不再直接使用pip install 而是使用uv管理venv并安装依赖,避免破坏linux系统依赖

[Uber-Eins]

因为遇到了这个问题，一看代码发现看起来像是uv pip compile的风格，但是残留了一些直接pip install 的部分；在linux上（如Arch Linux）这可能破坏由包管理器管理的系统层级依赖；使用uv的venv是更加现代化的解决方式
2026-05-23_launcher.txt

Summary by Sourcery

将 Linux 和 macOS 的依赖管理切换为使用由 uv 管理的虚拟环境，而不是将包安装到系统自带的 Python 中，并将启动器/图形界面（GUI）接入这一流程。

New Features:

• 添加一个基于 uv 的引导（bootstrap）模块，在运行应用前创建并同步本地 .venv，并根据平台安装对应的依赖。
• 自动检测平台相关的依赖文件，支持通过环境变量覆盖，并为 Linux/macOS 提供平台默认值。
• 自动将 Linux 部署配置重定向为使用本地 .venv 的 Python 可执行文件和平台锁定文件（lockfiles），而不是无界面（headless）requirements。

Enhancements:

• 在部署流水线中优先使用 uv 的 pip 操作，当 uv 不可用时保留安全的 pip 回退机制。
• 更新部署模板、配置更新工具以及安装文档，以说明基于 uv 的工作流以及跨平台使用 .venv 的方式。
• 调整 ADB 和 LLM 的错误消息，引导用户通过基于 uv 的引导模块刷新依赖，而不是手动执行 pip 命令。
• 确保 Linux 部署配置写入时始终使用正确的模板文件和 requirements 覆盖配置。

Original summary in English

Summary by Sourcery

Switch Linux and macOS dependency management to uv-managed virtual environments instead of installing packages into the system Python, and wire the launcher/GUI into this flow.

New Features:

• Add a uv-based bootstrap module that creates and syncs a local .venv with platform-specific requirements before running the app.
• Auto-detect platform-specific requirements files, with environment variable overrides and Linux/macOS-specific defaults.
• Automatically redirect Linux deploy configs to use the local .venv Python executable and platform lockfiles instead of headless requirements.

Enhancements:

• Prefer uv pip operations in the deployment pipeline while retaining a safe pip fallback when uv is unavailable.
• Update deployment templates, config updater, and installer docs to describe the uv-driven workflow and .venv usage across platforms.
• Adjust ADB and LLM error messages to instruct users to refresh dependencies via the uv-based bootstrap instead of manual pip commands.
• Ensure Linux deploy config writes consistently use the correct template file and requirements overrides.

[sourcery-ai]

Reviewer's Guide

将依赖管理切换为由 uv 管理的项目本地虚拟环境，新增 Linux/macOS 上自动 .venv 引导（bootstrap），优先使用 uv pip/sync 而不是直接 pip install，并在避免修改 Linux 上系统 Python 的前提下，让配置/文档和模板与新的工作流保持一致。

通过 ensure_uv_environment 引导 uv 环境的时序图

sequenceDiagram
    participant gui_py
    participant ensure_uv_environment
    participant sync_project_venv
    participant uv_cli
    participant venv_python

    gui_py->>ensure_uv_environment: ensure_uv_environment
    ensure_uv_environment-->>ensure_uv_environment: in_project_venv
    alt already in project venv or NO_BOOTSTRAP_ENV
        ensure_uv_environment-->>gui_py: return
    else needs bootstrap
        ensure_uv_environment->>sync_project_venv: sync_project_venv
        sync_project_venv-->>sync_project_venv: venv_path / venv_python
        sync_project_venv-->>sync_project_venv: requirements_path
        sync_project_venv-->>sync_project_venv: _needs_sync
        alt venv missing or out of date
            sync_project_venv->>uv_cli: _run [uv venv]
            sync_project_venv->>uv_cli: _run [uv pip sync]
        end
        sync_project_venv-->>ensure_uv_environment: complete
        ensure_uv_environment-->>venv_python: execv
    end

Loading

在 pip_install 中优先使用 execute_uv_pip 而不是 execute_pip 的时序图

sequenceDiagram
    participant PipManager as deploy_pip_py
    participant execute_uv_pip
    participant execute_pip
    participant uv_cli
    participant pip_module

    PipManager-->>PipManager: pip_install
    PipManager-->>PipManager: build uv_arg / pip_arg
    alt self.uv is available
        PipManager->>execute_uv_pip: execute_uv_pip(install --python self.python -r requirements_file + uv_arg)
        execute_uv_pip->>uv_cli: uv pip install
        alt uv returns error
            execute_uv_pip-->>PipManager: raise ExecutionError
        else success
            execute_uv_pip-->>PipManager: True
        end
    else uv not available
        alt sys.platform == win32
            PipManager->>execute_uv_pip: execute_uv_pip(install -r requirements_file + pip_arg)
            execute_uv_pip->>execute_pip: execute_pip(install -r requirements_file + pip_arg)
            execute_pip->>pip_module: python -m pip install
        else non-Windows
            PipManager->>execute_uv_pip: execute_uv_pip(install -r requirements_file + pip_arg)
            execute_uv_pip-->>PipManager: raise ExecutionError
        end
    end

Loading

File-Level Changes

Change	Details	Files
引入基于 uv 的环境引导器，并在非 Windows 入口点中使用它，确保代码在项目本地 .venv 中运行。	新增 deploy.uv 模块，用于发现项目根目录、管理 .venv 路径、检测是否在项目内 venv、中选择平台对应的 requirements 文件，并计算/快照 requirements 摘要以决定何时需要同步 实现 sync_project_venv，使用 uv venv 和 uv pip sync，并从 deploy.yaml 中获取镜像/SSL 设置 新增 ensure_uv_environment：在需要时准备 .venv，并在未通过环境变量禁用的情况下，使用 venv 的 python 重新执行脚本 在 gui.py 顶部调用 ensure_uv_environment，使 Linux/macOS GUI 启动时自动引导 .venv	deploy/uv.py gui.py
在部署流水线中优先使用 uv pip 进行依赖安装，并在必要时安全回退到 python -m pip，同时正确映射镜像/SSL 参数。	新增带缓存的 uv 可执行文件解析器，以及 execute_uv_pip 辅助函数，使其在日志和错误处理上与 execute_pip 保持一致 将 pip 镜像/SSL 选项拆分为 uv 专用和 pip 专用的参数列表，在合适的场景下将 trusted-host 映射为 uv 的 --allow-insecure-host 修改 pip_install：当 uv 可用时使用 uv pip install --python -r ，否则回退到使用历史参数的 python -m pip	deploy/pip.py
让部署配置和模板具备平台感知能力，使 Linux 默认使用 uv 管理的 venv 和平台锁定文件。	新增 get_deploy_template，在 Linux 上选择 Linux 专用的部署模板，并在 DeployConfig.read/write 中使用它替代硬编码的 DEPLOY_TEMPLATE 确保 write() 将 template_file 传入 poor_yaml_write，以保留所选模板的结构/注释 在 config_redirect 中，将指向 ./deploy/headless/requirements.txt 的 Linux RequirementsFile 归一化为 requirements-linux.txt，并回写到配置中 更新 Linux 部署模板 YAML，将 PythonExecutable 默认值设为 ./.venv/bin/python，将 RequirementsFile 默认值设为 requirements-linux.txt 更新 generate_deploy_template 在 Linux 下的默认值，使其与新的 venv 路径和 requirements-linux.txt 对齐	deploy/utils.py deploy/config.py config/deploy.template-linux.yaml config/deploy.template-linux-cn.yaml module/config/config_updater.py
将面向用户的文档和错误指引与 uv/.venv 工作流对齐，而不是直接使用 pip 或系统 Python。	更新 CLAUDE.md，描述基于 uv 的依赖管理，使用 uv pip sync 替代 uv pip install，并说明 Linux/macOS 入口点会自动引导 .venv，而不再需要 uv run 在 README.md 中记录 Linux/macOS 的启动行为，说明 python gui.py/alas.py 会创建 .venv 并同步平台 requirements，而不会修改系统 Python 在 deploy/Readme.md 中澄清：安装器通过 uv 引导 .venv 并同步平台 requirements，而不是安装到系统 Python 将 adb 错误恢复建议从手动 pip 卸载/安装改为重新运行启动器，或在 .venv 上使用 uv pip install 搭配 --reinstall-package 将 LLM 导入错误的解决建议从 pip install openai 改为重新运行入口脚本，让 uv 同步依赖 在 CLAUDE.md 中将 CI 描述从 uv pip install 调整为 uv pip sync，以匹配新的工作流	CLAUDE.md README.md deploy/Readme.md deploy/adb.py module/llm.py

Possibly linked issues

• #：该 PR 引入基于 uv 的 .venv 引导和 Linux 模板，直接解决了该 issue 中展示的启动器准备失败问题。

---

Tips and commands

Interacting with Sourcery

• 触发新评审： 在 pull request 中评论 @sourcery-ai review。
• 继续讨论： 直接回复 Sourcery 的评审评论。
• 从评审评论生成 GitHub issue： 在某条评审评论下回复，要求 Sourcery 根据该评论创建 issue。你也可以直接回复 @sourcery-ai issue 来基于该评论创建 issue。
• 生成 pull request 标题： 在 pull request 标题的任意位置写上 @sourcery-ai 即可随时生成标题。也可以在 pull request 中评论 @sourcery-ai title 来（重新）生成标题。
• 生成 pull request 总结： 在 pull request 正文任意位置写上 @sourcery-ai summary，即可在指定位置生成 PR 总结。也可以在 pull request 中评论 @sourcery-ai summary 来随时（重新）生成总结。
• 生成审阅指南： 在 pull request 中评论 @sourcery-ai guide，即可随时（重新）生成审阅指南。
• 一次性解决所有 Sourcery 评论： 在 pull request 中评论 @sourcery-ai resolve，即可将所有 Sourcery 评论标记为已解决。如果你已经处理完所有评论且不想再看到它们，这会很有用。
• 忽略所有 Sourcery 评审： 在 pull request 中评论 @sourcery-ai dismiss，即可忽略所有现有的 Sourcery 评审。如果你想从头开始一次新的评审，这尤其有用 —— 别忘了随后再评论 @sourcery-ai review 来触发新评审！

Customizing Your Experience

访问你的 dashboard 以：

• 启用或禁用评审功能，例如 Sourcery 自动生成的 pull request 总结、审阅指南等。
• 更改评审语言。
• 添加、移除或编辑自定义评审指令。
• 调整其他评审设置。

Getting Help

• 联系我们的支持团队 以获取帮助或反馈意见。
• 访问我们的文档，阅读详细指南和更多信息。
• 通过关注我们的 X/Twitter、LinkedIn 或 GitHub 与 Sourcery 团队保持联系。

Original review guide in English

Reviewer's Guide

Switches dependency management to a uv-managed project-local virtualenv, adds automatic .venv bootstrapping on Linux/macOS, prefers uv pip/sync over direct pip install, and aligns configs/docs and templates with the new workflow while avoiding mutations to system Python on Linux.

Sequence diagram for uv environment bootstrap via ensure_uv_environment

sequenceDiagram
    participant gui_py
    participant ensure_uv_environment
    participant sync_project_venv
    participant uv_cli
    participant venv_python

    gui_py->>ensure_uv_environment: ensure_uv_environment
    ensure_uv_environment-->>ensure_uv_environment: in_project_venv
    alt already in project venv or NO_BOOTSTRAP_ENV
        ensure_uv_environment-->>gui_py: return
    else needs bootstrap
        ensure_uv_environment->>sync_project_venv: sync_project_venv
        sync_project_venv-->>sync_project_venv: venv_path / venv_python
        sync_project_venv-->>sync_project_venv: requirements_path
        sync_project_venv-->>sync_project_venv: _needs_sync
        alt venv missing or out of date
            sync_project_venv->>uv_cli: _run [uv venv]
            sync_project_venv->>uv_cli: _run [uv pip sync]
        end
        sync_project_venv-->>ensure_uv_environment: complete
        ensure_uv_environment-->>venv_python: execv
    end

Loading

Sequence diagram for pip_install preferring execute_uv_pip over execute_pip

sequenceDiagram
    participant PipManager as deploy_pip_py
    participant execute_uv_pip
    participant execute_pip
    participant uv_cli
    participant pip_module

    PipManager-->>PipManager: pip_install
    PipManager-->>PipManager: build uv_arg / pip_arg
    alt self.uv is available
        PipManager->>execute_uv_pip: execute_uv_pip(install --python self.python -r requirements_file + uv_arg)
        execute_uv_pip->>uv_cli: uv pip install
        alt uv returns error
            execute_uv_pip-->>PipManager: raise ExecutionError
        else success
            execute_uv_pip-->>PipManager: True
        end
    else uv not available
        alt sys.platform == win32
            PipManager->>execute_uv_pip: execute_uv_pip(install -r requirements_file + pip_arg)
            execute_uv_pip->>execute_pip: execute_pip(install -r requirements_file + pip_arg)
            execute_pip->>pip_module: python -m pip install
        else non-Windows
            PipManager->>execute_uv_pip: execute_uv_pip(install -r requirements_file + pip_arg)
            execute_uv_pip-->>PipManager: raise ExecutionError
        end
    end

Loading

File-Level Changes

Change	Details	Files
Introduce a uv-based environment bootstrapper and use it on non-Windows entry points to ensure code runs inside a project-local .venv.	Add deploy.uv module to discover project root, manage .venv paths, detect in-project venv, select platform requirements file, and compute/snapshot a requirements digest to decide when to sync Implement sync_project_venv using uv venv and uv pip sync with mirror/SSL settings derived from deploy.yaml Add ensure_uv_environment that prepares the .venv (if needed) and re-execs the script under the venv’s python unless disabled via environment flags Call ensure_uv_environment at the top of gui.py so Linux/macOS GUI startup bootstraps the .venv automatically	deploy/uv.py gui.py
Prefer uv pip for dependency installation in the deploy pipeline, with a safe fallback to python -m pip and proper mirror/SSL flag mapping.	Add cached uv executable resolver and execute_uv_pip helper mirroring execute_pip’s logging and error handling Split pip mirror/SSL options into uv-specific and pip-specific argument lists, mapping trusted-host to uv’s --allow-insecure-host where appropriate Change pip_install to use uv pip install --python -r when uv is available, otherwise fall back to python -m pip with the legacy flags	deploy/pip.py
Make deploy configuration and templates platform-aware so Linux uses the uv-managed venv and platform lockfile by default.	Add get_deploy_template to choose a Linux-specific deploy template on Linux and use it inside DeployConfig.read/write instead of the hardcoded DEPLOY_TEMPLATE Ensure write() passes the template_file into poor_yaml_write to preserve structure/comments from the selected template In config_redirect, normalize Linux RequirementsFile values pointing at ./deploy/headless/requirements.txt to requirements-linux.txt and persist that back into the config Update linux deploy template YAMLs to default PythonExecutable to ./.venv/bin/python and RequirementsFile to requirements-linux.txt Update generate_deploy_template defaults for Linux to align with the new venv path and requirements-linux.txt	deploy/utils.py deploy/config.py config/deploy.template-linux.yaml config/deploy.template-linux-cn.yaml module/config/config_updater.py
Align user-facing docs and error guidance with the uv/.venv workflow instead of direct pip usage or system Python.	Update CLAUDE.md to describe uv-based dependency management, use uv pip sync instead of uv pip install, and explain that Linux/macOS entry points bootstrap .venv automatically instead of requiring uv run Document Linux/macOS startup in README.md, stating that python gui.py/alas.py will create .venv and sync platform requirements without touching system Python Clarify deploy/Readme.md to mention the installer bootstraps .venv with uv and syncs platform requirements instead of installing into system Python Change adb error remediation tips from manual pip uninstall/install steps to rerunning the launcher or invoking uv pip install with --reinstall-package against the .venv Change LLM import error guidance from pip install openai to rerun the entry script so uv syncs dependencies Adjust CI description in CLAUDE.md from uv pip install to uv pip sync to match the new workflow	CLAUDE.md README.md deploy/Readme.md deploy/adb.py module/llm.py

Possibly linked issues

• #: The PR introduces uv-based .venv bootstrapping and Linux templates, directly addressing launcher preparation failures shown in the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - 我找到了 4 个安全问题和 1 个其他问题，并留下了一些高层面的反馈：

安全问题：

• 检测到子进程函数 list2cmdline 在使用时没有使用静态字符串。如果这些数据可能被恶意行为者控制，那么可能会造成命令注入风险。请审计该调用的使用场景，确保它不能被外部资源控制。你可以考虑使用 shlex.escape()。(链接)
• 检测到子进程函数 Popen 在使用时没有使用静态字符串。如果这些数据可能被恶意行为者控制，那么可能会造成命令注入风险。请审计该调用的使用场景，确保它不能被外部资源控制。你可以考虑使用 shlex.escape()。(链接)
• 检测到子进程函数 list2cmdline 在使用时没有使用静态字符串。如果这些数据可能被恶意行为者控制，那么可能会造成命令注入风险。请审计该调用的使用场景，确保它不能被外部资源控制。你可以考虑使用 shlex.escape()。(链接)
• 检测到子进程函数 run 在使用时没有使用静态字符串。如果这些数据可能被恶意行为者控制，那么可能会造成命令注入风险。请审计该调用的使用场景，确保它不能被外部资源控制。你可以考虑使用 shlex.escape()。(链接)

总体评论：

• 在 DeployPython.pip_install 中，if self.uv: 的 else 分支在 self.uv 为假时仍然调用 self.execute_uv_pip；在非 Windows 平台上，这将总是触发 logger.critical 并抛出异常，而不是回退到 execute_pip。并且它还把 pip_arg（包括 --disable-pip-version-check）传给了 uv pip 而不是 python -m pip，这看起来像是 uv 路径和旧版路径之间的逻辑混用。
• 更新后的 ADB show_fix_tip 消息将 requirements-linux.txt 和类 Unix 的 venv 路径写死，这可能会让 macOS 或 Windows 用户感到困惑；建议按平台区分指令，或者使用 requirements_path/venv 辅助方法，让给出的命令与当前操作系统相匹配。

面向 AI Agent 的提示

请根据这次代码评审中的评论进行修改：

## 总体评论
- 在 `DeployPython.pip_install` 中，`if self.uv:` 的 `else` 分支在 `self.uv` 为假时仍然调用 `self.execute_uv_pip`；在非 Windows 平台上，这将总是触发 `logger.critical` 并抛出异常，而不是回退到 `execute_pip`。并且它还把 `pip_arg`（包括 `--disable-pip-version-check`）传给了 `uv pip` 而不是 `python -m pip`，这看起来像是 uv 路径和旧版路径之间的逻辑混用。
- 更新后的 ADB `show_fix_tip` 消息将 `requirements-linux.txt` 和类 Unix 的 venv 路径写死，这可能会让 macOS 或 Windows 用户感到困惑；建议按平台区分指令，或者使用 `requirements_path`/venv 辅助方法，让给出的命令与当前操作系统相匹配。

## 单独评论

### 评论 1
<location path="deploy/adb.py" line_range="21-22" />
<code_context>
-    3. Re-open Alas.exe
+    1. Re-run the launcher so uv can refresh the local .venv
+    2. If the problem persists, run:
+        uv pip install --python ./.venv/bin/python --reinstall-package {module} -r requirements-linux.txt
+    3. Re-open AzurPilot
     """)
</code_context>
<issue_to_address>
**suggestion:** 修复提示中硬编码的 Unix 风格 venv 路径可能会让 Windows 用户感到困惑。

这个提示使用了仅适用于 POSIX 的解释器路径（`./.venv/bin/python`），在 Windows 上会失败（应为 `.venv\\Scripts\\python.exe`）。如果这条消息在 Windows 上也会显示，就可能误导用户。请要么让路径/提示按平台区分，要么去掉 `--python`，让 `uv` 自行选择解释器。

```suggestion
    2. If the problem persists, run:
        uv pip install --reinstall-package {module} -r requirements-linux.txt
```
</issue_to_address>

### 评论 2
<location path="deploy/pip.py" line_range="98" />
<code_context>
        command = subprocess.list2cmdline(cmd)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** 检测到子进程函数 `list2cmdline` 在使用时没有使用静态字符串。如果这些数据可能被恶意行为者控制，那么可能会造成命令注入风险。请审计该调用的使用场景，确保它不能被外部资源控制。你可以考虑使用 `shlex.escape()`。

*Source: opengrep*
</issue_to_address>

### 评论 3
<location path="deploy/pip.py" line_range="100" />
<code_context>
        process = subprocess.Popen(cmd, shell=False)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** 检测到子进程函数 `Popen` 在使用时没有使用静态字符串。如果这些数据可能被恶意行为者控制，那么可能会造成命令注入风险。请审计该调用的使用场景，确保它不能被外部资源控制。你可以考虑使用 `shlex.escape()`。

*Source: opengrep*
</issue_to_address>

### 评论 4
<location path="deploy/uv.py" line_range="159" />
<code_context>
    print("+ " + subprocess.list2cmdline([str(part) for part in command]))
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** 检测到子进程函数 `list2cmdline` 在使用时没有使用静态字符串。如果这些数据可能被恶意行为者控制，那么可能会造成命令注入风险。请审计该调用的使用场景，确保它不能被外部资源控制。你可以考虑使用 `shlex.escape()`。

*Source: opengrep*
</issue_to_address>

### 评论 5
<location path="deploy/uv.py" line_range="160" />
<code_context>
    subprocess.run(command, cwd=str(root), check=True)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** 检测到子进程函数 `run` 在使用时没有使用静态字符串。如果这些数据可能被恶意行为者控制，那么可能会造成命令注入风险。请审计该调用的使用场景，确保它不能被外部资源控制。你可以考虑使用 `shlex.escape()`。

*Source: opengrep*
</issue_to_address>

---

Sourcery 对开源项目是免费的——如果你喜欢我们的评审，请考虑分享一下 ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{帮我变得更有用！请在每条评论上点击 👍 或 👎，我会根据你的反馈改进后续评审。}

Original comment in English

Hey - I've found 4 security issues, 1 other issue, and left some high level feedback:

Security issues:

• Detected subprocess function 'list2cmdline' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
• Detected subprocess function 'Popen' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
• Detected subprocess function 'list2cmdline' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
• Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)

General comments:

• In DeployPython.pip_install, the else branch for if self.uv: still calls self.execute_uv_pip when self.uv is falsy; on non-Windows platforms this will always logger.critical and raise instead of falling back to execute_pip, and it also passes pip_arg (including --disable-pip-version-check) to uv pip rather than to python -m pip, which looks like a logic mix-up between the uv and legacy paths.
• The updated ADB show_fix_tip message hardcodes requirements-linux.txt and a Unix-style venv path, which may confuse macOS or Windows users; consider branching the instructions by platform or using the requirements_path/venv helpers so the suggested command matches the current OS.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `DeployPython.pip_install`, the `else` branch for `if self.uv:` still calls `self.execute_uv_pip` when `self.uv` is falsy; on non-Windows platforms this will always `logger.critical` and raise instead of falling back to `execute_pip`, and it also passes `pip_arg` (including `--disable-pip-version-check`) to `uv pip` rather than to `python -m pip`, which looks like a logic mix-up between the uv and legacy paths.
- The updated ADB `show_fix_tip` message hardcodes `requirements-linux.txt` and a Unix-style venv path, which may confuse macOS or Windows users; consider branching the instructions by platform or using the `requirements_path`/venv helpers so the suggested command matches the current OS.

## Individual Comments

### Comment 1
<location path="deploy/adb.py" line_range="21-22" />
<code_context>
-    3. Re-open Alas.exe
+    1. Re-run the launcher so uv can refresh the local .venv
+    2. If the problem persists, run:
+        uv pip install --python ./.venv/bin/python --reinstall-package {module} -r requirements-linux.txt
+    3. Re-open AzurPilot
     """)
</code_context>
<issue_to_address>
**suggestion:** Hardcoded Unix-style venv path in the remediation tip may confuse Windows users.

This tip uses a POSIX-only interpreter path (`./.venv/bin/python`), which will fail on Windows (where it would be `.venv\Scripts\python.exe`). If this message is shown on Windows too, it could mislead users. Please either make the path/platform-specific or omit `--python` and rely on `uv` to choose the interpreter.

```suggestion
    2. If the problem persists, run:
        uv pip install --reinstall-package {module} -r requirements-linux.txt
```
</issue_to_address>

### Comment 2
<location path="deploy/pip.py" line_range="98" />
<code_context>
        command = subprocess.list2cmdline(cmd)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'list2cmdline' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

### Comment 3
<location path="deploy/pip.py" line_range="100" />
<code_context>
        process = subprocess.Popen(cmd, shell=False)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'Popen' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

### Comment 4
<location path="deploy/uv.py" line_range="159" />
<code_context>
    print("+ " + subprocess.list2cmdline([str(part) for part in command]))
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'list2cmdline' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

### Comment 5
<location path="deploy/uv.py" line_range="160" />
<code_context>
    subprocess.run(command, cwd=str(root), check=True)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request introduces uv for dependency management on Linux and macOS, implementing automatic .venv bootstrapping across the project's entry points. Key additions include deploy/uv.py for environment synchronization and updates to deploy/pip.py to utilize uv for package installation. Deployment templates and documentation have been updated to reflect the shift toward a managed local environment. Review feedback suggests adopting subprocess.run for more concise command execution, improving the robustness of configuration parsing, and clarifying the naming of dependency management methods.

[gemini-code-assist]

Using subprocess.run is generally preferred over Popen and communicate for simple command execution as it is more concise and handles process cleanup automatically.

Suggested change

	process = subprocess.Popen(cmd, shell=False)
	process.communicate()
	process = subprocess.run(cmd, shell=False)

[gemini-code-assist]

The manual YAML parsing using split(':', 1) is fragile. While it matches the 'poor yaml' style used elsewhere in the deployment scripts, it could fail if keys are not at the top level or if the file structure changes. Consider using a more robust parsing method if the configuration file complexity increases.

[gemini-code-assist]

The logic here calls execute_uv_pip regardless of whether uv was found. While execute_uv_pip handles the fallback to pip on Windows, the naming is slightly confusing. It might be clearer to rename execute_uv_pip to something more generic like execute_dependency_manager or explicitly call execute_pip here when self.uv is None.

[Beatrice-betty]

提交到dev分支，master分支不能直接推送

[wess09]

1. 首先 项目本身是基于pip的 只不过启动器是使用了uv
2. 请清理不相关的提交

[wess09]

现在这种方法算是临时的 因为adb什么的还是在 toolkit 里的 工作流也没大改 主要还是为了兼容性考虑

/deploy 基本上是pip的逻辑 uv是直接在启动器里搞的

[sourcery-ai]

New security issues found