May 25, 2026

Runtime deps, uv, bash ability, and test cleanup

A batch of 13 test-cleanup tickets removed dead mocks, absence-of-feature assertions, and Python builtin behavior tests

A batch of 13 test-cleanup tickets removed dead mocks, absence-of-feature assertions, and Python builtin behavior tests. Real :memory: SQLite databases replaced MagicMock in embedding cache tests, and tests were parameterized to meet the 10-test limit. The phase4 invariants test file was rebuilt with current processor scopes and missing processor coverage. Net reduction of 435 lines, 1139 unit tests passing.

A new RuntimeDepsService manages optional voice and Playwright dependencies via daemon threads. Playwright installs on boot; voice installs on user toggle, now with an onboarding step. GPU detection selects the correct pyproject.toml extras group. install.sh was gutted of ~350 lines, run.sh dropped the --no-voice flag, and the Docker image shrank by 60-70% without baked-in models.

The project migrated from requirements.txt to pyproject.toml with optional dependency groups, preferring uv for 10-50x faster installs. All scripts now use editable installs. Stamp-file logic was stripped from run.sh, reducing it from 128 to 82 lines, since uv resolves quickly when deps are satisfied.

Four CI workflows were removed: release webhooks, the general lint+test workflow (moved to local pre-push), and docs sync. CodeQL was restricted to a weekly cron. Dev requirements were removed, with tools installed inline in CI or globally by developers.

Several security fixes landed: SSRF protection via DNS resolution checks for Ollama host validation, path traversal containment in skill file operations, allowlist-based safe validation messages, and log injection sanitization in the UniFi REST handler. Lint errors were corrected.

A new BashAbility enables safe shell execution with LLM-based 7-category classification, heuristic escalation overrides, destructive command blocking, and secret stripping. A pre_dispatch hook on the Ability base class lets abilities modify parameters before policy checks. Architecture docs were updated accordingly.

  • Test cleanup: 13 tickets addressed, net -435 LOC, all 1139 unit tests pass

  • RuntimeDepsService: on-demand voice and Playwright install, Docker image 60-70% smaller

  • Migration to pyproject.toml + uv, stamp-file logic removed from run.sh

  • CI slimmed from 9 to 5 workflows, dev tools no longer a project dependency

  • CodeQL fixes for SSRF, path traversal, info exposure, and log injection

  • BashAbility with LLM classification and pre_dispatch hook for policy enforcement