… error handling
- Index entire clarifai package (not just cli/client/utils)
- Add graceful error handling for model unavailability
- Improve RAG system to handle all CLI-related questions
- Support conversation history queries
- Add rich markdown rendering for responses
- Support chat history commands (history, clear)
- Better system prompts for pipeline/model/deployment CLI support
- Add rich library dependency for formatted output
- New clarifai/cli/agent.py: Core agent framework
  * Tool and ClarifaiAgent classes
  * 7 registered tools for app, model, dataset, and workflow operations
  * Tool registry with JSON schema formatting for LLM function calling
  * Tool execution framework with error handling and validation
  * LLM response parsing for tool calls in <tool_call> JSON blocks
  * Dynamic system prompt generation with tool descriptions
- Updated clarifai/cli/chat.py: Agent integration
  * Agent initialization with user PAT and user ID
  * Tool call detection and parsing from LLM responses
  * Sequential tool execution with visual feedback
  * Follow-up LLM response after tool execution for result summaries
  * Graceful error handling for tool execution failures
Features:
- Fixed create_app to use User.create_app() API (actually creates app)
- All code passes ruff linting and formatting standards
- Complete error handling and validation
- Ready for production use
- Replace hardcoded tool registration with automatic introspection
- Auto-discover 158+ tools from clarifai.client module classes
- Tools generated from public methods: User, App, Model, Dataset, Inputs, Workflow, Pipeline, Search
- Each tool is properly namespaced (e.g., 'user_create_app', 'model_predict')
- Parameter extraction from function signatures (required vs optional)
- Docstring parsing for tool descriptions
- Smart method wrappers handle proper class instantiation with credentials
- Generators automatically converted to lists for JSON serialization
- Removes ~200 lines of manual tool registration code
This enables the agent to access the full Clarifai SDK API surface dynamically, providing 22x more capabilities than the previous hardcoded approach.
…alization errors" This reverts commit 95b37fc.
…tead of truncating
Updated build_agent_system_prompt to detect when users ask about interactive CLI commands (login, model init, pipeline init, etc.) and provide clear terminal instructions instead of trying to execute them from chat.
Interactive commands covered:
- clarifai login
- clarifai chat
- clarifai config create-context
- clarifai artifact delete / clarifai af rm
- clarifai model upload (when config.yaml missing)
- clarifai model init
- clarifai model local-runner
- clarifai pipeline init
f9b796b to 91a9a2e
Added two new config subcommands:
- clarifai config set <key> <value> - Set a config value (e.g., chat_model_url)
- clarifai config get <key> - Get a config value
Both support -c/--context flag to target a specific context.
Example usage:
clarifai config set chat_model_url https://clarifai.com/openai/chat-completion/models/gpt-4o
clarifai config get chat_model_url
- Added status spinner while connecting to AI model
- Improved formatting with Rich console
- Added quick commands reference bar
- Better visual hierarchy with separators
45ad477 to 6246b09
- Added get_cli_command_for_tool() to map agent tools to CLI commands
- Display 'CLI equivalent: clarifai ...' instead of internal tool names
- Users can now see the actual commands they would run manually
- Clear command also clears terminal screen
Enhances the login flow to be more developer-friendly while maintaining security. Key improvements include:
- Check for CLARIFAI_PAT environment variable first before prompting
- Use masked input (asterisks) for PAT entry with visual feedback
- Support terminal shortcuts (Ctrl+U, Ctrl+W, backspace)
- Simplify success messages and remove verbose context explanations
- Auto-create 'default' context without prompting first-time users
- Change default log level from INFO to WARNING for cleaner output
- Add comprehensive test coverage (30 new tests)
The new login flow conditionally shows instructions only when needed, provides better guidance about environment variables, and offers a cleaner, less overwhelming experience for new users while preserving power-user features.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Major improvements to the CLI chat assistant:
- Reorganize chat code into clarifai/cli/chat/ module
- Add action-based SDK execution (actions.py) that directly calls SDK methods instead of generating Python code - more reliable and secure
- Add JSON action format for SDK operations (list_apps, delete_app, etc.)
- Support 15 SDK actions: list_apps, list_models, delete_app, create_app, list_datasets, list_workflows, list_pipelines, etc.
- Auto-substitute YOUR_USER_ID placeholder in CLI commands
- Fix Windows Unicode encoding issues (ASCII-safe output)
- Add skill documentation system with examples/ and references/ subdirectories
- Parse actions only from explicit json code blocks (avoid false positives)
target_context['env'][env_key] = value

ctx.obj.to_yaml()
click.secho(f"✓ Set '{key}' = '{value}' in context '{context_name}'", fg='green')
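Review bot: the confirmation on the last line, `click.secho(f"✓ Set '{key}' = '{value}' ...")`, echoes the stored value back in full. Because `config set` accepts any key and `target_context['env'][env_key] = value` stores it without inspection, a user who sets a credential-bearing key this way gets the secret printed to the terminal (and it already sits in shell history from the command line). Mask the value in the confirmation for keys that look like credentials, or print only the key and context name.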
New set command shadows Python builtin, breaks existing code
High Severity
The new config set command defines a function named set at module scope, which shadows Python's builtin set(). The existing get_contexts function (line 165) uses additional_columns = set() to create an empty set. At runtime, after the module is fully loaded, set in the global scope refers to the Click Command object, not the builtin. This causes clarifai config list (wide format) to crash when calling set(), since it invokes the Click command machinery instead of creating an empty set. Renaming the function (e.g., set_value) while keeping the Click command name would fix it.
    r'\brmtree\s*\(',
    r'\bremove\s*\(',
    r'\bunlink\s*\(',
]
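Review bot: each pattern here (`\brmtree\s*\(`, `\bremove\s*\(`, `\bunlink\s*\(`) matches the literal spelling of a call in the source text, so any indirection defeats it: binding the function to another name before calling it, `getattr(shutil, 'rm' + 'tree')(path)`, or reaching a module through `__import__` or a dunder attribute chain all pass without containing these substrings. A text denylist cannot be completed; parse the snippet with `ast` and allow only the names the chat session itself provides, and keep the confirmation prompt for anything that still reaches `exec()`.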
Safety check missing __import__ allows auto-execution bypass
Medium Severity
BLOCKED_PYTHON_PATTERNS doesn't include __import__, allowing LLM-generated code to bypass the safety check via patterns like __import__('os').system(...) or __import__('subprocess').run(...). Code containing such patterns alongside a safe pattern (e.g., .list_apps()) would pass is_safe_python_code and be auto-executed in the main process via exec() without user confirmation.
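The bypass described in this comment is easy to reproduce, and just as easy to close by checking the parsed AST instead of the source text. The block below is an added example written for this page, not code from the Clarifai CLI: `BLOCKED_PYTHON_PATTERNS`, `SAFE_SDK_CALL`, `ALLOWED_NAMES` and the four sample snippets are assumptions standing in for the project's own check (only part of the real list is shown above) and for what an LLM might emit. It shows three snippets that satisfy a text denylist (`__import__`, `getattr` with a spliced string, a dunder chain reaching `os`) and how an allowlist over free names and attribute access rejects all of them.

```python
import ast
import re
from typing import Tuple

# Hypothetical text-level denylist in the style the page describes; a snippet
# counts as safe when it calls a known SDK method and trips none of these.
BLOCKED_PYTHON_PATTERNS = [
    r'\bimport\s+(os|sys|subprocess|shutil)\b',
    r'\bos\.system\s*\(',
    r'\bsubprocess\.',
    r'\brmtree\s*\(',
    r'\bremove\s*\(',
    r'\bunlink\s*\(',
]
SAFE_SDK_CALL = r'\.(list_apps|list_models|list_datasets)\s*\('

# Names an LLM-generated SDK snippet may reference without binding them itself
# (assumed set; the chat session would inject `client`).
ALLOWED_NAMES = frozenset({
    'client', 'print', 'len', 'list', 'dict', 'str', 'int', 'range',
    'sorted', 'enumerate',
})


def regex_is_safe(src: str) -> bool:
    """Text-matching check: satisfied by any indirection such as __import__."""
    has_sdk_call = re.search(SAFE_SDK_CALL, src) is not None
    return has_sdk_call and not any(re.search(p, src) for p in BLOCKED_PYTHON_PATTERNS)


def ast_is_safe(src: str, allowed_names=ALLOWED_NAMES) -> Tuple[bool, str]:
    """Allowlist check on the parsed AST.

    Rejects every import, every loaded name the snippet neither binds itself nor
    has on the allowlist (covers __import__, exec, eval, getattr, open, os, ...),
    and every attribute starting with an underscore (client.__class__ escapes).
    """
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return False, f'syntax error: {exc.msg}'

    bound = set(allowed_names)
    for node in ast.walk(tree):  # names the snippet binds: targets, params, defs
        if isinstance(node, ast.Name) and isinstance(node.ctx, (ast.Store, ast.Del)):
            bound.add(node.id)
        elif isinstance(node, ast.arg):
            bound.add(node.arg)
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            bound.add(node.name)
        elif isinstance(node, ast.ExceptHandler) and node.name:
            bound.add(node.name)

    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            return False, 'import statements are not allowed'
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load) and node.id not in bound:
            return False, f'unknown name {node.id!r}'
        if isinstance(node, ast.Attribute) and node.attr.startswith('_'):
            return False, f'private attribute {node.attr!r}'
    return True, 'ok'


# Constructed snippets: a benign "list my apps" answer and three escapes that
# keep the "safe" SDK call so the text check still passes.
BENIGN = "apps = client.list_apps()\nfor app in apps:\n    print(app.id)\n"
ESCAPE_IMPORT_BUILTIN = "__import__('os').system('id')\nprint(client.list_apps())\n"
ESCAPE_GETATTR = "getattr(client, '__cl' + 'ass__')\nclient.list_apps()\n"
ESCAPE_DUNDER = "client.__class__.__init__.__globals__['os'].system('id')\nclient.list_apps()\n"


if __name__ == '__main__':
    for name, src in [('benign', BENIGN), ('__import__', ESCAPE_IMPORT_BUILTIN),
                      ('getattr', ESCAPE_GETATTR), ('dunder', ESCAPE_DUNDER)]:
        print(f'{name:>10}: regex={regex_is_safe(src)!s:<5} ast={ast_is_safe(src)}')
```

Even with the AST check, `exec()` inside the CLI process runs with the user's PAT in scope, and an allowed SDK call such as `delete_app` is destructive without any escape at all; keep the confirmation prompt for every executed snippet, or run it in a subprocess that holds only the credentials it needs.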
# 1. Sanitize any 32-character hex string that looks like a PAT/token
# This is the most aggressive pattern - catch bare hex values
text = re.sub(r'\b[a-f0-9]{32}\b', lambda m: '*' * 32, text, flags=re.IGNORECASE)
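Review bot: `\b[a-f0-9]{32}\b` is anchored to the shape of a token, not to where a credential appears. Besides masking every unrelated 32-hex identifier, it also misses a token whose neighbour is a word character, because `\b` does not fall between `_` or a letter and a hex digit, so a hex token glued to an alphanumeric prefix passes through unmasked. Match on the surrounding context instead (`CLARIFAI_PAT=`, `Authorization: Key `, a `"pat":` JSON key) and substitute a fixed placeholder rather than `'*' * 32`, which also stops the output from disclosing the token length.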
Sanitization regex masks all 32-char hex strings indiscriminately
Medium Severity
The first sanitization regex r'\b[a-f0-9]{32}\b' replaces every 32-character hex string in the response with asterisks. This masks legitimate values like UUIDs (without dashes), MD5 hashes, and resource identifiers that may appear in command output or LLM explanations. It also makes all subsequent more-targeted patterns (2–7) redundant since they'll never find an unmasked 32-char hex string.
chat_model_url = current_context.get('chat_model_url', DEFAULT_CHAT_MODEL_URL)

# Try to initialize the model
model_available = True
    '',
    assistant_message,
    flags=re.DOTALL,
)
Broad tag regex makes skill/tool cleanup dead code
Low Severity
The regex r'</?[a-z_]+>' on line 333 strips all simple XML-like tags including <skill_call> and <tool_call>, running before the specific <skill_call>...</skill_call> and <tool_call>...</tool_call> block-removal regexes on lines 336–347. This makes those block-removal steps dead code — they can never match because the opening/closing tags are already gone, causing any content between the tags to leak into the displayed output.
…inal interaction)
Cursor Bugbot has reviewed your changes and found 2 potential issues.
# Parse and execute commands from the response
# First try to parse JSON actions (preferred method)
action_data = parse_action_from_response(assistant_message)
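Review bot: the comment says the response is parsed and executed in one step; before `action_data` is dispatched, check that `action_data['action']` names an entry in the action registry and that its arguments match the registered parameters, and route destructive actions (`delete_app` is among the supported ones) through the same confirmation prompt that shell commands get. Parsing from `assistant_message` after it has been rewritten for display also means the action arguments are whatever the display rewrite left behind, so parse the raw reply and keep the display copy separate.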
Sanitization corrupts action/command params before parsing
Medium Severity
sanitize_sensitive_data is applied to assistant_message before parse_action_from_response and parse_commands_from_response are called on the same variable. The sanitizer's aggressive first rule replaces any 32-character hex string with asterisks. This means if the LLM produces a JSON action or CLI command containing a 32-char hex resource ID as a parameter, it gets silently corrupted to ******************************** before execution. Sanitization for display and data used for parsing need to be kept separate.
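One way to address the three display issues raised in this review (the tag-stripping order, the indiscriminate 32-hex masking, and sanitizing the very string that is later parsed) is to keep the raw reply for parsing and derive a separate display copy. The block below is an added example for this page, not the project's code; `SECRET_CONTEXT`, `handle_reply`, the `[redacted]` placeholder and `SAMPLE_REPLY` are assumptions, and the sample reply is constructed. `naive_sanitize` and `strip_tool_markup_wrong_order` reproduce the two faults for comparison.

```python
import json
import re
from typing import Optional, Tuple

FENCE = '`' * 3  # a literal ``` built this way so the sample survives markdown rendering

# JSON actions are parsed only from an explicit ```json block, and only from the raw reply.
JSON_ACTION_BLOCK = re.compile(FENCE + r'json\s*(\{.*?\})\s*' + FENCE, re.DOTALL)
# Whole <skill_call>/<tool_call> elements, payload included.
TOOL_BLOCKS = re.compile(r'<(skill_call|tool_call)>.*?</\1>', re.DOTALL)
# Simple XML-like tags left over once the blocks above are gone.
SIMPLE_TAG = re.compile(r'</?[a-z_]+>')
# Credential contexts to mask (assumed set; extend to whatever the CLI prints).
# Anchoring on the context, not on "any 32 hex chars", leaves resource IDs alone.
SECRET_CONTEXT = re.compile(
    r'\b(?P<prefix>(?:(?:CLARIFAI_PAT|pat|token|api[_-]?key)["\']?\s*[=:]\s*["\']?'
    r'|Authorization:\s*Key\s+))'
    r'(?P<secret>[A-Fa-f0-9]{32})',
    re.IGNORECASE,
)
REDACTED = '[redacted]'  # fixed placeholder: no tag characters, no length leak


def naive_sanitize(text: str) -> str:
    """The shape-based rule under review: masks every bare 32-hex string."""
    return re.sub(r'\b[a-f0-9]{32}\b', lambda m: '*' * 32, text, flags=re.IGNORECASE)


def parse_action(raw: str) -> Optional[dict]:
    """Extract the JSON action from the unsanitized reply."""
    m = JSON_ACTION_BLOCK.search(raw)
    if not m:
        return None
    try:
        data = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) and isinstance(data.get('action'), str) else None


def strip_tool_markup(text: str) -> str:
    # Order matters: remove whole blocks first. Stripping bare tags first would
    # delete <tool_call> and </tool_call> and leave the payload in the output.
    return SIMPLE_TAG.sub('', TOOL_BLOCKS.sub('', text))


def strip_tool_markup_wrong_order(text: str) -> str:
    """Same two steps in the order under review: the block regex never matches."""
    return TOOL_BLOCKS.sub('', SIMPLE_TAG.sub('', text))


def sanitize_for_display(raw: str) -> str:
    return SECRET_CONTEXT.sub(lambda m: m.group('prefix') + REDACTED, strip_tool_markup(raw))


def handle_reply(raw: str) -> Tuple[str, Optional[dict]]:
    """Parse the action from the raw reply; sanitize a separate copy for display."""
    return sanitize_for_display(raw), parse_action(raw)


# Constructed LLM reply: a tool-call block carrying a PAT, a PAT in prose, and a
# JSON action whose app_id happens to be 32 hex characters.
SAMPLE_REPLY = (
    "I'll remove that app for you.\n"
    '<tool_call>{"name": "user_delete_app", "arguments": {"pat": "deadbeefdeadbeefdeadbeefdeadbeef"}}</tool_call>\n'
    "Your CLARIFAI_PAT=0123456789abcdef0123456789abcdef is configured.\n"
    f"{FENCE}json\n"
    '{"action": "delete_app", "app_id": "a1b2c3d4e5f60718293a4b5c6d7e8f90"}\n'
    f"{FENCE}\n"
)


if __name__ == '__main__':
    shown, act = handle_reply(SAMPLE_REPLY)
    print(shown)
    print('action:', act)
```

The display copy still shows the `json` block so the user can see what is about to run; what changes is that the parser never sees a rewritten string, and the sanitizer only touches values that sit in a credential position.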
context_data = context.to_serializable_dict()
# Add defaults for known configurable values if not explicitly set
if 'CLARIFAI_CHAT_MODEL_URL' not in context_data:
    context_data['CLARIFAI_CHAT_MODEL_URL'] = f'{DEFAULT_CHAT_MODEL_URL} (default)'
Config view misdetects manually-set chat model URL
Low Severity
The config view command checks for CLARIFAI_CHAT_MODEL_URL in the serialized context data, but the README instructs users to set the key as chat_model_url (without prefix) in their YAML config. When following the README, config view fails to detect the existing value and incorrectly appends a CLARIFAI_CHAT_MODEL_URL ... (default) entry, showing both the user's value and a spurious default simultaneously.
Medium Risk
Introduces a large new CLI execution surface (LLM-driven command/Python/SDK actions) and changes default CLI behavior to start chat, so regressions could affect user workflows despite added safety checks and tests.
Overview
Adds a new interactive `clarifai chat` assistant (now the default when running `clarifai` with no subcommand) that calls a configurable chat model, injects lightweight RAG context from the local codebase, and can optionally execute suggested CLI commands / Python SDK snippets with safety/confirmation checks.

Improves authentication and config UX: `login` now prefers `CLARIFAI_PAT` with an explicit prompt, uses a new `masked_input` for manual PAT entry, always writes to the `default` context, and adds `logout` to clear the current context PAT; `config` gains `get`/`set` for per-context values (e.g. `chat_model_url`) and `config show` now displays defaulted `CLARIFAI_CHAT_MODEL_URL`.

Introduces a chat action registry for direct SDK operations (list/create/delete apps/datasets/models/workflows, etc.), adds extensive markdown “skills” docs used to guide the assistant, adds `rich` as a dependency for chat rendering, and adds/updates tests covering login/context creation, masked input, and logging formatter assertions.

Written by Cursor Bugbot for commit bb2b0ba.