chore: resync downstream content

[leseb]

358fe45 chore: add files API to the definition
b770d1a feat: add milvus remote provider
d576cb0 chore: add milvus remote to the build config
7e76164 feat: add files localfs provider
cbbc46c feat: add postgres sql dependencies
6c5211b chore: bump lmeval version
7674ef8 fix: allow trustyai lmeval to be disabled
c16eebb chore: convert build.yaml to use modules for external providers

commit 358fe45
Author: Sébastien Han seb@redhat.com
Date: Fri Sep 12 09:48:14 2025 +0200

chore: add files API to the definition

The distribution config file was missing the declaration of the Files
API in the APIs list so it can be activated.

Relates to: RHAIENG-897
Signed-off-by: Sébastien Han <seb@redhat.com>

commit b770d1a
Author: Sébastien Han seb@redhat.com
Date: Fri Sep 12 09:49:30 2025 +0200

feat: add milvus remote provider

We can now optionally use the remote::milvus provider. The provider
would be activated if the MILVUS_ENDPOINT env variable is provider in
the execution context.

Relates to: RHAIENG-873
Signed-off-by: Sébastien Han <seb@redhat.com>

commit d576cb0
Author: Sébastien Han seb@redhat.com
Date: Fri Sep 12 09:53:56 2025 +0200

chore: add milvus remote to the build config

So that we can fetch the right dependencies and build our distro image
correctly.

Relates to: RHAIENG-874
Signed-off-by: Sébastien Han <seb@redhat.com>

commit 7e76164
Author: Sébastien Han seb@redhat.com
Date: Fri Sep 12 09:56:04 2025 +0200

feat: add files localfs provider

New files API and the localfs provider. Mostly used for RAG.

Relates to: RHAIENG-896
Signed-off-by: Sébastien Han <seb@redhat.com>

commit cbbc46c
Author: Sébastien Han seb@redhat.com
Date: Fri Sep 12 09:58:21 2025 +0200

feat: add postgres sql dependencies

So that the following metadata can be stored on Postgres:

* Agent persistence
* Agent responses
* Metadata store

Relates to: RHAIENG-731
Signed-off-by: Sébastien Han <seb@redhat.com>

commit 6c5211b
Author: Sébastien Han seb@redhat.com
Date: Fri Sep 12 10:00:54 2025 +0200

chore: bump lmeval version

Original LMEval provider issue:
https://issues.redhat.com/browse/RHOAIENG-32731 Bump LMEval provider
version from 0.2.1 to 0.2.3.

Relates to: RHAIENG-696
Signed-off-by: Sébastien Han <seb@redhat.com>

commit 7674ef8
Author: Sébastien Han seb@redhat.com
Date: Fri Sep 12 10:24:08 2025 +0200

fix: allow trustyai lmeval to be disabled

When not running on kubernetes we can set TRUSTYAI_LMEVAL_USE_K8S=false
to avoid loading the provider.

Relates to: RHAIENG-1024
Signed-off-by: Sébastien Han <seb@redhat.com>

commit c16eebb
Author: Sébastien Han seb@redhat.com
Date: Fri Sep 12 10:49:26 2025 +0200

chore: convert build.yaml to use modules for external providers

We now use the "module" field to pull the dependencies. This also bumps
trusty deps.

Relates to: RHAIENG-498
Signed-off-by: Sébastien Han <seb@redhat.com>

@coderabbitai ignore

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

distribution/run.yaml (1)

48-61: Remote Milvus gating and defaults — please verify behavior; consider safer typed defaults.

Two checks:

• If MILVUS_ENDPOINT is unset, ${env.MILVUS_ENDPOINT:+milvus-remote} yields an empty provider_id. Confirm the config loader fully drops this provider block rather than creating a provider with an empty ID.
• Several fields likely expect typed values. Empty-string defaults may violate schema validation (e.g., booleans/enums).

Suggested minimal hardening:

• Require uri when enabled; avoid empty default.
• Provide boolean and enum-safe defaults for secure and consistency_level.

Proposed diff:

   - provider_id: ${env.MILVUS_ENDPOINT:+milvus-remote}
     provider_type: remote::milvus
     config:
-      uri: ${env.MILVUS_ENDPOINT:=}
+      uri: ${env.MILVUS_ENDPOINT}
       token: ${env.MILVUS_TOKEN:=}
-      secure: ${env.MILVUS_SECURE:=}
-      consistency_level: ${env.MILVUS_CONSISTENCY_LEVEL:=}
+      secure: ${env.MILVUS_SECURE:=false}
+      consistency_level: ${env.MILVUS_CONSISTENCY_LEVEL:=Bounded}
       ca_pem_path: ${env.MILVUS_CA_PEM_PATH:=}
       client_pem_path: ${env.MILVUS_CLIENT_PEM_PATH:=}
       client_key_path: ${env.MILVUS_CLIENT_KEY_PATH:=}
       kvstore:
         type: sqlite
         namespace: null
         db_path: /opt/app-root/src/.llama/distributions/rh/milvus_remote_registry.db

If the loader does not drop empty provider blocks, one safe alternative is to keep provider_id constant and gate via a boolean flag your loader supports (e.g., enabled: ${env.MILVUS_ENDPOINT:+true}), or move this provider to an overlay file loaded only when MILVUS_ENDPOINT is set.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff6635a and b770d1a.

📒 Files selected for processing (1)

• distribution/run.yaml (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-test-push (linux/amd64)

🔇 Additional comments (1)

distribution/run.yaml (1)

13-13: Files API surfaced — LGTM.

Addition is consistent with the existing providers.files block later in the file. No issues spotted.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

distribution/build.yaml (1)

11-11: Add pinned pymilvus to distribution/build.yaml additional_pip_packages

run.yaml registers remote::milvus (distribution/run.yaml:49) and the Containerfile already installs pymilvus (distribution/Containerfile:30), but distribution/build.yaml’s additional_pip_packages does not — add a pinned pymilvus entry.

 additional_pip_packages:
 - aiosqlite
 - sqlalchemy[asyncio]
+- pymilvus>=2.4,<3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b770d1a and d576cb0.

📒 Files selected for processing (1)

• distribution/build.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-test-push (linux/amd64)

[leseb]

@coderabbitai help

[coderabbitai]

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
  • @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
  • @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve to resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit configuration file (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, support, documentation and community

• Visit our status page to check the current availability of CodeRabbit.
• Create a ticket on our support page for assistance with any issues or questions.
• Visit our documentation site for detailed information on how to use CodeRabbit.
• Join our Discord community to connect with other users and get help from the community.
• Follow us on X/Twitter for updates and announcements.

[leseb]

@coderabbitai ignore

[coderabbitai]

Note

Reviews paused

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details

{"name":"HttpError","status":404,"request":{"method":"PATCH","url":"https://api.github.com/repos/opendatahub-io/llama-stack-distribution/issues/comments/3284309343","headers":{"accept":"application/vnd.github.v3+json","user-agent":"octokit.js/0.0.0-development octokit-core.js/7.0.3 Node.js/24","authorization":"token [REDACTED]","content-type":"application/json; charset=utf-8"},"body":{"body":"<!-- This is an auto-generated comment: summarize by coderabbit.ai -->\n<!-- walkthrough_start -->\n\n## Walkthrough\nConfiguration updates across container and distribution files: dependency adjustments (asyncpg added; lmeval pinned to 0.2.3; psycopg2-binary added), new eval/tool runtime entries, a new public API category (files), and a configurable remote Milvus provider. Test script removes a TRUSTYAI namespace env var.\n\n## Changes\n| Cohort / File(s) | Summary |\n|---|---|\n| **Container dependencies**<br>`distribution/Containerfile` | Modified pip installs: add asyncpg; remove kubernetes and lmeval 0.2.4 from initial block; add separate install for `llama_stack_provider_lmeval==0.2.3`. |\n| **Build configuration**<br>`distribution/build.yaml` | Added `remote::milvus` to vector\\_io; specified eval module `llama_stack_provider_lmeval==0.2.3`; included `inline::localfs` under tool\\_runtime files; extended additional\\_pip\\_packages with `asyncpg`, `psycopg2-binary`. |\n| **Runtime configuration**<br>`distribution/run.yaml` | Added `files` to public APIs; introduced optional remote Milvus provider `${env.MILVUS_ENDPOINT:+milvus-remote}` with env-driven config and sqlite kvstore at `/opt/app-root/src/.llama/distributions/rh/milvus_remote_registry.db`; made `trustyai_lmeval.use_k8s` env-configurable `${env.TRUSTYAI_LMEVAL_USE_K8S:=true}`. |\n| **Smoke tests**<br>`tests/smoke.sh` | Removed `TRUSTYAI_LM_EVAL_NAMESPACE=dummy` env var from docker run in `start_and_wait_for_llama_stack_container`. |\n\n## Sequence Diagram(s)\n```mermaid\nsequenceDiagram\n  autonumber\n  participant Client\n  participant API as Llama Stack API\n  participant Files as Files API (new)\n  participant FS as LocalFS (tool_runtime)\n  rect rgb(238, 245, 255)\n    note over Client,Files: New Files API category\n    Client->>API: HTTP request (files.*)\n    API->>Files: Route to Files service\n    Files->>FS: Read/Write file\n    FS-->>Files: Result (path/bytes/metadata)\n    Files-->>API: Response DTO\n    API-->>Client: HTTP 200/4xx\n  end\n```\n\n```mermaid\nsequenceDiagram\n  autonumber\n  participant Service as Vector Service\n  participant Provider as Provider Registry\n  participant MilvusL as inline::milvus\n  participant MilvusR as remote::milvus (env-driven)\n  note over Provider: Select provider based on env MILVUS_ENDPOINT\n  Service->>Provider: Resolve \"milvus\" provider\n  alt MILVUS_ENDPOINT set\n    Provider-->>Service: Use remote::milvus\n    Service->>MilvusR: Connect (uri/token/secure...)\n    MilvusR-->>Service: OK\n  else default\n    Provider-->>Service: Use inline::milvus\n    Service->>MilvusL: Connect (local config)\n    MilvusL-->>Service: OK\n  end\n```\n\n## Estimated code review effort\n🎯 3 (Moderate) | ⏱️ ~25 minutes\n\n\n\n\n\n\n## Poem\n> I thump with joy at configs bright,  \n> New files API takes wing in flight.  \n> Milvus near or far—in tune!  \n> Async gears now softly croon.  \n> Downgraded pins, tests made spry—  \n> Hippity-hop, ship it, aye! 🐇🚀\n\n<!-- walkthrough_end -->\n\n\n"},"request":{"retryCount":1}},"response":{"url":"https://api.github.com/repos/opendatahub-io/llama-stack-distribution/issues/comments/3284309343","status":404,"headers":{"access-control-allow-origin":"*","access-control-expose-headers":"ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset","content-encoding":"gzip","content-security-policy":"default-src 'none'","content-type":"application/json; charset=utf-8","date":"Fri, 12 Sep 2025 08:45:14 GMT","referrer-policy":"origin-when-cross-origin, strict-origin-when-cross-origin","server":"github.com","strict-transport-security":"max-age=31536000; includeSubdomains; preload","transfer-encoding":"chunked","vary":"Accept-Encoding, Accept, X-Requested-With","x-accepted-github-permissions":"issues=write; pull_requests=write","x-content-type-options":"nosniff","x-frame-options":"deny","x-github-api-version-selected":"2022-11-28","x-github-media-type":"github.v3; format=json","x-github-request-id":"6011:FC6F7:13FC16:46A92C:68C3DD9A","x-ratelimit-limit":"12500","x-ratelimit-remaining":"11370","x-ratelimit-reset":"1757667252","x-ratelimit-resource":"core","x-ratelimit-used":"1130","x-xss-protection":"0"},"data":{"message":"Not Found","documentation_url":"https://docs.github.com/rest/issues/comments#update-an-issue-comment","status":"404"}}}

Pre-merge checks (2 passed, 1 inconclusive)

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title Check	❓ Inconclusive	The title "chore: resync downstream content" is concise and indicates a maintenance sync, but it is generic and does not surface the PR's significant functional changes (Files API/localfs provider, optional Milvus remote provider, Postgres deps, and lmeval version bump). Because the changes include notable features and configuration updates beyond a simple sync, the title does not clearly convey the primary developer-facing change. Given that lack of specificity, the check is inconclusive.	Rename the PR to a short, specific title that highlights the main changes (for example: "feat: add Files API and localfs provider; optional Milvus remote provider; add Postgres deps; bump lmeval to 0.2.3") or, if this truly is only a downstream sync, clarify which configs were resynced (e.g., "chore: resync run.yaml and build.yaml downstream updates"). Update the PR description to match the revised title so reviewers can quickly understand scope, then re-run the pre-merge checks.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

distribution/build.yaml (1)

39-40: Confirm need for both asyncpg and psycopg2-binary

Carrying both async and sync PG drivers is fine if both paths are used; otherwise, drop the unused one to slim the image.

distribution/run.yaml (1)

137-144: Files provider paths — ensure dirs exist in image

Storage dir and sqlite file directories must exist at runtime. The Containerfile change to mkdir these paths (see suggestion there) will prevent first-run failures.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff6635a and 7674ef8.

📒 Files selected for processing (4)

• distribution/Containerfile (2 hunks)
• distribution/build.yaml (2 hunks)
• distribution/run.yaml (3 hunks)
• tests/smoke.sh (0 hunks)

💤 Files with no reviewable changes (1)

• tests/smoke.sh

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-test-push (linux/amd64)

🔇 Additional comments (9)

distribution/build.yaml (4)

11-11: LGTM: remote Milvus provider added to vector_io

This aligns with the new remote Milvus support in run.yaml. No concerns.

---

18-18: Pin lmeval module to 0.2.3 — good and consistent

Matches the Containerfile pin. Keep provider and core stack versions in lockstep going forward.

---

33-34: Files API provider declared — OK

Inline localfs added to providers. This matches the new “files” API in run.yaml.

---

35-35: Python base mismatch between build spec (3.11) and Containerfile (3.12)

Align container_image here with the 3.12 base used in the Containerfile to avoid ABI/runtime drift.

distribution/Containerfile (3)

10-10: LGTM: asyncpg installation

Required for async Postgres paths. No issues.

---

41-42: LGTM: lmeval pinned to 0.2.3 in a dedicated step

Consistent with build.yaml. Good.

---

7-8: Double SQLAlchemy install — keep or simplify

If the plain sqlalchemy install is still required due to extras resolution quirks, keep it; otherwise, remove the first line to save one layer.

distribution/run.yaml (2)

13-13: LGTM: expose the new “files” API

API surface updated accordingly.

---

48-61: Remote Milvus provider — set explicit boolean default for secure; verify conditional provider block

File: distribution/run.yaml (lines 48–61)

• Set secure to an explicit boolean default to avoid type/parsing issues:

-      secure: ${env.MILVUS_SECURE:=}
+      secure: ${env.MILVUS_SECURE:=false}

• Verify the templater behavior for provider_id: ${env.MILVUS_ENDPOINT:+milvus-remote} — ensure the entire provider block is removed when MILVUS_ENDPOINT is unset; if it is not pruned, gate the block or use a safe default provider_id so server initialization cannot fail.

[coderabbitai]

🛠️ Refactor suggestion

Create directories used by the new Files API and DB paths

run.yaml writes under /opt/app-root/src/.llama/distributions/rh (and files/). Pre-create to avoid runtime failures on first boot.

Apply after the existing mkdir step:

 RUN pip install --no-cache llama-stack==0.2.21
-RUN mkdir -p ${HOME}/.llama/providers.d ${HOME}/.cache
+RUN mkdir -p ${HOME}/.llama/providers.d ${HOME}/.cache \
+    && mkdir -p /opt/app-root/src/.llama/distributions/rh/files

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In distribution/Containerfile around lines 41 to 42, the Dockerfile installs
llama_stack_provider_lmeval but does not pre-create directories used by the new
Files API and DB paths; add a step (immediately after the existing mkdir step)
to create /opt/app-root/src/.llama/distributions/rh and
/opt/app-root/src/.llama/files (or the exact files/ path used by run.yaml), set
appropriate ownership (app-root user) and permissions so the runtime process can
write there, and ensure the mkdir command uses -p to avoid errors.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Critical: env var name and default for use_k8s

PR text references LM_EVAL_USE_K8S=false, but config reads TRUSTYAI_LMEVAL_USE_K8S with default true. With kubernetes lib not installed in the image, default true can cause runtime errors.

Apply one of the following (preferred: align with PR doc and default to false):

-        use_k8s: ${env.TRUSTYAI_LMEVAL_USE_K8S:=true}
+        use_k8s: ${env.LM_EVAL_USE_K8S:=false}

Run to confirm naming and defaults across the repo:

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Containerfile base:"
rg -n '^FROM .*python-(3\d+)' -n distribution/Containerfile
echo
echo "build.yaml container_image:"
rg -n 'container_image:' -n distribution/build.yaml
echo
echo "Env var occurrences:"
rg -n 'LM_EVAL_USE_K8S|TRUSTYAI_LMEVAL_USE_K8S' -n

Length of output: 403

---

Critical: env var name and default for use_k8s

distribution/run.yaml defaults TRUSTYAI_LMEVAL_USE_K8S to true (distribution/run.yaml:84); tests/smoke.sh sets TRUSTYAI_LMEVAL_USE_K8S=False (tests/smoke.sh:14). LM_EVAL_USE_K8S is not present. Default=true can cause runtime errors when k8s libs are not in the image. Apply one of the following (preferred: align with PR doc and default to false):

-        use_k8s: ${env.TRUSTYAI_LMEVAL_USE_K8S:=true}
+        use_k8s: ${env.LM_EVAL_USE_K8S:=false}

Files: distribution/run.yaml:84, tests/smoke.sh:14

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	use_k8s: ${env.TRUSTYAI_LMEVAL_USE_K8S:=true}
	use_k8s: ${env.LM_EVAL_USE_K8S:=false}

🤖 Prompt for AI Agents

In distribution/run.yaml around line 84, the environment variable and default
are wrong: change the key to use LM_EVAL_USE_K8S (matching the PR doc) and set
the default to false instead of true; ensure tests/smoke.sh (line ~14) and any
other refs use the same variable name and casing (or update the test to export
LM_EVAL_USE_K8S=False) so runtime defaults do not enable k8s by default.

[coderabbitai]

✅ Actions performed

Reviews paused.

[nathan-weinberg]

LGTM and image smoke test is passing 👍