Merge branch 'main' into smoketest2

Author: kevinbackhouse

.devcontainer/post-attach.sh

@@ -7,8 +7,8 @@ if [ -v CODESPACES ]; then
     if [ ! -v AI_API_TOKEN ]; then
         echo "⚠️ Running in Codespaces - please add AI_API_TOKEN to your Codespaces secrets"
     fi
-    if [ ! -v GITHUB_PERSONAL_ACCESS_TOKEN ]; then
-        echo "⚠️ Running in Codespaces - please add GITHUB_PERSONAL_ACCESS_TOKEN to your Codespaces secrets"
+    if [ ! -v GH_TOKEN ]; then
+        echo "⚠️ Running in Codespaces - please add GH_TOKEN to your Codespaces secrets"
     fi
 fi
 

.github/workflows/ci.yml

@@ -35,8 +35,7 @@ jobs:
 
     - name: Run static analysis
       run: |
-        # hatch fmt --check
-        echo linter errors will be fixed in a separate PR
+        hatch fmt --linter --check
 
     - name: Run tests
       run: hatch test --python ${{ matrix.python-version }} --cover --randomize --parallel --retries 2 --retry-delay 1

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 GitHub
+Copyright GitHub, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,11 +1,9 @@
-# Seclab Taskflow Agent
+# GitHub Security Lab Taskflow Agent
 
 The Security Lab Taskflow Agent is an MCP enabled multi-Agent framework.
 
 The Taskflow Agent is built on top of the [OpenAI Agents SDK](https://openai.github.io/openai-agents-python/).
 
-While the Taskflow Agent does not integrate into the GitHub Dotcom Copilot UX, it does operate using the Copilot API (CAPI) as its backend, similar to Copilot IDE extensions.
-
 ## Core Concepts
 
 The Taskflow Agent leverages a GitHub Workflow-esque YAML based grammar to perform a series of tasks using a set of Agents.
@@ -16,38 +14,48 @@ Agents are defined through [personalities](examples/personalities/), that receiv
 
 Agents can cooperate to complete sequences of tasks through so-called [taskflows](doc/GRAMMAR.md).
 
-You can find a detailed overview of the taskflow grammar [here](taskflows/GRAMMAR.md) and example taskflows [here](examples/taskflows/).
+You can find a detailed overview of the taskflow grammar [here](doc/GRAMMAR.md) and example taskflows [here](examples/taskflows/).
 
 ## Use Cases and Examples
 
 The Seclab Taskflow Agent framework was primarily designed to fit the iterative feedback loop driven work involved in Agentic security research workflows and vulnerability triage tasks.
 
 Its design philosophy is centered around the belief that a prompt level focus of capturing vulnerability patterns will greatly improve and scale security research results as frontier model capabilities evolve over time.
 
-While the maintainer himself primarily uses this framework as a code auditing tool it also serves as a more generic swiss army knife for exploring Agentic workflows. For example, the GitHub Security Lab also uses this framework for automated code scanning alert triage.
+At GitHub Security Lab, we primarily use this framework as a code auditing tool, but it can also serve as a more generic swiss army knife for exploring Agentic workflows. For example, we also use this framework for automated code scanning alert triage.
 
 The framework includes a [CodeQL](https://codeql.github.com/) MCP server that can be used for Agentic code review, see the [CVE-2023-2283](examples/taskflows/CVE-2023-2283.yaml) taskflow for an example of how to have an Agent review C code using a CodeQL database ([demo video](https://www.youtube.com/watch?v=eRSPSVW8RMo)).
 
 Instead of generating CodeQL queries itself, the CodeQL MCP Server is used to provide CodeQL-query based MCP tools that allow an Agent to navigate and explore code. It leverages templated CodeQL queries to provide targeted context for model driven code analysis.
 
 ## Requirements
 
-Python >= 3.9 or Docker
+Python >= 3.10 or Docker
 
 ## Configuration
 
-Provide a GitHub token for an account that is entitled to use [GitHub Models](https://models.github.ai) via the `AI_API_TOKEN` environment variable. Further configuration is use case dependent, i.e. pending which MCP servers you'd like to use in your taskflows.
+Provide a GitHub token for an account that is entitled to use [GitHub Models](https://models.github.ai) via the `AI_API_TOKEN` environment variable. Further configuration is use case dependent, i.e. pending which MCP servers you'd like to use in your taskflows. In a terminal, you can add `AI_API_TOKEN` to the environment like this:
+
+```sh
+export AI_API_TOKEN=<your_github_token>
+```
+
+Or, if you are using GitHub Codespaces, then you can [add a Codespace secret](https://github.com/settings/codespaces/secrets/new) so that `AI_API_TOKEN` is automatically available when working in a Codespace.
+
+Many of the MCP servers in the [seclab-taskflow](https://github.com/GitHubSecurityLab/seclab-taskflows) repo also need an environment variable named `GH_TOKEN` for accessing the GitHub API. You can use two separate PATs if you want, or you can use one PAT for both purposes, like this:
+
+```sh
+export GH_TOKEN=$AI_API_TOKEN
+```
 
-You can set persisting environment variables via an `.env` file in the project root.
+We do not recommend storing secrets on disk, but you can persist non-sensitive environment variables by adding a `.env` file in the project root.
 
 Example:
 
 ```sh
-# Tokens
-AI_API_TOKEN=<your_github_token>
 # MCP configs
-GITHUB_PERSONAL_ACCESS_TOKEN=<your_github_token>
 CODEQL_DBS_BASE_PATH="/app/my_data/codeql_databases"
+AI_API_ENDPOINT="https://models.github.ai/inference"
 ```
 
 ## Deploying from Source
@@ -318,7 +326,7 @@ seclab-taskflow-agent:
 
 taskflow:
   - task:
-      # taskflows can optionally choose any of the support CAPI models for a task
+      # taskflows can optionally choose any of the models supported by your API for a task
       model: gpt-4.1
       # taskflows can optionally limit the max allowed number of Agent task loop
       # iterations to complete a task, this defaults to 50 when not provided
@@ -384,7 +392,7 @@ taskflow:
 
 Taskflows support [Agent handoffs](https://openai.github.io/openai-agents-python/handoffs/). Handoffs are useful for implementing triage patterns where the primary Agent can decide to handoff a task to any subsequent Agents in the `Agents` list.
 
-See the [taskflow examples](taskflows/examples) for other useful Taskflow patterns such as repeatable and asynchronous templated prompts.
+See the [taskflow examples](examples/taskflows) for other useful Taskflow patterns such as repeatable and asynchronous templated prompts.
 
 
 You can run a taskflow from the command line like this:

docker/run.sh

@@ -19,6 +19,6 @@ touch -a .env
 
 docker run -i \
        --mount type=bind,src="$PWD",dst=/app \
-       -e GITHUB_PERSONAL_ACCESS_TOKEN="$GITHUB_PERSONAL_ACCESS_TOKEN" \
+       -e GH_TOKEN="$GH_TOKEN" \
        -e AI_API_TOKEN="$AI_API_TOKEN" \
        "ghcr.io/githubsecuritylab/seclab-taskflow-agent" "$@"

pyproject.toml

@@ -7,7 +7,7 @@ name = "seclab-taskflow-agent"
 dynamic = ["version"]
 description = "A taskflow agent for the SecLab project, enabling secure and automated workflow execution."
 readme = "README.md"
-requires-python = ">=3.9"
+requires-python = ">=3.10"
 license = "MIT"
 keywords = []
 authors = [
@@ -16,8 +16,6 @@ authors = [
 classifiers = [
   "Development Status :: 4 - Beta",
   "Programming Language :: Python",
-  "Programming Language :: Python :: 3.8",
-  "Programming Language :: Python :: 3.9",
   "Programming Language :: Python :: 3.10",
   "Programming Language :: Python :: 3.11",
   "Programming Language :: Python :: 3.12",
@@ -29,7 +27,7 @@ dependencies = [
   "annotated-types==0.7.0",
   "anyio==4.9.0",
   "attrs==25.3.0",
-  "Authlib==1.6.5",
+  "Authlib==1.6.6",
   "certifi==2025.6.15",
   "cffi==2.0.0",
   "charset-normalizer==3.4.2",
@@ -83,7 +81,7 @@ dependencies = [
   "python-dotenv==1.1.1",
   "python-lsp-jsonrpc==1.1.2",
   "python-lsp-server==1.12.2",
-  "python-multipart==0.0.20",
+  "python-multipart==0.0.22",
   "PyYAML==6.0.2",
   "referencing==0.36.2",
   "requests==2.32.4",
@@ -104,7 +102,7 @@ dependencies = [
   "typing-inspection==0.4.1",
   "typing_extensions==4.14.1",
   "ujson==5.10.0",
-  "urllib3==2.5.0",
+  "urllib3==2.6.3",
   "uvicorn==0.35.0",
   "zipp==3.23.0",
 ]
@@ -145,3 +143,91 @@ exclude_lines = [
   "if __name__ == .__main__.:",
   "if TYPE_CHECKING:",
 ]
+
+[tool.ruff]
+# Set target version to 3.10 to support match statements
+target-version = "py310"
+
+[tool.ruff.lint]
+# Suppress all current linter errors to establish a baseline
+ignore = [
+  "A001",     # Variable shadows built-in
+  "A002",     # Argument shadows built-in
+  "A004",     # Import shadows built-in
+  "ARG001",   # Unused function argument
+  "B006",     # Mutable default argument
+  "B007",     # Unused loop control variable
+  "B008",     # Function call in argument defaults
+  "B023",     # Function uses loop variable
+  "B904",     # raise-without-from-inside-except
+  "BLE001",   # Blind except
+  "C405",     # Unnecessary literal set
+  "C416",     # Unnecessary comprehension
+  "E721",     # Type comparison using ==
+  "E722",     # Bare except
+  "E741",     # Ambiguous variable name
+  "EM101",    # Exception string literal
+  "EM102",    # Exception f-string
+  "F541",     # f-string without placeholders
+  "F811",     # Redefinition of unused name
+  "F821",     # Undefined name
+  "F841",     # Unused variable
+  "FA100",    # Missing from __future__ import annotations
+  "FA102",    # Missing from __future__ import annotations in stub
+  "FBT001",   # Boolean positional arg in function definition
+  "FBT002",   # Boolean default value in function definition
+  "FURB188",  # Prefer removeprefix over conditional slice
+  "G004",     # Logging with f-string
+  "I001",     # Import block unsorted or unformatted
+  "INP001",   # Implicit namespace package
+  "LOG015",   # root logger usage
+  "N801",     # Class name should use CapWords convention
+  "N802",     # Function name should be lowercase
+  "N806",     # Variable in function should be lowercase
+  "N818",     # Exception name should end with Error
+  "PERF102",  # Use keys() or values() instead of items()
+  "PERF401",  # Use list comprehension
+  "PIE790",   # Unnecessary pass statement
+  "PLC0415",  # Import should be at top of file
+  "PLC1802",  # Use of len(x) == 0
+  "PLR2004",  # Magic value used in comparison
+  "PLW0602",  # Global variable not assigned
+  "PLW0603",  # Using global statement
+  "PLW1508",  # Invalid envvar default
+  "PLW2901",  # Outer loop variable overwritten
+  "PT011",    # pytest.raises too broad
+  "PYI041",   # Use float instead of int | float
+  "RET503",   # Missing explicit return
+  "RET504",   # Unnecessary assignment before return
+  "RET505",   # Unnecessary else after return
+  "RET506",   # Unnecessary else after raise
+  "RUF005",   # Unpack instead of concatenation
+  "RUF010",   # Use explicit conversion flag
+  "RUF015",   # Prefer next() over single element slice
+  "RUF059",   # Use of private function/attribute
+  "RUF100",   # Unused noqa directive
+  "S108",     # Hardcoded temp file/directory
+  "S607",     # Starting process with partial path
+  "SIM102",   # Use single if statement
+  "SIM115",   # Use context handler for file
+  "SIM210",   # Use ternary operator
+  "SLF001",   # Private member access
+  "T201",     # print found
+  "TID252",   # Relative imports from parent modules
+  "TRY003",   # Raise vanilla args
+  "TRY004",   # Prefer TypeError for wrong type
+  "TRY300",   # Consider moving statement to else
+  "TRY301",   # Abstract raise to inner function
+  "TRY400",   # Use logging.exception instead of logging.error
+  "UP004",    # Use X | Y for union types
+  "UP006",    # Use X | Y for union types in isinstance
+  "UP009",    # UTF-8 encoding declaration
+  "UP015",    # Unnecessary mode argument
+  "UP020",    # Use builtin open
+  "UP024",    # Replace aliased errors with OSError
+  "UP032",    # Use f-string
+  "UP035",    # Import from collections.abc
+  "UP045",    # Use X | None for type annotations
+  "W291",     # Trailing whitespace
+  "W293",     # Blank line contains whitespace
+]

release_tools/copy_files.py

@@ -3,18 +3,20 @@
 
 import os
 import shutil
-import sys
 import subprocess
+import sys
+
 
 def read_file_list(list_path):
     """
     Reads a file containing file paths, ignoring empty lines and lines starting with '#'.
     Returns a list of relative file paths.
     """
-    with open(list_path, "r") as f:
+    with open(list_path) as f:
         lines = [line.strip() for line in f]
     return [line for line in lines if line and not line.startswith("#")]
 
+
 def copy_files(file_list, dest_dir):
     """
     Copy files listed in file_list to dest_dir, preserving their relative paths.
@@ -29,6 +31,7 @@ def copy_files(file_list, dest_dir):
         shutil.copy2(abs_src, abs_dest)
         print(f"Copied {abs_src} -> {abs_dest}")
 
+
 def ensure_git_repo(dest_dir):
     """
     Initializes a git repository in dest_dir if it's not already a git repo.
@@ -56,6 +59,7 @@ def ensure_git_repo(dest_dir):
             print(f"Failed to ensure 'main' branch in {dest_dir}: {e}")
             sys.exit(1)
 
+
 def git_add_files(file_list, dest_dir):
     """
     Runs 'git add' on each file in file_list within dest_dir.
@@ -72,6 +76,7 @@ def git_add_files(file_list, dest_dir):
     finally:
         os.chdir(cwd)
 
+
 if __name__ == "__main__":
     if len(sys.argv) != 3:
         print("Usage: python copy_files.py <file_list.txt> <dest_dir>")

release_tools/publish_docker.py

@@ -1,36 +1,37 @@
 # SPDX-FileCopyrightText: 2025 GitHub
 # SPDX-License-Identifier: MIT
 
-import os
-import shutil
 import subprocess
 import sys
 
+
 def get_image_digest(image_name, tag):
     result = subprocess.run(
         ["docker", "buildx", "imagetools", "inspect", f"{image_name}:{tag}"],
-        stdout=subprocess.PIPE, check=True, text=True
+        stdout=subprocess.PIPE,
+        check=True,
+        text=True,
     )
     for line in result.stdout.splitlines():
         if line.strip().startswith("Digest:"):
             return line.strip().split(":", 1)[1].strip()
     return None
 
+
 def build_and_push_image(dest_dir, image_name, tag):
     # Build
-    subprocess.run([
-        "docker", "buildx", "build", "--platform", "linux/amd64", "-t", f"{image_name}:{tag}", dest_dir
-    ], check=True)
+    subprocess.run(
+        ["docker", "buildx", "build", "--platform", "linux/amd64", "-t", f"{image_name}:{tag}", dest_dir], check=True
+    )
     # Push
-    subprocess.run([
-        "docker", "push", f"{image_name}:{tag}"
-    ], check=True)
+    subprocess.run(["docker", "push", f"{image_name}:{tag}"], check=True)
     print(f"Pushed {image_name}:{tag}")
     digest = get_image_digest(image_name, tag)
     print(f"Image digest: {digest}")
     with open("/tmp/digest.txt", "w") as f:
         f.write(digest)
 
+
 if __name__ == "__main__":
     if len(sys.argv) != 3:
         print("Usage: python build_and_publish_docker.py <ghcr_username/repo> <tag>")

src/seclab_taskflow_agent/__about__.py

@@ -1,3 +1,3 @@
 # SPDX-FileCopyrightText: 2025 GitHub
 # SPDX-License-Identifier: MIT
-__version__ = "0.0.7"
+__version__ = "0.0.10"