Commit Graph

538 Commits

Author SHA1 Message Date
1b89f5fd28 chore: update qa-tester agent model to mimo-v2.5-pro 2026-06-01 08:23:45 +03:00
83e6181bf5 fix(validation): fallback chunk size when max_images=0 or None
When max_images could not be detected (e.g. Kilo gateway doesn't
support OpenAI image format, probe returned 0), chunking was
disabled entirely and all screenshots sent in a single request.
Nvidia NeMo still enforces an 8-image limit regardless of the
gateway, causing 400 errors.

Fix: default to 8 images per chunk when max_images is 0 or None,
so chunking always applies for multi-tab dashboards.
2026-05-31 23:10:16 +03:00
ab90755fa1 fix(validation): process all dashboards in a run, not just the first one
Root cause of stuck 'running' runs: the plugin's execute() method
only processed dashboard_ids[0] and returned. The remaining N-1
dashboards were never processed, and _update_run_status was called
after each single dashboard without checking dashboard_count.

Fixes:
- execute() now loops over ALL dashboard_ids and processes each
  via _execute_path_a or _execute_path_b
- _update_run_status is called once AFTER the loop finishes
- _update_run_status now checks that len(records) >= dashboard_count
  before marking the run as finished (prevents premature completion)
- Per-dashboard _update_run_status calls removed from _execute_path_a
  and _execute_path_b (the parent loop owns it now)
- Test updated for new batch return format {dashboards: [...], total: N}
2026-05-31 23:03:46 +03:00
c8e81747fc fix(validation): auto-cleanup stuck validation runs on backend startup
When the backend restarts (deploy, crash, reload), the in-memory
TaskManager loses its queue. ValidationRun records left 'running'
in the DB would hang forever, blocking re-runs.

Fix: during lifespan startup, query all ValidationRun with
status='running' and force-stop them as FAIL with a clear summary.

This prevents the 'already has a running run' error after restarts.
2026-05-31 23:00:35 +03:00
7f7a85b2c5 refactor(validation): deduplicate image optimization, fix quality-reduction-before-chunking, unify chunk_count key
- Extract _optimize_images() helper to eliminate duplicate
  optimization code (was duplicated between initial pass and
  quality-reduction fallback)
- Move quality-reduction estimate to only apply when NOT chunking
  (each chunk fits the image limit by definition)
- Fix _merge_chunk_results to return 'chunk_count' instead of 'chunks'
  for consistency with plugin.py
- Simplify plugin.py: analysis.get('chunk_count', 1) instead of
  fallback chain
- Document that Kilo API gateway is incompatible with AsyncOpenAI
  image format (probe returns 0)
2026-05-31 22:57:58 +03:00
2760fa09ea feat(validation): chunk screenshots by max_images limit + fix websocket crash
- analyze_dashboard_multimodal now splits screenshots into chunks
  of max_images (from provider config) and sends them in parallel
- Results merged: worst status, deduped issues by (severity, msg, loc)
- New helper methods: _deduplicate_issues, _merge_chunk_results, _call_llm_for_images
- Plugin passes db_provider.max_images to the LLM client
- Report UI shows 'Chunked ×N' badge when analysis used multiple chunks
- i18n: added 'chunked' / 'По частям' key to validation.json
- Fix: isinstance(StopIteration) -> isinstance(_ws_exc, StopIteration)
  which crashed the websocket and broke task execution mid-flight
- Fix: update test mocks (_FakeLLMClient, _FakeScreenshotService)
2026-05-31 22:43:06 +03:00
9b938fcb81 chore: stop tracking auto-generated semantic index 2026-05-31 22:32:52 +03:00
4c429a74ed chore: add .axiom/ and audit reports to .gitignore 2026-05-31 22:32:44 +03:00
05ef6cdff8 docs(validation): update agent configs, skills, ADRs, specs
- qa-tester: add validation v2 testing checklist
- speckit.plan: add component reuse scan for frontend
- molecular-cot-logging: add Svelte logger + CLI reader
- semantics-svelte: add RSM model-first protocol, frontend stack
- templates: update plan/tasks/ux-reference templates
- ADR-0004: add llm_dashboard_validation plugin registration
- ADR-0008: add assistant tool registry for v2 validation
- Specs: update 017 tasks from 51 to 99
2026-05-31 22:32:32 +03:00
40c9f849b2 feat(validation): v2 frontend — pages, components, stores, i18n
Frontend implementation for v2 LLM dashboard validation:
- validation-tasks/ pages (list, create, edit, detail, runs, history)
- ValidationTaskForm with 5-step wizard, LLM provider selector
- ValidationTaskReport with collapsible dashboard issue cards
- WebSocket task drawer with progress tracking and reconnect logic
- Dashboard page integration with validation status, history, health
- API layer: fetchApi/requestApi wrappers with trace_id propagation
- CoT logger (frontend) for structured JSON logging
- i18n: validation.json with 117 keys each for en/ru
- Settings refactor: consolidated admin settings, provider bindings
- ScheduleAtAGlance health widget, sidebar navigation update
2026-05-31 22:32:27 +03:00
d2b53c2a79 feat(validation): v2 LLM dashboard validation — plugin, routes, services
Core implementation of the v2 LLM dashboard validation pipeline:
- LLM plugin with Path A (screenshots) and Path B (logs-only) execution
- Validation task management (CRUD, schedule, run)
- WebSocket task progress with Python 3.13 asyncio fix
- Cross-task runs listing (GET /validation-tasks/runs/all)
- RecordResponse schema for validation records
- JSON prompt helper, per-dashboard status aggregation
- Prompt templates with docs/git-commit/validation presets
- Migration: v2 validation models + description column
- Tests: plugin persistence, prompt templates, batch, payload, url
2026-05-31 22:32:20 +03:00
431330231f cleanup(validation): remove v1 validation routes and frontend pages
Delete deprecated code that has been fully replaced by v2:
- backend: validation.py routes, validation_run_service.py
- frontend: validation.js API module, validation/ pages
2026-05-31 22:32:14 +03:00
5e5f958eaa feat(llm): auto-detect max images per request for LLM providers
Add binary-search probe endpoint POST /providers/{id}/probe-max-images
that discovers the per-request image limit by sending incrementally
more 1x1 JPEGs via the provider's own API. Result is cached in the
new max_images column on the provider config.

- LLMProviderConfig: add max_images: int | None
- LLMProvider (SQLAlchemy): add max_images column
- Migration ed28d34edde7: clean ADD COLUMN
- LLMProviderService: create/update/set_max_images
- POST /providers/{id}/probe-max-images: binary search + error parsing
- ProviderConfig.svelte: 'Detect' button in edit modal + HelpTooltip
- i18n (en/ru): 11 new keys for probe UI
2026-05-31 22:31:36 +03:00
652de471d2 tasks 2026-05-31 17:38:43 +03:00
e17f4f64a9 websocket add 2026-05-31 17:17:30 +03:00
18f88a6928 fix(translate): repair dialect detection — UPSERT routing, whitespace, MySQL quoting, dead code
CRITICAL BUG-1: UPSERT routing generated invalid ON CONFLICT for MySQL,
MSSQL, Snowflake, Oracle, DuckDB. Now uses explicit UPSERT_SUPPORTED_DIALECTS
({'postgresql', 'redshift'}) — unknown dialects get plain INSERT.

BUG-2: _extract_dialect did not strip whitespace, inconsistent with
get_dialect_from_database. Fixed guard + normalized value.

BUG-3: Whitespace-only input ('   ', '\n') returned itself instead of 'unknown'.

BUG-4: Dead code — removed 'greenplum' from POSTGRESQL_DIALECTS
(always normalized to 'postgresql').

BUG-5: MySQL identifier quoting used double quotes instead of native backticks.
Added BACKTICK_DIALECTS set.

MOCK-FIX: test_at_least_one_row_per_batch patched wrong path
(executor.estimate_token_budget -> _batch_sizer.estimate_token_budget).

Adds 131 orthogonal tests covering all 4 dialect detection code paths
across input formats, normalization, routing, quoting, encoding,
schema validation, and cross-component consistency.
2026-05-31 10:26:03 +03:00
15b466a918 feat(translate): move write settings to Target Config tab + fix datasource name lookup
Fixes:
- Move batch size, upsert strategy, include source reference
  from Config tab to Target Config tab (Write Settings section)
- Fix 'Dataset #26' fallback — look up real datasource name
  via API when source_table is not saved in job data
- Persist include_source_reference in save payload and
  restore from job data on load (was a pre-existing gap)

QA review fixes:
- Update @BRIEF contracts for both tabs
- Fix import indentation in +page.svelte

Other: help tooltips on translate pages, flow hint on list page,
git migration manager components, dashboard hub pages,
migration settings pages
2026-05-31 09:59:09 +03:00
c528a37987 agents ai native front 2026-05-29 22:16:39 +03:00
9ef9fae206 fix: critical QA findings — dead code and prop mismatch
1. Remove get_config_manager() call from translate_run_websocket
   (@app.websocket /ws/translate/run/{run_id}) — was not imported
   and unused. Also remove unused from sqlalchemy.orm import Session.
2. Fix prop name mismatch: showBulkReplace -> showPageBulkReplace
   in RunTabContent. Use () for reactive two-way binding.
3. Add ('DRAFT') for status prop in RunTabContent.
2026-05-29 16:47:50 +03:00
db7e5e3863 feat(translate): add WebSocket endpoint for real-time run progress
Backend:
- Add /ws/translate/run/{run_id} WebSocket endpoint in app.py
- Streams structured run status every second (total_records,
  successful_records, failed_records, progressPct, batch_count, etc.)
- Auto-detects terminal states (COMPLETED, FAILED, CANCELLED) and closes
- Authenticated via JWT/API key token query param

Frontend:
- Add getTranslateRunWsUrl() URL builder in api.js
- Update translationRunStore to use WebSocket instead of log stream
- WebSocket receives structured status JSON, updates store reactively
- Falls back to polling silently if WebSocket fails
- Keep polling as fallback for insert phase
2026-05-29 16:42:59 +03:00
1aceba465b fix: remove orphaned functions, add for auto-load columns
Clean up remaining orphaned references after tab extraction:
- Remove loadColumnsForDatasource, searchDatasources, selectDatasource
  etc. from page (moved to ConfigTabForm)
- Add  on datasourceId in ConfigTabForm for auto-loading
  columns when parent sets datasourceId (loadJob)
- Fix stray braces, remove dead isVirtual function
- Page now 779 lines (down from 1519, -49%)
2026-05-29 16:35:50 +03:00
ffa6234a36 refactor: remove orphaned functions after tab extraction
Remove loadColumnsForDatasource, searchDatasources, selectDatasource,
toggleContextColumn, toggleSourceKeyCol, updateTargetKeyCol, isVirtual
from page — all moved to ConfigTabForm.svelte.

Add  on datasourceId in ConfigTabForm to auto-load columns
when parent sets datasourceId (loadJob) or user selects a datasource.
2026-05-29 16:33:15 +03:00
ebc00bbb0e refactor(translate): extract ConfigTabForm, TargetTabForm, RunTabContent from page
Page reduced from 1519 to 909 lines (-40%). Extracted:
- ConfigTabForm.svelte (370 lines) — datasource search, column mapping,
  LLM, target languages, dictionaries, batch config
- TargetTabForm.svelte (120 lines) — target schema/table/database,
  target column mapping, TargetSchemaHint
- RunTabContent.svelte (170 lines) — run cards, progress, history

All three components use () props for seamless parent
state sync. Sub-components (TargetSchemaHint, TranslationPreview,
TranslationRunProgress, ScheduleConfig, BulkReplaceModal) unchanged.
2026-05-29 16:30:09 +03:00
05fda8310d refactor(translate): add UX contracts to translation job page
Add comprehensive UX contract header documenting:
- @UX_STATE: all states of the page-level state machine (idle, loading,
  configured, saving, validation_error, datasource_unavailable, error)
- @UX_STEP: 5 logically separated steps/tabs (Config, Preview, Target, Run, Schedule)
- @UX_FEEDBACK: toasts, modals, inline progress, schema validation
- @UX_RECOVERY: retry paths for save/preview/run failures
- @UX_REACTIVITY: props, local state, derived, effects, store bindings
- @UX_DEPENDENCY: data flow between datasource selection, env switching,
  config validity, and tab availability
- @UX_TEST: test scenarios for the automated Judge Agent

Also remove leftover sourceDialect/targetDialect selects from UI
(now sent as sensible defaults in save payload).

Sub-components (TargetSchemaHint, TranslationPreview, TranslationRunProgress,
ScheduleConfig, BulkReplaceModal) already have UX contracts.
2026-05-29 16:25:14 +03:00
c9fb994728 fix(translate): remove source/target dialect selects from UI
These fields were showing database types (PostgreSQL, ClickHouse)
as human language options for the LLM prompt, which was confusing.
Now sending sensible defaults (source='SQL', target='en') directly
in the save payload without exposing them in the UI.

The backend already has fallbacks:
  _llm_call.py: source_language = job.source_dialect or 'SQL'
  _batch_proc.py: target_langs = or [job.target_dialect or 'en']
2026-05-29 16:16:05 +03:00
5deb01e182 fix 2026-05-29 16:15:41 +03:00
e7d4121dc9 fix(translate): replace DB types with human languages in source/target dialect selects
sourceDialect/targetDialect select options contained database types
(PostgreSQL, ClickHouse, MySQL...) while these fields are used as
human language indicators for the LLM prompt:
  _llm_call.py: source_language = job.source_dialect or 'SQL'

Changed to use the existing LANGUAGES list (from LANGUAGE_LABELS:
ru, en, de, fr, es, etc.) plus 'SQL' option for source dialect.
Defaults updated: source='SQL' (SQL-like expressions), target='en'.
2026-05-29 16:14:49 +03:00
b850fad7a7 fix(translate): restore environmentId before loading databases in loadJob
Bug: loadDatabases() was called at line 374 while environmentId still
held the FIRST environment from initialization (line 259), because
environmentId = j.environment_id was not set until line 391 (inside
the datasource block). Only after that was environmentId correct.

This caused the database dropdown to show databases from a different
environment than the job's actual environment. For example, db_id=2
is DEV Greenplum in 'dev' but Prod Clickhouse in 'preprod'. The user
would select Greenplum from the dev list, but the job would use
preprod where db_id=2 is ClickHouse.

Fix: set environmentId from the job's stored environment BEFORE
calling loadDatabases(), and outside the datasource conditional
so it runs for all existing jobs.
2026-05-29 16:11:10 +03:00
525e0a56af fix(translate): add database_id to datasources response + auto-select on frontend
Root cause: fetch_available_datasources did not return database_id,
so frontend could not auto-set target_database_id when user selected
a datasource. User then had to manually pick a database on Target Config
tab — and could accidentally select the wrong one.

Backend changes:
- Add 'database_id' field to datasources response (from db_info.get('id'))
- Add _database_name tracking in SupersetSqlLabExecutor with getter
- Add database_name + database_backend to TargetSchemaValidationResponse
- Enrich resolve_database_id logging with database_name and all_keys

Frontend changes:
- In selectDatasource(), auto-set targetDatabaseId from ds.database_id
  when present, so the correct target DB is used for schema checks.
2026-05-29 15:36:36 +03:00
443751741b fix: .pem -> .crt extension for downloaded certs, remove stale check_llm_certs.txt 2026-05-29 14:32:45 +03:00
6743b67605 fix(translate): normalize backend dialect detection with explicit mapping
- Replace fragile substring check (any(kw in backend for kw in ('clickhouse', 'ch')))
  with a proper _backend_normalize mapping + exact comparison.
  Fixes misdetection of Greenplum (postgresql) and other backends.
- Add 'clickhousedb' to CLICKHOUSE_DIALECTS so SQL generator uses
  backtick quoting and correct INSERT strategy for ClickHouse.
- Normalize _extract_dialect to map 'clickhousedb' -> 'clickhouse'
  and 'greenplum' -> 'postgresql'.
2026-05-29 14:32:00 +03:00
745c9e7ef2 docs: update ADR-0009 with complete discovery journey
Added Phase 1-3 discovery timeline (certifi → .pem→.crt → cafile→capath),
OpenSSL 3.x cafile limitation analysis, diagnostic matrix,
test commands, version history. All 8 findings documented.
2026-05-29 14:30:33 +03:00
d294e0295b fix: QA findings — GRACE contracts for _get_verify, fix _llm_http.py structure
- Added #region/#endregion contracts with @RATIONALE/@REJECTED to
  _get_verify() in both translate plugins (P1 HIGH, P2 MEDIUM)
- Removed orphaned duplicates #endregion in _llm_http.py (P1 HIGH, P6 HIGH)
2026-05-29 11:10:11 +03:00
8ecea09222 fix: capath instead of cafile for all LLM clients
OpenSSL 3.x ignores intermediate CA certs in -CAfile (verify code 20)
but correctly builds chains with -CApath (verify code 0).
All three clients now use capath:
  - service.py: ssl.create_default_context(capath=...)
  - _llm_http.py: verify='/etc/ssl/certs/'
  - preview_llm_client.py: verify='/etc/ssl/certs/'
check_llm_certs.py rewritten for clarity.
2026-05-29 11:02:48 +03:00
802727b58a fix: check_llm_certs.py — fixes from user review
- openssl s_client: stdin=EOF to prevent hang (input='')
- argparse for --target CLI argument
- in_bundle check: awk+openssl per-cert fingerprint comparison
- NamedTemporaryFile: mode='wb' for binary writes
- Added httpx_capath and requests_cafile_capath tests
- Graceful handling of empty ca-certificates.crt
2026-05-28 23:22:53 +03:00
8a815ab1b1 fix: check_llm_certs.py — handle DER files, openssl timeout 20s, binary PEM reads 2026-05-28 23:10:18 +03:00
05f42d5489 fix: check_llm_certs.py — clean main() structure, safe imports 2026-05-28 22:58:37 +03:00
ed4ac88c3d feat: rewrite SSL diag in Python — tests all real libraries
Tests all 4 SSL methods with actual project libraries:
  - httpx (verify=True/False/SSLContext cafile/cafile+capath)
  - requests (verify=True/False/cafile/capath)
  - openssl s_client (default/CAfile/CApath/chain bundle)
  - certutil (NSS/Chromium)
  - certifi vs system CA comparison
Outputs JSON summary with AI diagnosis hint.
2026-05-28 22:57:08 +03:00
2cc2896740 fix: rewrite check_llm_certs.sh — tests all methods AI needs
Tests 4 variants: openssl s_client (CAfile, CApath, default),
Python httpx (cafile, cafile+capath), requests (cafile, capath),
NSS certutil. Output format is machine-parseable for AI diagnosis.
2026-05-28 22:56:19 +03:00
2d4b60cef9 feat: add SSL certificate diag script (check_llm_certs.sh)
Runs from inside Docker container to verify all 4 SSL layers:
1. System CA store (openssl s_client)
2. NSS database (certutil) for Chromium
3. Python httpx (SSLContext with cafile)
4. Python requests (verify with system CA path)
Reads LLM_SSL_VERIFY and CA paths from .env.enterprise-clean
2026-05-28 12:13:44 +03:00
19dd447345 feat: ADR-0009 SSL cert management, fix certifi vs system CA
- ADR-0009: comprehensive SSL certificate management strategy
- _get_ssl_verify() returns SSLContext with cafile= instead of bool True
  (httpx deprecates verify=<str>, requests needs system CA, not certifi)
- _get_verify() in translate plugin returns system CA path
- All tests updated for SSLContext return type
- All QA findings C1-C3, H1-H4, M1 incorporated into ADR
2026-05-28 12:06:42 +03:00
60333bdb95 fix: add LLM_SSL_VERIFY support to translate plugin HTTP clients
preview_llm_client.py and _llm_http.py both use requests.post()
without verify=, causing SSLError when corporate CA not in trust store.
Added _get_verify() helper that reads LLM_SSL_VERIFY env var.
2026-05-28 11:53:17 +03:00
477e30a9f2 git 2026-05-27 23:24:12 +03:00
d2c60c87e2 fix: QA findings C1-C3, H1-H4, M1 — cert install hardening
C1: fingerprint (SHA256) вместо grep -qF для детекции сертификатов в bundle
    — исключает ложные срабатывания и бесконечный рост ca-certificates.crt
C2: hash symlink collision — поддержка .0, .1, .2 суффиксов вместо
    перезаписи единственного .0
C3: NSS nickname collision — дедупликация по fingerprint, префикс
    директории (llm-/custom-) в nickname, fallback с хешем при коллизии
H1: DER->PEM конвертация — добавлена || проверка ошибки
H2: Удалён install_playwright из entrypoint (Chromium уже baked в Dockerfile)
H3: NSS DB path — sql: префикс, проверка существования и пересоздание
    при повреждении
H4: Chicken-and-egg TLS — curl fallback с --insecure при первом скачивании
    корп. CA сертификата
M1: nullglob для install_certificates — безопасная итерация по файлам
2026-05-27 21:50:07 +03:00
3619a2ae78 feat(assistant): implement tool registry and expand assistant capabilities
Introduce a centralized tool registry system for the assistant to manage
executable operations, permissions, and tool catalogs. This refactors
the assistant dispatch logic from a monolithic approach to a modular,
decorator-based registry.

Key changes:
- Implement `AssistantToolRegistry` to handle tool registration,
  permission checks, and safe operation identification.
- Add a suite of new assistant tools: backup, commit, branch creation,
  deployment, health summary, environment listing, LLM operations,
  maintenance, migration, and dashboard searching.
- Refactor `_dispatch.py` and `_llm_planner.py` to utilize the new
  registry for intent resolution and tool catalog building.
- Enhance the LLM planner to support more descriptive clarification
  responses in Russian when intents are ambiguous.
- Update the frontend to support the new tool-based workflow, including
  improved i18n labels for assistant operations and a new step-by-step
  wizard for the migration page.
- Add ADR-0008 to document the architectural decision for the tool
  registry.
2026-05-27 18:05:28 +03:00
8db2b1bb6b fix: replace hardcoded UI labels with i18n translations
- Add missing i18n keys to common.json, reports.json, dashboard.json,
  tasks.json, git.json (EN + RU)
- Replace all hardcoded labels in LLM report page with .reports.* keys
- Replace hardcoded tab labels (Linked resources, Git history) in
  DashboardDetail page
- Replace hardcoded RU text in DashboardGitManager with .git.* keys
- Remove hardcoded fallback strings from DashboardHeader, DashboardTaskHistory
2026-05-27 16:53:20 +03:00
040d333d7d fix: QA findings — Dockerfile #endregion dedup, @RATIONALE, grep -qF
- Removed duplicate #endregion in backend.Dockerfile (P6 critical)
- Added @RATIONALE and @REJECTED to install_ca_to_nss and install_llm_ca_certs
- Changed grep -q to grep -qF in install_llm_ca_certs validation
2026-05-27 16:12:37 +03:00
ce49760e5a date fx 2026-05-27 16:05:04 +03:00
0d05a0bd6d fix: add NSS cert import for Chromium Playwright + libnss3-tools
- install_ca_to_nss() — imports corporate CA certs into Chromium's NSS
  database (~/.pki/nssdb), fixing ERR_CERT_AUTHORITY_INVALID in Playwright
- libnss3-tools added to Dockerfile for certutil binary
2026-05-27 15:43:27 +03:00
79370f3451 fix: pass LLM_SSL_VERIFY env var through docker-compose to container 2026-05-27 15:26:38 +03:00