
Claude/elegant leavitt dc490e#42

Merged
tafreeman merged 2 commits into
mainfrom
claude/elegant-leavitt-dc490e
May 12, 2026

Conversation

@tafreeman
Owner

No description provided.

knowlesjim287-bot and others added 2 commits May 11, 2026 15:36
- Delete raw AI session transcripts and binary planning files (convo.txt,
  chatgpt covo.txt, Repo Name Suggestions.docx/.pdf) from dev/planning/
- Archive dev/planning/ → docs/planning/ with historical-context README
- Relocate .full-review/ → docs/review-process/; gitignore state.json
- Add PORTFOLIO.md: stack context, where to start, design decisions, CI facts
- Add README "For Reviewers" section linking arch.md, anti-scope, examples
- Add docs/adr/README.md stub (Sprint 2 will populate with 3 ADRs)
- Add dev/PORTFOLIO_BACKLOG.md: 16-item sprint-planned portfolio backlog
- Strip 57 redundant @pytest.mark.asyncio decorators (asyncio_mode=auto)

387 tests pass, 85% coverage.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… hardening

ADRs (PB-02):
- docs/adr/001-structural-protocols.md: PEP 544 protocols over ABC
- docs/adr/002-flat-layout.md: flat layout over src/ wrapper
- docs/adr/003-single-provider.md: single OpenAI-compatible Provider over adapter matrix
- docs/adr/README.md: replace placeholder stub with proper index table

Supply-chain security:
- requirements.lock: pin all 30 dev deps via uv pip compile (PB-08)
- .github/workflows/ci.yml: add pip-audit step to security job (PB-08)
- .github/workflows/codeql.yml: new CodeQL SAST workflow for Python (PB-09)
- sbom.json: CycloneDX 1.6 SBOM, 372 components (PB-10)
- .github/workflows/publish.yml: regenerate SBOM on each release (PB-10)

Type coverage (PB-15):
- pyproject.toml: remove examples/ from mypy --strict exclusion list
- examples/react_tool_use.py: fix 5 mypy errors (split _SAFE_OPS into
  typed Callable dicts, annotate provider params as ToolCallingProvider);
  fix 3 ruff errors (UP035 Callable import, TC006 cast quote)

Note: PB-11 (OIDC trusted publishing) was already implemented in publish.yml.

Sprint 2 Definition of Done:
- 387 tests pass, 85% coverage
- mypy --strict clean across 26 source files (executionkit/ + examples/)
- ruff clean across all files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tafreeman tafreeman merged commit 0a19020 into main May 12, 2026
17 checks passed
@tafreeman tafreeman deleted the claude/elegant-leavitt-dc490e branch May 12, 2026 02:02

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e3335a72c4


- name: Generate SBOM
run: |
pip install cyclonedx-bom
cyclonedx-py environment --of JSON --output-file sbom.json
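Review bot: `pip install cyclonedx-bom` in the Generate SBOM step installs whatever version of the generator is current on the day a tag is cut, so the release SBOM is produced by an unpinned, unverified tool in the publish workflow. Pin it to a known version (placeholder: `pip install cyclonedx-bom==<pinned version>`), ideally from a hashed requirements file, so the generator is as reproducible as the artifact it describes.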

P2: Generate the SBOM from the project environment

In this release workflow, cyclonedx-py environment inventories the packages installed in the selected Python environment; at this point the build job has only installed build and then cyclonedx-bom, not ExecutionKit's runtime/dev environment from the lockfile. The SBOM artifact produced on tags will therefore describe the runner/tooling environment rather than the package being released, which can omit real dependencies and add unrelated ones. Install the project/locked requirements into an isolated environment before generating the SBOM, or generate from the requirements file instead.


Comment thread .github/workflows/ci.yml
run: bandit -r executionkit/ -c pyproject.toml

- name: Dependency audit (pip-audit)
run: pip install pip-audit && pip-audit --requirement requirements.lock
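Review bot: the same line installs `pip-audit` unpinned and then runs it, so the scanner in the security job is itself an unpinned dependency; pin `pip-audit` to a known version (placeholder: `pip install pip-audit==<pinned version>`). Note also that `--requirement requirements.lock` evaluates the file as written, so the result only reflects the job's environment if that environment was installed from the same lock.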

P2: Audit the dependencies that CI actually installs

The new audit checks requirements.lock, but the CI/test and publish jobs still install dev dependencies with pip install -e ".[dev]", so pip can resolve newer versions than the pinned lock while the audit continues to pass against stale pins. This creates a false negative whenever an allowed transitive/dev version gets a vulnerability after the lock was generated. Either install from the lockfile in the jobs being audited or audit the resolved environment that was actually installed.

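As an added example (not code from the PR or the ExecutionKit project), a small checker covering both Codex points above: it parses requirements.lock pins and reports drift against either the installed Python environment or the components of a CycloneDX SBOM. The lock text and SBOM below are constructed samples.

```python
import json
import re
from importlib import metadata

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

# Constructed sample inputs (not the project's real lock or SBOM).
SAMPLE_LOCK = """# generated by uv pip compile (constructed sample)
httpx==0.27.0
PyYAML==6.0.1
pytest==8.2.0 ; python_version >= "3.10"
"""
SAMPLE_SBOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [{"name": "httpx", "version": "0.27.2"},
                 {"name": "pyyaml", "version": "6.0.1"},
                 {"name": "build", "version": "1.2.1"}]}""")

def _norm(name: str) -> str:
    # PEP 503 name normalisation so PyYAML and pyyaml compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_lock(text: str) -> dict[str, str]:
    """Normalised name -> pinned version for every 'name==version' line."""
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue  # comments and pip options carry no pin
        if m := _PIN.match(line):
            pins[_norm(m.group(1))] = m.group(2)
    return pins

def installed_versions() -> dict[str, str]:
    """What the current environment actually contains (pip-audit's default view)."""
    return {_norm(d.metadata.get("Name", "")): d.version for d in metadata.distributions()}

def sbom_versions(sbom: dict) -> dict[str, str]:
    """Name -> version for the components of a CycloneDX JSON SBOM."""
    return {_norm(c["name"]): c.get("version", "") for c in sbom.get("components", [])}

def drift(pins: dict[str, str], actual: dict[str, str]) -> dict[str, list[str]]:
    """Pins that are absent, resolved to another version, or never pinned at all."""
    return {
        "missing": sorted(n for n in pins if n not in actual),
        "mismatched": sorted(f"{n}: lock {pins[n]} != actual {actual[n]}"
                             for n in pins if n in actual and actual[n] != pins[n]),
        "unpinned": sorted(n for n in actual if n not in pins),
    }
```

Running `drift(parse_lock(open("requirements.lock").read()), installed_versions())` at the end of a CI job reveals exactly the case the comment describes: a package that resolved to a newer version than the lock the audit was run against.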


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request enhances the project's documentation and tooling by introducing a portfolio orientation guide, a strategic backlog, and formal Architecture Decision Records (ADRs). It also improves code quality by adding a requirements lockfile and enabling strict mypy checks for the examples directory. Review feedback focused on minor cleanups, specifically removing a redundant entry in .gitignore and simplifying the react_tool_use.py example by eliminating an unnecessary type cast and its associated import.

Comment thread .gitignore

# Local review artifacts
.full-review/
.full-review/state.json

medium

This entry is redundant because the entire .full-review/ directory is already ignored on line 57.

import os
from typing import Any
from collections.abc import Callable
from typing import cast

medium

This import becomes unnecessary if the redundant cast on line 180 is removed.

Comment on lines +180 to 187
provider = cast(
"ToolCallingProvider",
Provider(
base_url="https://api.openai.com/v1",
api_key=os.environ["OPENAI_API_KEY"],
model="gpt-4o-mini",
),
)

medium

The cast to ToolCallingProvider is redundant. The Provider class already satisfies the ToolCallingProvider protocol structurally as it implements the required complete method and has the supports_tools attribute. Removing the cast simplifies the example code for users.

    provider = Provider(
        base_url="https://api.openai.com/v1",
        api_key=os.environ["OPENAI_API_KEY"],
        model="gpt-4o-mini",
    )
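An added example (not ExecutionKit's code) showing why the cast above is unnecessary: the `ToolCallingProvider` protocol and `Provider` shapes are assumptions modelled on the names in the comment (`complete`, `supports_tools`); the real signatures may differ.

```python
from typing import Any, Protocol, runtime_checkable


@runtime_checkable
class ToolCallingProvider(Protocol):
    """Assumed shape: a supports_tools flag plus a complete() method."""
    supports_tools: bool

    def complete(self, messages: list[dict[str, Any]], **kwargs: Any) -> str: ...


class Provider:
    """Never subclasses the protocol; it conforms purely by shape (PEP 544)."""

    supports_tools = True

    def __init__(self, base_url: str, api_key: str, model: str) -> None:
        self.base_url, self.api_key, self.model = base_url, api_key, model

    def complete(self, messages: list[dict[str, Any]], **kwargs: Any) -> str:
        # Stand-in for the network call so the example runs offline.
        return f"{self.model}: {messages[-1]['content']}"


class TextOnlyProvider:
    """Has complete() but no supports_tools, so it does not satisfy the protocol."""

    def complete(self, messages: list[dict[str, Any]], **kwargs: Any) -> str:
        return messages[-1]["content"]


def satisfies_protocol(obj: object) -> bool:
    """True iff obj has every member ToolCallingProvider requires (checked by name)."""
    return isinstance(obj, ToolCallingProvider)


def run_with_tools(provider: ToolCallingProvider, prompt: str) -> str:
    # A plain Provider is accepted here with no cast: mypy and the
    # runtime_checkable isinstance() both judge by structure, not inheritance.
    if not satisfies_protocol(provider) or not provider.supports_tools:
        raise TypeError("provider cannot call tools")
    return provider.complete([{"role": "user", "content": prompt}])
```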
