2 Commits

Author SHA1 Message Date
Steve Dudenhoeffer ec9b9a9a94 ci: inherit gadfly's default swarm (slim caller, re-pin @b02b11d)
CI / Tidy (pull_request) Successful in 9m26s
CI / Build & Test (pull_request) Successful in 9m56s
steve/gadfly#10 moved the curated swarm (3 cloud + Claude Code sonnet/opus/
opus:max, 5-lens suite) into the reusable workflow's input defaults. Drop this
repo's explicit `with:` swarm block and inherit it — only the consumer-specific
allow-list remains. Re-pin to the post-merge gadfly commit (@b02b11d).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 22:26:13 -04:00
Steve Dudenhoeffer ecf39087a9 ci: switch gadfly review to the reusable workflow (curated swarm, 5 lenses)
Adversarial Review (Gadfly) / review (pull_request) Successful in 8m49s
CI / Tidy (pull_request) Successful in 9m37s
CI / Build & Test (pull_request) Successful in 10m14s
Replace majordomo's full self-contained Gadfly stub with a thin caller of
steve/gadfly's reusable workflow, matching mort/executus's hardened pattern:
- explicit secret forwarding (least privilege); GITEA_TOKEN is the auto token.
- pinned to an immutable gadfly commit (@20a5c43), not @main.

Curated swarm tuned for majordomo:
- 3 strong cloud models (minimax-m3, glm-5.2, deepseek-v4-pro) — dropped
  qwen3-coder:480b, nemotron-3-super, glm-5.1.
- Claude Code engine (sonnet, opus, opus:max), claude-code=3 so all three
  claudes run at once.
- 5-lens default suite (security, correctness, maintainability, performance,
  error-handling) for every model (lenses are global).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 21:58:23 -04:00
8 changed files with 78 additions and 264 deletions
+12 -14
View File
@@ -1,8 +1,8 @@
# Gadfly adversarial review — subscribes to steve/gadfly's reusable workflow and
# INHERITS its default swarm. This stub holds only the triggers, the actor gate,
# secret forwarding, and the allow-list; the swarm config (models, lenses,
# concurrency, timeouts) lives centrally in gadfly's review-reusable.yml so it is
# tuned in ONE place. Advisory only — never blocks a merge.
# INHERITS its default swarm (3 cloud models + Claude Code sonnet/opus/opus:max,
# 5-lens suite). This stub holds only the triggers, the actor gate, secret
# forwarding, and the allow-list; the swarm config lives centrally in gadfly's
# review-reusable.yml. Advisory only — never blocks a merge.
name: Adversarial Review (Gadfly)
@@ -29,26 +29,24 @@ concurrency:
jobs:
review:
# Security: only trusted users may trigger a secret-bearing run via a PR
# comment (pull_request + workflow_dispatch are already trusted). Mirrors the
# allowed_users input below (the in-container belt-and-suspenders check) — both
# lists must stay in sync; a workflow if: can't read a workflow_call input.
# comment (pull_request + workflow_dispatch are already trusted). Mirrors
# the allowed_users input below (the in-container belt-and-suspenders check).
if: >-
github.event_name != 'issue_comment'
|| (github.event.issue.pull_request
&& (github.actor == 'steve'
|| github.actor == 'fizi'
|| github.actor == 'dazed'))
# Tracks gadfly's v1 release tag — a curated pointer re-moved on each release
# (unlike @main, which moves on every push). Central swarm tuning propagates
# here automatically; the tradeoff vs a full sha pin is that v1 is mutable.
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@7bc3c982fa7b72367034c673f7812bf05e9c503e
# Least privilege: forward only the review secrets (not `secrets: inherit`,
# which would expose every repo secret). GITEA_TOKEN is the automatic token.
# Pinned to an immutable gadfly commit (not @main): a push to gadfly can't
# silently change the code that runs with our forwarded secrets.
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d69139843665da4cdbf776bc0b3583490d
# Least privilege: forward ONLY the secrets the swarm uses (GITEA_TOKEN is auto).
secrets:
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
with:
# Consumer-specific allow-list; everything else is inherited.
# Inherit the default swarm from gadfly's review-reusable.yml; only the
# consumer-specific allow-list is set here.
allowed_users: "steve,fizi,dazed"
+3 -5
View File
@@ -142,11 +142,9 @@ Ship work through PRs and let Gadfly review it before merge:
- **Push to a PR, never straight to `main`.** Branch, push, open a PR.
`.gitea/workflows/adversarial-review.yml` runs Gadfly (the standalone
agentic adversarial reviewer) by subscribing to gadfly's reusable workflow
and inheriting its default swarm — 3 cloud models + the Claude Code engine
(sonnet/opus/opus:max), each running the 5-lens suite (security, correctness,
maintainability, performance, error-handling). The swarm is tuned centrally
in gadfly, not here. Advisory only; it never blocks the merge.
agentic adversarial reviewer) — a fleet of 6 ollama-cloud models, each
running the 3-lens suite (security, correctness, error-handling). Advisory
only; it never blocks the merge.
- **Wait for Gadfly to finish, then read its output.** Don't merge while the
review is still running. Each model posts one consolidated comment; weigh
every finding on its merits and fix the real ones (Gadfly is a simple
-19
View File
@@ -42,22 +42,3 @@ asked for "a new ai image interface as opposed to llm".
callers (additive fields/options).
- No health/failover for image models yet; if needed it can be added as a
separate chain type rather than retrofitting the chat chain.
## Update — optional per-request settings
`Request` gained additive optional overrides — `Steps *int`, `CFGScale *float64`,
`NegativePrompt string`, `Sampler string`, `Seed *int64` — with mirror options
(`WithSteps`, …). nil/"" means "leave the backend's per-model default", so the v1
contract is unchanged for callers that don't set them. `provider/llamaswap`
forwards them to sd-server as `steps`/`cfg_scale`/`negative_prompt`/`sample_method`/
`seed` (omitempty). This realizes the "seeds/steps … additive fields" note above;
img2img/masks/streaming remain deferred.
## Update — A1111 txt2img endpoint (seed support)
`provider/llamaswap` now POSTs to sd-server's **`/sdapi/v1/txt2img`** (A1111)
instead of the OpenAI `/v1/images/generations`. That OpenAI endpoint **ignores
`seed`** on the stable-diffusion.cpp build we run — every render of a prompt is
byte-identical, so a batch of N collapses to one image. `/sdapi/v1/txt2img`
honours `seed`, restoring real per-render variety. llama-swap still routes by
the `model` field in the body; `Size` is split into `width`/`height`.
-38
View File
@@ -38,29 +38,6 @@ type Request struct {
// Size is the requested resolution, e.g. "512x512" or "1024x1024";
// "" = provider default.
Size string
// The fields below are optional per-request overrides. Their zero value
// (nil pointer or empty string) means "leave the backend's own default" —
// for stable-diffusion.cpp that is the per-model default baked into the
// llama-swap launch flags. A caller overrides only what it explicitly sets.
// Steps is the number of diffusion steps; nil = backend default.
Steps *int
// CFGScale is the classifier-free-guidance scale; nil = backend default.
// Architecture-sensitive (SDXL likes ~7, Flux wants 1), so prefer leaving
// it nil unless the caller knows the target model.
CFGScale *float64
// NegativePrompt steers generation away from concepts; "" = none.
NegativePrompt string
// Sampler selects the sampling method (e.g. "euler", "euler_a");
// "" = backend default.
Sampler string
// Seed fixes the RNG seed for reproducible output; nil = random.
Seed *int64
}
// Result is the canonical image-generation result.
@@ -83,21 +60,6 @@ func WithN(n int) Option { return func(r *Request) { r.N = n } }
// WithSize sets the requested resolution (e.g. "1024x1024").
func WithSize(size string) Option { return func(r *Request) { r.Size = size } }
// WithSteps overrides the number of diffusion steps.
func WithSteps(n int) Option { return func(r *Request) { r.Steps = &n } }
// WithCFGScale overrides the classifier-free-guidance scale.
func WithCFGScale(s float64) Option { return func(r *Request) { r.CFGScale = &s } }
// WithNegativePrompt sets a negative prompt.
func WithNegativePrompt(s string) Option { return func(r *Request) { r.NegativePrompt = s } }
// WithSampler overrides the sampling method (e.g. "euler", "euler_a").
func WithSampler(s string) Option { return func(r *Request) { r.Sampler = s } }
// WithSeed fixes the RNG seed for reproducible output.
func WithSeed(seed int64) Option { return func(r *Request) { r.Seed = &seed } }
// Apply returns a copy of the request with all options applied. Providers call
// this once at the top of Generate.
func (r Request) Apply(opts ...Option) Request {
+15 -41
View File
@@ -5,16 +5,10 @@
// already satisfies the target's llm.Capabilities. Images that do not fit
// are decoded, downscaled (never upscaled), and re-encoded into an allowed
// format and byte budget. Anything that cannot honestly be made to fit —
// undecodable formats, impossible byte budgets, images for a text-only
// target — fails with an error wrapping llm.ErrUnsupported so a failover
// chain can advance to a more capable target without a health penalty.
//
// Over-count is the exception: a request carrying more images than
// MaxImagesPerReq does NOT fail — the oldest images are replaced with a short
// text placeholder and the most-recent MaxImagesPerReq are kept, because a hard
// refuse exhausts a chain whose targets share the same cap (e.g. an agent loop
// accumulating a preview image per iteration). MaxImagesPerReq remains the
// per-model knob (0 = no image support).
// undecodable formats, impossible byte budgets, too many images, images for
// a text-only target — fails with an error wrapping llm.ErrUnsupported so a
// failover chain can advance to a more capable target without a health
// penalty.
//
// Why a separate package: every provider would otherwise duplicate the same
// decode/scale/encode pipeline. Providers keep only a cheap capability
@@ -58,21 +52,15 @@ func Normalize(req llm.Request, caps llm.Capabilities) (llm.Request, error) {
if !caps.SupportsImages() {
return llm.Request{}, fmt.Errorf("media: %w: target does not accept image input (request carries %d image(s))", llm.ErrUnsupported, total)
}
// Over-cap images are elided in the same copy-on-write pass below: the
// OLDEST excess are replaced with a placeholder and the most-recent
// MaxImagesPerReq kept (see the package doc for why we elide rather than
// refuse). toElide is how many of the first images, front-to-back, to drop.
toElide := 0
// Why error instead of dropping the overflow: silently removing an image
// changes the question the caller asked; the honest move is to refuse and
// let a chain try a roomier target.
if total > caps.MaxImagesPerReq {
toElide = total - caps.MaxImagesPerReq
return llm.Request{}, fmt.Errorf("media: %w: request carries %d images, target allows at most %d per request", llm.ErrUnsupported, total, caps.MaxImagesPerReq)
}
// Single copy-on-write pass: for each image, the first toElide become a text
// placeholder; the rest are size-normalized against caps. The Messages slice
// and an affected message's Parts slice are copied at most once.
out := req
copiedMessages := false
seen := 0
for mi := range req.Messages {
copiedParts := false
for pi, part := range req.Messages[mi].Parts {
@@ -80,22 +68,13 @@ func Normalize(req llm.Request, caps llm.Capabilities) (llm.Request, error) {
if !ok {
continue
}
seen++
var replacement llm.Part
if seen <= toElide {
replacement = llm.Text(imageOverflowPlaceholder)
} else {
norm, changed, err := normalizeImage(ip, caps)
if err != nil {
return llm.Request{}, fmt.Errorf("media: message %d, part %d: %w", mi, pi, err)
}
if !changed {
continue
}
replacement = norm
norm, changed, err := normalizeImage(ip, caps)
if err != nil {
return llm.Request{}, fmt.Errorf("media: message %d, part %d: %w", mi, pi, err)
}
if !changed {
continue
}
if !copiedMessages {
out.Messages = make([]llm.Message, len(req.Messages))
copy(out.Messages, req.Messages)
@@ -107,17 +86,12 @@ func Normalize(req llm.Request, caps llm.Capabilities) (llm.Request, error) {
out.Messages[mi].Parts = parts
copiedParts = true
}
out.Messages[mi].Parts[pi] = replacement
out.Messages[mi].Parts[pi] = norm
}
}
return out, nil
}
// imageOverflowPlaceholder replaces an image elided to fit a target's
// per-request image cap. It keeps the message turn intact and tells the model
// an earlier image was omitted rather than silently changing the conversation.
const imageOverflowPlaceholder = "[earlier image omitted to fit this model's per-request image limit]"
// Info reports an image part's sniffed format ("jpeg", "png", "gif", or
// "webp") and pixel dimensions. It is a cheap metadata read — the pixels are
// never decoded. webp is recognized by signature but not decodable with the
+9 -39
View File
@@ -149,48 +149,18 @@ func TestNormalizeImagesUnsupported(t *testing.T) {
}
}
func TestNormalizeOverCount(t *testing.T) {
// 3 distinguishable images across 2 messages; cap = 2. Over-count no longer
// errors — the OLDEST image is replaced with a placeholder and the most-recent
// two (the relevant ones in an iterative run) are kept, in order.
a := llm.Image("image/png", encPNG(t, gradient(2, 2))).(llm.ImagePart)
b := llm.Image("image/png", encPNG(t, gradient(4, 4))).(llm.ImagePart)
c := llm.Image("image/png", encPNG(t, gradient(8, 8))).(llm.ImagePart)
func TestNormalizeTooManyImages(t *testing.T) {
img := llm.Image("image/png", encPNG(t, gradient(4, 4)))
req := llm.Request{Messages: []llm.Message{
llm.UserParts(a, b),
llm.UserParts(c),
llm.UserParts(img, img),
llm.UserParts(img),
}}
caps := llm.Capabilities{MaxImagesPerReq: 2, MaxImageDimension: 64, MaxImageBytes: 1 << 20, AllowedImageMIME: []string{"image/png"}}
out, err := Normalize(req, caps)
if err != nil {
t.Fatalf("over-count should not error: %v", err)
_, err := Normalize(req, llm.Capabilities{MaxImagesPerReq: 2})
if !errors.Is(err, llm.ErrUnsupported) {
t.Fatalf("err = %v, want ErrUnsupported", err)
}
var imgs []llm.ImagePart
placeholders := 0
for _, m := range out.Messages {
for _, p := range m.Parts {
switch v := p.(type) {
case llm.ImagePart:
imgs = append(imgs, v)
case llm.TextPart:
if v.Text == imageOverflowPlaceholder {
placeholders++
}
}
}
}
// The exact survivors are the most-recent two, in order: b then c (a elided).
if len(imgs) != 2 || !bytes.Equal(imgs[0].Data, b.Data) || !bytes.Equal(imgs[1].Data, c.Data) {
t.Fatalf("kept %d images; want exactly [b, c] (the most-recent two)", len(imgs))
}
if placeholders != 1 {
t.Errorf("placeholders = %d, want 1 for the elided oldest image", placeholders)
}
// Input request untouched (copy-on-write): the first part is still image a,
// not a placeholder — a len check alone wouldn't catch in-place substitution.
first, ok := req.Messages[0].Parts[0].(llm.ImagePart)
if !ok || !bytes.Equal(first.Data, a.Data) {
t.Errorf("input request was mutated; first part = %+v", req.Messages[0].Parts[0])
if !strings.Contains(err.Error(), "3 images") || !strings.Contains(err.Error(), "at most 2") {
t.Errorf("err message %q lacks the counts", err)
}
}
+32 -62
View File
@@ -5,7 +5,6 @@ import (
"encoding/base64"
"fmt"
"net/http"
"strconv"
"strings"
"gitea.stevedudenhoeffer.com/steve/majordomo/imagegen"
@@ -28,32 +27,25 @@ type imageModel struct {
id string
}
// txt2imgRequest is the stable-diffusion.cpp sd-server A1111 request shape
// (POST /sdapi/v1/txt2img). We use this endpoint rather than the OpenAI
// /v1/images/generations one because that endpoint IGNORES `seed` on this
// sd-server build — every render of a given prompt comes back byte-identical,
// so a batch of N collapses to one image. /sdapi/v1/txt2img honours `seed`,
// giving real variety. llama-swap still routes by the `model` field in the
// body. Optional fields are pointers/omitempty so an unset value falls back to
// the model's baked default (the per-model --steps/--cfg-scale/etc. flags).
type txt2imgRequest struct {
Model string `json:"model"`
Prompt string `json:"prompt"`
NegativePrompt string `json:"negative_prompt,omitempty"`
Seed *int64 `json:"seed,omitempty"`
Steps *int `json:"steps,omitempty"`
CFGScale *float64 `json:"cfg_scale,omitempty"`
Width *int `json:"width,omitempty"`
Height *int `json:"height,omitempty"`
SampleMethod string `json:"sample_method,omitempty"`
BatchCount int `json:"batch_count,omitempty"`
// imageRequest is the OpenAI /v1/images/generations request shape. We always
// request b64_json so the bytes come back inline (no second fetch).
type imageRequest struct {
Model string `json:"model"`
Prompt string `json:"prompt"`
N int `json:"n,omitempty"`
Size string `json:"size,omitempty"`
ResponseFormat string `json:"response_format"`
}
type txt2imgResponse struct {
Images []string `json:"images"`
type imageResponse struct {
Created int64 `json:"created"`
Data []struct {
B64JSON string `json:"b64_json"`
URL string `json:"url"`
} `json:"data"`
}
// Generate implements imagegen.Model via POST {base}/sdapi/v1/txt2img.
// Generate implements imagegen.Model via POST {base}/v1/images/generations.
func (m *imageModel) Generate(ctx context.Context, req imagegen.Request, opts ...imagegen.Option) (*imagegen.Result, error) {
req = req.Apply(opts...)
if strings.TrimSpace(req.Prompt) == "" {
@@ -63,35 +55,32 @@ func (m *imageModel) Generate(ctx context.Context, req imagegen.Request, opts ..
return nil, fmt.Errorf("%w: image count N must be >= 0, got %d", llm.ErrUnsupported, req.N)
}
width, height, err := parseSize(req.Size)
if err != nil {
return nil, fmt.Errorf("%w: %v", llm.ErrUnsupported, err)
}
wire := txt2imgRequest{
wire := imageRequest{
Model: m.id,
Prompt: req.Prompt,
NegativePrompt: req.NegativePrompt,
Seed: req.Seed,
Steps: req.Steps,
CFGScale: req.CFGScale,
Width: width,
Height: height,
SampleMethod: req.Sampler,
BatchCount: req.N,
N: req.N,
Size: req.Size,
ResponseFormat: "b64_json",
}
var resp txt2imgResponse
if err := m.p.doJSON(ctx, http.MethodPost, "/sdapi/v1/txt2img", m.id, &wire, &resp); err != nil {
var resp imageResponse
if err := m.p.doJSON(ctx, http.MethodPost, "/v1/images/generations", m.id, &wire, &resp); err != nil {
return nil, err
}
out := &imagegen.Result{Raw: &resp}
for i, b64 := range resp.Images {
if b64 == "" {
continue
for i, d := range resp.Data {
if d.B64JSON == "" {
// Why error rather than skip: a url-only entry means the backend
// ignored response_format; we don't fetch remote content (mirrors
// llm.ImagePart's bytes-only contract), so surface it.
return nil, &llm.APIError{
Provider: m.p.name,
Model: m.id,
Message: fmt.Sprintf("image %d returned no inline b64_json data", i),
}
}
raw, err := base64.StdEncoding.DecodeString(b64)
raw, err := base64.StdEncoding.DecodeString(d.B64JSON)
if err != nil {
return nil, fmt.Errorf("llama-swap: decode image %d: %w", i, err)
}
@@ -107,25 +96,6 @@ func (m *imageModel) Generate(ctx context.Context, req imagegen.Request, opts ..
return out, nil
}
// parseSize splits a "WxH" string into width/height pointers. "" yields
// (nil, nil) so the model's own default resolution applies.
func parseSize(size string) (*int, *int, error) {
size = strings.TrimSpace(size)
if size == "" {
return nil, nil, nil
}
parts := strings.SplitN(strings.ToLower(size), "x", 2)
if len(parts) != 2 {
return nil, nil, fmt.Errorf("invalid size %q (want WxH)", size)
}
w, err1 := strconv.Atoi(strings.TrimSpace(parts[0]))
h, err2 := strconv.Atoi(strings.TrimSpace(parts[1]))
if err1 != nil || err2 != nil || w <= 0 || h <= 0 {
return nil, nil, fmt.Errorf("invalid size %q (want WxH)", size)
}
return &w, &h, nil
}
// sniffImageMIME identifies the image format from its leading bytes, defaulting
// to image/png (stable-diffusion.cpp emits PNG) when detection is inconclusive.
func sniffImageMIME(data []byte) string {
+7 -46
View File
@@ -166,11 +166,11 @@ func TestRunningRaw(t *testing.T) {
func TestImageGenerate(t *testing.T) {
var gotBody map[string]any
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/sdapi/v1/txt2img" {
if r.URL.Path != "/v1/images/generations" {
t.Errorf("path = %q", r.URL.Path)
}
_ = json.NewDecoder(r.Body).Decode(&gotBody)
_, _ = w.Write([]byte(`{"images":["` + onePixelPNG + `"]}`))
_, _ = w.Write([]byte(`{"created":1,"data":[{"b64_json":"` + onePixelPNG + `"}]}`))
}))
defer srv.Close()
@@ -192,51 +192,12 @@ func TestImageGenerate(t *testing.T) {
if len(res.Images[0].Data) == 0 {
t.Error("decoded image has no bytes")
}
// Size is split into width/height ints for the A1111 endpoint.
if gotBody["width"] != float64(512) || gotBody["height"] != float64(512) {
t.Errorf("width/height = %v/%v, want 512/512", gotBody["width"], gotBody["height"])
// response_format must be forced to b64_json, and options applied.
if gotBody["response_format"] != "b64_json" {
t.Errorf("response_format = %v, want b64_json", gotBody["response_format"])
}
}
func TestImageGenerateSettings(t *testing.T) {
var gotBody map[string]any
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
_ = json.NewDecoder(r.Body).Decode(&gotBody)
_, _ = w.Write([]byte(`{"images":["` + onePixelPNG + `"]}`))
}))
defer srv.Close()
p := New(WithBaseURL(srv.URL), WithHTTPClient(srv.Client()))
im, _ := p.ImageModel("sd")
// Unset overrides must be omitted entirely so sd-server keeps its own
// per-model defaults.
if _, err := im.Generate(context.Background(), imagegen.Request{Prompt: "x"}); err != nil {
t.Fatalf("Generate: %v", err)
}
for _, k := range []string{"steps", "cfg_scale", "negative_prompt", "sample_method", "seed"} {
if v, ok := gotBody[k]; ok {
t.Errorf("unset request sent %q = %v, want omitted", k, v)
}
}
// Set overrides are forwarded with the sd-server-friendly field names.
gotBody = nil
_, err := im.Generate(context.Background(), imagegen.Request{Prompt: "x"},
imagegen.WithSteps(8),
imagegen.WithCFGScale(3.5),
imagegen.WithNegativePrompt("blurry"),
imagegen.WithSampler("euler"),
imagegen.WithSeed(42),
)
if err != nil {
t.Fatalf("Generate: %v", err)
}
want := map[string]any{"steps": float64(8), "cfg_scale": 3.5, "negative_prompt": "blurry", "sample_method": "euler", "seed": float64(42)}
for k, w := range want {
if gotBody[k] != w {
t.Errorf("%s = %v, want %v", k, gotBody[k], w)
}
if gotBody["size"] != "512x512" {
t.Errorf("size = %v, want 512x512", gotBody["size"])
}
}