f),
            corvusColors.glowCyan.copy(alpha = 0.5f),
            Color.Transparent,
          )
        )
      )
  )
}

Then replace lines 241-256 with:

GradientDivider(corvusColors)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatWorkspace.kt`
around lines 214 - 286, ChatWorkspaceScreen is over the Detekt LongMethod limit
because the gradient divider Box is inline; extract that Box into a small
`@Composable` named GradientDivider (private) that accepts corvusColors:
CorvusColorPalette and builds the same
Modifier.fillMaxWidth().height(1.dp).background(brush =
Brush.horizontalGradient(...)) using the same color stops, then replace the
inline Box in ChatWorkspaceScreen with a call to GradientDivider(corvusColors)
to reduce the method length.

clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt (1)

601-633: 🛠️ Refactor suggestion | 🟠 Major

Address Detekt pipeline failures.

Per pipeline logs:

• TooManyFunctions: 18 functions in file (threshold: 11). Consider extracting state description functions (bridgeStateHeadline, bridgeStateDescription, bridgeStateRecovery, onboardingStateLabel) into a separate file like BridgeStateDescriptions.kt.
• CyclomaticComplexMethod: bridgeStateRecovery is at the threshold (15). A small refactor using a lookup map could reduce branching.

♻️ Example: Extract to map-based lookup

// In a separate file or companion object
private val recoveryMessages = mapOf(
  MobileRecoveryKind.NO_TARGET_CONFIGURED to "Select a connection target first...",
  MobileRecoveryKind.TARGET_NOT_REACHABLE to "The selected target is not reachable...",
  // ... etc
)

internal fun bridgeStateRecovery(bridgeState: MobileBridgeUiState): String =
  bridgeState.onboardingState.recoveryKind?.let { recoveryMessages[it] }
    ?: fallbackRecoveryMessage(bridgeState.onboardingState.status)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt`
around lines 601 - 633, Detekt flags show this file has too many functions and
bridgeStateRecovery is overly cyclomatic; extract the state-description helpers
(bridgeStateHeadline, bridgeStateDescription, bridgeStateRecovery,
onboardingStateLabel) into a new file (e.g., BridgeStateDescriptions.kt) and
simplify bridgeStateRecovery by replacing the large when chain with a lookup map
(e.g., recoveryMessages: Map<MobileRecoveryKind, String>) and a small fallback
function (e.g., fallbackRecoveryMessage or reuse onboardingStateLabel) to handle
null/ status-based cases; keep the existing function names and signatures so
callers are unchanged and move only the implementation to use the map to reduce
branching and file-level function count.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/journal/bolt-journal.md:
- Around line 16-36: The journal entries in .agents/journal/bolt-journal.md are
out of chronological order: move the "2025-05-24 - Compose - Chat UI
Recomposition & Memory Optimization" block so it comes after (or before,
depending on chosen convention) the "2025-05-23 - Compose - Chat UI
Recomposition Optimization" block to restore consistent ordering; pick a single
ordering convention (newest-first or oldest-first) and apply it across the file,
ensuring the two headings "2025-05-24 - Compose - Chat UI Recomposition & Memory
Optimization" and "2025-05-23 - Compose - Chat UI Recomposition Optimization"
are reordered accordingly and any adjacent metadata or sections remain intact.

In `@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/App.kt`:
- Line 158: The sessionId currently set with
Random.nextLong().toULong().toString(radix = 16) produces a raw hex string that
doesn't match the required UUID pattern used by RuntimeSessionId/SessionId
(8-4-4-4-12) and causes IllegalArgumentException in
toRuntimeReadinessSnapshot(); replace that assignment so it produces a valid
UUID-format string (e.g., generate a UUID and use its toString() or format the
hex into 8-4-4-4-12) where sessionId is assigned, ensuring the value passed into
RuntimeSessionId / SessionId constructors conforms to UUID-format.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt`:
- Around line 294-308: The sendButtonModifier in SendButton is cached with
remember using only isEnabled and glowColor, so when gradient changes the cached
modifier stays stale; update the remember key list for sendButtonModifier to
include gradient (i.e., remember(isEnabled, glowColor, gradient)) so the
modifier is recomputed when the Brush changes, ensuring background/appearance
updates correctly.

In `@clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/web.md`:
- Around line 15-83: The docs incorrectly claim Authorization/API-Key headers
are redacted; update the http_request tool section to state that only Set-Cookie
headers are redacted in logs (per format_response_headers()), and remove or
reword the sentence claiming "Sensitive headers (Authorization, API-Key) are
redacted in logs." Reference the actual implementation: note that
format_response_headers() is used in the live execution path (execute()) and
that redact_headers_for_display() exists but is only used in tests, so only
Set-Cookie is redacted in production logging.

In
`@clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md`:
- Around line 42-43: The heading "### Acciones de `schedule`" in the
documentation needs a blank line inserted immediately after it to satisfy
markdownlint MD022; edit the block containing the heading (look for the exact
heading text "### Acciones de `schedule`") and add a single empty line before
the following content line ("`create`, `list`, `get`, `cancel`, `pause`,
`resume`.") so the heading is separated from its paragraph.
- Line 49: Replace the user-facing phrase "noticia push" with the correct
Spanish term "notificación push" in the sentence currently reading "Envía una
noticia push al dispositivo móvil del usuario.", and verify the surrounding text
for EN/ES parity and consistency with other occurrences of push notification
terminology in the docs.

In
`@clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/web.md`:
- Line 71: The doc line that currently reads "Solo se permiten esquemas
`http://` y `https://`" must explicitly call out the security risk of plaintext
HTTP: update the text near that sentence to include a clear warning that
`http://` is insecure, can expose credentials and data in transit, and should
only be used in trusted/testing environments; if `http://` is intentionally
supported, add a prominent "Warning" or "Security note" block advising against
normalizing insecure transport and providing mitigation guidance (use HTTPS,
TLS, or explicit opt-in), so readers cannot miss the security implication.
- Line 13: The sentence "Las herramientas web permiten a los agentes recuperar
información..." and the claim that "Todas las herramientas web imponen una
política estricta de **Lista de Dominios Permitidos**" overstates a global
guarantee; update the wording to scope the security control per-tool (e.g.,
"Cada herramienta web debe implementar, según su configuración, una política de
Lista de Dominios Permitidos" or "Por defecto, las herramientas web deben
aplicar... salvo que se indique lo contrario en la sección de cada herramienta")
and ensure the intro aligns with the later tool-specific controls that follow in
the document (reference the sentence and the phrase "Lista de Dominios
Permitidos" to locate and edit).

In `@gradle/build-logic/buildscript-gradle.lockfile`:
- Around line 6-7: The lockfile entry introduces
org.gradle.plugin:compatibility-plugin:1.0.0 which is not verifiable; inspect
the transitive dependencies of
com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:2.1.1 and
com.gradle.publish:plugin-publish-plugin:2.1.1 (check their published POMs) to
confirm whether compatibility-plugin:1.0.0 is actually pulled in, search Maven
Central / Gradle Plugin Portal for org.gradle.plugin:compatibility-plugin:1.0.0
to confirm its existence or identify it as an internal artifact, and then either
remove the spurious compatibility-plugin entry from buildscript-gradle.lockfile
if it’s not a real transitive dependency, add the appropriate repository and
provenance notes if it is internal, or update the commit/PR description to
document why this artifact is present and how it was verified.

---

Outside diff comments:
In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt`:
- Around line 601-633: Detekt flags show this file has too many functions and
bridgeStateRecovery is overly cyclomatic; extract the state-description helpers
(bridgeStateHeadline, bridgeStateDescription, bridgeStateRecovery,
onboardingStateLabel) into a new file (e.g., BridgeStateDescriptions.kt) and
simplify bridgeStateRecovery by replacing the large when chain with a lookup map
(e.g., recoveryMessages: Map<MobileRecoveryKind, String>) and a small fallback
function (e.g., fallbackRecoveryMessage or reuse onboardingStateLabel) to handle
null/ status-based cases; keep the existing function names and signatures so
callers are unchanged and move only the implementation to use the map to reduce
branching and file-level function count.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatWorkspace.kt`:
- Around line 126-144: ChatWorkspace currently violates Detekt
LongParameterList; refactor by creating a stable data class
ChatWorkspaceCallbacks that groups all callback parameters (onRetryBridge,
onLinkSurface, onStartSession, onResumeSession, onSendMessage,
onDisconnectReset, onApprove, onDeny), replace those callback parameters in the
ChatWorkspace signature with a single callbacks: ChatWorkspaceCallbacks param,
update all internal uses to call callbacks.<...>properties (e.g.,
callbacks.onSendMessage(...)), and update all callers to construct and pass
ChatWorkspaceCallbacks (preserve default Modifier and state handling like
ChatWorkspaceDefaults.state() and mirror the pattern used for
ChatInputFieldProps).
- Around line 214-286: ChatWorkspaceScreen is over the Detekt LongMethod limit
because the gradient divider Box is inline; extract that Box into a small
`@Composable` named GradientDivider (private) that accepts corvusColors:
CorvusColorPalette and builds the same
Modifier.fillMaxWidth().height(1.dp).background(brush =
Brush.horizontalGradient(...)) using the same color stops, then replace the
inline Box in ChatWorkspaceScreen with a call to GradientDivider(corvusColors)
to reduce the method length.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 908a5dbe-254a-4b3c-8b5a-1b5a5140b6d2

📥 Commits

Reviewing files that changed from the base of the PR and between 4f5ec99 and 5ff7c51.

📒 Files selected for processing (27)

• .agents/journal/bolt-journal.md
• .agents/journal/scribe-journal.md
• clients/agent-runtime/src/channels/mod.rs
• clients/agent-runtime/src/providers/router.rs
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/App.kt
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatWorkspace.kt
• clients/web/apps/chat/src/App.vue
• clients/web/apps/chat/src/components/SessionSidebar.vue
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/index.mdx
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/automation.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/core.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/index.mdx
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/mcp.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/media.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/memory.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/web.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/index.mdx
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/core.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/index.mdx
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/mcp.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/media.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/memory.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/web.md
• gradle/build-logic/buildscript-gradle.lockfile
• gradle/libs.versions.toml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: pr-checks
• GitHub Check: sonar
• GitHub Check: core-checks
• GitHub Check: pr-checks-build-logic
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (9)

**/*.{md,mdx}

⚙️ CodeRabbit configuration file

**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes.
For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Files:

• clients/web/apps/docs/src/content/docs/clients/agent-runtime/index.mdx
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/index.mdx
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/media.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/memory.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/web.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/automation.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/mcp.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/web.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/index.mdx
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/index.mdx
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/mcp.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/core.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/memory.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/core.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/media.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• clients/web/apps/docs/src/content/docs/clients/agent-runtime/index.mdx
• clients/web/apps/chat/src/components/SessionSidebar.vue
• gradle/libs.versions.toml
• clients/web/apps/chat/src/App.vue
• gradle/build-logic/buildscript-gradle.lockfile
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/index.mdx
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/App.kt
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/media.md
• clients/agent-runtime/src/providers/router.rs
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/memory.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/web.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/automation.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/mcp.md
• clients/agent-runtime/src/channels/mod.rs
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/web.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/index.mdx
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/index.mdx
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/mcp.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/core.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/memory.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/core.md
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatWorkspace.kt
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/media.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md

**/*.vue

⚙️ CodeRabbit configuration file

**/*.vue: Enforce Vue 3 Composition API with <script setup>.
Ensure accessibility (A11y) and proper use of Tailwind CSS classes.
Check for proper prop validation and emitted events documentation.

Files:

• clients/web/apps/chat/src/components/SessionSidebar.vue
• clients/web/apps/chat/src/App.vue

**/*.kt

⚙️ CodeRabbit configuration file

**/*.kt: Enforce null safety (no !!), structured concurrency, and non-blocking suspend code.
Prefer idiomatic Kotlin (expression bodies, sealed types, value classes when justified).
Verify tests follow TDD intent and use backtick test names where applicable.

Files:

• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/App.kt
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatWorkspace.kt

clients/agent-runtime/src/providers/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Implement Provider trait in src/providers/ and register in src/providers/mod.rs factory when adding a new provider

Files:

• clients/agent-runtime/src/providers/router.rs

clients/agent-runtime/src/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Files:

• clients/agent-runtime/src/providers/router.rs
• clients/agent-runtime/src/channels/mod.rs

clients/agent-runtime/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why

Files:

• clients/agent-runtime/src/providers/router.rs
• clients/agent-runtime/src/channels/mod.rs

**/*.rs

⚙️ CodeRabbit configuration file

**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.

Files:

• clients/agent-runtime/src/providers/router.rs
• clients/agent-runtime/src/channels/mod.rs

clients/agent-runtime/src/channels/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Implement Channel trait in src/channels/ with consistent send, listen, and health_check semantics and cover auth/allowlist/health behavior with tests

Files:

• clients/agent-runtime/src/channels/mod.rs

🧠 Learnings (10)

📚 Learning: 2026-02-17T07:28:38.934Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Document agent configurations and capabilities in AGENTS.md

Applied to files:

• .agents/journal/scribe-journal.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/media.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/memory.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/web.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/automation.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/mcp.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/index.mdx
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/mcp.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/core.md
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md

📚 Learning: 2026-02-17T07:28:38.934Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Maintain comprehensive agent metadata including name, description, purpose, and capabilities

Applied to files:

• .agents/journal/scribe-journal.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/media.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/web.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/automation.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/index.mdx
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/mcp.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/tools/**/*.rs : Implement `Tool` trait in `src/tools/` with strict parameter schema, validate and sanitize all inputs, and return structured `ToolResult` without panics in runtime path

Applied to files:

• .agents/journal/scribe-journal.md
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/index.mdx
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/index.mdx
• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/core.md

📚 Learning: 2026-02-21T09:07:52.298Z

Learnt from: yacosta738
Repo: dallay/corvus PR: 62
File: .agents/journal/sentinnel-journal.md:1-1
Timestamp: 2026-02-21T09:07:52.298Z
Learning: Branding guideline: The intentional brand name for the security-first agent in the dallay/corvus repository is 'Sentinnel' (with double n). Do not treat it as a typo of 'Sentinel'. Ensure all agent-related docs and journals under .agents/journal consistently use 'Sentinnel' with double n.

Applied to files:

• .agents/journal/scribe-journal.md
• .agents/journal/bolt-journal.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/providers/**/*.rs : Implement `Provider` trait in `src/providers/` and register in `src/providers/mod.rs` factory when adding a new provider

Applied to files:

• clients/agent-runtime/src/providers/router.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/channels/**/*.rs : Implement `Channel` trait in `src/channels/` with consistent `send`, `listen`, and `health_check` semantics and cover auth/allowlist/health behavior with tests

Applied to files:

• clients/agent-runtime/src/channels/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

• clients/agent-runtime/src/channels/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/**/*.rs : Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Applied to files:

• clients/agent-runtime/src/channels/mod.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools}/**/*.rs : Treat `src/security/`, `src/gateway/`, `src/tools/` as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Applied to files:

• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/core.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

• clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/core.md

🪛 GitHub Actions: Scan with Detekt

clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt

[error] 601-601: detekt: [CyclomaticComplexMethod] Function 'bridgeStateRecovery' is too complex. Cyclomatic complexity: 15 (threshold set to 15).

---

[error] 1-1: detekt: [TooManyFunctions] File has '18' functions. Defined threshold inside files is set to '11'.

clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatWorkspace.kt

[error] 126-126: detekt: [LongParameterList] Function 'ChatWorkspace(... )' has too many parameters. Current threshold is set to 6.

---

[error] 214-214: detekt: [LongMethod] Function 'ChatWorkspaceScreen' is too long (64). Maximum length is 60.

🪛 LanguageTool

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/index.mdx

[grammar] ~18-~18: Corrige la mayúscula.
Context: ...general de componentes - Referencia de Herramientas - Herramientas integr...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/mcp.md

[grammar] ~41-~41: Aquí puede haber un error.
Context: ...ombre_servidor>.<nombre_herramienta> *Ejemplo:* Si el servidorgithub` proporciona un...

(QB_NEW_ES)

---

[grammar] ~43-~43: Corrige la mayúscula.
Context: ...p.github.create_issue`. ## Seguridad y Aprobación Las herramientas MCP se tratan como **De...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~48-~48: Agrega un espacio.
Context: ... tiene un tiempo de espera por defecto (30s) para evitar que el bucle del agente se...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_ORTHOGRAPHY_SPACE)

---

[grammar] ~53-~53: Agrega un signo de puntuación.
Context: ...gra iniciarse, el runtime registrará el error pero continuará operando con otros serv...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_PUNCTUATION)

---

[grammar] ~59-~59: Corrige la mayúscula.
Context: ... bash corvus doctor ## Tipos de Capacidades Soportadas La implementación de Corvus MCP soporta ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~62-~62: Agrega una palabra o signo.
Context: ... de Corvus MCP soporta actualmente: - Herramientas (Tools): Funciones ejecutables (ej. c...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_OTHER)

---

[grammar] ~63-~63: Agrega un espacio.
Context: ..., enviar email). - Recursos (Resources): (Planificado) Fuentes de datos de sol...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_ORTHOGRAPHY_SPACE)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/web.md

[grammar] ~11-~11: Corrige la mayúscula.
Context: ... docType: reference --- # Herramientas Web Las herramientas web permiten a los agen...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[style] ~16-~16: Se recomienda emplear una alternativa al verbo comodín ‘realizar’.
Context: ...os Permitidos**. ## web_search_tool Realiza una búsqueda web para encontrar informa...

(REALIZAR)

---

[grammar] ~19-~19: Elimina el espacio
Context: ...o temas de investigación. - Nivel de Seguridad: Solo Lectura (Segura). - **Proveedores:*...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_ORTHOGRAPHY_SPACE)

---

[grammar] ~19-~19: Corrige la mayúscula.
Context: ...gación. - Nivel de Seguridad: Solo Lectura (Segura). - Proveedores: - duckduckgo (Por def...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~21-~21: Elimina la palabra o signo.
Context: ...ra). - Proveedores: - duckduckgo (Por defecto): Gratuito, no requiere cla...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

---

[style] ~35-~35: En sentido figurado es preferible usar otras expresiones.
Context: ...basado en Playwright ycomputer_use` a nivel de sistema operativo. - **Nivel de Seguri...

(A_NIVEL_DE)

---

[grammar] ~37-~37: Corrige la mayúscula.
Context: ...vel de sistema operativo. - Nivel de Seguridad: De Acción (Con riesgo). - **Backends:...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~37-~37: Corrige la mayúscula.
Context: ...perativo. - Nivel de Seguridad: De Acción (Con riesgo). - Backends: - `agent_bro...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[style] ~41-~41: En sentido figurado es preferible usar otras expresiones.
Context: ...computer_use`: Control de ratón/teclado a nivel de SO vía sidecar. - Restricciones: Ap...

(A_NIVEL_DE)

---

[grammar] ~44-~44: Corrige la mayúscula.
Context: ...browser.allowed_domains`. ### Acciones Comunes | Acción | Descripción | | :--- | :--- |...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~48-~48: Aquí puede haber un error.
Context: ...pen| Navegar a una URL (solo HTTPS). | |snapshot` | Obtener una captura del ár...

(QB_NEW_ES)

---

[grammar] ~49-~49: Aquí puede haber un error.
Context: ...ferencias de elementos (@e1, @e2). | | click | Hacer clic en un elemento por...

(QB_NEW_ES)

---

[grammar] ~50-~50: Aquí puede haber un error.
Context: ...por referencia (ej. @e5) o selector. | | fill | Escribir texto en un campo de ...

(QB_NEW_ES)

---

[grammar] ~51-~51: Aquí puede haber un error.
Context: ...Escribir texto en un campo de entrada. | | screenshot | Capturar una imagen visu...

(QB_NEW_ES)

---

[grammar] ~60-~60: Corrige la mayúscula.
Context: ...navegador Brave del host. - Nivel de Seguridad: De Acción (Con riesgo). - Nota: E...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~60-~60: Corrige la mayúscula.
Context: ...del host. - Nivel de Seguridad: De Acción (Con riesgo). - Nota: Esta herramienta *...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~69-~69: Corrige la mayúscula.
Context: ...ST/JSON) a APIs externas. - Nivel de Seguridad: De Acción (Con riesgo). - **Restricci...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~69-~69: Corrige la mayúscula.
Context: ...externas. - Nivel de Seguridad: De Acción (Con riesgo). - Restricciones: - Solo ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~80-~80: Aquí puede haber un error.
Context: ...ido.** La URL completa de la petición. | | method | string | Método HTTP (GET,...

(QB_NEW_ES)

---

[style] ~81-~81: Considere alternativas para este anglicismo (recomendable sobre todo en contextos más formales).
Context: ...method | string | Método HTTP (GET, POST, PUT, DELETE, etc.). Por defecto: GET...

(POST)

---

[grammar] ~81-~81: Aquí puede haber un error.
Context: ...UT, DELETE, etc.). Por defecto: GET. | | headers | object | Pares clave-valo...

(QB_NEW_ES)

---

[grammar] ~82-~82: Aquí puede haber un error.
Context: ...valor opcionales para los encabezados. | | body | string | Payload opcional pa...

(QB_NEW_ES)

---

[style] ~83-~83: Considere alternativas para este anglicismo (recomendable sobre todo en contextos más formales).
Context: ...ing` | Payload opcional para peticiones POST/PUT. |

(POST)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/index.mdx

[grammar] ~11-~11: Corrige la mayúscula.
Context: ...docType: reference --- # Referencia de Herramientas Los agentes de Corvus interactúan con el...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[style] ~13-~13: Se recomienda emplear una alternativa al verbo comodín ‘realizar’.
Context: ...vocar con parámetros estructurados para realizar acciones, recuperar datos o gestionar s...

(REALIZAR)

---

[grammar] ~21-~21: Agrega una palabra o signo.
Context: ... en cinco categorías principales: - Herramientas Core — Ejecución de comando...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_OTHER)

---

[grammar] ~23-~23: Agrega una palabra o signo.
Context: ...ucturadas a APIs (http_request). - Herramientas de Memoria — Persistencia...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_OTHER)

---

[grammar] ~23-~23: Corrige la mayúscula.
Context: ... (http_request). - Herramientas de Memoria — Persistencia a largo pl...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~24-~24: Agrega una palabra o signo.
Context: ...(memory_store, memory_recall). - Herramientas de Automatización — G...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_OTHER)

---

[grammar] ~24-~24: Corrige la mayúscula.
Context: ... memory_recall). - Herramientas de Automatización — Gestión de reposito...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~25-~25: Agrega una palabra o signo.
Context: ...le) y notificaciones (pushover). - Herramientas Multimedia — Capacidades relacionadas...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_OTHER)

---

[grammar] ~27-~27: Corrige la mayúscula.
Context: ...de metadatos de imágenes. ## Modelo de Seguridad Cada ejecución de herramienta pasa por l...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~32-~32: Agrega un signo de puntuación.
Context: ...ifican el sistema ni el estado externo. Generalmente están permitidas incluso en modos de ba...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_PUNCTUATION)

---

[grammar] ~33-~33: Agrega un espacio.
Context: ...en modos de baja autonomía. - Ejemplos: file_read, memory_recall, `web_searc...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_ORTHOGRAPHY_SPACE)

---

[grammar] ~37-~37: Agrega un espacio.
Context: ...ario en modos supervisados. - Ejemplos: shell, file_write, git_operations,...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_ORTHOGRAPHY_SPACE)

---

[grammar] ~45-~45: Corrige la mayúscula.
Context: ...a Guía de MCP. ## Registro y Descubrimiento Las herramientas se registran durante el...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~49-~49: Oración con errores
Context: ...ra los parámetros. :::tip[Herramientas Personalizadas] Para añadir herramientas personalizada...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_MULTITOKEN)

clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/mcp.md

[uncategorized] ~41-~41: The official name of this software platform is spelled with a capital “H”.
Context: ...r_name>.<tool_name> *Example:* If thegithubserver provides acreate_issue` tool,...

(GITHUB)

---

[uncategorized] ~41-~41: The official name of this software platform is spelled with a capital “H”.
Context: ...e_issuetool, the agent will see it asmcp.github.create_issue`. ## Security & Approval ...

(GITHUB)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/memory.md

[grammar] ~17-~17: Corrige la mayúscula.
Context: ...la memoria a largo plazo. - Nivel de Seguridad: De Acción (Con riesgo). - **Filtro de...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~17-~17: Corrige la mayúscula.
Context: ...go plazo. - Nivel de Seguridad: De Acción (Con riesgo). - **Filtro de Datos Sensibles:...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~19-~19: Aquí puede haber un error.
Context: ...s de API o credenciales. - Categorías: - core: Hechos permanentes (ej. "El usuario viv...

(QB_NEW_ES)

---

[grammar] ~21-~21: Elimina la puntuación
Context: ...El usuario vive en Madrid"). - daily: Notas temporales para la sesión actual....

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_PUNCTUATION)

---

[grammar] ~22-~22: Elimina la puntuación
Context: ...ara la sesión actual. - conversation: Contexto específico del chat. ### Pará...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_PUNCTUATION)

---

[grammar] ~28-~28: Aquí puede haber un error.
Context: ...ra la memoria (ej. user_pref_theme). | | content | string | Requerido. L...

(QB_NEW_ES)

---

[grammar] ~29-~29: Aquí puede haber un error.
Context: ...equerido.** La información a recordar. | | category | string | Categoría opcio...

(QB_NEW_ES)

---

[grammar] ~38-~38: Elimina el espacio
Context: ...n una consulta semántica. - Nivel de Seguridad: Solo Lectura (Segura). - **Recuperación:...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_ORTHOGRAPHY_SPACE)

---

[grammar] ~38-~38: Corrige la mayúscula.
Context: ...ántica. - Nivel de Seguridad: Solo Lectura (Segura). - Recuperación: Utiliza búsqueda híbrida...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~45-~45: Aquí puede haber un error.
Context: ...do.** Palabras clave o frase a buscar. | | limit | integer | Número máximo de ...

(QB_NEW_ES)

---

[grammar] ~54-~54: Corrige la mayúscula.
Context: ...emoria mediante su clave. - Nivel de Seguridad: De Acción (Con riesgo). ### Parámetr...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~54-~54: Corrige la mayúscula.
Context: ...su clave. - Nivel de Seguridad: De Acción (Con riesgo). ### Parámetros | Parámetro |...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/core.md

[grammar] ~11-~11: Corrige la mayúscula.
Context: ... docType: reference --- # Herramientas Core Las herramientas core proporcionan la ba...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~19-~19: Corrige la mayúscula.
Context: ...directorio del workspace. - Nivel de Seguridad: De Acción (Con riesgo). - **Ejecución...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~19-~19: Corrige la mayúscula.
Context: ...orkspace. - Nivel de Seguridad: De Acción (Con riesgo). - Ejecución: Se ejecuta a ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~25-~25: Agrega un signo de puntuación.
Context: ...plícitamente. - Tiempo de espera: Por defecto 60 segundos. - Límite de salida: Trun...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_PUNCTUATION)

---

[grammar] ~32-~32: Aquí puede haber un error.
Context: ...ido.** El comando de shell a ejecutar. | | approved | boolean | Establecer en ...

(QB_NEW_ES)

---

[grammar] ~41-~41: Elimina el espacio
Context: ...ivo dentro del workspace. - Nivel de Seguridad: Solo Lectura (Segura). - **Restricciones...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_ORTHOGRAPHY_SPACE)

---

[grammar] ~41-~41: Corrige la mayúscula.
Context: ...kspace. - Nivel de Seguridad: Solo Lectura (Segura). - Restricciones: - El salto de directo...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~59-~59: Corrige la mayúscula.
Context: ...ivo dentro del workspace. - Nivel de Seguridad: De Acción (Con riesgo). - **Restricci...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~59-~59: Corrige la mayúscula.
Context: ...orkspace. - Nivel de Seguridad: De Acción (Con riesgo). - Restricciones: - Crea ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~69-~69: Aquí puede haber un error.
Context: ...ativa al archivo dentro del workspace. | | content | string | Requerido. E...

(QB_NEW_ES)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/media.md

[grammar] ~17-~17: Corrige la mayúscula.
Context: ...de una región específica. - Nivel de Seguridad: De Acción (Con riesgo) / Sensible. - ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~17-~17: Corrige la mayúscula.
Context: ...pecífica. - Nivel de Seguridad: De Acción (Con riesgo) / Sensible. - Devuelve: La ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~17-~17: Corrige la mayúscula.
Context: ...e Seguridad:** De Acción (Con riesgo) / Sensible. - Devuelve: La ruta del archivo PNG guar...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~19-~19: Oración con errores
Context: ...i el tamaño lo permite). - Soporte de Plataformas: - macOS: Utiliza screencapture nativo. - **Li...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_MULTITOKEN)

---

[grammar] ~21-~21: Aquí puede haber un error.
Context: ...* Utiliza screencapture nativo. - Linux: Requiere gnome-screenshot, scrot ...

(QB_NEW_ES)

---

[grammar] ~27-~27: Aquí puede haber un error.
Context: ...vo opcional. Guardado en el workspace. | | region | string | (Solo macOS) `sel...

(QB_NEW_ES)

---

[grammar] ~36-~36: Elimina el espacio
Context: ...por modelos multimodales. - Nivel de Seguridad: Solo Lectura (Segura). - **Formatos Sopo...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_ORTHOGRAPHY_SPACE)

---

[grammar] ~36-~36: Corrige la mayúscula.
Context: ...odales. - Nivel de Seguridad: Solo Lectura (Segura). - Formatos Soportados: PNG, JPEG, GIF, W...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~37-~37: Corrige la mayúscula.
Context: ...:** Solo Lectura (Segura). - Formatos Soportados: PNG, JPEG, GIF, WEBP, BMP. - **Metada...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~38-~38: Corrige la mayúscula.
Context: ...NG, JPEG, GIF, WEBP, BMP. - Metadatos Extraídos: Formato, dimensiones (ancho/alto) y t...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~45-~45: Aquí puede haber un error.
Context: ...equerido.** Ruta al archivo de imagen. | | include_base64 | boolean | Incluir ...

(QB_NEW_ES)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md

[grammar] ~17-~17: Corrige la mayúscula.
Context: ...ra tareas comunes de Git. - Nivel de Seguridad: Mixto (Las operaciones de escritura c...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~17-~17: Corrige la mayúscula.
Context: ...raciones de escritura como commit son De Acción). - Operaciones Soportadas: status, `dif...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~18-~18: Corrige la mayúscula.
Context: ...commitson De Acción). - **Operaciones Soportadas:**status, diff, log, branch, c...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~25-~25: Aquí puede haber un error.
Context: ...Uno de los comandos de git soportados. | | message | string | Mensaje de commi...

(QB_NEW_ES)

---

[grammar] ~26-~26: Aquí puede haber un error.
Context: ...| Mensaje de commit (paracommit). | | paths|string` | Rutas de archivos ...

(QB_NEW_ES)

---

[grammar] ~35-~35: Corrige la mayúscula.
Context: ...noma basada en el tiempo. - Nivel de Seguridad: De Acción (Con riesgo). - **Capacidad...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~35-~35: Corrige la mayúscula.
Context: ...l tiempo. - Nivel de Seguridad: De Acción (Con riesgo). - Capacidad: Permite al ag...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~37-~37: Aquí puede haber un error.
Context: ...utarse en el futuro. - Programaciones: - cron: Tareas recurrentes (ej. 0 9 * * *). ...

(QB_NEW_ES)

---

[grammar] ~40-~40: Elimina la puntuación
Context: ...imestamp RFC3339 específico. - every: Intervalos fijos en milisegundos. ### ...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_PUNCTUATION)

---

[grammar] ~42-~42: Aquí puede haber un error.
Context: ...fijos en milisegundos. ### Acciones de schedule create, list, get, cancel, pause, `resu...

(QB_NEW_ES)

---

[grammar] ~49-~49: Cambia el sustantivo.
Context: ...resume. --- ## pushover` Envía una noticia push al dispositivo móvil del usuario. ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_NOUN)

---

[grammar] ~51-~51: Corrige la mayúscula.
Context: ...sitivo móvil del usuario. - Nivel de Seguridad: De Acción (Con riesgo). - **Requisito...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~51-~51: Corrige la mayúscula.
Context: ... usuario. - Nivel de Seguridad: De Acción (Con riesgo). - Requisitos: Requiere `PU...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~59-~59: Aquí puede haber un error.
Context: ...uerido.** El texto de la notificación. | | priority | integer | Prioridad de -...

(QB_NEW_ES)

---

[grammar] ~60-~60: Aquí puede haber un error.
Context: ...d de -2 (silencioso) a 2 (emergencia). | | sound | string | Sobrescritura de s...

(QB_NEW_ES)

🪛 markdownlint-cli2 (0.22.0)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md

[warning] 42-42: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

🔇 Additional comments (18)

clients/agent-runtime/src/providers/router.rs (1)

517-543: LGTM — correct underscore removal.

Both router and mocks are used (router.chat(...) on line 535, mocks[0].chat_call_count() on line 543), so dropping the underscore prefix aligns with Rust convention and silences any "unused variable" warnings correctly.

clients/web/apps/chat/src/App.vue (1)

38-39: Scoped lint suppression is appropriate here.

This is a targeted false-positive suppression for a template-bound ref and does not change runtime behavior.

clients/web/apps/chat/src/components/SessionSidebar.vue (1)

13-53: Template-referenced symbol suppressions are correctly scoped.

These ignores are justified for Vue template usage and keep lint noise down without changing component behavior.

clients/agent-runtime/src/channels/mod.rs (1)

1376-1379: LGTM — correct semaphore permit lifecycle.

The explicit drop(permit) after the await ensures the permit is held for the full duration of process_channel_message, correctly bounding in-flight concurrency. This is a defensive, idiomatic pattern that guards against accidental early release.

gradle/libs.versions.toml (1)

81-81: Plugin version bump is valid and backward compatible.

Version 2.1.1 exists and is a safe upgrade from 2.0.0 with no breaking changes. The update stabilizes the bundled Compatibility Plugin APIs (0.1.0 → 1.0.0) while maintaining full backward compatibility within the 2.x line.

.agents/journal/scribe-journal.md (1)

17-30: Looks good — journal entry is clear and internally consistent.

The completion log, validation notes, and EN/ES parity statement are coherent and actionable for audit/history purposes.

clients/web/apps/docs/src/content/docs/clients/agent-runtime/index.mdx (1)

18-18: Navigation update is correct.

The new “Tools Reference” entry is placed appropriately in the contents list.

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/index.mdx (1)

18-18: Spanish navigation link is good.

“Referencia de Herramientas” aligns with the EN structure and preserves localized clarity.

clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/media.md (1)

1-46: Solid reference page structure and coverage.

Tool purpose, security tiers, and parameter tables are clear and usable.

clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/memory.md (1)

1-60: Memory tools documentation is well-scoped and consistent.

Security-tier framing and parameter documentation are clear for all three memory operations.

clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/mcp.md (1)

47-53: MCP runtime behavior documentation matches implementation evidence.

The defaults and failure-isolation statements are aligned with clients/agent-runtime/src/config/schema.rs:1051-1066 and clients/agent-runtime/src/tools/mod.rs:220-257.

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/memory.md (1)

1-60: Good EN/ES parity for Memory Tools content.

The Spanish page preserves structure, parameter semantics, and security-tier intent from the English version.

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/web.md (1)

1-83: EN/ES parity confirmed for web tools documentation.

Both files are properly aligned: security tiers, domain allowlist policy, SSRF protection, header redaction, and redirect-disabled-by-default are correctly translated with no semantic drift. No translation gaps detected.

clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt (2)

154-165: LGTM: Good memoization of the avatar gradient brush.

Caching the Brush.linearGradient with corvusColors.gradientPrimary as the key correctly avoids redundant allocations during recomposition.

---

235-242: LGTM: Clean props grouping with @Immutable.

Consolidating parameters into a stable data class reduces lambda allocations and improves recomposition skipping.

clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatWorkspace.kt (3)

160-167: LGTM: Correct memoization of displayMessages.

Keying on messages and state.welcomeMessage ensures the list is recomputed only when content changes, not on every keystroke.

---

169-195: LGTM: Adding bridgeState to keys fixes stale closure.

sendMessage checks bridgeState.isChatReady. Without this key, the memoized actions.onSend could capture a stale chat-ready state.

---

341-368: LGTM: Well-structured extraction with stable keys.

Extracting MessageList isolates it from query state changes. Using key = { it.id } and contentType = { it.role } enables efficient list diffing.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Candidate web tool implementations =="
fd -i 'web|browser|http' clients/agent-runtime/src/tools

echo
echo "== Tool name() declarations (to validate documented tool IDs) =="
rg -n -C2 --type rust 'fn\s+name\s*\(&self\)\s*->\s*&str' clients/agent-runtime/src/tools

echo
echo "== Returned tool identifiers near name() implementations =="
rg -n -C3 --type rust 'name\(\)\s*->\s*&str|"(web_search_tool|web_search|browser_open|browser|http_request)"' clients/agent-runtime/src/tools

echo
echo "== Security behavior checks for HTTP/browser constraints =="
rg -n -C3 --type rust 'allowed_domains|allowlist|ssrf|private|localhost|redirect|redact|authorization|api[-_]?key|http://|https://' clients/agent-runtime/src/tools clients/agent-runtime/src

Repository: dallay/corvus

Length of output: 50370

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== HTTP request: redirect policy check =="
rg -n -C4 'redirect|redirect_policy|Policy::none|Policy::limited' clients/agent-runtime/src/tools/http_request.rs | head -50

echo
echo "== HTTP request: header redaction in logging =="
rg -n -C3 'redact|Authorization|API.?[Kk]ey|sensitive.*header' clients/agent-runtime/src/tools/http_request.rs | head -40

echo
echo "== Browser: allowed_domains constraint enforcement =="
rg -n -C4 'allowed_domains|host_matches' clients/agent-runtime/src/tools/browser.rs | head -50

echo
echo "== Browser: Supports backends check =="
rg -n -C2 'agent_browser|rust_native|computer_use' clients/agent-runtime/src/tools/browser.rs | head -40

Repository: dallay/corvus

Length of output: 5639

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Browser tool: HTTP vs HTTPS scheme enforcement =="
rg -n -C5 'starts_with.*https|http.*allowed' clients/agent-runtime/src/tools/browser.rs | head -30

echo
echo "== HTTP request: actual use of redact_headers_for_display in logging =="
rg -n 'redact_headers_for_display' clients/agent-runtime/src/tools/http_request.rs

echo
echo "== Browser: agent_browser backend implementation details =="
rg -n -C2 'agent_browser|AgentBrowser' clients/agent-runtime/src/tools/browser.rs | head -40

echo
echo "== Browser open: scheme check (should be HTTPS only) =="
rg -n -C2 'https://' clients/agent-runtime/src/tools/browser_open.rs | head -20

Repository: dallay/corvus

Length of output: 3078

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== HTTP request: where redact_headers_for_display is called in output =="
rg -n -B5 -A3 'format_response_headers|redact_headers_for_display' clients/agent-runtime/src/tools/http_request.rs | grep -A10 -B10 'output\|result\|log\|display'

echo
echo "== HTTP request: format_response_headers implementation =="
rg -n -A10 'fn format_response_headers' clients/agent-runtime/src/tools/http_request.rs

echo
echo "== Web search tool: brave API key header name =="
rg -n 'X-Subscription-Token|brave.*header|api.*key' clients/agent-runtime/src/tools/web_search_tool.rs

Repository: dallay/corvus

Length of output: 2847

---

🏁 Script executed:

#!/bin/bash
set -euo pipeflight

echo "== Verify: is redact_headers_for_display ever used in actual execution path =="
rg -n 'redact_headers_for_display' clients/agent-runtime/src/tools/http_request.rs

echo
echo "== Verify: does execute() or any live path call redact_headers_for_display =="
rg -n 'fn execute\|redact_headers_for_display' clients/agent-runtime/src/tools/http_request.rs | head -20

echo
echo "== Check: what does format_response_headers actually redact =="
rg -n -A15 'fn format_response_headers' clients/agent-runtime/src/tools/http_request.rs

Repository: dallay/corvus

Length of output: 112

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Verify: is redact_headers_for_display ever used in actual execution path =="
rg -n 'redact_headers_for_display' clients/agent-runtime/src/tools/http_request.rs

echo
echo "== Check: what does format_response_headers actually redact =="
rg -n -A15 'fn format_response_headers' clients/agent-runtime/src/tools/http_request.rs

echo
echo "== Check: execute path and where headers are output =="
rg -n -B5 -A10 'fn execute.*async' clients/agent-runtime/src/tools/http_request.rs | head -60

echo
echo "== Verify SSRF check: is_private_or_local_host function =="
rg -n -A15 'fn is_private_or_local_host' clients/agent-runtime/src/tools/http_request.rs

Repository: dallay/corvus

Length of output: 1107

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== HTTP request tool: execute method signature =="
rg -n -A30 'impl Tool for HttpRequestTool' clients/agent-runtime/src/tools/http_request.rs | head -50

echo
echo "== Find execute method and its output handling =="
rg -n -B5 -A25 'async fn execute' clients/agent-runtime/src/tools/http_request.rs | head -80

echo
echo "== Trace response header handling in ToolResult =="
rg -n -B3 -A3 'headers_text\|format_response_headers' clients/agent-runtime/src/tools/http_request.rs

Repository: dallay/corvus

Length of output: 4564

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Full execute method with response output =="
rg -n -A70 'async fn execute\(&self, args: serde_json::Value\)' clients/agent-runtime/src/tools/http_request.rs | head -120

echo
echo "== SSRF check: is_private_or_local_host complete implementation =="
rg -n -A30 'fn is_private_or_local_host' clients/agent-runtime/src/tools/http_request.rs | head -50

Repository: dallay/corvus

Length of output: 4215

---

Correct header redaction claim: only set-cookie is redacted in logs, not Authorization or API-Key.

Lines 15–83 document concrete tool contracts. Tool names, backends, URL scheme constraints, and SSRF protections are accurate. However, the claim on sensitive header redaction is overstated:

• The doc states: "Sensitive headers (Authorization, API-Key) are redacted in logs."
• Actual implementation: Only set-cookie headers are redacted in format_response_headers() (line 42–55 of http_request.rs), which is called in the live execution path (line 373). The function redact_headers_for_display() exists but is only used in tests, not in the actual execute() response output (lines 385–391).

Remove or correct the claim about Authorization/API-Key redaction to match the actual behavior (only set-cookie is redacted).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/docs/src/content/docs/clients/agent-runtime/tools/web.md`
around lines 15 - 83, The docs incorrectly claim Authorization/API-Key headers
are redacted; update the http_request tool section to state that only Set-Cookie
headers are redacted in logs (per format_response_headers()), and remove or
reword the sentence claiming "Sensitive headers (Authorization, API-Key) are
redacted in logs." Reference the actual implementation: note that
format_response_headers() is used in the live execution path (execute()) and
that redact_headers_for_display() exists but is only used in tests, so only
Set-Cookie is redacted in production logging.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Scope the security guarantee per tool, not globally.

Line 13 says all web tools enforce strict domain allowlisting, but subsequent sections describe different controls by tool. This can overstate guarantees and create security expectation drift in production docs.

Suggested doc fix

-Las herramientas web permiten a los agentes recuperar información de Internet e interactuar con APIs externas. Todas las herramientas web imponen una política estricta de **Lista de Dominios Permitidos**.
+Las herramientas web permiten a los agentes recuperar información de Internet e interactuar con APIs externas. Los controles de seguridad varían por herramienta (por ejemplo, allowlist de dominios en navegación y controles SSRF/redacción de encabezados en peticiones HTTP).

As per coding guidelines, "**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Las herramientas web permiten a los agentes recuperar información de Internet e interactuar con APIs externas. Todas las herramientas web imponen una política estricta de **Lista de Dominios Permitidos**.
	Las herramientas web permiten a los agentes recuperar información de Internet e interactuar con APIs externas. Los controles de seguridad varían por herramienta (por ejemplo, allowlist de dominios en navegación y controles SSRF/redacción de encabezados en peticiones HTTP).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/web.md`
at line 13, The sentence "Las herramientas web permiten a los agentes recuperar
información..." and the claim that "Todas las herramientas web imponen una
política estricta de **Lista de Dominios Permitidos**" overstates a global
guarantee; update the wording to scope the security control per-tool (e.g.,
"Cada herramienta web debe implementar, según su configuración, una política de
Lista de Dominios Permitidos" or "Por defecto, las herramientas web deben
aplicar... salvo que se indique lo contrario en la sección de cada herramienta")
and ensure the intro aligns with the later tool-specific controls that follow in
the document (reference the sentence and the phrase "Lista de Dominios
Permitidos" to locate and edit).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Document plaintext HTTP risk explicitly.

If http:// is intentionally supported, add an explicit warning to avoid normalizing insecure transport in a security reference.

Suggested doc fix

-  - Solo se permiten esquemas `http://` y `https://`.
+  - Solo se permiten esquemas `http://` y `https://` (**se recomienda `https://` siempre que sea posible por seguridad**).

As per coding guidelines, "**/*: Security first, performance second."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- Solo se permiten esquemas `http://` y `https://`.
	- Solo se permiten esquemas `http://` y `https://` (**se recomienda `https://` siempre que sea posible por seguridad**).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/web.md`
at line 71, The doc line that currently reads "Solo se permiten esquemas
`http://` y `https://`" must explicitly call out the security risk of plaintext
HTTP: update the text near that sentence to include a clear warning that
`http://` is insecure, can expose credentials and data in transit, and should
only be used in trusted/testing environments; if `http://` is intentionally
supported, add a prominent "Warning" or "Security note" block advising against
normalizing insecure transport and providing mitigation guidance (use HTTPS,
TLS, or explicit opt-in), so readers cannot miss the security implication.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if compatibility-plugin is a known Gradle plugin dependency
curl -sI "https://repo.gradle.org/gradle/libs-releases-local/org/gradle/plugin/compatibility-plugin/1.0.0/compatibility-plugin-1.0.0.pom" | head -1

Repository: dallay/corvus

Length of output: 79

---

🏁 Script executed:

cd gradle/build-logic && cat -n buildscript-gradle.lockfile | head -30

Repository: dallay/corvus

Length of output: 1983

---

🏁 Script executed:

#!/bin/bash
# Search for compatibility-plugin in Maven Central
curl -s "https://repo.maven.apache.org/maven2/org/gradle/plugin/compatibility-plugin/maven-metadata.xml" 2>&1 | head -20

Repository: dallay/corvus

Length of output: 610

---

🏁 Script executed:

#!/bin/bash
# Try alternative Gradle plugin portal URLs
curl -sI "https://plugins.gradle.org/m2/org/gradle/plugin/compatibility-plugin/1.0.0/compatibility-plugin-1.0.0.pom" | head -5

Repository: dallay/corvus

Length of output: 197

---

🏁 Script executed:

#!/bin/bash
# Search for compatibility-plugin on the Gradle plugin portal
curl -s "https://plugins.gradle.org/search?term=compatibility-plugin" | head -100

Repository: dallay/corvus

Length of output: 4809

---

🏁 Script executed:

#!/bin/bash
# Check the actual POM for plugin-publish 2.1.1 to see its transitive dependencies
curl -s "https://plugins.gradle.org/m2/com/gradle/publish/plugin-publish-plugin/2.1.1/plugin-publish-plugin-2.1.1.pom" | head -100

Repository: dallay/corvus

Length of output: 39

---

🏁 Script executed:

#!/bin/bash
# Alternative: Check Maven Central for plugin-publish to find actual deps
curl -s "https://repo.maven.apache.org/maven2/com/gradle/publish/plugin-publish-plugin/2.1.1/plugin-publish-plugin-2.1.1.pom" | grep -A 20 "<dependencies>"

Repository: dallay/corvus

Length of output: 39

---

🏁 Script executed:

#!/bin/bash
# Search for any mention of compatibility-plugin in the repo
rg "compatibility-plugin" --type-list | head -20

Repository: dallay/corvus

Length of output: 446

---

🏁 Script executed:

#!/bin/bash
# Check git history of the lockfile
git log --oneline gradle/build-logic/buildscript-gradle.lockfile | head -10

Repository: dallay/corvus

Length of output: 127

---

🏁 Script executed:

#!/bin/bash
# Check the actual diff that introduced this dependency
git log -p gradle/build-logic/buildscript-gradle.lockfile | grep -A 5 -B 5 "compatibility-plugin" | head -30

Repository: dallay/corvus

Length of output: 39

---

🏁 Script executed:

#!/bin/bash
# Search for compatibility-plugin anywhere in repo
rg "compatibility-plugin"

Repository: dallay/corvus

Length of output: 158

---

🏁 Script executed:

#!/bin/bash
# Check the actual commit that last modified the lockfile
git show 5ff7c51 --stat

Repository: dallay/corvus

Length of output: 50369

---

🏁 Script executed:

#!/bin/bash
# Check if lockfile is in gitignore
cat .gitignore | grep -i lock

Repository: dallay/corvus

Length of output: 323

---

Flag unverified transitive dependency for security review.

The lockfile adds org.gradle.plugin:compatibility-plugin:1.0.0 (line 23), but this dependency cannot be verified in standard Maven/Gradle repositories. The commit adding this lacks clear justification, and no evidence confirms it's a legitimate transitive dependency of plugin-publish 2.1.1. Before merging, verify:

• Whether plugin-publish 2.1.1 actually introduces this as a transitive dependency
• If the dependency exists in a legitimate repository or is an internal artifact
• Why it was added without explicit documentation in the commit message

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@gradle/build-logic/buildscript-gradle.lockfile` around lines 6 - 7, The
lockfile entry introduces org.gradle.plugin:compatibility-plugin:1.0.0 which is
not verifiable; inspect the transitive dependencies of
com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:2.1.1 and
com.gradle.publish:plugin-publish-plugin:2.1.1 (check their published POMs) to
confirm whether compatibility-plugin:1.0.0 is actually pulled in, search Maven
Central / Gradle Plugin Portal for org.gradle.plugin:compatibility-plugin:1.0.0
to confirm its existence or identify it as an internal artifact, and then either
remove the spurious compatibility-plugin entry from buildscript-gradle.lockfile
if it’s not a real transitive dependency, add the appropriate repository and
provenance notes if it is internal, or update the commit/PR description to
document why this artifact is present and how it was verified.

[cloudflare-workers-and-pages]

Deploying corvus with    Cloudflare Pages

Latest commit:	b8b93eb
Status:	✅  Deploy successful!
Preview URL:	https://fae3b986.corvus-42x.pages.dev
Branch Preview URL:	https://chore-consolidate-pending-im.corvus-42x.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt (1)

235-320: 🛠️ Refactor suggestion | 🟠 Major

Extract the new chat-input surface into its own file.

Detekt is already flagging clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt for TooManyFunctions. Adding ChatInputFieldProps and SendButton here pushes the same module farther past that limit; please move the input types/composables into a dedicated file instead of growing this one.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt`
around lines 235 - 320, Move the chat input UI and its related types into a new
file to reduce function count in ChatComponents.kt: create a new Kotlin source
file and relocate ChatInputFieldProps, the ChatInputField composable, and the
private SendButton composable (including their imports and any used helpers like
CorvusTheme, MaterialTheme, Brush, Color, etc.) from ChatComponents.kt into that
file, then update ChatComponents.kt to import and reference ChatInputField as
before; ensure package declarations match and remove the moved symbols from the
original file so Detekt’s TooManyFunctions violation is resolved.

♻️ Duplicate comments (1)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md (1)

42-43: ⚠️ Potential issue | 🟡 Minor

Fix heading spacing to satisfy markdownlint (MD022).

Line 42 needs a blank line below the heading before content to avoid lint/doc build noise. This issue was flagged in a previous review and remains unfixed.

Suggested fix

 ### Acciones de `schedule`
+
 `create`, `list`, `get`, `cancel`, `pause`, `resume`.

As per coding guidelines, "Verify technical accuracy and that docs stay aligned with code changes."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md`
around lines 42 - 43, The heading "### Acciones de `schedule`" is missing a
blank line beneath it (MD022); insert a single blank line after the heading so
the paragraph "`create`, `list`, `get`, `cancel`, `pause`, `resume`." is
separated from the heading, ensuring the Markdown heading and following content
adhere to lint rules and remain technically accurate.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt`:
- Line 252: The input field currently trims the value when dispatching the
payload but validates the raw value, causing inconsistent behavior; instead keep
the existing validation that trims (the isEnabled calculation: val isEnabled =
props.enabled && props.value.trim().isNotBlank()) and change the send path to
dispatch the original user input unchanged — i.e., in ChatInputField stop
calling props.onSend(props.value.trim()) and call props.onSend(props.value) so
validation (trim) remains only for enabling the send button while the sent
payload preserves intentional whitespace; also check ChatWorkspace.sendMessage()
to ensure it validates with trim() rather than relying on an untrimmed
isBlank().

---

Outside diff comments:
In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt`:
- Around line 235-320: Move the chat input UI and its related types into a new
file to reduce function count in ChatComponents.kt: create a new Kotlin source
file and relocate ChatInputFieldProps, the ChatInputField composable, and the
private SendButton composable (including their imports and any used helpers like
CorvusTheme, MaterialTheme, Brush, Color, etc.) from ChatComponents.kt into that
file, then update ChatComponents.kt to import and reference ChatInputField as
before; ensure package declarations match and remove the moved symbols from the
original file so Detekt’s TooManyFunctions violation is resolved.

---

Duplicate comments:
In
`@clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md`:
- Around line 42-43: The heading "### Acciones de `schedule`" is missing a blank
line beneath it (MD022); insert a single blank line after the heading so the
paragraph "`create`, `list`, `get`, `cancel`, `pause`, `resume`." is separated
from the heading, ensuring the Markdown heading and following content adhere to
lint rules and remain technically accurate.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 66007eeb-15cd-4f89-9ed2-a4b0d6924ffe

📥 Commits

Reviewing files that changed from the base of the PR and between 5ff7c51 and de01680.

📒 Files selected for processing (4)

• .agents/journal/bolt-journal.md
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/App.kt
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: submit-gradle
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (3)

**/*.kt

⚙️ CodeRabbit configuration file

**/*.kt: Enforce null safety (no !!), structured concurrency, and non-blocking suspend code.
Prefer idiomatic Kotlin (expression bodies, sealed types, value classes when justified).
Verify tests follow TDD intent and use backtick test names where applicable.

Files:

• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/App.kt
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/App.kt
• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt

**/*.{md,mdx}

⚙️ CodeRabbit configuration file

**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes.
For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Files:

• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md

🧠 Learnings (2)

📚 Learning: 2026-02-21T09:07:52.298Z

Learnt from: yacosta738
Repo: dallay/corvus PR: 62
File: .agents/journal/sentinnel-journal.md:1-1
Timestamp: 2026-02-21T09:07:52.298Z
Learning: Branding guideline: The intentional brand name for the security-first agent in the dallay/corvus repository is 'Sentinnel' (with double n). Do not treat it as a typo of 'Sentinel'. Ensure all agent-related docs and journals under .agents/journal consistently use 'Sentinnel' with double n.

Applied to files:

• .agents/journal/bolt-journal.md

📚 Learning: 2026-02-17T07:28:38.934Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Document agent configurations and capabilities in AGENTS.md

Applied to files:

• clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md

🪛 GitHub Actions: Scan with Detekt

clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt

[error] 601-601: detekt [CyclomaticComplexMethod]: Function bridgeStateRecovery appears too complex (Cyclomatic Complexity 15). Threshold is 15.

---

[error] 1-1: detekt [TooManyFunctions]: File 'ChatComponents.kt' has '18' functions. Threshold inside files is set to '11'.

🪛 LanguageTool

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md

[grammar] ~17-~17: Corrige la mayúscula.
Context: ...ra tareas comunes de Git. - Nivel de Seguridad: Mixto (Las operaciones de escritura c...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~17-~17: Corrige la mayúscula.
Context: ...raciones de escritura como commit son De Acción). - Operaciones Soportadas: status, `dif...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~18-~18: Corrige la mayúscula.
Context: ...commitson De Acción). - **Operaciones Soportadas:**status, diff, log, branch, c...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~25-~25: Aquí puede haber un error.
Context: ...Uno de los comandos de git soportados. | | message | string | Mensaje de commi...

(QB_NEW_ES)

---

[grammar] ~26-~26: Aquí puede haber un error.
Context: ...| Mensaje de commit (paracommit). | | paths|string` | Rutas de archivos ...

(QB_NEW_ES)

---

[grammar] ~35-~35: Corrige la mayúscula.
Context: ...noma basada en el tiempo. - Nivel de Seguridad: De Acción (Con riesgo). - **Capacidad...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~35-~35: Corrige la mayúscula.
Context: ...l tiempo. - Nivel de Seguridad: De Acción (Con riesgo). - Capacidad: Permite al ag...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~37-~37: Aquí puede haber un error.
Context: ...utarse en el futuro. - Programaciones: - cron: Tareas recurrentes (ej. 0 9 * * *). ...

(QB_NEW_ES)

---

[grammar] ~40-~40: Elimina la puntuación
Context: ...imestamp RFC3339 específico. - every: Intervalos fijos en milisegundos. ### ...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_PUNCTUATION)

---

[grammar] ~42-~42: Aquí puede haber un error.
Context: ...fijos en milisegundos. ### Acciones de schedule create, list, get, cancel, pause, `resu...

(QB_NEW_ES)

---

[grammar] ~51-~51: Corrige la mayúscula.
Context: ...sitivo móvil del usuario. - Nivel de Seguridad: De Acción (Con riesgo). - **Requisito...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~51-~51: Corrige la mayúscula.
Context: ... usuario. - Nivel de Seguridad: De Acción (Con riesgo). - Requisitos: Requiere `PU...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~59-~59: Aquí puede haber un error.
Context: ...uerido.** El texto de la notificación. | | priority | integer | Prioridad de -...

(QB_NEW_ES)

---

[grammar] ~60-~60: Aquí puede haber un error.
Context: ...d de -2 (silencioso) a 2 (emergencia). | | sound | string | Sobrescritura de s...

(QB_NEW_ES)

🪛 markdownlint-cli2 (0.22.0)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md

[warning] 42-42: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

🔇 Additional comments (4)

clients/web/apps/docs/src/content/docs/es/clients/agent-runtime/tools/automation.md (4)

1-11: LGTM: Frontmatter and introduction are clear.

The metadata and introduction accurately describe the document's purpose and scope.

---

47-61: No issues found. Environment variable names and priority range in the documentation match the implementation. The Pushover tool correctly validates input boundaries and loads credentials from the .env file.

---

13-28: Security claim verified; minor EN/ES label inconsistency found.

The shell injection sanitization claim is accurate—code confirms blocking of --exec, -c, --upload-pack=, --receive-pack=, and --pager=. The English and Spanish versions have substantively aligned content and are both accurate to the implementation.

Minor note: English uses "Safety:" as the label for the sanitization bullet while Spanish uses "Seguridad:". For consistency, both versions should use the same label pattern as the first bullet (e.g., "Security" vs "Nivel de Seguridad").

---

31-43: Line 36: Documentation claims unsupported "Agent Job" capability.

The documentation states the tool allows scheduling "un script de shell (Shell Job) o un script de shell (Shell Job)," but ScheduleTool only creates shell jobs. The add_agent_job() function exists in the codebase but is not exposed through the schedule tool's API—all create, add, and once actions call add_shell_job() exclusively.

Security controls for shell execution are in place (SecurityPolicy gating, command injection blocking, isolated execution mode), but the capability scope should match what's actually implemented.

			> Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that ChatInputField trims the prompt and that downstream code forwards it unchanged.
sed -n '248,290p' clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt
printf '\n--- ChatWorkspace.sendMessage ---\n'
sed -n '145,165p' clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatWorkspace.kt
printf '\n--- App send wiring ---\n'
sed -n '95,100p' clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/App.kt

Repository: dallay/corvus

Length of output: 2709

---

Don't mutate user input; separate validation from payload dispatch.

ChatInputField trims the prompt before sending (onSend = { props.onSend(props.value.trim()) }), but ChatWorkspace.sendMessage() validates with isBlank() without trimming. This inconsistency means the validation logic doesn't match the payload transformation. If a user enters intentional whitespace (e.g., indented code), it gets silently stripped. Use trim() only in the validation condition; send the original value unchanged.

Fix

-  val isEnabled = props.enabled && props.value.trim().isNotBlank()
+  val isEnabled = props.enabled && props.value.isNotBlank()

And at line 285:

-      onSend = { props.onSend(props.value.trim()) },
+      onSend = { props.onSend(props.value) },

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	val isEnabled = props.enabled && props.value.trim().isNotBlank()
	val isEnabled = props.enabled && props.value.isNotBlank()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/ui/chat/ChatComponents.kt`
at line 252, The input field currently trims the value when dispatching the
payload but validates the raw value, causing inconsistent behavior; instead keep
the existing validation that trims (the isEnabled calculation: val isEnabled =
props.enabled && props.value.trim().isNotBlank()) and change the send path to
dispatch the original user input unchanged — i.e., in ChatInputField stop
calling props.onSend(props.value.trim()) and call props.onSend(props.value) so
validation (trim) remains only for enabling the send button while the sent
payload preserves intentional whitespace; also check ChatWorkspace.sendMessage()
to ensure it validates with trim() rather than relying on an untrimmed
isBlank().

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud