Author SHA1 Message Date
steveandClaude Opus 4.8 98a2164aba ci(gadfly): trim the weakest reviewers from the swarm
Adversarial Review (Gadfly) / review (pull_request) Successful in 5m27s
CI / Tidy (pull_request) Successful in 9m31s
CI / Build & Test (pull_request) Successful in 9m48s
Drop the four lowest-graded reviewers — m5/qwen3.6:35b-mlx, gemma4:cloud,
gpt-oss:120b-cloud, kimi-k2.7-code:cloud. Removing m5/qwen3.6 takes the last
local Mac out, so this is now a cloud-only fleet of 6 ollama-cloud models;
GADFLY_ENDPOINT_M5 and the m5 concurrency entry are gone and the per-job timeout
drops to 45m. README/CLAUDE.md kept in sync.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-06-27 18:07:27 -04:00
steve b2487a1a37 Merge pull request 'feat(llamaswap): llama-swap provider + canonical imagegen interface' (#3) from feat/llama-swap-provider into main
CI / Tidy (push) Successful in 9m24s
CI / Build & Test (push) Successful in 10m11s
2026-06-27 20:14:01 +00:00
steveandClaude Opus 4.8 64642c43c4 fix(llamaswap): address Gadfly review findings
CI / Tidy (pull_request) Successful in 9m25s
CI / Build & Test (pull_request) Successful in 10m15s
- Unload: reject model ids containing path separators (/?#) so a model name
  can't redirect the request to another endpoint; ":" (common in ids) stays
  verbatim.
- doJSON: take a model arg so image/management HTTP errors carry the target id
  (was always ""); add a base-URL guard so management methods fail clearly
  instead of building a bare-path request; cap the success-path JSON decode with
  io.LimitReader (64 MiB) and drain the body when out is nil for conn reuse.
- image: reject negative Request.N before sending.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-06-27 16:04:23 -04:00
steve 3ba2dbefae Merge remote-tracking branch 'origin/main' into feat/llama-swap-provider
CI / Build & Test (pull_request) Successful in 10m15s
CI / Tidy (pull_request) Successful in 10m20s
Adversarial Review (Gadfly) / review (pull_request) Successful in 18m24s
2026-06-27 15:13:07 -04:00
steve 38b4e1a028 Merge pull request 'ci: add Gadfly adversarial PR reviewer + document the review loop' (#2) from ci/gadfly-adversarial-review into main
CI / Tidy (push) Successful in 9m23s
CI / Build & Test (push) Successful in 10m16s
2026-06-27 19:10:53 +00:00
steveandClaude Opus 4.8 43eb155759 ci(gadfly): drop the M1 Mac from the review swarm
CI / Build & Test (pull_request) Successful in 10m33s
CI / Tidy (pull_request) Successful in 9m26s
M1 was consistently slow (26-29 min) for zero real findings, so pull it before
this workflow ever fires. Leaves the 9 ollama-cloud models + the M5 Mac;
removes GADFLY_ENDPOINT_M1 and the m1 concurrency entry. Mirrors the same change
on executus.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-06-27 14:52:11 -04:00
steveandClaude Opus 4.8 8dae9cc941 docs: document the Gadfly adversarial review loop in CLAUDE.md
CI / Build & Test (pull_request) Successful in 10m13s
Adversarial Review (Gadfly) / review (pull_request) Successful in 24m4s
CI / Tidy (pull_request) Successful in 9m26s
Records the PR workflow: push work to a PR (never straight to main), wait for
Gadfly to finish and weigh its findings, then grade each finding back to the
gadfly-reports MCP (record_finding_grade / list_findings / scoreboard) so the
telemetry can measure whether each model earns its keep.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-06-27 14:32:25 -04:00
steveandClaude Opus 4.8 a5adc6f4d1 ci: add Gadfly adversarial PR reviewer workflow
Installs the standalone Gadfly agentic adversarial reviewer (advisory, never
blocks merge), mirroring executus's setup on the latest pinned image
(sha-d7f364d). Reviews majordomo PRs with the full fleet: 9 ollama-cloud models
plus the M1/M5 Macs via foreman, each running the 3-lens suite (security,
correctness, error-handling). Posts one consolidated comment per model.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-06-27 14:31:48 -04:00
5 changed files with 154 additions and 10 deletions
+82
View File
@@ -0,0 +1,82 @@
# Gadfly — agentic adversarial PR reviewer (https://gitea.stevedudenhoeffer.com/steve/gadfly).
#
# Runs the published Gadfly image (pinned to an immutable :sha- tag — act_runner
# caches :latest, and this build is what carries foreman provider-type support)
# as a specialist swarm and posts
# ONE consolidated review comment as gitea-actions. Advisory only — never blocks a
# merge. This reviews majordomo PRs with 6 ollama-cloud models (3-lens suite).
# Gadfly is a simple system — findings are advisory; always double-check before
# acting.
name: Adversarial Review (Gadfly)
on:
pull_request:
types: [opened, reopened, ready_for_review]
issue_comment:
types: [created]
workflow_dispatch:
inputs:
pr_number:
description: "PR number to review"
required: true
permissions:
contents: read
issues: write
pull-requests: write
concurrency:
group: gadfly-${{ github.event.issue.number || github.event.pull_request.number || github.event.inputs.pr_number }}
cancel-in-progress: true
jobs:
review:
# Security: only trusted users may trigger a secret-bearing run via a PR
# comment (pull_request + workflow_dispatch are already trusted). Mirrors
# GADFLY_ALLOWED_USERS, the in-container belt-and-suspenders check.
if: >-
github.event_name != 'issue_comment'
|| (github.event.issue.pull_request
&& (github.actor == 'steve'
|| github.actor == 'fizi'
|| github.actor == 'dazed'))
runs-on: ubuntu-latest
# Fleet: 6 ollama-cloud models (lens fan-out), no local Macs. (Trimmed the
# weakest reviewers by grade — m5/qwen3.6, gemma4, gpt-oss, kimi-k2.7 — plus
# the earlier M1 drop.) Plenty of headroom for the cloud lanes.
timeout-minutes: 45
steps:
- uses: docker://gitea.stevedudenhoeffer.com/steve/gadfly:sha-d7f364d
env:
GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
# Cloud-only fleet (no local Macs). Cloud concurrency lives in the
# LENSES: models run a few at a time (ollama-cloud=3) with their 3 lenses
# concurrent (LENS ollama-cloud=3) so comments land sooner.
GADFLY_MODELS: "minimax-m3:cloud,glm-5.2:cloud,glm-5.1:cloud,deepseek-v4-pro:cloud,nemotron-3-super:cloud,qwen3-coder:480b-cloud"
GADFLY_PROVIDER_CONCURRENCY: "ollama-cloud=3"
GADFLY_PROVIDER_LENS_CONCURRENCY: "ollama-cloud=3"
# Default => the 3-lens suite (security, correctness, error-handling).
# Set the repo var GADFLY_SPECIALISTS to override (csv / "all" / "auto").
GADFLY_SPECIALISTS: ${{ vars.GADFLY_SPECIALISTS || 'security,correctness,error-handling' }}
# Per-lens deadline + bounded steps to keep each reviewer's run sane.
GADFLY_TIMEOUT_SECS: "600"
GADFLY_MAX_STEPS: "14"
# Allow-list for the comment trigger (mirrors the job-level if: guard).
GADFLY_ALLOWED_USERS: "steve,fizi,dazed"
# --- findings telemetry: POST runs + findings to the gadfly-reports store ---
# Advisory & off unless GADFLY_FINDINGS_URL is set; failures only log to
# stderr and never affect the review. GADFLY_REPO / GADFLY_PR are derived
# in-container; the URL + token are user-scope secrets.
GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
# --- event context (leave as-is) ---
EVENT_NAME: ${{ github.event_name }}
PR: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
PR_BRANCH: ${{ github.head_ref }}
IS_DRAFT: ${{ github.event.pull_request.draft }}
COMMENT_BODY: ${{ github.event.comment.body }}
COMMENT_ID: ${{ github.event.comment.id }}
ACTOR: ${{ github.actor }}
+21
View File
@@ -135,6 +135,27 @@ CI: `.gitea/workflows/ci.yaml` (Gitea Actions, mirrors foreman). README.md
must match reality in the same commit that changes behavior — no must match reality in the same commit that changes behavior — no
aspirational docs; unbuilt features are marked pending in the matrix. aspirational docs; unbuilt features are marked pending in the matrix.
## Adversarial review loop (Gadfly)
Ship work through PRs and let Gadfly review it before merge:
- **Push to a PR, never straight to `main`.** Branch, push, open a PR.
`.gitea/workflows/adversarial-review.yml` runs Gadfly (the standalone
agentic adversarial reviewer) — a fleet of 6 ollama-cloud models, each
running the 3-lens suite (security, correctness, error-handling). Advisory
only; it never blocks the merge.
- **Wait for Gadfly to finish, then read its output.** Don't merge while the
review is still running. Each model posts one consolidated comment; weigh
every finding on its merits and fix the real ones (Gadfly is a simple
system — findings are advisory, so confirm before acting).
- **Grade the findings back to the Gadfly MCP.** For each finding, call
`mcp__gadfly__record_finding_grade`: `is_real=true` + a `severity`
(trivial|small|medium|high|critical) for a genuine problem, or
`is_real=false` for a false positive; add `notes`/`usefulness` when
useful. Use `mcp__gadfly__list_findings` (`only_ungraded=true`) to find
what still needs grading and `mcp__gadfly__scoreboard` for the per-model
rollup. This telemetry is how we measure whether each model earns its keep.
## Out of scope (anti-creep) ## Out of scope (anti-creep)
No persistent store (health is in-memory behind the registry), no No persistent store (health is in-memory behind the registry), no
+4 -1
View File
@@ -51,6 +51,9 @@ func (m *imageModel) Generate(ctx context.Context, req imagegen.Request, opts ..
if strings.TrimSpace(req.Prompt) == "" { if strings.TrimSpace(req.Prompt) == "" {
return nil, fmt.Errorf("%w: image generation requires a prompt", llm.ErrUnsupported) return nil, fmt.Errorf("%w: image generation requires a prompt", llm.ErrUnsupported)
} }
if req.N < 0 {
return nil, fmt.Errorf("%w: image count N must be >= 0, got %d", llm.ErrUnsupported, req.N)
}
wire := imageRequest{ wire := imageRequest{
Model: m.id, Model: m.id,
@@ -61,7 +64,7 @@ func (m *imageModel) Generate(ctx context.Context, req imagegen.Request, opts ..
} }
var resp imageResponse var resp imageResponse
if err := m.p.doJSON(ctx, http.MethodPost, "/v1/images/generations", &wire, &resp); err != nil { if err := m.p.doJSON(ctx, http.MethodPost, "/v1/images/generations", m.id, &wire, &resp); err != nil {
return nil, err return nil, err
} }
+29 -9
View File
@@ -38,6 +38,11 @@ import (
// DefaultName is the registry name used when WithName is not given. // DefaultName is the registry name used when WithName is not given.
const DefaultName = "llama-swap" const DefaultName = "llama-swap"
// maxResponseBytes caps the JSON body read on the success path. Generous
// enough for a multi-image b64 payload, bounded so a hostile/buggy upstream
// can't make a decode allocate without limit.
const maxResponseBytes = 64 << 20
// Provider is a llama-swap client. It satisfies llm.Provider (chat, delegated // Provider is a llama-swap client. It satisfies llm.Provider (chat, delegated
// to provider/openai) and imagegen.Provider (image generation), and exposes // to provider/openai) and imagegen.Provider (image generation), and exposes
// llama-swap's management endpoints as concrete methods. // llama-swap's management endpoints as concrete methods.
@@ -136,7 +141,7 @@ func (p *Provider) ListModels(ctx context.Context) ([]ModelInfo, error) {
var out struct { var out struct {
Data []ModelInfo `json:"data"` Data []ModelInfo `json:"data"`
} }
if err := p.doJSON(ctx, http.MethodGet, "/v1/models", nil, &out); err != nil { if err := p.doJSON(ctx, http.MethodGet, "/v1/models", "", nil, &out); err != nil {
return nil, err return nil, err
} }
return out.Data, nil return out.Data, nil
@@ -148,7 +153,7 @@ func (p *Provider) ListModels(ctx context.Context) ([]ModelInfo, error) {
// would have to guess. // would have to guess.
func (p *Provider) Running(ctx context.Context) (json.RawMessage, error) { func (p *Provider) Running(ctx context.Context) (json.RawMessage, error) {
var out json.RawMessage var out json.RawMessage
if err := p.doJSON(ctx, http.MethodGet, "/running", nil, &out); err != nil { if err := p.doJSON(ctx, http.MethodGet, "/running", "", nil, &out); err != nil {
return nil, err return nil, err
} }
return out, nil return out, nil
@@ -160,18 +165,30 @@ func (p *Provider) Running(ctx context.Context) (json.RawMessage, error) {
func (p *Provider) Unload(ctx context.Context, model string) error { func (p *Provider) Unload(ctx context.Context, model string) error {
path := "/api/models/unload" path := "/api/models/unload"
if model != "" { if model != "" {
// Why reject rather than percent-escape: llama-swap model ids legitimately
// contain ":" (e.g. "qwen3:14b"), which is path-legal and must reach the
// server verbatim; only path-structure characters are dangerous (they'd
// redirect the request to another endpoint), and those never appear in a
// real model id.
if strings.ContainsAny(model, "/?#") {
return fmt.Errorf("llama-swap: invalid model id %q for unload (contains a path separator)", model)
}
path += "/" + model path += "/" + model
} }
return p.doJSON(ctx, http.MethodPost, path, nil, nil) return p.doJSON(ctx, http.MethodPost, path, "", nil, nil)
} }
// --- shared HTTP helper for management + image endpoints --- // --- shared HTTP helper for management + image endpoints ---
// doJSON performs a request to a llama-swap endpoint relative to baseURL, // doJSON performs a request to a llama-swap endpoint relative to baseURL,
// optionally encoding body and decoding into out (either may be nil). Transport // optionally encoding body and decoding into out (either may be nil). model
// failures are wrapped raw so llm.Classify still sees the underlying net error; // labels the failing target in any *llm.APIError ("" for endpoints that aren't
// non-2xx responses become *llm.APIError. // model-specific). Transport failures are wrapped raw so llm.Classify still
func (p *Provider) doJSON(ctx context.Context, method, path string, body, out any) error { // sees the underlying net error; non-2xx responses become *llm.APIError.
func (p *Provider) doJSON(ctx context.Context, method, path, model string, body, out any) error {
if p.baseURL == "" {
return fmt.Errorf("llama-swap provider %q: no base URL configured (set one via WithBaseURL or an LLM_* env DSN)", p.name)
}
var rdr io.Reader var rdr io.Reader
if body != nil { if body != nil {
b, err := json.Marshal(body) b, err := json.Marshal(body)
@@ -196,12 +213,15 @@ func (p *Provider) doJSON(ctx context.Context, method, path string, body, out an
} }
defer resp.Body.Close() defer resp.Body.Close()
if resp.StatusCode/100 != 2 { if resp.StatusCode/100 != 2 {
return p.apiError(resp, "") return p.apiError(resp, model)
} }
if out != nil { if out != nil {
if err := json.NewDecoder(resp.Body).Decode(out); err != nil { if err := json.NewDecoder(io.LimitReader(resp.Body, maxResponseBytes)).Decode(out); err != nil {
return fmt.Errorf("llama-swap: decode response: %w", err) return fmt.Errorf("llama-swap: decode response: %w", err)
} }
} else {
// Drain (bounded) so the connection can be reused.
_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, maxResponseBytes))
} }
return nil return nil
} }
+18
View File
@@ -127,6 +127,24 @@ func TestUnload(t *testing.T) {
if gotPath != "/api/models/unload" { if gotPath != "/api/models/unload" {
t.Errorf("unload-all path = %q", gotPath) t.Errorf("unload-all path = %q", gotPath)
} }
// A model id with a path separator is rejected before any request.
if err := p.Unload(context.Background(), "../admin"); err == nil {
t.Error("expected error for model id with path separator")
}
}
func TestManagementNoBaseURL(t *testing.T) {
p := New() // no base URL
if _, err := p.ListModels(context.Background()); err == nil {
t.Error("ListModels: expected error for missing base URL")
}
if _, err := p.Running(context.Background()); err == nil {
t.Error("Running: expected error for missing base URL")
}
if err := p.Unload(context.Background(), "m"); err == nil {
t.Error("Unload: expected error for missing base URL")
}
} }
func TestRunningRaw(t *testing.T) { func TestRunningRaw(t *testing.T) {