Agent cli#34
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces an Agent workspace management SDK and CLI for ModelScope Hub, supporting multiple frameworks (Hermes, Nanobot, OpenClaw, OpenHuman, Qoder, QwenPaw) with features like local-to-remote upload, download, format conversion, and background bidirectional sync. The review feedback highlights several critical issues: the Windows background daemon lacks an entry point to execute, the CLI fails to fall back to saved credentials in HubConfig when arguments are omitted, and unquote decodes too many characters in the OSS URL normalization. Additionally, signal registration should be guarded against non-main threads, PID file unlinking needs to verify the current process ID to prevent race conditions, framework auto-inference from backup filenames is broken for compound names, and task insertion in HeartbeatMerger places new tasks above the placeholder comment instead of below it.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
命令行用法
支持的框架:
nanobot, openclaw, hermes, qwenpaw, openhuman, qoder测试用例覆盖
test_watch_sync.pytest_upload_download.pytest_cli.pytest_merge.pytest_agent_frameworks.pytest_workspace.py薄弱点与建议
1.
download_repo_file未检查 HTTP 错误状态码unwrap=False跳过了_decode()的错误检查,HTTP 4xx/5xx 会静默返回错误 body 作为"文件内容"。建议:添加
resp.raise_for_status()或手动检查resp.status_code。2.
_refresh_baseline重试无指数退避建议:改为
time.sleep(2 ** attempt)实现指数退避,减轻服务端压力。3. Windows
_find_watch_pids_windows使用已弃用的wmicWindows 10+ 已标记
wmic为 deprecated,未来版本可能移除。建议:改用
tasklist /FO CSV /FI "IMAGENAME eq python*"或引入psutil。4.
detect_local_changes每次全量计算 SHA256watch 每 120s 触发一次,每次对所有文件计算 SHA256。工作区文件量大时有性能瓶颈。
建议:先比对 mtime/size 快速过滤,仅对疑似变更文件计算 SHA256。(注:当前
collect_bytes已将文件读入内存,实际瓶颈在磁盘 IO 而非 hash 计算本身)5.
cmd_recover中 zip 提取路径安全日志不足路径遍历防护逻辑正确,但仅用
print输出。在生产环境中这类安全事件应通过 logger 记录。建议:改用
logger.warning("Path traversal blocked: %s", info.filename)。6.
cmd_list缺少endpoint为空的前置检查当用户未登录且未设置环境变量时,
AgentApi(endpoint=None)会 fallback 到 HubConfig 默认值。如果默认值也为空,会产生不友好的错误信息。建议:在
cmd_list开头显式检查 endpoint,给出明确提示。7.
_openapi.py中request()的path与url互斥性未校验同时传入
path和url时,url优先,但缺少参数互斥的显式校验或文档警告。建议:添加
assert not (path and url)或在 docstring 中明确说明优先级。8. 测试覆盖缺失场景
../路径(代码已防护,建议补测试)