Code Review

Also available: Markdown Β· Plain text

Code Review β€” Gnomad Desktop Assistant

Reviewed: 2026-05-31 (updated after hiring-feedback implementation)
Scope: src/, src-tauri/src/, workflows, agent/security paths

Summary

The app is a Tauri v2 + React 19 desktop assistant: tray/panel, global shortcut, OS context (active window, clipboard), cloud + local LLM chat with an agent tool loop, persistent PTY shell session, filesystem agent tools, Sudo Gate / Path Gate HITL, and structured error payloads end-to-end.

Area Status
Frontend build (npm run build) Pass
Rust tests (cargo test) Pass (error, privilege, shell_session)
LLM orchestration Cloud chat_completion_turn + tools; local Ollama + <gnomad-run> fallback
Structured errors GnomadError β†’ JSON in invoke Err(String); frontend parseInvokeError + AgentErrorBanner
App shell App.tsx ~400 lines; hooks + ChatView / SettingsPanel / gate modals
Elevation hardening Pre-flight injection blocks; Linux pkexec argv-only; macOS per-arg escaping

Architecture (high level)

Tray + Global Shortcut (lib.rs)
        β”‚
        β–Ό
React App shell (App.tsx) ──hooks──► useAgentExecution, useChatSubmit, …
        β”‚                              β”‚
        β–Ό                              β–Ό
ChatView / SettingsPanel ──invoke──► Tauri commands
                                     β”œβ”€β”€ agent_runtime / agent_fs
                                     β”œβ”€β”€ shell_session (PTY)
                                     β”œβ”€β”€ privilege.rs (safety + elevation)
                                     β”œβ”€β”€ error.rs (GnomadError payloads)
                                     └── context, keychain, llm, …

Agent error payload contract

Tauri commands still return Result<T, String>. During migration, error strings are JSON matching:

{
  "code": "safety_blocked",
  "message": "Human-readable summary",
  "detail": "Optional technical detail",
  "hint": "Optional remediation",
  "retryable": false
}

Frontend: src/lib/errors.ts β€” parseInvokeError, executionFailedLabel, formatErrorForUser.
UI: src/components/AgentErrorBanner.tsx on messages with errorPayload.

Stable code values are covered by error::tests::payload_codes_are_stable.

Strengths

  1. Module split β€” Rust agent, shell, privilege, FS; React hooks mirror execution concerns.
  2. HITL β€” Sudo Gate and Path Gate with explicit approve/deny.
  3. Defense in depth β€” Server-side safety before shell; elevation rejects injection patterns.
  4. Cross-platform awareness β€” platformInfo drives labels and capability flags.

Remaining gaps (priority)

P1 β€” Security / product

  1. Wave B error migration β€” βœ“ Shipped on LLM, planner, and chat history paths.
  2. Windows elevation β€” Structured elevation_unsupported; user must use elevated terminal for admin ops.
  3. Path Gate tokens β€” βœ“ Shipped β€” path_token.rs; boolean IPC bypass rejected.

P2 β€” Engineering

  1. Typed invoke errors β€” Optional future: Result<T, AgentErrorPayload> at Tauri boundary once JSON-in-string is stable everywhere.
  2. Vitest β€” βœ“ parseInvokeError tests in CI (npm run test).
  3. GGUF planner + local chat β€” In-process inference via optional embedded-llm feature; Ollama remains fallback.

Suggested next steps

  1. Generate updater signing keys per UPDATER.md and replace the placeholder pubkey in tauri.conf.json.
  2. End-to-end updater test once signing keys are configured.
  3. Snap / Flatpak manifests (community packaging).

File reference

File Role
src/App.tsx Thin shell, providers wiring
src/hooks/useAgentExecution.ts Shell cwd, gates, executeCommandSafely
src/hooks/useChatSubmit.ts Submit orchestration, agent loop
src/components/ChatView.tsx Messages, composer, context footer
src-tauri/src/error.rs GnomadError, AgentErrorPayload
src-tauri/src/privilege.rs Safety + elevation
src-tauri/src/shell_session.rs PTY session + validation