feat: complete GemmaForge integration (worklist injection, streaming Ollama, real hunt lane)#372

Merged
peaktwilight merged 1 commit into main from feat/seed-findings-worklist on May 18, 2026

@peaktwilight
Collaborator

Follow-up to #371. Replaces the three TODOs that ship merged with a stub:

| Piece | What this PR does |
| --- | --- |
| #368 worklist injection | `unified-pipeline.ts` converts external `SeedFinding[]` to `SemgrepFinding` shape (severity bucketed from producer confidence, `ruleId` prefixed `.` for visible provenance, full payload preserved in `metadata`), prepends to `semgrepFindings` so the agent sees them first, honours `seedOnly` by skipping the static scan. `seedFindingsToSemgrepShape` is exported + 9 unit tests. |
| #369 streaming Ollama | `OllamaRuntime` defaults to `stream: true`, consumes Ollama's ND-JSON chunked body, fires per-token `onDelta("assistant_response", …)` and one terminal `onUsage`. `stream: false` path preserved for legacy callers / tests. 4 new tests → 16/16 green on the runtime suite. |
| #370 hunt lane | New SSE channel `?huntEvents=` on `/live`. New `lib/hunt-stream.ts` parser accepts both `pwnkit.events/v1` and raw `{type,payload}` shapes (`tool_use` / `finding` / `stage`). Click a hunt card with a file:line and it resolves to its originating lead (suffix match, ±20 lines). `scripts/serve-events.mjs --pwnkit-log <path>` bridges pwnkit's `PWNKIT_EVENT_*` stdout lines without touching core. Placeholder copy gone. |

Test plan

  • `pnpm --filter @pwnkit/core test` — 1423/1425 green (2 unrelated skips)
  • `pnpm --filter @pwnkit/core build` clean
  • `pnpm --filter pwnkit-cli exec tsc --noEmit` clean
  • `pnpm --filter @pwnkit/dashboard build` clean
  • No `TODO(pwnkit#36[89]|370)` strings remain in the integration code

Notes for the reviewer

  • The hunt-lane wiring chose a file-tail bridge over an in-process SSE endpoint to avoid changes inside `packages/core/`. The parser is forgiving enough that a future in-process WebSocket / SSE on `@pwnkit/core`'s `eventBus` would drop straight in.
  • `OllamaRuntime` keeps its options API additive: `stream?: boolean` (default true) so existing tests pass unchanged; `fetchImpl` injection is preserved.
  • Worklist injection is purely additive: when `seedFindings` is empty (the existing 99% case), behaviour is byte-identical to today.

Companion: peaktwilight/gemmaforge (probe + scan side, already on main).
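
The streaming behaviour described for `OllamaRuntime` (per-chunk `onDelta`, exactly one `onUsage` on the terminal frame), sketched as an added example that is not code from this PR or the pwnkit repository. The helper name `createNdjsonFeeder`, the `MAX_LINE` cap and the usage field names are assumptions; the frame fields are those of Ollama's `/api/chat` stream.

```typescript
// Added example, not pwnkit code. Frame fields follow Ollama's /api/chat stream.
interface Frame {
  message?: { content?: string };
  done?: boolean;
  prompt_eval_count?: number;
  eval_count?: number;
  error?: string;
}
interface Usage { inputTokens: number; outputTokens: number }
interface Callbacks {
  onDelta(kind: "assistant_response", text: string): void;
  onUsage(usage: Usage): void;
}
const MAX_LINE = 1 << 20; // assumed cap so a newline-free body cannot grow the buffer forever

// Hypothetical helper: push() decoded text chunks as they arrive, then call end().
function createNdjsonFeeder(cb: Callbacks) {
  let buffer = "";
  let finished = false;
  const handleLine = (line: string): void => {
    const text = line.trim();
    if (text === "" || finished) return; // blank line, or frames after the terminal one
    const frame = JSON.parse(text) as Frame; // a malformed line throws instead of being skipped
    if (frame.error) throw new Error(`ollama error: ${frame.error}`);
    const delta = frame.message?.content ?? "";
    if (delta !== "") cb.onDelta("assistant_response", delta);
    if (frame.done === true) {
      finished = true; // guarantees onUsage fires exactly once
      cb.onUsage({ inputTokens: frame.prompt_eval_count ?? 0, outputTokens: frame.eval_count ?? 0 });
    }
  };
  return {
    push(chunk: string): void {
      buffer += chunk;
      for (let nl = buffer.indexOf("\n"); nl !== -1; nl = buffer.indexOf("\n")) {
        handleLine(buffer.slice(0, nl));
        buffer = buffer.slice(nl + 1);
      }
      if (buffer.length > MAX_LINE) throw new Error("NDJSON line exceeds MAX_LINE");
    },
    end(): boolean {
      handleLine(buffer); // the last frame may arrive without a trailing newline
      buffer = "";
      return finished; // false: the body ended before a done:true frame
    },
  };
}

// Constructed sample: three frames, the second split across two network chunks.
const SAMPLE_CHUNKS = [
  '{"message":{"content":"Hel"},"done":false}\n{"message":{"con',
  'tent":"lo"},"done":false}\n',
  '{"message":{"content":""},"done":true,"prompt_eval_count":12,"eval_count":2}',
];
```

A `false` return from `end()` lets the caller treat a cut-off response as incomplete rather than as a finished answer.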

… hunt-lane)

Follow-up to #371. The three pieces that were left as stubs are now real:

(1) `--seed-findings` actually drives the agent's worklist
    `unified-pipeline.ts` now converts external `SeedFinding[]` to the
    `SemgrepFinding` shape the prompt-builder already consumes (severity
    bucketed from producer confidence, ruleId prefixed with producer name
    so the prompt visibly cites provenance, full payload preserved in
    `metadata`), prepends them to `semgrepFindings`, and honours
    `seedOnly` by skipping the static scan when both flags are set.
    `seedFindingsToSemgrepShape` is exported and covered by 9 new tests.

(2) Ollama runtime streams
    `OllamaRuntime` defaults to `stream: true` and consumes Ollama's
    ND-JSON chunked body. Per-chunk content deltas fire
    `NativeStreamCallbacks.onDelta("assistant_response", …)`; `onUsage`
    fires exactly once on the terminal frame. The non-streaming path
    is preserved for tests (`stream: false`). 4 new streaming tests
    bring the runtime suite to 16/16 green.

(3) Hunt lane is wired
    The dashboard `/live` view's Hunt lane now subscribes to a second
    SSE channel for pwnkit's own scan events (`pwnkit.events/v1`,
    accepted in both wire shapes). New `lib/hunt-stream.ts` parser,
    `?huntEvents=<URL>` query param, and bidirectional provenance
    (clicking a hunt tool_use card resolves to its originating lead
    by file:line ±20). `scripts/serve-events.mjs` gains an optional
    `--pwnkit-log <path>` to bridge pwnkit's `PWNKIT_EVENT_*` stdout
    lines onto `/hunt-events` without touching core.

Full suite: 1423/1425 green. Builds: core, cli, dashboard all clean.

Closes the three checkboxes on #371's task list. Refs #368 #369 #370.
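
One way to implement the hunt-card provenance lookup described in (3) (suffix match on the file, ±20 lines), as an added example that is not code from this PR. The `Lead` and `HuntRef` shapes, the function names and the nearest-line tie-break are assumptions; the page does not show how `lib/hunt-stream.ts` does it.

```typescript
// Added example, not pwnkit code. Lead/HuntRef shapes and all names are hypothetical.
interface Lead { id: string; file: string; line: number }
interface HuntRef { file: string; line: number }
const LINE_WINDOW = 20; // the ±20 lines named in the PR description

// Split into path segments so matching happens on whole segments only.
function segments(path: string): string[] {
  return path.replace(/\\/g, "/").split("/").filter((s) => s !== "" && s !== ".");
}

// True when the shorter path equals the tail of the longer one, segment by segment.
// A plain string endsWith() would let "auth.ts" match "oauth.ts".
function suffixMatch(a: string, b: string): boolean {
  const sa = segments(a);
  const sb = segments(b);
  const [longer, shorter] = sa.length >= sb.length ? [sa, sb] : [sb, sa];
  if (shorter.length === 0) return false;
  const offset = longer.length - shorter.length;
  return shorter.every((seg, i) => seg === longer[offset + i]);
}

// Resolve a hunt card to its originating lead: same file by suffix,
// nearest line inside the window; null when nothing qualifies.
function resolveLead(ref: HuntRef, leads: Lead[]): Lead | null {
  let best: Lead | null = null;
  for (const lead of leads) {
    const distance = Math.abs(lead.line - ref.line);
    if (distance > LINE_WINDOW || !suffixMatch(ref.file, lead.file)) continue;
    if (best === null || distance < Math.abs(best.line - ref.line)) best = lead;
  }
  return best;
}

// Constructed sample leads.
const SAMPLE_LEADS: Lead[] = [
  { id: "lead-1", file: "src/routes/auth.ts", line: 40 },
  { id: "lead-2", file: "src/routes/auth.ts", line: 120 },
  { id: "lead-3", file: "src/routes/oauth.ts", line: 42 },
];
```

A bare file name matches every lead that shares that basename, so the line window is what separates them.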

coderabbitai Bot commented May 18, 2026

Warning

Rate limit exceeded

@peaktwilight has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 47 minutes and 23 seconds before requesting another review.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: ec645f51-36e3-49be-b8c8-c14b6f105b32

📥 Commits

Reviewing files that changed from the base of the PR and between 21b8fa6 and 4dddff0.

📒 Files selected for processing (8)
  • packages/cli/src/commands/run.ts
  • packages/core/src/runtime/ollama.test.ts
  • packages/core/src/runtime/ollama.ts
  • packages/core/src/seed-findings.pipeline.test.ts
  • packages/core/src/unified-pipeline.ts
  • packages/dashboard/src/lib/hunt-stream.ts
  • packages/dashboard/src/pages/live-page.tsx
  • scripts/serve-events.mjs

@peaktwilight peaktwilight merged commit 5f5fdcf into main May 18, 2026
1 check was pending
@peaktwilight peaktwilight deleted the feat/seed-findings-worklist branch May 18, 2026 17:23