.cursor/commands/performance-review.md

-Original file line number
+Diff line change
@@ -0,0 +1,24 @@
+    Analyze the current code for performance issues specific to the Dynamiq framework.
+    Focus on these areas:
+. **DAG Execution**: Look for sequential bottlenecks where nodes could run in parallel. Check for unnecessary `node.depends_on()` chains and excessive `reset_run_state()` calls.
+. **Executor Configuration**: Review thread pool settings. Check if `ProcessExecutor` is used where `ThreadExecutor` would be better for I/O workloads. Look for missing `executor.shutdown()` calls.
+. **Connection Management**: Find nodes creating clients in `execute()` instead of `init_components()`. Check for missing `_connection_manager` storage and connection objects being recreated per-request.
+. **Caching**: Identify nodes with deterministic outputs that have `caching.enabled = False`. Look for large objects being cached causing serialization overhead.
+. **Agent Performance**: Check for high `max_loops` values, missing `stop_sequences`, and `parallel_tool_calls_enabled=True` creating new ThreadPoolExecutor per loop.
+. **Async Patterns**: Find blocking calls in async context - `time.sleep()` instead of `asyncio.sleep()`, `requests.*` instead of httpx, sync file I/O in async methods.
+. **Memory**: Look for unbounded growth in `_intermediate_steps`, prompt message accumulation without summarization, and unnecessary deep copies in `clone()`.
+    For each issue found, provide:
+    - File path and line number
+    - Description of the problem
+    - Suggested fix
+    Prioritize critical issues that significantly impact performance.

.cursor/commands/pre-pr-review.md

-Original file line number
+Diff line change
@@ -0,0 +1,36 @@
+    Review the changed files before creating a PR. Check against the project's BUGBOT rules and report any issues that would be flagged.
+    **Check for blocking issues first:**
+. **Security**: No `eval()`/`exec()`/`compile()` outside the Python tool sandbox. No hardcoded secrets - use `Field(default_factory=partial(get_env_var, "KEY"))`.
+. **Pydantic**: No `@dataclass` - use `BaseModel`. All structured data should use Pydantic models.
+. **Node patterns**:
+       - External service nodes must extend `ConnectionNode`
+       - `init_components()` must call `super().init_components()` and store `_connection_manager`
+       - Never create clients in `execute()` - use `init_components()`
+. **Serialization**:
+       - `to_dict()` must support `for_tracing` and `include_secure_params` parameters
+       - Nested nodes must call `to_dict()` with the same parameters
+       - Add `client`, `vector_store`, `executor` to `to_dict_exclude_params`
+. **Async**: No blocking calls (`time.sleep()`, `requests.*`, sync file I/O) in async methods.
+    **Then check for style issues:**
+. **Types**: All functions need type annotations for parameters and return values.
+. **Naming**:
+       - Boolean fields use `*_enabled`/`*_allowed` suffix, not `enable_*`/`allow_*` prefix
+       - Methods use clear prefixes: `get_*`, `is_*`, `has_*`, `create_*`, `validate_*`
+       - No single-letter variables except loop indices
+. **Node fields**: Nodes need `input_schema`, `NodeGroup`, `name`, `description`, and `Field()` with descriptions.
+. **Tests**: New nodes need tests. Bug fixes need regression tests.
+    For each issue, provide the file, line number, what's wrong, and how to fix it.
+    End with a summary: how many blocking issues vs style issues found.

.cursor/commands/security-review.md

-Original file line number
+Diff line change
@@ -0,0 +1,35 @@
+    Perform a security audit of the current code, focusing on vulnerabilities specific to the Dynamiq AI orchestration framework.
+    Check for these issues in order of severity:
+    **CRITICAL:**
+. **Hardcoded Secrets**: Search for API keys, passwords, or tokens as string literals. They should use `Field(default_factory=partial(get_env_var, "VAR_NAME"))` instead.
+. **Dangerous Code Execution**: Find any `eval()`, `exec()`, or `compile()` usage outside of `dynamiq/nodes/tools/python.py`. All dynamic code must go through the RestrictedPython sandbox.
+. **Credential Exposure**: Check `to_dict()` implementations - they must support `include_secure_params=False` and never log credentials.
+    **HIGH:**
+. **Injection Vulnerabilities**: Look for string interpolation in Cypher/SQL queries. Find user input directly embedded in LLM prompts without sanitization.
+. **Missing Input Validation**: Identify nodes without `input_schema` Pydantic models, especially those accepting user input.
+. **Unsafe Deserialization**: Check for `pickle.loads()` or `jsonpickle.decode()` on untrusted data. Review YAML loading for unsafe type resolution.
+. **Authentication Issues**: Find `verify_certs=False`, missing TLS configuration, or credentials in connection strings.
+    **MEDIUM:**
+. **Path Traversal**: Check file operations for `../` handling and path validation against allowed directories.
+. **Missing Tenant Isolation**: Review vector store and memory backends for multi-tenant data separation.
+. **Dependency Vulnerabilities**: Note any `# nosec` annotations and check critical dependencies like RestrictedPython, litellm, jsonpickle.
+    For each finding, report:
+    - Severity level (CRITICAL/HIGH/MEDIUM)
+    - File path and line number
+    - Description of the vulnerability
+    - Recommended fix

docs: add cursor performance security commands #519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft

vitalii-dynamiq wants to merge 2 commits into main from cursor/curser-performance-security-commands-09bc

-Original file line number
+Diff line change
@@ -0,0 +1,24 @@
+    Analyze the current code for performance issues specific to the Dynamiq framework.
+    Focus on these areas:
+. **DAG Execution**: Look for sequential bottlenecks where nodes could run in parallel. Check for unnecessary `node.depends_on()` chains and excessive `reset_run_state()` calls.
+. **Executor Configuration**: Review thread pool settings. Check if `ProcessExecutor` is used where `ThreadExecutor` would be better for I/O workloads. Look for missing `executor.shutdown()` calls.
+. **Connection Management**: Find nodes creating clients in `execute()` instead of `init_components()`. Check for missing `_connection_manager` storage and connection objects being recreated per-request.
+. **Caching**: Identify nodes with deterministic outputs that have `caching.enabled = False`. Look for large objects being cached causing serialization overhead.
+. **Agent Performance**: Check for high `max_loops` values, missing `stop_sequences`, and `parallel_tool_calls_enabled=True` creating new ThreadPoolExecutor per loop.
+. **Async Patterns**: Find blocking calls in async context - `time.sleep()` instead of `asyncio.sleep()`, `requests.*` instead of httpx, sync file I/O in async methods.
+. **Memory**: Look for unbounded growth in `_intermediate_steps`, prompt message accumulation without summarization, and unnecessary deep copies in `clone()`.
+    For each issue found, provide:
+    - File path and line number
+    - Description of the problem
+    - Suggested fix
+    Prioritize critical issues that significantly impact performance.

-Original file line number
+Diff line change
@@ -0,0 +1,36 @@
+    Review the changed files before creating a PR. Check against the project's BUGBOT rules and report any issues that would be flagged.
+    **Check for blocking issues first:**
+. **Security**: No `eval()`/`exec()`/`compile()` outside the Python tool sandbox. No hardcoded secrets - use `Field(default_factory=partial(get_env_var, "KEY"))`.
+. **Pydantic**: No `@dataclass` - use `BaseModel`. All structured data should use Pydantic models.
+. **Node patterns**:
+       - External service nodes must extend `ConnectionNode`
+       - `init_components()` must call `super().init_components()` and store `_connection_manager`
+       - Never create clients in `execute()` - use `init_components()`
+. **Serialization**:
+       - `to_dict()` must support `for_tracing` and `include_secure_params` parameters
+       - Nested nodes must call `to_dict()` with the same parameters
+       - Add `client`, `vector_store`, `executor` to `to_dict_exclude_params`
+. **Async**: No blocking calls (`time.sleep()`, `requests.*`, sync file I/O) in async methods.
+    **Then check for style issues:**
+. **Types**: All functions need type annotations for parameters and return values.
+. **Naming**:
+       - Boolean fields use `*_enabled`/`*_allowed` suffix, not `enable_*`/`allow_*` prefix
+       - Methods use clear prefixes: `get_*`, `is_*`, `has_*`, `create_*`, `validate_*`
+       - No single-letter variables except loop indices
+. **Node fields**: Nodes need `input_schema`, `NodeGroup`, `name`, `description`, and `Field()` with descriptions.
+. **Tests**: New nodes need tests. Bug fixes need regression tests.
+    For each issue, provide the file, line number, what's wrong, and how to fix it.
+    End with a summary: how many blocking issues vs style issues found.

-Original file line number
+Diff line change
@@ -0,0 +1,35 @@
+    Perform a security audit of the current code, focusing on vulnerabilities specific to the Dynamiq AI orchestration framework.
+    Check for these issues in order of severity:
+    **CRITICAL:**
+. **Hardcoded Secrets**: Search for API keys, passwords, or tokens as string literals. They should use `Field(default_factory=partial(get_env_var, "VAR_NAME"))` instead.
+. **Dangerous Code Execution**: Find any `eval()`, `exec()`, or `compile()` usage outside of `dynamiq/nodes/tools/python.py`. All dynamic code must go through the RestrictedPython sandbox.
+. **Credential Exposure**: Check `to_dict()` implementations - they must support `include_secure_params=False` and never log credentials.
+    **HIGH:**
+. **Injection Vulnerabilities**: Look for string interpolation in Cypher/SQL queries. Find user input directly embedded in LLM prompts without sanitization.
+. **Missing Input Validation**: Identify nodes without `input_schema` Pydantic models, especially those accepting user input.
+. **Unsafe Deserialization**: Check for `pickle.loads()` or `jsonpickle.decode()` on untrusted data. Review YAML loading for unsafe type resolution.
+. **Authentication Issues**: Find `verify_certs=False`, missing TLS configuration, or credentials in connection strings.
+    **MEDIUM:**
+. **Path Traversal**: Check file operations for `../` handling and path validation against allowed directories.
+. **Missing Tenant Isolation**: Review vector store and memory backends for multi-tenant data separation.
+. **Dependency Vulnerabilities**: Note any `# nosec` annotations and check critical dependencies like RestrictedPython, litellm, jsonpickle.
+    For each finding, report:
+    - Severity level (CRITICAL/HIGH/MEDIUM)
+    - File path and line number
+    - Description of the vulnerability
+    - Recommended fix

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docs: add cursor performance security commands #519

Uh oh!

Diff view

Diff view

There are no files selected for viewing

acoola Jan 13, 2026

Uh oh!

Uh oh!

docs: add cursor performance security commands #519

Are you sure you want to change the base?

Uh oh!

docs: add cursor performance security commands #519

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

acoola Jan 13, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!