feat: Comet-style TUI + rigorous CI#6
Merged
Conversation
Add an interactive terminal UI that maps Perplexity Comet's browser features onto the existing security-hardened MCP server, plus a multi-job CI pipeline.

TUI (optional `tui` extra, `perplexity-agent tui`):
- Textual app: assistant chat sidebar, content pane, tab bar, command palette.
- Commands: /search (answer-first), /open + /summary + /ask + /translate (page interaction), /tabs + /group + cross-tab synthesis, /research, /space (Spaces), /task + /untask (background monitors).
- assistant.py orchestrates Search/Sonar/deep-research; memory.py is a local SQLite store; tasks.py runs asyncio change-detection monitors.
- fetch.py is an SSRF-hardened page fetcher (scheme allowlist, private-IP rejection re-checked on every redirect hop, size/time caps, injection flagging). Reachable only from the TUI — the MCP tool surface is unchanged.
- Out of scope by physics: voice and real web actions (clicking/booking/buying).

CI:
- Split into lint / typecheck / test (3.11-3.13 matrix) / security jobs with uv caching, least-privilege permissions, and concurrency cancellation.
- Coverage gate at 85% (currently 87%); CI now syncs --extra tui so TUI tests run. Added CodeQL SAST, gitleaks secret scan (+ allowlist for placeholder keys), and Dependabot for uv + actions.

Tests: 80 passing (added fetch/assistant/memory/tasks/tui/main and in-memory MCP server integration tests; server.py now 100% covered). ruff + mypy strict clean.

Docs: README feature map + TUI usage, SECURITY.md fetcher egress section, CHANGELOG entry.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
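The commit above describes fetch.py's egress policy (scheme allowlist, private-IP rejection re-checked on every redirect hop, size/time caps) without showing it. The following is an added example written for this page, not the PR's fetch.py: it implements that policy with the resolver and HTTP opener injected so it runs offline against constructed DNS and HTTP tables. The host names (`example.test`, `loopback.test`, and so on), the addresses, and the helper names are all assumptions made for the demo.

```python
# Added example (not the PR's fetch.py): an SSRF-hardened fetch policy that
# allowlists schemes, rejects non-public targets, re-validates on every
# redirect hop, and enforces size/time caps. Resolver and opener are injected
# so the demo runs offline; the DNS and HTTP tables below are constructed.
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})
REDIRECT_CODES = frozenset({301, 302, 303, 307, 308})


class FetchBlocked(Exception):
    """Raised when a request would leave the permitted egress envelope."""


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast: rejects loopback, RFC 1918,
    link-local (169.254.169.254 metadata) and IPv4-mapped IPv6 disguises."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


Resolver = Callable[[str], list[str]]


def validate_url(url: str, resolver: Resolver) -> None:
    """Scheme allowlist, then every resolved address must be public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise FetchBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise FetchBlocked("missing host")
    if parts.username or parts.password:
        raise FetchBlocked("credentials in URL")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise FetchBlocked(f"unresolvable host: {host}")
    for addr in addrs:  # check all answers, not just the first
        if not is_public_ip(addr):
            raise FetchBlocked(f"{host} resolves to non-public {addr}")


@dataclass
class Response:
    status: int
    headers: dict[str, str]
    body: Iterable[bytes]


Opener = Callable[[str], Response]


def fetch(url: str, opener: Opener, resolver: Resolver, *,
          max_bytes: int = 1_000_000, max_redirects: int = 5,
          max_seconds: float = 10.0) -> bytes:
    """Follow redirects manually so each hop is re-validated before connecting."""
    deadline = time.monotonic() + max_seconds
    for _ in range(max_redirects + 1):
        if time.monotonic() > deadline:
            raise FetchBlocked("time cap exceeded")
        validate_url(url, resolver)
        resp = opener(url)
        if resp.status in REDIRECT_CODES:
            location = resp.headers.get("Location")
            if not location:
                raise FetchBlocked("redirect without Location")
            url = urljoin(url, location)  # resolve relative Location, then re-check
            continue
        buf = bytearray()
        for chunk in resp.body:
            buf.extend(chunk)
            if len(buf) > max_bytes:
                raise FetchBlocked(f"response exceeds {max_bytes} bytes")
            if time.monotonic() > deadline:
                raise FetchBlocked("time cap exceeded")
        return bytes(buf)
    raise FetchBlocked("too many redirects")


# Constructed DNS table for the offline demo; no real lookups happen.
_DNS = {
    "example.test": ["93.184.216.34"],
    "loopback.test": ["127.0.0.1"],
    "metadata.test": ["169.254.169.254"],
    "mapped.test": ["::ffff:10.0.0.5"],
}

# Constructed HTTP table: /bounce is a public host that 302s to an internal target.
_HTTP = {
    "https://example.test/page": Response(200, {}, [b"hello ", b"world"]),
    "https://example.test/bounce": Response(302, {"Location": "http://loopback.test/admin"}, []),
    "https://example.test/big": Response(200, {}, [b"x" * 512] * 4),
}


def _resolver(host: str) -> list[str]:
    return _DNS.get(host, [])


def _opener(url: str) -> Response:
    return _HTTP[url]


def run_demo() -> dict[str, str]:
    """Exercise the policy against the constructed tables."""
    out = {"ok": fetch("https://example.test/page", _opener, _resolver).decode()}
    cases = {
        "redirect_to_loopback": "https://example.test/bounce",
        "metadata": "https://metadata.test/latest/meta-data/",
        "mapped_v4": "https://mapped.test/",
        "literal_ip": "http://10.0.0.1/",
        "file_scheme": "file:///etc/passwd",
        "oversize": "https://example.test/big",
    }
    for name, url in cases.items():
        try:
            fetch(url, _opener, _resolver, max_bytes=1024)
            out[name] = "allowed"
        except FetchBlocked as exc:
            out[name] = f"blocked: {exc}"
    return out
```

One caveat a real fetcher still has to handle: validating the resolved address and then letting the HTTP client do its own lookup leaves a DNS-rebinding window, so the connection should be pinned to the address that passed the check (or the check repeated inside the connect path).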
The gitleaks generic-api-key rule flagged the fake `pplx-abcdef123456` key in tests/test_security.py (a fixture for the redaction unit test — not a real secret). Broaden the allowlist to cover hex placeholder keys and match against the whole line so allowlisting is robust to how each rule captures its secret. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adds this feature branch to CodeQL's push trigger (and a workflow_dispatch) so the SAST setup runs once before merge. Reverts to main-only after results are confirmed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
CodeQL validated clean (0 alerts) on the feature branch. Restore the intended trigger set: push/PR to main, weekly schedule, plus workflow_dispatch for manual runs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
CodeQL's first full run surfaced 10 alerts — all in test files, none in shipped code:
- 2 "high" py/incomplete-url-substring-sanitization on `"https://…" in <json>` test assertions (benign in tests)
- 2 py/side-effect-in-assert on `assert mgr.remove(...)` / `assert await run_once(...)` (these silently skip under `python -O`)
- 6 py/import-and-import-from notes on test_fetch.py's mixed import style

Scope SAST to the shipped package via a CodeQL config (paths: src) so findings stay actionable, and fix the genuine assert-with-side-effect anti-pattern by assigning before asserting. src/ remains clean (0 alerts).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
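The py/side-effect-in-assert finding above is worth seeing rather than taking on trust. The following is an added example, not code from the PR or its tests: it runs the same snippet twice, once compiled normally and once with `compile(..., optimize=1)`, which strips `assert` statements exactly as `python -O` does, and counts whether the side effect inside the assert ever happened. The `remove`/`removed` names are constructed stand-ins for the `mgr.remove(...)` call in the commit message; the same logic applies to the `assert await run_once(...)` form.

```python
# Added example (not the PR's tests): why `assert f()` with a side effect is an
# anti-pattern. optimize=1 mirrors `python -O`, which drops assert statements,
# so the call nested inside the assert silently never runs.
import textwrap

# Constructed snippet mirroring the flagged pattern.
ANTI_PATTERN = textwrap.dedent("""\
    removed = []
    def remove(task_id):
        removed.append(task_id)   # the side effect the test relies on
        return True
    assert remove("job-1")        # under -O this whole statement disappears
""")

# The fix from the commit message: assign first, assert on the result.
FIXED = textwrap.dedent("""\
    removed = []
    def remove(task_id):
        removed.append(task_id)
        return True
    ok = remove("job-1")          # call runs unconditionally
    assert ok                     # only the check is optimised away
""")


def side_effects_seen(snippet: str, *, optimized: bool) -> int:
    """Execute the snippet as plain Python (optimize=0) or as under -O
    (optimize=1) and report how many removals actually took place."""
    namespace: dict = {}
    code = compile(snippet, "<snippet>", "exec", optimize=1 if optimized else 0)
    exec(code, namespace)
    return len(namespace["removed"])


def compare() -> dict[str, int]:
    """Side-effect counts for the anti-pattern and the fix under both modes."""
    return {
        "anti_pattern_normal": side_effects_seen(ANTI_PATTERN, optimized=False),
        "anti_pattern_-O": side_effects_seen(ANTI_PATTERN, optimized=True),
        "fixed_normal": side_effects_seen(FIXED, optimized=False),
        "fixed_-O": side_effects_seen(FIXED, optimized=True),
    }
```

The anti-pattern reports one removal normally and zero under -O; the fixed form reports one in both modes, which is why CodeQL rates the pattern as a real defect rather than a style nit even though the test passes today.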
Summary
Adds an interactive Comet-style terminal UI on top of the existing security-hardened Perplexity MCP server, and builds out a rigorous multi-job CI pipeline. The MCP tool surface is unchanged — the TUI and its page fetcher are additive and never reachable from an MCP tool.
TUI (`perplexity-agent tui`, optional `tui` extra)
Maps Perplexity Comet's browser features onto the terminal, backed by the existing Search / Sonar / deep-research client:
- Commands: /search, /open, /summary, /ask, /translate, /summary (all tabs), /group, /research, /space (SQLite store), /task, /untask
- fetch.py — SSRF-hardened page fetcher: scheme allowlist, private/loopback/link-local IP rejection re-checked on every redirect hop, size/time caps, indirect-prompt-injection flagging. Documented in SECURITY.md.

CI
- CI previously synced `--extra dev`, so the new TUI tests (`import textual`) would fail. Now syncs `--extra tui`.
- Split into lint / typecheck / test (3.11-3.13 matrix) / security jobs with uv caching, least-privilege permissions, and concurrency cancellation.
- Added CodeQL SAST, gitleaks secret scan (`.gitleaks.toml` allowlisting placeholder keys), and Dependabot (uv + actions).

Tests
80 passing — added fetch / assistant / memory / tasks / tui / main suites plus in-memory MCP server integration tests (server.py 19% → 100%). `ruff` + `mypy --strict` clean.

Verified locally
`ruff check` ✓ · `mypy src` ✓ · 80 tests ✓ · coverage 87.34% ✓ · workflow YAML validates ✓. gitleaks runs in CI (no Docker locally; manual scan found no real keys).

🤖 Generated with Claude Code