Merge branch 'main' into copilot/change-default-api-endpoint

Author: kevinbackhouse

.devcontainer/devcontainer.json

@@ -15,6 +15,9 @@
     },
     "ghcr.io/devcontainers/features/github-cli:1": {
       "version": "latest"
+    },
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "version": "latest"
     }
   },
   // Configure tool-specific properties

.github/workflows/smoketest.yaml

@@ -16,6 +16,7 @@ permissions:
 jobs:
   Linux:
     runs-on: ubuntu-latest
+    environment: smoketest
     if: github.event.issue.pull_request  # Make sure the comment is on a PR
     steps:
       - name: branch-deploy
@@ -24,6 +25,7 @@ jobs:
         with:
           trigger: "smoke test"
           reaction: "eyes"
+          environment: "smoketest"
           stable_branch: "main"
           update_branch: "disabled"
 

README.md

@@ -457,6 +457,26 @@ taskflow:
 
 The model version can then be updated by changing `gpt_latest` in the `model_config` file and applied across all taskflows that use the config.
 
+In addition, model specific parameters can be provided via `model_config`. To do so, define a `model_settings` section in the `model_config` file. This section has to be a dictionary with the model names as keys:
+
+```yaml
+model_settings:
+  gpt_latest:
+    temperature: 1
+    reasoning:
+      effort: high
+```
+
+You do not need to set parameters for all models defined in the `models` section. When parameters are not set for a model, they'll fall back to the default value. However, all the settings in this section must belong to one of the models specified in the `models` section, otherwise an error will raise:
+
+```yaml
+model_settings:
+  new_model:
+    ...
+```
+
+The above will result in an error because `new_model` is not defined in `models` section. Model parameters can also be set per task, and any settings defined in a task will override the settings in the config.
+
 ## Passing environment variables
 
 Files of types `taskflow` and `toolbox` allow environment variables to be passed using the `env` field:

doc/GRAMMAR.md

@@ -91,6 +91,18 @@ Tasks can optionally specify which Model to use on the configured inference endp
 
 Note that model identifiers may differ between OpenAI compatible endpoint providers, make sure you change your model identifier accordingly when switching providers. If not specified, a default LLM model (`gpt-4o`) is used.
 
+Parameters to the model can also be specified in the task using the `model_settings` section:
+
+```yaml
+    model: gpt-5-mini
+    model_settings:
+      temperature: 1
+      reasoning:
+        effort: high
+```
+
+If `model_settings` is absent, then the model parameters will fall back to either the default or the ones supplied in a `model_config`. However, any parameters supplied in the task will override those that are set in the `model_config`.
+
 ### Completion Requirement
 
 Tasks can be marked as requiring completion, if a required task fails, the taskflow will abort. This defaults to false.

pyproject.toml

@@ -39,7 +39,6 @@ dependencies = [
   "cyclopts==3.24.0",
   "distro==1.9.0",
   "dnspython==2.8.0",
-  "docstring-to-markdown==0.17",
   "docstring_parser==0.17.0",
   "docutils==0.22",
   "email-validator==2.3.0",
@@ -73,6 +72,7 @@ dependencies = [
   "parse==1.20.2",
   "parso==0.8.4",
   "pathable==0.4.4",
+  "platformdirs==4.5.0",
   "pluggy==1.6.0",
   "pycparser==2.23",
   "pydantic==2.11.7",

src/seclab_taskflow_agent/__main__.py

@@ -107,7 +107,7 @@ async def deploy_task_agents(available_tools: AvailableTools,
                              exclude_from_context: bool = False,
                              max_turns: int = DEFAULT_MAX_TURNS,
                              model: str = DEFAULT_MODEL,
-                             model_settings: ModelSettings | None = None,
+                             model_par: dict = {},
                              run_hooks: TaskRunHooks | None = None,
                              agent_hooks: TaskAgentHooks | None = None):
 
@@ -130,10 +130,11 @@ async def deploy_task_agents(available_tools: AvailableTools,
 
     # https://openai.github.io/openai-agents-python/ref/model_settings/
     parallel_tool_calls = True if os.getenv('MODEL_PARALLEL_TOOL_CALLS') else False
-    model_settings = ModelSettings(
-        temperature=os.getenv('MODEL_TEMP', default=0.0),
-        tool_choice=('auto' if toolboxes else None),
-        parallel_tool_calls=(parallel_tool_calls if toolboxes else None))
+    model_params = {'temperature' : os.getenv('MODEL_TEMP', default = 0.0),
+                        'tool_choice' : ('auto' if toolboxes else None),
+                        'parallel_tool_calls' : (parallel_tool_calls if toolboxes else None)}
+    model_params.update(model_par)
+    model_settings = ModelSettings(**model_params)
 
     # block tools if requested
     tool_filter = create_static_tool_filter(blocked_tool_names=blocked_tools) if blocked_tools else None
@@ -438,13 +439,22 @@ async def on_handoff_hook(
             global_variables.update(cli_globals)
         model_config = taskflow.get('model_config', {})
         model_keys = []
+        models_params = {}
         if model_config:
-            model_dict = available_tools.get_model_config(model_config)
-            model_dict = model_dict.get('models', {})
+            m_config = available_tools.get_model_config(model_config)
+            model_dict = m_config.get('models', {})
             if model_dict:
                 if not isinstance(model_dict, dict):
                     raise ValueError(f"Models section of the model_config file {model_config} must be a dictionary")
-            model_keys = model_dict.keys() 
+            model_keys = model_dict.keys()
+            models_params = m_config.get('model_settings', {})
+            if models_params and not isinstance(models_params, dict):
+                raise ValueError(f"Settings section of model_config file {model_config} must be a dictionary")
+            if not set(models_params.keys()).difference(model_keys).issubset(set([])):
+                raise ValueError(f"Settings section of model_config file {model_config} contains models that are not in the model section")
+            for k,v in models_params.items():
+                if not isinstance(v, dict):
+                    raise ValueError(f"Settings for model {k} in model_config file {model_config} is not a dictionary")
 
         for task in taskflow['taskflow']:
 
@@ -465,8 +475,17 @@ async def on_handoff_hook(
                     if k not in task_body:
                         task_body[k] = v
             model = task_body.get('model', DEFAULT_MODEL)
+            model_settings = {}
             if model in model_keys:
+                if model in models_params:
+                    model_settings = models_params[model].copy()
                 model = model_dict[model]
+            task_model_settings = task_body.get('model_settings', {})
+            if not isinstance(task_model_settings, dict):
+                name = task.get('name', '')
+                raise ValueError(f"model_settings in task {name} needs to be a dictionary")
+            model_settings.update(task_model_settings)
+
             # parse our taskflow grammar
             name = task_body.get('name', 'taskflow') # placeholder, not used yet
             description = task_body.get('description', 'taskflow') # placeholder not used yet
@@ -622,6 +641,7 @@ async def _deploy_task_agents(resolved_agents, prompt):
                                         on_tool_end=on_tool_end_hook,
                                         on_tool_start=on_tool_start_hook),
                                     model = model,
+                                    model_par = model_settings,
                                     agent_hooks=TaskAgentHooks(
                                         on_handoff=on_handoff_hook))
                             return result

src/seclab_taskflow_agent/mcp_servers/codeql/mcp_server.py

@@ -20,10 +20,11 @@
 import re
 from urllib.parse import urlparse, unquote
 import zipfile
+from seclab_taskflow_agent.path_utils import mcp_data_dir
 
 mcp = FastMCP("CodeQL")
 
-CODEQL_DBS_BASE_PATH = Path(os.getenv('CODEQL_DBS_BASE_PATH', default='/workspaces'))
+CODEQL_DBS_BASE_PATH = mcp_data_dir('seclab-taskflow-agent', 'codeql', 'CODEQL_DBS_BASE_PATH')
 
 # tool name -> templated query lookup for supported languages
 TEMPLATED_QUERY_PATHS = {

src/seclab_taskflow_agent/mcp_servers/logbook/logbook.py

@@ -12,14 +12,13 @@
 from fastmcp import FastMCP # move to FastMCP 2.0
 import json
 from pathlib import Path
-import os
+from seclab_taskflow_agent.path_utils import mcp_data_dir
 
 mcp = FastMCP("Logbook")
 
 LOG = {}
 
-LOGBOOK = Path(__file__).parent.resolve() / Path(os.getenv('LOGBOOK_STATE_DIR', default='./')) / Path("logbook.json")
-
+LOGBOOK = mcp_data_dir('seclab-taskflow-agent', 'logbook', 'LOGBOOK_STATE_DIR') / Path("logbook.json")
 
 def ensure_log():
     global LOG

src/seclab_taskflow_agent/mcp_servers/memcache/memcache.py

@@ -16,6 +16,7 @@
 from typing import Any
 from .memcache_backend.dictionary_file import MemcacheDictionaryFileBackend
 from .memcache_backend.sqlite import SqliteBackend
+from seclab_taskflow_agent.path_utils import mcp_data_dir
 
 mcp = FastMCP("Memcache")
 
@@ -24,10 +25,7 @@
     'sqlite': SqliteBackend,
 }
 
-# if MEMCACHE_STATE_DIR contains an absolute path we WANT the user to be able
-# to override the relative path in that case this path join will return
-# /MEMCACHE_STATE_DIR/memory.json
-MEMORY = Path(__file__).parent.resolve() / Path(os.getenv('MEMCACHE_STATE_DIR', default='./'))
+MEMORY = mcp_data_dir('seclab-taskflow-agent', 'memcache', 'MEMCACHE_STATE_DIR')
 BACKEND = os.getenv('MEMCACHE_BACKEND', default='sqlite')
 
 backend = backends.get(BACKEND)(str(MEMORY))

src/seclab_taskflow_agent/path_utils.py

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2025 GitHub
+# SPDX-License-Identifier: MIT
+
+import platformdirs
+import os
+from pathlib import Path
+
+
+def mcp_data_dir(packagename: str, mcpname: str, env_override: str | None) -> Path:
+    """
+    Create a directory for an MCP to store its data.
+
+    Parameters:
+        packagename (str): The name of the package. Used as a subdirectory under the data directory.
+        mcpname (str): The name of the MCP server. Used as a subdirectory under the package directory.
+        env_override (str | None): The name of an environment variable that, if set, overrides the default data directory location. If None, the default location is used.
+
+    Returns:
+        Path: The path to the created data directory for the MCP server.
+    """
+    if env_override:
+        p = os.getenv(env_override)
+        if p:
+            return Path(p)
+    # Use [platformdirs](https://pypi.org/project/platformdirs/) to
+    # choose an appropriate location.
+    d = platformdirs.user_data_dir(appname="seclab-taskflow-agent",
+                                   appauthor="GitHubSecurityLab",
+                                   ensure_exists=True)
+    # Each MCP server gets its own sub-directory
+    p = Path(d).joinpath(packagename).joinpath(mcpname)
+    p.mkdir(parents=True, exist_ok=True)
+    return p