Skip to content

Copilot/explore codebase implementation plan again#798

Merged
Bryan-Roe merged 5 commits into
mainfrom
copilot/explore-codebase-implementation-plan-again
Jul 7, 2026
Merged

Copilot/explore codebase implementation plan again#798
Bryan-Roe merged 5 commits into
mainfrom
copilot/explore-codebase-implementation-plan-again

Conversation

@Bryan-Roe

@Bryan-Roe Bryan-Roe commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Summary

Changes

Testing

Checklist

  • I added or updated tests for new behavior
  • I updated relevant documentation (README, .github/copilot-instructions.md, instruction files)
  • All unit tests pass locally (python scripts/test_runner.py --unit)
  • No hardcoded secrets or API keys introduced
  • PR title clearly describes the change (not a generic codespace/branch name)

Note

Medium Risk
Touches core detect_provider auto-selection and default provider priority, which can change which backend serves chat when multiple keys are configured; behavior is well-tested but affects hot API paths.

Overview
Groq is added as a first-class chat backend so CLI/API callers can use --provider groq or rely on auto-detection when GROQ_API_KEY is set and the API is reachable.

The new GroqProvider uses Groq’s OpenAI-compatible endpoint (default llama-3.1-8b-instant, overridable via GROQ_MODEL / GROQ_BASE_URL) with streaming and user-facing errors for connection, auth, and missing models. Auto mode now probes after OpenAI and before local echo, with _check_groq_available (30s cache, /models probe) and Groq fields included in provider-detection cache keys.

shared/config default priority and health summary() gain groq / groq_ready; shared/chat_providers re-exports GroqProvider. Docs and local.settings.json.example document the new env vars. New tests/test_groq_provider.py plus updates to test_provider_fallback.py cover detection, aliases, and caching.

Reviewed by Cursor Bugbot for commit a49e7aa. Bugbot is set up for automated code reviews on this repo. Configure here.

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @Bryan-Roe, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@cursor

cursor Bot commented Jul 7, 2026

Copy link
Copy Markdown

Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_e8ac8043-09ec-4978-8392-b632ca44256a)

@github-actions github-actions Bot added documentation Improvements or additions to documentation tests chat-interface labels Jul 7, 2026
Comment on lines +1313 to +1319
resp = self.client.chat.completions.create(
model=self.model,
messages=normalized_messages,
temperature=self.temperature,
max_tokens=self.max_output_tokens,
stream=stream,
)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Possibly found usage of AI: OpenAI

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detect-openai.

You can view more details about this finding in the Semgrep AppSec Platform.

resolved_key = api_key or os.getenv("GROQ_API_KEY")
if not resolved_key:
raise RuntimeError("Groq provider requires GROQ_API_KEY to be set.")
self.client = OpenAI(base_url=base_url, api_key=resolved_key)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Possibly found usage of AI: OpenAI

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detect-openai.

You can view more details about this finding in the Semgrep AppSec Platform.

models_url = server_url.rstrip("/") + "/models"
headers = {"User-Agent": "QAI", "Authorization": "Bearer " + groq_api_key}
request = urllib.request.Request(models_url, headers=headers)
urllib.request.urlopen(request, timeout=3)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
The application was found passing in a non-literal value to the urllib methods which issue
requests. urllib supports the file:// scheme, which may allow an adversary who can control
the URL value to read arbitrary files on the file system.

To remediate this issue either hardcode the URLs being used in urllib or use the requests
module instead.

Example using the requests module to issue an HTTPS request:

import requests
# Issue a GET request to https://example.com with a timeout of 10 seconds
response = requests.get('https://example.com', timeout=10)
# Work with the response object
# ...

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by B310-1.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment on lines +1029 to +1031
with urllib.request.urlopen(
req, timeout=timeout_seconds
) as resp: # noqa: S310 - local configurable endpoint

@bryan-roe-bot bryan-roe-bot Bot Jul 7, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The application was found passing in a non-literal value to the urllib methods which issue
requests. urllib supports the file:// scheme, which may allow an adversary who can control
the URL value to read arbitrary files on the file system.

To remediate this issue either hardcode the URLs being used in urllib or use the requests
module instead.

Example using the requests module to issue an HTTPS request:

import requests
# Issue a GET request to https://example.com with a timeout of 10 seconds
response = requests.get('https://example.com', timeout=10)
# Work with the response object
# ...

🍰 Fixed in commit d8276a9 🍰

models_url = server_url.rstrip("/") + "/models"
headers = {"User-Agent": "QAI", "Authorization": "Bearer " + groq_api_key}
request = urllib.request.Request(models_url, headers=headers)
urllib.request.urlopen(request, timeout=3)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by dynamic-urllib-use-detected.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment on lines +1029 to +1031
with urllib.request.urlopen(
req, timeout=timeout_seconds
) as resp: # noqa: S310 - local configurable endpoint

@bryan-roe-bot bryan-roe-bot Bot Jul 7, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.

🎈 Fixed in commit d8276a9 🎈

@bryan-roe-bot

bryan-roe-bot Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Semgrep found 26 detect-generic-ai-oai findings:

Possibly found usage of AI: OpenAI

assert p.model == "mixtral-8x7b-32768"
assert p.base_url == "https://custom.groq.example/v1"
assert p.temperature == 0.3
assert p.max_output_tokens == 512
monkeypatch.setenv("GROQ_API_KEY", "gsk-test")
key_with = _build_provider_detect_cache_key("auto", None, None, None)

assert key_without != key_with
monkeypatch.setenv("GROQ_API_KEY", "gsk-test")
key_with = _build_provider_detect_cache_key("auto", None, None, None)

assert key_without != key_with
monkeypatch.setenv("GROQ_MODEL", "mixtral-8x7b-32768")
key_b = _build_provider_detect_cache_key("groq", None, None, None)

assert key_a != key_b
monkeypatch.setenv("GROQ_MODEL", "mixtral-8x7b-32768")
key_b = _build_provider_detect_cache_key("groq", None, None, None)

assert key_a != key_b
monkeypatch.setenv("GROQ_BASE_URL", "https://custom.groq.example/v1")
key_custom = _build_provider_detect_cache_key("groq", None, None, None)

assert key_default != key_custom
monkeypatch.setenv("GROQ_BASE_URL", "https://custom.groq.example/v1")
key_custom = _build_provider_detect_cache_key("groq", None, None, None)

assert key_default != key_custom
@pytest.mark.unit
def test_groq_provider_requires_openai_package(monkeypatch):
"""GroqProvider raises RuntimeError when openai is not installed."""
import chat_providers as cp
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔐 CodeQL — Open Alerts on this PR

Severity Count
error 7
note 2

Copilot Autofix suggestions (if enabled) appear as inline review comments on the affected lines.
See the full list in the Security tab.

@cursor

cursor Bot commented Jul 7, 2026

Copy link
Copy Markdown

Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_7e9376d7-4e54-461c-abff-bea56d85bf68)

@Bryan-Roe Bryan-Roe merged commit 3ad2c8d into main Jul 7, 2026
36 of 54 checks passed
@Bryan-Roe Bryan-Roe deleted the copilot/explore-codebase-implementation-plan-again branch July 7, 2026 07:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chat-interface documentation Improvements or additions to documentation tests

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants