@salmanap
Contributor

This PR adds support for agentic interaction signals that serve as a close and fast proxy of good/bad agentic interactions with users.

Salman Paracha and others added 20 commits December 17, 2025 13:09
* orchestration integration

* Convert compact json to spaced json
* agents framework demo

* more changes

* add more changes

* pending changes

* fix tests

* fix more

* rebase with main and better handle error from mcp

* add trace for filters

* add test for client error, server error and for mcp error

* update schema validate code and rename kind => type in agent_filter

* fix agent description and pre-commit

* fix tests

* add provider specific request parsing in agents chat

* fix precommit and tests

* cleanup demo

* update readme

* fix pre-commit

* refactor tracing

* fix fmt

* fix: handle MessageContent enum in responses API conversion

- Update request.rs to handle new MessageContent enum structure from main
- MessageContent can now be Text(String) or Items(Vec<InputContent>)
- Handle new InputItem variants (ItemReference, FunctionCallOutput)
- Fixes compilation error after merging latest main (#632)

* address pr feedback

* fix span

* fix build

* update openai version
* fixed reasoning failures

* adding debugging

* made several fixes for transmission issues for SSeEvents, incomplete handling of json types by anthropic, and wrote a bunch of tests

* removed debugging from supervisord.conf

---------

Co-authored-by: Salman Paracha <[email protected]>
* feat: redesign archgw -> plano + website

* feat(www): refactor landing page sections, add new diagrams and UI improvements

* feat(www): sections enhanced for clarify & diagrams added

* feat(www): improvements to mobile design, layout of diagrams

* feat(www): clean + typecheck

* feat(www): feedback loop changes

* feat(www): fix type error

* fix lib/utils error

* feat(www): ran biome formatting

* feat(www): graphic changes

* feat(www): web analytics

* feat(www): changes

* feat(www): introduce monorepo

This change brings Turborepo monorepo to independently handle the marketing website, the docs website and any other future use cases for multi-platform support. They are using internal @katanemo package handlers for the design system and logic.

* fix(www): transpiler failure

* fix(www): tsconfig issue

* fix(www): next.config issue

* feat(docs): hold off on docs

* Delete next.config.ts

* feat(www): content fix

* feat(www): introduce blog

* feat(www): content changes

* Update package-lock.json

* feat: update text

* Update IntroSection.tsx

* feat: Turbopack issue

* fix

* Update IntroSection.tsx

* feat: updated Research page

* refactor(www): text clarity, padding adj.

* format(www)

* fix: add missing lib/ files to git - fixes Vercel GitHub deployment

- Updated .gitignore to properly exclude Python lib/ but include Next.js lib/ directories
- Added packages/ui/src/lib/utils.ts (cn utility function)
- Added apps/www/src/lib/sanity.ts (Sanity client configuration)
- Fixes module resolution errors in Vercel GitHub deployments (case-sensitive filesystem)

* Update .gitignore

* style(www): favicon + metadata

* fix(www): links

* fix(www): add analytics

* fix(www): add

* fix(www): fix links + image

* fix(www): fix links + image

* fix(www): fix links

* fix(www): remove from tools testing.md
* include contact and navbar changes

* remove react references

* tweak contacts API route

* change font
}}
>
<img
src={logoUrl}

Check failure

Code scanning / CodeQL

Client-side cross-site scripting High

Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix

AI 16 days ago

In general, to fix this type of issue you should avoid deriving resource URLs (especially ones used in markup-like contexts) from user-controlled request data. Instead, construct such URLs from trusted configuration, or validate and restrict any dynamic components (for example, enforce allowed schemes/hosts).

Here, the cleanest fix without changing functionality is to stop falling back to request.nextUrl.origin when constructing baseUrl. The logo is a static asset (/Logomark.png), so there is no real need to incorporate the request’s origin; it can safely be served relative to the deployment base URL taken from environment variables. We can therefore:

  • Compute baseUrl only from NEXT_PUBLIC_APP_URL or VERCEL_URL.
  • If neither is set, fall back to a safe relative path rather than using request.nextUrl.origin. For example, set logoUrl to "/Logomark.png" when no trusted base URL is configured.
  • Keep the rest of the JSX and logic unchanged.

Concretely, in apps/www/src/app/api/og/[slug]/route.tsx:

  • Replace the existing baseUrl computation that uses request.nextUrl.origin with one that uses only environment variables.
  • Derive logoUrl conditionally: if baseUrl is defined, use ${baseUrl}/Logomark.png, otherwise just "/Logomark.png".

No new imports or helper functions are required.


Suggested changeset 1
apps/www/src/app/api/og/[slug]/route.tsx

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/www/src/app/api/og/[slug]/route.tsx b/apps/www/src/app/api/og/[slug]/route.tsx
--- a/apps/www/src/app/api/og/[slug]/route.tsx
+++ b/apps/www/src/app/api/og/[slug]/route.tsx
@@ -120,8 +120,8 @@
       process.env.NEXT_PUBLIC_APP_URL ||
       (process.env.VERCEL_URL
         ? `https://${process.env.VERCEL_URL}`
-        : request.nextUrl.origin);
-    const logoUrl = `${baseUrl}/Logomark.png`;
+        : null);
+    const logoUrl = baseUrl ? `${baseUrl}/Logomark.png` : "/Logomark.png";
 
     return new ImageResponse(
       <div
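Review bot: the new fallback "/Logomark.png" on the logoUrl line is a relative path, but logoUrl is consumed by the <img> inside new ImageResponse(...), which is rendered on the server where there is no page origin to resolve a relative path against. Confirm the logo still loads when neither NEXT_PUBLIC_APP_URL nor VERCEL_URL is set (local development is the likely case); if it does not, fall back to a fixed configured origin or omit the logo rather than reintroducing request.nextUrl.origin. The ": null" branch also makes baseUrl nullable, so any use of baseUrl outside this hunk needs the same guard.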
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
const url = process.env.NEXT_PUBLIC_APP_URL;
if (
url.includes("archgw-tau.vercel.app") ||
url.includes("plano.katanemo.com") ||

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

'plano.katanemo.com' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix

AI 16 days ago

In general, to fix incomplete URL substring sanitization, you must avoid checking hostnames with generic string operations (includes, indexOf) on the full URL string. Instead, parse the URL using a standard URL parser, extract the hostname (and optionally the protocol/port), and compare against a strict whitelist of allowed hosts. This ensures that the allowed host cannot be smuggled in via the path/query, or as part of another domain name.

For this specific code in apps/www/src/app/blog/[slug]/layout.tsx, we should stop using url.includes("...") on process.env.NEXT_PUBLIC_APP_URL. The best way, without changing the overall behavior, is:

  • Parse process.env.NEXT_PUBLIC_APP_URL with the built-in URL class.
  • Extract hostname (and possibly protocol) from that parsed object.
  • Define an allowedHosts array: ["archgw-tau.vercel.app", "plano.katanemo.com", "localhost"].
  • Check whether the parsed hostname is exactly in that list.
  • Only if the host is allowed, set baseUrl to the normalized URL string (e.g., urlObj.origin) or to the original env value if we want to preserve scheme and port. For localhost:3000 we should accept localhost with port 3000, so we can additionally check hostname === "localhost" && urlObj.port === "3000" as allowed.
  • Wrap parsing in a try/catch so that an invalid URL in the env var does not crash metadata generation; if parsing fails or host is not allowed, we keep the existing default http://localhost:3000.

This change is localized to the if (process.env.NEXT_PUBLIC_APP_URL) block around lines 53–61. No new external dependencies are required; the standard URL class is available in the Node/Next.js runtime. The VERCEL_URL branch is already using strict equality checks on the hostname and does not need modification.

Suggested changeset 1
apps/www/src/app/blog/[slug]/layout.tsx

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/www/src/app/blog/[slug]/layout.tsx b/apps/www/src/app/blog/[slug]/layout.tsx
--- a/apps/www/src/app/blog/[slug]/layout.tsx
+++ b/apps/www/src/app/blog/[slug]/layout.tsx
@@ -51,13 +51,22 @@
     let baseUrl = "http://localhost:3000";
 
     if (process.env.NEXT_PUBLIC_APP_URL) {
-      const url = process.env.NEXT_PUBLIC_APP_URL;
-      if (
-        url.includes("archgw-tau.vercel.app") ||
-        url.includes("plano.katanemo.com") ||
-        url.includes("localhost:3000")
-      ) {
-        baseUrl = url;
+      const urlString = process.env.NEXT_PUBLIC_APP_URL;
+      try {
+        const parsedUrl = new URL(urlString);
+        const hostname = parsedUrl.hostname;
+        const port = parsedUrl.port;
+        const allowedHosts = ["archgw-tau.vercel.app", "plano.katanemo.com", "localhost"];
+
+        const isAllowedHost =
+          allowedHosts.includes(hostname) &&
+          (hostname !== "localhost" || port === "3000");
+
+        if (isAllowedHost) {
+          baseUrl = parsedUrl.origin;
+        }
+      } catch {
+        // If NEXT_PUBLIC_APP_URL is not a valid URL, fall back to the default baseUrl
       }
     } else if (process.env.VERCEL_URL) {
       const hostname = process.env.VERCEL_URL;
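Review bot: the isAllowedHost check compares hostname and port but never looks at parsedUrl.protocol, so http://plano.katanemo.com passes and baseUrl = parsedUrl.origin would put a plain-http origin into the generated metadata. Require parsedUrl.protocol === "https:" for the two public hosts and allow "http:" only for localhost. Two smaller points: switching from baseUrl = url to parsedUrl.origin drops any path component of the env value, which deserves a line in the PR description, and the empty catch makes a malformed NEXT_PUBLIC_APP_URL fall back to http://localhost:3000 silently, so log a warning there.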
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
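The two findings above come down to the same rule: build the base URL only from configuration, and accept a configured value only after parsing it and matching the exact hostname. The sketch below is an added example, not code from this PR or from Copilot; `substringCheck`, `parsedCheck` and `resolveBaseUrl` are hypothetical names, the https requirement is an added assumption, and the sample URLs are constructed.

```javascript
// Added illustration. Host names are the ones listed on the page.
const ALLOWED_HOSTS = new Set(["archgw-tau.vercel.app", "plano.katanemo.com"]);

// The flagged pattern: an allowed name anywhere in the string is accepted.
function substringCheck(url) {
  return [...ALLOWED_HOSTS, "localhost:3000"].some((h) => url.includes(h));
}

// Parse first, then compare the exact hostname, scheme and port.
// Returns the normalized origin, or null when the value is not acceptable.
function parsedCheck(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return null; // not a URL at all
  }
  if (u.hostname === "localhost") {
    return u.protocol === "http:" && u.port === "3000" ? u.origin : null;
  }
  // Assumption added here: public hosts must be served over https.
  return u.protocol === "https:" && ALLOWED_HOSTS.has(u.hostname) ? u.origin : null;
}

// Base URL from trusted configuration only; never from the incoming request.
function resolveBaseUrl(env) {
  const candidates = [
    env.NEXT_PUBLIC_APP_URL,
    env.VERCEL_URL && `https://${env.VERCEL_URL}`,
  ];
  for (const c of candidates) {
    const origin = c ? parsedCheck(c) : null;
    if (origin) return origin;
  }
  return null; // caller chooses a fixed default
}

// Constructed samples: the allowed name as a real host, inside another
// domain name, in the path, and in the query string.
const SAMPLES = [
  "https://plano.katanemo.com",
  "https://plano.katanemo.com.example.net",
  "https://example.net/plano.katanemo.com",
  "https://example.net/?next=localhost:3000",
  "http://localhost:3000",
];

for (const s of SAMPLES) {
  console.log(s, { substring: substringCheck(s), parsed: parsedCheck(s) });
}
```

Every sample passes the substring check, while the parsed check accepts only the first and last.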
@salmanap salmanap closed this Dec 25, 2025