chore(ai): endpoint improvements.

* Move more of the resource info out of the system messages/prefix into the
Tools descriptions
* Disable the product-info tool for now, it’s better to use the sbom-info for similar information.
* Bump async-openai version
* switch to new langchain-rust patch branch
* Add more info to tool response.

Signed-off-by: Hiram Chirino <[email protected]>

Cargo.toml

@@ -43,6 +43,7 @@ async-graphql = "7.0.5"
 async-graphql-actix-web = "7.0.5"
 async-std = "1"
 async-trait = "0.1.74"
+async-openai = "0.25.0"
 base64 = "0.22"
 biscuit = "0.7"
 build-info = "0.0.38"
@@ -76,7 +77,7 @@ itertools = "0.13"
 jsn = "0.14"
 json-merge-patch = "0.0.1"
 jsonpath-rust = "0.7.0"
-langchain-rust = { version = "4.4.3" }
+langchain-rust = { version = "4.6.0" }
 lenient_semver = "0.4.2"
 liblzma = "0.3"
 libz-sys = "*"
@@ -194,8 +195,6 @@ postgresql_commands = { version = "0.16.3", default-features = false, features =
 # required due to https://github.com/voteblake/csaf-rs/pull/29
 csaf = { git = "https://github.com/chirino/csaf-rs", rev = "414896904bc5e5287fd88b1daef5c27f70503d01" }
 
-# to pickup up fix: https://github.com/64bit/async-openai/pull/263 and https://github.com/64bit/async-openai/pull/267
-# needed to work against groq.com API
-async-openai = { git = "https://github.com/chirino/async-openai", branch = "optional-fields" }
-# to pickup fix https://github.com/Abraxas-365/langchain-rust/pull/236
-langchain-rust = { git = "https://github.com/chirino/langchain-rust", branch = "remove-extraneous-agent-msg" }
+# to pickup fix: https://github.com/Abraxas-365/langchain-rust/pull/246
+#       and fix: https://github.com/Abraxas-365/langchain-rust/pull/250
+langchain-rust = { git = "https://github.com/chirino/langchain-rust", branch = "main" }

modules/fundamental/src/advisory/service/test.rs

@@ -191,7 +191,25 @@ async fn single_advisory(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
     let jenny384 = Id::sha384(&digests.sha384);
     let jenny512 = Id::sha512(&digests.sha512);
     let fetched = fetch.fetch_advisory(jenny256.clone(), ()).await?;
+    let id = Id::Uuid(fetched.as_ref().unwrap().head.uuid);
 
+    assert!(matches!(
+            fetched,
+            Some(AdvisoryDetails {
+                head: AdvisoryHead { .. },
+            source_document: Some(SourceDocument {
+                sha256,
+                sha384,
+                sha512,
+                ..
+            }),
+            average_severity: Some(average_severity),
+
+                ..
+            })
+        if sha256 == jenny256.to_string() && sha384 == jenny384.to_string() && sha512 == jenny512.to_string() && average_severity == Severity::Critical));
+
+    let fetched = fetch.fetch_advisory(id, ()).await?;
     assert!(matches!(
             fetched,
             Some(AdvisoryDetails {

modules/fundamental/src/ai/endpoints/expected_tools_result.json

@@ -0,0 +1,66 @@
+[
+  {
+    "name": "cve-info",
+    "description": "This tool can be used to get information about a Vulnerability.\nA Vulnerability is known as a CVE.\n\nVulnerabilities are security issues that may affect software packages.\nVulnerabilities may affect multiple packages.\n\nVulnerability are identified by their CVE Identifier.  Examples:\n* CVE-2014-0160\n\nThe input should be the partial name of the Vulnerability to search for.\nWhen the input is a full CVE ID, the tool will provide information about the vulnerability.\nWhen the input is a partial name, the tool will provide a list of possible matches.",
+    "parameters": {
+      "type": "object",
+      "properties": {
+        "input": {
+          "type": "string",
+          "description": "This tool can be used to get information about a Vulnerability.\nA Vulnerability is known as a CVE.\n\nVulnerabilities are security issues that may affect software packages.\nVulnerabilities may affect multiple packages.\n\nVulnerability are identified by their CVE Identifier.  Examples:\n* CVE-2014-0160\n\nThe input should be the partial name of the Vulnerability to search for.\nWhen the input is a full CVE ID, the tool will provide information about the vulnerability.\nWhen the input is a partial name, the tool will provide a list of possible matches."
+        }
+      },
+      "required": [
+        "input"
+      ]
+    }
+  },
+  {
+    "name": "advisory-info",
+    "description": "This tool can be used to get information about an Advisory.\n\nAdvisories are notifications that a vulnerability affects a product or SBOM.\nAdvisories are issued by a vendor or security organization.\nUnless there is a specific advisory for a CVE, the CVE may or may not affect the product.\n\nAdvisories have a UUID that uniquely identifies the advisory.  Example:\n* 2fd0d1b7-a908-4d63-9310-d57a7f77c6df\n\nThe input should be the UUID of the Advisory.",
+    "parameters": {
+      "type": "object",
+      "properties": {
+        "input": {
+          "type": "string",
+          "description": "This tool can be used to get information about an Advisory.\n\nAdvisories are notifications that a vulnerability affects a product or SBOM.\nAdvisories are issued by a vendor or security organization.\nUnless there is a specific advisory for a CVE, the CVE may or may not affect the product.\n\nAdvisories have a UUID that uniquely identifies the advisory.  Example:\n* 2fd0d1b7-a908-4d63-9310-d57a7f77c6df\n\nThe input should be the UUID of the Advisory."
+        }
+      },
+      "required": [
+        "input"
+      ]
+    }
+  },
+  {
+    "name": "package-info",
+    "description": "This tool provides information about a Package, which has a name and version. Packages are identified by a URI or a UUID. Examples of URIs:\n\n* pkg://rpm/redhat/[email protected]?arch=ppc64le\n* pkg:maven/org.apache.maven.wagon/[email protected]?type=jar\n\nExample of a UUID: 2fd0d1b7-a908-4d63-9310-d57a7f77c6df.\n\nInput: The package name, its Identifier URI, or UUID.",
+    "parameters": {
+      "type": "object",
+      "properties": {
+        "input": {
+          "type": "string",
+          "description": "This tool provides information about a Package, which has a name and version. Packages are identified by a URI or a UUID. Examples of URIs:\n\n* pkg://rpm/redhat/[email protected]?arch=ppc64le\n* pkg:maven/org.apache.maven.wagon/[email protected]?type=jar\n\nExample of a UUID: 2fd0d1b7-a908-4d63-9310-d57a7f77c6df.\n\nInput: The package name, its Identifier URI, or UUID."
+        }
+      },
+      "required": [
+        "input"
+      ]
+    }
+  },
+  {
+    "name": "sbom-info",
+    "description": "This tool retrieves information about a Software Bill of Materials (SBOM). SBOMs are identified by SHA-256, SHA-384, SHA-512 hashes, or UUID URIs. Examples:\n\nsha256:315f7c672f6e4948ffcc6d5a2b30f269c767d6d7d6f41d82ae716b5a46e5a68e\nurn:uuid:2fd0d1b7-a908-4d63-9310-d57a7f77c6df\n\nThe tool provides a list of advisories/CVEs affecting the SBOM.\n\nInput: An SBOM identifier or a product name. A full SBOM name typically combines the product name and version (e.g., \"product-version\"). If a user specifies both, use the product name to find the best matching SBOM. For example, \"quarkus 3.2.11\" might correspond to \"quarkus-bom-3.2.11.Final-redhat-00001\".\n\nThe link field contains a URL for more information about the item.",
+    "parameters": {
+      "type": "object",
+      "properties": {
+        "input": {
+          "type": "string",
+          "description": "This tool retrieves information about a Software Bill of Materials (SBOM). SBOMs are identified by SHA-256, SHA-384, SHA-512 hashes, or UUID URIs. Examples:\n\nsha256:315f7c672f6e4948ffcc6d5a2b30f269c767d6d7d6f41d82ae716b5a46e5a68e\nurn:uuid:2fd0d1b7-a908-4d63-9310-d57a7f77c6df\n\nThe tool provides a list of advisories/CVEs affecting the SBOM.\n\nInput: An SBOM identifier or a product name. A full SBOM name typically combines the product name and version (e.g., \"product-version\"). If a user specifies both, use the product name to find the best matching SBOM. For example, \"quarkus 3.2.11\" might correspond to \"quarkus-bom-3.2.11.Final-redhat-00001\".\n\nThe link field contains a URL for more information about the item."
+        }
+      },
+      "required": [
+        "input"
+      ]
+    }
+  }
+]