docs: add python / matplotlib requirement example#1293
Conversation
github-actions
Bot
added
the
documentation
psschwei
left a comment
psschwei
left a comment
There was a problem hiding this comment.
a few nits but otherwise LGTM
| print(f"\n ✓ Graph saved to: {graph_path}") | ||
| print(f" File size: {graph_path.stat().st_size} bytes") | ||
| else: | ||
| print(f"\n ⚠ Graph file not found at {graph_path}") |
There was a problem hiding this comment.
The conftest passes the test when the script exits 0, and process_user_request always exits 0 — there's no sys.exit or raise when the graph isn't produced, just a print + return. So even with matplotlib installed, if the pipeline fails for any reason the test is recorded as passing whilst producing nothing. Worth raising here so failures are visible:
| print(f"\n ⚠ Graph file not found at {graph_path}") | |
| if not graph_path.exists(): | |
| raise RuntimeError(f"Graph was not created at {graph_path}") | |
| print(f"\n ✓ Graph saved to: {graph_path}") | |
| print(f" File size: {graph_path.stat().st_size} bytes") |
There was a problem hiding this comment.
Thanks for the earlier fix. The latest commit (2b9d4f89) reverted this back to print + return — the raise RuntimeError that was there previously is now gone. Since the conftest passes the test on exit code 0, a missing graph still goes undetected. Please restore the raise RuntimeError (or a sys.exit(1)) so that test failures surface properly.
|
Tiny one: the PR title has a typo — "requrement" should be "requirement". Worth fixing before merge as it ends up in the commit message. |
planetf1
left a comment
planetf1
left a comment
There was a problem hiding this comment.
Thanks for the example — the pipeline approach is nicely structured and the README additions are clear.
Two things I'd want addressed before merge:
- matplotlib guard —
matplotlibisn't a project dependency so the example can't succeed on a clean checkout. The repair loop exhausts silently with no useful message to the user (see inline comment). - Silent test pass — the conftest passes the test on exit 0, and
process_user_requestalways exits 0 even when no graph is produced. The e2e test gives a false green in that case (see inline comment).
The other inline comments (execution tier caveat, README requirements section) are informational — happy for those to be addressed or tracked as follow-ups.
akihikokuroda
changed the title
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
| data = list(reader) | ||
|
|
||
| preview_lines = [] | ||
| with open(csv_path) as f: |
There was a problem hiding this comment.
The CSV file is opened twice: once with csv.DictReader to read all rows (lines 59–61), and again to collect preview lines (lines 63–67). This doubles the I/O cost unnecessarily.
Since csv.DictReader already reads the raw lines, both purposes can be served in a single pass.
There was a problem hiding this comment.
This was consolidated but not fixed. The file is still read twice. I guess you want one pass for raw preview and the other pass for dict. So you chose not to try single pass and deal w/ unwanted format. Makes sense.
TO FIX: The preview loop only takes < 5, but then it continues to read the rest for no reason. Add a break if >= 5.
| Returns: | ||
| Extracted Python code string, or None if extraction failed. | ||
| """ | ||
| from mellea.stdlib.requirements.python_reqs import _has_python_code_listing |
There was a problem hiding this comment.
I added some comments to explain.
|
|
||
| m = mellea.start_session() | ||
|
|
||
| output_path = f"{output_dir}/graph_{request_number}.png" |
There was a problem hiding this comment.
Better practice: use Path to join instead of hard-coding the /
|
|
||
| prompt = f""" | ||
| The user has this request: | ||
| "{user_request}" |
There was a problem hiding this comment.
Curious what we can do about injection risk here.
user_request (interactive user input) and csv_preview (CSV file content that may contain adversarial data) are both interpolated unsanitized into the prompt f-string sent to the LLM. In interactive mode, a user can inject instructions that override the intended prompt, causing the model to generate arbitrary code that is then executed in a local subprocess via PythonExecutionReq(execution_tier="local").
This is especially serious because the generated code is executed as a subprocess side effect of validation.
There was a problem hiding this comment.
Fix it. Some comments are added.
| strategy = ModelFriendlyRepairStrategy(loop_budget=5, requirements=all_reqs) | ||
|
|
||
| print("Generating code to extract data and create graph...") | ||
| generated = m.instruct( |
There was a problem hiding this comment.
should check for errors here.
the error that would show up later would be misleading.
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
| return | ||
|
|
||
| generated_str = str(generated) | ||
| code = _extract_code_from_output(generated_str) |
There was a problem hiding this comment.
ModelOutputThunk has no __bool__, so not generated is always False — this guard never fires. The fix is to test the string value, which the code already produces one line later anyway:
| code = _extract_code_from_output(generated_str) | |
| generated_str = str(generated) | |
| if not generated_str.strip(): | |
| print(" ✗ Model failed to generate output") | |
| return | |
| code = _extract_code_from_output(generated_str) |
| The underlying mechanism (what `PythonExecutionReq` does under the hood): | ||
|
|
||
| ```python | ||
| def execute_python_code(code: str, timeout: int = 10) -> dict: |
There was a problem hiding this comment.
This snippet does not reflect the actual implementation — PythonExecutionReq routes through environment.execute(code) (built from your execution_tier and CapabilityPolicy), not a bare subprocess.run. The two diverge silently as the code evolves.
A prose pointer to the source would be more durable:
PythonExecutionReqexecutes code via anExecutionEnvironmentbuilt from theexecution_tierandCapabilityPolicyyou pass — that's what enforces the timeout and tier behaviour. Seemellea/stdlib/requirements/python_reqs.pyfor the full implementation.
| # Check if graph file was created | ||
| graph_path = Path(output_path) | ||
| if not graph_path.exists(): | ||
| raise RuntimeError(f"Graph was not created at {graph_path}") |
There was a problem hiding this comment.
The two failure modes above (empty generation, failed code extraction) handle errors gracefully with print and return. This one raises, which aborts the whole batch run on the first failure.
Given the loop budget is 5 and LLM output is probabilistic, a single failed graph should not stop the remaining examples from running. Consider matching the pattern above:
| raise RuntimeError(f"Graph was not created at {graph_path}") | |
| if not graph_path.exists(): | |
| print(f" ✗ Graph was not created at {graph_path}") | |
| return |
|
|
||
| # Sanitize user input and CSV preview to prevent prompt injection attacks. | ||
| # Use repr() to escape special characters and quote the values, preventing | ||
| # the model from interpreting user input as prompt instructions. |
There was a problem hiding this comment.
repr() wraps the string in quotes and escapes special characters, but it does not stop the model from reading and acting on the content inside them. "Prevent prompt injection" overstates what this does — it reduces accidental prompt formatting breakage, which is still useful, but worth calling it that rather than a security control.
There was a problem hiding this comment.
Comments are updated.
| print("Generating code to extract data and create graph...") | ||
| generated = m.instruct( | ||
| prompt, | ||
| requirements=all_reqs, # type: ignore[arg-type] |
There was a problem hiding this comment.
all_reqs is already passed to ModelFriendlyRepairStrategy — when both are provided, the strategy takes precedence and the requirements= arg on instruct() is redundant. Since this is example code people will copy, it is worth being accurate: pass requirements in one place only (the strategy is the right home, since that is where repair feedback is built).
| epilog=""" | ||
| Examples: | ||
| # Run with default sample data and predefined requests | ||
| python code_generation_and_execution.py |
There was a problem hiding this comment.
The project convention (AGENTS.md §1) is uv run python rather than plain python — and since this is example code people will run directly, it matters: plain python may silently pick up a different interpreter or environment. Applies to all four invocations in this epilog.
| 2. Extract the data as specified in the user request | ||
| 3. Use matplotlib with headless backend (set matplotlib.use('Agg') at start) | ||
| 4. Create the visualization (graph type) specified by the user | ||
| 5. Save the graph to {output_path} using plt.savefig(\'{output_path}\') |
There was a problem hiding this comment.
nit: the backslash-escaped quotes around {output_path} are unnecessary inside a """ f-string — single quotes work fine without escaping here.
planetf1
left a comment
planetf1
left a comment
There was a problem hiding this comment.
Two things to fix before merge:
-
mellea[plotting]does not exist — theImportErrormessage points users atuv pip install mellea[plotting], which fails because there is no such extras group inpyproject.toml. The correct install isuv pip install matplotlib numpy(already in the README prerequisites). -
README code snippet does not match the implementation — the
execute_python_codeblock under "How Code Execution Works" usessubprocess.rundirectly and omits theExecutionEnvironmentabstraction that actually enforcesexecution_tierandCapabilityPolicy. See inline comment for a suggested replacement.
Remaining inline comments (dead guard, RuntimeError in batch mode, repr() comment, double-wired requirements, argparse epilog) are improvements worth addressing but not hard blockers.
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
|
@planetf1 I addressed all your comments. Please review. Thanks! |
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
|
LGTM — all comments addressed from my side. Leaving formal approval to reviewers who still have open threads. |
planetf1
dismissed
their stale review
Dismissing changes needed review - other approvers can review and check open threads - specifically need to ensure extras are correct
markstur
left a comment
markstur
left a comment
There was a problem hiding this comment.
See inline.
You should add a break instead of reading the whole file to build a preview. I guess that's not blocking but worth improving.
Otherwise I think my comments were addressed and I think Nigel's were(?)
Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
|
@markstur Nigel said
|
markstur
dismissed
planetf1’s stale review
@planetf1 already said changes were lgtm and dismissed
b59753f
5 participants
Pull Request
Issue
Fix: #1025
Description
Testing
Attribution
Adding a new component, requirement, sampling strategy, or tool?
If your PR adds or modifies one of the types below, check the matching box. A checklist of type-specific review items will be posted as a comment.
NOTE: Please ensure you have an issue that has been acknowledged by a core contributor and routed you to open a pull request against this repository. Otherwise, please open an issue before continuing with this pull request.