fix(security): remove tracked .env files, migrate to Infisical#2187
Open
ashsolei wants to merge 50 commits intoCanner:mainfrom
Open
fix(security): remove tracked .env files, migrate to Infisical#2187ashsolei wants to merge 50 commits intoCanner:mainfrom
ashsolei wants to merge 50 commits intoCanner:mainfrom
Conversation
16 core agents (Layer 0 + Layer 1) for Copilot Coding Agent. Source: AiFeatures/agent-hub/copilot-agents/
16 core agents (Layer 0 + Layer 1) for Copilot Coding Agent. Path: .github/agents/*.agent.md Source: AiFeatures/agent-hub/copilot-agents/
These were deployed to the wrong path. Correct path is .github/agents/*.agent.md
Universal environment setup for Copilot's coding agent. Configures Node.js 22, Python 3.12, and Go (stable). Docs: https://docs.github.com/en/copilot/customizing-copilot/customizing-the-development-environment-for-copilot-coding-agent
iAiFy enterprise governance — standardized Copilot instructions.
iAiFy enterprise governance — Claude Code context file.
iAiFy enterprise governance — AI agent instructions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
chore: sync CLAUDE.md and copilot-instructions docs
Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) --- updated-dependencies: - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.13. - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.13) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.13 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.23...4.18.1) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.2 to 1.4.0. - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.2...v1.4.0) --- updated-dependencies: - dependency-name: node-forge dependency-version: 1.4.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#12) Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to 6.5.5. - [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst) - [Commits](tornadoweb/tornado@v6.5.2...v6.5.5) --- updated-dependencies: - dependency-name: tornado dependency-version: 6.5.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…10) Bumps [pygments](https://github.com/pygments/pygments) from 2.19.2 to 2.20.0. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](pygments/pygments@2.19.2...2.20.0) --- updated-dependencies: - dependency-name: pygments dependency-version: 2.20.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.25.1 to 0.28.1. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.25.1...v0.28.1) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-version: 0.28.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [next](https://github.com/vercel/next.js) from 14.2.35 to 15.5.14. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v14.2.35...v15.5.14) --- updated-dependencies: - dependency-name: next dependency-version: 15.5.14 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pyasn1](https://github.com/pyasn1/pyasn1) from 0.6.2 to 0.6.3. - [Release notes](https://github.com/pyasn1/pyasn1/releases) - [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst) - [Commits](pyasn1/pyasn1@v0.6.2...v0.6.3) --- updated-dependencies: - dependency-name: pyasn1 dependency-version: 0.6.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.1 to 3.4.2. - [Commits](WebReflection/flatted@v3.3.1...v3.4.2) --- updated-dependencies: - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [nltk](https://github.com/nltk/nltk) from 3.9.3 to 3.9.4. - [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog) - [Commits](nltk/nltk@3.9.3...3.9.4) --- updated-dependencies: - dependency-name: nltk dependency-version: 3.9.4 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Document active-dev fork governance for AiFeatures/WrenAI: upstream Canner/WrenAI, sync cadence monthly, owner @ashsolei. Standardizes per enterprise fork-governance.md and the fork-upstream-merge runbook.
…, flagged) (#19) Co-authored-by: ashsolei <ash@iaify.dev>
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.39.0 to 1.43.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.43.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/sdk dependency-version: 1.43.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ice (#7) Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.32.5...v2.33.0) --- updated-dependencies: - dependency-name: requests dependency-version: 2.33.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tlptracehttp (#21) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) from 1.39.0 to 1.43.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.43.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp dependency-version: 1.43.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…otlpmetrichttp (#20) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) from 1.39.0 to 1.43.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.43.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp dependency-version: 1.43.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [streamlit](https://github.com/streamlit/streamlit) from 1.51.0 to 1.54.0. - [Release notes](https://github.com/streamlit/streamlit/releases) - [Commits](streamlit/streamlit@1.51.0...1.54.0) --- updated-dependencies: - dependency-name: streamlit dependency-version: 1.54.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.0. - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.13.5...v1.15.0) --- updated-dependencies: - dependency-name: axios dependency-version: 1.15.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…nfisical - Remove wren-ai-service/tools/dev/.env (18 keys) from git - Add .env.example with placeholders - Secrets migrated to Infisical (project: AiFeatures, prefix: WREN_) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
WalkthroughThis PR establishes AI agent-driven development governance, removes legacy CI/CD release workflows, introduces query audit trail functionality in wren-ai-service, updates dependencies across services, and adds fork management and Copilot configuration documentation. Changes
Estimated code review effort🎯 4 (Complex) | ⏱️ ~50 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 19
🧹 Nitpick comments (19)
wren-launcher/go.mod (1)
24-212: Extensive transitive dependency refresh requires thorough testing.This change updates a large number of indirect dependencies across multiple ecosystems (AWS SDK v2, Docker/containerd, OpenTelemetry, Kubernetes, supply chain security). While the code snippets confirm these are transitive dependencies not directly imported by the launcher code, the broad scope increases the surface area for potential issues.
Recommendations:
- Run the full test suite to validate compatibility
- Test Docker Compose operations (the primary use case per
utils/docker.go)- Verify launcher functionality in development and staging environments before merge
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@wren-launcher/go.mod` around lines 24 - 212, The PR updates many indirect dependencies in go.mod which can introduce regressions; run the full test suite, exercise Docker Compose flows (particularly the functions in utils/docker.go), and validate launcher end-to-end in development and staging to catch compatibility issues; if tests or Compose scenarios fail, identify the offending transitive upgrade by bisecting changes in go.mod and pin or rollback the specific module(s) causing failures, then re-run tests and environment validations before merging..gitignore (1)
84-87: Consolidate duplicated.envrules to reduce precedence mistakes.Line 105-106 overlaps with earlier
.env*rules (Line 84-86). Keeping a single env-ignore block will make future maintenance safer and clearer.Also applies to: 102-107
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.gitignore around lines 84 - 87, Consolidate the duplicate .env ignore entries by removing repeated patterns and keeping a single, clear block that covers all variants (e.g., .env*, .env*.local, .env.ai) so precedence mistakes are avoided; update the existing .gitignore entries that reference ".env*", ".env*.local" and ".env.ai" to a single grouped section and remove the redundant lines elsewhere in the file.FORK-CUSTOMIZATIONS.md (1)
1-1: Rename file to kebab-case.Please rename this file (for example,
fork-customizations.md) to satisfy the repository naming convention.As per coding guidelines
**/*: All file names must use kebab-case.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@FORK-CUSTOMIZATIONS.md` at line 1, The file FORK-CUSTOMIZATIONS.md uses non-kebab-case; rename it to fork-customizations.md to comply with the repository naming convention, update any internal references (links/imports) that point to FORK-CUSTOMIZATIONS.md to the new kebab-case name, and perform the change with git mv and a clear commit message (e.g., "rename: FORK-CUSTOMIZATIONS.md -> fork-customizations.md")..github/agents/tester.agent.md (1)
53-67: Specify language for fenced code block.The output format template should have a language identifier for proper rendering and linting compliance.
📝 Proposed fix
-``` +```text TEST REPORT Framework: [pytest/jest/vitest/etc] Suites: N | Tests: N | Passed: N | Failed: N | Skipped: N🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/tester.agent.md around lines 53 - 67, Update the fenced code block in the tester.agent.md template to include a language identifier (e.g., "text") so it renders and lints correctly; locate the triple-backtick block in .github/agents/tester.agent.md (the TEST REPORT template) and change the opening fence from ``` to ```text so the block is explicitly marked as plain text..github/agents/developer.agent.md (1)
40-45: Specify language for fenced code block.The verification steps should have a language identifier for proper rendering and linting compliance.
📝 Proposed fix
-``` +```text 1. Syntax check (language-appropriate) 2. Lint check (if configured) 3. Build check (if applicable) 4. Run relevant tests🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/developer.agent.md around lines 40 - 45, The fenced code block containing the numbered verification steps lacks a language identifier; update the triple-backtick fence that wraps the list in .github/agents/developer.agent.md to include a language tag (e.g., ```text) so the block renders and lints correctly, ensuring the existing lines "1. Syntax check..." through "4. Run relevant tests" remain unchanged..github/agents/troubleshoot.agent.md (2)
22-42: Specify language for fenced code block.The decision tree diagram should have a language identifier for proper rendering and linting compliance.
📝 Proposed fix
-``` +```text Error received ├── Syntax/compile error? │ → Read error message, fix at indicated line🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/troubleshoot.agent.md around lines 22 - 42, The fenced code block containing the decision-tree diagram is missing a language identifier; update the opening backticks for that block (the triple-backtick fence used for the decision tree) to include a language such as "text" (e.g., change ``` to ```text) so the diagram renders and lints correctly; locate the decision-tree diagram in .github/agents/troubleshoot.agent.md and add the identifier to the opening fence.
62-69: Specify language for fenced code block.The incident report template should have a language identifier for proper rendering and linting compliance.
📝 Proposed fix
-``` +```text INCIDENT REPORT Symptom: [what the user sees] Root Cause: [why it happened]🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/troubleshoot.agent.md around lines 62 - 69, Update the fenced code block that begins with the text "INCIDENT REPORT" to include a language identifier (use "text") so the block starts with ```text instead of ```, ensuring proper rendering and linting; search for the block containing the "INCIDENT REPORT" header in the agent troubleshooting doc and replace the opening fence accordingly (also update any other identical incident-report blocks in that section)..github/agents/reviewer.agent.md (1)
64-82: Specify language for fenced code block.The output format template should have a language identifier for proper rendering and linting compliance.
📝 Proposed fix
-``` +```text CODE REVIEW Files reviewed: N | Lines changed: +N / -N CRITICAL: N | WARNING: N | SUGGESTION: N🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/reviewer.agent.md around lines 64 - 82, Update the fenced code block in .github/agents/reviewer.agent.md to include a language identifier by replacing the opening triple backticks with ```text (so the template block begins with ```text and ends with ```), ensuring the CODE REVIEW template renders and lints correctly; edit the existing template block containing "CODE REVIEW\nFiles reviewed: N | Lines changed: +N / -N" to use the language-tagged fence..github/agents/orchestrator.agent.md (1)
48-54: Specify language for fenced code block.The execution plan template should have a language identifier for proper rendering and linting compliance.
📝 Proposed fix
-``` +```text EXECUTION PLAN: <Feature Name> Step 1: [DOMAIN] → Agent: <name> Task: <specific work>🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/orchestrator.agent.md around lines 48 - 54, The fenced code block for the "EXECUTION PLAN" template is missing a language identifier; update the opening fence for that block (the one starting with ``` above the "EXECUTION PLAN: <Feature Name>" content) to include a language token such as text (e.g., change ``` to ```text) so the block renders and lints correctly while preserving the existing template lines like "EXECUTION PLAN: <Feature Name>" and "Step 1: [DOMAIN] → Agent: <name>"..github/copilot-instructions.md (1)
17-24: Remove redundant kebab-case convention.Lines 19 and 23 both specify the kebab-case naming convention for files. Consider consolidating to avoid duplication.
♻️ Proposed fix
## Conventions - Use kebab-case for file and directory names - Use conventional commits (feat:, fix:, chore:, docs:, refactor:, test:) - All PRs require review before merge - Branch from main, merge back to main -- All file names in kebab-case🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/copilot-instructions.md around lines 17 - 24, Remove the duplicate kebab-case rule by consolidating the two bullets into one: keep either "- Use kebab-case for file and directory names" or "- All file names in kebab-case" and delete the other so the conventions list contains a single, clear kebab-case entry; update the remaining bullet to cover both files and directories if needed (e.g., use the first form) to avoid redundancy..github/agents/code-quality.agent.md (1)
61-63: Align Black line length with repository lint baseline.At Line 62,
black --line-length 100conflicts withwren-ai-service/ruff.toml(line-length = 88, Black-compatible). This will create unnecessary formatting churn between tools.Suggested fix
-which black && black --check . --line-length 100 +which black && black --check . --line-length 88🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/code-quality.agent.md around lines 61 - 63, Update the Black CLI invocation so its line length matches the repository lint baseline: replace the current "black --line-length 100" usage in the .github/agents/code-quality.agent.md workflow fragment with the Black configuration that uses 88 columns to match wren-ai-service/ruff.toml; ensure the literal "black --line-length 100" string is removed/updated so Black and Ruff share "line-length = 88"..github/agents/planner.agent.md (5)
166-173: Consider adding language identifier to NEVER rules block.The fenced code block is missing a language identifier, which triggers markdown linting warnings.
📝 Suggested improvement
-``` +```text ✗ Skip risk assessment🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/planner.agent.md around lines 166 - 173, The fenced NEVER rules block in .github/agents/planner.agent.md is missing a language identifier which triggers lint warnings; update the triple-backtick opener for that block (the one containing the list entries like "✗ Skip risk assessment", "✗ Create a plan without checking existing code", etc.) to include a language (e.g., change ``` to ```text) so the markdown linter treats it as a plain text code block.
22-28: Consider adding language identifier to fenced code block.The pre-flight checklist uses a fenced code block without a language identifier. While this works, adding a language (e.g.,
textormarkdown) improves markdown linting compliance.📝 Suggested improvement
-``` +```text ☐ Understand the full scope of the request🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/planner.agent.md around lines 22 - 28, The fenced code block containing the checklist (the block that begins with "☐ Understand the full scope of the request" and lists checklist items) lacks a language identifier; update that block to include a language such as text or markdown (e.g., change ``` to ```text) so markdown linters recognize it properly and improve linting compliance while leaving the checklist content unchanged.
57-89: Consider adding language identifier and secret verification to template.Two minor improvements:
- The fenced code block is missing a language identifier (markdown linting)
- Phase 4 security audit (line 79) should include verifying no hardcoded secrets are present
Based on learnings, secret management is a critical security practice.
📝 Suggested improvements
-``` +```text Phase 1: Foundation (→ database, developer)And for the security audit line:
- □ Security audit (auth, RLS, input validation) + □ Security audit (auth, RLS, input validation, no hardcoded secrets)🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/planner.agent.md around lines 57 - 89, The fenced code block in the planner template is missing a language identifier which trips markdown linters and reduces clarity—add a language tag (e.g., "text") to the opening ``` fence for the block shown under "Phase 1: Foundation"; and update the "Phase 4: Quality" checklist item "Security audit (auth, RLS, input validation)" to explicitly include secret verification (e.g., "verify no hardcoded secrets / secret management") so the security audit step covers checking for hardcoded credentials and proper secret management.
99-107: Consider adding secret management to risk assessment.The risk assessment covers auth, RLS, performance, i18n, and type safety, but doesn't mention hardcoded secrets or improper secret management. Given this PR's focus on migrating to Infisical, this risk should be included.
🔐 Suggested addition
- **Type safety**: Files using `@ts-nocheck` instead of targeted casts +- **Secret exposure**: Hardcoded secrets, API keys, or credentials instead of environment variables🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/planner.agent.md around lines 99 - 107, Update the "### 5. Risk Assessment" section by adding a new bullet about secret management to the existing "Flag these common risks" list: add "- **Secret management**: Hardcoded credentials, improper rotation, secrets in repo or logs, and lack of a secrets manager (e.g., Infisical) increase breach risk; verify use of secure secret storage, encryption, rotation, and access controls." This will explicitly surface hardcoded secrets and improper secret handling as a named risk alongside the existing bullets.
50-50: Consider adding secret management to security audit scope.The security audit row mentions OWASP checks and RLS verification but doesn't include checking for hardcoded secrets or verifying proper use of environment variables/Infisical. Given this PR migrates to Infisical, the security audit should validate secret management practices. Based on learnings, no hardcoded secrets should be allowed.
🔐 Suggested improvement
-| Security audit | All new files | OWASP checks, RLS verification | security | +| Security audit | All new files | OWASP checks, RLS verification, no hardcoded secrets | security |🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/planner.agent.md at line 50, Update the "Security audit" row in the planner.agent.md table (the row currently showing "All new files | OWASP checks, RLS verification") to explicitly include secret management checks: add validation for hardcoded secrets, verification of environment variable usage, and confirmation that Infisical (or other secret manager) is correctly integrated and referenced; ensure the row text mentions "hardcoded secrets", "env var usage/validation", and "Infisical secret management verification" so reviewers know to run those checks..github/agents/deploy.agent.md (1)
50-50: Consider specifying Infisical in the secrets checklist item.The checklist mentions "Config/secrets in place" but doesn't specify the secret management approach. Given this PR migrates to Infisical for secret management, consider making this more specific to align with the new security approach.
📝 Suggested improvement
-- [ ] Config/secrets in place +- [ ] Config/secrets verified (Infisical or environment variables)🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/agents/deploy.agent.md at line 50, Update the checklist item "Config/secrets in place" to explicitly reference Infisical so reviewers know the expected secret management solution; replace or augment that line (the checklist entry "Config/secrets in place") with a clear item such as "Infisical secrets configured and accessible" and optionally include a brief pointer to required Infisical env vars or setup steps to validate access.wren-ai-service/src/audit_trail.py (2)
60-64: Consider thread-safety forenable()/disable()toggles.The
_enabledflag is read/written without lock protection, while_entriesoperations are protected. In Python, simple boolean assignments are atomic due to the GIL, so this is safe in CPython. However, if this code ever runs on alternative Python implementations or the enable/disable calls interleave withrecord()checks, subtle races could occur.For an append-only audit trail that's disabled by default, this is low-risk in practice.
🔒 Optional: Protect enable/disable with the existing lock
def enable(self) -> None: - self._enabled = True + with self._lock: + self._enabled = True def disable(self) -> None: - self._enabled = False + with self._lock: + self._enabled = False🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@wren-ai-service/src/audit_trail.py` around lines 60 - 64, The _enabled flag is toggled in enable() and disable() without using the same lock that protects _entries, which can create a race with record(); wrap the assignments to self._enabled inside the existing lock (use the same lock object used by record(), e.g. self._lock) so enable() and disable() acquire the lock, set the boolean, then release it to ensure atomic visibility with record() checks.
73-78: Linear scan inget()may not scale for high-volume usage.The current implementation iterates through all entries to find a match, which is O(n). For a feature-flagged, append-only audit log with modest volume, this is acceptable. If query volume grows significantly, consider adding a
dict[str, AuditEntry]index alongside the list.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@wren-ai-service/src/audit_trail.py` around lines 73 - 78, The get() method performs a linear scan over self._entries under self._lock which is O(n); add an auxiliary dictionary index (e.g., self._index: dict[str, AuditEntry]) kept in sync with append/remove operations to enable O(1) lookups: update the code paths that add entries (where self._entries is appended) to also set self._index[e.query_id] = e, update any deletion/truncation to remove keys from self._index, and change get(self, query_id) to return self._index.get(query_id) while still using self._lock to protect both structures; ensure AuditEntry.query_id is used as the dict key and preserve existing thread-safety semantics.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/agents/architect.agent.md:
- Around line 34-50: The fenced code block under the "ARCHITECTURE REVIEW"
section in .github/agents/architect.agent.md is missing a language tag; update
that triple-backtick fence (the block containing "ARCHITECTURE REVIEW", "Scope",
"Verdict", etc.) to include a language identifier such as text or md (e.g.,
change ``` to ```text) to satisfy markdownlint rule MD040.
In @.github/agents/code-quality.agent.md:
- Around line 173-215: The fenced code block that starts with the "CODE QUALITY
REPORT" header is missing a language tag which triggers markdownlint MD040;
update the opening triple-backtick fence (the one immediately before "CODE
QUALITY REPORT") to include a language identifier such as text or plaintext
(e.g., change ``` to ```text) so the block is explicitly typed and the linter
warning is resolved.
In @.github/agents/docker.agent.md:
- Around line 256-257: The checklist claims a multi-stage build but the
"Dockerfile example" is single-stage; either update the checklist or convert the
example to a proper multi-stage Dockerfile. To fix: edit the Dockerfile example
to add a builder stage (e.g., "FROM node:XX AS builder"), run build steps there,
then add a minimal runtime stage (e.g., "FROM alpine" or "FROM node:alpine") and
"COPY --from=builder" the built artifacts into it; keep the checklist items "- [
] **Dockerfile optimized**" and "- [ ] **Minimal base image**" consistent with
the example. Ensure the example shows layer-friendly steps (install
dependencies, build, then copy artifacts) and uses a minimal runtime image in
the final stage.
- Around line 8-23: Replace the Homey Automation–specific header and service
list with repo-agnostic or WrenAI-specific guidance: remove the "Docker
Specialist — Homey Automation" title and any mentions of the Homey project,
replace the enumerated services ("dashboard", "scheduler", "watchtower") with
either generic multi-service roles or WrenAI-relevant service examples, and keep
the filenames referenced (Dockerfile, docker-compose.yml, .dockerignore) but
describe their purpose generically (Node.js build, orchestration, ignore
patterns); ensure the introduction focuses on multi-service orchestration,
healthchecks, and resource-constrained deployments rather than project-specific
commands so automated agents are not misdirected.
In @.github/agents/git.agent.md:
- Around line 172-179: The fenced code block that lists gitignore entries is
missing a language tag (causing markdownlint MD040); update the opening fence
for that block (the ``` line above the node_modules/.env/.DS_Store entries) to
include an appropriate language identifier such as gitignore or text so the
block becomes ```gitignore (or ```text) and resolves the lint warning.
- Line 84: The branch example uses the wrong prefix "feat/<feature-name>";
update the example command (the line containing "git checkout -b
feat/<feature-name>") to use the documented convention by changing it to "git
checkout -b feature/<feature-name>" so feature branches follow the `feature/*`
pattern.
- Around line 14-17: The agent instructions currently hardcode repository
identity strings ("**Remote:** `github.com/ashsolei/cncf-kubernetes-dashboard`",
"**Default branch:** `main`", "**CLI:** `gh`"), which can cause wrong
operations; update the `.github/agents/git.agent.md` content to remove these
hardcoded values and replace them with generic placeholders or dynamic detection
instructions (e.g., use git remote get-url origin, environment variables, or gh
repo view to determine remote and branch) and reference the existing markers
"**Remote:**", "**Default branch:**" and "**CLI:**" so the agent uses
runtime-detected repository/branch/CLI context instead of the fixed values.
- Around line 82-97: The docs currently tell contributors to run direct commands
like "git merge feat/<feature-name>" and "git push origin main"; change that to
require a PR-based flow: instruct contributors to push their feature branch
(e.g., feat/<feature-name>) to origin, open a pull request targeting main (via
the web UI or gh/CLI), wait for CI and reviews, then merge the PR through the
protected-branch workflow and delete the feature branch after merge; replace the
direct merge/push guidance and any references to deleting branches locally
(e.g., git branch -d feat/<feature-name>) with the PR review-and-merge process
and mention protecting main with branch protections and required checks.
In @.github/agents/performance.agent.md:
- Around line 51-63: The Markdown fenced block that begins with "PERFORMANCE
REPORT" should include a language identifier to satisfy MD040; change the
opening fence from ``` to a tagged fence like ```text (or ```markdown) so the
block is explicitly labeled. Locate the fenced code block in
.github/agents/performance.agent.md that contains the "PERFORMANCE REPORT"
header and update the opening fence to include the chosen language identifier.
In @.github/agents/refactorer.agent.md:
- Around line 44-53: The code fence for the REFACTORING REPORT block currently
has no language tag; update the opening fence from ``` to include a language
(e.g., ```text or ```markdown) so markdownlint passes and docs remain
consistent, locating the fenced block that starts with "REFACTORING REPORT" and
changing the triple-backtick opening to include the chosen language.
In @.github/agents/security.agent.md:
- Around line 61-71: The fenced code block in the SECURITY AUDIT REPORT template
(the triple-backtick block starting at the report header) lacks a language
identifier, causing markdownlint MD040; update the opening fence to include a
language (e.g., add "text" after the backticks) so the block becomes a labeled
fenced code block and re-run linting to confirm the MD040 issue is resolved.
In @.github/CODEOWNERS:
- Line 4: Replace the single-user CODEOWNERS entry "* `@ashsolei`" with the
documented engineering team owner by updating that line to use the team
identifier "AiFeatures/ai-engineering" (replace the exact token "* `@ashsolei`"
found in the CODEOWNERS file with the team string), ensuring future PRs route
reviews to the shared team rather than an individual.
In @.github/copilot-setup-steps.yml:
- Around line 1-34: The repository has two divergent Copilot setup workflows
(the workflow named "Copilot Setup Steps" with the job "setup" and steps like
"Install Node dependencies", "Install Python dependencies", and "Install Go
dependencies") causing duplication and drift; consolidate by keeping a single
source-of-truth workflow: either remove this duplicate workflow file or merge
its intended steps into the existing copilot setup workflow, ensuring identical
install behavior (node, python, go steps) and consistent versions/flags across
the retained workflow; update or delete the redundant "Copilot Setup Steps"
workflow so only one workflow defines the copilot setup logic.
In @.github/workflows/copilot-setup-steps.yml:
- Around line 10-55: Replace the bespoke setup job and its steps (the jobs:
setup block that contains steps like "Checkout repository", "Setup Node.js",
"Install npm dependencies", "Setup Python", "Install Python dependencies",
"Setup Go", "Install Go modules") with calls to the mandated reusable enterprise
workflow and composite actions: invoke Ai-road-4-You/enterprise-ci-cd@v1 for the
CI setup (using its reusable workflow entry) and call
Ai-road-4-You/github-actions@v1 composite actions for language/runtime setup
where required, removing the manual actions/install commands and mapping any
inputs (node-version, python-version, go-version, etc.) to the approved workflow
inputs so the job delegates to the enterprise implementations instead of running
custom install steps.
- Around line 25-55: The workflow currently hides errors by redirecting stderr
and masking failures (patterns '2>/dev/null' and '|| true') in the steps named
"Install npm dependencies", "Install Python dependencies", and "Install Go
modules"; update those steps to remove the '2>/dev/null' redirections and the
'|| true' fallbacks so that dependency installation commands (npm ci/npm
install, pip install, go mod download) fail the job on error (i.e., let the
commands exit non‑zero), or explicitly handle errors by failing (e.g., replace
'|| true' with a failing safeguard), ensuring failures are surfaced instead of
being swallowed.
In `@AGENTS.md`:
- Around line 1-49: The file name AGENTS.md violates the repository kebab-case
rule — rename the file from "AGENTS.md" to "agents.md" and update any references
to it (e.g., README links or docs lists) so they point to "agents.md"; ensure
the change is made on a feature branch and follows conventional commit messaging
(e.g., "chore: rename AGENTS.md to agents.md") and run lint/tests before pushing
the PR.
In `@CLAUDE.md`:
- Line 25: The CLAUDE.md line that lists supported conventional commit types
currently omits two learned types; update the text that begins "Conventional
commits:" (the line listing commit types) to include refactor: and test: so it
reads: feat:, fix:, chore:, docs:, refactor:, test:.
- Around line 13-15: Update the contradictory branch-policy guidance by removing
or replacing the line "Local changes live on the main branch" in CLAUDE.md and
instead state that direct pushes to main are prohibited and all changes must be
submitted via pull requests (PRs) against protected main with required reviews;
keep the other bullets (Do NOT create PRs back to upstream / Upstream sync
managed by Ai-road-4-You/fork-sync) consistent with that flow and ensure the
language explicitly references "protected main — PRs required" and "never push
directly to main".
In `@wren-ui/package.json`:
- Line 32: Update the package.json dependency for "eslint-config-next" to match
the "next" version declared ("15.5.14") to keep versions consistent; locate the
dependencies block where "next": "15.5.14" and "eslint-config-next": "14.2.21"
are declared and change the "eslint-config-next" value to "15.5.14" (or to the
exact matching range used for "next") so lint rules align with Next.js 15.
---
Nitpick comments:
In @.github/agents/code-quality.agent.md:
- Around line 61-63: Update the Black CLI invocation so its line length matches
the repository lint baseline: replace the current "black --line-length 100"
usage in the .github/agents/code-quality.agent.md workflow fragment with the
Black configuration that uses 88 columns to match wren-ai-service/ruff.toml;
ensure the literal "black --line-length 100" string is removed/updated so Black
and Ruff share "line-length = 88".
In @.github/agents/deploy.agent.md:
- Line 50: Update the checklist item "Config/secrets in place" to explicitly
reference Infisical so reviewers know the expected secret management solution;
replace or augment that line (the checklist entry "Config/secrets in place")
with a clear item such as "Infisical secrets configured and accessible" and
optionally include a brief pointer to required Infisical env vars or setup steps
to validate access.
In @.github/agents/developer.agent.md:
- Around line 40-45: The fenced code block containing the numbered verification
steps lacks a language identifier; update the triple-backtick fence that wraps
the list in .github/agents/developer.agent.md to include a language tag (e.g.,
```text) so the block renders and lints correctly, ensuring the existing lines
"1. Syntax check..." through "4. Run relevant tests" remain unchanged.
In @.github/agents/orchestrator.agent.md:
- Around line 48-54: The fenced code block for the "EXECUTION PLAN" template is
missing a language identifier; update the opening fence for that block (the one
starting with ``` above the "EXECUTION PLAN: <Feature Name>" content) to include
a language token such as text (e.g., change ``` to ```text) so the block renders
and lints correctly while preserving the existing template lines like "EXECUTION
PLAN: <Feature Name>" and "Step 1: [DOMAIN] → Agent: <name>".
In @.github/agents/planner.agent.md:
- Around line 166-173: The fenced NEVER rules block in
.github/agents/planner.agent.md is missing a language identifier which triggers
lint warnings; update the triple-backtick opener for that block (the one
containing the list entries like "✗ Skip risk assessment", "✗ Create a plan
without checking existing code", etc.) to include a language (e.g., change ```
to ```text) so the markdown linter treats it as a plain text code block.
- Around line 22-28: The fenced code block containing the checklist (the block
that begins with "☐ Understand the full scope of the request" and lists
checklist items) lacks a language identifier; update that block to include a
language such as text or markdown (e.g., change ``` to ```text) so markdown
linters recognize it properly and improve linting compliance while leaving the
checklist content unchanged.
- Around line 57-89: The fenced code block in the planner template is missing a
language identifier which trips markdown linters and reduces clarity—add a
language tag (e.g., "text") to the opening ``` fence for the block shown under
"Phase 1: Foundation"; and update the "Phase 4: Quality" checklist item
"Security audit (auth, RLS, input validation)" to explicitly include secret
verification (e.g., "verify no hardcoded secrets / secret management") so the
security audit step covers checking for hardcoded credentials and proper secret
management.
- Around line 99-107: Update the "### 5. Risk Assessment" section by adding a
new bullet about secret management to the existing "Flag these common risks"
list: add "- **Secret management**: Hardcoded credentials, improper rotation,
secrets in repo or logs, and lack of a secrets manager (e.g., Infisical)
increase breach risk; verify use of secure secret storage, encryption, rotation,
and access controls." This will explicitly surface hardcoded secrets and
improper secret handling as a named risk alongside the existing bullets.
- Line 50: Update the "Security audit" row in the planner.agent.md table (the
row currently showing "All new files | OWASP checks, RLS verification") to
explicitly include secret management checks: add validation for hardcoded
secrets, verification of environment variable usage, and confirmation that
Infisical (or other secret manager) is correctly integrated and referenced;
ensure the row text mentions "hardcoded secrets", "env var usage/validation",
and "Infisical secret management verification" so reviewers know to run those
checks.
In @.github/agents/reviewer.agent.md:
- Around line 64-82: Update the fenced code block in
.github/agents/reviewer.agent.md to include a language identifier by replacing
the opening triple backticks with ```text (so the template block begins with
```text and ends with ```), ensuring the CODE REVIEW template renders and lints
correctly; edit the existing template block containing "CODE REVIEW\nFiles
reviewed: N | Lines changed: +N / -N" to use the language-tagged fence.
In @.github/agents/tester.agent.md:
- Around line 53-67: Update the fenced code block in the tester.agent.md
template to include a language identifier (e.g., "text") so it renders and lints
correctly; locate the triple-backtick block in .github/agents/tester.agent.md
(the TEST REPORT template) and change the opening fence from ``` to ```text so
the block is explicitly marked as plain text.
In @.github/agents/troubleshoot.agent.md:
- Around line 22-42: The fenced code block containing the decision-tree diagram
is missing a language identifier; update the opening backticks for that block
(the triple-backtick fence used for the decision tree) to include a language
such as "text" (e.g., change ``` to ```text) so the diagram renders and lints
correctly; locate the decision-tree diagram in
.github/agents/troubleshoot.agent.md and add the identifier to the opening
fence.
- Around line 62-69: Update the fenced code block that begins with the text
"INCIDENT REPORT" to include a language identifier (use "text") so the block
starts with ```text instead of ```, ensuring proper rendering and linting;
search for the block containing the "INCIDENT REPORT" header in the agent
troubleshooting doc and replace the opening fence accordingly (also update any
other identical incident-report blocks in that section).
In @.github/copilot-instructions.md:
- Around line 17-24: Remove the duplicate kebab-case rule by consolidating the
two bullets into one: keep either "- Use kebab-case for file and directory
names" or "- All file names in kebab-case" and delete the other so the
conventions list contains a single, clear kebab-case entry; update the remaining
bullet to cover both files and directories if needed (e.g., use the first form)
to avoid redundancy.
In @.gitignore:
- Around line 84-87: Consolidate the duplicate .env ignore entries by removing
repeated patterns and keeping a single, clear block that covers all variants
(e.g., .env*, .env*.local, .env.ai) so precedence mistakes are avoided; update
the existing .gitignore entries that reference ".env*", ".env*.local" and
".env.ai" to a single grouped section and remove the redundant lines elsewhere
in the file.
In `@FORK-CUSTOMIZATIONS.md`:
- Line 1: The file FORK-CUSTOMIZATIONS.md uses non-kebab-case; rename it to
fork-customizations.md to comply with the repository naming convention, update
any internal references (links/imports) that point to FORK-CUSTOMIZATIONS.md to
the new kebab-case name, and perform the change with git mv and a clear commit
message (e.g., "rename: FORK-CUSTOMIZATIONS.md -> fork-customizations.md").
In `@wren-ai-service/src/audit_trail.py`:
- Around line 60-64: The _enabled flag is toggled in enable() and disable()
without using the same lock that protects _entries, which can create a race with
record(); wrap the assignments to self._enabled inside the existing lock (use
the same lock object used by record(), e.g. self._lock) so enable() and
disable() acquire the lock, set the boolean, then release it to ensure atomic
visibility with record() checks.
- Around line 73-78: The get() method performs a linear scan over self._entries
under self._lock which is O(n); add an auxiliary dictionary index (e.g.,
self._index: dict[str, AuditEntry]) kept in sync with append/remove operations
to enable O(1) lookups: update the code paths that add entries (where
self._entries is appended) to also set self._index[e.query_id] = e, update any
deletion/truncation to remove keys from self._index, and change get(self,
query_id) to return self._index.get(query_id) while still using self._lock to
protect both structures; ensure AuditEntry.query_id is used as the dict key and
preserve existing thread-safety semantics.
In `@wren-launcher/go.mod`:
- Around line 24-212: The PR updates many indirect dependencies in go.mod which
can introduce regressions; run the full test suite, exercise Docker Compose
flows (particularly the functions in utils/docker.go), and validate launcher
end-to-end in development and staging to catch compatibility issues; if tests or
Compose scenarios fail, identify the offending transitive upgrade by bisecting
changes in go.mod and pin or rollback the specific module(s) causing failures,
then re-run tests and environment validations before merging.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: e4ec75b7-8acd-4a99-b0d6-02bc29d35ca4
⛔ Files ignored due to path filters (3)
wren-ai-service/poetry.lockis excluded by!**/*.lockwren-launcher/go.sumis excluded by!**/*.sumwren-ui/yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (45)
.github/CODEOWNERS.github/agents/api.agent.md.github/agents/architect.agent.md.github/agents/code-quality.agent.md.github/agents/deploy.agent.md.github/agents/developer.agent.md.github/agents/docker.agent.md.github/agents/docs.agent.md.github/agents/git.agent.md.github/agents/orchestrator.agent.md.github/agents/performance.agent.md.github/agents/planner.agent.md.github/agents/refactorer.agent.md.github/agents/reviewer.agent.md.github/agents/security.agent.md.github/agents/tester.agent.md.github/agents/troubleshoot.agent.md.github/copilot-instructions.md.github/copilot-setup-steps.yml.github/dependabot.yml.github/workflows/ai-service-release-image.yaml.github/workflows/ai-service-release-nightly-image.yaml.github/workflows/ai-service-release-stable-image.yaml.github/workflows/ai-service-test.yaml.github/workflows/copilot-setup-steps.yml.github/workflows/create-rc-release-pr.yaml.github/workflows/create-rc-release.yaml.github/workflows/pr-tagger.yaml.github/workflows/pull-request-title-validator.yaml.github/workflows/ui-lint.yaml.github/workflows/ui-release-image-stable.yaml.github/workflows/ui-release-image.yaml.github/workflows/ui-test.yaml.github/workflows/wren-launcher-ci.yaml.gitignoreAGENTS.mdCLAUDE.mdFORK-CUSTOMIZATIONS.mdwren-ai-service/pyproject.tomlwren-ai-service/src/audit_trail.pywren-ai-service/tests/test_audit_trail.pywren-ai-service/tools/dev/.envwren-ai-service/tools/dev/.env.examplewren-launcher/go.modwren-ui/package.json
💤 Files with no reviewable changes (14)
- wren-ai-service/tools/dev/.env
- .github/workflows/pull-request-title-validator.yaml
- .github/workflows/ui-test.yaml
- .github/workflows/create-rc-release.yaml
- .github/workflows/ai-service-release-nightly-image.yaml
- .github/workflows/create-rc-release-pr.yaml
- .github/workflows/pr-tagger.yaml
- .github/workflows/ui-release-image.yaml
- .github/workflows/ai-service-test.yaml
- .github/workflows/ui-release-image-stable.yaml
- .github/workflows/ai-service-release-stable-image.yaml
- .github/workflows/wren-launcher-ci.yaml
- .github/workflows/ui-lint.yaml
- .github/workflows/ai-service-release-image.yaml
Comment on lines
+34
to
+50
| ``` | ||
| ARCHITECTURE REVIEW | ||
| Scope: [what was analyzed] | ||
| Verdict: APPROVED / CONCERNS / BLOCKED | ||
|
|
||
| Strengths: | ||
| - ... | ||
|
|
||
| Concerns: | ||
| | # | Area | Issue | Impact | Recommendation | | ||
| |---|------|-------|--------|---------------| | ||
|
|
||
| Decision Record: | ||
| - Context: [why this decision matters] | ||
| - Decision: [what is recommended] | ||
| - Consequences: [trade-offs accepted] | ||
| ``` |
Contributor
There was a problem hiding this comment.
Specify a language on the architecture output-format fence.
The fenced block starting at Line 34 should include a language tag (e.g., text) to satisfy markdownlint MD040.
🧰 Tools
🪛 markdownlint-cli2 (0.22.0)
[warning] 34-34: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/agents/architect.agent.md around lines 34 - 50, The fenced code
block under the "ARCHITECTURE REVIEW" section in
.github/agents/architect.agent.md is missing a language tag; update that
triple-backtick fence (the block containing "ARCHITECTURE REVIEW", "Scope",
"Verdict", etc.) to include a language identifier such as text or md (e.g.,
change ``` to ```text) to satisfy markdownlint rule MD040.
Comment on lines
+173
to
+215
| ``` | ||
| CODE QUALITY REPORT | ||
| =================== | ||
| Project: [path] | Date: [date] | ||
|
|
||
| PYTHON | ||
| ------ | ||
| ruff: 12 issues found, 10 auto-fixed | ||
| mypy: 3 type errors (manual fix required) | ||
| - backend/api/routes.py:45: Argument 1 has incompatible type "str"; expected "int" | ||
|
|
||
| JAVASCRIPT/TYPESCRIPT | ||
| --------------------- | ||
| ESLint: 5 issues found, 3 auto-fixed | ||
| Prettier: 8 files reformatted | ||
| tsc: 0 errors | ||
|
|
||
| GO | ||
| -- | ||
| go vet: 0 issues | ||
| gofmt: 2 files reformatted | ||
|
|
||
| SHELL | ||
| ----- | ||
| shellcheck: 2 warnings | ||
| - scripts/deploy.sh:15: Double quote to prevent globbing [SC2086] | ||
|
|
||
| YAML | ||
| ---- | ||
| yamllint: 1 warning | ||
| - docker-compose.yml:8: wrong indentation: expected 4 but found 2 | ||
|
|
||
| DOCKERFILE | ||
| ---------- | ||
| hadolint: 1 warning | ||
| - Dockerfile:3: DL3008 Pin versions in apt-get install | ||
|
|
||
| SUMMARY | ||
| ------- | ||
| Auto-fixed: 23 issues across 8 files | ||
| Manual fix: 6 issues remaining (see above) | ||
| Files modified: [list] | ||
| ``` |
Contributor
There was a problem hiding this comment.
Specify a language for the report template fence.
The fenced block beginning at Line 173 should include a language tag (e.g., text) to satisfy markdownlint MD040.
🧰 Tools
🪛 markdownlint-cli2 (0.22.0)
[warning] 173-173: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/agents/code-quality.agent.md around lines 173 - 215, The fenced code
block that starts with the "CODE QUALITY REPORT" header is missing a language
tag which triggers markdownlint MD040; update the opening triple-backtick fence
(the one immediately before "CODE QUALITY REPORT") to include a language
identifier such as text or plaintext (e.g., change ``` to ```text) so the block
is explicitly typed and the linter warning is resolved.
Comment on lines
+8
to
+23
| # Docker Specialist — Homey Automation | ||
|
|
||
| You are a Docker expert specializing in multi-service orchestration, healthchecks, and resource-constrained deployments. | ||
|
|
||
| ## Project Context | ||
|
|
||
| Docker files: | ||
| - `Dockerfile` — Node.js container build | ||
| - `docker-compose.yml` — Multi-service orchestration | ||
| - `.dockerignore` — Files to exclude from build | ||
|
|
||
| Services: | ||
| - **dashboard** — Express + Socket.IO server (port 3001) | ||
| - **scheduler** — node-cron automation runner | ||
| - **watchtower** — Auto-restart on image rebuild | ||
|
|
Contributor
There was a problem hiding this comment.
Replace unrelated project-specific context with repo-agnostic or WrenAI-specific guidance.
Lines 8–23 are scoped to “Homey Automation” and services not present in this PR context, which can misdirect automated changes and operational commands.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/agents/docker.agent.md around lines 8 - 23, Replace the Homey
Automation–specific header and service list with repo-agnostic or
WrenAI-specific guidance: remove the "Docker Specialist — Homey Automation"
title and any mentions of the Homey project, replace the enumerated services
("dashboard", "scheduler", "watchtower") with either generic multi-service roles
or WrenAI-relevant service examples, and keep the filenames referenced
(Dockerfile, docker-compose.yml, .dockerignore) but describe their purpose
generically (Node.js build, orchestration, ignore patterns); ensure the
introduction focuses on multi-service orchestration, healthchecks, and
resource-constrained deployments rather than project-specific commands so
automated agents are not misdirected.
Comment on lines
+256
to
+257
| - [ ] **Dockerfile optimized** — Multi-stage build, layer caching | ||
| - [ ] **Minimal base image** — Alpine Linux |
Contributor
There was a problem hiding this comment.
Checklist says multi-stage build, but the provided Dockerfile example is single-stage.
This inconsistency makes the guidance self-contradictory; either update the example to multi-stage or relax the checklist item.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/agents/docker.agent.md around lines 256 - 257, The checklist claims
a multi-stage build but the "Dockerfile example" is single-stage; either update
the checklist or convert the example to a proper multi-stage Dockerfile. To fix:
edit the Dockerfile example to add a builder stage (e.g., "FROM node:XX AS
builder"), run build steps there, then add a minimal runtime stage (e.g., "FROM
alpine" or "FROM node:alpine") and "COPY --from=builder" the built artifacts
into it; keep the checklist items "- [ ] **Dockerfile optimized**" and "- [ ]
**Minimal base image**" consistent with the example. Ensure the example shows
layer-friendly steps (install dependencies, build, then copy artifacts) and uses
a minimal runtime image in the final stage.
Comment on lines
+14
to
+17
| - **Remote:** `github.com/ashsolei/cncf-kubernetes-dashboard` (private) | ||
| - **Default branch:** `main` | ||
| - **CLI:** `gh` (GitHub CLI, authenticated as `ashsolei`) | ||
|
|
Contributor
There was a problem hiding this comment.
Remove hardcoded repository identity from agent instructions.
Lines 14–17 hardcode a different repository context (cncf-kubernetes-dashboard), which can cause incorrect remote/CLI operations in this repo.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/agents/git.agent.md around lines 14 - 17, The agent instructions
currently hardcode repository identity strings ("**Remote:**
`github.com/ashsolei/cncf-kubernetes-dashboard`", "**Default branch:** `main`",
"**CLI:** `gh`"), which can cause wrong operations; update the
`.github/agents/git.agent.md` content to remove these hardcoded values and
replace them with generic placeholders or dynamic detection instructions (e.g.,
use git remote get-url origin, environment variables, or gh repo view to
determine remote and branch) and reference the existing markers "**Remote:**",
"**Default branch:**" and "**CLI:**" so the agent uses runtime-detected
repository/branch/CLI context instead of the fixed values.
Comment on lines
+25
to
+55
| - name: Install npm dependencies | ||
| run: | | ||
| if [ -f package-lock.json ] || [ -f package.json ]; then | ||
| npm ci --ignore-scripts 2>/dev/null || npm install --ignore-scripts 2>/dev/null || true | ||
| fi | ||
|
|
||
| # ── Python ── | ||
| - name: Setup Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.12" | ||
|
|
||
| - name: Install Python dependencies | ||
| run: | | ||
| if [ -f requirements.txt ]; then | ||
| pip install -r requirements.txt 2>/dev/null || true | ||
| elif [ -f pyproject.toml ]; then | ||
| pip install -e ".[dev]" 2>/dev/null || pip install -e . 2>/dev/null || true | ||
| fi | ||
|
|
||
| # ── Go ── | ||
| - name: Setup Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: "stable" | ||
|
|
||
| - name: Install Go modules | ||
| run: | | ||
| if [ -f go.mod ]; then | ||
| go mod download 2>/dev/null || true | ||
| fi |
Contributor
There was a problem hiding this comment.
Do not swallow dependency setup failures.
2>/dev/null plus || true hides real breakages and can leave the environment partially configured without visibility. Fail fast here so setup problems are actionable.
Suggested hardening
- npm ci --ignore-scripts 2>/dev/null || npm install --ignore-scripts 2>/dev/null || true
+ npm ci --ignore-scripts || npm install --ignore-scripts
@@
- pip install -r requirements.txt 2>/dev/null || true
+ pip install -r requirements.txt
@@
- pip install -e ".[dev]" 2>/dev/null || pip install -e . 2>/dev/null || true
+ pip install -e ".[dev]" || pip install -e .
@@
- go mod download 2>/dev/null || true
+ go mod download🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/copilot-setup-steps.yml around lines 25 - 55, The workflow
currently hides errors by redirecting stderr and masking failures (patterns
'2>/dev/null' and '|| true') in the steps named "Install npm dependencies",
"Install Python dependencies", and "Install Go modules"; update those steps to
remove the '2>/dev/null' redirections and the '|| true' fallbacks so that
dependency installation commands (npm ci/npm install, pip install, go mod
download) fail the job on error (i.e., let the commands exit non‑zero), or
explicitly handle errors by failing (e.g., replace '|| true' with a failing
safeguard), ensuring failures are surfaced instead of being swallowed.
Comment on lines
+1
to
+49
| # AI Agent Instructions | ||
|
|
||
| ## Repository: WrenAI | ||
|
|
||
| - **Organization**: AiFeatures | ||
| - **Enterprise**: iAiFy | ||
|
|
||
| ## Shared Infrastructure | ||
|
|
||
| | Resource | Reference | | ||
| |---|---| | ||
| | Reusable workflows | `Ai-road-4-You/enterprise-ci-cd@v1` | | ||
| | Composite actions | `Ai-road-4-You/github-actions@v1` | | ||
| | Governance docs | `Ai-road-4-You/governance` | | ||
| | Repo templates | `Ai-road-4-You/repo-templates` | | ||
|
|
||
| ## Conventions | ||
|
|
||
| 1. Use **conventional commits** (`feat:`, `fix:`, `chore:`, `docs:`, `refactor:`, `test:`) | ||
| 2. Create **feature branches** for all changes | ||
| 3. Never push directly to `main` | ||
| 4. Run tests before submitting PR | ||
| 5. Keep dependencies updated via Dependabot | ||
| 6. All file names in **kebab-case** | ||
|
|
||
| ## Quality Gates | ||
|
|
||
| Before merging any PR: | ||
|
|
||
| - [ ] Lint passes | ||
| - [ ] Tests pass (if test suite exists) | ||
| - [ ] No new security vulnerabilities | ||
| - [ ] PR has meaningful description | ||
| - [ ] Conventional commit messages used | ||
|
|
||
| ## Branch Strategy | ||
|
|
||
| - `main` — Production-ready, protected | ||
| - `feature/*` — New features | ||
| - `fix/*` — Bug fixes | ||
| - `chore/*` — Maintenance | ||
|
|
||
| ## Agent Guardrails | ||
|
|
||
| - Maximum autonomous change: single file or single PR | ||
| - No force pushes | ||
| - No branch deletion without approval | ||
| - No secrets in code or commits | ||
| - All agent changes must be traceable via commit author |
Contributor
There was a problem hiding this comment.
Rename file to follow kebab-case convention.
The filename AGENTS.md violates the repository's kebab-case naming convention. It should be agents.md.
As per coding guidelines: "All file names must use kebab-case"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@AGENTS.md` around lines 1 - 49, The file name AGENTS.md violates the
repository kebab-case rule — rename the file from "AGENTS.md" to "agents.md" and
update any references to it (e.g., README links or docs lists) so they point to
"agents.md"; ensure the change is made on a feature branch and follows
conventional commit messaging (e.g., "chore: rename AGENTS.md to agents.md") and
run lint/tests before pushing the PR.
Comment on lines
+13
to
+15
| - Do NOT create PRs back to upstream | ||
| - Local changes live on the main branch | ||
| - Upstream sync managed by Ai-road-4-You/fork-sync |
Contributor
There was a problem hiding this comment.
Fix branch-policy guidance (currently contradicts protected-main workflow).
Line 14 should not instruct contributors that local changes live on main; this conflicts with required PR-based flow and no direct pushes.
Based on learnings: "Never push directly to main branch" and "Branch protection on main — PRs required".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@CLAUDE.md` around lines 13 - 15, Update the contradictory branch-policy
guidance by removing or replacing the line "Local changes live on the main
branch" in CLAUDE.md and instead state that direct pushes to main are prohibited
and all changes must be submitted via pull requests (PRs) against protected main
with required reviews; keep the other bullets (Do NOT create PRs back to
upstream / Upstream sync managed by Ai-road-4-You/fork-sync) consistent with
that flow and ensure the language explicitly references "protected main — PRs
required" and "never push directly to main".
|
|
||
| ## Conventions | ||
|
|
||
| - Conventional commits: feat:, fix:, chore:, docs: |
Contributor
There was a problem hiding this comment.
Expand conventional commit types in the doc.
Line 25 omits refactor: and test: from the learned repo convention set.
Based on learnings: "Use conventional commits with types: feat:, fix:, chore:, docs:, refactor:, test:".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@CLAUDE.md` at line 25, The CLAUDE.md line that lists supported conventional
commit types currently omits two learned types; update the text that begins
"Conventional commits:" (the line listing commit types) to include refactor: and
test: so it reads: feat:, fix:, chore:, docs:, refactor:, test:.
| "micro": "^9.4.1", | ||
| "micro-cors": "^0.1.1", | ||
| "next": "14.2.35", | ||
| "next": "15.5.14", |
Contributor
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify Next/eslint-config-next compatibility and published versions
npm view next@15.5.14 version
npm view eslint-config-next@15.5.14 version
npm view eslint-config-next@14.2.21 peerDependencies --json
npm view eslint-config-next@15.5.14 peerDependencies --jsonRepository: Canner/WrenAI
Length of output: 208
🏁 Script executed:
cd wren-ui && grep -n "\"next\"\|\"eslint-config-next\"\|\"eslint\"\|\"axios\"\|\"lodash\"" package.json | head -20Repository: Canner/WrenAI
Length of output: 254
🏁 Script executed:
cd wren-ui && sed -n '21p;28p;32p;71p;99p;109p' package.jsonRepository: Canner/WrenAI
Length of output: 212
Update eslint-config-next to match next version for consistency.
Line 32 upgrades Next.js to 15.5.14, but eslint-config-next remains at 14.2.21. While the peer dependencies are currently satisfied (eslint ^8 works with both), this version mismatch creates unnecessary divergence during dependency resolution and may not receive lint configurations tailored for Next.js 15.
Suggested fix
- "eslint-config-next": "14.2.21",
+ "eslint-config-next": "15.5.14",🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@wren-ui/package.json` at line 32, Update the package.json dependency for
"eslint-config-next" to match the "next" version declared ("15.5.14") to keep
versions consistent; locate the dependencies block where "next": "15.5.14" and
"eslint-config-next": "14.2.21" are declared and change the "eslint-config-next"
value to "15.5.14" (or to the exact matching range used for "next") so lint
rules align with Next.js 15.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
.envfiles with real secrets from git tracking.env.examplefiles with placeholder values.gitignoreto prevent future .env commitsAfter merge
infisical loginto authenticateinfisical export --env=dev > .envto get secrets locallyinfisical run --env=dev -- docker compose upfor direct injectionSecurity
git filter-repoto purge history🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Chores
aiohttp,streamlit,axios,lodash,Next.js, and Go modules for security and performance improvements.