Implemented ci with proper lint, format, test running#157
Open
agsaru wants to merge 3 commits into
Open
Conversation
|
@agsaru is attempting to deploy a commit to the s3dfx-cyber's projects Team on Vercel. A member of the Team first needs to authorize it. |
Contributor
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdds project tooling and CI (lint, security, coverage), modernizes typings and formatting across modules, refactors analyzer event validation/queue processing and startup/shutdown, hardens ingest degraded-mode behavior, updates scripts/examples, and adjusts tests. ChangesPlatform and CI/tooling
Analyzer service and model
Services, plugin, scripts, and tests
Sequence Diagram(s) sequenceDiagram
participant Client
participant IngestService
participant Redis
participant AnalyzerService
participant MLModel
Client->>IngestService: POST /v1/events/llm (event payload)
IngestService->>Redis: LPUSH queue, SET event (persist)
AnalyzerService->>Redis: RPOP queue
AnalyzerService->>AnalyzerService: _process_single_event (validate, truncate, sanitize)
AnalyzerService->>MLModel: ml_analysis(prompt) (conditional if model loaded)
MLModel-->>AnalyzerService: classification + confidence
AnalyzerService->>Redis: SET updated event (analysis_details, verdict, risk_score)
AnalyzerService-->>Client: async analysis persisted (event id)
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR adds project/tooling configuration and expands CI to include linting, security scans, and coverage reporting.
Changes:
- Add
pip-auditto dev requirements for dependency vulnerability auditing. - Introduce
pyproject.tomlwith formatter/linter/test/coverage/mypy configuration. - Expand GitHub Actions CI workflow with lint, security, coverage, and integration test execution; add coverage config file and update README badges.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 12 comments.
Show a summary per file
| File | Description |
|---|---|
| requirements-dev.txt | Adds pip-audit for dependency vulnerability scanning. |
| pyproject.toml | Defines build metadata and config for Black/Ruff/Pytest/Coverage/Mypy. |
| README.md | Adds/updates badges for CI, linting, and security scanning. |
| .github/workflows/ci.yml | Adds lint + security jobs, updates test job for coverage and integration startup. |
| .coveragerc | Adds coverage configuration + report output settings. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 6
🧹 Nitpick comments (4)
README.md (1)
5-12: ⚡ Quick winConsider adding a coverage badge.
The CI workflow generates coverage reports with a 75% threshold (as shown in
ci.yml), but no coverage badge is displayed in the README. Adding a coverage badge would provide visibility into test coverage alongside the other CI/CD status indicators.📊 Example coverage badge addition
You could add a coverage badge after the Bandit badge (line 11):
[](https://github.com/TENET-DEV-AI/TENET-AI/actions/workflows/ci.yml)Or integrate with a coverage service like Codecov or Coveralls for dynamic badges.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@README.md` around lines 5 - 12, Add a coverage badge to the README to reflect the 75% threshold defined in the CI; update the badge block (the sequence of shields including "Code Quality: Bandit") to insert a coverage badge (e.g., a static shields.io badge or a link to Codecov/Coveralls) right after the Bandit badge so the README shows coverage alongside the CI/CD and security badges and points to the CI workflow or the coverage service referenced by ci.yml..github/workflows/ci.yml (2)
17-17: ⚡ Quick winConsider setting
persist-credentials: falsefor checkout actions.The
actions/checkoutaction persists GitHub credentials by default, which can be a security risk if subsequent steps or artifacts inadvertently expose them. Settingpersist-credentials: falseis a security best practice unless you explicitly need Git credentials in later steps.🔒 Proposed security hardening
- uses: actions/checkout@v6 + with: + persist-credentials: falseApply this change to checkout actions on lines 17, 44, and 81.
Also applies to: 44-44, 81-81
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 17, The checkout steps currently use actions/checkout@v6 which persists GitHub credentials by default; update each checkout usage (the actions/checkout@v6 entries) to add persist-credentials: false in their step inputs so credentials are not kept unless explicitly required — modify all occurrences referenced in the workflow (the three actions/checkout@v6 steps) to include the persist-credentials: false key in their step configuration.Source: Linters/SAST tools
120-131: ⚡ Quick winConsider adding service health checks before running integration tests.
Lines 120-128 start services in the background with a 10-second sleep, but don't verify they started successfully. If a service fails to start, the integration tests will run against non-existent endpoints and produce confusing failures.
Add HTTP health check polling before running tests to ensure services are ready.
🏥 Proposed enhancement for service readiness checks
# 3. Wait a few seconds for FastAPI to boot up and connect to Redis echo "Waiting for services to initialize..." - sleep 10 + for i in {1..30}; do + if curl -f http://localhost:8100/health > /dev/null 2>&1 && \ + curl -f http://localhost:8000/health > /dev/null 2>&1; then + echo "Services are ready" + break + fi + if [ $i -eq 30 ]; then + echo "Services failed to start" + exit 1 + fi + sleep 1 + done # 4. Run the integration tests pytest tests/integration/test_e2e.py -vNote: This assumes your services expose
/healthendpoints. Adjust the paths if different.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 120 - 131, Replace the fixed sleep with HTTP health-check polling for the two started services (services.analyzer.app on port 8100 and services.ingest.app on port 8000) by repeatedly requesting their /health endpoints until a 200 OK is returned (with a global timeout), and fail the job if either service doesn't become healthy; keep the existing background uvicorn starts, then add a loop that polls http://localhost:8100/health and http://localhost:8000/health (or the correct health paths) with short sleeps between attempts and an overall timeout before running pytest tests/integration/test_e2e.py.requirements-dev.txt (1)
23-23: Bump pip-audit minimum version to get newer vulnerability fixes
pip-audit>=2.6.0onrequirements-dev.txt(line 23) is valid, and the latest release as of 2026-06-10 ispip-audit 2.10.0(released 2025-12-01). Consider raising the minimum version to a newer baseline to pick up recent security/content updates.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@requirements-dev.txt` at line 23, Update the pip-audit minimum version in requirements-dev.txt by replacing the current pip-audit>=2.6.0 entry with a newer baseline (e.g., pip-audit>=2.10.0) so the dev requirements pick up recent vulnerability fixes and content updates; locate the existing pip-audit>=2.6.0 token and bump it to the new version constraint.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 98-100: The coverage gate currently uses a fallback so it never
fails CI; update the "Check coverage threshold" step to remove the "|| echo"
fallback and run the command exactly as "coverage report --fail-under=75" so the
step will exit non-zero and fail the workflow when coverage is below 75%; ensure
no additional shell OR fallbacks are present around the "coverage report
--fail-under=75" invocation.
- Around line 57-63: The CI workflow currently masks failures for the "Run
Bandit security scan" and "Run pip-audit for dependency vulnerabilities" steps
by appending `|| true`; remove the `|| true` fallbacks from those run commands
so Bandit and pip-audit failures fail the job, and instead manage acceptable
findings via tool-specific config/baseline files (e.g., Bandit config or
pip-audit allowlist) and update the steps "Run Bandit security scan" and "Run
pip-audit for dependency vulnerabilities" accordingly.
- Around line 30-37: The CI is currently silencing linter failures; in the "Run
Ruff linter" and "Run Black formatter check" steps remove the fallback operators
so failures propagate: delete the "|| true" from the Ruff run line and delete
the "|| echo \"Formatting issues detected\"" from the Black run line (i.e., edit
the run blocks for the steps titled "Run Ruff linter" and "Run Black formatter
check" to run the commands without the fallback) so the job fails when Ruff or
Black detect issues.
- Line 17: The workflow currently references mutable tags (actions/checkout@v6,
actions/setup-python@v6, actions/upload-artifact@v7) which is a supply-chain
risk; update each uses: entry to point to a specific immutable commit SHA (or
integrate the pin-github-action step to resolve and pin SHAs automatically),
e.g., replace actions/checkout@v6, actions/setup-python@v6, and
actions/upload-artifact@v7 with their verified commit SHAs so the CI.yml only
references fixed SHAs rather than floating tags.
In `@pyproject.toml`:
- Around line 91-121: The coverage configuration is duplicated between
pyproject.toml ([tool.coverage.run] and [tool.coverage.report]) and .coveragerc;
pick a single authoritative location — recommended: keep coverage config in
pyproject.toml and remove .coveragerc — then add the missing migrations exclude
to the omit list in pyproject.toml (add "*/migrations/*" to the omit array under
[tool.coverage.run]) so the combined omit and exclude_lines remain consistent
and you can safely delete the .coveragerc file.
In `@README.md`:
- Line 10: The security badge link uses the wrong repository path
'agsaru/TENET-AI' in the markdown line '[](https://github.com/agsaru/TENET-AI/actions/workflows/ci.yml)';
update that URL to the correct organization repository 'TENET-DEV-AI/TENET-AI'
so the link becomes
'(https://github.com/TENET-DEV-AI/TENET-AI/actions/workflows/ci.yml)', ensuring
the badge points to the same repo referenced by the other badges and the PR.
---
Nitpick comments:
In @.github/workflows/ci.yml:
- Line 17: The checkout steps currently use actions/checkout@v6 which persists
GitHub credentials by default; update each checkout usage (the
actions/checkout@v6 entries) to add persist-credentials: false in their step
inputs so credentials are not kept unless explicitly required — modify all
occurrences referenced in the workflow (the three actions/checkout@v6 steps) to
include the persist-credentials: false key in their step configuration.
- Around line 120-131: Replace the fixed sleep with HTTP health-check polling
for the two started services (services.analyzer.app on port 8100 and
services.ingest.app on port 8000) by repeatedly requesting their /health
endpoints until a 200 OK is returned (with a global timeout), and fail the job
if either service doesn't become healthy; keep the existing background uvicorn
starts, then add a loop that polls http://localhost:8100/health and
http://localhost:8000/health (or the correct health paths) with short sleeps
between attempts and an overall timeout before running pytest
tests/integration/test_e2e.py.
In `@README.md`:
- Around line 5-12: Add a coverage badge to the README to reflect the 75%
threshold defined in the CI; update the badge block (the sequence of shields
including "Code Quality: Bandit") to insert a coverage badge (e.g., a static
shields.io badge or a link to Codecov/Coveralls) right after the Bandit badge so
the README shows coverage alongside the CI/CD and security badges and points to
the CI workflow or the coverage service referenced by ci.yml.
In `@requirements-dev.txt`:
- Line 23: Update the pip-audit minimum version in requirements-dev.txt by
replacing the current pip-audit>=2.6.0 entry with a newer baseline (e.g.,
pip-audit>=2.10.0) so the dev requirements pick up recent vulnerability fixes
and content updates; locate the existing pip-audit>=2.6.0 token and bump it to
the new version constraint.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 6e014673-8048-4d73-b10e-279cfa821860
📒 Files selected for processing (5)
.coveragerc.github/workflows/ci.ymlREADME.mdpyproject.tomlrequirements-dev.txt
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
1 issue found across 2 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/ci.yml">
<violation number="1" location=".github/workflows/ci.yml:107">
P1: Integration test stage relies on a fixed `sleep 15` instead of verifying actual service readiness, creating CI flakiness risk and potential silent skips.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
Contributor
There was a problem hiding this comment.
3 issues found across 6 files
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
Contributor
There was a problem hiding this comment.
1 issue found across 1 file (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/ci.yml">
<violation number="1" location=".github/workflows/ci.yml:88">
P2: Coverage threshold was lowered from 75% to 50%, weakening the CI quality gate and allowing less-tested changes to pass.</violation>
</file>
Tip: Review your code locally with the cubic CLI to iterate faster.
Re-trigger cubic
Contributor
There was a problem hiding this comment.
Actionable comments posted: 5
🧹 Nitpick comments (2)
services/analyzer/app.py (2)
421-428: 💤 Low valueConsider omitting
user_idfrom diagnostic logs to avoid logging user identifiers.The
safe_summarymetadata includesuser_id, which is a user identifier. Depending on the project's data classification policy, this could be considered PII/sensitive data that shouldn't appear in logs.If user identifiers are acceptable in logs for this project, this can be ignored. Otherwise, consider logging only the presence of user_id (
"has_user_id": bool(event.get("user_id"))) rather than its value.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@services/analyzer/app.py` around lines 421 - 428, safe_summary currently includes the raw user_id value from event which may expose PII; change the construction of safe_summary (where it's defined) to omit event.get("user_id") and instead include a boolean flag like "has_user_id": bool(event.get("user_id")) so callers using safe_summary (e.g., any downstream log/telemetry that reads safe_summary) no longer contain the identifier value; update any references expecting the user_id field accordingly.
399-401: Consider bounding the alerts list to prevent unbounded growth.Malicious events are pushed to
tenet:alertswithout expiration or length limits. If alerts aren't consumed by a downstream process, this list will grow indefinitely.Consider using
LPUSHwithLTRIMto cap the list length, or ensure a consumer process removes alerts after handling.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@services/analyzer/app.py` around lines 399 - 401, The current push to Redis via redis_client.lpush("tenet:alerts", json.dumps(event)) when result.verdict == "malicious" can cause unbounded list growth; modify the write to atomically cap the list length (e.g., LPUSH + LTRIM) so only the most recent N alerts are kept, or use a Redis transaction/pipeline to LPUSH then LTRIM the "tenet:alerts" key; update the block around result.verdict, redis_client.lpush, event and event_id to perform the capped push (and optionally document the chosen max length) so alerts cannot grow indefinitely.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 103-107: Replace the fixed 15s sleep in the "Wait for services to
initialize" CI step by invoking the repository's is_service_running health-check
polling helper to wait for the ingest and analyzer /health endpoints to return
healthy; remove the sleep, call the helper for each service (ingest and
analyzer) and only proceed when both checks succeed, falling back to a sensible
timeout and failing the job if they never become healthy. Ensure you reference
the existing is_service_running helper script/command used by the E2E tests and
use the same health endpoint paths so the CI workflow mirrors test behavior.
- Around line 32-37: The Ruff lint step is referencing a non-existent path;
update the ruff invocation that currently reads "ruff check src/ services/
tenet_plugin/ scripts/ tests/" to remove "src/" so it matches the Black check
and repository layout (i.e., run "ruff check services/ tenet_plugin/ scripts/
tests/"); ensure only the "ruff check" command is changed and leave the "black
--check services/ tenet_plugin/ scripts/ tests/" step as-is.
In `@docker-compose.yml`:
- Around line 27-29: The docker-compose env defaults use an insecure
POSTGRES_PASSWORD value; update the POSTGRES_PASSWORD handling in
docker-compose.yml (and related POSTGRES_USER/POSTGRES_DB if desired) to either
remove the default so the value must be explicitly provided or replace the
default with a stronger generated secret, and document the requirement in
README/ENV samples; ensure references to POSTGRES_PASSWORD (and
POSTGRES_USER/POSTGRES_DB) are updated so local dev uses a secure value and no
weak default can slip into production.
- Around line 48-49: The docker-compose default MINIO_ROOT_PASSWORD is weak
(MINIO_ROOT_PASSWORD: ${MINIO_PASSWORD:-minio123}); update the development
config to remove the insecure fallback or replace it with a stronger
random/default generator and/or enforce explicit configuration: stop using a
hardcoded fallback for MINIO_PASSWORD, require callers to set MINIO_PASSWORD or
validate it at startup, or derive a secure value (e.g., from a generated secret)
and document that MINIO_ROOT_PASSWORD must be explicitly provided in env to
avoid weak defaults.
In `@tests/unit/test_ingest.py`:
- Around line 69-73: The jailbreak test is missing the assertion for the
`verdict` returned by `quick_heuristic_check`; update the loop over
`jailbreak_prompts` to assert that `verdict == "malicious"` (similar to the
prompt injection and data extraction tests) along with the existing `blocked is
True` and `risk_score >= 0.8` checks so the test consistently verifies the third
return value from `quick_heuristic_check`.
---
Nitpick comments:
In `@services/analyzer/app.py`:
- Around line 421-428: safe_summary currently includes the raw user_id value
from event which may expose PII; change the construction of safe_summary (where
it's defined) to omit event.get("user_id") and instead include a boolean flag
like "has_user_id": bool(event.get("user_id")) so callers using safe_summary
(e.g., any downstream log/telemetry that reads safe_summary) no longer contain
the identifier value; update any references expecting the user_id field
accordingly.
- Around line 399-401: The current push to Redis via
redis_client.lpush("tenet:alerts", json.dumps(event)) when result.verdict ==
"malicious" can cause unbounded list growth; modify the write to atomically cap
the list length (e.g., LPUSH + LTRIM) so only the most recent N alerts are kept,
or use a Redis transaction/pipeline to LPUSH then LTRIM the "tenet:alerts" key;
update the block around result.verdict, redis_client.lpush, event and event_id
to perform the capped push (and optionally document the chosen max length) so
alerts cannot grow indefinitely.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: fcd1ff08-a9a6-44f0-a64a-316cc6965ce6
📒 Files selected for processing (21)
.github/tenet_agent/tenet_solve.py.github/tenet_agent/utils.py.github/workflows/ci.ymlREADME.mddocker-compose.ymlexamples/llm_plugin_demo.pypyproject.tomlscripts/train_model.pyscripts/verify_model_artifacts.pyservices/analyzer/app.pyservices/analyzer/model/phishing_model.pyservices/ingest/app.pyservices/security/tenant_security.pyservices/utils/logging_config.pytests/integration/test_e2e.pytests/unit/test_analyzer.pytests/unit/test_ingest.pytests/unit/test_logging.pytests/unit/test_logging_config.pytests/unit/test_model_artifacts.pytests/unit/test_training.py
💤 Files with no reviewable changes (1)
- pyproject.toml
✅ Files skipped from review due to trivial changes (13)
- services/utils/logging_config.py
- services/security/tenant_security.py
- .github/tenet_agent/tenet_solve.py
- scripts/verify_model_artifacts.py
- services/ingest/app.py
- tests/unit/test_model_artifacts.py
- .github/tenet_agent/utils.py
- tests/unit/test_logging_config.py
- tests/unit/test_training.py
- services/analyzer/model/phishing_model.py
- scripts/train_model.py
- tests/integration/test_e2e.py
- tests/unit/test_analyzer.py
🚧 Files skipped from review as they are similar to previous changes (1)
- README.md
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
docker-compose.yml (1)
1-1: 💤 Low valueRemove obsolete
versionattribute.Docker Compose no longer requires the
versionfield and warns it will be ignored. The CI pipeline logs confirm this warning. Remove line 1 to align with current docker-compose best practices.🧹 Proposed fix
-version: '3.8' - services:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docker-compose.yml` at line 1, Remove the obsolete top-level version attribute from the docker-compose.yml (the line containing "version: '3.8'"); open the file, delete that "version" line so the compose file relies on the current Compose specification without the ignored version key, and save the file to eliminate the CI warning.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 98-101: The CI job step "Start complete infrastructure via Docker
Compose" runs `docker compose up` without required env vars; add an `env:` block
to that step (or load a `.env.ci` via `--env-file`) to provide POSTGRES_DB,
POSTGRES_USER, POSTGRES_PASSWORD, MINIO_USER, MINIO_PASSWORD, API_KEY, and
CORS_ORIGINS before invoking `docker compose up` so docker-compose interpolation
in the compose file has valid values; update the step that currently runs
`docker compose up -d --build` (the "Start complete infrastructure via Docker
Compose" step) to either include an `env:` mapping for those keys or change the
command to load `.env.ci` (e.g., `docker compose --env-file .env.ci up -d
--build`) and ensure the CI secrets/variables are wired into those values.
---
Nitpick comments:
In `@docker-compose.yml`:
- Line 1: Remove the obsolete top-level version attribute from the
docker-compose.yml (the line containing "version: '3.8'"); open the file, delete
that "version" line so the compose file relies on the current Compose
specification without the ignored version key, and save the file to eliminate
the CI warning.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 2e8d4d4b-b0ba-4f5d-b153-12badc22ee14
📒 Files selected for processing (27)
.coveragerc.github/tenet_agent/tenet_solve.py.github/tenet_agent/utils.py.github/workflows/ci.ymlREADME.mddocker-compose.ymlexamples/llm_plugin_demo.pypyproject.tomlrequirements-dev.txtscripts/train_model.pyscripts/verify_model_artifacts.pyservices/analyzer/app.pyservices/analyzer/model/phishing_model.pyservices/ingest/app.pyservices/security/__init__.pyservices/security/tenant_security.pyservices/utils/logging_config.pytenet_plugin/__init__.pytenet_plugin/client.pytests/integration/test_e2e.pytests/unit/test_analyzer.pytests/unit/test_ingest.pytests/unit/test_logging.pytests/unit/test_logging_config.pytests/unit/test_model_artifacts.pytests/unit/test_tenet_plugin.pytests/unit/test_training.py
✅ Files skipped from review due to trivial changes (13)
- services/security/init.py
- tenet_plugin/init.py
- examples/llm_plugin_demo.py
- README.md
- tests/unit/test_training.py
- .github/tenet_agent/tenet_solve.py
- services/security/tenant_security.py
- tests/unit/test_analyzer.py
- services/utils/logging_config.py
- tests/unit/test_model_artifacts.py
- tests/unit/test_logging_config.py
- .github/tenet_agent/utils.py
- scripts/train_model.py
🚧 Files skipped from review as they are similar to previous changes (7)
- requirements-dev.txt
- scripts/verify_model_artifacts.py
- .coveragerc
- tests/integration/test_e2e.py
- pyproject.toml
- tests/unit/test_ingest.py
- services/analyzer/app.py
Collaborator
|
Cl tests failing pls fix @agsaru |
Contributor
Author
|
@S3DFX-CYBER fixed |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Collaborator
|
@agsaru looks good to me but needs a mentor review @Preetham404 kindly review pls |
Preetham404
reviewed
Jun 12, 2026
Preetham404
left a comment
Preetham404
left a comment
Collaborator
There was a problem hiding this comment.
Thanks for the contribution. The CI workflow and accompanying tests help improve code quality and automation. I reviewed the changes and did not find any major issues. Please ensure all failing checks are addressed before merging.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This pr adds CI Pipeline with Lint, Tests, Security Scans and Coverage Gates
Key Changes
Related Issue
Fixes #95
Type of Change
How Has This Been Tested?
Checklist
Summary by cubic
Adds full GitHub Actions CI with split lint/format, security, and test jobs; enforces a 50% coverage gate with
coverage.xmlupload; and runs E2E viadocker compose. Finalizes Compose by parameterizing service creds and API/CORS via env vars, centralizes config inpyproject.tomland.coveragerc, and wires required env in CI for consistent service startup. Fixes #95.New Features
lint,security, andtestjobs usingruff,black --check,bandit, andpip-audit..coveragercand uploadcoverage.xml.docker compose(Redis, Postgres, MinIO, Ingest, Analyzer) with health checks/teardown; CI sets required env vars.docker-compose.ymlwithPOSTGRES_*,MINIO_USER/MINIO_PASSWORD,API_KEY, andCORS_ORIGINS.pyproject.toml; add CI andruffbadges in README.Bug Fixes
ruff/banditissues across services, plugin, scripts, and tests so CI passes.Written for commit a227b87. Summary will update on new commits.
Summary by CodeRabbit
New Features
Chores
Documentation