Feature/gemini support and cli ux#7
Open
saeed-vayghan wants to merge 9 commits into
Open
Conversation
rng1995
requested changes
Jun 22, 2026
rng1995
left a comment
rng1995
left a comment
Collaborator
There was a problem hiding this comment.
Request changes — the CLI streaming rewrite itself is correct and the stdout/stderr split is a genuine improvement, but two concrete issues should be fixed before merge, and bundling several unrelated changes makes this harder to review/revert.
What's good ✅
- The non-verbose streaming path is functionally sound:
resultaccumulates exactly the keys the CLI consumes downstream —report_body/sarif_report(_write_result),temp_dir_for_cleanup(_cleanup_result), andrisk_score(exit code). It keys on output presence rather than node names, so it stays robust to graph changes.total_steps = 4 + len(ANALYZER_NODE_IDS)matches the actual non-analyzer nodes (resolve_input,build_context,meta_analyzer,report), andANALYZER_NODE_IDSis exported. Existingtests/unit/test_cli.pyruns the default (non-verbose) path, so output correctness is covered. - Routing the progress UI / file tree to a
stderrconsole sostdoutstays clean for--format jsonis the right call.
Please address (blocking)
.gitignore: report*is unanchored. A gitignore entry without a leading slash matches that basename at any depth, soreport*also matchessrc/skillspector/nodes/report.pyand will silently ignore any futurereport*source/test file. Please anchor to the generated artifacts, e.g./report*at repo root, or better, target the actual outputs (/report*.json,/report*.sarif).- Trailing whitespace fails
ruff check.pyproject.tomlselects theWruleset (onlyE501is ignored), and the new CLI block adds ~8 blank lines with trailing whitespace (W293). Please strip them so the change is lint-clean.
Non-blocking suggestions
- Scope/bundling: this PR mixes Gemini model-registry entries, the CLI UX rewrite, a
.gitignorechange, and an exception-logging tweak. Splitting them would make review and rollback safer. warnings.filterwarnings("ignore", category=UserWarning, module="pydantic")is a process-wide, persistent filter. Consider a scopedwith warnings.catch_warnings():around the graph run (or narrowing the message) so unrelated warnings aren't hidden.mcp_tool_poisoning.pyTP4 handler: switching fromexc_info=Trueto": %s"drops the traceback. For a security analyzer, keepingexc_info=True(optionally gated on debug level) preserves debuggability when the LLM check fails.nv_build/model_registry.yaml: addinggemini-3.5-flashto the nv_build provider registry reads as semantically off, since Gemini is reached via the OpenAI-compatible path; harmless for token budgeting but potentially misleading.- Minor: the
.gitignore(and a couple of the YAML files) end without a trailing newline; the inline imports in theelseblock could move to module top.
Thanks for the work here — happy to re-review once the gitignore pattern and the lint issues are addressed.
Author
|
@rng1995 Thanks for the thorough review! I've addressed everything in two commits: Blocking issues (fixed):
Non-blocking suggestions (also fixed):
On scope/bundling: Good point — I'll keep this in mind for future PRs. For this one, the changes are already pushed as separate commits so they can be reverted independently if needed. Ready for re-review when you get a chance. |
This commit adds 'gemini-3.5-flash' to the model registries across various providers to prevent token-limit warnings. It also updates the exception handling in mcp_tool_poisoning to gracefully catch non-fatal LLM check failures without printing noisy tracebacks.
…overy - Swapped the synchronous graph invoke for a streamed execution when verbose mode is off. - Integrated rich.progress to provide immediate feedback to users during long-running security scans. - Added a file tree breakdown right after the context is built, so users know exactly which files are being picked up for analysis. - Explicitly suppressed Pydantic's serializer warnings that were cluttering the terminal output during structured LLM generation. - The UI now actively ticks off the analyzer rules as they finish, removing the guesswork when waiting on slower LLM checks.
- Provided a clear snippet for using the Gemini API via the OpenAI compatibility layer.
- Prevented the new progress UI from corrupting stdout when using --format json or sarif.
- Added `report*` to .gitignore to prevent accidentally committing local scan reports.
…in cli.py - .gitignore: anchor report* to repo root with specific extensions (/report*.md, /report*.json, /report*.sarif) so source files like src/skillspector/nodes/report.py are no longer silently ignored - cli.py: strip trailing whitespace from blank lines to pass ruff W293
…mini entry - cli.py: replace process-wide warnings.filterwarnings() with scoped warnings.catch_warnings() so Pydantic suppression only lives during the graph run; move inline imports to module level (ruff I001 clean) - mcp_tool_poisoning.py: restore exc_info=True on TP4 exception handler to preserve full tracebacks when LLM check fails - nv_build/model_registry.yaml: remove gemini-3.5-flash — Gemini is accessed via OpenAI-compatible path, not NVIDIA build endpoints; entry remains in openai/ and root registries where it belongs
saeed-vayghan
force-pushed
the
feature/gemini-support-and-cli-ux
branch
from
3591d39 to
17883c1
Compare
rng1995
approved these changes
Jun 24, 2026
rng1995
left a comment
rng1995
left a comment
Collaborator
There was a problem hiding this comment.
[Automated SkillSpector Review]
Re-review: both blockers resolved — approving.
.gitignoreis now anchored to repo root with specific extensions (/report*.md|json|sarif), sosrc/skillspector/nodes/report.pyis no longer matched.- The trailing-whitespace block in
cli.pyis cleaned (ruffW293).
All non-blocking items were also handled: the Pydantic warnings filter is now scoped via with warnings.catch_warnings() (no longer process-wide), the TP4 exc_info change was reverted (file no longer in the diff), and gemini-3.5-flash moved out of the nv_build registry into the OpenAI-compatible path. The non-verbose streaming path still accumulates exactly the keys the CLI consumes and routes UI to stderr. Minor cosmetic nit: .gitignore has no trailing newline. Approving.
Author
|
@rng1995 It seems for some reason I have no access to Merge Button. Could you please do it? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Feature: Gemini Support & CLI UX Improvements
Overview
This PR adds support for
gemini-3.5-flashand significantly improves the CLI by adding real-time visual progress tracking for long scans.Key Changes
stderr, ensuringstdoutremains perfectly clean when using--format json.gemini-3.5-flashto prevent token limit errors and added a setup example to theREADME.md.report*to.gitignore.Testing
skillspector scan ./my-skill/to see the new progress bar.skillspector scan ./my-skill/ --format json > out.jsonto verify the JSON output remains uncorrupted.