feat: implement issue #23 auto-readme-generator multi-agent pipeline

[Franci-343]

Oxtools Submission

Project name: auto-readme-generator | issue #23
Contributor: Franci-343

Submission checklist

Check every box before requesting a review. Unchecked items will result in the PR being sent back.

Structure

• My project is in its own directory under projects/[my-project-name]/
• I have not placed any files directly in the repository root

Required files

• Dockerfile is present and docker build . succeeds
• docker-compose.yml is present and docker compose up starts the app
• oxlo-manifest.json is present and all fields are filled in
• .env.example lists every environment variable the project needs (with empty values)
• README.md is present with setup instructions a reviewer can follow exactly

Security

• No API keys, private keys, or secrets are hardcoded anywhere in the codebase
• My actual .env file is not included in this PR
• I have verified my diff with git grep -i "api_key" and found no leaks

Oxlo API

• The tool makes at least one functional call to the Oxlo API
• The API key is read from the OXLO_API_KEY environment variable

---

For maintainers

• Security scan passed — no secrets in diff
• docker build . succeeded locally
• docker compose up ran successfully and app is reachable
• Oxlo API integration verified
• Approved for merge

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
oxtools	Ready	Preview, Comment	May 17, 2026 4:19pm

[oxlo-ai]

OxBot Review

This PR implements an auto-readme-generator with a multi-agent pipeline (analyzer, planner, writer, validator, refiner) that generates project READMEs from metadata via LLM calls. While the Python backend shows clear stage separation and the tests cover key happy paths, the submission is undermined by a fundamental architectural mismatch: it claims to be a standalone community project under projects/ yet modifies core application files in app/src/lib/tools/ and places service code under services/python-tools/tools/. Furthermore, the pipeline lacks defensive error handling and null-safety, uses brittle JSON extraction without schema validation, and interpolates user input directly into prompts, creating reliability and security risks. The requirements.txt is also missing essential Tier 2 service dependencies such as FastAPI and uvicorn, and the CI workflow paths do not align with the stated project structure. These structural, robustness, and dependency gaps need to be resolved before merge.

Notes

• Architectural tier mismatch: The submission checklist marks this as a community project under projects/, but the PR modifies the core app registry and places code in services/python-tools/. Community projects must be fully self-contained; built-in tools require proper Tier 2 FastAPI integration and should not claim projects/ status.
• Cross-cutting robustness issues: The pipeline uses brittle regex/string parsing for LLM outputs, lacks Pydantic schema validation, and has inconsistent exception handling across stages, which can crash the entire stream on a single malformed response or null input.
• Security and input validation: User-controlled metadata fields are interpolated directly into system prompts without sanitization, creating prompt injection risks; additionally, data.get() with defaults does not guard against explicit null values, leading to potential AttributeError crashes.
• Dependency and infrastructure gaps: The requirements.txt omits FastAPI, uvicorn, and pydantic, which are required for Tier 2 tools, while the CI workflow monitors the wrong path and installs an incomplete dependency set.
• Frontend/backend contract: The frontend tool definition is missing a required outputFormat field and uses an ambiguous tier label, while the backend yields plain-text markers that require a documented StreamingResponse contract with the frontend.
• Testing coverage: While unit tests for individual agents are clean, the suite lacks integration tests for the full pipeline and does not exercise failure modes such as max-refinement retries or malformed LLM responses.

⚠️ Verdict: Needs Changes | 19 inline comment(s) | 15 file(s) reviewed | ⏱️ 606s

---

_{Automated review by OxBot}

[oxlo-ai]

OxBot Review

This PR implements a multi-agent README generation pipeline (analyzer, planner, writer, validator, refiner) for issue #23, complete with a FastAPI tool entrypoint, TypeScript tool definitions, GitHub Actions CI, and unit/integration tests. The code demonstrates strong separation of concerns and good testability via dependency injection, but it is undermined by prompt injection vulnerabilities, fragile LLM response handling, and an unresolved architectural tension between being a standalone community project and a core platform tool. Several files also leak internal state or exceptions, and the dependency management needs cleanup before production deployment.

Notes

• There is a fundamental architectural mismatch: the PR is framed as a community project under projects/, yet it places code in services/python-tools/tools/ and modifies core application files (app/src/lib/tools/registry.ts, app/src/types/index.ts). Please clarify whether this is a built-in Tier 1/2 tool or a standalone submission and restructure accordingly.
• Multiple prompt injection vulnerabilities exist across the Python backend (analyzer.py, writer.py) where raw user input is interpolated into LLM prompts between XML-like tags without escaping. This should be treated as a cross-cutting security concern requiring a unified input sanitization strategy.
• Pipeline resilience is insufficient for a multi-agent system: unhandled Pydantic ValidationError in the analyzer, fragile response parsing in the LLM client, and raw exception strings yielded directly to clients in tool.py create cascading failure and information disclosure risks.
• The requirements.txt mixes production and test dependencies with inconsistent version pinning, which will bloat the Docker image and harm build reproducibility. Split these into separate files or Docker stages.
• Several test assertions (particularly in test_pipeline.py) are weak or logically inconsistent regarding failure paths; strengthen integration tests to assert positive fallback behavior rather than just the absence of error strings.
• If this is intended to be a core tool, ensure all prompt quality, model selection, and Oxlo API client configurations are reviewed and that the tool definition file is properly linked in the registry. If it is a community project, remove all changes to app/src/ and relocate the code to projects/auto-readme-generator/.

⚠️ Verdict: Needs Changes | 22 inline comment(s) | 17 file(s) reviewed | ⏱️ 551s

---

_{Automated review by OxBot}

[oxlo-ai]

OxBot Review

This PR introduces an auto-readme-generator built as a multi-agent pipeline with five stages—analyze, plan, write, validate, and refine—streaming progress updates to the user. The code shows solid separation of concerns and thoughtful UX design, but the submission suffers from a fundamental architectural identity crisis: it claims to be a standalone community project under projects/ while simultaneously integrating into the core built-in tool registry and residing in services/python-tools/tools/. Compounding this, the async pipeline entrypoint lacks uniform exception handling, which risks silent stream aborts, and the test suite uses non-idiomatic asyncio.run patterns. Several modules also contain likely invalid LLM identifiers and overly strict markdown validation regexes. These issues must be resolved before the PR can land.

Notes

• Clarify the intended contribution tier. Community projects under projects/ must not modify app/src/lib/tools/registry.ts or live in services/python-tools/tools/; built-in tools require FastAPI integration files and should not claim community-project status.
• The async generator entrypoint lacks uniform exception handling; unhandled errors in analyzer, refiner, or writer stages will abruptly terminate the stream instead of yielding graceful error messages to the client.
• The test suite mixes synchronous wrappers with async code via asyncio.run; adopt @pytest.mark.asyncio and async def tests to align with Python best practices and prevent event loop conflicts.
• CI workflow path filters and file locations must be reconciled with the final directory structure, whether the project lands in projects/ or services/python-tools/tools/.
• Several pipeline modules reference potentially invalid model identifiers and leave LLM API exceptions unhandled; audit all agent modules for consistent error boundaries before merging.
• The validator's fenced code block regex rejects valid GitHub Flavored Markdown info strings, which will cause false positives in real-world READMEs.

⚠️ Verdict: Needs Changes | 14 inline comment(s) | 17 file(s) reviewed | ⏱️ 666s

---

_{Automated review by OxBot}

[ms-shashank]

LGTM