Feat/clean kronn#114
Merged
Merged
Conversation
8831602 to
9ed61ce
Compare
There was a problem hiding this comment.
Pull request overview
This PR bumps Kronn to 0.8.11 and delivers a broad “socle clean” hardening pass: tighter security defaults, more reliable ops behavior for autonomous workflows, and CI guards to prevent common drift/regression classes across backend/frontend.
Changes:
- Security & ops hardening: LAN exposure guardrails, failure notifications, scheduled DB backups, and reconciliation of interrupted workflow runs.
- Workflow/UI improvements: clearer disabled-workflow UX, per-step model tier selection + badges, branch-map readability upgrades, and browser-language-based initial UI locale.
- CI & drift guards: typegen field-drift checker, phantom CSS token guard test, stricter linting in CI, and CI flake prevention for
onnxruntime-node.
Reviewed changes
Copilot reviewed 75 out of 77 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| VERSION | Bump repo version to 0.8.11 |
| Makefile | Enhance typegen target with bindings + drift check messaging |
| frontend/src/types/generated.ts | Backfill missing fields/types to match Rust model drift |
| frontend/src/test/setup.ts | Pin navigator locale for deterministic i18n tests |
| frontend/src/styles/tokens.css | Add compat token aliases + RGB triples; light-theme overrides |
| frontend/src/styles/tests/tokens-defined.test.ts | New test to fail on undefined --kr-* var usage without fallback |
| frontend/src/pages/WorkflowsPage.tsx | Disabled-workflow tooltip + enable toggle hook into detail |
| frontend/src/pages/WorkflowsPage.css | Token usage cleanup; branch-map styling; Interrupted status styling; tier/disabled chips |
| frontend/src/pages/SettingsPage.css | Token usage cleanup (--kr-bg-input without fallback) |
| frontend/src/pages/McpPage.tsx | Minor hook/comment cleanup; file-import typing tweak |
| frontend/src/pages/tests/WorkflowsPage.test.tsx | New UX regression tests for launch modal + disabled workflows + tier select |
| frontend/src/pages/tests/DiscussionsPage.test.tsx | Update fixtures for pin_first_message |
| frontend/src/pages/tests/Dashboard.test.tsx | Update fixtures for pin_first_message |
| frontend/src/lib/kronnToolParser.ts | Regex tweak for agent-native tool trace parsing |
| frontend/src/lib/i18n.ts | Browser-language detection + new translation keys (tour groups, workflow UX, saving state) |
| frontend/src/lib/tests/regression.test.ts | Update fixtures for pin_first_message |
| frontend/src/lib/tests/i18n.test.ts | Test new browser-locale default behavior |
| frontend/src/lib/tests/batchTriage.test.ts | Update fixtures for pin_first_message |
| frontend/src/components/workflows/WorkflowWizard.tsx | Add per-step ModelTier selector |
| frontend/src/components/workflows/WorkflowDetail.tsx | Disabled workflow chip + enable button; tier badges in detail/pipeline |
| frontend/src/components/workflows/StepBranchMap.tsx | Categorized arc coloring + fanned crossings + legend tweaks |
| frontend/src/components/workflows/RunDetail.tsx | Add Interrupted status color |
| frontend/src/components/workflows/tests/WorkflowDetail.actions.test.tsx | Tests for disabled-workflow tooltip/chip/enable + tier badge behavior |
| frontend/src/components/tour/tourSteps.ts | Replace hardcoded group labels with translation keys |
| frontend/src/components/tour/TourOverlay.tsx | Render translated tour group labels |
| frontend/src/components/MessageBubble.tsx | Fix hooks ordering by moving big-content guard after hooks |
| frontend/src/components/MermaidDiagram.tsx | Lint suppression for lazy import typing; adjust print HTML script tag |
| frontend/src/components/tests/TestModeBanner.test.tsx | Update fixtures for pin_first_message |
| frontend/src/components/tests/MessageBubble.seedToggle.test.tsx | Use useState import instead of runtime require |
| frontend/src/components/tests/DiscussionSidebar.sourceBadge.test.tsx | Update fixtures for pin_first_message |
| frontend/src/components/tests/DiscussionSidebar.markAllRead.test.tsx | Update fixtures for pin_first_message |
| frontend/src/components/tests/DiscussionSidebar.grouping.test.tsx | Update fixtures for pin_first_message |
| frontend/src/components/tests/ChatHeader.profileEditor.test.tsx | Update fixtures for pin_first_message |
| frontend/src/components/tests/ChatHeader.pendingFiles.test.tsx | Update fixtures for pin_first_message |
| frontend/scripts/check-types-drift.mjs | New field-level drift guard vs backend/bindings |
| frontend/scripts/assemble-generated-types.mjs | New full-regen assembler script (not wired to overwrite) |
| frontend/pnpm-workspace.yaml | Document onnxruntime-node CI skip rationale |
| frontend/package.json | Bump version; remove obsolete pnpm.neverBuiltDependencies config |
| frontend/Dockerfile | Skip onnxruntime-node CUDA download during install |
| frontend/.npmrc | Belt-and-braces skip for onnxruntime-node install behavior |
| docs/tech-debt/TD-20260701-typegen-generated-aggregate.md | Update status with partial mitigation (drift guard + backfill) |
| docs/tech-debt/TD-20260629-import-downgrade-wipe.md | Mark resolved and document verified behavior |
| docs/tech-debt/TD-20260510-codex-upstream-issue-draft.md | Update status text (“ready to file”) |
| docs/operations/mcp-servers/kronn-internal.md | Document sidecar auth behavior and requirements |
| docs/decisions.md | Add “frozen surfaces” scope decision for 0.8.11 |
| docker-compose.yml | Loopback-by-default port publishing; env knobs for auth/LAN/backup/notify |
| desktop/src-tauri/tauri.conf.json | Bump desktop version |
| desktop/src-tauri/Cargo.toml | Bump desktop crate version |
| desktop/src-tauri/Cargo.lock | Lockfile version bumps |
| desktop/package.json | Bump desktop package version |
| CHANGELOG.md | Add 0.8.11 unreleased changelog entry with audit-driven changes |
| backend/src/workflows/mod.rs | Add failure notification call after scheduled/auto runs |
| backend/src/models/workflows.rs | Add RunStatus::Interrupted |
| backend/src/models/tests.rs | Add tests for coded error code strings + serialization behavior |
| backend/src/models/setup.rs | Add failure_notify_url + run_retention_days to server config |
| backend/src/models/mod.rs | Add typed ApiErrorCode + ApiResponse.error_code + err_coded |
| backend/src/main.rs | Sync KRONN_AUTH_TOKEN env/config; LAN exposure boot guard; run retention purge; backup scheduler |
| backend/src/db/workflows.rs | Add Interrupted parsing; reconcile stale runs; cap unpaginated run listing; run retention purge |
| backend/src/db/tests.rs | Tests for purge + reconcile behaviors |
| backend/src/db/mod.rs | Run reconcile stale workflow runs at boot |
| backend/src/core/run_notify.rs | New webhook notifier for failed/interrupted/guard-stopped runs |
| backend/src/core/net_expose.rs | LAN exposure detection + boot refusal logic (unless authenticated/ack) |
| backend/src/core/mod.rs | Export new core modules (backup, run_notify) |
| backend/src/core/mcp_scanner_test.rs | Add cross-language step-type drift guard; serialize env-mutating tests |
| backend/src/core/host_mcp_discovery.rs | Serialize env-mutating tests |
| backend/src/core/config.rs | Seed defaults for new server config fields |
| backend/src/core/backup.rs | New scheduled backup implementation + pruning + tests |
| backend/src/api/workflows.rs | Adopt err_coded for not-found/internal cases in workflows API |
| backend/src/api/mcp_remote.rs | Treat Interrupted as terminal for stats/logic |
| backend/src/api/contacts.rs | Update server config test fixture with new fields |
| backend/src/agents/runner.rs | Compact skill injection for Ollama; model-aware ctx cap; ctx-limit parsing/caching |
| backend/src/agents/runner_test.rs | Update Ollama body tests; add ctx-cap parsing + model context parsing tests |
| backend/scripts/test_disc_introspection_mcp.py | New tests for sidecar Authorization header behavior |
| backend/Cargo.toml | Bump backend version |
| backend/Cargo.lock | Lockfile version bump |
| backend/.cargo/audit.toml | Document dated ignore policy for cargo-audit ignores |
| .github/workflows/ci-test.yml | Fix label gating across synchronize; enforce lint; add type drift guard; skip onnxruntime-node install flake |
Comment on lines
+113
to
+121
| // 0.8.11 (B5) — same reconcile for workflow_runs: a run that was in | ||
| // flight when the process died stays `Running`/`Pending` forever, | ||
| // poisoning the active-runs badge and cron "last run" checks. Flip | ||
| // anything stuck > 30 min to the terminal `Interrupted` status. | ||
| match workflows::reconcile_stale_runs(&conn, 30 * 60) { | ||
| Ok(0) => {} | ||
| Ok(n) => tracing::info!("Reconciled {} stale workflow_runs (status was 'Running'/'Pending' for > 30 min → Interrupted)", n), | ||
| Err(e) => tracing::warn!("Failed to reconcile stale workflow_runs: {}", e), | ||
| } |
Comment on lines
275
to
277
| return () => window.removeEventListener('keydown', onKey); | ||
| // eslint-disable-next-line react-hooks/exhaustive-deps | ||
| }, [selectedConfigId, editingCustomServerId]); |
Comment on lines
+55
to
+62
| let body = build_payload(&workflow.name, &run.status, &run.id, &run.started_at.to_rfc3339()); | ||
| let client = reqwest::Client::new(); | ||
| let send = client | ||
| .post(&url) | ||
| .header("content-type", "application/json") | ||
| .body(body) | ||
| .send() | ||
| .await; |
| **Server:** `kronn-internal` (Python stdio bridge — `backend/scripts/disc-introspection-mcp.py`) | ||
| **Source:** This repo. Auto-injected by Kronn into every supported CLI's MCP config (`.mcp.json`, `~/.codex/config.toml`, `.gemini/settings.json`, `.kiro/settings/mcp.json`, `.vibe/config.toml`). | ||
| **Auth:** None (local stdio). The bridge talks to the Kronn backend over `KRONN_BACKEND_URL` (default `http://127.0.0.1:3140`). | ||
| **Auth:** stdio itself is unauthenticated (local pipe), but the bridge authenticates to the Kronn backend over `KRONN_BACKEND_URL` (default `http://127.0.0.1:3140`): when the backend has a token configured, it exports `KRONN_AUTH_TOKEN` into the process env, the sidecar inherits it and sends `Authorization: Bearer <token>` on every call. On a loopback-only instance the backend's local-trust bypass makes the token optional; on a LAN-exposed instance (e.g. WSL backend / Mac frontend) it is required — otherwise the sidecar's own calls get a silent 401. `[src:backend/scripts/disc-introspection-mcp.py:1970]` `[src:backend/src/main.rs]` |
Signed-off-by: Romuald Priol <romuald.priol@protonmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Clean few things to optimize WF, steps, and local agents, tests...
Changes
Interrupted, not left "Running" forever.