Merge branch 'main' into p--handle-499

Author: kevinbackhouse

.github/workflows/ci.yml

@@ -35,8 +35,7 @@ jobs:
 
     - name: Run static analysis
       run: |
-        # hatch fmt --check
-        echo linter errors will be fixed in a separate PR
+        hatch fmt --linter --check
 
     - name: Run tests
       run: hatch test --python ${{ matrix.python-version }} --cover --randomize --parallel --retries 2 --retry-delay 1

README.md

@@ -22,15 +22,15 @@ The Seclab Taskflow Agent framework was primarily designed to fit the iterative
 
 Its design philosophy is centered around the belief that a prompt level focus of capturing vulnerability patterns will greatly improve and scale security research results as frontier model capabilities evolve over time.
 
-While the maintainer himself primarily uses this framework as a code auditing tool it also serves as a more generic swiss army knife for exploring Agentic workflows. For example, the GitHub Security Lab also uses this framework for automated code scanning alert triage.
+At GitHub Security Lab, we primarily use this framework as a code auditing tool, but it can also serve as a more generic swiss army knife for exploring Agentic workflows. For example, we also use this framework for automated code scanning alert triage.
 
 The framework includes a [CodeQL](https://codeql.github.com/) MCP server that can be used for Agentic code review, see the [CVE-2023-2283](examples/taskflows/CVE-2023-2283.yaml) taskflow for an example of how to have an Agent review C code using a CodeQL database ([demo video](https://www.youtube.com/watch?v=eRSPSVW8RMo)).
 
 Instead of generating CodeQL queries itself, the CodeQL MCP Server is used to provide CodeQL-query based MCP tools that allow an Agent to navigate and explore code. It leverages templated CodeQL queries to provide targeted context for model driven code analysis.
 
 ## Requirements
 
-Python >= 3.9 or Docker
+Python >= 3.10 or Docker
 
 ## Configuration
 

pyproject.toml

@@ -7,7 +7,7 @@ name = "seclab-taskflow-agent"
 dynamic = ["version"]
 description = "A taskflow agent for the SecLab project, enabling secure and automated workflow execution."
 readme = "README.md"
-requires-python = ">=3.9"
+requires-python = ">=3.10"
 license = "MIT"
 keywords = []
 authors = [
@@ -16,8 +16,6 @@ authors = [
 classifiers = [
   "Development Status :: 4 - Beta",
   "Programming Language :: Python",
-  "Programming Language :: Python :: 3.8",
-  "Programming Language :: Python :: 3.9",
   "Programming Language :: Python :: 3.10",
   "Programming Language :: Python :: 3.11",
   "Programming Language :: Python :: 3.12",
@@ -83,7 +81,7 @@ dependencies = [
   "python-dotenv==1.1.1",
   "python-lsp-jsonrpc==1.1.2",
   "python-lsp-server==1.12.2",
-  "python-multipart==0.0.20",
+  "python-multipart==0.0.22",
   "PyYAML==6.0.2",
   "referencing==0.36.2",
   "requests==2.32.4",
@@ -145,3 +143,91 @@ exclude_lines = [
   "if __name__ == .__main__.:",
   "if TYPE_CHECKING:",
 ]
+
+[tool.ruff]
+# Set target version to 3.10 to support match statements
+target-version = "py310"
+
+[tool.ruff.lint]
+# Suppress all current linter errors to establish a baseline
+ignore = [
+  "A001",     # Variable shadows built-in
+  "A002",     # Argument shadows built-in
+  "A004",     # Import shadows built-in
+  "ARG001",   # Unused function argument
+  "B006",     # Mutable default argument
+  "B007",     # Unused loop control variable
+  "B008",     # Function call in argument defaults
+  "B023",     # Function uses loop variable
+  "B904",     # raise-without-from-inside-except
+  "BLE001",   # Blind except
+  "C405",     # Unnecessary literal set
+  "C416",     # Unnecessary comprehension
+  "E721",     # Type comparison using ==
+  "E722",     # Bare except
+  "E741",     # Ambiguous variable name
+  "EM101",    # Exception string literal
+  "EM102",    # Exception f-string
+  "F541",     # f-string without placeholders
+  "F811",     # Redefinition of unused name
+  "F821",     # Undefined name
+  "F841",     # Unused variable
+  "FA100",    # Missing from __future__ import annotations
+  "FA102",    # Missing from __future__ import annotations in stub
+  "FBT001",   # Boolean positional arg in function definition
+  "FBT002",   # Boolean default value in function definition
+  "FURB188",  # Prefer removeprefix over conditional slice
+  "G004",     # Logging with f-string
+  "I001",     # Import block unsorted or unformatted
+  "INP001",   # Implicit namespace package
+  "LOG015",   # root logger usage
+  "N801",     # Class name should use CapWords convention
+  "N802",     # Function name should be lowercase
+  "N806",     # Variable in function should be lowercase
+  "N818",     # Exception name should end with Error
+  "PERF102",  # Use keys() or values() instead of items()
+  "PERF401",  # Use list comprehension
+  "PIE790",   # Unnecessary pass statement
+  "PLC0415",  # Import should be at top of file
+  "PLC1802",  # Use of len(x) == 0
+  "PLR2004",  # Magic value used in comparison
+  "PLW0602",  # Global variable not assigned
+  "PLW0603",  # Using global statement
+  "PLW1508",  # Invalid envvar default
+  "PLW2901",  # Outer loop variable overwritten
+  "PT011",    # pytest.raises too broad
+  "PYI041",   # Use float instead of int | float
+  "RET503",   # Missing explicit return
+  "RET504",   # Unnecessary assignment before return
+  "RET505",   # Unnecessary else after return
+  "RET506",   # Unnecessary else after raise
+  "RUF005",   # Unpack instead of concatenation
+  "RUF010",   # Use explicit conversion flag
+  "RUF015",   # Prefer next() over single element slice
+  "RUF059",   # Use of private function/attribute
+  "RUF100",   # Unused noqa directive
+  "S108",     # Hardcoded temp file/directory
+  "S607",     # Starting process with partial path
+  "SIM102",   # Use single if statement
+  "SIM115",   # Use context handler for file
+  "SIM210",   # Use ternary operator
+  "SLF001",   # Private member access
+  "T201",     # print found
+  "TID252",   # Relative imports from parent modules
+  "TRY003",   # Raise vanilla args
+  "TRY004",   # Prefer TypeError for wrong type
+  "TRY300",   # Consider moving statement to else
+  "TRY301",   # Abstract raise to inner function
+  "TRY400",   # Use logging.exception instead of logging.error
+  "UP004",    # Use X | Y for union types
+  "UP006",    # Use X | Y for union types in isinstance
+  "UP009",    # UTF-8 encoding declaration
+  "UP015",    # Unnecessary mode argument
+  "UP020",    # Use builtin open
+  "UP024",    # Replace aliased errors with OSError
+  "UP032",    # Use f-string
+  "UP035",    # Import from collections.abc
+  "UP045",    # Use X | None for type annotations
+  "W291",     # Trailing whitespace
+  "W293",     # Blank line contains whitespace
+]

release_tools/copy_files.py

@@ -3,18 +3,20 @@
 
 import os
 import shutil
-import sys
 import subprocess
+import sys
+
 
 def read_file_list(list_path):
     """
     Reads a file containing file paths, ignoring empty lines and lines starting with '#'.
     Returns a list of relative file paths.
     """
-    with open(list_path, "r") as f:
+    with open(list_path) as f:
         lines = [line.strip() for line in f]
     return [line for line in lines if line and not line.startswith("#")]
 
+
 def copy_files(file_list, dest_dir):
     """
     Copy files listed in file_list to dest_dir, preserving their relative paths.
@@ -29,6 +31,7 @@ def copy_files(file_list, dest_dir):
         shutil.copy2(abs_src, abs_dest)
         print(f"Copied {abs_src} -> {abs_dest}")
 
+
 def ensure_git_repo(dest_dir):
     """
     Initializes a git repository in dest_dir if it's not already a git repo.
@@ -56,6 +59,7 @@ def ensure_git_repo(dest_dir):
             print(f"Failed to ensure 'main' branch in {dest_dir}: {e}")
             sys.exit(1)
 
+
 def git_add_files(file_list, dest_dir):
     """
     Runs 'git add' on each file in file_list within dest_dir.
@@ -72,6 +76,7 @@ def git_add_files(file_list, dest_dir):
     finally:
         os.chdir(cwd)
 
+
 if __name__ == "__main__":
     if len(sys.argv) != 3:
         print("Usage: python copy_files.py <file_list.txt> <dest_dir>")

release_tools/publish_docker.py

@@ -1,36 +1,37 @@
 # SPDX-FileCopyrightText: 2025 GitHub
 # SPDX-License-Identifier: MIT
 
-import os
-import shutil
 import subprocess
 import sys
 
+
 def get_image_digest(image_name, tag):
     result = subprocess.run(
         ["docker", "buildx", "imagetools", "inspect", f"{image_name}:{tag}"],
-        stdout=subprocess.PIPE, check=True, text=True
+        stdout=subprocess.PIPE,
+        check=True,
+        text=True,
     )
     for line in result.stdout.splitlines():
         if line.strip().startswith("Digest:"):
             return line.strip().split(":", 1)[1].strip()
     return None
 
+
 def build_and_push_image(dest_dir, image_name, tag):
     # Build
-    subprocess.run([
-        "docker", "buildx", "build", "--platform", "linux/amd64", "-t", f"{image_name}:{tag}", dest_dir
-    ], check=True)
+    subprocess.run(
+        ["docker", "buildx", "build", "--platform", "linux/amd64", "-t", f"{image_name}:{tag}", dest_dir], check=True
+    )
     # Push
-    subprocess.run([
-        "docker", "push", f"{image_name}:{tag}"
-    ], check=True)
+    subprocess.run(["docker", "push", f"{image_name}:{tag}"], check=True)
     print(f"Pushed {image_name}:{tag}")
     digest = get_image_digest(image_name, tag)
     print(f"Image digest: {digest}")
     with open("/tmp/digest.txt", "w") as f:
         f.write(digest)
 
+
 if __name__ == "__main__":
     if len(sys.argv) != 3:
         print("Usage: python build_and_publish_docker.py <ghcr_username/repo> <tag>")

src/seclab_taskflow_agent/__about__.py

@@ -1,3 +1,3 @@
 # SPDX-FileCopyrightText: 2025 GitHub
 # SPDX-License-Identifier: MIT
-__version__ = "0.0.9"
+__version__ = "0.0.10"