feat(providers): add claude_cli and codex_cli agent-CLI providers#52
Open
AbhiramDwivedi wants to merge 1 commit into
Open
feat(providers): add claude_cli and codex_cli agent-CLI providers#52AbhiramDwivedi wants to merge 1 commit into
AbhiramDwivedi wants to merge 1 commit into
Conversation
Route Stage-2 LLM analysis through a locally-installed, already-authenticated agent CLI (claude, codex) instead of a metered HTTP API. Activated via SKILLSPECTOR_PROVIDER=claude_cli (or codex_cli); no API key is needed — the CLI's own login session is used. Transport seam -------------- The LLM analyzers (meta_analyzer, semantic_*) obtain their model from get_chat_model() and call .invoke() / .with_structured_output(schema).invoke() on it; they never use chat_completion(). So the CLI transport is wired at get_chat_model(), which for CLI providers returns AgentCLIChatModel — a minimal ChatOpenAI-compatible adapter (invoke / ainvoke / with_structured_output) backed by the provider's complete(). Structured output appends the JSON schema to the prompt, then parses + Pydantic-validates the reply (fail-closed). The base class llm_analyzer_base is unchanged. chat_completion() now routes through get_chat_model() too, so there is a single dispatch point. Hardened subprocess helper (providers/_agent_cli.py) ---------------------------------------------------- Single security chokepoint for both CLI providers: - shell=False, argv list only; untrusted prompt delivered via stdin, never argv. - Capability stripping, verified end-to-end against the real CLIs: claude: -p --output-format json --allowed-tools "" (deny-by-default allow-list) --permission-mode dontAsk --strict-mcp-config --disable-slash-commands. codex: exec --json --sandbox read-only --ephemeral --ignore-user-config --ignore-rules. --dangerously-skip-permissions is never used; --bare is not used (it disables keychain reads and breaks auth). - Environment scrubbed of API/SSH/cloud creds; temp CWD; per-call timeout; input/output caps; fail-closed on missing binary / nonzero exit / timeout / unparseable output; model label validated against argument injection. - The prompt is passed through unchanged (parity with the HTTP path); content hardening is the meta_analyzer's responsibility. Providers / wiring ------------------ - providers/claude_cli, providers/codex_cli: AgentCLICapable providers (is_available + complete) with bundled model_registry.yaml. - providers/base.py: AgentCLICapable protocol + has_cli_capability helper. - providers/__init__.py: registers claude_cli/codex_cli; get_active_provider. - llm_utils.py: get_chat_model returns the CLI adapter for CLI providers; is_llm_available delegates to provider.is_available(). HTTP path unchanged. Tests ----- - tests/unit/test_agent_cli.py: subprocess security invariants (shell=False, stdin-only, allow-list deny-by-default, no --bare / --dangerously-skip- permissions, scrubbed env, fail-closed, injection safety). - tests/unit/test_llm_utils.py: get_chat_model CLI dispatch, adapter invoke, structured-output parse/validate + fail-closed, JSON extraction. - tests/unit/test_providers.py: CLI provider selection + metadata. - tests/integration/test_claude_cli_provider.py: opt-in, skipped when claude is absent/unauthed. Verified end-to-end: a real SKILLSPECTOR_PROVIDER=claude_cli scan returns a parsed report with LLM-enriched findings. Docs: README + DEVELOPMENT provider/env tables updated for claude_cli/codex_cli. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Ram Dwivedi <abhiram.dwivedi@yahoo.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #57
What
Two providers that route Stage-2 LLM analysis through a locally-installed, already-authenticated agent CLI (
claude,codex) instead of a metered HTTP API — no API key needed, the CLI's own login session is used. Activated viaSKILLSPECTOR_PROVIDER=claude_cli(orcodex_cli).How
get_chat_model()and use.invoke()/.with_structured_output(schema).invoke(). For CLI providers,get_chat_model()returns a minimalChatOpenAI-compatible adapter backed byprovider.complete(); structured output is produced by prompting for JSON, then Pydantic-validating (fail-closed).llm_analyzer_baseis unchanged; HTTP providers are untouched.providers/_agent_cli.py):shell=False; untrusted prompt via stdin only, never argv; capability stripping verified against the real CLIs (claude:--allowed-tools ""deny-by-default +--permission-mode dontAsk+--strict-mcp-config+--disable-slash-commands; codex:--sandbox read-only+--ephemeral);--dangerously-skip-permissionsnever used; scrubbed environment; temp CWD; per-call timeout; streamed stdout with a hard size cap (process killed on overflow — no unbounded buffering); model-label validated against argument injection; fail-closed on every error path.is_available()does a real local auth probe (claude auth status/codex login status) so a report'sllm_availabledoesn't claim availability when the CLI is logged out.Test
Unit tests for the subprocess invariants, the bounded reader (real subprocesses: normal / overflow-kill / timeout), the adapter + structured-output parsing, and provider selection. Opt-in integration tests skip when the CLI is absent/unauthed. Verified end-to-end: a real
claude_cliscan returns a parsed report with LLM-enriched findings.🤖 Generated with Claude Code