agents/types/base_agent.py-12-12 (1)

12-12: ⚠️ Potential issue | 🟡 Minor

Fix non-optional type hints for parameters defaulting to None.

Parameters at lines 12 and 19 have Dict[str, Any] type hints but default to None, which weakens the type contract. Use Optional[Dict[str, Any]] (or Dict[str, Any] | None in Python 3.10+) to properly indicate they accept None.

Typing fix

-from typing import Dict, Any
+from typing import Dict, Any, Optional
 
 class Agent(abc.ABC):
@@
-    def __init__(self, agent_id: str, role: str, config: Dict[str, Any] = None):
+    def __init__(self, agent_id: str, role: str, config: Optional[Dict[str, Any]] = None):
@@
-    def run(self, input_data: Any, context: Dict[str, Any] = None) -> Dict[str, Any]:
+    def run(self, input_data: Any, context: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@agents/types/base_agent.py` at line 12, The __init__ signature in BaseAgent
uses non-optional Dict[str, Any] type hints for parameters that default to None;
update those parameters in BaseAgent.__init__ (e.g., the config parameter and
the other parameter on the same ctor) to Optional[Dict[str, Any]] or the Python
3.10+ union form Dict[str, Any] | None so the type hint matches the default
value of None and static type checkers won't complain.

platform/governance/quotas.py-34-38 (1)

34-38: ⚠️ Potential issue | 🟡 Minor

Quota usage accumulates indefinitely—no reset mechanism.

track_usage increments a Redis key that never resets. Without a TTL or periodic reset (e.g., monthly), users will eventually exhaust their quota permanently.

Would you like me to suggest a mechanism for periodic quota resets (e.g., using Redis key expiry or a scheduled reset job)?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/governance/quotas.py` around lines 34 - 38, track_usage currently
calls r.incrbyfloat(f"{self.key_prefix}{user_id}:usage", actual_hours) with no
expiry so quota accumulates forever; fix by ensuring a reset mechanism: either
set a TTL on the usage key when it's first created (use r.expire or r.set(...,
nx=True, ex=MONTH_SECONDS) after incr in track_usage) or implement a separate
reset method (e.g., reset_monthly_quota(user_id) or reset_all_quotas()) and run
it from a scheduled job/cron to clear or roll over keys; reference the
track_usage method, self.key_prefix and the Redis client r when adding the
expire or creating the scheduled reset.

ui/src/components/GPUHeatmap.tsx-23-26 (1)

23-26: ⚠️ Potential issue | 🟡 Minor

Potential runtime error if node.resources is undefined.

Accessing node.resources.vram_gb will throw if resources is missing or null. Also, the GPU is hardcoded to "NVIDIA A10G" regardless of actual hardware.

🛡️ Defensive access with actual GPU data

       <div className="mt-3 grid grid-cols-2 gap-2 text-[10px]">
-        <div className="text-gray-500">VRAM: <span className="text-gray-300">{node.resources.vram_gb}GB</span></div>
-        <div className="text-gray-500">GPU: <span className="text-gray-300">NVIDIA A10G</span></div>
+        <div className="text-gray-500">VRAM: <span className="text-gray-300">{node.resources?.vram_gb ?? 'N/A'}GB</span></div>
+        <div className="text-gray-500">GPU: <span className="text-gray-300">{node.resources?.gpu ?? 'Unknown'}</span></div>
       </div>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/components/GPUHeatmap.tsx` around lines 23 - 26, In GPUHeatmap.tsx fix
the unsafe access to node.resources.vram_gb and the hardcoded GPU string: change
the JSX that references node.resources.vram_gb to defensively read the value
(e.g. optional chaining or a fallback like node.resources?.vram_gb ?? '—') and
replace the hardcoded "NVIDIA A10G" with the actual GPU model from the node
(e.g. node.resources?.gpu_model ?? node.gpu?.model ?? 'Unknown GPU') so the
component won't throw when resources is undefined and displays a sensible
fallback.

platform/scheduler/state.py-53-58 (1)

53-58: ⚠️ Potential issue | 🟡 Minor

update_node_status silently fails if node doesn't exist.

If the node was concurrently deleted, hget returns None, and this function does nothing. Callers (like the scheduler after dispatch) may not know the update failed.

🛡️ Consider returning success status or logging

 def update_node_status(node_id, status):
     node_data_str = r.hget("grid_nodes", node_id)
     if node_data_str:
         node_data = json.loads(node_data_str)
         node_data["status"] = status
         r.hset("grid_nodes", node_id, json.dumps(node_data))
+        return True
+    else:
+        logger.warning(f"Cannot update status for missing node: {node_id}")
+        return False

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/scheduler/state.py` around lines 53 - 58, The update_node_status
function currently does nothing when r.hget("grid_nodes", node_id) is None;
change it to return a boolean success flag and surface a warning when the node
is missing: after calling r.hget("grid_nodes", node_id) check for None and if
missing call a logger (or r.logger) to warn that the node_id was not found and
return False; otherwise proceed with json.loads, update node_data["status"],
write back with r.hset and return True; keep function name update_node_status
and the use of "grid_nodes", r.hget, r.hset, json.loads and json.dumps so
callers can detect failure.

platform/audit/observer.py-27-31 (1)

27-31: ⚠️ Potential issue | 🟡 Minor

Incorrect default for missing created_at makes runtime always 0.

If created_at is missing, the code defaults to time.time(), making runtime = time.time() - time.time() ≈ 0. This silently masks the anomaly detection for jobs with missing timestamps.

🔧 Suggested fix

                 # 1. Runtime Anomaly
-                start_time = job_data.get("created_at", time.time())
+                start_time = job_data.get("created_at")
+                if start_time is None:
+                    logger.warning(f"Job {job_data['id']} missing created_at timestamp")
+                    continue
                 runtime = time.time() - start_time

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/audit/observer.py` around lines 27 - 31, The code uses time.time()
as the default for job_data["created_at"], which makes runtime ≈ 0 when the
timestamp is missing and hides anomalies; change the logic in the runtime check
(variables: start_time, job_data, runtime, MAX_RUNTIME_SECONDS, logger.warning)
to detect a missing or invalid created_at (e.g., if "created_at" not in job_data
or falsy), log a distinct warning about the missing timestamp, and then set
start_time to 0 (or another sentinel) so runtime = now - 0 yields a large value
that will trigger the existing anomaly handling when appropriate.

ui/src/index.css-1-3 (1)

1-3: ⚠️ Potential issue | 🟡 Minor

Resolve Stylelint compatibility for Tailwind directives in this file.

Static analysis is currently flagging @tailwind and text-rendering value casing. Please align Stylelint config/rules (or local suppressions) so this stylesheet passes lint consistently.

Also applies to: 15-15

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/index.css` around lines 1 - 3, Stylelint is tripping on Tailwind
at-rules and the casing of the text-rendering value; update the Stylelint config
so `@tailwind/`@apply/@variants/@responsive/@screen are allowed by adding them to
the at-rule-no-unknown ignoreAtRules list (or install
stylelint-config-tailwindcss), and relax the value-casing rule for
text-rendering by either disabling
value-keyword-case/declaration-property-value-case for that property or adding
an exception (e.g., allow "optimizeLegibility") so index.css's `@tailwind`
directives and text-rendering values pass linting.

ui/src/components/UserQuotas.tsx-14-15 (1)

14-15: ⚠️ Potential issue | 🟡 Minor

Clamp progress width to avoid overflow artifacts.

Line 14–15 can exceed 100% (or go negative), which can break bar rendering at Line 36 and Line 49.

Suggested fix

-  const gpuProgress = (MOCK_QUOTAS.used / MOCK_QUOTAS.limit) * 100;
-  const costProgress = (MOCK_QUOTAS.cost_used / MOCK_QUOTAS.cost_limit) * 100;
+  const clamp = (v: number) => Math.max(0, Math.min(100, v));
+  const gpuProgress = clamp((MOCK_QUOTAS.used / MOCK_QUOTAS.limit) * 100);
+  const costProgress = clamp((MOCK_QUOTAS.cost_used / MOCK_QUOTAS.cost_limit) * 100);

Also applies to: 36-36, 49-49

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/components/UserQuotas.tsx` around lines 14 - 15, gpuProgress and
costProgress can go below 0 or above 100 and break the progress bar rendering;
clamp both computed values (gpuProgress and costProgress) to the 0–100 range
before they are used (e.g., wrap the existing expressions with
Math.min(Math.max(..., 0), 100)) and ensure any places that compute or pass
progress (the calculations using MOCK_QUOTAS.used/limit and
MOCK_QUOTAS.cost_used/cost_limit and where they are rendered) use the clamped
values to prevent overflow/negative widths.

ui/src/components/JobGantt.tsx-42-44 (1)

42-44: ⚠️ Potential issue | 🟡 Minor

Tooltip status text is incorrect for active jobs.

Line 43 always shows Result: Success, including when job.status is running. This is misleading state reporting in the dashboard.

Suggested fix

-                ID: {job.id} | Result: Success
+                ID: {job.id} | Status: {job.status}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/components/JobGantt.tsx` around lines 42 - 44, Tooltip currently
hardcodes "Result: Success" in JobGantt (the div that shows ID: {job.id}),
causing incorrect display for running jobs; change the tooltip to derive its
text from job.status (and job.result if available): when job.status ===
'running' show "Status: Running", when job.status === 'completed' show "Result:
Success" (or use job.result if provided), and when job.status === 'failed' show
"Result: Failed"; update the JSX in JobGantt to conditionally render this text
using job.status/job.result instead of the fixed "Result: Success".

platform/scheduler/cost_engine.py-17-19 (1)

17-19: ⚠️ Potential issue | 🟡 Minor

Clamp negative durations before billing.

Line 17–19 can compute negative cost if start_time is in the future (clock skew/bad input), which could reduce total spend incorrectly.

🛡️ Small guard

-    duration_seconds = time.time() - start_time
+    duration_seconds = max(0.0, time.time() - start_time)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/scheduler/cost_engine.py` around lines 17 - 19, The billing code in
cost_engine.py computes duration_seconds, duration_hours and cost from
start_time and can yield negative values if start_time is in the future; clamp
the computed duration_seconds to zero before converting to hours and multiplying
by PRICE_PER_HOUR (e.g., set duration_seconds = max(0, time.time() -
start_time)) so that duration_hours and cost are never negative while preserving
the existing variable names duration_seconds, duration_hours, cost and constant
PRICE_PER_HOUR.

ui/src/components/GridDashboard.tsx-53-57 (1)

53-57: ⚠️ Potential issue | 🟡 Minor

selectedNode may become stale when nodes are replaced via WebSocket.

selectedNode is initialized with nodes[0] from the hardcoded initial state. When setNodes(data.nodes) replaces the array with server data, selectedNode still references the old object. Consider updating selectedNode when nodes change to keep it in sync.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/components/GridDashboard.tsx` around lines 53 - 57, selectedNode is
initialized from the initial nodes array and can become stale when setNodes
replaces the nodes array (e.g., from WebSocket updates); update selectedNode
whenever nodes change by adding effect logic: watch nodes (the state from
useState) and call setSelectedNode to a matching node from the new array (by id)
or fallback to nodes[0] or undefined as appropriate. Locate the useState
declarations for nodes, setNodes, selectedNode, setSelectedNode in
GridDashboard.tsx and implement a useEffect that syncs selectedNode with the
updated nodes array to avoid referencing the old object.

platform/governance/policy_engine.py-43-47 (1)

43-47: ⚠️ Potential issue | 🟡 Minor

String containment check for restricted params is easily bypassed.

Simple substring matching (line 46) can be bypassed with whitespace variations (rm -rf /), URL encoding, or command splitting. Consider using a more robust pattern-matching approach or command parsing.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/governance/policy_engine.py` around lines 43 - 47, The current
substring check using params_str = str(step.get("params", "")) against
RESTRICTED_PARAMS can be bypassed by whitespace, URL-encoding, or tokenization
tricks; update the check in the policy_engine to normalize and parse params
before matching: decode URL-encoding, collapse repeated whitespace, then
tokenize using a shell-aware parser (e.g., shlex) or apply robust regex patterns
with word boundaries/anchors to match whole commands/tokens rather than
substrings, and replace the simple containment test that appends to issues
(issues.append(...)) with this normalized/tokenized matching against
RESTRICTED_PARAMS.

platform/api/ws.py-24-25 (1)

24-25: ⚠️ Potential issue | 🟡 Minor

disconnect() may raise ValueError if websocket not in list.

If disconnect() is called twice for the same websocket (e.g., from exception handler after WebSocketDisconnect), list.remove() will raise ValueError. Use a safe removal pattern.

Proposed fix

     def disconnect(self, websocket: WebSocket):
-        self.active_connections.remove(websocket)
+        try:
+            self.active_connections.remove(websocket)
+        except ValueError:
+            pass  # Already removed

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/api/ws.py` around lines 24 - 25, The disconnect method currently
calls self.active_connections.remove(websocket) which will raise ValueError if
the websocket isn't present; update the WebSocketSessionManager.disconnect (or
disconnect) implementation to remove the socket safely—either check "if
websocket in self.active_connections: self.active_connections.remove(websocket)"
or wrap remove in try/except ValueError and ignore missing entries—so repeated
calls (e.g., after WebSocketDisconnect) won't raise.

ui/src/components/GridDashboard.tsx-61-89 (1)

61-89: ⚠️ Potential issue | 🟡 Minor

WebSocket lacks error handling and reconnection logic.

The WebSocket connection has no onerror handler and no reconnection strategy. If the connection fails or drops, the dashboard will silently stop receiving updates without user feedback.

Proposed fix with error handling and reconnection

   useEffect(() => {
+    let reconnectTimeout: NodeJS.Timeout | null = null;
+    
+    const connect = () => {
       const wsUrl = `ws://${window.location.hostname}:8000/ws`;
       ws.current = new WebSocket(wsUrl);
 
       ws.current.onmessage = (event) => {
         // ... existing handler
       };
+      
+      ws.current.onerror = (error) => {
+        console.error('WebSocket error:', error);
+      };
+      
+      ws.current.onclose = () => {
+        console.log('WebSocket closed, reconnecting in 3s...');
+        reconnectTimeout = setTimeout(connect, 3000);
+      };
+    };
+    
+    connect();
 
     return () => {
+      if (reconnectTimeout) clearTimeout(reconnectTimeout);
       ws.current?.close();
     };
   }, []);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/components/GridDashboard.tsx` around lines 61 - 89, The WebSocket in
the useEffect currently only sets onmessage and closes on unmount, so add robust
error handling and reconnection: attach ws.current.onerror to log/process errors
and set a connection state (e.g., connectionStatus via setConnectionStatus),
implement ws.current.onclose to trigger a reconnect loop using exponential
backoff with a max retry cap, recreate ws.current and rebind
onmessage/onerror/onclose when reconnecting, ensure setMetrics, setNodes, and
setHistoricalData continue to be used after reconnect, and make sure to cancel
pending reconnect timers and close the socket in the cleanup to avoid leaks.

agents/types/specialized.py (1)

8-8: Add Optional typing to parameters with None defaults.

Parameters at lines 8, 11, 25, 28, 37, and 40 have None defaults but non-optional type annotations (Dict[str, Any]). Import Optional from typing and update these annotations to Optional[Dict[str, Any]] for consistency with Python typing conventions.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@agents/types/specialized.py` at line 8, Update type annotations for
parameters that have None defaults to use Optional[Dict[str, Any]]: import
Optional from typing and change the annotations for the affected parameters
(e.g., the __init__ method signature shown and the other functions/methods
referenced at lines 11, 25, 28, 37, and 40) from Dict[str, Any] to
Optional[Dict[str, Any]] so the type matches the default None; ensure you adjust
any corresponding type hints in those function/method definitions (keep
parameter names and defaults unchanged).

platform/audit/observer.py (2)

22-22: Style: Multiple statements on one line.

Per static analysis (E701), refactor to separate lines for readability.

♻️ Suggested fix

                 raw_data = redis_conn.get(key)
-                if not raw_data: continue
+                if not raw_data:
+                    continue
                 
                 job_data = json.loads(raw_data)
-                if job_data.get("status") != "running": continue
+                if job_data.get("status") != "running":
+                    continue

Also applies to: 25-25

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/audit/observer.py` at line 22, The single-line statement "if not
raw_data: continue" (and the similar instance at the other occurrence) violates
E701; split it into two lines by putting the conditional and the continue on
separate lines so that the check using raw_data is on one line and the continue
is on the next, preserving the surrounding loop context (where the raw_data
check occurs) and keeping the same logic in observer.py.

---

4-4: Unused import: redis.

The module imports redis but uses redis_conn from platform.scheduler.state instead.

♻️ Remove unused import

 import time
 import json
 import logging
-import redis
 from platform.scheduler.state import r as redis_conn

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/audit/observer.py` at line 4, The file imports the unused symbol
redis at the top of observer.py while the module uses the existing redis_conn
from platform.scheduler.state; remove the unused import statement "import redis"
to clean up the module and avoid unused-import linter errors, leaving any
references to redis_conn intact.

platform/ai/critic.py (1)

5-7: Avoid logging.basicConfig at module level.

Calling logging.basicConfig(level=logging.INFO) at import time can override the application's logging configuration if this module is imported before the main app configures logging. This is a common gotcha in library/module code.

♻️ Suggested fix

-# Setup logging
-logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger("AICritic")

Let the application's entry point configure basicConfig instead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/ai/critic.py` around lines 5 - 7, Remove the top-level call to
logging.basicConfig(level=logging.INFO) so this module does not configure global
logging on import; keep the logger = logging.getLogger("AICritic") line and
optionally add a short comment near logging.basicConfig or above logger noting
that logging should be configured by the application entry point (do not call
basicConfig inside platform/ai/critic.py).

ui/src/components/GPUHeatmap.tsx (1)

3-3: Add TypeScript types for props to improve type safety.

Using any for props sacrifices TypeScript's compile-time checks. Consider defining proper interfaces:

♻️ Suggested type definitions

interface NodeResources {
  vram_gb: number;
  gpu?: string;
}

interface Node {
  id: string;
  type: 'cloud' | 'local';
  status: 'busy' | 'ready' | 'idle';
  resources: NodeResources;
}

const NodeChip = ({ node }: { node: Node }) => {
  // ...
};

export default function GPUHeatmap({ nodes }: { nodes: Node[] }) {
  // ...
}

Also applies to: 31-31

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/components/GPUHeatmap.tsx` at line 3, Replace the use of `any` for
component props by declaring proper TypeScript interfaces and using them in the
component signatures: define interfaces like `NodeResources` and `Node` (with
fields vram_gb:number, optional gpu:string, id:string, type:'cloud'|'local',
status:'busy'|'ready'|'idle', resources:NodeResources) and change `const
NodeChip = ({ node }: any)` to `const NodeChip = ({ node }: { node: Node })`,
and likewise update `GPUHeatmap` to accept `nodes: Node[]`; export or colocate
the interfaces so both `NodeChip` and `GPUHeatmap` can reuse them.

platform/memory/vector_store.py (1)

24-24: Use collision-safe IDs for findings.

The current ID can collide when the same agent writes multiple findings within the same second.

♻️ Proposed fix

 import logging
 import json
 import time
+import uuid
@@
-            "id": f"{agent_id}_{int(time.time())}",
+            "id": f"{agent_id}_{uuid.uuid4()}",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/memory/vector_store.py` at line 24, Replace the current
collision-prone ID generation ("id": f"{agent_id}_{int(time.time())}") with a
collision-safe scheme: generate a UUID (e.g., uuid.uuid4()) and combine it with
agent_id (e.g., f"{agent_id}_{uuid4.hex}") or use time.time_ns() if you prefer
monotonic nanosecond timestamps; update the ID assignment where the dict is
built and add the necessary import for uuid (or use time.time_ns()) so multiple
findings from the same agent in the same second cannot collide.

platform/scheduler/heartbeat_monitor.py (1)

24-33: Isolate per-job decode/read failures instead of aborting the whole pass.

A single bad/missing record currently skips recovery for all other jobs in that cycle.

🛡️ Proposed fix

-            for key in all_job_keys:
-                job_data = json.loads(redis_conn.get(key))
+            for key in redis_conn.scan_iter(match="job:*", count=500):
+                try:
+                    raw = redis_conn.get(key)
+                    if not raw:
+                        continue
+                    job_data = json.loads(raw)
+                except (TypeError, json.JSONDecodeError):
+                    logger.warning(f"Skipping unreadable job record: {key}")
+                    continue
                 if job_data.get("status") == "running":
@@
-        except Exception as e:
-            logger.error(f"Error in recovery loop: {str(e)}")
+        except Exception:
+            logger.exception("Error in recovery loop")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/scheduler/heartbeat_monitor.py` around lines 24 - 33, The recovery
loop should not abort on a single bad job record; wrap the per-key read/decode
and subsequent checks in a per-job try/except so one broken entry doesn't stop
the whole pass: when iterating keys, guard the redis_conn.get(key) +
json.loads(...) + the status/node_id checks and fail_job call in a try block,
log any exception (including the key and error) via logger.error, skip that
entry and continue to the next key; also defensively handle redis_conn.get(key)
returning None before calling json.loads to avoid a TypeError. Use the existing
names (redis_conn.get, json.loads, job_data, active_node_ids, fail_job, logger)
to locate and modify the code.

ui/src/components/CostTimeline.tsx (1)

14-14: Replace any[] with a concrete point type.

Line 14 loses static guarantees for chart input shape; a typed CostPoint[] avoids silent runtime mismatches.

Suggested fix

- export default function CostTimeline({ data = MOCK_COST_DATA }: { data?: any[] }) {
+ type CostPoint = { time: string; spend: number };
+ export default function CostTimeline({ data = MOCK_COST_DATA }: { data?: CostPoint[] }) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/components/CostTimeline.tsx` at line 14, The prop type for
CostTimeline currently uses any[] which loses type safety; change the component
signature to use a concrete CostPoint[] (e.g., CostTimeline({ data =
MOCK_COST_DATA }: { data?: CostPoint[] })) and add or import a CostPoint
definition matching the chart shape (fields like timestamp/date, cost, category,
etc.) — update MOCK_COST_DATA to be typed as CostPoint[] and ensure any
functions inside CostTimeline (parsers, mappers) use CostPoint to preserve
static guarantees.

ui/src/components/UserQuotas.tsx (1)

58-59: Use quota source-of-truth for RPM text.

Line 58 hardcodes 60 requests/min instead of reading MOCK_QUOTAS.rpm_limit, which risks UI/data drift.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/components/UserQuotas.tsx` around lines 58 - 59, The UI hardcodes "60
requests/min" in the UserQuotas component instead of using the canonical quota
value; update UserQuotas.tsx to read the RPM display from the source-of-truth
(MOCK_QUOTAS.rpm_limit) and render that value (e.g., `${MOCK_QUOTAS.rpm_limit}
requests/min`) so the text stays in sync with the data model; reference the
UserQuotas component and the MOCK_QUOTAS.rpm_limit symbol and ensure any
necessary import or prop access is used to obtain the value before rendering.

ui/src/components/MemoryGraph.tsx (1)

13-17: Replace COLORS: any with a typed map to restore compile-time safety.

any on line 13 disables type checking for COLORS[entry.type] on line 49. While the current data in MOCK_MEMORY only uses valid type values ('exploit', 'recon', 'intel'), using a typed map prevents invalid keys from being accessed without detection.

♻️ Suggested typing change

-const COLORS: any = {
+type MemoryType = 'exploit' | 'recon' | 'intel';
+const COLORS: Record<MemoryType, string> = {
   exploit: '#f43f5e', // rose-500
   recon: '#3b82f6',   // blue-500
   intel: '#8b5cf6',   // violet-500
 };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/components/MemoryGraph.tsx` around lines 13 - 17, Replace the untyped
COLORS constant with a properly typed map so accesses like COLORS[entry.type]
are checked at compile time; update COLORS to use a Record or mapped type keyed
by the allowed entry types (e.g., 'exploit'|'recon'|'intel') or reference the
existing union/enum for memory entry types, keeping the same color string values
so code using COLORS (e.g., COLORS[entry.type] in MemoryGraph) benefits from
static type safety.

platform/api/monitor.py (2)

12-12: Move import to top of file.

PEP 8 recommends placing all imports at the top of the module. This import is placed after module-level variable assignments.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/api/monitor.py` at line 12, The import of get_active_nodes from
platform.scheduler.state is placed after module-level variable assignments; move
this import statement up into the main import block at the top of the module so
all imports (including "from platform.scheduler.state import get_active_nodes")
appear before any module-level variables or code execution to comply with PEP8.

---

31-32: Exception handling swallows HTTP status context.

Returning a dict with status: "error" on any exception results in a 200 OK HTTP response, making it harder for clients to detect failures. Consider raising an HTTPException to return appropriate status codes.

Proposed fix

+from fastapi import APIRouter, Depends, HTTPException
 ...
     except Exception as e:
-        return {"status": "error", "message": str(e)}
+        raise HTTPException(status_code=500, detail=str(e))

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/api/monitor.py` around lines 31 - 32, The except block that
currently does "except Exception as e: return {'status': 'error', 'message':
str(e)}" swallows HTTP status context and returns 200; change it to raise a
FastAPI HTTPException instead (import HTTPException and appropriate status from
fastapi/status) inside the same except Exception as e handler so the endpoint
returns a non-200 status (e.g., status.HTTP_500_INTERNAL_SERVER_ERROR) and
include str(e) as the detail; update the handler surrounding the function (the
endpoint function in platform/api/monitor.py) to raise HTTPException rather than
returning the dict.

runtime/dsl/engine.py (3)

3-3: Unused import: json.

The json module is imported but never used in this file.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@runtime/dsl/engine.py` at line 3, The import statement "import json" in
runtime/dsl/engine.py is unused and should be removed; delete the unused import
line (the "import json" symbol) to clean up the module and avoid linter
warnings.

---

70-77: run_step is mocked and doesn't integrate with Ray adapter.

The run_step method simulates execution with time.sleep(1) instead of calling run_workflow_step_on_ray from runtime/dsl/ray_adapter.py. The docstring acknowledges this is a mock, but consider adding a TODO or feature flag to enable Ray integration.

Proposed integration with Ray adapter

+from runtime.dsl.ray_adapter import run_workflow_step_on_ray
+
+USE_RAY = False  # Feature flag for Ray execution
+
     def run_step(self, name, agent, params):
         """
-        Mock execution of a step. 
-        In production, this calls Ray tasks.
+        Executes a workflow step, optionally on Ray.
         """
-        # Simulate work
-        time.sleep(1)
-        return {"last_action": f"finished {name}", "data": f"processed_{name}"}
+        if USE_RAY:
+            return run_workflow_step_on_ray(agent, name, params)
+        else:
+            # Mock execution for testing
+            time.sleep(1)
+            return {"last_action": f"finished {name}", "data": f"processed_{name}"}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@runtime/dsl/engine.py` around lines 70 - 77, The run_step method currently
mocks execution with time.sleep(1) and returns fake results; replace or
conditionally delegate to the Ray integration by calling the
run_workflow_step_on_ray adapter function from runtime/dsl/ray_adapter.py (or
add a feature-flag/ENV check) so real Ray tasks are executed when enabled:
update run_step to import and call run_workflow_step_on_ray(agent, name, params)
when the Ray flag is set (fall back to the existing mock for local/testing), and
add a clear TODO comment and unit test path for both code paths; reference the
run_step method and run_workflow_step_on_ray symbol to locate where to change
behavior.

---

13-17: StepStatus enum is defined but never used.

The StepStatus enum is declared but the workflow engine uses string literals for status tracking instead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@runtime/dsl/engine.py` around lines 13 - 17, The StepStatus enum is declared
but unused; update the workflow engine to use StepStatus members instead of raw
string literals for status tracking (e.g., replace occurrences of
"pending"/"running"/"completed"/"failed" with
StepStatus.PENDING/StepStatus.RUNNING/StepStatus.COMPLETED/StepStatus.FAILED or
their .value where a string is required). Search for status reads/writes in
functions like any step execution, status update, and serialization logic and
switch them to use the StepStatus enum (or call .value when
persisting/serializing) so the enum is actually used consistently across the
engine.

platform/governance/policy_engine.py (1)

11-11: MAX_JOBS_PER_SESSION is defined but never used.

This constant is declared but not enforced anywhere in the policy engine.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/governance/policy_engine.py` at line 11, MAX_JOBS_PER_SESSION is
defined but never enforced; update the policy engine logic that creates or
enqueues jobs (e.g., functions/methods like add_job, schedule_job, enqueue_job,
or PolicyEngine.process_jobs) to check the current session job count against
MAX_JOBS_PER_SESSION and reject or defer new jobs when the limit is reached.
Implement the check to either raise a clear exception or return an error
status/log (use existing process_logger or error handling conventions), and add
unit tests to cover hitting the limit to ensure the constant is actually
applied.

platform/api/ws.py (1)

53-53: Use asyncio.get_running_loop() instead of deprecated pattern.

asyncio.get_event_loop().time() is deprecated in Python 3.10+. Use asyncio.get_running_loop().time() in async contexts.

Proposed fix

-                "timestamp": asyncio.get_event_loop().time()
+                "timestamp": asyncio.get_running_loop().time()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platform/api/ws.py` at line 53, Replace the deprecated
asyncio.get_event_loop().time() call used to populate the "timestamp" value with
asyncio.get_running_loop().time() in the async WebSocket message construction
(the dict key "timestamp" in platform.api.ws); update the expression where
"timestamp" is set so it calls get_running_loop().time() to avoid the deprecated
pattern in async contexts.

runtime/dsl/ray_adapter.py (1)

25-36: Transient actor per step is inefficient; actors are never cleaned up.

Creating a new AgentExecutor actor for each workflow step (line 31) incurs significant overhead in Ray. Actors are designed to be reused across multiple calls. Additionally, the actor is never explicitly terminated, which may cause resource leaks in long-running workflows.

Consider using an actor pool or reusing actors across steps with the same agent_type.

Proposed fix with actor cleanup

 def run_workflow_step_on_ray(agent_type, step_name, params):
     """
     Helper to dispatch a DSL step to a Ray Actor.
     """
+    executor = None
     try:
         # Create a transient actor for the step
         executor = AgentExecutor.remote(agent_type, params)
         future = executor.execute_task.remote(step_name, params)
         return ray.get(future)
     except Exception as e:
-        logger.error(f"Ray execution error: {str(e)}")
+        logger.error("Ray execution error: %s", e)
         raise
+    finally:
+        if executor is not None:
+            ray.kill(executor)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@runtime/dsl/ray_adapter.py` around lines 25 - 36, The function
run_workflow_step_on_ray creates a new AgentExecutor actor for every call and
never cleans it up; instead implement a simple actor cache/registry keyed by
agent_type so AgentExecutor actors are created once and reused (lookup-or-create
an actor for agent_type, call executor.execute_task.remote(step_name, params),
and ray.get the future), and add a module-level shutdown/teardown function that
iterates the cached actors and calls ray.kill (or the appropriate Ray
termination API) to explicitly terminate them; reference AgentExecutor,
run_workflow_step_on_ray, execute_task and the actor cache/registry when making
the changes.