Skip to content

SBIR awards agent#100

Merged
jbouder merged 20 commits into
mainfrom
custom-agent-sbir
May 21, 2026
Merged

SBIR awards agent#100
jbouder merged 20 commits into
mainfrom
custom-agent-sbir

Conversation

@kenafoster

Copy link
Copy Markdown
Contributor

Reference Issues or PRs

Just copying the pattern in #97 verbatim to build a second agent for a demo

What does this implement/fix?

Put a x in the boxes that apply

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds a feature)
  • Breaking change (fix or feature that would cause existing features not to work as expected)
  • Documentation Update
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no API changes)
  • Build related changes
  • Other (please describe):

Testing

  • Did you test the pull request locally?
  • Did you add new tests?

Documentation

Access-centered content checklist

Text styling

  • The content is written with plain language (where relevant).
  • If there are headers, they use the proper header tags (with only one level-one header: H1 or # in markdown).
  • All links describe where they link to (for example, check the Nebari website).
  • This content adheres to the Nebari style guides.

Non-text content

  • All content is represented as text (for example, images need alt text, and videos need captions or descriptive transcripts).
  • If there are emojis, there are not more than three in a row.
  • Don't use flashing GIFs or videos.
  • If the content were to be read as plain text, it still makes sense, and no information is missing.

Any other comments?

Copilot AI review requested due to automatic review settings May 15, 2026 22:28

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds additional “custom agent” wiring for a demo deployment, primarily by introducing an SBIR awards agent (and also including an Austin permits agent copy), plus some deployment and frontend-generated-file updates.

Changes:

  • Hard-codes Helm chart version/appVersion for a dev deployment.
  • Adds two backend custom agents (sbir_award_agent and austin_permit_agent) that can query Postgres and emit chart/map UI events.
  • Updates generated TanStack Router route typings and expands .gitignore for local config artifacts.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
helm/nebari-chat/Chart.yaml Overrides chart/app versions with a dev value (previously CD-controlled).
frontend/src/routeTree.gen.ts Regenerates TanStack Router route type mappings (including fullPath updates).
backend/src/ravnar_nebari_chat/sbir_award_agent.py Adds SBIR awards agent with schema/query/chart/map tools.
backend/src/ravnar_nebari_chat/austin_permit_agent.py Adds Austin permits agent with schema/query/chart/map tools.
.gitignore Ignores local backend config files and .ravnar_local.
Comments suppressed due to low confidence (3)

backend/src/ravnar_nebari_chat/austin_permit_agent.py:90

  • execute_query runs whatever SQL the model returns. Relying solely on a “read-only mount” is brittle if credentials/DB config ever permit writes, and it also allows potentially dangerous statements (DDL, COPY, etc.) or very expensive queries. Please enforce read-only at the connection/session level (e.g., default_transaction_read_only=on, statement_timeout) and/or validate that the query is a safe read-only statement before executing.
    async def execute_query(query: str) -> list[tuple]:
        """Execute a query against the Austin Permits database.

        The query should not attempt to modify the db in any way.

        The db is mounted as readonly, so queries that attempt to modify it will fail.

        This tool takes a single argument, which is the SQL to execute
        against the db. The db is Postgres, so use Postgres-compatible
        SQL syntax.

        """
        async with await db_conn() as conn, conn.cursor() as cur:
            await cur.execute(query)
            return list(await cur.fetchall())

backend/src/ravnar_nebari_chat/sbir_award_agent.py:177

  • The map popup is explicitly an arbitrary HTML string (feature.properties.popup), and the frontend binds it directly as HTML via Leaflet. If any values interpolated into the popup come from the database (or user input), this can create an XSS vector. Consider switching the tool contract to structured popup fields rendered safely on the frontend, or ensure popup content is HTML-escaped/sanitized before it reaches Leaflet.
        To add a popup, create a 'popup' key in the properties of the
        feature. Use an HTML string to define the contents of the popup.
        Any other key in the properties of a feature besides 'popup' will
        be ignored.

backend/src/ravnar_nebari_chat/austin_permit_agent.py:133

  • create_map requires popup content as an HTML string, and the frontend binds that string directly as HTML in Leaflet. If popup content includes any untrusted values (e.g., from the permits DB), this can become an XSS vector. Consider using structured popup data rendered safely on the frontend, or ensure popup content is escaped/sanitized before rendering.
        Use the 'features' key to define an additional GeoJSON feature
        collection, such as markers with popup metadata, to add to the map.
        This dictionary must be a valid GeoJSON feature collection.

        To add a popup, create a 'popup' key in the properties of the feature.
        Use an HTML string to define the contents of the popup. Any other key
        in the properties of a feature besides 'popup' will be ignored.

        If a link to the permit is available, include it in any popup.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread helm/nebari-chat/Chart.yaml Outdated
Comment thread backend/src/ravnar_nebari_chat/austin_permit_agent.py Outdated
Comment thread backend/src/ravnar_nebari_chat/sbir_award_agent.py Outdated
@kenafoster kenafoster closed this May 20, 2026
@pmeier pmeier reopened this May 20, 2026
@pmeier pmeier changed the title DONOTMERGE - Custom agent sbir SBIR awards agent May 20, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both the Austion Permits and SBIR Awards agent used the exactly same tools with minimal configuration. Thus, I factored out the tools into this common package that can be used by both.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The old visualization tools just described the tool schema as part of the docstring. That is way less strict and interpretable by the agent. Instead, I've defined proper input models for the tools, which are automatically picked up by pydantic_ai.

Comment thread backend/src/ravnar_nebari_chat/demo_agents/_austin_permits.py Outdated
Comment thread backend/src/ravnar_nebari_chat/demo_agents/_sbir_awards.py Outdated
Comment thread backend/src/ravnar_nebari_chat/demo_agents/_tools/database.py Outdated
@jbouder jbouder merged commit 055e7e2 into main May 21, 2026
3 checks passed
@jbouder jbouder deleted the custom-agent-sbir branch May 21, 2026 16:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants