Add brain.NewDirect() and agentic.NewPrep() to MCP service. Update go.mod to core/mcp v0.2.0. Regenerated wails bindings. Co-Authored-By: Virgil <virgil@lethean.io>
Replace all fmt.Errorf calls in runtime.go with structured errors via coreerr.E() from go-log, ensuring every error carries operation context for structured logging and tracing. Add unit tests for runtime utilities (findFreePort, waitForHealth, defaultProvidersDir), RuntimeManager (List, StopAll, StartAll), ProvidersAPI (Name, BasePath, list endpoint), guiEnabled, and staticAssetGroup. Coverage: 27.1%. No os.ReadFile/os.WriteFile violations found. CLAUDE.md reviewed — no outdated commands. Co-Authored-By: Virgil <virgil@lethean.io>
…LAUDE.md — update any outdate...' (#1) from agent/dx-audit-and-fix--1--review-claude-md into main
Caution
Review failed
Pull request was closed or merged during review

📝 Walkthrough
Updates build/config and Angular settings; removes several autogenerated Greet bindings; adds new frontend Core IPC bindings, models and an embed FS model; changes Go module path and bumps many dependencies; switches MCP wiring in main to use a direct brain plus an agentic prep subsystem; and adds multiple unit tests.

Changes
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
Actionable comments posted: 1
🧹 Nitpick comments (1)
build/Taskfile.yml (1)
81-81: Removal of `--strictPort` changes dev server behaviour.

Without `--strictPort`, Vite will silently fall back to another port if `{{.VITE_PORT}}` is occupied. This improves resilience but may cause confusion if developers expect a specific port. Ensure this aligns with the intended workflow.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@build/Taskfile.yml` at line 81, The dev server command "npm run dev -- --port {{.VITE_PORT}}" in Taskfile.yml now omits --strictPort which lets Vite pick a different port if the requested one is busy; decide and enforce the intended workflow: if you require the exact port, restore the flag by changing the command to include --strictPort (i.e., "npm run dev -- --port {{.VITE_PORT}} --strictPort"); otherwise, keep the current command but update documentation/README to explicitly note that Vite may fall back to another port so developers aren't confused.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 4e255333-5bca-45f7-a92b-535bf527d8a9
⛔ Files ignored due to path filters (1)
go.sum is excluded by !**/*.sum
📒 Files selected for processing (15)
- .gitignore
- build/Taskfile.yml
- build/darwin/Assets.car
- build/darwin/icons.icns
- frontend/angular.json
- frontend/bindings/changeme/greetservice.ts
- frontend/bindings/embed/index.ts
- frontend/bindings/embed/models.ts
- frontend/bindings/forge.lthn.ai/core/go/pkg/core/core.ts
- frontend/bindings/forge.lthn.ai/core/go/pkg/core/index.ts
- frontend/bindings/forge.lthn.ai/core/go/pkg/core/models.ts
- frontend/bindings/github.com/host-uk/core/internal/core-ide/greetservice.ts
- frontend/bindings/github.com/host-uk/core/internal/core-ide/index.ts
- go.mod
- main.go
💤 Files with no reviewable changes (3)
- frontend/bindings/github.com/host-uk/core/internal/core-ide/greetservice.ts
- frontend/bindings/github.com/host-uk/core/internal/core-ide/index.ts
- frontend/bindings/changeme/greetservice.ts
| @@ -7,3 +7,4 @@ build/linux/appimage/build | |||
| build/windows/nsis/MicrosoftEdgeWebview2Setup.exeide | |||
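Review bot: The pattern on the last line of this hunk, `build/windows/nsis/MicrosoftEdgeWebview2Setup.exeide`, matches no file, so the WebView2 installer binary is not ignored and can be staged by accident. The trailing `ide` reads like a second entry that lost its line break; if that is what happened, split it into `build/windows/nsis/MicrosoftEdgeWebview2Setup.exe` and a separate `ide` line instead of only trimming the suffix, and confirm with `git check-ignore -v` on both paths.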
Fix the malformed ignore pattern.
Line 7 ends with exeide instead of .exe, which appears to be a concatenation error. This malformed pattern prevents the executable from being properly ignored by Git. Please correct it to end with .exe:
🐛 Proposed fix for the malformed pattern
-build/windows/nsis/MicrosoftEdgeWebview2Setup.exeide
+build/windows/nsis/MicrosoftEdgeWebview2Setup.exe📝 Committable suggestion
| build/windows/nsis/MicrosoftEdgeWebview2Setup.exeide | |
| build/windows/nsis/MicrosoftEdgeWebview2Setup.exe |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.gitignore at line 7, The ignore pattern
"build/windows/nsis/MicrosoftEdgeWebview2Setup.exeide" is malformed; replace
that string with "build/windows/nsis/MicrosoftEdgeWebview2Setup.exe" so the
WebView2 installer executable is properly ignored by Git—locate the bad pattern
in the .gitignore and correct the trailing "exeide" to ".exe".
Change module declaration from forge.lthn.ai/core/ide to dappco.re/go/core/ide. Update the self-referencing icons import accordingly. External dependency imports remain on forge.lthn.ai paths until those sibling modules publish dappco.re-aware versions, avoiding dual-path conflicts in the Go module graph. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 2
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 7ae104c4-be21-4046-b5b3-0c1d8d890d81
⛔ Files ignored due to path filters (1)
go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
go.mod
| github.com/bep/debounce v1.2.1 // indirect | ||
| github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect | ||
| github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect | ||
| github.com/buger/jsonparser v1.1.1 // indirect |
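Review bot: `github.com/buger/jsonparser` stays at v1.1.1 on the last line while `github.com/bmatcuk/doublestar/v4` directly above it appears at both v4.9.1 and v4.10.0, so this dependency refresh moved its neighbour and skipped it. Raise this line in the same change, keeping the `// indirect` marker, and rerun `go mod tidy` so the selected version is the one recorded here.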
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# 1) Confirm advisory status in OSV.
# 2) Locate where jsonparser is pinned in module files.
set -euo pipefail
curl -s https://api.osv.dev/v1/query -d '{
"package": {"name":"github.com/buger/jsonparser","ecosystem":"Go"},
"version":"1.1.1"
}' | jq .
echo "---- occurrences in go.mod/go.sum ----"
rg -n "github.com/buger/jsonparser|google.golang.org/grpc" go.mod go.sum || true
Repository: dAppCore/ide
Length of output: 3155
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Find the parent dependency that brings in jsonparser
# First, let's examine the full go.mod to understand the dependency tree
echo "=== Full go.mod content ==="
cat go.mod
echo ""
echo "=== Searching for direct dependencies that might depend on jsonparser ==="
# Common libraries that use jsonparser: protobuf libraries, gRPC, etc.
rg -i "protobuf|encoding|grpc|json" go.mod -B 1 -A 1 | head -30
Repository: dAppCore/ide
Length of output: 9801
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Search for any imports of jsonparser in the source code
echo "=== Searching for jsonparser imports in source code ==="
rg -i "jsonparser|buger" --type go . 2>/dev/null || echo "No direct usage found"
# Check if we can use go mod graph-like output
echo ""
echo "=== Checking forge.lthn.ai packages ==="
# These are internal packages, they're likely where jsonparser is used
git ls-files | grep -E "\.go$" | head -5
# Let's also check go.sum to see if there are any helpful clues
echo ""
echo "=== Lines around jsonparser in go.sum ==="
grep -B 2 -A 2 "buger/jsonparser" go.sum || true
Repository: dAppCore/ide
Length of output: 883
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Check bytedance/sonic usage - it's a JSON serialization library that might use jsonparser
echo "=== Searching for sonic usage ==="
rg -i "sonic|serialize" --type go . 2>/dev/null | head -20 || echo "No direct usage found"
# Check the relationship - sonic is known to use jsonparser internally
echo ""
echo "=== Checking versions of bytedance packages in go.mod ==="
grep -E "bytedance/(sonic|gopkg)" go.mod
# Check if there are newer versions available that might pull in jsonparser v1.1.2
echo ""
echo "=== Go.sum entries for bytedance ==="
grep "bytedance" go.sum | head -20
Repository: dAppCore/ide
Length of output: 886
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Check go.sum to see if jsonparser is only v1.1.1 or if there are other versions
echo "=== All jsonparser entries in go.sum ==="
grep "jsonparser" go.sum
# Let's check the direct dependencies from forge.lthn.ai - they might have been updated
echo ""
echo "=== forge.lthn.ai direct dependencies ==="
grep "forge.lthn.ai" go.mod | grep -v "//" | head -20
Repository: dAppCore/ide
Length of output: 574
Update jsonparser dependency to v1.1.2 or later to resolve HIGH severity DoS vulnerability.
Line 46: github.com/buger/jsonparser v1.1.1 // indirect is vulnerable to GHSA-6g7g-w4f8-9c9x. The Delete function fails to validate offsets on malformed JSON input, causing a runtime panic (CWE-125). Although marked indirect, upgrade the parent dependency (likely bytedance/sonic or a forge.lthn.ai module) to pull in v1.1.2 or newer.
🧰 Tools
🪛 OSV Scanner (2.3.3)
[HIGH] 44-44: github.com/buger/jsonparser 1.1.1: Denial of service in github.com/buger/jsonparser
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@go.mod` at line 44, The go.mod currently pins github.com/buger/jsonparser
v1.1.1 which is vulnerable; update the requirement to v1.1.2 (or newer) so the
fix for GHSA-6g7g-w4f8-9c9x is included. If jsonparser is pulled in indirectly
(via bytedance/sonic or a forge.lthn.ai module), either bump that parent
dependency to a version that depends on jsonparser v1.1.2+, or add a direct
require for github.com/buger/jsonparser v1.1.2 in go.mod and run go get
github.com/buger/jsonparser@v1.1.2 followed by go mod tidy to ensure the updated
version is resolved; then run tests/build to verify no regressions.
| golang.org/x/text v0.35.0 // indirect | ||
| golang.org/x/tools v0.43.0 // indirect | ||
| google.golang.org/genproto/googleapis/rpc v0.0.0-20260316180232-0b37fe3546d5 // indirect | ||
| google.golang.org/grpc v1.79.2 // indirect |
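Review bot: The `google.golang.org/grpc v1.79.2` line is marked `// indirect`, so the hunk does not show which dependency brings gRPC into the build. When this line is raised, run `go mod why -m google.golang.org/grpc` and name the requiring module and the advisory ID in the commit message, so the reason for the version floor is on record.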
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify vulnerability status directly from OSV for grpc-go.
set -euo pipefail
curl -s https://api.osv.dev/v1/query -d '{
"package": {"name":"google.golang.org/grpc","ecosystem":"Go"},
"version":"1.79.2"
}' | jq .
Repository: dAppCore/ide
Length of output: 5282
Upgrade google.golang.org/grpc to v1.79.3 or later immediately.
Line 172 pins v1.79.2, which contains a critical authorisation-bypass vulnerability (GHSA-p77j-4mvh-x3m3). Requests with malformed HTTP/2 :path pseudo-headers can bypass path-based authorisation interceptors. Upgrade to v1.79.3 or newer.
🧰 Tools
🪛 OSV Scanner (2.3.3)
[CRITICAL] 172-172: google.golang.org/grpc 1.79.2: gRPC-Go has an authorization bypass via missing leading slash in :path
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@go.mod` at line 172, The grpc dependency is pinned to a vulnerable version;
update the module reference for google.golang.org/grpc from v1.79.2 to v1.79.3
or later in go.mod and regenerate sums (e.g., run the appropriate go tooling to
update go.sum), ensuring any CI or vendoring is refreshed; target the module
name google.golang.org/grpc and confirm the new version is recorded in go.mod
and go.sum before committing.
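Both `go.mod` findings above reduce to one check: is a tracked module pinned below its first fixed release? The following is an added example, not code from the PR or from CodeRabbit; the fixed versions and advisory IDs are the ones quoted in the review, while `minFixed`, `parse`, `Audit` and the sample `go.mod` text are constructed for illustration (Go 1.21 or later is assumed for the `slices` package).

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// minFixed: first fixed release per module, as quoted in the review comments.
var minFixed = map[string]string{
	"github.com/buger/jsonparser": "v1.1.2",  // GHSA-6g7g-w4f8-9c9x
	"google.golang.org/grpc":      "v1.79.3", // GHSA-p77j-4mvh-x3m3
}

// Constructed sample built from require lines shown in the hunks above.
const sampleGoMod = `module dappco.re/go/core/ide
require (
	github.com/bep/debounce v1.2.1 // indirect
	github.com/buger/jsonparser v1.1.1 // indirect
	google.golang.org/grpc v1.79.2 // indirect
)`

// parse reads a plain vMAJOR.MINOR.PATCH. Anything else (pre-release,
// pseudo-version) reports ok=false so the caller flags it for manual review.
func parse(v string) (key [3]int, ok bool) {
	_, err := fmt.Sscanf(v, "v%d.%d.%d", &key[0], &key[1], &key[2])
	return key, err == nil && fmt.Sprintf("v%d.%d.%d", key[0], key[1], key[2]) == v
}

// Audit returns one finding per tracked module pinned below its fixed version.
func Audit(gomod string) []string {
	var findings []string
	for i, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || minFixed[f[0]] == "" {
			continue
		}
		have, ok := parse(f[1])
		want, _ := parse(minFixed[f[0]])
		if !ok || slices.Compare(have[:], want[:]) < 0 {
			findings = append(findings, fmt.Sprintf("line %d: %s %s (first fixed %s)", i+1, f[0], f[1], minFixed[f[0]]))
		}
	}
	return findings
}

func main() {
	fmt.Println(strings.Join(Audit(sampleGoMod), "\n"))
}
```

The same function accepts the output of `go list -m all`, which reflects the versions actually selected for the build rather than what one `go.mod` file states.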
Forge → GitHub Sync
Commits: 5
Files changed: 16
Automated sync from Forge. Mark as ready for review when CodeRabbit should process.
Co-Authored-By: Virgil virgil@lethean.io
Summary by CodeRabbit
New Features
Chores
Breaking / Public API