Skip to content

Evaluation functionality #1070

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
shagun-singh-inkeep wants to merge 80 commits into
base: main
Choose a base branch
from
Open

Evaluation functionality #1070

shagun-singh-inkeep wants to merge 80 commits into from

Conversation

@shagun-singh-inkeep
Copy link
Collaborator

@shagun-singh-inkeep shagun-singh-inkeep commented Nov 20, 2025

No description provided.

@changeset-bot
Copy link

changeset-bot bot commented Nov 20, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 7208d46

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel
Copy link

vercel bot commented Nov 20, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
agents-manage-api Ready Ready Preview, Comment Dec 23, 2025 2:16pm
agents-manage-ui Ready Ready Preview, Comment Dec 23, 2025 2:16pm
agents-run-api Ready Ready Preview, Comment Dec 23, 2025 2:16pm
agents-test Ready Ready Preview, Comment Dec 23, 2025 2:16pm
1 Skipped Deployment
Project Deployment Review Updated (UTC)
agents-docs Skipped Skipped Dec 23, 2025 2:16pm

@shagun-singh-inkeep shagun-singh-inkeep marked this pull request as draft November 20, 2025 20:46
@claude
Copy link

claude bot commented Nov 20, 2025
edited
Loading

Claude finished @shagun-singh-inkeep's task —— View job

PR Review: Evaluation functionality

🔍 Comprehensive Architectural Review Summary

This is a substantial and ambitious feature addition (94k+ lines across 100 files) that introduces comprehensive evaluation capabilities to the Inkeep Agent Platform. The implementation spans three main areas: a new evaluation API service, extensive UI components, and integration points with existing services.

📋 Overall Assessment

Strengths:

  • Well-structured database schema with proper tenant isolation
  • Follows existing architectural patterns consistently
  • Comprehensive feature set covering datasets, evaluators, runs, and results
  • Strong separation of concerns between services

Critical Concerns:

  • Multiple security vulnerabilities requiring immediate attention
  • Performance issues that will impact scalability
  • Several integration inconsistencies that could cause runtime issues

🚨 Critical Security Issues (Immediate Action Required)

1. Authentication System Vulnerabilities

Location: agents-eval-api/src/middleware/auth.ts

  • Issue: Falls back to no authentication when bypass secret isn't configured
  • Risk: Complete API exposure without authentication
  • Recommendation: Implement proper API key validation as primary auth method

2. Input Validation Gaps

Location: agents-eval-api/src/routes/evaluations.ts:87-100

const DatasetApiSelectSchema = z.any();  // ❌ Accepts any input
const DatasetItemApiInsertSchema = z.any();
const EvaluatorApiSelectSchema = z.any();
  • Risk: Input injection attacks, data corruption
  • Recommendation: Replace all z.any() schemas with specific validation rules

3. CORS Security Risk

Location: agents-eval-api/src/app.ts:134

allowHeaders: ['*'], // ❌ Security vulnerability
  • Risk: CSRF attacks with credential exposure
  • Recommendation: Specify required headers explicitly

Performance & Scalability Concerns

1. Multiple N+1 Query Patterns

Location: ConversationEvaluationTrigger.ts:92-98, evaluations.ts:1853-1875

  • Issue: Individual database queries in loops
  • Impact: Linear performance degradation with scale
  • Recommendation: Implement bulk query methods

2. Missing Database Indexes

Schema Impact: Critical queries will be slow at scale

-- Recommended indexes:
CREATE INDEX conversations_active_sub_agent_created_idx ON conversations(tenant_id, project_id, active_sub_agent_id, created_at);
CREATE INDEX evaluation_result_conversation_evaluator_run_idx ON evaluation_result(...);

3. No Pagination Implementation

  • Issue: All data loaded at once regardless of dataset size
  • Risk: Memory exhaustion with large datasets
  • Recommendation: Implement cursor-based pagination

4. Synchronous Evaluation Processing

  • Issue: No concurrency control or queue management
  • Risk: Resource exhaustion during bulk evaluations
  • Recommendation: Implement evaluation queue with configurable concurrency

🔧 Integration & Consistency Issues

1. Authentication Configuration Bug

Location: agents-manage-ui/src/lib/api/api-config.ts:59

// ❌ Uses manage API secret for eval API
Authorization: `Bearer ${process.env.INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET}`
  • Issue: Eval API expects its own bypass secret
  • Impact: Authentication failures in production

2. Incomplete Schema Implementation

  • Issue: Eval API routes use placeholder schemas instead of proper validation
  • Impact: Inconsistent developer experience vs manage API
  • Recommendation: Implement comprehensive Zod schemas

🏗️ Architectural Recommendations

Immediate Actions (Pre-Production):

  1. Security: Fix authentication system and input validation
  2. Performance: Add critical database indexes
  3. Integration: Fix authentication configuration in UI
  4. Validation: Replace z.any() schemas with specific rules

Medium-term Improvements:

  1. Caching: Implement evaluation result caching
  2. Background Processing: Move evaluations to queue-based processing
  3. Monitoring: Add performance metrics and alerting
  4. Documentation: Expand API documentation to match manage API

Long-term Scaling:

  1. Database: Consider partitioning for evaluation results
  2. Architecture: Implement read replicas for analytics workloads

💡 Positive Highlights

  • Database Design: Well-structured schema with proper relationships and tenant isolation
  • Error Handling: Excellent consistency with existing APIs using structured error responses
  • UI Components: Clean, reusable components following established patterns
  • Type Safety: Proper use of TypeScript and Zod throughout
  • Integration: Thoughtful integration points with conversation completion triggers

🎯 Recommendation

This PR introduces valuable evaluation functionality that extends the platform's capabilities significantly. However, the security vulnerabilities and performance issues must be addressed before merging to prevent production incidents.

Suggested Approach:

  1. Address critical security issues (auth system, input validation)
  2. Add essential database indexes
  3. Fix integration bugs (auth configuration)
  4. Consider phased rollout for performance optimizations

The foundation is solid, but production-readiness requires addressing these critical concerns.

@vercel vercel bot temporarily deployed to Preview – agents-docs November 24, 2025 22:33 Inactive
@vercel vercel bot temporarily deployed to Preview – agents-docs November 25, 2025 04:23 Inactive
@shagun-singh-inkeep shagun-singh-inkeep marked this pull request as ready for review December 22, 2025 22:33
@vercel vercel bot temporarily deployed to Preview – agents-docs December 23, 2025 14:14 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shagun-singh-inkeep