Skip to content

feat: Add sentinel-auditor kit#259

Open
aroojrafiq wants to merge 12 commits into
Lamatic:mainfrom
aroojrafiq:feat/sentinel-auditor
Open

feat: Add sentinel-auditor kit#259
aroojrafiq wants to merge 12 commits into
Lamatic:mainfrom
aroojrafiq:feat/sentinel-auditor

Conversation

@aroojrafiq

@aroojrafiq aroojrafiq commented Jul 16, 2026

Copy link
Copy Markdown

Description

This PR introduces the Sentinel AI Auditor, a deployable kit designed to evaluate generative AI models in real-time.

It provides a Next.js workspace that seamlessly connects to a Lamatic workflow to score adversarial prompts and model responses across four dimensions:

  • Jailbreak Resistance
  • Hallucination Risk
  • Refusal Consistency
  • Bias & Stereotypes

All required documentation (README.md, agent.md), configurations (lamatic.config.ts), and environment templates (.env.example) have been included following the repository's updated flat-structure guidelines.


PR Checklist

1. Select Contribution Type

  • Kit
  • Bundle
  • Template

2. General Requirements

  • PR is for one project only (no unrelated changes)
  • No secrets, API keys, or real credentials are committed
  • Folder name uses kebab-case and matches the flow ID
  • All changes are documented in README.md (purpose, setup, usage)

3. File Structure

  • lamatic.config.ts present with valid metadata (name, description, tags, steps, author, links)
  • .env.example with placeholder values only (kits only)
  • No hand‑edited flow node graphs (changes via Lamatic Studio export)

4. Validation

  • npm install && npm run dev works locally
  • PR title is clear
  • GitHub Actions workflows pass (pending CI run)
  • All CodeRabbit or other PR review comments are addressed and resolved (pending review)
  • No unrelated files or projects are modified
  • Added Sentinel AI Auditor kit configuration, documentation, environment templates, and ignore rules:
    • kits/sentinel-auditor/.env.example
    • kits/sentinel-auditor/.gitignore
    • kits/sentinel-auditor/README.md
    • kits/sentinel-auditor/agent.md
    • kits/sentinel-auditor/lamatic.config.ts
    • kits/sentinel-auditor/constitutions/default.md
    • kits/sentinel-auditor/apps/.env.example
    • kits/sentinel-auditor/apps/.gitignore
    • kits/sentinel-auditor/apps/AGENTS.md
    • kits/sentinel-auditor/apps/CLAUDE.md
    • kits/sentinel-auditor/apps/README.md
  • Added a Next.js dashboard app (kits/sentinel-auditor/apps/) connected to the Lamatic workflow:
    • kits/sentinel-auditor/apps/package.json
    • kits/sentinel-auditor/apps/tsconfig.json
    • kits/sentinel-auditor/apps/next.config.mjs
    • kits/sentinel-auditor/apps/eslint.config.mjs
    • kits/sentinel-auditor/apps/postcss.config.mjs
    • kits/sentinel-auditor/apps/app/layout.tsx
    • kits/sentinel-auditor/apps/app/globals.css
    • kits/sentinel-auditor/apps/app/page.tsx (landing page)
    • kits/sentinel-auditor/apps/app/dashboard/page.tsx (audit form + telemetry/results UI)
    • kits/sentinel-auditor/apps/app/actions/audit.ts (server action that executes the Lamatic flow with user_prompt/model_response)
  • Added the Lamatic workflow (kits/sentinel-auditor/flows/ai-model-auditor-flow.ts) and its evaluation components:
    • Workflow nodes and wiring:
      • triggerNode (triggerNode_1) accepts a realtime request with user_prompt: string and model_response: string
      • dynamicNode (InstructorLLMNode_271) generates strict JSON for the audit using:
        • system prompt: kits/sentinel-auditor/prompts/ai-model-auditor-flow_instructor-llmnode-271_system_0.md
        • user template: kits/sentinel-auditor/prompts/ai-model-auditor-flow_instructor-llmnode-271_user_1.md
      • responseNode (responseNode_triggerNode_1) maps the model output into the API response payload (summary, dimensions, and _meta)
      • Edges: defaultEdge (trigger → evaluator → response) and responseEdge (response routing from trigger)
    • Evaluation model + generation config:
      • kits/sentinel-auditor/model-configs/ai-model-auditor-flow_instructor-llmnode-271_generative-model-name.ts (Cohere-backed generative config with low temperature)
    • Flow behavior (high level):
      • Scores the interaction across hallucination risk, refusal consistency, bias/stereotypes signal, and jailbreak resistance on a 1–5 scale with evidence + justifications.
      • Computes summary.overall_score and summary.risk_level from the weakest dimension per the instructor prompt.

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

:robot_face: AgentKit Structural Validation

New Contributions Detected

  • Kit: kits/sentinel-auditor

Check Results

Check Status
No edits to existing kits ✅ Pass
Required root files present ✅ Pass
Flow .ts files present ✅ Pass
lamatic.config.ts valid ✅ Pass
No changes outside kits/ ✅ Pass

🎉 All checks passed! This contribution follows the AgentKit structure.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@aroojrafiq, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 21 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7bff2c59-4dd6-4587-8c3e-75fdba813179

📥 Commits

Reviewing files that changed from the base of the PR and between ab163f9 and a0d8621.

📒 Files selected for processing (1)
  • kits/sentinel-auditor/apps/app/dashboard/page.tsx

Walkthrough

Changes

Sentinel AI Auditor

Layer / File(s) Summary
Audit flow contract and orchestration
kits/sentinel-auditor/flows/..., kits/sentinel-auditor/lamatic.config.ts, kits/sentinel-auditor/.env.example, kits/sentinel-auditor/apps/.env.example
Defines the Lamatic workflow, input and output schemas, node wiring, kit metadata, and environment placeholders.
Scoring rubric and model configuration
kits/sentinel-auditor/constitutions/default.md, kits/sentinel-auditor/prompts/..., kits/sentinel-auditor/model-configs/...
Adds safety rules, four-dimension scoring prompts, structured score calculations, and Cohere model settings.
Workflow API and audit dashboard
kits/sentinel-auditor/apps/app/actions/audit.ts, kits/sentinel-auditor/apps/app/dashboard/page.tsx
Adds server-side Lamatic execution and a validated dashboard with loading, error, score, dimension, and raw telemetry states.
Next.js application shell and setup
kits/sentinel-auditor/apps/app/page.tsx, kits/sentinel-auditor/apps/app/layout.tsx, kits/sentinel-auditor/apps/*, kits/sentinel-auditor/apps/app/globals.css, kits/sentinel-auditor/.gitignore
Creates the landing page, root layout, styling, package configuration, TypeScript and lint settings, ignore rules, and app guidance files.
Kit documentation and quickstart
kits/sentinel-auditor/README.md, kits/sentinel-auditor/agent.md
Documents the kit’s purpose, workflow inputs and outputs, evaluation dimensions, setup steps, environment variables, and troubleshooting guidance.

Suggested reviewers: amanintech, d-pamneja

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly states the main change: adding the sentinel-auditor kit.
Description check ✅ Passed The description includes the required checklist sections and gives a clear summary of purpose, setup, and validation.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown
Contributor

Failure recorded at 2026-07-16T16:53:05Z UTC. If this PR is not fixed within 4 weeks it will be automatically closed.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
kits/sentinel-auditor/apps/jsconfig.json (1)

1-8: 📐 Maintainability & Code Quality | 🟠 Major | 🏗️ Heavy lift

Mission critical: Upgrade workspace to TypeScript and standard components.

Agent, our perimeter scans indicate this app was bootstrapped with JavaScript, violating HQ's strict directive. All Next.js kits must use TypeScript, lucide-react for icons, and shadcn/ui components.

  • kits/sentinel-auditor/apps/jsconfig.json#L1-L8: Delete this file and initialize a proper tsconfig.json to enforce strict typing across the mission.
  • kits/sentinel-auditor/apps/app/page.js#L6-L179: Convert this file to page.tsx, replace the raw SVG with a lucide-react icon, and use shadcn/ui components for your UI elements.
  • kits/sentinel-auditor/apps/app/layout.js#L1-L29: Rename to layout.tsx and add appropriate TypeScript types.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/sentinel-auditor/apps/jsconfig.json` around lines 1 - 8, Upgrade the
Sentinel Auditor app to TypeScript and standard UI components: delete
kits/sentinel-auditor/apps/jsconfig.json and create a strict
kits/sentinel-auditor/apps/tsconfig.json; rename
kits/sentinel-auditor/apps/app/page.js to page.tsx, replace its raw SVG with a
lucide-react icon, and use shadcn/ui components for UI elements; rename
kits/sentinel-auditor/apps/app/layout.js to layout.tsx and add appropriate
TypeScript types.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/sentinel-auditor/agent.md`:
- Around line 13-15: Update the documented trigger fields in the processing
description to use user_prompt and model_response, matching the workflow and
audit action contract in ai-model-auditor-flow and audit.js; leave the remaining
behavior description unchanged.

In `@kits/sentinel-auditor/apps/.gitignore`:
- Around line 33-35: Update the environment-file ignore rules in .gitignore so
.env.example is explicitly unignored while the broader .env* ignore pattern
remains in place, ensuring the example configuration can be tracked.

In `@kits/sentinel-auditor/apps/app/actions/audit.js`:
- Around line 3-59: Replace the raw axios/GraphQL implementation in
runModelAudit with the official lamatic SDK workflow execution API. Remove the
hardcoded x-project-id value and load the project identifier from a required
environment variable alongside the existing Lamatic configuration, passing it
through the SDK client or execution options as required. Preserve the existing
userPrompt/modelResponse inputs and error propagation behavior.

In `@kits/sentinel-auditor/apps/app/dashboard/page.js`:
- Around line 130-141: Update the dashboard rendering around the idle and
loading states to display the captured error state when setError records a
failure. Render the error message visibly instead of falling through to the
“System idle” view, while preserving the existing loading and idle behavior when
no error is present.

In `@kits/sentinel-auditor/apps/app/page.js`:
- Around line 53-55: Update the external GitHub link in the page navigation,
identified by target="_blank", to include rel="noopener noreferrer" while
preserving its existing href, target, classes, and displayed text.

In `@kits/sentinel-auditor/apps/package.json`:
- Around line 11-22: Update the dependencies in package.json to use an approved
Next.js 14–15 version and React 18, keeping react-dom aligned with React. Add
lamatic, typescript, lucide-react, react-hook-form, and zod, and ensure
eslint-config-next exactly matches the selected Next.js version.

---

Outside diff comments:
In `@kits/sentinel-auditor/apps/jsconfig.json`:
- Around line 1-8: Upgrade the Sentinel Auditor app to TypeScript and standard
UI components: delete kits/sentinel-auditor/apps/jsconfig.json and create a
strict kits/sentinel-auditor/apps/tsconfig.json; rename
kits/sentinel-auditor/apps/app/page.js to page.tsx, replace its raw SVG with a
lucide-react icon, and use shadcn/ui components for UI elements; rename
kits/sentinel-auditor/apps/app/layout.js to layout.tsx and add appropriate
TypeScript types.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: cc111a24-6ff6-41e5-96e0-90232fef9aa4

📥 Commits

Reviewing files that changed from the base of the PR and between 0ada432 and 74218b4.

⛔ Files ignored due to path filters (7)
  • kits/sentinel-auditor/apps/app/favicon.ico is excluded by !**/*.ico
  • kits/sentinel-auditor/apps/package-lock.json is excluded by !**/package-lock.json
  • kits/sentinel-auditor/apps/public/file.svg is excluded by !**/*.svg
  • kits/sentinel-auditor/apps/public/globe.svg is excluded by !**/*.svg
  • kits/sentinel-auditor/apps/public/next.svg is excluded by !**/*.svg
  • kits/sentinel-auditor/apps/public/vercel.svg is excluded by !**/*.svg
  • kits/sentinel-auditor/apps/public/window.svg is excluded by !**/*.svg
📒 Files selected for processing (23)
  • kits/sentinel-auditor/.gitignore
  • kits/sentinel-auditor/README.md
  • kits/sentinel-auditor/agent.md
  • kits/sentinel-auditor/apps/.gitignore
  • kits/sentinel-auditor/apps/AGENTS.md
  • kits/sentinel-auditor/apps/CLAUDE.md
  • kits/sentinel-auditor/apps/README.md
  • kits/sentinel-auditor/apps/app/actions/audit.js
  • kits/sentinel-auditor/apps/app/dashboard/page.js
  • kits/sentinel-auditor/apps/app/globals.css
  • kits/sentinel-auditor/apps/app/layout.js
  • kits/sentinel-auditor/apps/app/page.js
  • kits/sentinel-auditor/apps/eslint.config.mjs
  • kits/sentinel-auditor/apps/jsconfig.json
  • kits/sentinel-auditor/apps/next.config.mjs
  • kits/sentinel-auditor/apps/package.json
  • kits/sentinel-auditor/apps/postcss.config.mjs
  • kits/sentinel-auditor/constitutions/default.md
  • kits/sentinel-auditor/flows/ai-model-auditor-flow.ts
  • kits/sentinel-auditor/lamatic.config.ts
  • kits/sentinel-auditor/model-configs/ai-model-auditor-flow_instructor-llmnode-271_generative-model-name.ts
  • kits/sentinel-auditor/prompts/ai-model-auditor-flow_instructor-llmnode-271_system_0.md
  • kits/sentinel-auditor/prompts/ai-model-auditor-flow_instructor-llmnode-271_user_1.md

Comment thread kits/sentinel-auditor/agent.md Outdated
Comment thread kits/sentinel-auditor/apps/.gitignore Outdated
Comment on lines +3 to +59
import axios from "axios";

export async function runModelAudit({ userPrompt, modelResponse }) {
const apiKey = process.env.LAMATIC_API_KEY;
const url = process.env.LAMATIC_ENDPOINT_URL;
const workflowId = process.env.LAMATIC_WORKFLOW_ID;

if (!apiKey || !url || !workflowId) {
throw new Error("Missing Lamatic configuration environment variables in .env.local");
}

const query = `
query ExecuteWorkflow(
$workflowId: String!
$user_prompt: String
$model_response: String
) {
executeWorkflow(
workflowId: $workflowId
payload: {
user_prompt: $user_prompt
model_response: $model_response
}
) {
status
result
}
}`;

const variables = {
workflowId,
user_prompt: userPrompt,
model_response: modelResponse
};

try {
const response = await axios({
method: "POST",
url,
headers: {
Authorization: `Bearer ${apiKey}`,
"Content-Type": "application/json",
"x-project-id": "edb0d31c-5f7b-44cb-b91d-e0c110acf758",
},
data: { query, variables },
});

if (response.data.errors) {
console.error("GraphQL errors:", response.data.errors);
throw new Error(response.data.errors[0]?.message || "GraphQL Execution Error");
}

return response.data.data.executeWorkflow;
} catch (error) {
console.error("Lamatic API Execution Failed:", error?.response?.data || error.message);
throw new Error(error?.response?.data?.errors?.[0]?.message || "Failed to execute model audit flow.");
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Your mission, if you choose to accept it: migrate to the lamatic SDK and neutralize the hardcoded project ID.

Good evening, Agent. Our intel indicates this sector is relying on a rogue axios network infiltration and a hardcoded x-project-id (edb0d31c-5f7b-44cb-b91d-e0c110acf758) to execute workflows. This is a severe breach of protocol and leaves our operations exposed.

As per your operational directives for Next.js applications, you must import and utilize the official lamatic npm package for SDK integration rather than crafting raw GraphQL network requests. Furthermore, hardcoded project identifiers must be scrubbed and supplied securely via environment variables to maintain operational security.

Secure this connection immediately. This message will self-destruct in 5 seconds.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/sentinel-auditor/apps/app/actions/audit.js` around lines 3 - 59, Replace
the raw axios/GraphQL implementation in runModelAudit with the official lamatic
SDK workflow execution API. Remove the hardcoded x-project-id value and load the
project identifier from a required environment variable alongside the existing
Lamatic configuration, passing it through the SDK client or execution options as
required. Preserve the existing userPrompt/modelResponse inputs and error
propagation behavior.

Source: Coding guidelines

Comment on lines +130 to +141
{!auditResult && !loading && (
<div className="flex-1 flex flex-col items-center justify-center text-slate-500 py-12">
<svg className="w-12 h-12 mb-4 text-slate-700 opacity-50" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="1" d="M13 10V3L4 14h7v7l9-11h-7z"></path></svg>
<p>System idle. Waiting for prompt injection.</p>
</div>
)}

{loading && (
<div className="flex-1 flex flex-col items-center justify-center space-y-4 py-12">
<p className="text-blue-400 font-mono text-sm animate-pulse">Analyzing neural dimensions...</p>
</div>
)}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Your mission, if you choose to accept it: expose the hidden error telemetry.

Good evening, Agent. Our diagnostics indicate a critical blind spot in your dashboard's visual feed. When an operation goes sideways and setError captures an anomaly, the error message is completely ghosted from the UI. The dashboard silently reverts to the "System idle" state, leaving field operatives completely unaware that their request failed.

You must patch the interface to render the error state so our team knows when a payload is intercepted or fails to execute. This message will self-destruct in 5 seconds.

🕶️ Proposed extraction of the error state
-            {!auditResult && !loading && (
+            {!auditResult && !loading && !error && (
               <div className="flex-1 flex flex-col items-center justify-center text-slate-500 py-12">
                 <svg className="w-12 h-12 mb-4 text-slate-700 opacity-50" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="1" d="M13 10V3L4 14h7v7l9-11h-7z"></path></svg>
                 <p>System idle. Waiting for prompt injection.</p>
               </div>
             )}
+
+            {!auditResult && !loading && error && (
+              <div className="flex-1 flex flex-col items-center justify-center text-red-400 py-12 animate-fade-in">
+                <p className="font-medium bg-red-500/10 px-4 py-2 rounded border border-red-500/20">{error}</p>
+              </div>
+            )}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{!auditResult && !loading && (
<div className="flex-1 flex flex-col items-center justify-center text-slate-500 py-12">
<svg className="w-12 h-12 mb-4 text-slate-700 opacity-50" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="1" d="M13 10V3L4 14h7v7l9-11h-7z"></path></svg>
<p>System idle. Waiting for prompt injection.</p>
</div>
)}
{loading && (
<div className="flex-1 flex flex-col items-center justify-center space-y-4 py-12">
<p className="text-blue-400 font-mono text-sm animate-pulse">Analyzing neural dimensions...</p>
</div>
)}
{!auditResult && !loading && !error && (
<div className="flex-1 flex flex-col items-center justify-center text-slate-500 py-12">
<svg className="w-12 h-12 mb-4 text-slate-700 opacity-50" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="1" d="M13 10V3L4 14h7v7l9-11h-7z"></path></svg>
<p>System idle. Waiting for prompt injection.</p>
</div>
)}
{!auditResult && !loading && error && (
<div className="flex-1 flex flex-col items-center justify-center text-red-400 py-12 animate-fade-in">
<p className="font-medium bg-red-500/10 px-4 py-2 rounded border border-red-500/20">{error}</p>
</div>
)}
{loading && (
<div className="flex-1 flex flex-col items-center justify-center space-y-4 py-12">
<p className="text-blue-400 font-mono text-sm animate-pulse">Analyzing neural dimensions...</p>
</div>
)}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/sentinel-auditor/apps/app/dashboard/page.js` around lines 130 - 141,
Update the dashboard rendering around the idle and loading states to display the
captured error state when setError records a failure. Render the error message
visibly instead of falling through to the “System idle” view, while preserving
the existing loading and idle behavior when no error is present.

Comment thread kits/sentinel-auditor/apps/app/page.js Outdated
Comment on lines +53 to +55
<a href="#how-it-works" className="hover:text-white transition-colors">How it Works</a>
<a href="https://github.com" target="_blank" className="hover:text-white transition-colors border border-slate-700 px-4 py-1.5 rounded-full hover:bg-slate-800">GitHub PR</a>
</div>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Secure your perimeter against reverse tabnabbing.

Agent, leaving a link with target="_blank" without rel="noopener noreferrer" is like leaving the back door of the safehouse wide open. It exposes our operatives to reverse tabnabbing attacks on older browsers.

Secure the breach by adding rel="noopener noreferrer".

🛡️ Proposed security patch
-          <a href="https://github.com" target="_blank" className="hover:text-white transition-colors border border-slate-700 px-4 py-1.5 rounded-full hover:bg-slate-800">GitHub PR</a>
+          <a href="https://github.com" target="_blank" rel="noopener noreferrer" className="hover:text-white transition-colors border border-slate-700 px-4 py-1.5 rounded-full hover:bg-slate-800">GitHub PR</a>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
<a href="#how-it-works" className="hover:text-white transition-colors">How it Works</a>
<a href="https://github.com" target="_blank" className="hover:text-white transition-colors border border-slate-700 px-4 py-1.5 rounded-full hover:bg-slate-800">GitHub PR</a>
</div>
<a href="`#how-it-works`" className="hover:text-white transition-colors">How it Works</a>
<a href="https://github.com" target="_blank" rel="noopener noreferrer" className="hover:text-white transition-colors border border-slate-700 px-4 py-1.5 rounded-full hover:bg-slate-800">GitHub PR</a>
</div>
🧰 Tools
🪛 ast-grep (0.44.1)

[warning] 53-53: target="_blank" without rel="noopener noreferrer" exposes the page to reverse tabnabbing
Context:
Note: [CWE-1022] Use of Web Link to Untrusted Target with window.opener Access.

(jsx-no-target-blank)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/sentinel-auditor/apps/app/page.js` around lines 53 - 55, Update the
external GitHub link in the page navigation, identified by target="_blank", to
include rel="noopener noreferrer" while preserving its existing href, target,
classes, and displayed text.

Source: Linters/SAST tools

Comment thread kits/sentinel-auditor/apps/package.json
@aroojrafiq

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.env.local:
- Around line 1-3: Remove the committed .env.local file containing
LAMATIC_API_KEY, LAMATIC_ENDPOINT_URL, and LAMATIC_WORKFLOW_ID, and
rotate/revoke the exposed LAMATIC_API_KEY through the secret-management
provider. Ensure local environment files are excluded from version control and
provide only a safe example configuration if the project requires one.

In `@kits/sentinel-auditor/apps/app/dashboard/page.tsx`:
- Around line 30-55: Refactor the dashboard form around the existing handleAudit
flow to use react-hook-form with zod validation and shadcn/ui form controls
instead of native textareas and buttons, while replacing hardcoded utility
colors with the project’s CSS variables. Apply the CSS-variable styling and
relevant shadcn/ui element replacements to
kits/sentinel-auditor/apps/app/page.tsx lines 24-65 as well; both sites require
direct changes, preserving the current userPrompt, modelResponse, and audit
execution behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: c0752b8f-fdde-43aa-a733-e29ebc36299e

📥 Commits

Reviewing files that changed from the base of the PR and between 7778a4b and 7750718.

⛔ Files ignored due to path filters (1)
  • kits/sentinel-auditor/apps/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (11)
  • .env.local
  • kits/sentinel-auditor/.env.example
  • kits/sentinel-auditor/agent.md
  • kits/sentinel-auditor/apps/.env.example
  • kits/sentinel-auditor/apps/.gitignore
  • kits/sentinel-auditor/apps/app/actions/audit.ts
  • kits/sentinel-auditor/apps/app/dashboard/page.tsx
  • kits/sentinel-auditor/apps/app/layout.tsx
  • kits/sentinel-auditor/apps/app/page.tsx
  • kits/sentinel-auditor/apps/package.json
  • kits/sentinel-auditor/apps/tsconfig.json

Comment thread .env.local Outdated
Comment on lines +1 to +3
LAMATIC_API_KEY=lt-9c7eb72fb10a91d48a7b0312b4fe9d65
LAMATIC_ENDPOINT_URL=https://aroojsorganization327-aroojsproject386.lamatic.dev/graphql
LAMATIC_WORKFLOW_ID=163efbc7-595e-4b3a-8b2a-ae8bf3c2a8b0 No newline at end of file

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

Remove committed secrets and rotate the API key.

Good morning, agent. Your mission, should you choose to accept it, is to secure our most sensitive intel. We've detected live credentials—specifically the LAMATIC_API_KEY—exposed in this .env.local file, which has been committed to the repository. Headquarters strictly prohibits committing local environment files containing live secrets. Delete this file from the payload immediately and rotate the compromised API key to prevent unauthorized access. This message will self-destruct in five seconds.

🧰 Tools
🪛 Betterleaks (1.6.1)

[high] 1-1: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 dotenv-linter (4.0.0)

[warning] 3-3: [EndingBlankLine] No blank line at the end of the file

(EndingBlankLine)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.env.local around lines 1 - 3, Remove the committed .env.local file
containing LAMATIC_API_KEY, LAMATIC_ENDPOINT_URL, and LAMATIC_WORKFLOW_ID, and
rotate/revoke the exposed LAMATIC_API_KEY through the secret-management
provider. Ensure local environment files are excluded from version control and
provide only a safe example configuration if the project requires one.

Comment on lines +30 to +55
<div className="min-h-screen bg-slate-950 text-slate-200 p-8">
<div className="max-w-5xl mx-auto flex flex-col md:flex-row gap-8">

{/* Left: Input Panel */}
<div className="w-full md:w-1/2 space-y-6">
<h2 className="text-2xl font-bold text-white">Injection Payload</h2>
<textarea
value={userPrompt}
onChange={(e) => setUserPrompt(e.target.value)}
placeholder="Enter the user's prompt here..."
className="w-full h-40 bg-slate-900 border border-slate-700 rounded-lg p-4 focus:border-blue-500 focus:outline-none"
/>
<textarea
value={modelResponse}
onChange={(e) => setModelResponse(e.target.value)}
placeholder="Enter the model's generated response here..."
className="w-full h-40 bg-slate-900 border border-slate-700 rounded-lg p-4 focus:border-purple-500 focus:outline-none"
/>
<button
onClick={handleAudit}
disabled={loading || !userPrompt || !modelResponse}
className="w-full py-4 bg-gradient-to-r from-blue-600 to-purple-600 rounded-lg font-bold hover:opacity-90 disabled:opacity-50 transition-all"
>
{loading ? "Running Security Audit..." : "Execute Evaluation"}
</button>
</div>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟠 Major | 🏗️ Heavy lift

Adopt the mandated UI component stack.

Good morning, agent. Your mission, should you choose to accept it, is to align our UI assets with headquarters' strict operational specifications. Our directives explicitly mandate the deployment of CSS variables for styling, shadcn/ui components in place of raw HTML elements, and react-hook-form paired with zod for handling application state. Both of your current payloads rely on hardcoded utility colors (e.g., bg-slate-950), native React state, and basic DOM elements.

  • kits/sentinel-auditor/apps/app/dashboard/page.tsx#L30-L55: Refactor the layout and form execution logic to utilize CSS variables, shadcn/ui form components, and react-hook-form with zod validation.
  • kits/sentinel-auditor/apps/app/page.tsx#L24-L65: Replace the hardcoded Tailwind color scales with standard CSS variables and swap out any applicable raw HTML elements for their shadcn/ui equivalents.

This message will self-destruct in five seconds.

📍 Affects 2 files
  • kits/sentinel-auditor/apps/app/dashboard/page.tsx#L30-L55 (this comment)
  • kits/sentinel-auditor/apps/app/page.tsx#L24-L65
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/sentinel-auditor/apps/app/dashboard/page.tsx` around lines 30 - 55,
Refactor the dashboard form around the existing handleAudit flow to use
react-hook-form with zod validation and shadcn/ui form controls instead of
native textareas and buttons, while replacing hardcoded utility colors with the
project’s CSS variables. Apply the CSS-variable styling and relevant shadcn/ui
element replacements to kits/sentinel-auditor/apps/app/page.tsx lines 24-65 as
well; both sites require direct changes, preserving the current userPrompt,
modelResponse, and audit execution behavior.

Source: Coding guidelines

@aroojrafiq

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/sentinel-auditor/apps/app/dashboard/page.tsx`:
- Around line 117-146: Update the dashboard rendering around data.summary and
data.dimensions to safely handle missing or malformed telemetry by providing
fallback summary values and an empty dimensions collection before property
access or Object.entries. Preserve the existing display for valid workflow
responses, including risk-level styling and dimension cards.
- Around line 23-34: Update the useForm configuration in the dashboard form to
set validation mode to onChange, ensuring formState.isValid updates as the user
populates the fields and the submit button is not permanently disabled.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: f7296a16-9c7b-4d9f-b57b-4620f649f5f7

📥 Commits

Reviewing files that changed from the base of the PR and between 7750718 and 8e1fbe4.

📒 Files selected for processing (1)
  • kits/sentinel-auditor/apps/app/dashboard/page.tsx

Comment thread kits/sentinel-auditor/apps/app/dashboard/page.tsx
Comment thread kits/sentinel-auditor/apps/app/dashboard/page.tsx
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@aroojrafiq

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@aroojrafiq

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/sentinel-auditor/apps/app/dashboard/page.tsx`:
- Around line 122-128: Update the risk-level styling logic in the dashboard risk
badge so missing or unknown risk levels use a neutral visual style instead of
the emerald “safe” styling. Preserve the existing High and Medium styles, and
ensure the displayed “Unknown Risk” state matches the neutral fallback.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9719582e-ae2c-4f98-a116-a66c4af94cf3

📥 Commits

Reviewing files that changed from the base of the PR and between 8e1fbe4 and 046773a.

📒 Files selected for processing (1)
  • kits/sentinel-auditor/apps/app/dashboard/page.tsx

Comment thread kits/sentinel-auditor/apps/app/dashboard/page.tsx
@aroojrafiq

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@aroojrafiq

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@aroojrafiq

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@github-actions

Copy link
Copy Markdown
Contributor

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
kits/sentinel-auditor/apps/app/dashboard/page.tsx (1)

134-146: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Reinforce the perimeter against malformed dimension payloads.

Good morning, agent. While you successfully fortified the outer perimeter against missing telemetry, the inner dimension payloads remain vulnerable. If an unpredictable neural anomaly returns a null or scalar value for a dimension instead of the expected object, accessing value.score will trigger a fatal mission abort (TypeError) and crash the dashboard.

Your mission is to apply defensive optional chaining and fallbacks to these inner properties to ensure our dashboard remains operational even under heavy hallucination fire.

🛡️ Proposed defensive maneuvers
-                {Object.entries(data?.dimensions || {}).map(([key, value]: [string, any]) => (
+                {Object.entries(data?.dimensions || {}).map(([key, value]: [string, any]) => (
                   <div key={key} className="p-4 bg-card border border-border rounded-lg shadow-sm">
                     <div className="flex justify-between items-center mb-2">
                       <h4 className="font-semibold capitalize text-foreground">
                         {key.replace('_', ' ')}
                       </h4>
                       <span className="text-xs font-bold bg-secondary text-secondary-foreground px-2 py-1 rounded">
-                        Score: {value.score}
+                        Score: {value?.score ?? 'N/A'}
                       </span>
                     </div>
-                    <p className="text-sm text-muted-foreground">{value.justification}</p>
+                    <p className="text-sm text-muted-foreground">{value?.justification ?? 'No justification provided.'}</p>
                   </div>
                 ))}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/sentinel-auditor/apps/app/dashboard/page.tsx` around lines 134 - 146,
Harden the dimension rendering in the Object.entries map by safely accessing
each dimension’s score and justification when value is null, scalar, or
otherwise malformed. Update the value.score and value.justification references
to use defensive optional chaining with suitable fallbacks, while preserving the
existing rendering for valid dimension objects.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@kits/sentinel-auditor/apps/app/dashboard/page.tsx`:
- Around line 134-146: Harden the dimension rendering in the Object.entries map
by safely accessing each dimension’s score and justification when value is null,
scalar, or otherwise malformed. Update the value.score and value.justification
references to use defensive optional chaining with suitable fallbacks, while
preserving the existing rendering for valid dimension objects.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: c43913fe-0d3a-4145-bc75-c034c98bd386

📥 Commits

Reviewing files that changed from the base of the PR and between 8e1fbe4 and e7e8b11.

📒 Files selected for processing (1)
  • kits/sentinel-auditor/apps/app/dashboard/page.tsx

@aroojrafiq

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant