Update with template

[t0mdavid-m]

Summary by CodeRabbit

Release Notes

• New Features

  • Added comprehensive Kubernetes deployment support with automated CI/CD pipelines, Docker image building, and integration testing.
  • Added admin configuration and demo workspace management capabilities.
  • Added GHCR image cleanup workflow for registry maintenance.

• Improvements

  • Enhanced workspace directory handling with environment variable configuration.
  • Improved workflow execution by ensuring parameters are saved before processing.

• Documentation

  • Added extensive guides for deployment, page creation, workflow setup, and application configuration.

[coderabbitai]

Warning

Rate limit exceeded

@t0mdavid-m has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 26 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 18 minutes and 26 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b2844c4d-4554-43f8-b393-3dfda241ebc0

📥 Commits

Reviewing files that changed from the base of the PR and between 286fd0b and a732de0.

📒 Files selected for processing (2)

• .github/workflows/build-and-test.yml
• src/common/admin.py

📝 Walkthrough

Walkthrough

This PR introduces comprehensive Kubernetes deployment infrastructure for the OpenMS Streamlit web app, including base manifests, memory-tier components, production overlays, GitHub CI/CD workflows, and eight new Claude skill guides documenting app extension and deployment processes. Code updates enable workspace directory configuration via environment variables and admin-gated UI features.

Changes

Cohort / File(s)	Summary
Claude AI Skill Guides .claude/skills/add-presets.md, add-python-tool.md, add-visualization.md, configure-app-settings.md, configure-docker-compose-deployment.md, configure-k8s-deployment.md, create-page.md, create-workflow.md	Eight new markdown guides providing step-by-step instructions for AI-assisted workflow/page creation, Python tool integration, visualization setup, and deployment configuration (app settings, Docker Compose, Kubernetes).
GitHub CI/CD Workflows & Cluster Config .github/kind-config.yaml, .github/workflows/build-and-test.yml, .github/workflows/ghcr-cleanup.yml, .github/workflows/build-windows-executable-app.yaml (modified), .github/workflows/build-docker-images.yml (removed)	New kind cluster config with memory-tier labels and taint removal; replaces legacy build-docker-images.yml with comprehensive build-and-test.yml (kubeconform lint, parallel image builds, kind integration tests via nginx/Traefik); adds scheduled GHCR retention workflow with dry-run support; minor env var addition to Windows build.
Kubernetes Base Manifests k8s/base/namespace.yaml, configmap.yaml, redis.yaml, workspace-pvc.yaml, streamlit-deployment.yaml, streamlit-service.yaml, streamlit-secrets.yaml, rq-worker-deployment.yaml, cleanup-cronjob.yaml, ingress.yaml, traefik-ingressroute.yaml, limitrange.yaml, kustomization.yaml	Foundational k8s resources: namespace, ConfigMap with settings overrides, Redis deployment/service, 500Gi workspace PVC, dual-replica Streamlit deployment with health probes and initContainer for demo seeding, RQ worker with pod affinity, daily workspace cleanup CronJob, nginx Ingress and Traefik IngressRoute (sticky cookies), resource limits, and kustomize base aggregation.
Kubernetes Memory Tier Components & Overlays k8s/components/memory-tier-high/*, k8s/components/memory-tier-low/*, k8s/overlays/prod/kustomization.yaml	Memory-tier kustomize components with node-selector patches and resource request/limit pairs (high: 4Gi/4CPU streamlit, 16Gi/4CPU worker; low: 2Gi/4CPU streamlit, 16Gi/4CPU worker); production overlay applying template-app- prefix, image substitution to ghcr.io/openms/streamlit-template:main-full, and patching IngressRoute/Deployment env vars for multi-instance routing.
Application Configuration & Code Dockerfile (modified), clean-up-workspaces.py (modified), src/common/admin.py (modified), src/common/common.py (modified), src/workflow/WorkflowManager.py (modified), .streamlit/config.toml, .streamlit/secrets.toml.example	Dockerfile: GITHUB_TOKEN handling refactored to re-declare ARG before download step; workspace cleanup script respects WORKSPACES_DIR env var and skips hidden directories; admin.py treats StreamlitSecretNotFoundError as unconfigured and uses dynamic demo directory from settings; common.py honors WORKSPACES_DIR override and gates "Save as Demo" UI behind admin check; WorkflowManager saves parameters before execution; Streamlit config/secrets updated for K8s secret mounting.
Deployment & Utility Updates .gitignore (modified), docs/kubernetes-deployment.md	.gitignore appends docs/superpowers/; comprehensive 290-line Kubernetes deployment guide covering architecture, ingress routing (Traefik sticky cookies, nginx for CI), operational steps, manifest breakdown, and CI/CD workflow descriptions (linting, image builds, kind integration tests, GHCR retention).

Sequence Diagram

sequenceDiagram
    participant Client as Client/Browser
    participant Ingress as Ingress/Traefik
    participant Streamlit as Streamlit<br/>(2 replicas)
    participant Redis as Redis
    participant RQWorker as RQ Worker
    
    Client->>Ingress: HTTP Request<br/>(sticky cookie)
    Ingress->>Streamlit: Route to same replica<br/>(stroute affinity)
    Streamlit->>Streamlit: Render page,<br/>handle user input
    
    rect rgba(100, 150, 200, 0.5)
    Note over Streamlit: Workflow Submission
    Streamlit->>Streamlit: Save parameters
    Streamlit->>Redis: Queue job<br/>(RQ)
    Streamlit-->>Client: Return job ID
    end
    
    rect rgba(150, 100, 200, 0.5)
    Note over RQWorker: Background Processing
    RQWorker->>Redis: Poll for jobs
    Redis-->>RQWorker: Dequeue job
    RQWorker->>RQWorker: Execute workflow<br/>(conda env)
    RQWorker->>RQWorker: Write results
    end
    
    Client->>Ingress: Poll results
    Ingress->>Streamlit: Route request
    Streamlit->>Streamlit: Read job status<br/>from Redis/disk
    Streamlit-->>Client: Display results

Loading

Possibly related PRs

• OpenMS/quantms-web#16: Modifies src/common/common.py workspace selection and sidebar UI logic similarly, with overlapping changes to page setup and parameter handling.

Poem

🐰 A Kubernetes warren now stands tall and true,
With Redis-backed burrows for workers to do,
Streamlit replicas bound by sticky-sweet cookies,
Workspace cleanup CronJobs (the finest of rookies),
Multi-tier memorials for high and low—
Our cluster blooms brilliantly, watch it grow! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Update with template' is vague and generic, using non-descriptive language that fails to convey the specific scope or nature of the substantial changes being introduced.	Provide a more specific title that describes the main change, such as 'Add Kubernetes deployment infrastructure and Claude skills documentation' or 'Implement K8s manifests, CI/CD workflows, and setup guides'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch update_with_template

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 15

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.claude/skills/add-visualization.md (1)

127-135: 🛠️ Refactor suggestion | 🟠 Major

Expand the checklist to include OpenMS-Insight cache and StateManager patterns.

The checklist is missing verification items for the cache-based OpenMS-Insight pattern used in the codebase.

✅ Suggested checklist additions

 ## Checklist
 
 - [ ] Correct library chosen for the use case
 - [ ] Dependencies present in `requirements.txt`
 - [ ] `show_fig()` used for pyopenms-viz plots (consistent download/export behavior)
 - [ ] `backend="plotly"` specified for all pyopenms-viz plots
-- [ ] Unique `key=` values for all OpenMS-Insight components
+- [ ] OpenMS-Insight components initialized with `cache_id` and `cache_path`
+- [ ] `StateManager()` initialized once and shared across linked components
+- [ ] Components rendered by calling them with `state_manager` parameter
+- [ ] Unique `key=` values passed during component rendering (not initialization)
 - [ ] Cross-component linking set up if multiple views of same data

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/skills/add-visualization.md around lines 127 - 135, Add checklist
items verifying the OpenMS-Insight cache and StateManager patterns: confirm that
the OpenMS-Insight cache is used where intended, that a StateManager instance
(e.g., StateManager or equivalent class) is created and wired to components,
that component `key=` values match cache keys, that cache invalidation/refresh
logic is present and tested (including persistence/serialization and eviction
behavior), and that cache-backed views are covered by tests to ensure consistent
state across linked components.

src/common/admin.py (1)

12-27: ⚠️ Potential issue | 🔴 Critical

Critical: import breaks page load — StreamlitSecretNotFoundError is not exported from streamlit.errors.

The import at line 12 fails because StreamlitSecretNotFoundError does not exist in streamlit.errors. While the exception was added to Streamlit in version 1.38.0+, it lives in the internal module streamlit.runtime.secrets, not the public streamlit.errors API. Since the broad except Exception block at lines 26–27 already handles all secrets-access failures (including missing secrets and malformed configurations), the safest fix is to drop the unstable import and let the generic handler cover all cases.

🛡️ Proposed fix — drop the unstable import

 import streamlit as st
-from streamlit.errors import StreamlitSecretNotFoundError
 
 
 def is_admin_configured() -> bool:
@@ -18,8 +17,8 @@ def is_admin_configured() -> bool:
     """
     try:
         return bool(st.secrets.get("admin", {}).get("password"))
-    except (FileNotFoundError, KeyError, StreamlitSecretNotFoundError):
-        return False
     except Exception:
+        # Covers FileNotFoundError, KeyError, and StreamlitSecretNotFoundError
+        # across Streamlit versions where the symbol's import path varies.
         return False

If you need granular exception handling, guard the import:

try:
    from streamlit.runtime.secrets import StreamlitSecretNotFoundError
except ImportError:
    StreamlitSecretNotFoundError = Exception  # type: ignore[assignment,misc]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/common/admin.py` around lines 12 - 27, Remove the unstable import from
streamlit.errors and let the generic exception handler cover secrets failures:
delete the line importing StreamlitSecretNotFoundError and update the
is_admin_configured function to not rely on that symbol (keep the try/except
that returns False on FileNotFoundError, KeyError, and the broad Exception). If
you prefer granular handling, wrap an import-from streamlit.runtime.secrets in a
try/except ImportError and fall back to a generic Exception alias for
StreamlitSecretNotFoundError; locate these changes around the module import and
the is_admin_configured function.

🧹 Nitpick comments (12)

.claude/skills/add-visualization.md (1)

14-23: Consider adding streamlit_plotly_events to the library comparison.

Based on learnings, streamlit_plotly_events is used for interactive visualizations in this codebase. The table should include guidance on when to use it (e.g., for custom click/selection handlers on Plotly charts) versus OpenMS-Insight components.

📊 Suggested addition to the table

 | Use Case | Library | Why |
 |----------|---------|-----|
 | Quick spectrum/chromatogram/peak map plots | **pyopenms-viz** | Simple one-liner API, publication quality |
+| Custom click/selection handlers on Plotly charts | **streamlit_plotly_events** | Event handling for user interactions |
 | Large datasets (millions of points) | **OpenMS-Insight** | Server-side pagination, intelligent downsampling |

Based on learnings: "Use Plotly and streamlit_plotly_events for interactive visualizations"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/skills/add-visualization.md around lines 14 - 23, Add a new row to
the library comparison table recommending streamlit_plotly_events for custom
Plotly interaction handlers (click/selection events) and how it differs from
OpenMS-Insight: use streamlit_plotly_events with plotly.express and show_fig()
when you need lightweight client-side click/selection callbacks on Plotly
charts, whereas OpenMS-Insight (Table, link_id, server-side
filtering/downsampling) should be used for cross-linked views, large datasets,
and server-driven interactions; mention it complements pyopenms-viz for
one-liners and OpenMS-Insight for heavy-duty UIs.

k8s/base/streamlit-secrets.yaml (1)

12-14: Consider an alternative to git update-index --skip-worktree for managing the live admin password.

skip-worktree is fragile: the bit is local-only, can be lost on git stash, branch switches, or fresh clones, and silently risks the real password being committed if it gets cleared. For a production secret, a more robust pattern would be to keep this committed file with the empty placeholder and manage the real value out-of-band via kubectl patch/SealedSecrets/External Secrets/SOPS, then drop the skip-worktree suggestion to avoid encouraging an error-prone workflow.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@k8s/base/streamlit-secrets.yaml` around lines 12 - 14, The current comment
recommends using git update-index --skip-worktree in
k8s/base/streamlit-secrets.yaml which is fragile; instead keep the committed
file with the empty placeholder admin password and remove the skip-worktree
recommendation, and update the surrounding docs/comments to instruct operators
to manage the live admin password out-of-band using kubectl patch,
SealedSecrets/External Secrets/SOPS (or other secret manager) so production
secrets are never stored locally or relied on skip-worktree; reference the
streamlit-secrets.yaml placeholder and the docs/kubernetes-deployment.md
"Configuring the admin password" section to make this change.

k8s/base/limitrange.yaml (1)

6-16: LGTM, with one operational note.

The defaults/max are consistent with the per-tier patches (low streamlit 2Gi/4 CPU, high worker 180Gi/20 CPU all fit under 200Gi/20 CPU). Note that any container in the namespace without explicit resources will now silently get 2Gi/2 CPU as its limit, which can cap heavy workloads (e.g., Redis or future sidecars) without an obvious failure mode — worth keeping in mind when adding new workloads.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@k8s/base/limitrange.yaml` around lines 6 - 16, The LimitRange currently sets
a default limit (limits[].type: Container -> default) which will silently apply
2Gi/2 CPU to any pod without explicit resources; to avoid capping unintended
workloads remove the default block (keep defaultRequest and max) or lower the
default values, and add a clear comment/annotation documenting that pods must
declare resources; update the LimitRange resource (limits[].default,
limits[].defaultRequest, limits[].max) accordingly so new workloads won’t be
silently limited.

Dockerfile (1)

220-228: Consider using BuildKit secret mount for GITHUB_TOKEN instead of ARG.

BuildKit's --mount=type=secret is the recommended approach for handling secrets in Docker builds. While the current code doesn't expose the token value in echo statements or image layers (it only passes the token as an environment variable to gh), Trivy flags this pattern (DS-0031) because build-args can inadvertently leak through logs or build history. BuildKit secrets provide stronger guarantees that the secret never appears in image metadata or build history.

♻️ Proposed refactor

 # Download latest OpenMS App executable as a ZIP file.
-# ARG declared here (not at the top) — otherwise the per-run token busts the cache.
-ARG GITHUB_TOKEN
-RUN if [ -n "$GITHUB_TOKEN" ]; then \
-        echo "GITHUB_TOKEN is set, proceeding to download the release asset..."; \
-        gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p "OpenMS-App.zip" -D /app; \
-    else \
-        echo "GITHUB_TOKEN is not set, skipping the release asset download."; \
-    fi
+# Use a BuildKit secret to keep the token out of image layers/history.
+# Build with: DOCKER_BUILDKIT=1 docker build --secret id=github_token,env=GITHUB_TOKEN ...
+RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \
+    if [ -n "${GITHUB_TOKEN:-}" ]; then \
+        echo "GITHUB_TOKEN is set, proceeding to download the release asset..."; \
+        gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p "OpenMS-App.zip" -D /app; \
+    else \
+        echo "GITHUB_TOKEN is not set, skipping the release asset download."; \
+    fi

Update .github/workflows/build-and-test.yml to pass the secret via the secrets parameter instead of build-args:

 build-args: |
-  GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
+secrets: |
+  github_token=${{ secrets.GITHUB_TOKEN }}

Also update local build instructions to use: DOCKER_BUILDKIT=1 docker build --secret id=github_token,env=GITHUB_TOKEN ...

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 220 - 228, Replace the ARG GITHUB_TOKEN pattern with
a BuildKit secret mount: remove ARG GITHUB_TOKEN and change the RUN that calls
gh (the block containing gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p
"OpenMS-App.zip" -D /app) to use a --mount=type=secret,id=github_token and set
the token inside the container from the secret (e.g., export GITHUB_TOKEN="$(cat
/run/secrets/github_token)" && gh release download ...), so the secret never
becomes a build-arg; also update your CI (build-and-test.yml) to pass the token
as a build secret (not as build-args) and document local build usage as
DOCKER_BUILDKIT=1 docker build --secret id=github_token,env=GITHUB_TOKEN ... so
the secret is provided via BuildKit.

clean-up-workspaces.py (1)

26-28: Hidden-dir skip is correct, but consider .startswith on Path.name is fine — minor robustness nit.

If a user ever creates a directory containing a literal newline or unusual chars, behavior is unchanged. No action needed; flagging only because the seeded .demos/ semantics now depend entirely on this convention — worth documenting next to the demo seeding code so a future contributor doesn't rename .demos/ to demos/ and silently break it.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clean-up-workspaces.py` around lines 26 - 28, The hidden-dir skip using
directory.name.startswith(".") is fine but rely on the convention that seeded
demo workspaces live in a top-level ".demos" directory; add a brief comment next
to the demo seeding logic and/or the directory filter (reference the check using
directory.name.startswith(".")) clarifying that seeded demos must be placed in a
literal ".demos" top-level dir and that renaming to "demos" will break the skip
behavior, so future contributors know why the dot-prefix convention is required.

src/common/admin.py (1)

64-75: Consider sharing demo-dir resolution with get_demo_source_dirs to avoid drift.

src/common/common.py:get_demo_source_dirs() already implements list/string/legacy fallback resolution for demo_workspaces. get_demo_target_dir() reimplements the same precedence inline; if the schema evolves (e.g., per-tier sources, env override), the two functions can drift silently — demo_exists() and save_workspace_as_demo() would then write to a different root than what's listed for browsing. Reusing get_demo_source_dirs()[0] (or extracting a shared helper) keeps a single source of truth.

Sketch

-def get_demo_target_dir() -> Path:
-    default = Path("example-data/workspaces")
-    try:
-        demo_config = st.session_state.settings.get("demo_workspaces", {})
-    except (AttributeError, KeyError):
-        return default
-
-    dirs = demo_config.get("source_dirs", demo_config.get("source_dir"))
-    if isinstance(dirs, str):
-        return Path(dirs)
-    if isinstance(dirs, list) and dirs:
-        return Path(dirs[0])
-    return default
+def get_demo_target_dir() -> Path:
+    from src.common.common import get_demo_source_dirs  # deferred to avoid cycles
+    dirs = get_demo_source_dirs()
+    return dirs[0] if dirs else Path("example-data/workspaces")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/common/admin.py` around lines 64 - 75, get_demo_target_dir currently
duplicates the demo_workspaces resolution logic already implemented in
get_demo_source_dirs, which risks divergent behavior; update get_demo_target_dir
to reuse get_demo_source_dirs() (e.g., return Path(get_demo_source_dirs()[0])
with a safe default if the list is empty) or move the resolution into a shared
helper used by both get_demo_source_dirs and get_demo_target_dir so demo_exists
and save_workspace_as_demo operate against the same computed demo root.

k8s/components/memory-tier-high/streamlit-resources.yaml (1)

10-16: Wide request-to-limit ratio may cause overcommit pressure.

Memory limit (4Gi) is 8× the request (512Mi) and CPU limit (4) is 8× the request (500m). On contended nodes, scheduling decisions are made on requests, so co-located pods can collectively burst far above what the node can sustain, leading to evictions or throttling. If that headroom is intentional for peaky workloads, it's fine; otherwise consider tightening requests closer to typical steady-state usage.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@k8s/components/memory-tier-high/streamlit-resources.yaml` around lines 10 -
16, The resource requests vs limits in the streamlit-resources.yaml pod spec are
too wide (memory request "512Mi" vs limit "4Gi" and cpu request "500m" vs limit
"4"), which risks node overcommit and evictions; adjust the values in the
resources.requests and resources.limits block to bring requests closer to
typical steady-state usage (or reduce limits) — update the memory and cpu
entries under the resources: requests: and limits: sections so requests reflect
observed steady consumption and limits only allow reasonable burst headroom for
the Streamlit workload.

k8s/overlays/prod/kustomization.yaml (1)

12-13: Migrate from deprecated commonLabels to labels.

commonLabels is deprecated in Kustomize. Use labels: instead with includeSelectors: true and includeTemplates: true to match the existing behavior. You can run kustomize edit fix to automate the migration, or manually convert to:

labels:
  - pairs:
      app: template-app
    includeSelectors: true
    includeTemplates: true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@k8s/overlays/prod/kustomization.yaml` around lines 12 - 13, Replace the
deprecated commonLabels block with the new labels structure: remove
commonLabels: app: template-app and add a labels entry that uses pairs to set
the app label and sets includeSelectors: true and includeTemplates: true to
preserve behavior; specifically update the Kustomize manifest where commonLabels
is defined and ensure the new labels stanza contains pairs with app:
template-app plus includeSelectors and includeTemplates flags (or run kustomize
edit fix to perform this migration automatically).

.github/workflows/build-and-test.yml (2)

142-145: Pin ingress-nginx to a release tag.

raw.githubusercontent.com/.../ingress-nginx/main/... follows whatever is on main upstream. An incompatible breaking change there will silently break this CI overnight with no repo change. Pin to a specific tag (e.g. controller-v1.11.2) and bump deliberately.

♻️ Suggested fix

-          kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+          kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/kind/deploy.yaml

Pick the latest stable tag at the time of merge.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-and-test.yml around lines 142 - 145, Replace the
unstable raw URL used in the "Install nginx ingress controller" step where
kubectl apply fetches from ingress-nginx main; pin the manifest to a specific
release tag (e.g., controller-v1.11.2) instead of "main" in the kubectl apply
command, and document/update the tag when you intentionally bump it (pick the
latest stable tag at merge time).

---

97-102: Avoid interpolating ${{ }} directly into shell — use an env var.

Direct interpolation of GitHub Actions expressions into run: blocks is a script-injection vector (GitHub Security Lab guidance). steps.meta.outputs.tags is derived from refs and shas so the practical risk here is low, but the safer idiom is to bind via env: and let the shell expand the variable.

♻️ Proposed refactor

       - name: Retag for kind (stable local tag)
+        env:
+          META_TAGS: ${{ steps.meta.outputs.tags }}
         run: |
           # load:true above loaded all meta-action tags into local docker.
           # Retag the first one to the stable name the kustomize overlay expects.
-          FIRST_TAG=$(printf '%s\n' "${{ steps.meta.outputs.tags }}" | head -n 1)
+          FIRST_TAG=$(printf '%s\n' "$META_TAGS" | head -n 1)
           docker tag "$FIRST_TAG" openms-streamlit:test

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-and-test.yml around lines 97 - 102, The workflow
currently interpolates the GitHub Actions expression directly into the run
block; instead bind the expression to an env var (e.g., META_TAGS: ${{
steps.meta.outputs.tags }}) and in the Retag for kind step use shell expansion
to derive FIRST_TAG (e.g., FIRST_TAG=$(printf '%s\n' "$META_TAGS" | head -n 1))
before calling docker tag "$FIRST_TAG" openms-streamlit:test; update the step to
set env and replace any direct `${{ steps.meta.outputs.tags }}` usage in the run
script accordingly.

k8s/base/streamlit-deployment.yaml (1)

75-80: Sanity-check liveness probe timing.

livenessProbe.initialDelaySeconds: 30 assumes the conda activation + jq merge + streamlit boot finishes within 30s on a cold start. If image pulls or PVC attach are slow on the production cluster, the kubelet will start liveness probes before streamlit binds 8501 and restart the pod. Consider adding failureThreshold (default 3 × periodSeconds 30 = 90s slack), or use startupProbe to gate the liveness probe.

♻️ Optional hardening with startupProbe

+          startupProbe:
+            httpGet:
+              path: /_stcore/health
+              port: 8501
+            failureThreshold: 30
+            periodSeconds: 5
           livenessProbe:
             httpGet:
               path: /_stcore/health
               port: 8501
             initialDelaySeconds: 30
             periodSeconds: 30

startupProbe gives up to 150s for first boot, after which liveness takes over.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@k8s/base/streamlit-deployment.yaml` around lines 75 - 80, The livenessProbe's
initialDelaySeconds (30s) is likely too short for cold starts; update the probe
in the Deployment by either increasing initialDelaySeconds and/or adding
failureThreshold to give more slack (e.g., keep periodSeconds: 30 and set
failureThreshold to 3 or higher), or add a startupProbe that targets the same
path (/ _stcore/health) and port (8501) with a longer total timeout (e.g.,
periodSeconds: 10 and failureThreshold: 15 for ~150s) so the startupProbe gates
the livenessProbe until the app binds; ensure livenessProbe remains pointing at
httpGet path /_stcore/health and port 8501 so normal health checks continue
after startup.

.claude/skills/configure-k8s-deployment.md (1)

117-130: JSON patch is positional — pin the env order in the base manifests.

/spec/template/spec/containers/0/env/0/value silently targets whatever is at index 0 in the base manifest's env array. Today that's REDIS_URL in both streamlit-deployment.yaml and rq-worker-deployment.yaml, so this works. If a future contributor reorders env entries (e.g., adds a new var first, or alphabetizes), this patch will overwrite the wrong variable without any error.

Two low-cost mitigations worth considering:

1. Add an inline comment in both base deployments warning that env[0] must remain REDIS_URL because the prod overlay patches that index.
2. Or switch the overlay patches to strategic merge (which matches by name: REDIS_URL) instead of JSON Patch.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/skills/configure-k8s-deployment.md around lines 117 - 130, The
overlay's JSON patches use positional paths
(/spec/template/spec/containers/0/env/0/value) which will silently modify
whichever env entry is at index 0; update the overlay to avoid positional JSON
patches by either (A) adding a clear inline comment in the base Deployment
manifests (streamlit and rq-worker) next to the env array that REDIS_URL must
remain at index 0, or (B) convert the overlay patches to strategic-merge style
patches that match the env entry by name (targeting the streamlit and rq-worker
Deployment resources and setting spec.template.spec.containers[].env[] where
name: REDIS_URL to value: "redis://<slug>-redis:6379/0") so the patch matches by
name instead of index.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/skills/add-visualization.md:
- Around line 84-91: The docs show using a deprecated link_id parameter for
cross-component syncing; update the example to create a single StateManager
instance and pass it into each component instead: import and instantiate
StateManager, initialize Table, LinePlot, Heatmap with their cache_id/cache_path
constructors (Table, LinePlot, Heatmap) and then render each by calling the
component with the same state_manager argument (e.g.,
table(state_manager=state_manager, ...), line_plot(state_manager=state_manager,
...), heatmap(state_manager=state_manager, ...)) so selections synchronize via
the StateManager rather than a link_id column.
- Around line 98-114: The results() fragment should use the cache-based
OpenMS-Insight pattern instead of passing DataFrame directly: create cache_dir =
Path(self.workflow_dir, "results", "insight_cache"), set a cache_id (e.g.
"results_table"), check for (cache_dir / f"table_{cache_id}").is_dir() and if
present instantiate StateManager() and Table(cache_id=f"table_{cache_id}",
cache_path=str(cache_dir)) and call table(state_manager=state_manager,
height=533); keep the pyopenms_viz spectrum plotting (df.plot.ms_spectrum +
show_fig) but move the Table usage to the cached flow and show st.warning when
the cache is missing.
- Around line 61-78: Update the example to use the cache-based component pattern
used in the codebase: import and instantiate StateManager, create components
with cache_id and cache_path (e.g., Table(cache_id=..., cache_path=...),
Heatmap(...), LinePlot(...), SequenceView(...)) rather than passing data, then
render them by calling the component instances with state_manager and runtime
args (e.g., key, height) — for example create state_manager = StateManager(),
instantiate table/heatmap/line_plot variables with cache_id/cache_path, and call
table(state_manager=state_manager, height=...), line_plot(key=...,
state_manager=state_manager, height=...), etc.

In @.claude/skills/configure-app-settings.md:
- Around line 30-37: The documentation incorrectly states that the full
Dockerfile installs Python dependencies from environment.yml; update the doc
block describing **Dockerfile** to say it uses requirements.txt (not
environment.yml) so it matches the actual Dockerfile implementation (see
dependency install in Dockerfile lines that currently reference
requirements.txt), while leaving the **Dockerfile_simple** note that it also
uses requirements.txt; keep references to executor.run_topp(), TOPP tools,
app.py and pyOpenMS unchanged.

In @.claude/skills/configure-docker-compose-deployment.md:
- Around line 28-32: The docs instruct editing clean-up-workspaces.py to
hardcode workspaces_directory, but the script already reads WORKSPACES_DIR from
the environment; update the step to tell users to set the WORKSPACES_DIR env var
for the service instead of editing clean-up-workspaces.py—mention the script
name clean-up-workspaces.py and the env var WORKSPACES_DIR so maintainers know
where the source-of-truth is and to configure the compose service environment
accordingly.

In @.github/workflows/build-and-test.yml:
- Around line 171-175: Remove the "|| true" that masks failures from the kubectl
wait call; instead, run kubectl wait -n openms --for=condition=available
deployment -l app=template-app --timeout=180s and if it fails, explicitly dump
diagnostics (run kubectl get pods -n openms -l app=template-app and kubectl get
services -n openms -l app=template-app) and then exit with a non‑zero status so
the workflow fails; apply the same change to the analogous test-traefik block
(the kubectl wait/get commands in that section).
- Around line 94-95: The workflow currently passes GITHUB_TOKEN as a build-arg
(build-args: GITHUB_TOKEN) which leaks into image metadata; change to using
BuildKit secrets: remove GITHUB_TOKEN from build-args and instead pass it via
the actions/setup-buildx or build-push action secrets mounting feature as a
secret named e.g. github_token, then update the Dockerfile to stop using ARG
GITHUB_TOKEN and instead use a RUN that reads the secret via a secret mount (RUN
--mount=type=secret,id=github_token ...) and set GITHUB_TOKEN from
/run/secrets/github_token before calling gh release download (the gh release
download invocation and the Dockerfile RUN that downloads OpenMS-App.zip are the
locations to change).

In @.github/workflows/build-windows-executable-app.yaml:
- Around line 16-19: The workflow defines OPENMS_CONTRIB_VERSION but never uses
it; add a step (e.g., "Resolve contrib ref") that computes
CONTRIB_REF="${OPENMS_CONTRIB_VERSION:-$OPENMS_VERSION}" and exports it to
GITHUB_ENV, then replace usages of env.OPENMS_VERSION for the contrib cache key
and the gh release download with env.CONTRIB_REF (i.e., update the cache key
expression and the `gh release download release/...` target to reference
CONTRIB_REF) so both caching and download consistently use the resolved contrib
ref.

In @.github/workflows/ghcr-cleanup.yml:
- Around line 19-28: The container-retention step using
snok/container-retention-policy@v3.0.1 is passing the GITHUB_TOKEN, which does
not support the complex negation globs in the image-tags input; replace token:
${{ secrets.GITHUB_TOKEN }} with a personal access token or GitHub App token
secret (e.g., token: ${{ secrets.CLEANUP_TOKEN }}) and ensure that secret is
provisioned with appropriate repo permissions so the negated patterns ("!v*-full
!v*-simple !main-full !main-simple !latest") are honored and protected images
are not deleted.

In @.gitignore:
- Line 15: The .gitignore currently blanket-ignores the entire docs/superpowers/
tree (entry 'docs/superpowers/'), which prevents source-controlled documentation
from being committed; replace that broad entry with a narrower pattern that only
excludes generated artifacts (e.g., build/output folders or specific generated
file extensions inside docs/superpowers) so source files remain tracked—update
the 'docs/superpowers/' line to target only generated paths (for example a
docs/superpowers/build/ or docs/superpowers/**/*.html-generated pattern) and
keep real source docs under version control.

In `@docs/kubernetes-deployment.md`:
- Around line 119-121: Update the two kubectl commands that target the streamlit
deployment to include the namespace flag so they work for non-default contexts:
change the commands that start with "kubectl exec deploy/streamlit" and "kubectl
rollout restart deploy/streamlit" to add "-n openms", and also note that the
actual deployment name may be prefixed (use "<your-app-name>-streamlit" or the
repo's <namePrefix>streamlit as shown elsewhere in the docs).
- Around line 274-281: The docs are out of sync: update the CI description so
that Job "build" is described as only building and uploading the image artifact
(no kind integration), and replace the existing "Job 2 — build" / "Job 3 —
traefik-integration" wording with accurate behavior: there are two test jobs
("test-nginx" and "test-traefik") that both need "build" and both run a matrix
over [full, simple] (so Traefik is exercised for both variants), and ensure
notes about when images are pushed, cache behavior, and PR vs push/tag semantics
remain consistent with that flow; refer to the job names "build", "test-nginx",
and "test-traefik" and the matrix `[full, simple]` when editing the doc.

In `@k8s/base/traefik-ingressroute.yaml`:
- Around line 6-9: The base IngressRoute currently exposes entryPoints: web and
routes.match using PathPrefix(`/`) (i.e., an overly permissive IngressRoute) so
ensure every deployment applies the prod overlay patch that tightens
routes.match to include the host restrictions and updates the service name;
update CI/CD kustomize/helm pipeline to always build/deploy using the prod
overlay (or add a conservative default host match in the base) and add a
pipeline check that verifies the IngressRoute produced for deployment has the
patched match expression (not just PathPrefix(`/`)) before allowing deployment.

In `@k8s/base/workspace-pvc.yaml`:
- Around line 6-11: The PVC currently uses accessModes: ReadWriteOnce with
storageClassName: cinder-csi which will cause Multi-Attach errors when mounted
by streamlit-deployment, rq-worker-deployment, and cleanup-cronjob across
multiple nodes; update the PVC to use a ReadWriteMany-capable backend (replace
storageClassName cinder-csi with your Manila/NFS CSI class and set accessModes
to ReadWriteMany) so multiple pods on different nodes can mount the volume, or
alternatively implement nodeAffinity/podAffinity on streamlit-deployment and
rq-worker-deployment to co-locate them on one node (or merge streamlit and
rq-worker into the same pod) if changing storage backend isn’t possible.

In `@k8s/components/memory-tier-high/worker-resources.yaml`:
- Around line 11-16: The resource spec in worker-resources.yaml has an unsafe
request-to-limit gap (memory request "2Gi" vs limit "180Gi" and cpu "2" vs "20")
which can cause node-level OOMs; update the Resources block (requests.memory,
limits.memory, requests.cpu, limits.cpu) to set requests closer to the realistic
working set (e.g., increase requests.memory to a value that reflects typical
usage, and scale requests.cpu accordingly) or reduce limits to a reasonable
burst factor (e.g., ≤2–4×), and/or add pod antiAffinity or a nodeSelector/taints
for high-memory nodes in the same manifest (use the same Deployment/PodSpec that
references these resources) so that pods requiring very large limits are
scheduled only on capacity-matched nodes.

---

Outside diff comments:
In @.claude/skills/add-visualization.md:
- Around line 127-135: Add checklist items verifying the OpenMS-Insight cache
and StateManager patterns: confirm that the OpenMS-Insight cache is used where
intended, that a StateManager instance (e.g., StateManager or equivalent class)
is created and wired to components, that component `key=` values match cache
keys, that cache invalidation/refresh logic is present and tested (including
persistence/serialization and eviction behavior), and that cache-backed views
are covered by tests to ensure consistent state across linked components.

In `@src/common/admin.py`:
- Around line 12-27: Remove the unstable import from streamlit.errors and let
the generic exception handler cover secrets failures: delete the line importing
StreamlitSecretNotFoundError and update the is_admin_configured function to not
rely on that symbol (keep the try/except that returns False on
FileNotFoundError, KeyError, and the broad Exception). If you prefer granular
handling, wrap an import-from streamlit.runtime.secrets in a try/except
ImportError and fall back to a generic Exception alias for
StreamlitSecretNotFoundError; locate these changes around the module import and
the is_admin_configured function.

---

Nitpick comments:
In @.claude/skills/add-visualization.md:
- Around line 14-23: Add a new row to the library comparison table recommending
streamlit_plotly_events for custom Plotly interaction handlers (click/selection
events) and how it differs from OpenMS-Insight: use streamlit_plotly_events with
plotly.express and show_fig() when you need lightweight client-side
click/selection callbacks on Plotly charts, whereas OpenMS-Insight (Table,
link_id, server-side filtering/downsampling) should be used for cross-linked
views, large datasets, and server-driven interactions; mention it complements
pyopenms-viz for one-liners and OpenMS-Insight for heavy-duty UIs.

In @.claude/skills/configure-k8s-deployment.md:
- Around line 117-130: The overlay's JSON patches use positional paths
(/spec/template/spec/containers/0/env/0/value) which will silently modify
whichever env entry is at index 0; update the overlay to avoid positional JSON
patches by either (A) adding a clear inline comment in the base Deployment
manifests (streamlit and rq-worker) next to the env array that REDIS_URL must
remain at index 0, or (B) convert the overlay patches to strategic-merge style
patches that match the env entry by name (targeting the streamlit and rq-worker
Deployment resources and setting spec.template.spec.containers[].env[] where
name: REDIS_URL to value: "redis://<slug>-redis:6379/0") so the patch matches by
name instead of index.

In @.github/workflows/build-and-test.yml:
- Around line 142-145: Replace the unstable raw URL used in the "Install nginx
ingress controller" step where kubectl apply fetches from ingress-nginx main;
pin the manifest to a specific release tag (e.g., controller-v1.11.2) instead of
"main" in the kubectl apply command, and document/update the tag when you
intentionally bump it (pick the latest stable tag at merge time).
- Around line 97-102: The workflow currently interpolates the GitHub Actions
expression directly into the run block; instead bind the expression to an env
var (e.g., META_TAGS: ${{ steps.meta.outputs.tags }}) and in the Retag for kind
step use shell expansion to derive FIRST_TAG (e.g., FIRST_TAG=$(printf '%s\n'
"$META_TAGS" | head -n 1)) before calling docker tag "$FIRST_TAG"
openms-streamlit:test; update the step to set env and replace any direct `${{
steps.meta.outputs.tags }}` usage in the run script accordingly.

In `@clean-up-workspaces.py`:
- Around line 26-28: The hidden-dir skip using directory.name.startswith(".") is
fine but rely on the convention that seeded demo workspaces live in a top-level
".demos" directory; add a brief comment next to the demo seeding logic and/or
the directory filter (reference the check using directory.name.startswith("."))
clarifying that seeded demos must be placed in a literal ".demos" top-level dir
and that renaming to "demos" will break the skip behavior, so future
contributors know why the dot-prefix convention is required.

In `@Dockerfile`:
- Around line 220-228: Replace the ARG GITHUB_TOKEN pattern with a BuildKit
secret mount: remove ARG GITHUB_TOKEN and change the RUN that calls gh (the
block containing gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p
"OpenMS-App.zip" -D /app) to use a --mount=type=secret,id=github_token and set
the token inside the container from the secret (e.g., export GITHUB_TOKEN="$(cat
/run/secrets/github_token)" && gh release download ...), so the secret never
becomes a build-arg; also update your CI (build-and-test.yml) to pass the token
as a build secret (not as build-args) and document local build usage as
DOCKER_BUILDKIT=1 docker build --secret id=github_token,env=GITHUB_TOKEN ... so
the secret is provided via BuildKit.

In `@k8s/base/limitrange.yaml`:
- Around line 6-16: The LimitRange currently sets a default limit
(limits[].type: Container -> default) which will silently apply 2Gi/2 CPU to any
pod without explicit resources; to avoid capping unintended workloads remove the
default block (keep defaultRequest and max) or lower the default values, and add
a clear comment/annotation documenting that pods must declare resources; update
the LimitRange resource (limits[].default, limits[].defaultRequest,
limits[].max) accordingly so new workloads won’t be silently limited.

In `@k8s/base/streamlit-deployment.yaml`:
- Around line 75-80: The livenessProbe's initialDelaySeconds (30s) is likely too
short for cold starts; update the probe in the Deployment by either increasing
initialDelaySeconds and/or adding failureThreshold to give more slack (e.g.,
keep periodSeconds: 30 and set failureThreshold to 3 or higher), or add a
startupProbe that targets the same path (/ _stcore/health) and port (8501) with
a longer total timeout (e.g., periodSeconds: 10 and failureThreshold: 15 for
~150s) so the startupProbe gates the livenessProbe until the app binds; ensure
livenessProbe remains pointing at httpGet path /_stcore/health and port 8501 so
normal health checks continue after startup.

In `@k8s/base/streamlit-secrets.yaml`:
- Around line 12-14: The current comment recommends using git update-index
--skip-worktree in k8s/base/streamlit-secrets.yaml which is fragile; instead
keep the committed file with the empty placeholder admin password and remove the
skip-worktree recommendation, and update the surrounding docs/comments to
instruct operators to manage the live admin password out-of-band using kubectl
patch, SealedSecrets/External Secrets/SOPS (or other secret manager) so
production secrets are never stored locally or relied on skip-worktree;
reference the streamlit-secrets.yaml placeholder and the
docs/kubernetes-deployment.md "Configuring the admin password" section to make
this change.

In `@k8s/components/memory-tier-high/streamlit-resources.yaml`:
- Around line 10-16: The resource requests vs limits in the
streamlit-resources.yaml pod spec are too wide (memory request "512Mi" vs limit
"4Gi" and cpu request "500m" vs limit "4"), which risks node overcommit and
evictions; adjust the values in the resources.requests and resources.limits
block to bring requests closer to typical steady-state usage (or reduce limits)
— update the memory and cpu entries under the resources: requests: and limits:
sections so requests reflect observed steady consumption and limits only allow
reasonable burst headroom for the Streamlit workload.

In `@k8s/overlays/prod/kustomization.yaml`:
- Around line 12-13: Replace the deprecated commonLabels block with the new
labels structure: remove commonLabels: app: template-app and add a labels entry
that uses pairs to set the app label and sets includeSelectors: true and
includeTemplates: true to preserve behavior; specifically update the Kustomize
manifest where commonLabels is defined and ensure the new labels stanza contains
pairs with app: template-app plus includeSelectors and includeTemplates flags
(or run kustomize edit fix to perform this migration automatically).

In `@src/common/admin.py`:
- Around line 64-75: get_demo_target_dir currently duplicates the
demo_workspaces resolution logic already implemented in get_demo_source_dirs,
which risks divergent behavior; update get_demo_target_dir to reuse
get_demo_source_dirs() (e.g., return Path(get_demo_source_dirs()[0]) with a safe
default if the list is empty) or move the resolution into a shared helper used
by both get_demo_source_dirs and get_demo_target_dir so demo_exists and
save_workspace_as_demo operate against the same computed demo root.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9b69bba5-fb56-40cd-8089-57b2df09f7c0

📥 Commits

Reviewing files that changed from the base of the PR and between ee7952b and 286fd0b.

📒 Files selected for processing (44)

• .claude/skills/add-presets.md
• .claude/skills/add-python-tool.md
• .claude/skills/add-visualization.md
• .claude/skills/configure-app-settings.md
• .claude/skills/configure-docker-compose-deployment.md
• .claude/skills/configure-k8s-deployment.md
• .claude/skills/create-page.md
• .claude/skills/create-workflow.md
• .github/kind-config.yaml
• .github/workflows/build-and-test.yml
• .github/workflows/build-docker-images.yml
• .github/workflows/build-windows-executable-app.yaml
• .github/workflows/ghcr-cleanup.yml
• .gitignore
• .streamlit/config.toml
• .streamlit/secrets.toml.example
• Dockerfile
• clean-up-workspaces.py
• docs/kubernetes-deployment.md
• k8s/base/cleanup-cronjob.yaml
• k8s/base/configmap.yaml
• k8s/base/ingress.yaml
• k8s/base/kustomization.yaml
• k8s/base/limitrange.yaml
• k8s/base/namespace.yaml
• k8s/base/redis.yaml
• k8s/base/rq-worker-deployment.yaml
• k8s/base/streamlit-deployment.yaml
• k8s/base/streamlit-secrets.yaml
• k8s/base/streamlit-service.yaml
• k8s/base/traefik-ingressroute.yaml
• k8s/base/workspace-pvc.yaml
• k8s/components/memory-tier-high/kustomization.yaml
• k8s/components/memory-tier-high/nodeselector.yaml
• k8s/components/memory-tier-high/streamlit-resources.yaml
• k8s/components/memory-tier-high/worker-resources.yaml
• k8s/components/memory-tier-low/kustomization.yaml
• k8s/components/memory-tier-low/nodeselector.yaml
• k8s/components/memory-tier-low/streamlit-resources.yaml
• k8s/components/memory-tier-low/worker-resources.yaml
• k8s/overlays/prod/kustomization.yaml
• src/common/admin.py
• src/common/common.py
• src/workflow/WorkflowManager.py

💤 Files with no reviewable changes (1)

• .github/workflows/build-docker-images.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Correct the OpenMS-Insight API pattern to match the actual implementation.

The documented pattern shows direct data passing (Table(df, key="results-table")), but the actual implementation in the codebase uses a cache-based approach. Components are initialized with cache_id and cache_path, then called with state_manager and other parameters.

✅ Correct pattern from content/results_database_search.py

from openms_insight import Table, LinePlot, Heatmap, SequenceView, StateManager

# Initialize state manager for cross-component linking
state_manager = StateManager()

# Load components from cache (no data parameter needed)
table = Table(cache_id=f"table_{cache_id_prefix}", cache_path=str(cache_dir))
heatmap = Heatmap(cache_id=f"heatmap_{cache_id_prefix}", cache_path=str(cache_dir))
line_plot = LinePlot(cache_id=f"lineplot_{cache_id_prefix}", cache_path=str(cache_dir))

# Render components by calling them
st.subheader("PSM Table")
table(state_manager=state_manager, height=533)

st.subheader("MS2 Spectrum")
line_plot(key=f"lineplot_{cache_id_prefix}", state_manager=state_manager, height=450)

Key differences:

• Components are initialized with cache_id and cache_path (not data)
• Components are rendered by calling them as functions
• state_manager is passed when rendering, not link_id
• key is passed during rendering, not initialization

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/skills/add-visualization.md around lines 61 - 78, Update the example
to use the cache-based component pattern used in the codebase: import and
instantiate StateManager, create components with cache_id and cache_path (e.g.,
Table(cache_id=..., cache_path=...), Heatmap(...), LinePlot(...),
SequenceView(...)) rather than passing data, then render them by calling the
component instances with state_manager and runtime args (e.g., key, height) —
for example create state_manager = StateManager(), instantiate
table/heatmap/line_plot variables with cache_id/cache_path, and call
table(state_manager=state_manager, height=...), line_plot(key=...,
state_manager=state_manager, height=...), etc.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Correct the cross-component linking pattern to use StateManager.

The documented pattern shows using a link_id parameter, but the actual implementation uses StateManager for cross-component synchronization. The link_id column approach is not consistent with the real codebase.

✅ Correct linking pattern

from openms_insight import Table, LinePlot, Heatmap, StateManager

# Initialize state manager ONCE for all linked components
state_manager = StateManager()

# Initialize components from cache
table = Table(cache_id="table_id", cache_path=str(cache_dir))
line_plot = LinePlot(cache_id="lineplot_id", cache_path=str(cache_dir))
heatmap = Heatmap(cache_id="heatmap_id", cache_path=str(cache_dir))

# Render components with the SAME state_manager instance
table(state_manager=state_manager, height=533)
line_plot(state_manager=state_manager, height=450)
heatmap(state_manager=state_manager, height=350)

Selections in one component automatically update all components sharing the same state_manager instance.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/skills/add-visualization.md around lines 84 - 91, The docs show
using a deprecated link_id parameter for cross-component syncing; update the
example to create a single StateManager instance and pass it into each component
instead: import and instantiate StateManager, initialize Table, LinePlot,
Heatmap with their cache_id/cache_path constructors (Table, LinePlot, Heatmap)
and then render each by calling the component with the same state_manager
argument (e.g., table(state_manager=state_manager, ...),
line_plot(state_manager=state_manager, ...),
heatmap(state_manager=state_manager, ...)) so selections synchronize via the
StateManager rather than a link_id column.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Align the workflow integration example with the cache-based pattern.

The OpenMS-Insight example in the results() method shows direct data passing (Table(df, key="results-table")), which is inconsistent with the cache-based pattern used throughout the actual codebase (see content/results_database_search.py).

🔄 Suggested alignment with actual pattern

`@st.fragment`
def results(self) -> None:
    cache_dir = Path(self.workflow_dir, "results", "insight_cache")
    
    # pyopenms-viz for spectrum plots
    result_file = Path(self.workflow_dir, "results", "step-name", "output.tsv")
    if result_file.exists():
        df = pd.read_csv(result_file, sep="\t")
        import pyopenms_viz
        fig = df.plot.ms_spectrum(backend="plotly")
        show_fig(fig, "results-spectrum")
    
    # OpenMS-Insight for interactive exploration (cache-based)
    cache_id = "results_table"
    if (cache_dir / f"table_{cache_id}").is_dir():
        from openms_insight import Table, StateManager
        state_manager = StateManager()
        table = Table(cache_id=f"table_{cache_id}", cache_path=str(cache_dir))
        table(state_manager=state_manager, height=533)
    else:
        st.warning("No cached results found. Please run the workflow first.")

Alternatively, if direct data passing is a valid alternative pattern, clarify when to use each approach.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/skills/add-visualization.md around lines 98 - 114, The results()
fragment should use the cache-based OpenMS-Insight pattern instead of passing
DataFrame directly: create cache_dir = Path(self.workflow_dir, "results",
"insight_cache"), set a cache_id (e.g. "results_table"), check for (cache_dir /
f"table_{cache_id}").is_dir() and if present instantiate StateManager() and
Table(cache_id=f"table_{cache_id}", cache_path=str(cache_dir)) and call
table(state_manager=state_manager, height=533); keep the pyopenms_viz spectrum
plotting (df.plot.ms_spectrum + show_fig) but move the Table usage to the cached
flow and show st.warning when the cache is missing.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify which dependency files actually exist and are referenced by the Dockerfiles.
fd -HI -t f '^(environment\.yml|requirements\.txt)$'
rg -nP -C2 'environment\.yml|requirements\.txt' Dockerfile Dockerfile_simple 2>/dev/null

Repository: OpenMS/quantms-web

Length of output: 313

---

Update Dockerfile dependency reference in documentation.

The skill doc at lines 30-37 incorrectly states the full Dockerfile uses environment.yml for Python dependencies. The actual Dockerfile installs dependencies from requirements.txt (lines 88-89). Update the documentation to match the implementation.

Suggested change

   - **`Dockerfile`** (full): builds OpenMS from source with TOPP tools. Use when the app runs TOPP tools via `executor.run_topp()`. Update:
     - `GITHUB_USER` and `GITHUB_REPO` environment variables
-    - Python dependencies in `environment.yml`
+    - Python dependencies in `requirements.txt`
     - Entrypoint if main file is not `app.py`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/skills/configure-app-settings.md around lines 30 - 37, The
documentation incorrectly states that the full Dockerfile installs Python
dependencies from environment.yml; update the doc block describing
**Dockerfile** to say it uses requirements.txt (not environment.yml) so it
matches the actual Dockerfile implementation (see dependency install in
Dockerfile lines that currently reference requirements.txt), while leaving the
**Dockerfile_simple** note that it also uses requirements.txt; keep references
to executor.run_topp(), TOPP tools, app.py and pyOpenMS unchanged.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm clean-up-workspaces.py reads WORKSPACES_DIR.
fd -t f 'clean-up-workspaces.py' --exec cat {}

Repository: OpenMS/quantms-web

Length of output: 2086

---

Update documentation to reflect environment variable pattern in clean-up-workspaces.py.

The file already resolves workspaces_directory from the WORKSPACES_DIR environment variable (with a fallback default), but step 2 instructs users to hardcode the path in Python. This creates confusion and leads developers to edit code that's no longer the source of truth.

Suggested rewrite

-2. **Update `clean-up-workspaces.py`**:
-
-    ```python
-    workspaces_directory = Path("/workspaces-your-repo-name")
-    ```
+2. **Set `WORKSPACES_DIR` for the service** so the cleanup script targets the right volume:
+
+    ```yaml
+    services:
+      your-app-name:
+        environment:
+          - WORKSPACES_DIR=/workspaces-your-repo-name
+    ```

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	2. **Update `clean-up-workspaces.py`**:
	```python
	workspaces_directory = Path("/workspaces-your-repo-name")
	```
	2. **Set `WORKSPACES_DIR` for the service** so the cleanup script targets the right volume:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/skills/configure-docker-compose-deployment.md around lines 28 - 32,
The docs instruct editing clean-up-workspaces.py to hardcode
workspaces_directory, but the script already reads WORKSPACES_DIR from the
environment; update the step to tell users to set the WORKSPACES_DIR env var for
the service instead of editing clean-up-workspaces.py—mention the script name
clean-up-workspaces.py and the env var WORKSPACES_DIR so maintainers know where
the source-of-truth is and to configure the compose service environment
accordingly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add -n openms to the demo-reseed example.

These commands omit the namespace, but every other command in the doc uses -n openms. Without it, users running with a different default-context namespace will get "deployment not found".

📝 Proposed fix

-kubectl exec deploy/streamlit -- rm -rf /workspaces-streamlit-template/.demos/<name>
-kubectl rollout restart deploy/streamlit
+kubectl -n openms exec deploy/<your-app-name>-streamlit -- rm -rf /workspaces-streamlit-template/.demos/<name>
+kubectl -n openms rollout restart deploy/<your-app-name>-streamlit

Note: post-overlay the deployment name is <namePrefix>streamlit, so use <your-app-name>-streamlit to match the rest of the guide.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	kubectl exec deploy/streamlit -- rm -rf /workspaces-streamlit-template/.demos/<name>
	kubectl rollout restart deploy/streamlit
	```
	kubectl -n openms exec deploy/<your-app-name>-streamlit -- rm -rf /workspaces-streamlit-template/.demos/<name>
	kubectl -n openms rollout restart deploy/<your-app-name>-streamlit

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/kubernetes-deployment.md` around lines 119 - 121, Update the two kubectl
commands that target the streamlit deployment to include the namespace flag so
they work for non-default contexts: change the commands that start with "kubectl
exec deploy/streamlit" and "kubectl rollout restart deploy/streamlit" to add "-n
openms", and also note that the actual deployment name may be prefixed (use
"<your-app-name>-streamlit" or the repo's <namePrefix>streamlit as shown
elsewhere in the docs).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

CI description doesn't match the actual workflow.

The doc describes:

• Job 2 build includes kind integration "per variant"
• Job 3 traefik-integration with needs: lint-manifests, runs once on Dockerfile_simple

The actual .github/workflows/build-and-test.yml has:

• Job 2 build does not run kind integration — it just builds and uploads an image artifact.
• Jobs 3/4 are test-nginx and test-traefik, both needs: build, both matrixed over [full, simple] (so traefik runs twice, not once).

Please update the doc so future readers don't trust a stale CI graph description.

📝 Suggested wording

-- **Job 2 — `build`** (`needs: lint-manifests`, matrix over `[full, simple]`):
+- **Job 2 — `build`** (`needs: lint-manifests`, matrix over `[full, simple]`):
   - Builds `Dockerfile` (full, includes TOPP tools) or `Dockerfile_simple` (pyOpenMS only) depending on the matrix leg.
   - **Buildx registry cache** ...
   - **Push** on push/tag/workflow_dispatch events (not on PRs). ...
-  - **Kind integration** runs per variant: creates a kind cluster, ...
-- **Job 3 — `traefik-integration`** (`needs: lint-manifests`, runs once on `Dockerfile_simple`): ...
+  - Uploads the built image as a `.tar` artifact for downstream test jobs.
+- **Job 3 — `test-nginx`** (`needs: build`, matrix over `[full, simple]`): downloads the image artifact, creates a kind cluster, installs nginx-ingress, applies the kustomized `prod` overlay (filtering out the Traefik `IngressRoute`, forcing `imagePullPolicy: Never` and `storageClassName: standard`), waits for Redis + deployments, and curls both `.de` and `.org` hostnames through the nginx ingress controller.
+- **Job 4 — `test-traefik`** (`needs: build`, matrix over `[full, simple]`): same shape but installs Traefik via Helm and applies the full overlay including the `IngressRoute`, then curls both hostnames through the Traefik service. Catches IngressRoute-syntax regressions the nginx-side test cannot.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/kubernetes-deployment.md` around lines 274 - 281, The docs are out of
sync: update the CI description so that Job "build" is described as only
building and uploading the image artifact (no kind integration), and replace the
existing "Job 2 — build" / "Job 3 — traefik-integration" wording with accurate
behavior: there are two test jobs ("test-nginx" and "test-traefik") that both
need "build" and both run a matrix over [full, simple] (so Traefik is exercised
for both variants), and ensure notes about when images are pushed, cache
behavior, and PR vs push/tag semantics remain consistent with that flow; refer
to the job names "build", "test-nginx", and "test-traefik" and the matrix
`[full, simple]` when editing the doc.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all environments using this IngressRoute apply an overlay that patches host/match.
fd -t f kustomization.yaml k8s/
echo "---"
rg -nP -C2 'streamlit-traefik|IngressRoute' k8s/

Repository: OpenMS/quantms-web

Length of output: 914

---

🏁 Script executed:

# Read the prod overlay patch section in full
sed -n '20,50p' k8s/overlays/prod/kustomization.yaml

Repository: OpenMS/quantms-web

Length of output: 819

---

🏁 Script executed:

# List all overlay directories
find k8s/overlays -maxdepth 1 -type d | sort

Repository: OpenMS/quantms-web

Length of output: 93

---

🏁 Script executed:

# Check all overlays for IngressRoute patches
for ov in $(find k8s/overlays -maxdepth 1 -type d ! -name "overlays"); do
  echo "=== $ov ==="
  if [ -f "$ov/kustomization.yaml" ]; then
    rg -A 10 'IngressRoute|streamlit-traefik' "$ov/kustomization.yaml" || echo "Not found"
  fi
done

Repository: OpenMS/quantms-web

Length of output: 481

---

🏁 Script executed:

# Check the base kustomization to understand default resource loading
cat -n k8s/base/kustomization.yaml

Repository: OpenMS/quantms-web

Length of output: 565

---

🏁 Script executed:

# Read the full base IngressRoute
cat -n k8s/base/traefik-ingressroute.yaml

Repository: OpenMS/quantms-web

Length of output: 548

---

🏁 Script executed:

# Search for any other kustomization patterns or deployment references that might use the base directly
rg -i 'traefik.*ingressroute|kustomization' k8s/ --type yaml -B 1 -A 1 | head -50

Repository: OpenMS/quantms-web

Length of output: 549

---

Confirm that all deployments use the prod overlay patch for the IngressRoute.

The base IngressRoute is intentionally permissive—web entrypoint only (HTTP), PathPrefix(/), and a generic service name—allowing the prod overlay to patch it with specific host restrictions and environment-appropriate service naming. The prod patch correctly restricts match to (Host(template.webapps.openms.de) || Host(template.webapps.openms.org)) && PathPrefix(/) and updates the service name.

However, only one overlay (prod) exists in the repository. If the base is ever deployed standalone in dev, test, or other environments without applying the prod overlay patches, the service would be exposed over plain HTTP on all hosts. Ensure deployment pipelines consistently use the overlay, not the base directly.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@k8s/base/traefik-ingressroute.yaml` around lines 6 - 9, The base IngressRoute
currently exposes entryPoints: web and routes.match using PathPrefix(`/`) (i.e.,
an overly permissive IngressRoute) so ensure every deployment applies the prod
overlay patch that tightens routes.match to include the host restrictions and
updates the service name; update CI/CD kustomize/helm pipeline to always
build/deploy using the prod overlay (or add a conservative default host match in
the base) and add a pipeline check that verifies the IngressRoute produced for
deployment has the patched match expression (not just PathPrefix(`/`)) before
allowing deployment.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Does OpenStack Cinder CSI support ReadWriteMany access mode for PersistentVolumeClaims?

💡 Result:

No, OpenStack Cinder CSI does not support ReadWriteMany (RWX) access mode for PersistentVolumeClaims in the standard filesystem mode. It primarily supports ReadWriteOnce (RWO), which maps to SINGLE_NODE_WRITER in CSI. The driver advertises only SINGLE_NODE_WRITER as its volume capability access mode in its source code. All official examples and documentation use ReadWriteOnce. Multi-attach volumes (via volume types with multiattach=True in OpenStack Cinder) allow attachment to multiple nodes, but this is intended for block mode (volumeMode: Block) use cases like databases handling their own concurrency or raw block access (e.g., KubeVirt). Using ext4 or xfs filesystems (default for filesystem mode) on multi-attach volumes is unsafe for concurrent read-write access across nodes, as these are not cluster filesystems. Recent GitHub issues (up to 2026) confirm users struggle with shared filesystem access on multi-attach Cinder volumes, with no built-in support for clustered filesystems like GFS2. For true RWX filesystem sharing, use OpenStack Manila CSI (NFS/share storage) instead.

Citations:

• 1: openstack cinder storageclass does not provide ReadWriteMany accessmode kubernetes/cloud-provider-openstack#1315
• 2: [cinder-csi-plugin] multi-attach shared file-system kubernetes/cloud-provider-openstack#3031
• 3: https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/examples.md
• 4: https://docs.openshift.org/latest/storage/container_storage_interface/persistent-storage-csi-cinder.html
• 5: https://creodias.docs.cloudferro.com/en/latest/kubernetes/Kubernetes-Persistent-Volume-Claims-on-Creodias.html
• 6: https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md
• 7: [cinder-csi-plugin] Cinder CSI plugin should not provision ROX or RWX volumes kubernetes/cloud-provider-openstack#1367
• 8: https://openmetal.io/docs/manuals/kubernetes-guides/configuring-openstack-cinder-with-kubernetes
• 9: https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/features.md
• 10: https://github.com/kubernetes/cloud-provider-openstack/blob/master/pkg/csi/cinder/driver.go

---

ReadWriteOnce PVC shared by multiple Deployments — will fail on multi-node clusters.

This PVC is mounted by streamlit-deployment, rq-worker-deployment, and the cleanup-cronjob. With accessModes: ReadWriteOnce, the volume can only be mounted by pods on a single node at a time. When the scheduler places the streamlit pod and rq-worker pod on different nodes, pod startup fails with Multi-Attach error.

This also breaks correctness of the queued-workflow path: rq-worker pods cannot read params.json from the workspace volume if they land on a different node than streamlit.

Mitigation options:

1. Switch to a ReadWriteMany-capable storage backend. On OpenStack, Cinder CSI does not support ReadWriteMany—use Manila CSI (NFS share) instead and set accessModes: [ReadWriteMany].
2. Pin all consumer pods to a single node via nodeAffinity / podAffinity (limits horizontal scale).
3. Co-locate streamlit and rq-worker containers in the same pod.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@k8s/base/workspace-pvc.yaml` around lines 6 - 11, The PVC currently uses
accessModes: ReadWriteOnce with storageClassName: cinder-csi which will cause
Multi-Attach errors when mounted by streamlit-deployment, rq-worker-deployment,
and cleanup-cronjob across multiple nodes; update the PVC to use a
ReadWriteMany-capable backend (replace storageClassName cinder-csi with your
Manila/NFS CSI class and set accessModes to ReadWriteMany) so multiple pods on
different nodes can mount the volume, or alternatively implement
nodeAffinity/podAffinity on streamlit-deployment and rq-worker-deployment to
co-locate them on one node (or merge streamlit and rq-worker into the same pod)
if changing storage backend isn’t possible.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Very wide request-to-limit gap — node-level OOM risk.

Memory request 2Gi vs limit 180Gi (90×) and CPU 2 vs 20 (10×) means many workers can be scheduled per node based on requests, but a few of them simultaneously bursting toward their limits can exceed node capacity. Under memory pressure, kubelet eviction will OOM-kill pods (not necessarily the offender). For workloads that legitimately need ~180Gi, consider raising the request closer to a typical working set, or sizing one worker per high-mem node via anti-affinity / a node selector with capacity-matched nodes.

🧰 Tools

🪛 Checkov (3.2.524)

[medium] 1-16: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

---

[medium] 1-16: Minimize the admission of root containers

(CKV_K8S_23)

🪛 Trivy (0.69.3)

[error] 9-16: Root file system is not read-only

Container 'rq-worker' of Deployment 'rq-worker' should set 'securityContext.readOnlyRootFilesystem' to true

Rule: KSV-0014

Learn more

(IaC/Kubernetes)

---

[error] 9-16: Default security context configured

container rq-worker in default namespace is using the default security context

Rule: KSV-0118

Learn more

(IaC/Kubernetes)

---

[error] 7-16: Default security context configured

deployment rq-worker in default namespace is using the default security context, which allows root privileges

Rule: KSV-0118

Learn more

(IaC/Kubernetes)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@k8s/components/memory-tier-high/worker-resources.yaml` around lines 11 - 16,
The resource spec in worker-resources.yaml has an unsafe request-to-limit gap
(memory request "2Gi" vs limit "180Gi" and cpu "2" vs "20") which can cause
node-level OOMs; update the Resources block (requests.memory, limits.memory,
requests.cpu, limits.cpu) to set requests closer to the realistic working set
(e.g., increase requests.memory to a value that reflects typical usage, and
scale requests.cpu accordingly) or reduce limits to a reasonable burst factor
(e.g., ≤2–4×), and/or add pod antiAffinity or a nodeSelector/taints for
high-memory nodes in the same manifest (use the same Deployment/PodSpec that
references these resources) so that pods requiring very large limits are
scheduled only on capacity-matched nodes.