
chore(deps): consolidate dependency updates and scanning fixes#659

Merged
yacosta738 merged 23 commits into main from chore/deps-consolidation on Apr 26, 2026

Conversation

@yacosta738
Contributor

Related Issues

N/A


Summary

  • Consolidates pending dependency updates across Rust, web, and Gradle-managed components on chore/deps-consolidation.
  • Fixes code-scanning-related quality issues by replacing Detekt-reported magic numbers with named constants in build logic utilities.
  • Restores Rust compilation and webhook test compatibility by importing hmac::KeyInit where new_from_slice is used and switching SHA-256 hex rendering to hex::encode.

Tested Information

  • ./gradlew :build-logic:compileKotlin
  • cargo check -p corvus
  • cargo test -p corvus --test whatsapp_webhook_security --no-run
  • Manually executed the Rust portion of the pre-push hook:
    • cargo fmt --check
    • cargo clippy --all-targets -- -D warnings
    • cargo test --lib --quiet

Documentation Impact

  • Docs updated in:
  • No docs update required because these changes are dependency maintenance and internal code quality fixes; they do not change documented user-facing behavior, setup steps, APIs, or operational workflows.
  • I verified the documentation matches the current behavior.

Breaking Changes

None.


Checklist

  • I have checked that there isn’t already a PR solving the same problem.
  • I have read the Contributing Guidelines and followed the project conventions.
  • I have tested my changes locally or explained why tests were not applicable.
  • I have reviewed the diff for accidental secrets, generated noise, and unrelated changes.
  • I have considered documentation impact and updated docs or explained why no updates were needed.
  • I confirm this PR does not introduce breaking changes, or I have clearly documented them above.
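As an added illustration (not the project's own Rust code) of the webhook check the whatsapp_webhook_security test exercises: an HMAC-SHA256 tag over the raw request body, rendered as hex and compared in constant time, with the malformed-header cases rejected before any comparison. The `sha256=<hex>` header format, the secret and the body are constructed assumptions for this example.

```python
"""Webhook signature verification modelled on the HMAC-SHA256 check the PR's
whatsapp_webhook_security test covers (added example, not project code)."""
import hashlib
import hmac
from typing import Dict, Optional

# Assumed header layout: "sha256=" followed by the lowercase hex tag.
SIGNATURE_PREFIX = "sha256="
HEX_TAG_LENGTH = hashlib.sha256().digest_size * 2  # 32 bytes -> 64 hex chars

# Constructed sample inputs; in a real deployment the secret comes from
# configuration and the body is the exact bytes received on the wire.
APP_SECRET = b"constructed-example-app-secret"
BODY = b'{"object":"whatsapp_business_account","entry":[]}'


def sign_payload(app_secret: bytes, body: bytes) -> str:
    """Render the tag the way the header carries it: prefix + lowercase hex."""
    tag = hmac.new(app_secret, body, hashlib.sha256).hexdigest()
    return SIGNATURE_PREFIX + tag


def verify_signature(app_secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Return True only for a well-formed header whose tag matches the body.

    Structural checks run first: a missing header, an unexpected algorithm
    prefix, a wrong-length tag or non-hex characters can never match, and
    rejecting them early keeps the constant-time compare on equal-length input.
    """
    if header is None or not header.startswith(SIGNATURE_PREFIX):
        return False
    presented_hex = header[len(SIGNATURE_PREFIX):]
    if len(presented_hex) != HEX_TAG_LENGTH:
        return False
    try:
        presented = bytes.fromhex(presented_hex)
    except ValueError:
        return False
    expected = hmac.new(app_secret, body, hashlib.sha256).digest()
    # Compare decoded bytes, not strings: timing-safe, and tolerant of an
    # upper-case hex rendering on the sender's side.
    return hmac.compare_digest(expected, presented)


def check_cases() -> Dict[str, bool]:
    """Exercise the verifier against the constructed sample and typical failure modes."""
    good = sign_payload(APP_SECRET, BODY)
    hex_part = good[len(SIGNATURE_PREFIX):]
    return {
        "valid": verify_signature(APP_SECRET, BODY, good),
        "tampered_body": verify_signature(APP_SECRET, BODY + b" ", good),
        "missing_header": verify_signature(APP_SECRET, BODY, None),
        "wrong_secret": verify_signature(b"some-other-secret", BODY, good),
        "truncated_tag": verify_signature(APP_SECRET, BODY, good[:-2]),
        "not_hex": verify_signature(APP_SECRET, BODY, SIGNATURE_PREFIX + "zz" * 32),
        "uppercase_hex": verify_signature(APP_SECRET, BODY, SIGNATURE_PREFIX + hex_part.upper()),
        "wrong_algorithm": verify_signature(APP_SECRET, BODY, "sha1=" + hex_part),
    }


if __name__ == "__main__":
    for name, outcome in check_cases().items():
        print(f"{name:16} -> {'accepted' if outcome else 'rejected'}")
```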

dependabot Bot and others added 17 commits April 25, 2026 09:24
Bumps the androidx group with 2 updates in the / directory: [org.jetbrains.androidx.lifecycle:lifecycle-runtime-compose](https://github.com/JetBrains/compose-jb) and [org.jetbrains.androidx.lifecycle:lifecycle-viewmodel-compose](https://github.com/JetBrains/compose-jb).


Updates `org.jetbrains.androidx.lifecycle:lifecycle-runtime-compose` from 2.9.6 to 2.10.0
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](https://github.com/JetBrains/compose-jb/commits)

Updates `org.jetbrains.androidx.lifecycle:lifecycle-viewmodel-compose` from 2.9.6 to 2.10.0
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](https://github.com/JetBrains/compose-jb/commits)

Updates `org.jetbrains.androidx.lifecycle:lifecycle-viewmodel-compose` from 2.9.6 to 2.10.0
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](https://github.com/JetBrains/compose-jb/commits)

---
updated-dependencies:
- dependency-name: org.jetbrains.androidx.lifecycle:lifecycle-runtime-compose
  dependency-version: 2.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: androidx
- dependency-name: org.jetbrains.androidx.lifecycle:lifecycle-viewmodel-compose
  dependency-version: 2.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: androidx
- dependency-name: org.jetbrains.androidx.lifecycle:lifecycle-viewmodel-compose
  dependency-version: 2.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: androidx
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the compose group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [org.jetbrains.compose.components:components-resources](https://github.com/JetBrains/compose-jb) | `1.10.2` | `1.10.3` |
| [org.jetbrains.compose.foundation:foundation](https://github.com/JetBrains/compose-jb) | `1.10.2` | `1.10.3` |
| [org.jetbrains.compose.runtime:runtime](https://github.com/JetBrains/compose-jb) | `1.10.2` | `1.10.3` |
| [org.jetbrains.compose.ui:ui](https://github.com/JetBrains/compose-jb) | `1.10.2` | `1.10.3` |
| [org.jetbrains.compose.ui:ui-tooling](https://github.com/JetBrains/compose-jb) | `1.10.2` | `1.10.3` |
| [org.jetbrains.compose.ui:ui-tooling-preview](https://github.com/JetBrains/compose-jb) | `1.10.2` | `1.10.3` |
| [org.jetbrains.compose.material3:material3](https://github.com/JetBrains/compose-multiplatform) | `1.10.0-alpha05` | `1.11.0-alpha07` |



Updates `org.jetbrains.compose.components:components-resources` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

Updates `org.jetbrains.compose.foundation:foundation` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

Updates `org.jetbrains.compose.runtime:runtime` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

Updates `org.jetbrains.compose.ui:ui` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

Updates `org.jetbrains.compose.ui:ui-tooling` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

Updates `org.jetbrains.compose.ui:ui-tooling-preview` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

Updates `org.jetbrains.compose.foundation:foundation` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

Updates `org.jetbrains.compose.material3:material3` from 1.10.0-alpha05 to 1.11.0-alpha07
- [Release notes](https://github.com/JetBrains/compose-multiplatform/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](https://github.com/JetBrains/compose-multiplatform/commits)

Updates `org.jetbrains.compose.runtime:runtime` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

Updates `org.jetbrains.compose.ui:ui` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

Updates `org.jetbrains.compose.ui:ui-tooling` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

Updates `org.jetbrains.compose.ui:ui-tooling-preview` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/JetBrains/compose-jb/releases)
- [Changelog](https://github.com/JetBrains/compose-multiplatform/blob/master/CHANGELOG.md)
- [Commits](JetBrains/compose-multiplatform@v1.10.2...v1.10.3)

---
updated-dependencies:
- dependency-name: org.jetbrains.compose.components:components-resources
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
- dependency-name: org.jetbrains.compose.foundation:foundation
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
- dependency-name: org.jetbrains.compose.foundation:foundation
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
- dependency-name: org.jetbrains.compose.material3:material3
  dependency-version: 1.11.0-alpha07
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: compose
- dependency-name: org.jetbrains.compose.runtime:runtime
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
- dependency-name: org.jetbrains.compose.runtime:runtime
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
- dependency-name: org.jetbrains.compose.ui:ui
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
- dependency-name: org.jetbrains.compose.ui:ui
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
- dependency-name: org.jetbrains.compose.ui:ui-tooling
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
- dependency-name: org.jetbrains.compose.ui:ui-tooling
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
- dependency-name: org.jetbrains.compose.ui:ui-tooling-preview
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
- dependency-name: org.jetbrains.compose.ui:ui-tooling-preview
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: compose
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.google.devtools.ksp](https://github.com/google/ksp) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/google/ksp/releases)
- [Commits](google/ksp@2.3.5...2.3.6)

---
updated-dependencies:
- dependency-name: com.google.devtools.ksp
  dependency-version: 2.3.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.cyclonedx.bom from 3.1.0 to 3.2.4.

---
updated-dependencies:
- dependency-name: org.cyclonedx.bom
  dependency-version: 3.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps com.gradle.develocity from 4.3.2 to 4.4.1.

---
updated-dependencies:
- dependency-name: com.gradle.develocity
  dependency-version: 4.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.openrewrite.rewrite from 7.28.0 to 7.31.0.

---
updated-dependencies:
- dependency-name: org.openrewrite.rewrite
  dependency-version: 7.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [io.netty:netty-bom](https://github.com/netty/netty) from 4.1.132.Final to 4.2.12.Final.
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.1.132.Final...netty-4.2.12.Final)

---
updated-dependencies:
- dependency-name: io.netty:netty-bom
  dependency-version: 4.2.12.Final
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps com.github.spotbugs from 6.4.8 to 6.5.1.

---
updated-dependencies:
- dependency-name: com.github.spotbugs
  dependency-version: 6.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.autonomousapps.dependency-analysis](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin) from 3.6.1 to 3.9.0.
- [Changelog](https://github.com/autonomousapps/dependency-analysis-gradle-plugin/blob/main/CHANGELOG.md)
- [Commits](autonomousapps/dependency-analysis-gradle-plugin@v3.6.1...v3.9.0)

---
updated-dependencies:
- dependency-name: com.autonomousapps.dependency-analysis
  dependency-version: 3.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.gradleup.shadow](https://github.com/GradleUp/shadow) from 9.3.1 to 9.4.1.
- [Release notes](https://github.com/GradleUp/shadow/releases)
- [Commits](GradleUp/shadow@9.3.1...9.4.1)

---
updated-dependencies:
- dependency-name: com.gradleup.shadow
  dependency-version: 9.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…ory with 2 updates

Bumps the rust-cerebro-dependencies group with 2 updates in the /modules/cerebro directory: [sha2](https://github.com/RustCrypto/hashes) and [toml](https://github.com/toml-rs/toml).


Updates `sha2` from 0.10.9 to 0.11.0
- [Commits](RustCrypto/hashes@sha2-v0.10.9...sha2-v0.11.0)

Updates `toml` from 0.8.23 to 1.1.2+spec-1.1.0
- [Commits](toml-rs/toml@toml-v0.8.23...toml-v1.1.2)

---
updated-dependencies:
- dependency-name: sha2
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-cerebro-dependencies
- dependency-name: toml
  dependency-version: 1.1.2+spec-1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rust-cerebro-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
…ory with 8 updates

Bumps the rust-runtime-dependencies group with 8 updates in the /clients/agent-runtime directory:

| Package | From | To |
| --- | --- | --- |
| [hmac](https://github.com/RustCrypto/MACs) | `0.12.1` | `0.13.0` |
| [sha2](https://github.com/RustCrypto/hashes) | `0.10.9` | `0.11.0` |
| [rusqlite](https://github.com/rusqlite/rusqlite) | `0.38.0` | `0.39.0` |
| [cron](https://github.com/zslayton/cron) | `0.15.0` | `0.16.0` |
| [tokio-tungstenite](https://github.com/snapview/tokio-tungstenite) | `0.28.0` | `0.29.0` |
| [const-oid](https://github.com/RustCrypto/formats) | `0.9.6` | `0.10.2` |
| [rppal](https://github.com/golemparts/rppal) | `0.19.0` | `0.22.1` |
| [wat](https://github.com/bytecodealliance/wasm-tools) | `1.245.1` | `1.247.0` |



Updates `hmac` from 0.12.1 to 0.13.0
- [Commits](RustCrypto/MACs@hmac-v0.12.1...hmac-v0.13.0)

Updates `sha2` from 0.10.9 to 0.11.0
- [Commits](RustCrypto/hashes@sha2-v0.10.9...sha2-v0.11.0)

Updates `rusqlite` from 0.38.0 to 0.39.0
- [Release notes](https://github.com/rusqlite/rusqlite/releases)
- [Changelog](https://github.com/rusqlite/rusqlite/blob/master/Changelog.md)
- [Commits](rusqlite/rusqlite@v0.38.0...v0.39.0)

Updates `cron` from 0.15.0 to 0.16.0
- [Release notes](https://github.com/zslayton/cron/releases)
- [Commits](https://github.com/zslayton/cron/commits)

Updates `tokio-tungstenite` from 0.28.0 to 0.29.0
- [Changelog](https://github.com/snapview/tokio-tungstenite/blob/master/CHANGELOG.md)
- [Commits](snapview/tokio-tungstenite@v0.28.0...v0.29.0)

Updates `const-oid` from 0.9.6 to 0.10.2
- [Commits](RustCrypto/formats@const-oid/v0.9.6...const-oid/v0.10.2)

Updates `rppal` from 0.19.0 to 0.22.1
- [Release notes](https://github.com/golemparts/rppal/releases)
- [Changelog](https://github.com/golemparts/rppal/blob/master/CHANGELOG.md)
- [Commits](golemparts/rppal@0.19.0...0.22.1)

Updates `wat` from 1.245.1 to 1.247.0
- [Release notes](https://github.com/bytecodealliance/wasm-tools/releases)
- [Commits](bytecodealliance/wasm-tools@v1.245.1...v1.247.0)

---
updated-dependencies:
- dependency-name: const-oid
  dependency-version: 0.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: cron
  dependency-version: 0.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: hmac
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: rppal
  dependency-version: 0.22.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: rusqlite
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: sha2
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: tokio-tungstenite
  dependency-version: 0.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: wat
  dependency-version: 1.247.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
…dates

Bumps the npm_and_yarn group with 2 updates in the /clients/web directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) and [postcss](https://github.com/postcss/postcss).


Updates `astro` from 6.0.8 to 6.1.6
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.1.6/packages/astro)

Updates `postcss` from 8.5.8 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.8...8.5.10)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.1.6
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@coderabbitai
Contributor

coderabbitai Bot commented Apr 26, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (2)
  • wip
  • do-not-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 279ec0d1-dd1d-4de1-86fb-d0ecab1637dd

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough


The PR addresses dependency updates for Compose Multiplatform and Material3, refactors Gradle build logic to extract magic numbers into named constants, optimizes dependency locking provider operations, and adjusts import scoping for HMAC signature verification in agent-runtime.

Changes

| Cohort | File(s) | Summary |
| --- | --- | --- |
| Compose & Material3 Version Updates | gradle/libs.versions.toml, clients/composeApp/buildscript-gradle.lockfile | Bumps Compose Multiplatform from 1.10.2 to 1.10.3 and Material3 from 1.10.0-alpha05 to 1.11.0-alpha07. Lockfile auto-updates corresponding plugin classpath coordinates. |
| Gradle Build Logic Constants Refactoring | gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/HttpUtil.kt, gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/JsonParser.kt | Extracts hardcoded timeout values, string literals, and magic numbers into named constants (e.g., DEFAULT_CONNECT_TIMEOUT_MINUTES, RANDOM_FILENAME_SEPARATOR, surrogate ranges, control character thresholds) for improved maintainability. |
| Dependency Locking Optimization | gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts | Introduces shared dynamicVersionCacheDurationDays constant, refactors lockFilesProvider to explicit typing, and precomputes lock/backup file mappings and OS detection outside task actions for performance. |
| HMAC Signature Import Refactoring | clients/agent-runtime/src/gateway/mod.rs | Moves KeyInit import from file-level to function-local scope within verify_whatsapp_signature for tighter trait availability where Hmac::new_from_slice is invoked. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested labels

area:kotlin

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 61.54% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title follows Conventional Commits style with 'chore(deps)' prefix, uses imperative phrasing, and is well under the 72 character limit at 62 characters. |
| Description check | ✅ Passed | The PR description is comprehensive, addressing all major template sections including Related Issues, Summary, Tested Information, Documentation Impact, Breaking Changes, and a detailed Checklist. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@github-actions github-actions Bot added the size/xl Denotes an extra large change size label Apr 26, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
gradle/build-logic/gradle.lockfile (1)

4-147: ⚠️ Potential issue | 🟠 Major

Refresh lock configurations to resolve split plugin versions across testCompileClasspath and compileClasspath.

The lock file shows mismatched plugin versions: dependency-analysis-gradle-plugin (3.6.1 on testCompileClasspath vs 3.9.0 on compileClasspath), plus five others (spotbugs, ksp, shadow, cyclonedx, openrewrite) with the same pattern. Tests will execute against older plugin APIs while build-logic compiles against newer ones—risking false-positive test results.

No explicit version pins for these old releases were found in gradle/build-logic/build.gradle.kts, so the split likely comes from transitive dependency resolution or plugin classpath configuration divergence. Re-run ./gradlew :build-logic:writeLocksAll to refresh both classpaths uniformly and verify lock stability.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@gradle/build-logic/gradle.lockfile` around lines 4 - 147, The lockfile shows
split plugin versions between testCompileClasspath and compileClasspath for
plugins like com.autonomousapps:dependency-analysis-gradle-plugin,
com.github.spotbugs:spotbugs-gradle-plugin,
com.google.devtools.ksp:symbol-processing-gradle-plugin,
com.gradleup.shadow:shadow-gradle-plugin,
org.cyclonedx.bom:org.cyclonedx.bom.gradle.plugin and
org.openrewrite.rewrite:org.openrewrite.rewrite.gradle.plugin; fix by
regenerating consistent locks for the build-logic classpaths: run the Gradle
lock writer (e.g. ./gradlew :build-logic:writeLocksAll) so both compileClasspath
and testCompileClasspath entries are unified, then commit the updated lockfile
and verify no older versions remain in the entries for those plugin coordinates.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clients/agent-runtime/Cargo.toml`:
- Line 219: The Cargo.toml currently pins wat = "=1.247.0" but there is no check
that wat-produced binaries are compatible with the runtime dependency wasmi =
"1.0"; add a small CI sanity test that uses the wat crate to assemble a minimal
wasm module and then loads/parses it with wasmi (referencing the wat and wasmi
deps in Cargo.toml) to fail CI if compatibility breaks, or alternatively add a
comment next to the wat entry and an automated job that ensures the wat version
is updated in lockstep with wasmi; locate the wat and wasmi entries in
Cargo.toml to implement the test or update the dependency note.
- Line 128: The Cargo.toml currently adds a direct dependency on const-oid =
"0.10" which isn't referenced by code and conflicts with const-oid = "0.9"
pulled in by x509-cert/sigstore; remove the const-oid = "0.10" entry from the
clients/agent-runtime Cargo.toml so Cargo resolves only the 0.9 series, or if
you intentionally need 0.10, document and justify it in a comment and update any
public APIs to avoid crossing const_oid::ObjectIdentifier types between your
crate and x509-cert/sigstore (or alternatively add a #[allow(dead_code)] wrapper
or explicit dependency override to unify versions). Ensure references to
const-oid in code (if any) are updated to the chosen major version.

In `@clients/agent-runtime/tests/whatsapp_webhook_security.rs`:
- Line 9: The whatsapp.rs file is missing the KeyInit trait import required by
hmac 0.13 for using Hmac::new_from_slice; update the imports at the top of
clients/agent-runtime/src/gateway/whatsapp.rs to include KeyInit alongside Hmac
and Mac (i.e., import Hmac, KeyInit, Mac) so the call to Hmac::new_from_slice
(around the code that constructs/verifies the HMAC) compiles.

In
`@gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/HttpUtil.kt`:
- Around line 26-27: The constants RANDOM_FILENAME_SEPARATOR and
RANDOM_FILENAME_REPLACEMENT are named for their usage rather than their values;
rename them to something that reflects the actual value and intent (e.g.,
UUID_DASH = "-" and UUID_DASH_REMOVAL = "" or simply inline .replace("-", "")
where UUID.toString() is cleaned) in HttpUtil.kt and at the other occurrence
(line ~116) so callers that remove dashes from UUIDs are clearer; update all
references to RANDOM_FILENAME_SEPARATOR and RANDOM_FILENAME_REPLACEMENT (and any
related functions that call UUID.toString().replace(...)) to use the new names
or the inline replacement.
- Line 23: The constant DEFAULT_CONNECT_TIMEOUT_MINUTES is used both for the
HTTP client's connect timeout and as the default request timeout for
get/download; split them by introducing DEFAULT_REQUEST_TIMEOUT_MINUTES, keep
DEFAULT_CONNECT_TIMEOUT_MINUTES for the OkHttpClient.Builder.connectTimeout
usage (where DEFAULT_CONNECT_TIMEOUT_MINUTES is referenced) and change the
default timeout parameters in the get and download functions to
DEFAULT_REQUEST_TIMEOUT_MINUTES so request deadlines and connect timeouts can be
tuned independently.

In
`@gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/JsonParser.kt`:
- Around line 159-166: Extract a new constant UNICODE_ESCAPE_PREFIX_LENGTH = 2
and use it to replace the literal 2 usages around the Unicode escape handling:
replace occurrences of "+ 2" in the bounds check (currently using
UNICODE_ESCAPE_LENGTH + 2), and replace "index += 2" and "col += 2" with "index
+= UNICODE_ESCAPE_PREFIX_LENGTH" and "col += UNICODE_ESCAPE_PREFIX_LENGTH" so
the \u prefix length is not a magic number; keep existing UNICODE_ESCAPE_LENGTH
(the total escape length) as-is and update any related arithmetic to use the new
UNICODE_ESCAPE_PREFIX_LENGTH alongside UNICODE_ESCAPE_LENGTH where appropriate.
- Around line 14-19: Replace the hand-rolled surrogate constants
(HIGH_SURROGATE_MIN, HIGH_SURROGATE_MAX, LOW_SURROGATE_MIN, LOW_SURROGATE_MAX,
CODE_POINT_OFFSET, SURROGATE_MULTIPLIER) and any manual code-point arithmetic
with the stdlib Character equivalents: use Character.MIN_HIGH_SURROGATE /
MAX_HIGH_SURROGATE and Character.MIN_LOW_SURROGATE / MAX_LOW_SURROGATE to define
ranges, and replace any manual code-point computation that uses
CODE_POINT_OFFSET or SURROGATE_MULTIPLIER with
Character.toCodePoint(highSurrogateChar, lowSurrogateChar); update the functions
that perform surrogate checks/combination to rely on these Character constants
and toCodePoint so the logic is clearer and the magic-number literals are
removed.

In `@gradle/libs.versions.toml`:
- Line 24: The catalog bump to netty 4.2.12.Final is being overridden by the
enforcement constant safeNettyVersion and the rule that forces all io.netty:*
coordinates to that value; update the enforcement constant safeNettyVersion to
"4.2.12.Final" in the locking/enforcement script (the symbol safeNettyVersion
and the rule that applies to io.netty:*) so the catalog change takes effect, or
if you prefer to keep policy unchanged revert the catalog entry back to
"4.1.132.Final" so the catalog and enforcement stay consistent.

In `@modules/cerebro/Cargo.toml`:
- Line 34: The toml dependency is missing the "serde" feature required for
deserializing into your Serde type; update the Cargo.toml toml dependency entry
(the line currently: toml = { version = "1.1", default-features = false,
features = ["parse"] }) to include "serde" in the features array so
toml::from_str(&contents) can deserialize into CerebroConfig without relying on
transitive features.

---

Outside diff comments:
In `@gradle/build-logic/gradle.lockfile`:
- Around line 4-147: The lockfile shows split plugin versions between
testCompileClasspath and compileClasspath for plugins like
com.autonomousapps:dependency-analysis-gradle-plugin,
com.github.spotbugs:spotbugs-gradle-plugin,
com.google.devtools.ksp:symbol-processing-gradle-plugin,
com.gradleup.shadow:shadow-gradle-plugin,
org.cyclonedx.bom:org.cyclonedx.bom.gradle.plugin and
org.openrewrite.rewrite:org.openrewrite.rewrite.gradle.plugin; fix by
regenerating consistent locks for the build-logic classpaths: run the Gradle
lock writer (e.g. ./gradlew :build-logic:writeLocksAll) so both compileClasspath
and testCompileClasspath entries are unified, then commit the updated lockfile
and verify no older versions remain in the entries for those plugin coordinates.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d58f11d0-e9dc-4812-87ea-d043e27cc6cc

📥 Commits

Reviewing files that changed from the base of the PR and between 0b78882 and fb5cb53.

⛔ Files ignored due to path filters (3)
  • clients/agent-runtime/Cargo.lock is excluded by !**/*.lock
  • clients/web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • modules/cerebro/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (17)
  • clients/agent-runtime/Cargo.toml
  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/memory/response_cache.rs
  • clients/agent-runtime/src/search/index.rs
  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • clients/composeApp/buildscript-gradle.lockfile
  • clients/web/apps/docs/package.json
  • clients/web/apps/marketing/package.json
  • clients/web/pnpm-workspace.yaml
  • gradle/build-logic/gradle.lockfile
  • gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts
  • gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/HttpUtil.kt
  • gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/JsonParser.kt
  • gradle/libs.versions.toml
  • modules/cerebro/Cargo.toml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Analyze (python)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Cloudflare Pages
🧰 Additional context used
📓 Path-based instructions (9)
**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

  • clients/web/apps/marketing/package.json
  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • clients/web/apps/docs/package.json
  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • clients/composeApp/buildscript-gradle.lockfile
  • clients/agent-runtime/src/memory/response_cache.rs
  • modules/cerebro/Cargo.toml
  • clients/agent-runtime/src/security/pairing.rs
  • gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts
  • clients/agent-runtime/src/search/index.rs
  • clients/web/pnpm-workspace.yaml
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/Cargo.toml
  • gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/JsonParser.kt
  • gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/HttpUtil.kt
  • gradle/build-logic/gradle.lockfile
  • gradle/libs.versions.toml
clients/agent-runtime/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why

Files:

  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • clients/agent-runtime/src/memory/response_cache.rs
  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/search/index.rs
  • clients/agent-runtime/src/gateway/mod.rs
**/*.rs

⚙️ CodeRabbit configuration file

**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.

Files:

  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • clients/agent-runtime/src/memory/response_cache.rs
  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/search/index.rs
  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/**/Cargo.toml

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/**/Cargo.toml: Preserve release-size profile assumptions in Cargo.toml and avoid adding heavy dependencies unless clearly justified
Do not add heavy dependencies for minor convenience; justify new crate additions

Files:

  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • clients/agent-runtime/Cargo.toml
clients/agent-runtime/src/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Files:

  • clients/agent-runtime/src/memory/response_cache.rs
  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/search/index.rs
  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/src/{security,gateway,tools}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Treat src/security/, src/gateway/, src/tools/ as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Files:

  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Files:

  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/gateway/mod.rs
**/*.gradle.kts

⚙️ CodeRabbit configuration file

**/*.gradle.kts: Prefer tasks.register/configureEach, avoid afterEvaluate, and preserve configuration cache.
Ensure dependencies come from version catalogs and avoid eager task realization.
Review plugin/config changes for supply-chain and reproducibility risks.

Files:

  • gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts
**/*.kt

⚙️ CodeRabbit configuration file

**/*.kt: Enforce null safety (no !!), structured concurrency, and non-blocking suspend code.
Prefer idiomatic Kotlin (expression bodies, sealed types, value classes when justified).
Verify tests follow TDD intent and use backtick test names where applicable.

Files:

  • gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/JsonParser.kt
  • gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/HttpUtil.kt
🧠 Learnings (6)
📓 Common learnings
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • modules/cerebro/Cargo.toml
  • clients/agent-runtime/Cargo.toml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Applied to files:

  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • modules/cerebro/Cargo.toml
  • clients/agent-runtime/Cargo.toml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

  • clients/agent-runtime/src/search/index.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/Cargo.toml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/Cargo.toml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

  • clients/agent-runtime/Cargo.toml
🔇 Additional comments (19)
clients/web/apps/marketing/package.json (1)

31-31: Looks good for local pin alignment.

This app-level bump is consistent with the workspace-wide tooling upgrade. No file-local issue found.

clients/web/apps/docs/package.json (1)

30-30: LGTM for dependency sync.

This update is consistent with the broader web workspace dependency consolidation.

clients/web/pnpm-workspace.yaml (1)

22-32: Vite 8 major bump is compatible—no explicit verification needed.

Verification confirms Astro 6.1.6 and Vite 8.0.10 are compatible. Node engine requirements align (both support >=22.12.0), and the loadEnv API used by Astro config files has no breaking changes in Vite 8. The bump is safe to merge.

gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/HttpUtil.kt (1)

23-37: LGTM on the constant extraction.

Timeout/prefix/factory-counter values are unchanged, so behavior is preserved. Virtual-thread factory naming via Thread.ofVirtual().name(prefix, start) (JDK 21+) is correct.

gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts (1)

11-11: LGTM — magic number freed from captivity.

Constant name is descriptive and reused at both locking sites (lines 115, 127). No behavioral change.

clients/composeApp/buildscript-gradle.lockfile (1)

117-118: LGTM — lockfile mirrors the catalog bump.

Compose plugin coordinates correctly synced to 1.10.3. (Cross-reference: netty entries on lines 83–93 remain on 4.1.132.Final, which is consistent with enforceSafeNettyVersion() overriding the catalog — see the critical comment on gradle/libs.versions.toml:24.)

gradle/libs.versions.toml (2)

23-23: Run visual/screenshot tests after Material3 upgrade to 1.11.0-alpha07 as a precaution.

Material3 bumps from 1.10.0-alpha05 → 1.11.0-alpha07 (alpha-to-alpha across a minor version). No documented breaking changes found for this specific version, but alpha releases can harbor undocumented changes. Verify that composeApp renders correctly.


80-92: KSP 2.3.6 is compatible with Kotlin 2.3.20; focus testing on dependency-analysis 3.9.0.

  • Line 88: KSP 2.3.6 is compatible with kotlin = 2.3.20. KSP 2.x versioning (since 2.3.0) is independent of specific Kotlin compiler versions and supports the entire 2.3.x series.

  • Line 83: dependency-analysis upgrade from 3.6.1 → 3.9.0 (3-minor jump) requires testing. Run ./gradlew :buildHealth and verify qualityCheck passes before merging; changelog unavailable but larger version gap warrants validation.

  • Lines 80/85/86/92: Minor bumps (shadow, cyclonedx, spotbugs, openrewrite) are safe; confirm CI passes.

> Likely an incorrect or invalid review comment.
clients/agent-runtime/Cargo.toml (4)

106-109: rusqlite 0.39 and cron 0.16 minor bumps — LGTM, but spot-check Connection::open_with_flags and Schedule::after shapes.

Per the relevant snippets, the consumer code uses Connection, Transaction, params, params_from_iter, OptionalExtension (rusqlite) and cron::Schedule::from_str + .after(&from).next() (cron). Both crates have kept those APIs across these bumps, so this should be drop-in. No fix requested — flagging only as a 30-second verification target since you're consolidating many bumps in one PR.


122-122: rustls-tls-webpki-roots feature is confirmed in tokio-tungstenite 0.29.

The feature name remains correct across the 0.28→0.29 update. No action needed.


72-72: The hmac 0.13.0 stable version is published as of 2026-03-29. The caret constraint ^0.13 will correctly resolve to this stable release; the pre-release concern is no longer applicable.


73-73: sha2 0.11 + hmac 0.13 trait compatibility — confirmed correct.

All Hmac::<Sha256>::new_from_slice() call sites in webhook code (gateway/whatsapp.rs, gateway/mod.rs, tests) properly import and use the KeyInit trait. The free-function Sha256::digest() API remains unchanged in both lockfile.rs and JWT signing paths (openai_oauth.rs). Call-by-handle patterns (Sha256::new() → update() → finalize()) across channels, gateway, and memory modules are compatible. Constant-time MAC verification via Mac::verify_slice() is in place.

clients/agent-runtime/crates/robot-kit/Cargo.toml (1)

61-61: rppal 0.19 → 0.22 is a 3-major leap; safe today only because no code calls it.

Per drive.rs and sense.rs, the GPIO backend is commented out and ultrasonic/PIR paths shell out / read sysfs. So this bump is essentially a no-op behaviorally. Just be aware the moment someone uncomments GpioDrive::new(&config), they'll hit rppal's API churn between 0.19 → 0.22 (Pin/InputPin/OutputPin builder ergonomics changed). Not a blocker; calling it out so it doesn't surprise the next contributor.

modules/cerebro/Cargo.toml (1)

29-29: sha2 0.11 migrated cleanly—no breaking patterns detected.

The code uses only the stable Digest trait API (new, update, finalize) in modules/cerebro/src/migration/checksum.rs. This core interface is preserved across 0.11, and there is no consumption of renamed types, associated types (OutputSize), or internal reorganizations (block_api, HmacReset/SimpleHmac). No changes needed.

clients/agent-runtime/src/gateway/mod.rs (2)

3136-3137: Correct trait import for upgraded HMAC constructor.

This update is correct for new_from_slice usage and preserves the existing fail-closed verification behavior.


8006-8011: Test helper update is aligned with production verification path.

Good parity with runtime HMAC construction after the dependency upgrade, and signature test coverage remains strong.

clients/agent-runtime/src/search/index.rs (1)

769-769: LGTM — hex::encode is byte-identical to the prior format!("{:x}", ...) for SHA-256 digests.

Both produce 64-char lowercase, zero-padded hex, so workspace_fingerprint and content_sha256 strings remain stable across the upgrade. Existing on-disk metadata will continue to match in compatibility_decision, avoiding spurious rebuilds. Bonus: removes any latent ambiguity around LowerHex byte padding.

Also applies to: 773-773

clients/agent-runtime/src/security/pairing.rs (1)

205-205: LGTM — token-hash format preserved; persisted bearer tokens stay valid.

hex::encode(Sha256::digest(...)) yields the same 64-char lowercase hex as the prior format!("{:x}", ...), so existing on-disk hashes still match in is_authenticated and is_token_hash continues to detect them. No auth regression.

clients/agent-runtime/src/memory/response_cache.rs (1)

75-75: LGTM — equivalent output, cleaner intent.

hex::encode(hash) matches the prior 64-char lowercase output of format!("{:064x}", hash) (the width spec was effectively redundant since Output<Sha256> already prints as 64 hex chars). Existing prompt_hash PRIMARY KEY entries in response_cache.db will continue to resolve.

Comment thread clients/agent-runtime/Cargo.toml
tempfile = "=3.27.0"
criterion = { version = "=0.8.2", features = ["async_tokio"] }
wat = "=1.245.1"
wat = "=1.247.0"
Contributor

🧹 Nitpick | 🔵 Trivial

Pinned wat =1.247.0 — make sure it stays in sync with wasmi.

wat is the WebAssembly text → bytes assembler used by tests; if it ever produces a wasm binary using a feature that the runtime wasmi = "1.0" (line 97) doesn't accept, your tests break opaquely. Just worth a sanity-test in CI that wasmi still parses what wat emits.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/agent-runtime/Cargo.toml` at line 219, The Cargo.toml currently pins
wat = "=1.247.0" but there is no check that wat-produced binaries are compatible
with the runtime dependency wasmi = "1.0"; add a small CI sanity test that uses
the wat crate to assemble a minimal wasm module and then loads/parses it with
wasmi (referencing the wat and wasmi deps in Cargo.toml) to fail CI if
compatibility breaks, or alternatively add a comment next to the wat entry and
an automated job that ensures the wat version is updated in lockstep with wasmi;
locate the wat and wasmi entries in Cargo.toml to implement the test or update
the dependency note.

Comment thread clients/agent-runtime/tests/whatsapp_webhook_security.rs
* - Default timeout 10m
* - Default executor: virtual thread
*/
private const val DEFAULT_CONNECT_TIMEOUT_MINUTES = 10L
Contributor

🧹 Nitpick | 🔵 Trivial

Misleading constant name: DEFAULT_CONNECT_TIMEOUT_MINUTES is doing double duty.

The same constant is used both as the actual HTTP connectTimeout (line 37) and as the default request timeout for get/download (lines 63, 110). They're conceptually different deadlines that just happen to share a value today; if anyone later tunes the connect timeout down, the request timeout will silently follow. Either rename to a neutral DEFAULT_TIMEOUT_MINUTES or split into two constants.

♻️ Suggested split
-private const val DEFAULT_CONNECT_TIMEOUT_MINUTES = 10L
+private const val DEFAULT_REQUEST_TIMEOUT_MINUTES = 10L
+private const val DEFAULT_CONNECT_TIMEOUT_MINUTES = 10L
@@
-    .connectTimeout(Duration.ofMinutes(DEFAULT_CONNECT_TIMEOUT_MINUTES))
+    .connectTimeout(Duration.ofMinutes(DEFAULT_CONNECT_TIMEOUT_MINUTES))
@@
-    timeout: Duration = Duration.ofMinutes(DEFAULT_CONNECT_TIMEOUT_MINUTES),
+    timeout: Duration = Duration.ofMinutes(DEFAULT_REQUEST_TIMEOUT_MINUTES),
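Review bot: the middle hunk (`-    .connectTimeout(Duration.ofMinutes(DEFAULT_CONNECT_TIMEOUT_MINUTES))` followed by the identical `+` line) removes and re-adds the same text, so it is a no-op and can be dropped from the suggestion; only the constant declaration and the `timeout:` default need to change. Because both constants keep the value 10L the split changes no behaviour today, which is exactly the point: a later reduction of the connect timeout no longer silently shortens the request deadline for get/download.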

(apply the DEFAULT_REQUEST_TIMEOUT_MINUTES change to both get and download.)

Also applies to: 63-63, 110-110

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/HttpUtil.kt`
at line 23, The constant DEFAULT_CONNECT_TIMEOUT_MINUTES is used both for the
HTTP client's connect timeout and as the default request timeout for
get/download; split them by introducing DEFAULT_REQUEST_TIMEOUT_MINUTES, keep
DEFAULT_CONNECT_TIMEOUT_MINUTES for the OkHttpClient.Builder.connectTimeout
usage (where DEFAULT_CONNECT_TIMEOUT_MINUTES is referenced) and change the
default timeout parameters in the get and download functions to
DEFAULT_REQUEST_TIMEOUT_MINUTES so request deadlines and connect timeouts can be
tuned independently.

Comment on lines +26 to +27
private const val RANDOM_FILENAME_SEPARATOR = "-"
private const val RANDOM_FILENAME_REPLACEMENT = ""
Contributor

🧹 Nitpick | 🔵 Trivial

Naming nit: RANDOM_FILENAME_SEPARATOR / RANDOM_FILENAME_REPLACEMENT describe the call site, not the value.

These constants only exist to strip dashes out of UUID.toString(). Names like UUID_DASH = "-" (or just inlining .replace("-", ""), which Detekt typically doesn't flag for trivial string literals) would read more naturally. Optional cleanup.

Also applies to: 116-116

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/HttpUtil.kt`
around lines 26 - 27, The constants RANDOM_FILENAME_SEPARATOR and
RANDOM_FILENAME_REPLACEMENT are named for their usage rather than their values;
rename them to something that reflects the actual value and intent (e.g.,
UUID_DASH = "-" and UUID_DASH_REMOVAL = "" or simply inline .replace("-", "")
where UUID.toString() is cleaned) in HttpUtil.kt and at the other occurrence
(line ~116) so callers that remove dashes from UUIDs are clearer; update all
references to RANDOM_FILENAME_SEPARATOR and RANDOM_FILENAME_REPLACEMENT (and any
related functions that call UUID.toString().replace(...)) to use the new names
or the inline replacement.

Comment on lines +14 to +19
private const val HIGH_SURROGATE_MIN = 0xD800
private const val HIGH_SURROGATE_MAX = 0xDBFF
private const val LOW_SURROGATE_MIN = 0xDC00
private const val LOW_SURROGATE_MAX = 0xDFFF
private const val CODE_POINT_OFFSET = 0x10000
private const val SURROGATE_MULTIPLIER = 0x400
Contributor

🧹 Nitpick | 🔵 Trivial

Lean on java.lang.Character instead of redefining surrogate math.

Since you're already touching this for the magic-number cleanup, consider replacing the hand-rolled surrogate constants and code-point arithmetic with the standard library equivalents — they're identical in value, self-documenting, and remove a tiny pile of 0x... literals that Detekt would otherwise re-flag if anyone tweaks them.

♻️ Optional: use `Character.*` constants and `toCodePoint`
-    private const val UNICODE_ESCAPE_LENGTH = 4
-    private const val HIGH_SURROGATE_MIN = 0xD800
-    private const val HIGH_SURROGATE_MAX = 0xDBFF
-    private const val LOW_SURROGATE_MIN = 0xDC00
-    private const val LOW_SURROGATE_MAX = 0xDFFF
-    private const val CODE_POINT_OFFSET = 0x10000
-    private const val SURROGATE_MULTIPLIER = 0x400
+    private const val UNICODE_ESCAPE_LENGTH = 4
+    private const val UNICODE_ESCAPE_PREFIX_LENGTH = 2 // for "\u"
@@
-          in HIGH_SURROGATE_MIN..HIGH_SURROGATE_MAX -> {
+          in Character.MIN_HIGH_SURROGATE.code..Character.MAX_HIGH_SURROGATE.code -> {
@@
-            if (lowCode !in LOW_SURROGATE_MIN..LOW_SURROGATE_MAX) {
+            if (lowCode !in Character.MIN_LOW_SURROGATE.code..Character.MAX_LOW_SURROGATE.code) {
@@
-            val fullCode =
-              CODE_POINT_OFFSET +
-                (codePoint - HIGH_SURROGATE_MIN) * SURROGATE_MULTIPLIER +
-                (lowCode - LOW_SURROGATE_MIN)
-            sb.append(Character.toChars(fullCode))
+            sb.append(Character.toChars(Character.toCodePoint(codePoint.toChar(), lowCode.toChar())))
@@
-          in LOW_SURROGATE_MIN..LOW_SURROGATE_MAX -> {
+          in Character.MIN_LOW_SURROGATE.code..Character.MAX_LOW_SURROGATE.code -> {
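Review bot: the first hunk deletes and re-adds `UNICODE_ESCAPE_LENGTH = 4` unchanged (a no-op) and introduces `UNICODE_ESCAPE_PREFIX_LENGTH = 2`, but none of the later hunks reference the new constant, so as written it would be an unused private const that Detekt can flag in its own right; either wire it into the `+ 2` / `index += 2` / `col += 2` sites that the next comment raises, or leave it out of this suggestion. Note also that `Character.toCodePoint(high, low)` performs no validation of its own, so the explicit low-surrogate range check before it must stay (the hunk keeps it).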

Also applies to: 157-178

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/JsonParser.kt`
around lines 14 - 19, Replace the hand-rolled surrogate constants
(HIGH_SURROGATE_MIN, HIGH_SURROGATE_MAX, LOW_SURROGATE_MIN, LOW_SURROGATE_MAX,
CODE_POINT_OFFSET, SURROGATE_MULTIPLIER) and any manual code-point arithmetic
with the stdlib Character equivalents: use Character.MIN_HIGH_SURROGATE /
MAX_HIGH_SURROGATE and Character.MIN_LOW_SURROGATE / MAX_LOW_SURROGATE to define
ranges, and replace any manual code-point computation that uses
CODE_POINT_OFFSET or SURROGATE_MULTIPLIER with
Character.toCodePoint(highSurrogateChar, lowSurrogateChar); update the functions
that perform surrogate checks/combination to rely on these Character constants
and toCodePoint so the logic is clearer and the magic-number literals are
removed.

Comment on lines +159 to 166
index + (UNICODE_ESCAPE_LENGTH + 2) > length ||
chars[index] != '\\' ||
chars[index + 1] != 'u'
) {
fail("Missing low surrogate")
}
index += 2
col += 2
Contributor

🧹 Nitpick | 🔵 Trivial

Stray 2 literals for the \u prefix.

If Detekt is flagging magic numbers, the + 2 on line 159 and the index += 2 / col += 2 on lines 165–166 (the \u prefix length) are likely to come back next sweep. Worth extracting a UNICODE_ESCAPE_PREFIX_LENGTH = 2 for consistency with the rest of this refactor.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@gradle/build-logic/src/main/kotlin/com/profiletailors/plugin/utils/JsonParser.kt`
around lines 159 - 166, Extract a new constant UNICODE_ESCAPE_PREFIX_LENGTH = 2
and use it to replace the literal 2 usages around the Unicode escape handling:
replace occurrences of "+ 2" in the bounds check (currently using
UNICODE_ESCAPE_LENGTH + 2), and replace "index += 2" and "col += 2" with "index
+= UNICODE_ESCAPE_PREFIX_LENGTH" and "col += UNICODE_ESCAPE_PREFIX_LENGTH" so
the \u prefix length is not a magic number; keep existing UNICODE_ESCAPE_LENGTH
(the total escape length) as-is and update any related arithmetic to use the new
UNICODE_ESCAPE_PREFIX_LENGTH alongside UNICODE_ESCAPE_LENGTH where appropriate.
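As an added example (not the project's JsonParser.kt; the function and constant names are hypothetical), a small Kotlin decoder for JSON `\uXXXX` escapes that applies both suggestions above at once: the `Character` constants and `toCodePoint` replace the hand-rolled surrogate arithmetic, and a named `UNICODE_ESCAPE_PREFIX_LENGTH` replaces the stray `2` literals. It also exercises the failure mode the range checks exist for: a lone surrogate of either kind is rejected instead of being emitted as ill-formed UTF-16.

```kotlin
// Added example, not the project's code. Names are illustrative.
private const val UNICODE_ESCAPE_PREFIX_LENGTH = 2 // the "\u" prefix
private const val UNICODE_ESCAPE_LENGTH = 4        // the four hex digits
private const val HEX_RADIX = 16

class JsonEscapeException(message: String) : IllegalArgumentException(message)

/** Reads the four hex digits starting at [start]; throws if they are short or not hex. */
private fun readHex4(chars: CharArray, start: Int): Int {
    if (start + UNICODE_ESCAPE_LENGTH > chars.size) throw JsonEscapeException("Truncated \\u escape")
    var value = 0
    for (i in start until start + UNICODE_ESCAPE_LENGTH) {
        val digit = Character.digit(chars[i], HEX_RADIX)
        if (digit < 0) throw JsonEscapeException("Bad hex digit '${chars[i]}' in \\u escape")
        value = value * HEX_RADIX + digit
    }
    return value
}

/** True when a "\u" escape prefix starts at [index]. */
private fun hasEscapePrefix(chars: CharArray, index: Int): Boolean =
    index + UNICODE_ESCAPE_PREFIX_LENGTH <= chars.size &&
        chars[index] == '\\' && chars[index + 1] == 'u'

/**
 * Decodes every "\uXXXX" escape in [input]. A high surrogate must be followed by
 * an escaped low surrogate; a lone surrogate is rejected rather than emitted, so
 * callers never receive ill-formed UTF-16.
 */
fun decodeUnicodeEscapes(input: String): String {
    val chars = input.toCharArray()
    val sb = StringBuilder(chars.size)
    var index = 0
    while (index < chars.size) {
        if (!hasEscapePrefix(chars, index)) {
            sb.append(chars[index])
            index++
            continue
        }
        index += UNICODE_ESCAPE_PREFIX_LENGTH
        val codeUnit = readHex4(chars, index)
        index += UNICODE_ESCAPE_LENGTH
        when (codeUnit) {
            in Character.MIN_HIGH_SURROGATE.code..Character.MAX_HIGH_SURROGATE.code -> {
                // A high surrogate is only meaningful with an escaped low surrogate right after it.
                if (!hasEscapePrefix(chars, index)) throw JsonEscapeException("Missing low surrogate")
                index += UNICODE_ESCAPE_PREFIX_LENGTH
                val low = readHex4(chars, index)
                index += UNICODE_ESCAPE_LENGTH
                if (low !in Character.MIN_LOW_SURROGATE.code..Character.MAX_LOW_SURROGATE.code) {
                    throw JsonEscapeException("Invalid low surrogate 0x${low.toString(HEX_RADIX)}")
                }
                // toCodePoint does the 0x10000 + (hi - 0xD800) * 0x400 + (lo - 0xDC00) arithmetic.
                sb.appendCodePoint(Character.toCodePoint(codeUnit.toChar(), low.toChar()))
            }
            in Character.MIN_LOW_SURROGATE.code..Character.MAX_LOW_SURROGATE.code ->
                throw JsonEscapeException("Unexpected low surrogate 0x${codeUnit.toString(HEX_RADIX)}")
            else -> sb.append(codeUnit.toChar())
        }
    }
    return sb.toString()
}

fun main() {
    // Constructed inputs: a BMP character, an emoji as a surrogate pair, and a lone high surrogate.
    check(decodeUnicodeEscapes("caf\\u00e9") == "café")
    check(decodeUnicodeEscapes("\\ud83d\\ude00") == "\uD83D\uDE00")
    check(decodeUnicodeEscapes("\\ud83d\\ude00").codePointAt(0) == 0x1F600)
    val lone = runCatching { decodeUnicodeEscapes("\\ud83dx") }
    check(lone.exceptionOrNull() is JsonEscapeException)
    println("all checks passed")
}
```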

Comment thread gradle/libs.versions.toml
material3 = "1.10.0-alpha05"
netty = "4.1.132.Final"
material3 = "1.11.0-alpha07"
netty = "4.2.12.Final"
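Review bot: per the web-query result quoted further down in this thread, CVE-2025-24970 was fixed in 4.1.118.Final, so the enforced 4.1.132.Final already carries the SslHandler fix; what the 4.2 line adds according to that same result is the 4.2.11.Final fixes for CVE-2026-33871 and CVE-2026-33870, and nothing in this thread establishes whether those reached 4.1.x. Whichever way the catalog/enforcement mismatch is resolved, regenerate and diff the lockfiles afterwards, since the `rg '^io\.netty:'` check over the lockfiles is the only step here that verifies what is actually locked.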
Contributor

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm the enforcement constant and find any other hardcoded netty pins
rg -nP '\bsafeNettyVersion\b|"4\.1\.132\.Final"|"4\.2\.12\.Final"' --type kotlin --type toml
# Confirm what actually got locked after the bump
rg -nP '^io\.netty:' clients/composeApp/buildscript-gradle.lockfile gradle/build-logic/gradle.lockfile 2>/dev/null

Repository: dallay/corvus

Length of output: 1785


🌐 Web query:

Netty 4.2.12.Final release notes SslHandler native crash CVE

💡 Result:

Netty 4.2.12.Final release notes: This is a bug-fix release that fixes a regression introduced in 4.2.11.Final by reverting "Eliminate redundant bounds checks in CompositeByteBuf accessors" (PR #16550). It strongly recommends upgrading from earlier versions to retain security fixes from 4.2.11.Final, which addressed CVE-2026-33871 (HTTP/2 CONTINUATION frame flood DoS) and CVE-2026-33870 (HTTP/1.1 Request Smuggling in chunked encoding). No mention of SslHandler or native crashes. No SslHandler native crash CVE is associated with Netty 4.2.12.Final. The relevant vulnerability is CVE-2025-24970 (published Feb 2025), affecting netty-handler versions 4.1.91.Final to 4.1.117.Final, where SslHandler fails to properly validate specially crafted packets, leading to native crashes with native SSLEngine (CVSS 7.5 High). Fixed in 4.1.118.Final and 4.2.0.RC3+. Netty 4.2.x (including 4.2.12.Final, released Mar 2026) postdates the fix and is not vulnerable per vulnerability databases (e.g., no advisories for 4.2.12). Workaround: Disable native SSLEngine or manually create SSLEngine before SslHandler.


Netty version bump is silently overridden by the enforcement script.

The catalog upgrade to 4.2.12.Final has no effect: com.profiletailors.check.locking.gradle.kts (line 8) hardcodes safeNettyVersion = "4.1.132.Final" and the enforcement rule at lines 64–66 forces all io.netty:* dependencies back to that version. Your lockfile (lines 83–93) confirms all netty entries are still locked at 4.1.132.Final.

4.2.12.Final does include the SslHandler native crash fix (CVE-2025-24970), but you must update safeNettyVersion to 4.2.12.Final in the enforcement script for this bump to take effect. Otherwise, revert the catalog entry to keep the policy consistent. A silent no-op creates confusion and maintenance risk.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@gradle/libs.versions.toml` at line 24, The catalog bump to netty 4.2.12.Final
is being overridden by the enforcement constant safeNettyVersion and the rule
that forces all io.netty:* coordinates to that value; update the enforcement
constant safeNettyVersion to "4.2.12.Final" in the locking/enforcement script
(the symbol safeNettyVersion and the rule that applies to io.netty:*) so the
catalog change takes effect, or if you prefer to keep policy unchanged revert
the catalog entry back to "4.1.132.Final" so the catalog and enforcement stay
consistent.

secrecy = { version = "0.10", features = ["serde"] }
surrealdb = { version = "3.0.4", default-features = false, features = ["kv-rocksdb"] }
toml = { version = "0.8", default-features = false, features = ["parse"] }
toml = { version = "1.1", default-features = false, features = ["parse"] }
Contributor

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 1) Confirm cerebro builds with ONLY the declared features (no resolver bleed).
cargo tree -p cerebro -e features --no-default-features 2>/dev/null | rg -n 'toml ' -A2 -B1 || true

# 2) Show all toml usage in cerebro to confirm whether serde-based de/ser is actually needed.
rg -nP --type=rust '\btoml::(from_str|to_string|to_string_pretty|Deserializer|Serializer|from_slice|Value)\b' modules/cerebro

Repository: dallay/corvus

Length of output: 161


🌐 Web query:

What features does the toml crate v1.1 expose, and is the serde feature required for toml::from_str to deserialize into types implementing serde::Deserialize when default-features = false?

💡 Result:

The toml crate v1.1 exposes the following features: default (enables std, serde, parse, display), debug, display (dep: toml_writer), fast_hash (preserve_order, dep: foldhash), parse (dep: toml_parser, dep: winnow), preserve_order (dep: indexmap, std), serde (dep: serde_core, toml_datetime/serde, serde_spanned/serde), std (various /std), unbounded. Yes, the serde feature is required for toml::from_str to deserialize into types implementing serde::Deserialize when default-features = false. The from_str function is only available when both the parse and serde features are enabled, as indicated by its conditional compilation attributes #[cfg(feature = "parse")] and #[cfg(feature = "serde")]. With default-features = false, none of the default features (std, serde, parse, display) are enabled, so serde must be explicitly enabled along with parse for serde deserialization to work. The crate docs and examples demonstrate from_str usage with serde::Deserialize only under the default feature set.

🏁 Script executed:

# Check if cerebro Cargo.toml has other deps that might pull in toml/serde
cat modules/cerebro/Cargo.toml

# Try to build with minimal features to confirm the issue
cd modules/cerebro && cargo check --no-default-features --features parse 2>&1 | head -50 || true

Repository: dallay/corvus

Length of output: 2038


🏁 Script executed:

# Show context around the toml::from_str usage
sed -n '195,215p' modules/cerebro/src/config.rs

Repository: dallay/corvus

Length of output: 933


🏁 Script executed:

# Get broader context of the function containing the match statement
sed -n '180,225p' modules/cerebro/src/config.rs

Repository: dallay/corvus

Length of output: 1761


Add serde feature to toml dependency—from_str requires it for deserialization.

toml::from_str(&contents) at src/config.rs:205 deserializes into CerebroConfig (a serde type). In toml 1.x with default-features = false, the from_str function is gated behind both parse AND serde features. Your current config enables only parse, which will either fail to compile or silently rely on a transitive dependency to pull in toml/serde—creating a brittle resolution that can break later.

Fix
-toml = { version = "1.1", default-features = false, features = ["parse"] }
+toml = { version = "1.1", default-features = false, features = ["parse", "serde"] }

# Conflicts:
#	clients/agent-runtime/Cargo.lock
#	clients/web/pnpm-lock.yaml
#	clients/web/pnpm-workspace.yaml
#	gradle/build-logic/gradle.lockfile
#	gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts
#	gradle/libs.versions.toml
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 26, 2026

Deploying corvus with Cloudflare Pages

Latest commit: dd84942
Status: ✅  Deploy successful!
Preview URL: https://f5aaab28.corvus-42x.pages.dev
Branch Preview URL: https://chore-deps-consolidation.corvus-42x.pages.dev


@github-actions github-actions Bot added size/m Denotes a medium change size and removed size/xl Denotes an extra large change size labels Apr 26, 2026
@github-actions
Contributor

github-actions Bot commented Apr 26, 2026

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric Description Value Threshold Status
PR Merge Rate PRs merged vs closed 92% >= 30%
Repo Quality Repos with ≥100 stars 0 >= 0
Positive Reactions Positive reactions received 11 >= 1
Negative Reactions Negative reactions received 0 <= 5
Account Age GitHub account age 3102 days >= 30 days
Activity Consistency Regular activity over time 108% >= 0%
Issue Engagement Issues with community engagement 0 >= 0
Code Reviews Code reviews given to others 604 >= 0
Merger Diversity Unique maintainers who merged PRs 2 >= 0
Repo History Merge Rate Merge rate in this repo 93% >= 0%
Repo History Min PRs Previous PRs in this repo 279 >= 0
Profile Completeness Profile richness (bio, followers) 90 >= 0
Suspicious Patterns Spam-like activity detection 1 N/A

Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-04-26 to 2026-04-26


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts`:
- Around line 206-211: lockFilesProvider is being realized at configuration time
because callers call lockFilesProvider.get() and
layout.buildDirectory.file(...).get().asFile during task configuration; to defer
evaluation, remove any .get() calls from the task configuration and move
resolution into the task action (e.g., writeLocks.doFirst { val lockFiles =
lockFilesProvider.get(); val outDir = layout.buildDirectory.file("...").asFile;
... } or use doLast for checkLocks), so update both writeLocks and checkLocks to
compute lockFiles and buildDirectory file inside their doFirst/doLast blocks
rather than at configuration time, keeping the Provider declarations unchanged.

In `@gradle/libs.versions.toml`:
- Line 23: The Material3 dependency entry material3 = "1.11.0-alpha07" is
incompatible with the project's compose-multiplatform 1.10.3; either update the
compose-multiplatform dependency to at least 1.11.0-beta03 (where Material3
1.11.0-alpha07 is supported) or change the material3 entry to a
1.10.x-compatible alpha version; locate and update the material3 key in
libs.versions.toml or bump the compose-multiplatform version entry to
1.11.0-beta03 to resolve the mismatch.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: bd785318-61ea-4fa6-970c-b02932fb558a

📥 Commits

Reviewing files that changed from the base of the PR and between fb5cb53 and c7a16d1.

⛔ Files ignored due to path filters (1)
  • clients/web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/composeApp/buildscript-gradle.lockfile
  • gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts
  • gradle/libs.versions.toml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: scan-pr / osv-scan
  • GitHub Check: submit-gradle
  • GitHub Check: pr-checks-build-logic
  • GitHub Check: core-checks
  • GitHub Check: pr-checks
  • GitHub Check: dashboard-a11y
  • GitHub Check: Scan
  • GitHub Check: sonar
  • GitHub Check: Cloudflare Pages
🧰 Additional context used
📓 Path-based instructions (7)
**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

  • clients/composeApp/buildscript-gradle.lockfile
  • gradle/libs.versions.toml
  • clients/agent-runtime/src/gateway/mod.rs
  • gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts
clients/agent-runtime/src/{security,gateway,tools}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Treat src/security/, src/gateway/, src/tools/ as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Files:

  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/src/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Files:

  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why

Files:

  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Files:

  • clients/agent-runtime/src/gateway/mod.rs
**/*.rs

⚙️ CodeRabbit configuration file

**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.

Files:

  • clients/agent-runtime/src/gateway/mod.rs
**/*.gradle.kts

⚙️ CodeRabbit configuration file

**/*.gradle.kts: Prefer tasks.register/configureEach, avoid afterEvaluate, and preserve configuration cache.
Ensure dependencies come from version catalogs and avoid eager task realization.
Review plugin/config changes for supply-chain and reproducibility risks.

Files:

  • gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts
🧠 Learnings (2)
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

  • gradle/libs.versions.toml
  • clients/agent-runtime/src/gateway/mod.rs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

  • clients/agent-runtime/src/gateway/mod.rs
🔇 Additional comments (6)
clients/agent-runtime/src/gateway/mod.rs (1)

3128-3128: Scoped KeyInit import is correct.

Line 3128 correctly brings KeyInit into scope for Hmac::<Sha256>::new_from_slice(...) while preserving fail-closed signature verification behavior.

gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts (3)

13-13: Magic-number extraction is clean.

dynamicVersionCacheDurationDays = 7 is Int, which matches cacheDynamicVersionsFor(Int, TimeUnit) overload at lines 177 and 193. Good Detekt fix.


216-259: writeLocks refactor preserves behavior — LGTM.

Capturing isUnix at config time and iterating RegularFile lock entries is equivalent to the prior File-based logic; line-ending normalization on non-Unix and pre-exec backups are intact. No regression introduced.

Pre-existing (not from this PR, just flagging once): if a lockfile is missing before writeLocks runs, no backup is produced, and checkLocks' guard if (backup.exists() && file.exists()) silently passes even when the lockfile is newly created. If you ever want CI to fail on "lockfile appeared but wasn't committed", that branch is the place to enforce it — feel free to ignore for this PR.


261-288: checkLocks LGTM.

dependsOn(writeLocks) ensures backups exist before comparison, and the precomputed backupFiles map keeps the doLast body tight. Behavior matches the prior implementation.

clients/composeApp/buildscript-gradle.lockfile (1)

118-119: LGTM - Lockfile correctly reflects catalog update.

The compose gradle plugin lockfile entries are consistent with the compose-multiplatform 1.10.3 version bump in the catalog.

gradle/libs.versions.toml (1)

20-20: No action needed. Version 1.10.3 is a stable bugfix release with Kotlin 2.3.20 exceeding the minimum 2.2.20 requirement for the 1.10 series.

Comment thread gradle/libs.versions.toml
kotlinx-coroutines = "1.10.2"
junit-jupiter = "5.14.3"
material3 = "1.10.0-alpha05"
material3 = "1.11.0-alpha07"
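Review bot: material3 moves to the 1.11.0 pre-release line (1.10.0-alpha05 to 1.11.0-alpha07) while the catalog's compose-multiplatform entry stays at 1.10.3 according to the review above; Material3 artifacts are cut for a specific Compose Multiplatform release, so mixing trains risks resolving mismatched transitive compose versions at build time. Bump the two entries together, or keep material3 on a 1.10.x alpha until compose-multiplatform is moved to 1.11.0-beta03.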
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Jetbrains Compose Material3 1.11.0-alpha07 release notes breaking changes compatibility

💡 Result:

JetBrains Compose Multiplatform Material3 version 1.11.0-alpha07 is included in the Compose Multiplatform 1.11.0-beta03 release (published April 21, 2026). It is a direct re-export/wrapper of Jetpack Compose Material3 1.5.0-alpha17. No specific release notes, breaking changes, or migration notes are listed for Material3 1.11.0-alpha07 itself in the official JetBrains Compose Multiplatform changelog or release pages. The 1.11.0-beta03 release primarily includes features like drag-to-scroll in SelectionContainer and various fixes across platforms (e.g., mouse clicks, crashes, iOS/Web/Desktop issues), but nothing Material3-specific. Breaking changes and migration notes in the 1.11.0 series (e.g., Shader API changes, Key mappings, deprecations in Paint/Canvas) are in core/UI modules (like 1.11.0-alpha04), not attributed to Material3. Material3 upgrades follow Jetpack versions without additional JetBrains-specific breaks noted. Compatibility: Requires Compose Multiplatform 1.11.0-beta03 or compatible. Based on Jetpack Material3 1.5.0-alpha17, so inherits its compatibility (Android API levels, Compose BOM alignment). Use org.jetbrains.compose.material3:material3:* (all variants):1.11.0-alpha07. For Jetpack Material3 1.5.0-alpha17 details, check Android developer docs, but no explicit breaking changes found in search results for that version.

🏁 Script executed:

# First, check the gradle/libs.versions.toml file to see the full context
cat gradle/libs.versions.toml

Repository: dallay/corvus

Length of output: 6384


🏁 Script executed:

# Check for compose-multiplatform version in the gradle file
rg "compose-multiplatform|compose" gradle/libs.versions.toml

Repository: dallay/corvus

Length of output: 1655


🏁 Script executed:

# Check if there's a build.gradle.kts or settings.gradle that shows how these versions are used
fd -e "build.gradle.kts|settings.gradle" | head -10 | xargs cat

Repository: dallay/corvus

Length of output: 39


Material3 1.11.0-alpha07 is incompatible with compose-multiplatform 1.10.3.

Material3 1.11.0-alpha07 requires Compose Multiplatform 1.11.0-beta03 or later, but the project uses 1.10.3. Either upgrade compose-multiplatform to 1.11.0-beta03 or downgrade material3 to a compatible 1.10.x alpha version.

@github-actions github-actions Bot added size/l Denotes a large change size and removed size/m Denotes a medium change size labels Apr 26, 2026
@yacosta738 yacosta738 merged commit 5584536 into main Apr 26, 2026
21 checks passed
@yacosta738 yacosta738 deleted the chore/deps-consolidation branch April 26, 2026 08:52