refactor(runtime): complete Sonar remediation batches

[yacosta738]

Related Issues

• Resolves the current SonarQube remediation batches for dallay_corvus.

---

Summary

This PR closes the staged Sonar remediation work across backend runtime code, frontend/dashboard accessibility fixes, and shell/Kotlin maintainability cleanup. The changes preserve runtime and UI behavior while reducing complexity, stabilizing validation/configuration paths, and bringing the remediation planning docs into the docs app metadata contract.

---

Tested Information

• Rust runtime remediation:
  • pre-push Rust checks passed (cargo fmt --check, cargo clippy --all-targets -- -D warnings, cargo test --lib --quiet via hook)
• Dashboard:
  • pnpm check
  • pnpm test:a11y
  • pnpm build
• Rook dashboard:
  • pnpm check
  • pnpm test
  • pnpm build
• Scripts/Kotlin:
  • bash -n scripts/mobile-smoke-test.sh
  • bash -n scripts/check-tools.sh
  • ./gradlew :composeApp:jvmTest
• Docs validation:
  • pnpm --filter @corvus/docs check
  • pnpm check in clients/web
• Sonar verification:
  • Queried open Sonar issues for dallay_corvus with statuses OPEN and CONFIRMED
  • Result returned 0 issues

---

Documentation Impact

• Docs updated in:
  • clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md
  • clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
  • clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md
  • clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md
  • clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
  • clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md
  • clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md
• No docs update required because: n/a
• I verified the documentation matches the current behavior.

---

Breaking Changes

• None.

---

Checklist

• I have checked that there isn’t already a PR solving the same problem.
• I have read the Contributing Guidelines.
• I ensured my code follows the project's style guidelines.
• I have added or updated tests that prove my fix is effective or that my feature works.
• I have updated the documentation, or I explained above why no documentation update is needed.
• I verified the documentation matches the current behavior.
• I have documented any breaking changes in the Breaking Changes section.
• I have linked the related issue (if any).

[coderabbitai]

Warning

Rate limit exceeded

@yacosta738 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 2 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 110d276c-4772-4a3d-b715-6b63ad94c3c7

📥 Commits

Reviewing files that changed from the base of the PR and between e5a35a6 and 5d16d9f.

📒 Files selected for processing (7)

• clients/agent-runtime/src/gateway/mod.rs
• clients/agent-runtime/src/main.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt
• clients/web/apps/dashboard/vitest.config.ts
• clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-remediation-plan.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md

📝 Walkthrough

Walkthrough

This PR refactors multiple components across the runtime, web dashboard, mobile app, and scripts by extracting repeated logic into helper functions. The Rust runtime consolidates webhook/SSE session handling, validation, and dispatcher execution. Web dashboard components and composables derive state helpers. Mobile coordinator simplifies snapshot construction. Shell scripts localize variables. Documentation introduces SonarQube remediation batches.

Changes

Cohort / File(s)	Summary
Rust Runtime Gateway & Webhook clients/agent-runtime/src/gateway/mod.rs, clients/agent-runtime/src/gateway/webhook_dispatch.rs	Refactors webhook and SSE handlers into new helper functions: session tracking, idempotency-key release, persisted activity updates, dispatcher execution, and request preparation now isolated in dedicated helpers. Fast-path ingress handling extraction in webhook dispatcher.
Rust Runtime Main & Security clients/agent-runtime/src/main.rs, clients/agent-runtime/src/security/policy.rs	Delegates handle_code_command orchestration and session-cost logic to helpers. Extracts path-validation logic in security policy into three helpers: is_likely_path, effective_path_arg, and is_path_argument_safe with new test covering absolute-path rejection.
Rust Runtime Tools clients/agent-runtime/src/tools/delegate_launch.rs	Extracts input validation and child request construction into helpers: array parsing, field validation, child_id/agent_name/prompt extraction, and execution metadata deserialization, with new test for empty agent_name validation.
Kotlin Mobile clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt	Centralizes bridge snapshot and session mutation logic into private helpers: buildBridgeSnapshot, bridgeSnapshotForSession, clearedSessionBridgeSnapshot, replaceOrAppendSession, replaceExistingSession.
Web Dashboard Config & Package clients/web/apps/dashboard/package.json, clients/web/apps/dashboard/vite.config.js, clients/web/apps/dashboard/vite.config.ts, clients/web/apps/dashboard/vitest.config.ts	Consolidates Vite config from JS to TS; deletes custom chunking rules and test config from vite.config.ts; introduces dedicated vitest.config.ts with Vue plugin, alias, happy-dom environment, and filesystem allowlist. Updates npm scripts to include vitest.config.ts in formatting.
Web Dashboard Components & Composables clients/web/apps/dashboard/src/components/sessions/CerebroSessionActions.vue, clients/web/apps/dashboard/src/components/sessions/CerebroSessionActions.spec.ts, clients/web/apps/dashboard/src/composables/useAdmin.ts, clients/web/apps/dashboard/src/composables/useAdmin.spec.ts, clients/web/apps/dashboard/src/utils/playwrightEnv.ts	Extracts tool state/message helpers in Vue component for disabled/label computation; adds stricter button-count/text validation in tests. Introduces resolvePageOffset helper in useAdmin for pagination; adds test for page-1 offset calculation. Adds readDefaultEnv helper for safer environment access in playwright utils.
Web Dashboard Styles clients/web/apps/rook-dashboard/src/style.css	Updates muted text, accent, and state-banner colors to higher-contrast lighter shades.
Shell Scripts scripts/check-tools.sh, scripts/mobile-smoke-test.sh	Adds has_command helper and refactors tool checks to use it. Localizes variables and modernizes test syntax in mobile smoke tests (DEVICE_COUNT/DEVICE_LIST → local variables, [[ ... ]] conditionals).
SonarQube Documentation & Spanish Translations clients/web/apps/docs/src/content/docs/plans/..., clients/web/apps/docs/src/content/docs/es/plans/...	Introduces comprehensive SonarQube remediation plan (164 lines) with four sequential batch definitions (backend critical, frontend critical/accessibility, scripts/kotlin/CSS, etc.) plus task checklists, constraints, and verification steps. Adds Spanish translation stubs for all three batches.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• fix(security): prevent path validation bypass via command flags #516: Directly related; both modify clients/agent-runtime/src/security/policy.rs to extract and validate path values embedded in flag arguments (e.g., --file=/etc/passwd).
• fix(security): harden path validation and block shell input redirection #357: Related; both harden path-validation logic in policy.rs by extracting helpers and adding test coverage for blocked absolute paths.
• refactor(gateway): consolidate admin auth/origin validation paths #170: Related; both adjust gateway auth/token handling in clients/agent-runtime/src/gateway/mod.rs—this PR respects bearer-token presence in webhook/SSE session logic.

Suggested labels

area:rust, area:web, area:kotlin, area:docs, risk:high

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title follows Conventional Commits style with 'refactor' prefix and clearly describes the main change: completing SonarQube remediation batches across the runtime.
Description check	✅ Passed	The PR description is comprehensive and follows the template structure, including related issues, summary, tested information, documentation impact, breaking changes, and completed checklist.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch maintenance/sonarqube-remediation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 22 minutes and 2 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt (1)

166-175: ⚠️ Potential issue | 🟠 Major

Keep the resumed session in resumableSessions.

replaceExistingSession() silently drops a session if it is not already present in state.resumableSessions. That leaves the local state stale after a successful resume. Use replaceOrAppendSession(...) here instead.

Proposed fix

-            resumableSessions = replaceExistingSession(state.resumableSessions, session),
+            resumableSessions = replaceOrAppendSession(state.resumableSessions, session),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt`
around lines 166 - 175, The resumeSession handler currently updates state using
replaceExistingSession which drops the resumed session when it wasn't already in
state.resumableSessions; change the update to use replaceOrAppendSession so the
resumed session is either replaced or appended. Specifically, in resumeSession
(the runCatching/onSuccess block after facade.resumeSession and
persistence.saveActiveSessionId), replace the call to
replaceExistingSession(state.resumableSessions, session) with
replaceOrAppendSession(state.resumableSessions, session) and keep the other
state updates (bridgeSnapshotForSession(session.id), activeSessionId,
pendingApproval) the same.

clients/agent-runtime/src/main.rs (1)

1716-1730: ⚠️ Potential issue | 🟠 Major

Avoid finalizing the code session twice on blocking errors.

The helper already records the end event and prints the code-session summary before returning Err(...). The unconditional block after run_code_message_or_interactive() will duplicate both on the same failure path. Return a small finalized flag from the helper, or move the summary/end-event bookkeeping into one place only.

Suggested shape for the fix

-    let run_result = run_code_message_or_interactive(
+    let (run_result, finalized) = run_code_message_or_interactive(
         &mut agent,
         message,
         &provider_name,
         &model_name,
         session_start,
     )
     .await;
 
-    let summary_result = agent.session_cost_summary(chrono::Utc::now());
-    agent.record_agent_end_event(&provider_name, &model_name, session_start.elapsed());
-    match summary_result {
-        Ok(summary) => print_cli_session_summary(summary, CliSessionSurface::Code),
-        Err(error) => tracing::warn!("Failed to load code session cost summary: {error}"),
+    if !finalized {
+        let summary_result = agent.session_cost_summary(chrono::Utc::now());
+        agent.record_agent_end_event(&provider_name, &model_name, session_start.elapsed());
+        match summary_result {
+            Ok(summary) => print_cli_session_summary(summary, CliSessionSurface::Code),
+            Err(error) => tracing::warn!("Failed to load code session cost summary: {error}"),
+        }
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/agent-runtime/src/main.rs` around lines 1716 - 1730, The post-run
bookkeeping (agent.record_agent_end_event and
agent.session_cost_summary/print_cli_session_summary) is being executed
unconditionally after calling run_code_message_or_interactive, which causes
duplicate finalization when the helper already finalizes on errors; modify
run_code_message_or_interactive to return a small finalized flag (e.g.,
Result<(...), ...> -> Result<(..., bool), ...>) or change it to not finalize so
that finalization happens in one place only; update the call site to check the
returned finalized flag (or rely on the helper not finalizing) before calling
agent.record_agent_end_event and
agent.session_cost_summary/print_cli_session_summary to ensure end-event and
summary are recorded exactly once.

clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md (2)

136-165: ⚠️ Potential issue | 🟠 Major

Add an explicit rollback strategy section for high-risk batches.

You list risks/mitigations, but there is no rollback plan for runtime/gateway/security regressions. Add concrete rollback steps per batch (revert scope, restore prior config/handlers, re-run targeted verification).

Based on learnings "Include threat/risk notes and rollback strategy for security, runtime, and gateway changes; add or update tests for boundary checks and failure modes".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md`
around lines 136 - 165, The document lacks an explicit rollback strategy for
high-risk batches; add a new "Rollback strategy" section after "Risks and
mitigations" (or under "Planned next step") that specifies per-batch concrete
rollback steps for "Batch 1 — Backend critical" and future batches: define the
minimal revert scope, instructions to restore prior configs/handlers/services,
how to toggle feature flags/traffic routing, and steps to re-run targeted
verification (smoke tests, gateway checks, security scans); also include short
threat/risk notes for security/runtime/gateway regressions and add a checklist
to update or add boundary/failure-mode tests as part of each batch closure.

---

1-165: ⚠️ Potential issue | 🔴 Critical

Add the missing Spanish locale counterpart for this user-facing plan.

The docs pipeline reports missing clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-remediation-plan.md. Add the ES mirror (can be a stub if your docs contract allows stubs) so EN/ES parity is preserved.

As per coding guidelines "**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes. For user-facing docs, check EN/ES parity or explicitly note pending translation gaps."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md`
around lines 1 - 165, Create the missing Spanish mirror for the document titled
"SonarQube remediation plan" by adding a new ES markdown file named
2026-04-26-sonarqube-remediation-plan.md that mirrors the original frontmatter
(title/date/last_updated/tags/status/summary) but with Spanish values (e.g.,
title "Plan de remediación SonarQube", summary in Spanish) and include a stubbed
Spanish body that replicates the EN structure (Objetivo, Alcance, Estrategia de
ejecución, Plan por lotes, Restricciones, Criterios de éxito, Riesgos y
mitigaciones, Siguiente paso) plus a short top-line note stating it's a
translation stub pending full localization; preserve tags and status as in the
original and keep content user-facing and reviewable for parity checks.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clients/agent-runtime/src/gateway/mod.rs`:
- Around line 2322-2346: The preview fast-path (guarded by is_preview &&
!dispatcher_enabled) can return early via maybe_execute_legacy_http_ingress and
bypass the token-scoped session gate in ensure_webhook_session; to fix, call
ensure_webhook_session(&state, &session_id, token_hash.as_deref(),
reserved_idempotency_key.as_deref()).await and return its Some(response) result
before invoking maybe_execute_legacy_http_ingress, so the session upsert/check
always runs for ingress handling (referencing maybe_execute_legacy_http_ingress,
ensure_webhook_session, is_preview, dispatcher_enabled, session_id, token_hash,
reserved_idempotency_key).

In `@clients/agent-runtime/src/tools/delegate_launch.rs`:
- Around line 70-151: parse_child_request currently coerces launch_index
overflow to u32::MAX which can collapse distinct indices; change the conversion
to fail instead: replace the unwrap_or(u32::MAX) behavior when setting
launch_index in ChildLaunchRequest with a checked conversion that returns an
anyhow::Error on overflow (use u32::try_from(launch_index).map_err(...) or
equivalent) so parse_child_request returns an error for oversized launch_index
rather than saturating to u32::MAX.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt`:
- Around line 88-102: MobileRuntimeCoordinator exceeds the allowed function
count due to private helper methods (e.g., buildBridgeSnapshot); extract these
helpers into a new class or object (for example MobileBridgeFactory or
MobileRuntimeHelpers) and move buildBridgeSnapshot and the other private helper
methods referenced around the same area into that new type as public or internal
functions, update MobileRuntimeCoordinator to call
MobileBridgeFactory.buildBridgeSnapshot(...) (preserving parameter list and
return type MobileBridgeSnapshot), and ensure tests and usages compile; this
consolidation reduces MobileRuntimeCoordinator's method count while keeping
behavior identical.

In `@clients/web/apps/dashboard/vitest.config.ts`:
- Around line 19-34: The vitest config currently nests server.fs.allow under
test.server so Vite's file-serving allowlist is ignored; hoist the fs allowlist
to the top-level server config (server.fs.allow) in the exported config object,
remove the nested test.server.fs.allow entry, and preserve the same conditional
logic using isTestMode and repoRoot so the allowlist values (including
path.join(repoRoot, ...), "openspec", "tmp", and "clients/composeApp") remain
identical to the original behavior while keeping
test.{environment,include,exclude} under the test section.

In
`@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md`:
- Around line 17-23: Add a new "Rollback & Risk Criteria" section to the plan
(near the Goal/Architecture/Tech Stack blocks) that lists concrete failure
signals (e.g., auth/session regressions, webhook error rate/latency spikes,
increased crash/signal counts), explicit immediate rollback action (e.g., revert
the specific commits/PRs or redeploy previous artifact and disable the
refactored module), and a short post-rollback verification checklist (smoke
tests for auth, webhook delivery, gateway latency, and security policy
enforcement); also include brief threat/risk notes for security/runtime/gateway
changes and call out adding/updating unit/integration tests for boundary checks
and failure modes referenced in main.rs, gateway/mod.rs,
gateway/webhook_dispatch.rs, security/policy.rs, and tools/delegate_launch.rs.

In
`@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md`:
- Line 27: The MD022/MD031 lint errors are caused by missing blank lines around
headings and fenced code blocks (e.g., the "#### Dashboard app" heading and the
adjacent bash fenced block); fix by inserting a blank line before and after each
flagged heading and before and after each fenced code block, applying the same
pattern to the other flagged locations (lines referenced such as 41, 48, 57,
etc.) so the docs have an empty line surrounding headings and triple-backtick
blocks to satisfy markdownlint.

In
`@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md`:
- Around line 23-45: The Markdown file fails MD022/MD031 due to missing blank
lines around headings and fenced code blocks; fix by adding a single blank line
before and after every section heading (e.g., lines around "## File Structure",
"### Files to modify", etc.) and ensure fenced blocks (the bash language fence
shown) are surrounded by blank lines throughout the document (apply the same
normalization to the other ranges noted: 48-75, 78-124, 137-143); run a markdown
linter locally and re-run the CI checks to confirm all MD022/MD031 violations
are resolved while leaving content and code examples unchanged.

In
`@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md`:
- Around line 59-64: Update the "Validation expectations" section to replace the
generic items with explicit Rust commands and required policy: state that
contributors must run `cargo fmt --all -- --check`, `cargo clippy --all-targets
-- -D warnings`, and `cargo test` for touched modules (or full workspace where
applicable), and require documenting any skipped checks and rationale; refer to
the "Validation expectations" block and the Batch 1 runtime/security scope
wording so the bullets explicitly include these commands and the requirement to
not weaken gateway or policy code and to list skipped checks with justification.
- Around line 1-8: The Markdown frontmatter for the document titled "SonarQube
remediation plan" is missing required metadata keys; add the following keys to
the YAML frontmatter block for this file: description (short string summary),
owner (string or team identifier), lastReviewed (ISO date, e.g. 2026-04-26),
appliesTo (array of affected components or teams), and docType (string, e.g.
"remediation-plan" or "guidance"); ensure values are populated appropriately and
follow existing docs conventions for types and formatting so the Docs Quality
metadata contract is satisfied.

---

Outside diff comments:
In `@clients/agent-runtime/src/main.rs`:
- Around line 1716-1730: The post-run bookkeeping (agent.record_agent_end_event
and agent.session_cost_summary/print_cli_session_summary) is being executed
unconditionally after calling run_code_message_or_interactive, which causes
duplicate finalization when the helper already finalizes on errors; modify
run_code_message_or_interactive to return a small finalized flag (e.g.,
Result<(...), ...> -> Result<(..., bool), ...>) or change it to not finalize so
that finalization happens in one place only; update the call site to check the
returned finalized flag (or rely on the helper not finalizing) before calling
agent.record_agent_end_event and
agent.session_cost_summary/print_cli_session_summary to ensure end-event and
summary are recorded exactly once.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt`:
- Around line 166-175: The resumeSession handler currently updates state using
replaceExistingSession which drops the resumed session when it wasn't already in
state.resumableSessions; change the update to use replaceOrAppendSession so the
resumed session is either replaced or appended. Specifically, in resumeSession
(the runCatching/onSuccess block after facade.resumeSession and
persistence.saveActiveSessionId), replace the call to
replaceExistingSession(state.resumableSessions, session) with
replaceOrAppendSession(state.resumableSessions, session) and keep the other
state updates (bridgeSnapshotForSession(session.id), activeSessionId,
pendingApproval) the same.

In
`@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md`:
- Around line 136-165: The document lacks an explicit rollback strategy for
high-risk batches; add a new "Rollback strategy" section after "Risks and
mitigations" (or under "Planned next step") that specifies per-batch concrete
rollback steps for "Batch 1 — Backend critical" and future batches: define the
minimal revert scope, instructions to restore prior configs/handlers/services,
how to toggle feature flags/traffic routing, and steps to re-run targeted
verification (smoke tests, gateway checks, security scans); also include short
threat/risk notes for security/runtime/gateway regressions and add a checklist
to update or add boundary/failure-mode tests as part of each batch closure.
- Around line 1-165: Create the missing Spanish mirror for the document titled
"SonarQube remediation plan" by adding a new ES markdown file named
2026-04-26-sonarqube-remediation-plan.md that mirrors the original frontmatter
(title/date/last_updated/tags/status/summary) but with Spanish values (e.g.,
title "Plan de remediación SonarQube", summary in Spanish) and include a stubbed
Spanish body that replicates the EN structure (Objetivo, Alcance, Estrategia de
ejecución, Plan por lotes, Restricciones, Criterios de éxito, Riesgos y
mitigaciones, Siguiente paso) plus a short top-line note stating it's a
translation stub pending full localization; preserve tags and status as in the
original and keep content user-facing and reviewable for parity checks.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 40e783f5-e683-4d83-be03-3e8c3583f972

📥 Commits

Reviewing files that changed from the base of the PR and between 3e09dff and e5a35a6.

📒 Files selected for processing (25)

• clients/agent-runtime/src/gateway/mod.rs
• clients/agent-runtime/src/gateway/webhook_dispatch.rs
• clients/agent-runtime/src/main.rs
• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt
• clients/web/apps/dashboard/package.json
• clients/web/apps/dashboard/src/components/sessions/CerebroSessionActions.spec.ts
• clients/web/apps/dashboard/src/components/sessions/CerebroSessionActions.vue
• clients/web/apps/dashboard/src/composables/useAdmin.spec.ts
• clients/web/apps/dashboard/src/composables/useAdmin.ts
• clients/web/apps/dashboard/src/utils/playwrightEnv.ts
• clients/web/apps/dashboard/vite.config.js
• clients/web/apps/dashboard/vite.config.ts
• clients/web/apps/dashboard/vitest.config.ts
• clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md
• clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md
• clients/web/apps/rook-dashboard/src/style.css
• scripts/check-tools.sh
• scripts/mobile-smoke-test.sh

💤 Files with no reviewable changes (1)

• clients/web/apps/dashboard/vite.config.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: report / Contributor Quality Report
• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: submit-gradle
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (11)

**/*.{md,mdx}

⚙️ CodeRabbit configuration file

**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes.
For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Files:

• clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md
• clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-1-backend-critical.md

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md
• clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md
• clients/web/apps/dashboard/src/composables/useAdmin.spec.ts
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md
• clients/web/apps/dashboard/package.json
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/web/apps/dashboard/src/components/sessions/CerebroSessionActions.spec.ts
• clients/web/apps/dashboard/vite.config.js
• clients/web/apps/dashboard/src/composables/useAdmin.ts
• clients/web/apps/dashboard/vitest.config.ts
• clients/web/apps/dashboard/src/utils/playwrightEnv.ts
• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/agent-runtime/src/main.rs
• clients/agent-runtime/src/gateway/webhook_dispatch.rs
• clients/web/apps/dashboard/src/components/sessions/CerebroSessionActions.vue
• clients/web/apps/rook-dashboard/src/style.css
• clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• scripts/check-tools.sh
• scripts/mobile-smoke-test.sh
• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt
• clients/agent-runtime/src/gateway/mod.rs

clients/agent-runtime/src/{security,gateway,tools}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Treat src/security/, src/gateway/, src/tools/ as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Files:

• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/agent-runtime/src/gateway/webhook_dispatch.rs
• clients/agent-runtime/src/gateway/mod.rs

clients/agent-runtime/src/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Files:

• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/agent-runtime/src/main.rs
• clients/agent-runtime/src/gateway/webhook_dispatch.rs
• clients/agent-runtime/src/gateway/mod.rs

clients/agent-runtime/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why

Files:

• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/agent-runtime/src/main.rs
• clients/agent-runtime/src/gateway/webhook_dispatch.rs
• clients/agent-runtime/src/gateway/mod.rs

clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Files:

• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/agent-runtime/src/gateway/webhook_dispatch.rs
• clients/agent-runtime/src/gateway/mod.rs

**/*.rs

⚙️ CodeRabbit configuration file

**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.

Files:

• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/agent-runtime/src/main.rs
• clients/agent-runtime/src/gateway/webhook_dispatch.rs
• clients/agent-runtime/src/gateway/mod.rs

clients/agent-runtime/src/tools/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Implement Tool trait in src/tools/ with strict parameter schema, validate and sanitize all inputs, and return structured ToolResult without panics in runtime path

Files:

• clients/agent-runtime/src/tools/delegate_launch.rs

clients/agent-runtime/src/main.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/main.rs: Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths
Keep startup path lean and avoid heavy initialization in command parsing flow

Files:

• clients/agent-runtime/src/main.rs

**/*.vue

⚙️ CodeRabbit configuration file

**/*.vue: Enforce Vue 3 Composition API with <script setup>.
Ensure accessibility (A11y) and proper use of Tailwind CSS classes.
Check for proper prop validation and emitted events documentation.

Files:

• clients/web/apps/dashboard/src/components/sessions/CerebroSessionActions.vue

**/*.kt

⚙️ CodeRabbit configuration file

**/*.kt: Enforce null safety (no !!), structured concurrency, and non-blocking suspend code.
Prefer idiomatic Kotlin (expression bodies, sealed types, value classes when justified).
Verify tests follow TDD intent and use backtick test names where applicable.

Files:

• clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt

🧠 Learnings (12)

📓 Common learnings

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Include threat/risk notes and rollback strategy for security, runtime, and gateway changes; add or update tests for boundary checks and failure modes

Applied to files:

• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md
• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/agent-runtime/src/main.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools}/**/*.rs : Treat `src/security/`, `src/gateway/`, `src/tools/` as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Applied to files:

• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/main.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/main.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/agent-runtime/src/main.rs
• clients/agent-runtime/src/gateway/webhook_dispatch.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/agent-runtime/src/security/policy.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Keep startup path lean and avoid heavy initialization in command parsing flow

Applied to files:

• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/agent-runtime/src/main.rs
• clients/agent-runtime/src/gateway/webhook_dispatch.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/channels/**/*.rs : Implement `Channel` trait in `src/channels/` with consistent `send`, `listen`, and `health_check` semantics and cover auth/allowlist/health behavior with tests

Applied to files:

• clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md
• clients/agent-runtime/src/main.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/tools/**/*.rs : Implement `Tool` trait in `src/tools/` with strict parameter schema, validate and sanitize all inputs, and return structured `ToolResult` without panics in runtime path

Applied to files:

• clients/agent-runtime/src/security/policy.rs
• clients/agent-runtime/src/tools/delegate_launch.rs
• clients/agent-runtime/src/main.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Applied to files:

• clients/agent-runtime/src/security/policy.rs

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/**/*.rs : Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Applied to files:

• clients/agent-runtime/src/main.rs

🪛 GitHub Actions: Docs Quality

clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md

[error] 1-1: Documentation metadata validation failed: missing required field 'description'.

---

[error] 1-1: Documentation metadata validation failed: missing required field 'owner'.

---

[error] 1-1: Documentation metadata validation failed: missing required field 'lastReviewed'.

---

[error] 1-1: Documentation metadata validation failed: missing required field 'appliesTo'.

---

[error] 1-1: Documentation metadata validation failed: missing required field 'docType'.

---

[error] 1-1: Documentation metadata validation failed: missing locale counterpart 'clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-remediation-plan.md'.

🪛 GitHub Actions: Scan with Detekt

clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt

[error] 25-25: detekt [TooManyFunctions]: Class 'MobileRuntimeCoordinator' with '15' functions detected. Defined threshold inside classes is set to '11'.

🪛 LanguageTool

clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md

[grammar] ~132-~132: Use a hyphen to join words.
Context: ... - Shell scripts parse cleanly. - Kotlin touched scope compiles/tests cleanly. - ...

(QB_NEW_EN_HYPHEN)

clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md

[style] ~96-~96: The double modal “required Re-run” is nonstandard (only accepted in certain dialects). Consider “to be Re-run”.
Context: ...id broad hue changes unless required 4. Re-run rook-dashboard checks before final comb...

(NEEDS_FIXED)

🪛 markdownlint-cli2 (0.22.1)

clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md

[warning] 25-25: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 37-37: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 50-50: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 61-61: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 71-71: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 80-80: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 90-90: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 100-100: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 111-111: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 119-119: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 121-121: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md

[warning] 27-27: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 41-41: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 48-48: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 57-57: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 62-62: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 71-71: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 80-80: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 89-89: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 98-98: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 105-105: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 117-117: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 131-131: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 142-142: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 154-154: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 156-156: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 164-164: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

🔇 Additional comments (21)

clients/web/apps/rook-dashboard/src/style.css (1)

96-114: The contrast updates keep the dark theme coherent.

The copy and banner colors read better on the existing surfaces, and the change stays visual-only.

Also applies to: 294-302

scripts/check-tools.sh (1)

65-68: The helper extraction preserves the tool checks cleanly.

has_command() removes the repeated command -v calls, and the explicit Rust version flag keeps the threshold logic readable without changing the exit behavior.

Also applies to: 71-94, 147-194

scripts/mobile-smoke-test.sh (1)

72-81: Good cleanup of the smoke-test locals and conditionals.

Using locals for the device/config values and switching to [[ ... ]] keeps the Android/iOS probes self-contained while preserving the validation flow.

Also applies to: 125-158

clients/agent-runtime/src/security/policy.rs (1)

460-545: The path-validation split is a solid security cleanup.

The new helpers make the path-arg checks easier to follow, and the regression test covers the embedded-flag bypass case.

Also applies to: 1442-1446

clients/agent-runtime/src/main.rs (1)

1635-1694: The shared fast path and code-session helper are a good extraction.

This keeps the handled-ingress shortcut and the message-vs-interactive flow isolated without changing the call-site shape.

clients/agent-runtime/src/tools/delegate_launch.rs (1)

235-256: The early validation return path is clean.

Bailing out before dispatch on parse/transport errors keeps the orchestration path tight, and the new empty-agent_name test covers the guard.

Also applies to: 411-424

clients/agent-runtime/src/gateway/webhook_dispatch.rs (1)

387-440: The handled-ingress short-circuit still reads cleanly.

Mapping the ingress outcomes through a helper keeps the main execute path simpler, and the new failure-path test covers the response-text contract.

Also applies to: 657-675

clients/agent-runtime/src/gateway/mod.rs (2)

1716-1792: Good extraction of webhook execution seams.

ensure_webhook_session, maybe_execute_legacy_http_ingress, and execute_dispatcher_webhook centralize idempotency release + activity update behavior and reduce branch drift in the main handler.

---

2468-2513: Stream request prep and handled-ingress SSE short-circuit look solid.

The extraction keeps auth/session/tool-snapshot prep cohesive and preserves the handled-ingress no-provider-execution fast path with explicit SSE payload mapping.

clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md (1)

52-75: Validation commands are concrete and release-safe.

Good coverage with fmt, clippy -D warnings, and targeted regression tests for touched modules.

Based on learnings: Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why.

clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-1-backend-critical.md (1)

13-13: Translation gap is clearly signposted.

The explicit pending-translation note keeps EN/ES documentation status transparent.

As per coding guidelines: For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md (1)

13-13: Good EN/ES parity handling for a draft mirror.

Keeping the page live with a clear translation-pending disclaimer is the right interim state.

As per coding guidelines: For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

clients/web/apps/docs/src/content/docs/es/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md (1)

13-13: Paridad EN/ES bien gestionada para este borrador.

El aviso de traducción pendiente evita ambigüedad para lectores en español.

As per coding guidelines: For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

clients/web/apps/dashboard/src/components/sessions/CerebroSessionActions.vue (2)

24-41: Looks good.

Centralizing the tool-state, disabled-state, and label logic makes the component easier to follow without changing behavior.

---

83-86: Looks good.

Binding the template to the new helpers avoids duplicated status checks and keeps the render path consistent.

clients/web/apps/dashboard/package.json (1)

14-15: Looks good.

Including vitest.config.ts in the Biome format/check scripts matches the new config layout and keeps the linting scope aligned.

clients/web/apps/dashboard/src/components/sessions/CerebroSessionActions.spec.ts (1)

59-66: Good tightening of the UI assertions.

Verifying the exact button count and rendered labels makes this test catch label drift without changing the intended behavior.

clients/web/apps/dashboard/src/composables/useAdmin.spec.ts (1)

65-80: Good coverage addition.

This directly exercises the page: 1 / custom per_page path and protects the new offset calculation from regressions.

clients/web/apps/dashboard/src/composables/useAdmin.ts (1)

63-68: Good refactor.

Centralizing the offset math removes duplicated conditional logic and keeps both list endpoints on the same pagination rule.

Also applies to: 243-244, 331-332

clients/web/apps/dashboard/vite.config.js (1)

1-1: Looks good.

The re-export keeps the JS entrypoint intact while avoiding duplicated config logic.

clients/web/apps/dashboard/src/utils/playwrightEnv.ts (1)

1-10: Looks good.

The fallback makes the env lookup safer in non-Node contexts without changing the allow-mode behavior.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Reduce the MobileRuntimeCoordinator function count before merging.

Detekt is already failing here: MobileRuntimeCoordinator now has 15 functions, over the configured limit of 11. These new private helpers push the class past the threshold, so this needs another extraction or consolidation before release.

Also applies to: 235-250

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/composeApp/src/commonMain/kotlin/com/profiletailors/corvus/runtime/MobileRuntimeCoordinator.kt`
around lines 88 - 102, MobileRuntimeCoordinator exceeds the allowed function
count due to private helper methods (e.g., buildBridgeSnapshot); extract these
helpers into a new class or object (for example MobileBridgeFactory or
MobileRuntimeHelpers) and move buildBridgeSnapshot and the other private helper
methods referenced around the same area into that new type as public or internal
functions, update MobileRuntimeCoordinator to call
MobileBridgeFactory.buildBridgeSnapshot(...) (preserving parameter list and
return type MobileBridgeSnapshot), and ensure tests and usages compile; this
consolidation reduces MobileRuntimeCoordinator's method count while keeping
behavior identical.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add explicit rollback and risk criteria for this high-risk batch.

This plan covers gateway/security/runtime-critical refactors but does not define rollback triggers and rollback steps. Add a short section with failure signals (e.g., auth/session regressions, webhook error spikes), immediate rollback action, and post-rollback verification checklist.

Based on learnings: Include threat/risk notes and rollback strategy for security, runtime, and gateway changes; add or update tests for boundary checks and failure modes.

Also applies to: 871-918

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-1-backend-critical.md`
around lines 17 - 23, Add a new "Rollback & Risk Criteria" section to the plan
(near the Goal/Architecture/Tech Stack blocks) that lists concrete failure
signals (e.g., auth/session regressions, webhook error rate/latency spikes,
increased crash/signal counts), explicit immediate rollback action (e.g., revert
the specific commits/PRs or redeploy previous artifact and disable the
refactored module), and a short post-rollback verification checklist (smoke
tests for auth, webhook delivery, gateway latency, and security policy
enforcement); also include brief threat/risk notes for security/runtime/gateway
changes and call out adding/updating unit/integration tests for boundary checks
and failure modes referenced in main.rs, gateway/mod.rs,
gateway/webhook_dispatch.rs, security/policy.rs, and tools/delegate_launch.rs.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix markdownlint MD022/MD031 violations before merge.

Add blank lines around the flagged headings and fenced code blocks to satisfy docs lint in CI.

Minimal pattern to apply across flagged sections

-#### Dashboard app
+#### Dashboard app
+
 - `clients/web/apps/dashboard/src/components/sessions/CerebroSessionActions.vue`

 **Run from `clients/web/apps/dashboard`:**
+
 ```bash
 pnpm check
 pnpm test
 pnpm test:a11y
 pnpm build

Run from clients/web/apps/rook-dashboard:

</details>



Also applies to: 41-41, 48-48, 57-57, 62-62, 71-71, 80-80, 89-89, 98-98, 105-105, 117-117, 131-131, 142-142, 154-154, 156-156, 164-164

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 27-27: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In
@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-2-frontend-critical-accessibility.md
at line 27, The MD022/MD031 lint errors are caused by missing blank lines around
headings and fenced code blocks (e.g., the "#### Dashboard app" heading and the
adjacent bash fenced block); fix by inserting a blank line before and after each
flagged heading and before and after each fenced code block, applying the same
pattern to the other flagged locations (lines referenced such as 41, 48, 57,
etc.) so the docs have an empty line surrounding headings and triple-backtick
blocks to satisfy markdownlint.

</details>

<!-- fingerprinting:phantom:triton:hawk:26046fa5-8d1e-4525-b288-8d441f7f904c -->

<!-- d98c2f50 -->

<!-- This is an auto-generated comment by CodeRabbit -->

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix the Markdownlint failures before merging.

This doc still trips MD022/MD031: the section headings and fenced block need surrounding blank lines throughout the file. Please normalize the spacing consistently, not just in one section.

Suggested markdown spacing fix

-### File Structure
+
+### File Structure
+
@@
-```bash
+
+```bash

Also applies to: 48-75, 78-124, 137-143

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 25-25: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 37-37: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-batch-3-scripts-kotlin-residual-css.md`
around lines 23 - 45, The Markdown file fails MD022/MD031 due to missing blank
lines around headings and fenced code blocks; fix by adding a single blank line
before and after every section heading (e.g., lines around "## File Structure",
"### Files to modify", etc.) and ensure fenced blocks (the bash language fence
shown) are surrounded by blank lines throughout the document (apply the same
normalization to the other ranges noted: 48-75, 78-124, 137-143); run a markdown
linter locally and re-run the CI checks to confirm all MD022/MD031 violations
are resolved while leaving content and code examples unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Make Rust validation requirements explicit, not generic.

For Batch 1 runtime/security scope, spell out the exact required checks to avoid ambiguity and drift.

Proposed wording update

 Validation expectations:
-- relevant Rust formatting and lint checks
-- targeted Rust tests for touched modules when available
+- `cargo fmt --all -- --check`
+- `cargo clippy --all-targets -- -D warnings`
+- `cargo test` (or explicitly document skipped checks and why)
 - no security posture weakening in gateway or policy code

Based on learnings "Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Validation expectations:
	- relevant Rust formatting and lint checks
	- targeted Rust tests for touched modules when available
	- no security posture weakening in gateway or policy code
	Validation expectations:
	- `cargo fmt --all -- --check`
	- `cargo clippy --all-targets -- -D warnings`
	- `cargo test` (or explicitly document skipped checks and why)
	- no security posture weakening in gateway or policy code

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clients/web/apps/docs/src/content/docs/plans/2026-04-26-sonarqube-remediation-plan.md`
around lines 59 - 64, Update the "Validation expectations" section to replace
the generic items with explicit Rust commands and required policy: state that
contributors must run `cargo fmt --all -- --check`, `cargo clippy --all-targets
-- -D warnings`, and `cargo test` for touched modules (or full workspace where
applicable), and require documenting any skipped checks and rationale; refer to
the "Validation expectations" block and the Batch 1 runtime/security scope
wording so the bullets explicitly include these commands and the requirement to
not weaken gateway or policy code and to list skipped checks with justification.

[cloudflare-workers-and-pages]

Deploying corvus with    Cloudflare Pages

Latest commit:	5d16d9f
Status:	✅  Deploy successful!
Preview URL:	https://517dc2fc.corvus-42x.pages.dev
Branch Preview URL:	https://maintenance-sonarqube-remedi.corvus-42x.pages.dev

View logs

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
80.2% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud