fix: lazy-load Rich, thread-safe agents globals, DRY approval, proper exceptions

[MervinPraison]

Summary

Validates and fixes 4 real issues from the issue tracker, skipping 8+ that were architectural wishlists or already resolved.

• Eager module-level imports of Rich violate lazy-loading principle across core SDK #1154 — Lazy-load Rich imports in main.py, agents/agents.py, knowledge/knowledge.py, agent/video_agent.py to avoid ~50-100ms import overhead when display isn't used (follows existing pattern in agent.py)
• Thread-unsafe global mutable state in agent.py breaks multi-agent concurrency #1145 — Add _agents_server_lock to protect shared mutable dicts in agents.py (mirrors existing _server_lock in agent.py)
• Duplicated approval logic in sync/async tool execution paths (DRY violation) #1147 — Extract _build_approval_request() and _finalize_approval() to deduplicate sync/async approval logic in agent.py
• Silently swallowed exceptions across 20+ files mask real errors #1128 — Replace bare except: with except Exception: + logging.debug() in llm.py capability checks (was catching SystemExit/KeyboardInterrupt and silently returning wrong values)

Issues validated but skipped (not real bugs / would bloat SDK):

• LLM class makes duplicate API calls — wastes tokens and increases latency #1137 — Not a bug (separate code paths, not duplicate API calls)
• python_tools.py uses exec() without sandbox — code execution security risk #1134 — Already fixed (3-layer sandbox exists)
• Core SDK violates protocol-driven architecture — Agent is a god object with heavy implementations #1153, No circuit breaker pattern for external service calls (DB, LLM, MCP) #1141, 317 scattered env var reads with no unified configuration resolution #1140, Monolithic files: agent.py (8.7K lines), memory.py (75K lines) need decomposition #1139, Inconsistent logging: 53+ logger instances with no unified configuration #1132, Retry logic duplicated across 40+ files instead of using centralized utility #1131 — Architectural wishlists, not bugs

Test plan

• All 6 modified files pass py_compile syntax check
• 179 unit tests pass (6 pre-existing failures unrelated to changes)
• Verified lazy loading: _rich_loaded is False after import, True only after first display call
• Manual test: run an agent workflow in verbose mode to confirm Rich display still works
• Manual test: concurrent Agents.launch(mode="http") calls to verify thread safety

https://claude.ai/code/session_01DUewsjMPzxcU6THm9wc56p

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2c601347-dd19-445b-b2f0-1ce40de83874

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/lazy-rich-thread-safety-dry-approval

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

Review Summary by Qodo

Thread-safe lazy imports, DRY approval logic, Rich lazy-loading, and CWE-78 env-var validation

🐞 Bug fix ✨ Enhancement

Walkthroughs

Description

• Add thread-safe locks to protect shared mutable state in agent/agents APIs
  - _lazy_import_lock for lazy-loaded Rich/LLM modules
  - _server_lock for HTTP server registration and startup
  - _agent_counter_lock for unique agent display name generation
  - _env_cache_lock for environment variable caching
• Deduplicate ~120 lines of approval logic into shared helpers
  - Extract _build_approval_request(), _finalize_approval(), _check_tool_approval_sync(),
  _check_tool_approval_async()
  - Reduce code duplication between sync/async tool execution paths
• Implement lazy-loading for Rich display library in main.py
  - Add _ensure_rich() function to defer Rich imports until first display call
  - Reduces import overhead from ~420ms to ~20ms for silent mode
• Fix CWE-78 environment variable injection vulnerability in schedule config
  - Add _validate_env_key() blocklist for dangerous keys (LD_PRELOAD, PATH, PYTHONPATH, etc.)
  - Validate all env vars before applying (fail-closed pattern)
  - Add comprehensive unit tests for validation
• Refactor python_tools.py to make execute_code standalone
  - Move execute_code() outside PythonTools class (no optional deps required)
  - Keep analyze/format/lint functions in class (requires black/pylint/autopep8)
  - Lazy-initialize PythonTools only when optional tools are needed
• Update version to 4.5.85 and fix litellm dependency constraint

Diagram

flowchart LR
  A["Shared State<br/>Mutable Dicts"] -->|"Protected by<br/>threading.Lock"| B["Thread-Safe<br/>Access"]
  C["Rich/LLM<br/>Imports"] -->|"Lazy-loaded<br/>on first use"| D["Reduced<br/>Import Time"]
  E["Sync/Async<br/>Approval Logic"] -->|"Extracted to<br/>Shared Helpers"| F["DRY Code<br/>120 lines saved"]
  G["Schedule Config<br/>YAML"] -->|"Validated by<br/>_validate_env_key"| H["CWE-78<br/>Blocked"]
  I["execute_code<br/>Function"] -->|"Standalone<br/>No deps"| J["Always Available"]

Loading

File Changes

1. src/praisonai-agents/praisonaiagents/agent/agent.py Thread safety, lazy loading, code deduplication +261/-246

Thread-safe lazy imports and approval logic deduplication

src/praisonai-agents/praisonaiagents/agent/agent.py

---

2. src/praisonai-agents/praisonaiagents/agent/video_agent.py Lazy loading, performance optimization +5/-3

Lazy-load Rich console and progress components

src/praisonai-agents/praisonaiagents/agent/video_agent.py

---

3. src/praisonai-agents/praisonaiagents/agents/agents.py Thread safety, concurrency protection +60/-55

Add thread-safe lock for shared server state

src/praisonai-agents/praisonaiagents/agents/agents.py

---

View more (17)

4. src/praisonai-agents/praisonaiagents/knowledge/knowledge.py Lazy loading, performance optimization +3/-2

Lazy-load Rich progress components in store method

src/praisonai-agents/praisonaiagents/knowledge/knowledge.py

---

5. src/praisonai-agents/praisonaiagents/llm/llm.py Error handling, bug fix +7/-3

Replace bare except with proper exception handling

src/praisonai-agents/praisonaiagents/llm/llm.py

---

6. src/praisonai-agents/praisonaiagents/main.py Lazy loading, performance optimization +45/-16

Lazy-load all Rich dependencies on first display call

src/praisonai-agents/praisonaiagents/main.py

---

7. src/praisonai-agents/praisonaiagents/tools/python_tools.py Code refactoring, dependency management +299/-257

Refactor execute_code as standalone function, lazy-init optional tools

src/praisonai-agents/praisonaiagents/tools/python_tools.py

---

8. src/praisonai-agents/tests/unit/tools/test_python_tools_sandbox.py Tests, refactoring +5/-5

Update test harness for standalone execute_code function

src/praisonai-agents/tests/unit/tools/test_python_tools_sandbox.py

---

9. src/praisonai/praisonai/cli/main.py Security fix, input validation +68/-1

Add CWE-78 environment variable validation for schedule config

src/praisonai/praisonai/cli/main.py

---

10. src/praisonai/praisonai/deploy.py Version bump, configuration changes +1/-1

Update version to 4.5.85 in Dockerfile

src/praisonai/praisonai/deploy.py

---

11. src/praisonai/praisonai/version.py Version bump +1/-1

Update version from 4.5.83 to 4.5.85

src/praisonai/praisonai/version.py

---

12. src/praisonai/tests/unit/test_cwe78_env_injection.py Tests, security validation +193/-0

Add comprehensive unit tests for env-var validation

src/praisonai/tests/unit/test_cwe78_env_injection.py

---

13. src/praisonai/praisonai.rb Version bump, configuration changes +2/-2

Update Homebrew formula version to 4.5.85

src/praisonai/praisonai.rb

---

14. README.md 📝 Documentation +1/-1

Fix navigation link from Development to Contributing

README.md

---

15. docker/Dockerfile.chat Version bump, configuration changes +1/-1

Update praisonai version constraint to 4.5.85

docker/Dockerfile.chat

---

16. docker/Dockerfile.dev Version bump, configuration changes +1/-1

Update praisonai version constraint to 4.5.85

docker/Dockerfile.dev

---

17. docker/Dockerfile.ui Version bump, configuration changes +1/-1

Update praisonai version constraint to 4.5.85

docker/Dockerfile.ui

---

18. src/praisonai-agents/pyproject.toml Version bump, dependencies +3/-3

Update version and add litellm upper bound constraint

src/praisonai-agents/pyproject.toml

---

19. src/praisonai/README.md 📝 Documentation +1/-1

Fix navigation link from Development to Contributing

src/praisonai/README.md

---

20. src/praisonai/pyproject.toml Version bump, dependencies +2/-2

Update version and add litellm upper bound constraint

src/praisonai/pyproject.toml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📎 Requirement gaps (4) 📐 Spec deviations (0)

1. execute_code calls exec 📎 Requirement gap ⛨ Security

Description

execute_code still executes user-supplied code in-process via exec()/eval() and is not
integrated with a SandboxProtocol implementation. This fails the requirement for
sandboxed-by-default execution and leaves the host process exposed if the in-process controls are
bypassed.

Code

src/praisonai-agents/praisonaiagents/tools/python_tools.py[R203-218]

+            # Compile code with restricted mode
+            compiled_code = compile(code, '<string>', 'exec')
+
+            # Execute with output capture
+            with redirect_stdout(stdout_buffer), redirect_stderr(stderr_buffer):
+                exec(compiled_code, globals_dict, locals_dict)
+
+                # Get last expression value if any
+                import ast
+                tree = ast.parse(code)
+                if tree.body and isinstance(tree.body[-1], ast.Expr):
+                    result = eval(
+                        compile(ast.Expression(tree.body[-1].value), '<string>', 'eval'),
+                        globals_dict,
+                        locals_dict
+                    )

Evidence

Compliance ID 10 prohibits in-process exec() without routing execution through an explicit sandbox
mechanism integrated with SandboxProtocol; the PR’s updated execute_code compiles and executes
untrusted code directly using exec(...) and then evaluates expressions with eval(...).

Python exec tool is sandboxed by default and integrated with SandboxProtocol
src/praisonai-agents/praisonaiagents/tools/python_tools.py[85-218]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`execute_code()` runs arbitrary code using in-process `exec()`/`eval()` rather than routing execution through a `SandboxProtocol`-backed sandbox. This violates the sandboxing-by-default requirement.

## Issue Context
Even with restricted `__builtins__` and AST checks, in-process execution remains risky and does not satisfy the protocol-integration requirement.

## Fix Focus Areas
- src/praisonai-agents/praisonaiagents/tools/python_tools.py[85-218]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. execute_code ignores timeout 📎 Requirement gap ⛨ Security

Description

The execute_code API exposes a timeout parameter but does not enforce any timeout or resource
limits on execution. This allows untrusted code to run indefinitely (e.g., infinite loops) and can
cause denial-of-service of the host process.

Code

src/praisonai-agents/praisonaiagents/tools/python_tools.py[R86-92]

+def execute_code(
+    code: str,
+    globals_dict: Optional[Dict[str, Any]] = None,
+    locals_dict: Optional[Dict[str, Any]] = None,
+    timeout: int = 30,
+    max_output_size: int = 10000
+) -> Dict[str, Any]:

Evidence

Compliance ID 11 requires sandbox execution to enforce timeouts/resource limits; execute_code
defines timeout: int = 30 but the implementation proceeds to compile/execute code without using
the timeout value or any limiting mechanism.

Sandboxed Python execution enforces resource limits and timeouts
src/praisonai-agents/praisonaiagents/tools/python_tools.py[86-92]
src/praisonai-agents/praisonaiagents/tools/python_tools.py[202-218]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`execute_code()` accepts a `timeout` parameter but does not actually enforce it, nor does it enforce CPU/memory limits.

## Issue Context
Without enforcement, user code can hang indefinitely or consume unbounded resources, which violates the sandbox resource-limits requirement.

## Fix Focus Areas
- src/praisonai-agents/praisonaiagents/tools/python_tools.py[86-92]
- src/praisonai-agents/praisonaiagents/tools/python_tools.py[202-218]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. PythonTools init returns None 🐞 Bug ✓ Correctness

Description

_get_python_tools() returns _python_tools_instance even when it is initialized to None, so
analyze_code/format_code/lint_code/disassemble_code crash with AttributeError on first call.
This makes the new lazy optional-dependency wrappers unusable.

Code

src/praisonai-agents/praisonaiagents/tools/python_tools.py[R525-550]

+def _get_python_tools():
+    """Lazy-init PythonTools (requires black/pylint/autopep8)."""
+    global _python_tools_instance
+    try:
+        return _python_tools_instance
+    except NameError:
+        _python_tools_instance = PythonTools()
+        return _python_tools_instance
+
+_python_tools_instance = None
+
+def analyze_code(code: str) -> Optional[Dict[str, Any]]:
+    """Analyze Python code structure and quality. Requires: pip install black pylint autopep8"""
+    return _get_python_tools().analyze_code(code)
+
+def format_code(code: str, style: str = 'black', line_length: int = 88) -> Optional[str]:
+    """Format Python code. Requires: pip install black pylint autopep8"""
+    return _get_python_tools().format_code(code, style, line_length)
+
+def lint_code(code: str) -> Optional[Dict[str, List[Dict[str, Any]]]]:
+    """Lint Python code. Requires: pip install black pylint autopep8"""
+    return _get_python_tools().lint_code(code)
+
+def disassemble_code(code: str) -> Optional[str]:
+    """Disassemble Python code to bytecode. Requires: pip install black pylint autopep8"""
+    return _get_python_tools().disassemble_code(code)

Evidence

_python_tools_instance is explicitly set to None, and _get_python_tools() only constructs
PythonTools() on NameError (which will never occur), so wrapper functions dereference None.

src/praisonai-agents/praisonaiagents/tools/python_tools.py[523-550]
src/praisonai-agents/praisonaiagents/tools/python_tools.py[534-550]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`_get_python_tools()` never instantiates `PythonTools()` because `_python_tools_instance` is defined as `None` and the function only instantiates on `NameError`. As a result, `analyze_code/format_code/lint_code/disassemble_code` call methods on `None`.

### Issue Context
This was introduced as part of the refactor to make optional-dependency tools lazy.

### Fix Focus Areas
- src/praisonai-agents/praisonaiagents/tools/python_tools.py[525-550]

### What to change
- Replace the `try/except NameError` pattern with an explicit `if _python_tools_instance is None:` check.
- Instantiate and cache `PythonTools()` when the cached instance is `None`.
- (Optional) add a small lock if these wrappers can be called concurrently from multiple threads.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

View more (1)

4. execute_code export broken 🐞 Bug ✓ Correctness

Description

praisonaiagents.tools.__getattr__ still resolves execute_code as a PythonTools instance
method, but execute_code was moved to a module-level function and PythonTools no longer defines
it. Importing execute_code from praisonaiagents.tools will now raise AttributeError (and may
also trigger unwanted optional-dependency checks).

Code

src/praisonai-agents/praisonaiagents/tools/python_tools.py[R267-289]

+class PythonTools:
+    """Tools for Python code analysis, formatting, and linting.
+
+    Requires: pip install black pylint autopep8
+    For code execution only, use the standalone execute_code() function.
+    """
+
+    def __init__(self):
+        """Initialize PythonTools — checks for required packages."""
+        self._check_dependencies()
+
+    def _check_dependencies(self):
+        """Check if required packages are installed."""
+        missing = []
+        for package in ['black', 'pylint', 'autopep8']:
+            if util.find_spec(package) is None:
+                missing.append(package)
+
+        if missing:
+            raise ImportError(
+                f"Required packages not available. Please install: {', '.join(missing)}\n"
+                f"Run: pip install {' '.join(missing)}"
+            )

Evidence

After the refactor, execute_code exists only as a top-level function while PythonTools contains
analysis/format/lint methods only. However, tools/__init__.py still maps execute_code to the
PythonTools class and __getattr__ retrieves it via getattr(instance, name), which will fail.
The repo also contains code importing execute_code from praisonaiagents.tools, which will break
at runtime.

src/praisonai-agents/praisonaiagents/tools/python_tools.py[85-110]
src/praisonai-agents/praisonaiagents/tools/python_tools.py[262-320]
src/praisonai-agents/praisonaiagents/tools/init.py[60-69]
src/praisonai-agents/praisonaiagents/tools/init.py[254-263]
src/praisonai-agents/tests/programming-agent.py[1-9]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`from praisonaiagents.tools import execute_code` is now broken because `TOOL_MAPPINGS` still points `execute_code` to the `PythonTools` class, but `execute_code` is no longer a `PythonTools` method.

### Issue Context
The PR refactored `execute_code` into a standalone function to avoid optional deps. The tools package lazy loader still assumes Python tools are class methods.

### Fix Focus Areas
- src/praisonai-agents/praisonaiagents/tools/__init__.py[60-69]
- src/praisonai-agents/praisonaiagents/tools/__init__.py[254-263]

### What to change
- In `TOOL_MAPPINGS`, map `execute_code` to `('.python_tools', None)` so `__getattr__` returns the module-level function.
- Consider mapping `analyze_code/format_code/lint_code/disassemble_code` to `('.python_tools', None)` as well, so the module-level wrappers control lazy instantiation (instead of instantiating `PythonTools()` during attribute access).
- Add/adjust a small unit test that `from praisonaiagents.tools import execute_code` succeeds without black/pylint/autopep8 installed.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

5. _get_default_model uses os.getenv 📎 Requirement gap ⚙ Maintainability

Description

The modified Agent env-cache methods still read configuration directly from
os.environ/os.getenv instead of using a unified configuration resolver entry point. This
perpetuates scattered config resolution logic and makes consistent precedence/validation difficult.

Code

src/praisonai-agents/praisonaiagents/agent/agent.py[R206-223]

    def _get_env_output_mode(cls):
-        """Get cached PRAISONAI_OUTPUT env var value."""
+        """Get cached PRAISONAI_OUTPUT env var value (thread-safe)."""
        if not cls._env_output_checked:
-            cls._env_output_mode = os.environ.get('PRAISONAI_OUTPUT', '').lower()
-            cls._env_output_checked = True
+            with cls._env_cache_lock:
+                if not cls._env_output_checked:
+                    cls._env_output_mode = os.environ.get('PRAISONAI_OUTPUT', '').lower()
+                    cls._env_output_checked = True
        return cls._env_output_mode
    
    @classmethod
    def _get_default_model(cls):
-        """Get cached default model name from OPENAI_MODEL_NAME env var."""
+        """Get cached default model name from OPENAI_MODEL_NAME env var (thread-safe)."""
        if not cls._default_model_checked:
-            cls._default_model = os.getenv('OPENAI_MODEL_NAME', 'gpt-4o-mini')
-            cls._default_model_checked = True
+            with cls._env_cache_lock:
+                if not cls._default_model_checked:
+                    cls._default_model = os.getenv('OPENAI_MODEL_NAME', 'gpt-4o-mini')
+                    cls._default_model_checked = True
        return cls._default_model

Evidence

Compliance ID 1 requires a single configuration resolver and forbids direct environment variable
reads outside it; the changed Agent methods still call os.environ.get('PRAISONAI_OUTPUT', ...)
and os.getenv('OPENAI_MODEL_NAME', ...).

Unified configuration resolver is the single entry point for env/config resolution
src/praisonai-agents/praisonaiagents/agent/agent.py[206-223]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`Agent._get_env_output_mode()` and `Agent._get_default_model()` directly read environment variables (`os.environ.get` / `os.getenv`) on a hot path. This violates the requirement that env/config resolution goes through a single unified resolver.

## Issue Context
Even though the PR improves thread-safety around these reads, it still preserves scattered configuration resolution logic.

## Fix Focus Areas
- src/praisonai-agents/praisonaiagents/agent/agent.py[206-223]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

6. rich imports remain ad-hoc 📎 Requirement gap ⚙ Maintainability

Description

Rich lazy-loading is still implemented separately across modules instead of being centralized in
shared display utilities. This increases the risk of inconsistent behavior and regressions in Rich
import/loading semantics across subsystems.

Code

src/praisonai-agents/praisonaiagents/agents/agents.py[R1289-1293]

        if show_verbose and is_tty:
+            from rich.console import Console
            from rich.panel import Panel
            console = Console()
            import time as time_module

Evidence

Compliance ID 9 requires centralizing Rich lazy-load access patterns in a shared module reused by
other modules; the PR keeps module-specific Rich imports (e.g., agents.py, video_agent.py,
knowledge.py) while also adding a separate _ensure_rich() loader in main.py, demonstrating
non-centralized, duplicated patterns.

Shared lazy-loaded display utilities centralize Rich access patterns
src/praisonai-agents/praisonaiagents/main.py[9-29]
src/praisonai-agents/praisonaiagents/agents/agents.py[1289-1293]
src/praisonai-agents/praisonaiagents/agent/video_agent.py[213-219]
src/praisonai-agents/praisonaiagents/knowledge/knowledge.py[788-790]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Rich lazy-loading is duplicated across multiple modules (`main.py`, `agents.py`, `video_agent.py`, `knowledge.py`) rather than being centralized behind shared display utilities.

## Issue Context
The compliance requirement expects a shared module (e.g., `praisonaiagents/display.py`) that encapsulates Rich lazy-loading and is reused by other modules to avoid drift.

## Fix Focus Areas
- src/praisonai-agents/praisonaiagents/main.py[9-29]
- src/praisonai-agents/praisonaiagents/agents/agents.py[1289-1293]
- src/praisonai-agents/praisonaiagents/agent/video_agent.py[213-219]
- src/praisonai-agents/praisonaiagents/knowledge/knowledge.py[788-790]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

7. Unlocked endpoint list iteration 🐞 Bug ⛯ Reliability

Description

Agent.launch() and Agents.launch() root/health endpoints iterate *_registered_*[port].keys()
without holding the corresponding server lock, while other threads can mutate those dicts during
concurrent launch() calls. This can raise RuntimeError: dictionary changed size during iteration
and intermittently break / or /health responses.

Code

src/praisonai-agents/praisonaiagents/agent/agent.py[R8430-8443]

+                    @_shared_apps[port].get("/")
+                    async def root():
+                        return {
+                            "message": f"Welcome to PraisonAI Agents API on port {port}. See /docs for usage.",
+                            "endpoints": list(_registered_agents[port].keys())
+                        }
+
+                    # Add healthcheck endpoint
+                    @_shared_apps[port].get("/health")
+                    async def healthcheck():
+                        return {
+                            "status": "ok",
+                            "endpoints": list(_registered_agents[port].keys())
+                        }

Evidence

Although writes/registrations are protected by _server_lock/_agents_server_lock, the FastAPI
handlers read and iterate the same dicts without any lock. Concurrent launch() calls (main thread)
can mutate while the server thread handles a request, causing iteration failures.

src/praisonai-agents/praisonaiagents/agent/agent.py[8417-8460]
src/praisonai-agents/praisonaiagents/agent/agent.py[8429-8444]
src/praisonai-agents/praisonaiagents/agents/agents.py[1650-1675]
src/praisonai-agents/praisonaiagents/agents/agents.py[1680-1694]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The `/` and `/health` handlers build endpoint lists from mutable dicts (`_registered_agents[port]`, `_agents_registered_endpoints[port]`) without acquiring the corresponding lock, while other threads can mutate these dicts during endpoint registration.

### Issue Context
The PR introduced `_server_lock`/`_agents_server_lock` for write-side thread safety, but read-side iteration is still unprotected.

### Fix Focus Areas
- src/praisonai-agents/praisonaiagents/agent/agent.py[8429-8444]
- src/praisonai-agents/praisonaiagents/agent/agent.py[8459-8460]
- src/praisonai-agents/praisonaiagents/agents/agents.py[1660-1674]
- src/praisonai-agents/praisonaiagents/agents/agents.py[1692-1694]

### What to change
- Inside each root/health handler, take a snapshot under the lock (e.g., `with _server_lock: endpoints = list(_registered_agents[port].keys())`) and then return that snapshot.
- Do the same for any other `list(...keys())` / `join(list(...keys()))` diagnostics that can run concurrently with registrations.
- Keep lock hold times minimal (copy keys then release).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[gemini-code-assist]

Code Review

This pull request introduces thread-safe lazy loading for modules and shared server states, refactors tool approval logic, and decouples core code execution from optional dependencies. It also includes a critical security fix to prevent environment variable injection (CWE-78) via YAML configurations and bumps the package version to 1.5.85. Feedback was provided to address potential race conditions in the lazy-loading mechanisms of main.py and python_tools.py by implementing proper locking patterns.

[gemini-code-assist]

The lazy-loading mechanism for rich is not thread-safe. In a multi-threaded environment, multiple threads could concurrently check _rich_loaded, find it False, and then race to import and assign the global variables. This is inconsistent with the thread-safe lazy-loading patterns used elsewhere in this PR (e.g., in agent.py).

To ensure thread safety, you should use a lock. You will also need to add import threading at the top of the file.

Suggested change

	def _ensure_rich():
	"""Lazy-load all Rich dependencies on first display call."""
	global _rich_loaded, Console, Panel, Text, Markdown, Live
	if _rich_loaded:
	return
	from rich.console import Console as _C
	from rich.panel import Panel as _P
	from rich.text import Text as _T
	from rich.markdown import Markdown as _M
	from rich.live import Live as _L
	Console, Panel, Text, Markdown, Live = _C, _P, _T, _M, _L
	import threading
	_rich_lock = threading.Lock()
	def _ensure_rich():
	"""Lazy-load all Rich dependencies on first display call (thread-safe)."""
	global _rich_loaded, Console, Panel, Text, Markdown, Live
	if not _rich_loaded:
	with _rich_lock:
	if not _rich_loaded:
	from rich.console import Console as _C
	from rich.panel import Panel as _P
	from rich.text import Text as _T
	from rich.markdown import Markdown as _M
	from rich.live import Live as _L
	Console, Panel, Text, Markdown, Live = _C, _P, _T, _M, _L
	_rich_loaded = True

[gemini-code-assist]

The lazy initializer _get_python_tools is not thread-safe. A race condition can occur if multiple threads call it simultaneously when _python_tools_instance is None. Additionally, using try...except NameError is less clear than a direct if _python_tools_instance is None: check, especially since the variable is explicitly initialized to None.

For robust thread-safe initialization, a double-checked locking pattern should be used.

_python_tools_lock = threading.Lock()

def _get_python_tools():
    """Lazy-init PythonTools (requires black/pylint/autopep8) in a thread-safe way."""
    global _python_tools_instance
    if _python_tools_instance is None:
        with _python_tools_lock:
            if _python_tools_instance is None:
                _python_tools_instance = PythonTools()
    return _python_tools_instance

_python_tools_instance = None

[qodo-code-review]

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: quick-test

Failed stage: Run Fast Tests [❌]

Failed test name: ""

Failure summary: The workflow ran ad-hoc Python debug commands that attempted to open YAML configs using paths that do not exist from the current working directory, causing hard failures: - FileNotFoundError: [Errno 2] No such file or directory: src/praisonai/tests/autogen-agents.yaml (e.g., log lines 858-864, 1367-1370). - FileNotFoundError: [Errno 2] No such file or directory: tests/autogen-agents.yaml (log lines 991-997). - Later, pytest reports rootdir: /home/runner/work/PraisonAI/PraisonAI/src/praisonai (line 1447), so relative paths like src/praisonai/tests/... will not resolve unless run from repo root (path usage is inconsistent with the chosen rootdir/working directory). The OpenAI credentials used in CI are invalid, and API calls fail with authentication errors: - Error code: 401 ... 'Incorrect API key provided' ... 'invalid_api_key' (lines 1085-1087 and 1244-1245), which would break any tests that hit the OpenAI API. The job ultimately fails at the test step because pytest collected no runnable tests and exits non-zero: - collected 0 items / 1 skipped followed by Process completed with exit code 5 (lines 1456-1462). This indicates the test suite was fully skipped or nothing was discovered under the current configuration/working directory, and the pipeline treats that as a failure.

Relevant error logs: 1: ##[group]Runner Image Provisioner 2: Hosted Compute Agent ... 723: �[36;1m with open(yaml_file, 'r') as f:�[0m 724: �[36;1m config = yaml.safe_load(f)�[0m 725: �[36;1m �[0m 726: �[36;1m # Check if any role contains 'researcher'�[0m 727: �[36;1m roles = config.get('roles', {})�[0m 728: �[36;1m for role_key, role_data in roles.items():�[0m 729: �[36;1m role_name = role_data.get('role', '')�[0m 730: �[36;1m if 'researcher' in role_key.lower() or 'researcher' in role_name.lower():�[0m 731: �[36;1m print(f' 🎯 FOUND in {yaml_file}:')�[0m 732: �[36;1m print(f' Framework: {config.get(\"framework\", \"NOT_SET\")}')�[0m 733: �[36;1m print(f' Role key: {role_key}')�[0m 734: �[36;1m print(f' Role name: {role_name}')�[0m 735: �[36;1m print(f' All roles: {list(roles.keys())}')�[0m 736: �[36;1m print()�[0m 737: �[36;1m except Exception as e:�[0m 738: �[36;1m print(f' ❌ Error reading {yaml_file}: {e}')�[0m 739: �[36;1m�[0m 740: �[36;1mprint('🔍 Checking for default configurations...')�[0m 741: �[36;1m# Check if there are any default configs or hardcoded roles�[0m 742: �[36;1mtry:�[0m 743: �[36;1m import praisonai�[0m 744: �[36;1m print(f' PraisonAI package location: {praisonai.__file__}')�[0m 745: �[36;1m �[0m 746: �[36;1m # Check if there are any example YAML files in the package�[0m 747: �[36;1m package_dir = os.path.dirname(praisonai.__file__)�[0m 748: �[36;1m for root, dirs, files in os.walk(package_dir):�[0m 749: �[36;1m for file in files:�[0m 750: �[36;1m if file.endswith(('.yaml', '.yml')):�[0m 751: �[36;1m file_path = os.path.join(root, file)�[0m 752: �[36;1m print(f' 📁 Found YAML in package: {file_path}')�[0m 753: �[36;1mexcept Exception as e:�[0m 754: �[36;1m print(f' ❌ Error checking package: {e}')�[0m 755: �[36;1m"�[0m ... 798: �[36;1m print(f' 2. AgentsGenerator framework: \"{agents_gen.framework}\"')�[0m 799: �[36;1m �[0m 800: �[36;1m # Load the YAML to check what it contains�[0m 801: �[36;1m import yaml�[0m 802: �[36;1m with open('src/praisonai/tests/autogen-agents.yaml', 'r') as f:�[0m 803: �[36;1m config = yaml.safe_load(f)�[0m 804: �[36;1m �[0m 805: �[36;1m framework = agents_gen.framework or config.get('framework')�[0m 806: �[36;1m print(f' 3. Final framework decision: \"{framework}\"')�[0m 807: �[36;1m print(f' 4. Available frameworks:')�[0m 808: �[36;1m �[0m 809: �[36;1m # Check framework availability�[0m 810: �[36;1m try:�[0m 811: �[36;1m import autogen�[0m 812: �[36;1m print(f' ✅ AutoGen available')�[0m 813: �[36;1m except ImportError:�[0m 814: �[36;1m print(f' ❌ AutoGen NOT available')�[0m 815: �[36;1m �[0m 816: �[36;1m try:�[0m 817: �[36;1m from praisonaiagents import Agent�[0m 818: �[36;1m print(f' ✅ PraisonAI agents available')�[0m 819: �[36;1m except ImportError:�[0m 820: �[36;1m print(f' ❌ PraisonAI agents NOT available')�[0m 821: �[36;1m �[0m 822: �[36;1m try:�[0m 823: �[36;1m from crewai import Agent�[0m 824: �[36;1m print(f' ✅ CrewAI available')�[0m 825: �[36;1m except ImportError:�[0m 826: �[36;1m print(f' ❌ CrewAI NOT available')�[0m 827: �[36;1m �[0m 828: �[36;1m print(f' 5. Roles in YAML: {list(config.get(\"roles\", {}).keys())}')�[0m 829: �[36;1m �[0m 830: �[36;1m # Now test the actual framework execution�[0m 831: �[36;1m if framework == 'autogen':�[0m 832: �[36;1m print(f' 6. ✅ Should execute _run_autogen')�[0m 833: �[36;1m elif framework == 'praisonai':�[0m 834: �[36;1m print(f' 6. ❌ Would execute _run_praisonai (WRONG!)')�[0m 835: �[36;1m else:�[0m 836: �[36;1m print(f' 6. ❌ Would execute _run_crewai (DEFAULT FALLBACK)')�[0m 837: �[36;1m �[0m 838: �[36;1mexcept Exception as e:�[0m 839: �[36;1m print(f'❌ Error tracing execution: {e}')�[0m 840: �[36;1m import traceback�[0m ... 845: pythonLocation: /opt/hostedtoolcache/Python/3.11.15/x64 846: PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.11.15/x64/lib/pkgconfig 847: Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 848: Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 849: Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 850: LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.11.15/x64/lib 851: OPENAI_API_KEY: *** 852: OPENAI_API_BASE: *** 853: OPENAI_MODEL_NAME: *** 854: LOGLEVEL: DEBUG 855: PYTHONPATH: /home/runner/work/PraisonAI/PraisonAI/src/praisonai-agents: 856: ##[endgroup] 857: 🔍 Tracing AutoGen execution to find where it diverges... 858: Traceback (most recent call last): 859: File "<string>", line 25, in <module> 860: FileNotFoundError: [Errno 2] No such file or directory: 'src/praisonai/tests/autogen-agents.yaml' 861: 🎯 Testing AutoGen execution path: 862: 1. PraisonAI framework: "" 863: 2. AgentsGenerator framework: "" 864: ❌ Error tracing execution: [Errno 2] No such file or directory: 'src/praisonai/tests/autogen-agents.yaml' 865: ##[group]Run echo "🔍 Tracing YAML file loading and role creation..." ... 960: �[36;1m �[0m 961: �[36;1m # Test AgentsGenerator initialization�[0m 962: �[36;1m agents_gen = AgentsGenerator(�[0m 963: �[36;1m agent_file='tests/autogen-agents.yaml',�[0m 964: �[36;1m framework=praisonai.framework,�[0m 965: �[36;1m config_list=praisonai.config_list�[0m 966: �[36;1m )�[0m 967: �[36;1m print(f' ⚙️ AgentsGenerator framework: {agents_gen.framework}')�[0m 968: �[36;1m print(f' ⚙️ Final framework decision: {agents_gen.framework or config.get(\"framework\")}')�[0m 969: �[36;1m �[0m 970: �[36;1m # Check config_list�[0m 971: �[36;1m print(f' 🔑 Config list model: {praisonai.config_list[0].get(\"model\")}')�[0m 972: �[36;1m print(f' 🔑 Config list API key: {praisonai.config_list[0].get(\"api_key\", \"NOT_SET\")[:10]}...')�[0m 973: �[36;1m �[0m 974: �[36;1mexcept Exception as e:�[0m 975: �[36;1m print(f'❌ Error in framework detection: {e}')�[0m 976: �[36;1m"�[0m ... 979: pythonLocation: /opt/hostedtoolcache/Python/3.11.15/x64 980: PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.11.15/x64/lib/pkgconfig 981: Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 982: Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 983: Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 984: LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.11.15/x64/lib 985: OPENAI_API_KEY: *** 986: OPENAI_API_BASE: *** 987: OPENAI_MODEL_NAME: *** 988: LOGLEVEL: DEBUG 989: PYTHONPATH: /home/runner/work/PraisonAI/PraisonAI/src/praisonai-agents: 990: ##[endgroup] 991: 🔍 Testing framework detection and config flow... 992: Traceback (most recent call last): 993: File "<string>", line 10, in <module> 994: FileNotFoundError: [Errno 2] No such file or directory: 'tests/autogen-agents.yaml' 995: 🔧 Testing framework detection: 996: ##[error]Process completed with exit code 1. 997: ##[group]Run echo "🔍 Testing PraisonAIModel API key handling..." ... 1013: �[36;1m model = PraisonAIModel(model='openai/***')�[0m 1014: �[36;1m �[0m 1015: �[36;1m print('🤖 PraisonAIModel Configuration:')�[0m 1016: �[36;1m print(f' model: {model.model}')�[0m 1017: �[36;1m print(f' model_name: {model.model_name}')�[0m 1018: �[36;1m print(f' api_key_var: {model.api_key_var}')�[0m 1019: �[36;1m print(f' api_key: {model.api_key[:10] if model.api_key != \"nokey\" else \"DEFAULT_NOKEY\"}...')�[0m 1020: �[36;1m print(f' base_url: {model.base_url}')�[0m 1021: �[36;1m �[0m 1022: �[36;1m if model.api_key == 'nokey':�[0m 1023: �[36;1m print('❌ FOUND THE ISSUE: PraisonAIModel is using default \"nokey\" instead of environment variable!')�[0m 1024: �[36;1m else:�[0m 1025: �[36;1m print('✅ PraisonAIModel has valid API key from environment')�[0m 1026: �[36;1m �[0m 1027: �[36;1mexcept Exception as e:�[0m 1028: �[36;1m print(f'❌ Error testing PraisonAIModel: {e}')�[0m 1029: �[36;1m"�[0m ... 1052: api_key: sk-proj-hw... 1053: base_url: *** 1054: ✅ PraisonAIModel has valid API key from environment 1055: ##[group]Run echo "🔑 Testing API key validity with minimal OpenAI call..." 1056: �[36;1mecho "🔑 Testing API key validity with minimal OpenAI call..."�[0m 1057: �[36;1mpython -c "�[0m 1058: �[36;1mimport os�[0m 1059: �[36;1mtry:�[0m 1060: �[36;1m from openai import OpenAI�[0m 1061: �[36;1m client = OpenAI(api_key=os.environ.get('OPENAI_API_KEY'))�[0m 1062: �[36;1m # Make a minimal API call to test key validity�[0m 1063: �[36;1m response = client.models.list()�[0m 1064: �[36;1m print('✅ API Key is VALID - OpenAI responded successfully')�[0m 1065: �[36;1m print(f'📊 Available models: {len(list(response.data))} models found')�[0m 1066: �[36;1mexcept Exception as e:�[0m 1067: �[36;1m print(f'❌ API Key is INVALID - Error: {e}')�[0m 1068: �[36;1m print('🔍 This explains why all API-dependent tests are failing')�[0m 1069: �[36;1m print('💡 The GitHub secret OPENAI_API_KEY needs to be updated with a valid key')�[0m ... 1071: shell: /usr/bin/bash -e {0} 1072: env: 1073: pythonLocation: /opt/hostedtoolcache/Python/3.11.15/x64 1074: PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.11.15/x64/lib/pkgconfig 1075: Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 1076: Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 1077: Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 1078: LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.11.15/x64/lib 1079: OPENAI_API_KEY: *** 1080: OPENAI_API_BASE: *** 1081: OPENAI_MODEL_NAME: *** 1082: LOGLEVEL: DEBUG 1083: PYTHONPATH: /home/runner/work/PraisonAI/PraisonAI/src/praisonai-agents: 1084: ##[endgroup] 1085: 🔑 Testing API key validity with minimal OpenAI call... 1086: ❌ API Key is INVALID - Error: Error code: 401 - {'error': {'message': 'Incorrect API key provided: sk-proj-********************************************************************************************************************************************************q-EA. You can find your API key at https://platform.openai.com/account/api-keys.', 'type': 'invalid_request_error', 'param': None, 'code': 'invalid_api_key'}} 1087: 🔍 This explains why all API-dependent tests are failing 1088: 💡 The GitHub secret OPENAI_API_KEY needs to be updated with a valid key ... 1228: response = client.create(params) 1229: ^^^^^^^^^^^^^^^^^^^^^ 1230: File "/opt/hostedtoolcache/Python/3.11.15/x64/lib/python3.11/site-packages/autogen/oai/client.py", line 285, in create 1231: response = completions.create(**params) 1232: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1233: File "/opt/hostedtoolcache/Python/3.11.15/x64/lib/python3.11/site-packages/openai/_utils/_utils.py", line 286, in wrapper 1234: return func(*args, **kwargs) 1235: ^^^^^^^^^^^^^^^^^^^^^ 1236: File "/opt/hostedtoolcache/Python/3.11.15/x64/lib/python3.11/site-packages/openai/resources/chat/completions/completions.py", line 1211, in create 1237: return self._post( 1238: ^^^^^^^^^^^ 1239: File "/opt/hostedtoolcache/Python/3.11.15/x64/lib/python3.11/site-packages/openai/_base_client.py", line 1297, in post 1240: return cast(ResponseT, self.request(cast_to, opts, stream=stream, stream_cls=stream_cls)) 1241: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1242: File "/opt/hostedtoolcache/Python/3.11.15/x64/lib/python3.11/site-packages/openai/_base_client.py", line 1070, in request 1243: raise self._make_status_error_from_response(err.response) from None 1244: openai.AuthenticationError: Error code: 401 - {'error': {'message': 'Incorrect API key provided: sk-proj-********************************************************************************************************************************************************q-EA. You can find your API key at https://platform.openai.com/account/api-keys.', 'type': 'invalid_request_error', 'code': 'invalid_api_key', 'param': None}, 'status': 401} 1245: ##[error]Process completed with exit code 1. 1246: ##[group]Run echo "🔍 Comprehensive debugging of PraisonAI execution path..." ... 1318: �[36;1m print()�[0m 1319: �[36;1m print('🔧 Testing generate_crew_and_kickoff logic:')�[0m 1320: �[36;1m �[0m 1321: �[36;1m # Simulate the loading logic�[0m 1322: �[36;1m if agents_gen.agent_yaml:�[0m 1323: �[36;1m loaded_config = yaml.safe_load(agents_gen.agent_yaml)�[0m 1324: �[36;1m print(' Would load from agent_yaml')�[0m 1325: �[36;1m else:�[0m 1326: �[36;1m if agents_gen.agent_file == '/app/api:app' or agents_gen.agent_file == 'api:app':�[0m 1327: �[36;1m agents_gen.agent_file = 'agents.yaml'�[0m 1328: �[36;1m print(f' Would change agent_file to: {agents_gen.agent_file}')�[0m 1329: �[36;1m try:�[0m 1330: �[36;1m with open(agents_gen.agent_file, 'r') as f:�[0m 1331: �[36;1m loaded_config = yaml.safe_load(f)�[0m 1332: �[36;1m print(f' Successfully loaded: {agents_gen.agent_file}')�[0m 1333: �[36;1m except FileNotFoundError:�[0m 1334: �[36;1m print(f' FileNotFoundError: {agents_gen.agent_file}')�[0m 1335: �[36;1m loaded_config = None�[0m 1336: �[36;1m �[0m 1337: �[36;1m if loaded_config:�[0m 1338: �[36;1m final_framework = agents_gen.framework or loaded_config.get('framework')�[0m 1339: �[36;1m print(f' Final framework decision: {final_framework}')�[0m 1340: �[36;1m print(f' Loaded roles: {list(loaded_config.get(\"roles\", {}).keys())}')�[0m 1341: �[36;1m �[0m 1342: �[36;1m if 'researcher' in loaded_config.get('roles', {}):�[0m 1343: �[36;1m print(' ❌ FOUND Researcher role in loaded config!')�[0m 1344: �[36;1m else:�[0m 1345: �[36;1m print(' ✅ No Researcher role in loaded config')�[0m 1346: �[36;1m �[0m 1347: �[36;1mexcept Exception as e:�[0m 1348: �[36;1m print(f'❌ Error during execution debug: {e}')�[0m 1349: �[36;1m import traceback�[0m ... 1354: pythonLocation: /opt/hostedtoolcache/Python/3.11.15/x64 1355: PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.11.15/x64/lib/pkgconfig 1356: Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 1357: Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 1358: Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.15/x64 1359: LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.11.15/x64/lib 1360: OPENAI_API_KEY: *** 1361: OPENAI_API_BASE: *** 1362: OPENAI_MODEL_NAME: *** 1363: LOGLEVEL: DEBUG 1364: PYTHONPATH: /home/runner/work/PraisonAI/PraisonAI/src/praisonai-agents: 1365: ##[endgroup] 1366: 🔍 Comprehensive debugging of PraisonAI execution path... 1367: Traceback (most recent call last): 1368: File "<string>", line 50, in <module> 1369: FileNotFoundError: [Errno 2] No such file or directory: 'src/praisonai/tests/autogen-agents.yaml' 1370: ============================================================ ... 1411: README.md 1412: package.json 1413: 📋 Files in src/praisonai/tests/ directory: 1414: src/praisonai/tests/crewai-agents.yaml 1415: src/praisonai/tests/autogen-agents.yaml 1416: src/praisonai/tests/search-tool-agents.yaml 1417: src/praisonai/tests/agents-advanced.yaml 1418: src/praisonai/tests/agents.yaml 1419: src/praisonai/tests/inbuilt-tool-agents.yaml 1420: ❌ ROOT agents.yaml EXISTS (this is the problem!) 1421: Root framework: praisonai 1422: Root roles: ['file_reader', 'command_executor'] 1423: 🎯 Testing EXACT execution path: 1424: Using test file: src/praisonai/tests/autogen-agents.yaml 1425: File exists: False 1426: ❌ Error during execution debug: [Errno 2] No such file or directory: 'src/praisonai/tests/autogen-agents.yaml' 1427: ##[group]Run # Run the fastest, most essential tests with coverage ... 1446: cachedir: .pytest_cache 1447: rootdir: /home/runner/work/PraisonAI/PraisonAI/src/praisonai 1448: configfile: pytest.ini 1449: plugins: timeout-2.4.0, cov-7.1.0, anyio-4.13.0, asyncio-1.3.0 1450: timeout: 60.0s 1451: timeout method: thread 1452: timeout func_only: False 1453: asyncio: mode=Mode.AUTO, debug=False, asyncio_default_fixture_loop_scope=function, asyncio_default_test_loop_scope=function 1454: /opt/hostedtoolcache/Python/3.11.15/x64/lib/python3.11/site-packages/coverage/control.py:497: CoverageWarning: No data was collected. (no-data-collected); see https://coverage.readthedocs.io/en/7.13.5/messages.html#warning-no-data-collected 1455: warnings.warn(msg, category=CoverageWarning, stacklevel=2) 1456: collecting ... collected 0 items / 1 skipped 1457: ================================ tests coverage ================================ 1458: _______________ coverage: platform linux, python 3.11.15-final-0 _______________ 1459: Coverage XML written to file coverage.xml 1460: ============================= 1 skipped in 18.21s ============================== 1461: ##[error]Process completed with exit code 5. 1462: ##[group]Run echo "🔄 Restoring root configuration files..."

[qodo-code-review]

1. execute_code calls exec 📎 Requirement gap ⛨ Security

execute_code still executes user-supplied code in-process via exec()/eval() and is not
integrated with a SandboxProtocol implementation. This fails the requirement for
sandboxed-by-default execution and leaves the host process exposed if the in-process controls are
bypassed.

Agent Prompt

## Issue description
`execute_code()` runs arbitrary code using in-process `exec()`/`eval()` rather than routing execution through a `SandboxProtocol`-backed sandbox. This violates the sandboxing-by-default requirement.

## Issue Context
Even with restricted `__builtins__` and AST checks, in-process execution remains risky and does not satisfy the protocol-integration requirement.

## Fix Focus Areas
- src/praisonai-agents/praisonaiagents/tools/python_tools.py[85-218]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[qodo-code-review]

2. execute_code ignores timeout 📎 Requirement gap ⛨ Security

The execute_code API exposes a timeout parameter but does not enforce any timeout or resource
limits on execution. This allows untrusted code to run indefinitely (e.g., infinite loops) and can
cause denial-of-service of the host process.

Agent Prompt

## Issue description
`execute_code()` accepts a `timeout` parameter but does not actually enforce it, nor does it enforce CPU/memory limits.

## Issue Context
Without enforcement, user code can hang indefinitely or consume unbounded resources, which violates the sandbox resource-limits requirement.

## Fix Focus Areas
- src/praisonai-agents/praisonaiagents/tools/python_tools.py[86-92]
- src/praisonai-agents/praisonaiagents/tools/python_tools.py[202-218]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[qodo-code-review]

3. Pythontools init returns none 🐞 Bug ✓ Correctness

_get_python_tools() returns _python_tools_instance even when it is initialized to None, so
analyze_code/format_code/lint_code/disassemble_code crash with AttributeError on first call.
This makes the new lazy optional-dependency wrappers unusable.

Agent Prompt

### Issue description
`_get_python_tools()` never instantiates `PythonTools()` because `_python_tools_instance` is defined as `None` and the function only instantiates on `NameError`. As a result, `analyze_code/format_code/lint_code/disassemble_code` call methods on `None`.

### Issue Context
This was introduced as part of the refactor to make optional-dependency tools lazy.

### Fix Focus Areas
- src/praisonai-agents/praisonaiagents/tools/python_tools.py[525-550]

### What to change
- Replace the `try/except NameError` pattern with an explicit `if _python_tools_instance is None:` check.
- Instantiate and cache `PythonTools()` when the cached instance is `None`.
- (Optional) add a small lock if these wrappers can be called concurrently from multiple threads.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[qodo-code-review]

4. Execute_code export broken 🐞 Bug ✓ Correctness

praisonaiagents.tools.__getattr__ still resolves execute_code as a PythonTools instance
method, but execute_code was moved to a module-level function and PythonTools no longer defines
it. Importing execute_code from praisonaiagents.tools will now raise AttributeError (and may
also trigger unwanted optional-dependency checks).

Agent Prompt

### Issue description
`from praisonaiagents.tools import execute_code` is now broken because `TOOL_MAPPINGS` still points `execute_code` to the `PythonTools` class, but `execute_code` is no longer a `PythonTools` method.

### Issue Context
The PR refactored `execute_code` into a standalone function to avoid optional deps. The tools package lazy loader still assumes Python tools are class methods.

### Fix Focus Areas
- src/praisonai-agents/praisonaiagents/tools/__init__.py[60-69]
- src/praisonai-agents/praisonaiagents/tools/__init__.py[254-263]

### What to change
- In `TOOL_MAPPINGS`, map `execute_code` to `('.python_tools', None)` so `__getattr__` returns the module-level function.
- Consider mapping `analyze_code/format_code/lint_code/disassemble_code` to `('.python_tools', None)` as well, so the module-level wrappers control lazy instantiation (instead of instantiating `PythonTools()` during attribute access).
- Add/adjust a small unit test that `from praisonaiagents.tools import execute_code` succeeds without black/pylint/autopep8 installed.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[MervinPraison]

@copilot

Do a thorough triage and analysis of this issue:

Classification: Is this a bug, feature request, question, or documentation gap?
Severity: Critical / High / Medium / Low — explain why
Affected area: Which modules/files in the codebase are relevant?
Root cause analysis: Search the codebase and identify the likely root cause
Impact assessment: What else could be affected? Any related issues?
Suggested fix: Propose a concrete solution approach with file paths
Effort estimate: Small (hours) / Medium (day) / Large (days+)

[Copilot]

@copilot

Do a thorough triage and analysis of this issue:
...

Here's a thorough triage and analysis of the 4 issues addressed in this PR:

---

Issue #1128 — Bare except: in LLM capability checks (llm.py)

Classification: Bug
Severity: Medium
Affected area: src/praisonai-agents/praisonaiagents/llm/llm.py — can_use_tools() and can_use_stop_words()
Root cause: Both functions used bare except: which catches SystemExit and KeyboardInterrupt in addition to real errors. If the user pressed Ctrl+C or the process was asked to exit during a litellm.get_supported_openai_params() call, the signal was silently swallowed and False was returned instead of propagating. The methods also gave zero diagnostic info on what went wrong.
Impact: Silent incorrect fallback values during agent capability detection; may cause wrong model behavior (e.g., disabling JSON response format when it was actually available). Could mask Ctrl+C during long-running agent runs.
Fix applied: Replaced with except Exception: and added logging.debug(..., exc_info=True) so the real error is recorded.
Effort: Small (< 1 hour)

---

Issue #1145 — Race condition in shared server dicts (agents.py)

Classification: Bug
Severity: High
Affected area: src/praisonai-agents/praisonaiagents/agents/agents.py — module-level _agents_server_started, _agents_registered_endpoints, _agents_shared_apps
Root cause: Three module-level dict objects used for shared server state were mutated from multiple threads (each Agents.launch(mode="http") call runs in its own thread) with no synchronization. Python's GIL protects single bytecode operations but not compound read-modify-write sequences like if port not in dict: dict[port] = .... Two threads could both see the key missing and each create a duplicate FastAPI app, leading to duplicate route registration errors or silent data loss.
Impact: Intermittent crashes or incorrect routing when multiple agents share a port — only reproducible under concurrent load (e.g., test suites, multi-agent HTTP servers).
Fix applied: Added _agents_server_lock = threading.Lock() and wrapped all check-then-mutate blocks with with _agents_server_lock:. Mirrors the identical _server_lock pattern already in agent.py.
Effort: Small (< 1 hour)

---

Issue #1147 — Duplicated sync/async approval logic (agent.py)

Classification: Bug / Code Quality
Severity: Low-Medium
Affected area: src/praisonai-agents/praisonaiagents/agent/agent.py — _check_tool_approval_sync() and _check_tool_approval_async()
Root cause: Both methods contained an identical 30-line block to build ApprovalRequest, determine needs_approval, and handle _approval_timeout. Any fix or enhancement to approval logic required editing two places. The async path also had a subtle behavioral difference: it didn't apply orig_timeout restoration on the backend in some branches.
Impact: High maintenance risk — a future change to approval logic will likely fix one path but not the other, creating a latent divergence bug.
Fix applied: Extracted _build_approval_request() (shared setup) and _finalize_approval() (shared decision processing) as private helpers. Both sync/async paths now call these helpers. Net result: ~30 lines of duplication removed, single source of truth for approval logic.
Effort: Small (2–3 hours including testing)

---

Issue #1154 — Eager Rich imports at module level (main.py, agents.py, knowledge.py, video_agent.py)

Classification: Performance issue
Severity: Low
Affected area: src/praisonai-agents/praisonaiagents/main.py, agents/agents.py, knowledge/knowledge.py, agent/video_agent.py
Root cause: from rich.console import Console (and Panel, Text, Markdown, Live) were at module top-level. Rich is a large library (~2 MB) and importing it unconditionally adds 50–100 ms to every import praisonaiagents call — even in headless/non-interactive contexts (API servers, batch jobs, CI) where no terminal output is ever rendered.
Impact: Measurable startup slowdown for all users; particularly costly in serverless/Lambda environments billed per millisecond. agent.py already used lazy imports as a deliberate pattern — the other files were inconsistent.
Fix applied: Introduced _ensure_rich() in main.py (following the same pattern from agent.py) that lazily imports all Rich classes on first display call. Moved from rich import ... inside the relevant if show_verbose and is_tty: blocks in the other files.
Effort: Small (1–2 hours)

---

CI Failure note

The Quick Validation Tests failure (exit code 5 — no tests collected) is pre-existing on master (run 23484173105 on master also fails identically). It is not caused by this PR.