Skip to content

feat: Add trustguard-ai kit#235

Open
Tuhin402 wants to merge 15 commits into
Lamatic:mainfrom
Tuhin402:main
Open

feat: Add trustguard-ai kit#235
Tuhin402 wants to merge 15 commits into
Lamatic:mainfrom
Tuhin402:main

Conversation

@Tuhin402

@Tuhin402 Tuhin402 commented Jul 13, 2026

Copy link
Copy Markdown

Summary

This PR adds TrustGuard AI, a production-ready Lamatic AgentKit for detecting phishing, scams, fraudulent emails, SMS messages, URLs, and suspicious text using a multi-stage AI investigation pipeline.

The kit combines Lamatic Flows with a modern Next.js application to provide an end-to-end trust investigation experience.


What this Kit Includes

AI Investigation Pipeline

  • Investigation Planner
  • Evidence Extractor
  • Threat Analyzer
  • Decision Engine

Web Application

  • Modern responsive Next.js interface
  • Single-page investigation dashboard
  • Mobile friendly UI
  • Real-time investigation results
  • Users can perform multiple investigations without refreshing the page

Supported Inputs

  • Email
  • SMS
  • URLs
  • General text
  • Documents (through Lamatic flow support)

Investigation Output

The pipeline returns structured investigation results including:

  • Investigation metadata
  • Normalized content
  • Extracted evidence
  • Threat analysis
  • Final security decision

Tech Stack

  • Lamatic AI
  • Next.js
  • React
  • TypeScript
  • Tailwind CSS
  • Gemini 3 Flash Preview

Included Files

  • lamatic.config.ts
  • README.md
  • agent.md
  • Exported Lamatic Flow
  • Next.js application
  • .env.example
  • Deployment configuration

Local Verification

  • npm install
  • npm run dev

The application runs successfully in local development.


Checklist

  • Kit contribution
  • Single project only
  • No secrets committed
  • README included
  • agent.md included
  • .env.example contains placeholders only
  • Lamatic flow exported
  • Next.js application included
  • Local development verified
  • Added TrustGuard AI kit:

    • kits/trustguard-ai/.gitignore
    • kits/trustguard-ai/README.md
    • kits/trustguard-ai/agent.md
    • kits/trustguard-ai/constitutions/default.md
    • kits/trustguard-ai/lamatic.config.ts
    • kits/trustguard-ai/flows/trustguard-ai.ts (Lamatic flow definition)
  • Added Lamatic flow assets (prompts + model configs for the 4 chained instructor stages):

    • Model configs:
      • kits/trustguard-ai/model-configs/trustguard-ai_instructor-llmnode-352_generative-model-name.ts
      • kits/trustguard-ai/model-configs/trustguard-ai_instructor-llmnode-381_generative-model-name.ts
      • kits/trustguard-ai/model-configs/trustguard-ai_instructor-llmnode-847_generative-model-name.ts
      • kits/trustguard-ai/model-configs/trustguard-ai_instructor-llmnode-849_generative-model-name.ts
    • Prompts:
      • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-381_system_0.md
      • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-381_user_1.md
      • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-849_system_0.md
      • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-849_user_1.md
      • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-847_system_0.md
      • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-847_user_1.md
      • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-352_system_0.md
      • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-352_user_1.md
  • Added TrustGuard AI Next.js dashboard (App Router) + server integration:

    • kits/trustguard-ai/apps/.env.example
    • kits/trustguard-ai/apps/.gitignore
    • kits/trustguard-ai/apps/README.md
    • kits/trustguard-ai/apps/package.json
    • kits/trustguard-ai/apps/package-lock.json
    • kits/trustguard-ai/apps/tsconfig.json
    • kits/trustguard-ai/apps/next.config.ts
    • kits/trustguard-ai/apps/eslint.config.mjs
    • kits/trustguard-ai/apps/postcss.config.mjs
    • kits/trustguard-ai/apps/actions/runInvestigation.ts
    • kits/trustguard-ai/apps/lib/lamatic.ts
    • kits/trustguard-ai/apps/lib/schemas.ts
    • kits/trustguard-ai/apps/lib/types.ts
    • kits/trustguard-ai/apps/lib/utils.ts
    • kits/trustguard-ai/apps/types/response.ts
    • kits/trustguard-ai/apps/app/layout.tsx
    • kits/trustguard-ai/apps/app/loading.tsx
    • kits/trustguard-ai/apps/app/error.tsx
    • kits/trustguard-ai/apps/app/page.tsx
    • kits/trustguard-ai/apps/app/globals.css
    • kits/trustguard-ai/apps/app/favicon.ico
    • UI components:
      • kits/trustguard-ai/apps/components/Header.tsx
      • kits/trustguard-ai/apps/components/Footer.tsx
      • kits/trustguard-ai/apps/components/InputForm.tsx
      • kits/trustguard-ai/apps/components/LoadingSpinner.tsx
      • kits/trustguard-ai/apps/components/Badge.tsx
      • kits/trustguard-ai/apps/components/ResultCards.tsx
      • kits/trustguard-ai/apps/components/EvidenceCard.tsx
      • kits/trustguard-ai/apps/components/ThreatCard.tsx
      • kits/trustguard-ai/apps/components/RiskMeter.tsx
      • kits/trustguard-ai/apps/components/DecisionCard.tsx
    • Static assets:
      • kits/trustguard-ai/apps/public/lamatic-logo.png
      • kits/trustguard-ai/apps/public/trustguard-logo.png
      • kits/trustguard-ai/apps/public/file.svg
      • kits/trustguard-ai/apps/public/globe.svg
      • kits/trustguard-ai/apps/public/window.svg
      • kits/trustguard-ai/apps/public/next.svg
      • kits/trustguard-ai/apps/public/vercel.svg

Flow (no flow.json found; flows/trustguard-ai.ts defines the graph)

  • Node types introduced in the flow:

    • triggerNode (triggerNode_1, “API Request”)
    • dynamicNode (4 chained InstructorLLMNode_* stages)
    • responseNode (responseNode_triggerNode_1, “API Response”)
  • How it works (high level):

    • Trigger takes advance_schema fields: input_type, content, attachment_url, language, memory_enabled, tenant_id, user_id
    • Stage chain:
      1. InstructorLLMNode_381 (Investigation Planner) → outputs investigation + normalized
      2. InstructorLLMNode_849 (Evidence Extractor) → outputs evidence
      3. InstructorLLMNode_847 (Threat Analyzer) → outputs analysis
      4. InstructorLLMNode_352 (Decision Engine) → outputs decision
    • Response mapping (outputMapping) returns:
      • investigation, normalized, evidence, analysis, decision
      • metadata: { workflow: "trustguard-ai", version: "1.0.0" }

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 84491777-70b7-4873-baaf-9ddd0f32c6c0

📥 Commits

Reviewing files that changed from the base of the PR and between 8c2bfc5 and c9adc00.

📒 Files selected for processing (1)
  • kits/trustguard-ai/apps/app/page.tsx

Walkthrough

The change adds a TrustGuard AI kit with a four-stage Lamatic investigation flow, typed and validated server execution, environment and application configuration, and a Next.js interface for submitting investigations and displaying evidence, threat analysis, and decisions.

Changes

TrustGuard AI Kit

Layer / File(s) Summary
Investigation flow and agent contracts
kits/trustguard-ai/flows/..., kits/trustguard-ai/prompts/..., kits/trustguard-ai/model-configs/..., kits/trustguard-ai/constitutions/..., kits/trustguard-ai/README.md, kits/trustguard-ai/agent.md
Defines the four-stage investigation pipeline, prompts, model configurations, response mapping, guardrails, documentation, and kit metadata.
Typed runtime and Lamatic execution
kits/trustguard-ai/apps/types/..., kits/trustguard-ai/apps/lib/..., kits/trustguard-ai/apps/actions/...
Adds response contracts, Zod validation, Lamatic client access, server-action execution, and shared formatting helpers.
Investigation interface and result rendering
kits/trustguard-ai/apps/app/..., kits/trustguard-ai/apps/components/...
Adds the controlled investigation form, loading and error states, navigation, animated result cards, evidence and threat visualizations, decision display, and shared UI components.
Application packaging and developer setup
kits/trustguard-ai/apps/*.config.*, kits/trustguard-ai/apps/tsconfig.json, kits/trustguard-ai/apps/.gitignore, kits/trustguard-ai/apps/.env.example, kits/trustguard-ai/apps/README.md, kits/trustguard-ai/apps/package.json
Adds Next.js, PostCSS, ESLint, TypeScript, dependency, environment, ignore-file, and frontend setup configuration.

Suggested reviewers: amanintech, d-pamneja

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding the TrustGuard AI kit.
Description check ✅ Passed The description covers the kit’s purpose, components, stack, verification, and checklist items, matching the template closely.
Docstring Coverage ✅ Passed Docstring coverage is 82.76% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

:robot_face: AgentKit Structural Validation

New Contributions Detected

  • Kit: kits/trustguard-ai

Check Results

Check Status
No edits to existing kits ✅ Pass
Required root files present ✅ Pass
Flow .ts files present ✅ Pass
lamatic.config.ts valid ✅ Pass
No changes outside kits/ ✅ Pass

⚠️ Warnings

  • kits/trustguard-ai is missing .env.example — bundles and kits should include one

🎉 All checks passed! This contribution follows the AgentKit structure.

@github-actions

Copy link
Copy Markdown
Contributor

Failure recorded at 2026-07-13T12:26:20Z UTC. If this PR is not fixed within 4 weeks it will be automatically closed.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 27

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
kits/trustguard-ai/apps/README.md (1)

1-37: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider adding TrustGuard AI-specific setup instructions.

This is stock create-next-app boilerplate with no mention of TrustGuard AI, the investigation pipeline, required environment variables (e.g., Lamatic API credentials), or how the app connects to the flow. A developer cloning the repo would need to discover all of this independently.

Adding a short "TrustGuard AI Setup" section covering env vars, the Lamatic flow dependency, and how to run the investigation dashboard would meaningfully improve onboarding.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/apps/README.md` around lines 1 - 37, Add a TrustGuard AI
Setup section to the README alongside the existing Getting Started content,
documenting required environment variables such as Lamatic API credentials, the
dependent Lamatic investigation flow, and the commands or steps needed to run
and access the investigation dashboard. Replace or supplement the generic
boilerplate with project-specific onboarding while retaining useful Next.js
startup details.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/lamatic-update.yml:
- Around line 10-26: Add workflow-level permissions and concurrency controls to
the workflow containing the detect-flow-changes job: restrict GITHUB_TOKEN to
contents: read, and define a concurrency group based on the relevant
workflow/ref context with an appropriate overlap policy so rapid pushes cannot
run sync jobs concurrently. Leave the existing checkout and Lamatic sync
configuration unchanged.

In `@kits/trustguard-ai/apps/.gitignore`:
- Around line 33-34: Update the env ignore rules in the gitignore so the broad
.env* pattern still ignores environment files while explicitly allowing
.env.example to be committed.

In `@kits/trustguard-ai/apps/actions/runInvestigation.ts`:
- Around line 34-35: Replace the unchecked InvestigationResponse cast in the
successful response branch of runInvestigation with runtime validation of
response.result, ensuring required fields and collection values have the
expected shapes before returning data. Reject or handle invalid results through
the existing failure path so downstream consumers such as EvidenceCard only
receive validated InvestigationResponse data.
- Around line 42-46: Sanitize errors in the catch block of runInvestigation
before returning the client-facing error field. Replace raw messages from
getLamaticClient or executeFlow with a generic user-safe message, while
retaining detailed error information only through the established server-side
logging mechanism if available.

In `@kits/trustguard-ai/apps/app/error.tsx`:
- Around line 23-25: Replace the inline warning SVG with the lucide-react
TriangleAlert icon in kits/trustguard-ai/apps/app/error.tsx lines 23-25 and
kits/trustguard-ai/apps/components/ThreatCard.tsx lines 32-34, adding the
required import in each file and preserving the existing icon sizing and
styling.

In `@kits/trustguard-ai/apps/app/globals.css`:
- Line 57: Remove the stale `#__next` selector from the global CSS selector list,
while preserving the main, header, footer, and section selectors and their
existing styles.
- Line 1: The font configuration is split between the Google Fonts CDN and
next/font. In kits/trustguard-ai/apps/app/globals.css lines 1-1 and 36, remove
the CDN `@import` and change the body font-family to var(--font-inter);
kits/trustguard-ai/apps/app/layout.tsx lines 6-10 requires no direct change
because its next/font configuration will then be used.

In `@kits/trustguard-ai/apps/app/page.tsx`:
- Line 83: Update the gradient utility class on the highlighted span in the page
component from bg-gradient-to-r to Tailwind v4’s bg-linear-to-r so the text
retains its intended cyan-blue gradient.

In `@kits/trustguard-ai/apps/components/DecisionCard.tsx`:
- Around line 26-28: Replace the inline SVG checkmark and person icons in
DecisionCard.tsx, including the additional icon near lines 73-75, with the
lucide-react CheckCircle2 and User components. In EvidenceCard.tsx, replace
every emoji in SECTION_CONFIG with the specified lucide-react icon components
and update the icon field type and rendering to accept React components; apply
the changes at DecisionCard.tsx lines 26-28 and EvidenceCard.tsx lines 13-22.

In `@kits/trustguard-ai/apps/components/EvidenceCard.tsx`:
- Line 31: Update the evidence checks in EvidenceCard, including the hasAny
calculation and the corresponding logic around line 56, to safely handle missing
or null section fields before reading their length. Preserve the existing
behavior for present arrays while treating undefined or null values as empty
arrays.

In `@kits/trustguard-ai/apps/components/Header.tsx`:
- Line 34: Update the center title container’s className in the Header
component, replacing the incomplete “hidden sm” combination with the valid
responsive utility “hidden sm:flex” while preserving the remaining positioning
and flex classes.
- Around line 76-89: Update the Lamatic logo error handling in the Header image
and fallback span so an image load failure both hides the broken Image and
reveals the fallback text by removing its hidden state. Keep the normal
successful-image rendering unchanged.

In `@kits/trustguard-ai/apps/components/InputForm.tsx`:
- Line 150: Update the button’s className in InputForm to replace the deprecated
bg-gradient-to-r utility with Tailwind v4’s bg-linear-to-r utility, preserving
all other styling classes unchanged.

In `@kits/trustguard-ai/apps/components/LoadingSpinner.tsx`:
- Around line 14-21: Update the SVG element in LoadingSpinner to include
role="status" and aria-live="polite" alongside the existing aria-label, ensuring
screen readers announce the loading state when the spinner appears.

In `@kits/trustguard-ai/apps/components/ResultCards.tsx`:
- Around line 118-120: Replace the inline search and list SVGs in ResultCards
with the corresponding Search and List icons from lucide-react, preserving their
existing sizing and visual placement. Add lucide-react to the app’s package.json
dependencies and import the icons from it.
- Around line 14-29: Remove the entrance animation props from InfoCard,
including its initial, animate, and transition settings, so CardWrapper is the
sole owner of the card entrance animation. Preserve InfoCard’s layout, styling,
and content behavior, and keep CardWrapper’s animation unchanged for all card
types.

In `@kits/trustguard-ai/apps/components/RiskMeter.tsx`:
- Around line 36-86: Add an accessible label to the root container returned by
RiskMeter so screen readers receive the risk score and its associated label,
including the clamped percentage value. Use an appropriate ARIA labeling
attribute or role on that container without changing the existing visual
rendering.

In `@kits/trustguard-ai/apps/components/ThreatCard.tsx`:
- Around line 16-20: Remove the unused riskScore and confidenceScore
declarations from ThreatCard, and update normalise to clamp the result in both
the decimal-conversion branch and the existing percentage branch, ensuring
negative or out-of-range values cannot produce unbounded percentages.

In `@kits/trustguard-ai/apps/lib/lamatic.ts`:
- Around line 1-5: Add a side-effect import of the "server-only" module at the
top of the Lamatic singleton factory, alongside the existing Lamatic import, so
client-side imports fail at build time while preserving the current server-only
implementation.

In `@kits/trustguard-ai/apps/lib/utils.ts`:
- Around line 81-90: Update getIndicatorLevelColor to include a default fallback
return for unexpected level values, matching the established fallback behavior
of getSeverityColor and getDecisionColor so the badge always receives styling
classes.

In `@kits/trustguard-ai/apps/next.config.ts`:
- Around line 5-6: Resolve the mismatch between the comment and the
`remotePatterns` configuration: if external HTTPS attachment previews are
intended, add the corresponding unrestricted HTTPS remote pattern; otherwise
update the comment to state that no external image sources are currently
allowed. Keep the chosen behavior and comment consistent.

In `@kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-352_user_1.md`:
- Around line 7-14: In the Decision Engine prompt, remove the Evidence node
entity-output instructions, including the requirement for non-empty entities and
the listed security-relevant examples; keep those instructions only in the
Evidence Extractor prompt. Also replace every needs_human_review reference in
the example or guidance with the schema’s human_review field name, preserving
the existing enum values.

In `@kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-381_user_1.md`:
- Line 10: Update the investigation creation flow to generate the INV identifier
programmatically rather than asking the LLM for random characters. Keep the
required INV- prefix and eight uppercase alphanumeric characters, and have the
prompt request only the title and category while preserving their existing
constraints.

In `@kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-847_system_0.md`:
- Around line 24-29: Update the output field list in the system prompt to use
the schema names severity and matched_patterns instead of risk_level and
threat_patterns, and add the indicators object with high, medium, and low
arrays. Keep the existing risk_score, confidence, missing_information, and
reasoning_summary fields unchanged.

In `@kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-849_user_1.md`:
- Line 1: Reformat the prompt in the trustguard extraction template into a
structured multi-line layout, placing each extraction instruction—URLs, domains,
email addresses, phone numbers, currency amounts, brand names, urgency phrases,
attachments, languages, and named entities—on its own line while preserving the
normalized object reference and JSON-only schema requirement.

In `@kits/trustguard-ai/README.md`:
- Around line 139-145: Update the README folder-structure listing for lib/ to
include the types.ts and utils.ts files alongside lamatic.ts, with concise
descriptions matching their roles in the project.

In `@lamatic/flows/RichNail-7165.ts`:
- Around line 463-475: Remove the unnecessary async declarations from
getNodesAndEdges and getFlowConfig, returning their existing flowConfig values
synchronously. Verify and update any callers that await these functions so they
use the synchronous return contract, unless the surrounding API explicitly
requires Promises.

---

Outside diff comments:
In `@kits/trustguard-ai/apps/README.md`:
- Around line 1-37: Add a TrustGuard AI Setup section to the README alongside
the existing Getting Started content, documenting required environment variables
such as Lamatic API credentials, the dependent Lamatic investigation flow, and
the commands or steps needed to run and access the investigation dashboard.
Replace or supplement the generic boilerplate with project-specific onboarding
while retaining useful Next.js startup details.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 706b4bc9-a94e-4c72-bc44-0162af66237f

📥 Commits

Reviewing files that changed from the base of the PR and between aabc909 and bd9c44d.

⛔ Files ignored due to path filters (9)
  • kits/trustguard-ai/apps/app/favicon.ico is excluded by !**/*.ico
  • kits/trustguard-ai/apps/package-lock.json is excluded by !**/package-lock.json
  • kits/trustguard-ai/apps/public/file.svg is excluded by !**/*.svg
  • kits/trustguard-ai/apps/public/globe.svg is excluded by !**/*.svg
  • kits/trustguard-ai/apps/public/lamatic-logo.png is excluded by !**/*.png
  • kits/trustguard-ai/apps/public/next.svg is excluded by !**/*.svg
  • kits/trustguard-ai/apps/public/trustguard-logo.png is excluded by !**/*.png
  • kits/trustguard-ai/apps/public/vercel.svg is excluded by !**/*.svg
  • kits/trustguard-ai/apps/public/window.svg is excluded by !**/*.svg
📒 Files selected for processing (50)
  • .github/workflows/lamatic-update.yml
  • kits/trustguard-ai/.gitignore
  • kits/trustguard-ai/README.md
  • kits/trustguard-ai/agent.md
  • kits/trustguard-ai/apps/.gitignore
  • kits/trustguard-ai/apps/AGENTS.md
  • kits/trustguard-ai/apps/CLAUDE.md
  • kits/trustguard-ai/apps/README.md
  • kits/trustguard-ai/apps/actions/runInvestigation.ts
  • kits/trustguard-ai/apps/app/error.tsx
  • kits/trustguard-ai/apps/app/globals.css
  • kits/trustguard-ai/apps/app/layout.tsx
  • kits/trustguard-ai/apps/app/loading.tsx
  • kits/trustguard-ai/apps/app/page.tsx
  • kits/trustguard-ai/apps/components/Badge.tsx
  • kits/trustguard-ai/apps/components/DecisionCard.tsx
  • kits/trustguard-ai/apps/components/EvidenceCard.tsx
  • kits/trustguard-ai/apps/components/Footer.tsx
  • kits/trustguard-ai/apps/components/Header.tsx
  • kits/trustguard-ai/apps/components/InputForm.tsx
  • kits/trustguard-ai/apps/components/LoadingSpinner.tsx
  • kits/trustguard-ai/apps/components/ResultCards.tsx
  • kits/trustguard-ai/apps/components/RiskMeter.tsx
  • kits/trustguard-ai/apps/components/ThreatCard.tsx
  • kits/trustguard-ai/apps/eslint.config.mjs
  • kits/trustguard-ai/apps/lib/lamatic.ts
  • kits/trustguard-ai/apps/lib/types.ts
  • kits/trustguard-ai/apps/lib/utils.ts
  • kits/trustguard-ai/apps/next.config.ts
  • kits/trustguard-ai/apps/package.json
  • kits/trustguard-ai/apps/postcss.config.mjs
  • kits/trustguard-ai/apps/tsconfig.json
  • kits/trustguard-ai/apps/types/response.ts
  • kits/trustguard-ai/constitutions/default.md
  • kits/trustguard-ai/flows/trustguard-ai.ts
  • kits/trustguard-ai/lamatic.config.ts
  • kits/trustguard-ai/model-configs/trustguard-ai_instructor-llmnode-352_generative-model-name.ts
  • kits/trustguard-ai/model-configs/trustguard-ai_instructor-llmnode-381_generative-model-name.ts
  • kits/trustguard-ai/model-configs/trustguard-ai_instructor-llmnode-847_generative-model-name.ts
  • kits/trustguard-ai/model-configs/trustguard-ai_instructor-llmnode-849_generative-model-name.ts
  • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-352_system_0.md
  • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-352_user_1.md
  • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-381_system_0.md
  • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-381_user_1.md
  • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-847_system_0.md
  • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-847_user_1.md
  • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-849_system_0.md
  • kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-849_user_1.md
  • lamatic/flows/RichNail-7165.ts
  • lamatic/project.json

Comment thread .github/workflows/lamatic-update.yml Outdated
Comment on lines +10 to +26
jobs:
detect-flow-changes:
environment: main
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, '[LAMATIC-COMMIT]')"
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Sync Flows to lamatic
uses: Lamatic/sync-flows-to-lamatic@v1
with:
lamatic-endpoint: ${{ secrets.LAMATIC_PROJECT_ENDPOINT }}
api-key: ${{ secrets.LAMATIC_PROJECT_API_KEY }}
project-id: ${{ secrets.LAMATIC_PROJECT_ID }}
auto-deploy: ${{ secrets.LAMATIC_AUTO_DEPLOY_PROJECT }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add explicit permissions and concurrency controls to the workflow.

The workflow lacks a permissions block, so it inherits the default token scope (often contents: write or broader). Since this job only checks out the repo and calls an external action, it should be locked down to contents: read. Additionally, without a concurrency group, rapid successive pushes can trigger overlapping sync jobs that race against each other.

🔒️ Proposed hardening
 jobs:
   detect-flow-changes:
     environment: main
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     if: "!contains(github.event.head_commit.message, '[LAMATIC-COMMIT]')"
+    permissions:
+      contents: read
+    concurrency:
+      group: lamatic-sync-${{ github.ref }}
+      cancel-in-progress: true
     steps:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
jobs:
detect-flow-changes:
environment: main
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, '[LAMATIC-COMMIT]')"
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Sync Flows to lamatic
uses: Lamatic/sync-flows-to-lamatic@v1
with:
lamatic-endpoint: ${{ secrets.LAMATIC_PROJECT_ENDPOINT }}
api-key: ${{ secrets.LAMATIC_PROJECT_API_KEY }}
project-id: ${{ secrets.LAMATIC_PROJECT_ID }}
auto-deploy: ${{ secrets.LAMATIC_AUTO_DEPLOY_PROJECT }}
jobs:
detect-flow-changes:
environment: main
runs-on: ubuntu-latest
timeout-minutes: 10
if: "!contains(github.event.head_commit.message, '[LAMATIC-COMMIT]')"
permissions:
contents: read
concurrency:
group: lamatic-sync-${{ github.ref }}
cancel-in-progress: true
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Sync Flows to lamatic
uses: Lamatic/sync-flows-to-lamatic@v1
with:
lamatic-endpoint: ${{ secrets.LAMATIC_PROJECT_ENDPOINT }}
api-key: ${{ secrets.LAMATIC_PROJECT_API_KEY }}
project-id: ${{ secrets.LAMATIC_PROJECT_ID }}
auto-deploy: ${{ secrets.LAMATIC_AUTO_DEPLOY_PROJECT }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lamatic-update.yml around lines 10 - 26, Add
workflow-level permissions and concurrency controls to the workflow containing
the detect-flow-changes job: restrict GITHUB_TOKEN to contents: read, and define
a concurrency group based on the relevant workflow/ref context with an
appropriate overlap policy so rapid pushes cannot run sync jobs concurrently.
Leave the existing checkout and Lamatic sync configuration unchanged.

Comment thread kits/trustguard-ai/apps/.gitignore
Comment thread kits/trustguard-ai/apps/actions/runInvestigation.ts Outdated
Comment thread kits/trustguard-ai/apps/actions/runInvestigation.ts
Comment on lines +23 to +25
<svg className="h-7 w-7" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
</svg>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Inline SVGs should be replaced with lucide-react icons. Per coding guidelines for kit Next.js apps, lucide-react should be used for icons. Both files hand-roll inline <svg> elements instead.

  • kits/trustguard-ai/apps/app/error.tsx#L23-L25: Replace the warning triangle SVG with TriangleAlert from lucide-react.
  • kits/trustguard-ai/apps/components/ThreatCard.tsx#L32-L34: Replace the warning triangle SVG with TriangleAlert from lucide-react.
📍 Affects 2 files
  • kits/trustguard-ai/apps/app/error.tsx#L23-L25 (this comment)
  • kits/trustguard-ai/apps/components/ThreatCard.tsx#L32-L34
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/apps/app/error.tsx` around lines 23 - 25, Replace the
inline warning SVG with the lucide-react TriangleAlert icon in
kits/trustguard-ai/apps/app/error.tsx lines 23-25 and
kits/trustguard-ai/apps/components/ThreatCard.tsx lines 32-34, adding the
required import in each file and preserving the existing icon sizing and
styling.

Source: Coding guidelines

{{triggerNode_1.output.attachment_url}}
Language:
{{triggerNode_1.output.language}}
Create a unique investigation. Generate: id: INV-<8 random uppercase letters or digits> Example: INV-7KX29PQM title: Generate a concise title describing the investigation in fewer than 8 words. Examples: Prize Scam Email Suspicious Banking SMS Fake Job Offer Telegram Crypto Fraud, also generate a category like - Email, SMS, Website, Telegram, WhatsApp, Attachment, Call, QR Code.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

LLM-generated random IDs are unreliable for uniqueness.

Instructing the LLM to generate INV-<8 random uppercase letters or digits> is problematic — LLMs are deterministic text generators, not RNGs. Collisions are likely across investigations, especially under high volume. If this ID is used for tracking or persistence, generate it programmatically in the flow or application layer instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-381_user_1.md` at
line 10, Update the investigation creation flow to generate the INV identifier
programmatically rather than asking the LLM for random characters. Keep the
required INV- prefix and eight uppercase alphanumeric characters, and have the
prompt request only the title and category while preserving their existing
constraints.

Comment on lines +24 to +29
Generate:
• risk_score (0-100)• risk_level (derive it from risk_score)
• confidence (0-100)
• threat_patterns (example - Lottery Scam, Credential Harvesting, Business Email Compromise, Tech Support Scam, Investment Fraud, Remote Access Scam)
• missing_information
• reasoning_summary

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Align prompt field names with the flow schema — risk_levelseverity, threat_patternsmatched_patterns, add indicators.

The system prompt instructs the LLM to generate risk_level and threat_patterns, but the node 847 schema defines severity and matched_patterns. The indicators object (with high/medium/low arrays) is also absent from the prompt despite being in the schema. This misalignment risks the LLM producing fields that don't map to the schema, resulting in missing or null values in the threat analysis output.

🔧 Proposed fix to align prompt with schema
 Generate:
-• risk_score (0-100)• risk_level (derive it from risk_score)
-• confidence (0-100)
-• threat_patterns (example - Lottery Scam, Credential Harvesting, Business Email Compromise, Tech Support Scam, Investment Fraud, Remote Access Scam)
-• missing_information
-• reasoning_summary
+• risk_score (0-100)
+• severity (derive it from risk_score: LOW, MEDIUM, HIGH, CRITICAL)
+• confidence (0-100)
+• indicators (object with "high", "medium", "low" arrays — classify every indicator into the appropriate array)
+• matched_patterns (example - Lottery Scam, Credential Harvesting, Business Email Compromise, Tech Support Scam, Investment Fraud, Remote Access Scam)
+• missing_information
+• reasoning_summary
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Generate:
• risk_score (0-100)• risk_level (derive it from risk_score)
• confidence (0-100)
• threat_patterns (example - Lottery Scam, Credential Harvesting, Business Email Compromise, Tech Support Scam, Investment Fraud, Remote Access Scam)
• missing_information
• reasoning_summary
Generate:
• risk_score (0-100)
• severity (derive it from risk_score: LOW, MEDIUM, HIGH, CRITICAL)
• confidence (0-100)
• indicators (object with "high", "medium", "low" arrays — classify every indicator into the appropriate array)
• matched_patterns (example - Lottery Scam, Credential Harvesting, Business Email Compromise, Tech Support Scam, Investment Fraud, Remote Access Scam)
• missing_information
• reasoning_summary
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-847_system_0.md`
around lines 24 - 29, Update the output field list in the system prompt to use
the schema names severity and matched_patterns instead of risk_level and
threat_patterns, and add the indicators object with high, medium, and low
arrays. Keep the existing risk_score, confidence, missing_information, and
reasoning_summary fields unchanged.

@@ -0,0 +1 @@
Extract all observable evidence. Normalized Object: {{InstructorLLMNode_381.output.normalized}} Return ONLY JSON matching the schema. Extract URLs. Extract Domains. Extract Email Addresses. Extract Phone Numbers. Extract Currency Amounts. Extract Brand Names. Extract Urgency Phrases. Extract Attachments. Extract Languages. Extract Named Entities. No newline at end of file

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Break the single-line prompt into structured multi-line format.

All extraction instructions are crammed into one line, making it hard to maintain and increasing the risk of the LLM overlooking individual tasks. Consider line breaks per extraction type for clarity and better LLM adherence.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/prompts/trustguard-ai_instructor-llmnode-849_user_1.md` at
line 1, Reformat the prompt in the trustguard extraction template into a
structured multi-line layout, placing each extraction instruction—URLs, domains,
email addresses, phone numbers, currency amounts, brand names, urgency phrases,
attachments, languages, and named entities—on its own line while preserving the
normalized object reference and JSON-only schema requirement.

Comment thread kits/trustguard-ai/README.md
Comment thread lamatic/flows/RichNail-7165.ts Outdated
Comment on lines +463 to +475
export async function getNodesAndEdges(): Promise<{
nodes: Record<string, any>[],
edges: Record<string, any>[],
}> {
return {
nodes: flowConfig.nodes,
edges: flowConfig.edges,
}
}

export async function getFlowConfig(): Promise<Record<string, any>> {
return flowConfig;
} No newline at end of file

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Async functions wrap synchronous static returns.

getNodesAndEdges and getFlowConfig are declared async but perform no asynchronous operations — they return the static flowConfig object directly. This is harmless but adds unnecessary Promise overhead and misleads callers into expecting I/O.

♻️ Proposed refactor: drop unnecessary async
-export async function getNodesAndEdges(): Promise<{
+export function getNodesAndEdges(): {
     nodes: Record<string, any>[],
     edges: Record<string, any>[],
-}> {
+} {
     return {
         nodes: flowConfig.nodes,
         edges: flowConfig.edges,
     }
 }
 
-export async function getFlowConfig(): Promise<Record<string, any>> {
+export function getFlowConfig(): Record<string, any> {
     return flowConfig;
 }

If callers depend on the Promise return, keep async but add a comment explaining the contract.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
export async function getNodesAndEdges(): Promise<{
nodes: Record<string, any>[],
edges: Record<string, any>[],
}> {
return {
nodes: flowConfig.nodes,
edges: flowConfig.edges,
}
}
export async function getFlowConfig(): Promise<Record<string, any>> {
return flowConfig;
}
export function getNodesAndEdges(): {
nodes: Record<string, any>[],
edges: Record<string, any>[],
} {
return {
nodes: flowConfig.nodes,
edges: flowConfig.edges,
}
}
export function getFlowConfig(): Record<string, any> {
return flowConfig;
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@lamatic/flows/RichNail-7165.ts` around lines 463 - 475, Remove the
unnecessary async declarations from getNodesAndEdges and getFlowConfig,
returning their existing flowConfig values synchronously. Verify and update any
callers that await these functions so they use the synchronous return contract,
unless the surrounding API explicitly requires Promises.

@Tuhin402

Copy link
Copy Markdown
Author

Hi Lamatic team,
This PR is submitted as part of the AgentKit Challenge.
Could someone please add the agentkit-challenge label?
Thank you!

@akshatvirmani

Copy link
Copy Markdown
Contributor

/validate

@github-actions

Copy link
Copy Markdown
Contributor

📡 Running Studio validation — results will appear here shortly.

@github-actions

Copy link
Copy Markdown
Contributor

Studio Runtime Validation (Phase 2)

Studio validation passed. The kit loaded successfully in Lamatic Studio.

This PR is ready for final review and merge.

@akshatvirmani

Copy link
Copy Markdown
Contributor

@Tuhin402 please resolve the coderabbit comments above

@github-actions

Copy link
Copy Markdown
Contributor

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@Tuhin402

Copy link
Copy Markdown
Author

@Tuhin402 please resolve the coderabbit comments above

the /validate warning from coderabbit says the kit is forced to run on node.js v24 but my kit has v20, so github says it is a deprecated model, now for this on the runtime environment, there is so such issue, it can run seamlessly, so do I still need to update the node version?

@github-actions

Copy link
Copy Markdown
Contributor

📡 Running Studio validation — results will appear here shortly.

@coderabbitai
coderabbitai Bot requested a review from d-pamneja July 16, 2026 07:06
@Tuhin402

Copy link
Copy Markdown
Author

I've addressed the actionable CodeRabbit feedback related to runtime validation, error handling, prompt/schema alignment, and documentation. The remaining Node.js warning comes from GitHub Actions (actions/checkout@v4) and is an upstream deprecation notice rather than an issue in this kit.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

♻️ Duplicate comments (4)
kits/trustguard-ai/apps/components/ResultCards.tsx (1)

22-29: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Eliminate compounding nested animations on result cards.

Agent, we're seeing double. The CardWrapper executes an entrance animation (sliding up 24px), but the components nestled inside it simultaneously execute identical entrance animations. This causes compounding offsets and a jarring visual artifact. Your mission, should you choose to accept it, is to strip the entrance animation from the inner cards and let CardWrapper operate solo.

  • kits/trustguard-ai/apps/components/ResultCards.tsx#L22-L29: Keep CardWrapper's animation intact as the single source of truth.
  • kits/trustguard-ai/apps/components/ResultCards.tsx#L47-L52: Strip initial, animate, and transition props from InfoCard (or downgrade it to a standard div).
  • kits/trustguard-ai/apps/components/EvidenceCard.tsx#L35-L40: Strip animation props from EvidenceCard's root motion.div.
  • kits/trustguard-ai/apps/components/ThreatCard.tsx#L22-L27: Strip animation props from ThreatCard's root motion.div.
  • kits/trustguard-ai/apps/components/DecisionCard.tsx#L18-L23: Strip animation props from DecisionCard's root motion.div.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/apps/components/ResultCards.tsx` around lines 22 - 29,
Remove entrance animation props from the nested result cards so CardWrapper
remains the sole animation source. Keep CardWrapper’s animation unchanged; strip
initial, animate, and transition from InfoCard in
kits/trustguard-ai/apps/components/ResultCards.tsx lines 47-52, and from the
root motion.div elements in EvidenceCard.tsx lines 35-40, ThreatCard.tsx lines
22-27, and DecisionCard.tsx lines 18-23, converting them to standard divs if
appropriate.
kits/trustguard-ai/apps/components/Header.tsx (2)

35-35: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Agent, your stealth camouflage is malfunctioning. hidden sm is an invalid Tailwind combination and leaves this element exposed or improperly hidden.

Update it to the correct responsive utility hidden sm:flex to ensure it only appears when the target viewport size is acquired.

🛠️ Proposed fix
-        <div className="hidden sm absolute left-1/2 -translate-x-1/2 flex flex-col items-center">
+        <div className="hidden sm:flex absolute left-1/2 -translate-x-1/2 flex-col items-center">
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/apps/components/Header.tsx` at line 35, Update the
responsive class list on the header element to replace the invalid “hidden sm”
combination with “hidden sm:flex”, preserving the existing positioning and
flex-column utilities so the element remains hidden until the small breakpoint.

66-79: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Agent, our fallback operative is MIA. The Lamatic logo error handler hides the broken image, but the fallback text remains in deep cover (hidden).

Deploy a state toggle to reveal the text when the image goes down.

🛠️ Proposed fix

First, ensure you import useState at the top of your file:

import { useState } from "react";

Next, integrate the state toggle into the component:

-export default function Header() {
+export default function Header() {
+  const [logoError, setLogoError] = useState(false);
+
   return (
...
-            {/* Try to load user-supplied lamatic-logo.png, fall back to text */}
-            <Image
-              src="/lamatic-logo.png"
-              alt="Lamatic AI"
-              width={68}
-              height={20}
-              className="object-contain h-5 w-auto"
-              onError={(e) => {
-                // Hide broken image, show text fallback handled in JSX below
-                (e.target as HTMLImageElement).style.display = "none";
-              }}
-            />
-            <span className="lamatic-text-fallback text-xs font-semibold text-cyan-400 hidden">
-              Lamatic
-            </span>
+            {logoError ? (
+              <span className="lamatic-text-fallback text-xs font-semibold text-cyan-400">
+                Lamatic
+              </span>
+            ) : (
+              <Image
+                src="/lamatic-logo.png"
+                alt="Lamatic AI"
+                width={68}
+                height={20}
+                className="object-contain h-5 w-auto"
+                onError={() => setLogoError(true)}
+              />
+            )}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/apps/components/Header.tsx` around lines 66 - 79, Update
the Header component’s logo fallback flow to track image failure with useState,
import useState, and set the failure state in the Image onError handler. Use
that state to conditionally reveal the lamatic-text-fallback span when the logo
cannot load, while keeping it hidden during normal image rendering.
kits/trustguard-ai/apps/app/page.tsx (1)

84-84: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Agent, your visual disguise uses outdated intel. Tailwind CSS v4 replaced the bg-gradient-to-* utilities with bg-linear-to-*. The gradients will not render until this deprecated utility is updated.

  • kits/trustguard-ai/apps/app/page.tsx#L84-L84: Replace bg-gradient-to-r with bg-linear-to-r.
  • kits/trustguard-ai/apps/components/InputForm.tsx#L145-L145: Replace bg-gradient-to-r with bg-linear-to-r on the submit button.

Your mission is to upgrade these utilities to keep your cover intact.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/apps/app/page.tsx` at line 84, Replace the deprecated
bg-gradient-to-r utility with bg-linear-to-r in the span class in
kits/trustguard-ai/apps/app/page.tsx at lines 84-84 and on the submit button in
kits/trustguard-ai/apps/components/InputForm.tsx at lines 145-145; leave the
remaining gradient classes unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/trustguard-ai/apps/components/EvidenceCard.tsx`:
- Around line 31-32: Update EvidenceCard’s SECTION_CONFIG checks, including the
access around hasAny and the later access near line 55, to use optional chaining
when reading evidence[s.key].length. Preserve the existing behavior while
treating missing or null evidence arrays as empty rather than throwing.

In `@kits/trustguard-ai/apps/components/LoadingSpinner.tsx`:
- Around line 16-21: Update the Loader2 element in LoadingSpinner to include
role="status" and aria-live="polite", preserving its existing sizing, animation,
and aria-label attributes.

In `@kits/trustguard-ai/apps/components/ThreatCard.tsx`:
- Around line 18-19: Update the normalise function so both decimal conversion
and whole-number handling pass through clamp, ensuring negative or otherwise
out-of-range inputs produce bounded threat scores while preserving rounding.

---

Duplicate comments:
In `@kits/trustguard-ai/apps/app/page.tsx`:
- Line 84: Replace the deprecated bg-gradient-to-r utility with bg-linear-to-r
in the span class in kits/trustguard-ai/apps/app/page.tsx at lines 84-84 and on
the submit button in kits/trustguard-ai/apps/components/InputForm.tsx at lines
145-145; leave the remaining gradient classes unchanged.

In `@kits/trustguard-ai/apps/components/Header.tsx`:
- Line 35: Update the responsive class list on the header element to replace the
invalid “hidden sm” combination with “hidden sm:flex”, preserving the existing
positioning and flex-column utilities so the element remains hidden until the
small breakpoint.
- Around line 66-79: Update the Header component’s logo fallback flow to track
image failure with useState, import useState, and set the failure state in the
Image onError handler. Use that state to conditionally reveal the
lamatic-text-fallback span when the logo cannot load, while keeping it hidden
during normal image rendering.

In `@kits/trustguard-ai/apps/components/ResultCards.tsx`:
- Around line 22-29: Remove entrance animation props from the nested result
cards so CardWrapper remains the sole animation source. Keep CardWrapper’s
animation unchanged; strip initial, animate, and transition from InfoCard in
kits/trustguard-ai/apps/components/ResultCards.tsx lines 47-52, and from the
root motion.div elements in EvidenceCard.tsx lines 35-40, ThreatCard.tsx lines
22-27, and DecisionCard.tsx lines 18-23, converting them to standard divs if
appropriate.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6204b45c-061c-41bc-87d2-8f26bf11c37b

📥 Commits

Reviewing files that changed from the base of the PR and between e3ddea3 and 1fbd7aa.

⛔ Files ignored due to path filters (1)
  • kits/trustguard-ai/apps/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (16)
  • kits/trustguard-ai/README.md
  • kits/trustguard-ai/apps/.gitignore
  • kits/trustguard-ai/apps/README.md
  • kits/trustguard-ai/apps/actions/runInvestigation.ts
  • kits/trustguard-ai/apps/app/page.tsx
  • kits/trustguard-ai/apps/components/DecisionCard.tsx
  • kits/trustguard-ai/apps/components/EvidenceCard.tsx
  • kits/trustguard-ai/apps/components/Header.tsx
  • kits/trustguard-ai/apps/components/InputForm.tsx
  • kits/trustguard-ai/apps/components/LoadingSpinner.tsx
  • kits/trustguard-ai/apps/components/ResultCards.tsx
  • kits/trustguard-ai/apps/components/ThreatCard.tsx
  • kits/trustguard-ai/apps/lib/schemas.ts
  • kits/trustguard-ai/apps/lib/types.ts
  • kits/trustguard-ai/apps/package.json
  • kits/trustguard-ai/apps/types/response.ts

Comment thread kits/trustguard-ai/apps/components/EvidenceCard.tsx Outdated
Comment on lines +16 to +21
<Loader2
width={size}
height={size}
className={`animate-spin ${className}`}
aria-label="Loading"
/>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Agent, your spinner needs a stealth comms upgrade. Add role="status" and aria-live="polite" so screen readers receive the intel when it drops in.

Your mission, should you choose to accept it, is to patch this accessibility gap. This message will self-destruct.

🛠️ Proposed fix
     <Loader2
       width={size}
       height={size}
       className={`animate-spin ${className}`}
+      role="status"
       aria-label="Loading"
+      aria-live="polite"
     />
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/apps/components/LoadingSpinner.tsx` around lines 16 - 21,
Update the Loader2 element in LoadingSpinner to include role="status" and
aria-live="polite", preserving its existing sizing, animation, and aria-label
attributes.

Comment thread kits/trustguard-ai/apps/components/ThreatCard.tsx Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/trustguard-ai/apps/lib/schemas.ts`:
- Around line 42-47: Update ThreatIndicatorsSchema so the high, medium, and low
array schemas each apply .readonly() after their default([]) configuration,
matching the readonly string[] contract in ThreatIndicators while preserving the
existing defaults.

In `@kits/trustguard-ai/apps/types/response.ts`:
- Around line 27-31: Replace the handwritten interfaces in response.ts with
types inferred via z.infer from their corresponding schemas in schemas.ts,
preserving the existing exported type names and structure. Update each
referenced Zod schema to use .readonly() so the inferred types retain readonly
properties and remain synchronized with runtime validation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: a196bbce-36d4-414f-a3cb-b6050236c372

📥 Commits

Reviewing files that changed from the base of the PR and between cd6707c and e9b75f3.

📒 Files selected for processing (2)
  • kits/trustguard-ai/apps/lib/schemas.ts
  • kits/trustguard-ai/apps/types/response.ts

Comment thread kits/trustguard-ai/apps/lib/schemas.ts
Comment thread kits/trustguard-ai/apps/types/response.ts Outdated
@Tuhin402

Copy link
Copy Markdown
Author

@coderabbitai resume

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Reviews resumed.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
kits/trustguard-ai/apps/lib/utils.ts (1)

5-17: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Secure the fail-open logic on invalid risk scores.

Good morning, Agent. We've identified a vulnerability in our visual intel. If a compromised or missing risk score (NaN) infiltrates this function, the cascading fall-through will incorrectly assign a "safe" green status. We cannot afford to give the agency a false sense of security.

Your mission, should you choose to accept it, is to explicitly check for the safe threshold and fall back to a neutral color for unrecognized or corrupted data. This ensures the Threat Engine fails closed.

🕶️ Proposed operational fix
 export function getRiskColor(score: number): string {
   if (score >= 80) return "text-red-400";
   if (score >= 60) return "text-orange-400";
-  if (score >= 40) return "text-yellow-400";
-  return "text-green-400";
+  if (score < 40) return "text-green-400";
+  return "text-slate-400";
 }

This message will self-destruct upon merging.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/trustguard-ai/apps/lib/utils.ts` around lines 5 - 17, Update
getRiskColor to detect invalid scores such as NaN and return a neutral color
instead of falling through to the safe green classification. Preserve the
existing red, orange, and yellow thresholds, and only return green for valid
scores below 40.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/trustguard-ai/apps/actions/runInvestigation.ts`:
- Around line 12-22: Replace the broad RunInvestigationResult interface with a
strict discriminated union keyed by success: successful results must have
success true and required data with no error, while failed results must have
success false and required error with no data. Update only the result type
definition and preserve the existing ValidatedInvestigationResponse and
user-safe error types.

---

Outside diff comments:
In `@kits/trustguard-ai/apps/lib/utils.ts`:
- Around line 5-17: Update getRiskColor to detect invalid scores such as NaN and
return a neutral color instead of falling through to the safe green
classification. Preserve the existing red, orange, and yellow thresholds, and
only return green for valid scores below 40.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 65e900b8-4aca-4300-ae0c-aca56a64e905

📥 Commits

Reviewing files that changed from the base of the PR and between e9b75f3 and e40c0bf.

📒 Files selected for processing (7)
  • kits/trustguard-ai/apps/actions/runInvestigation.ts
  • kits/trustguard-ai/apps/components/EvidenceCard.tsx
  • kits/trustguard-ai/apps/components/LoadingSpinner.tsx
  • kits/trustguard-ai/apps/components/ThreatCard.tsx
  • kits/trustguard-ai/apps/lib/schemas.ts
  • kits/trustguard-ai/apps/lib/utils.ts
  • kits/trustguard-ai/apps/types/response.ts

Comment thread kits/trustguard-ai/apps/actions/runInvestigation.ts Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants