Skip to content

feat: add FalkorDB chatbot graph package#5116

Draft
jabbadizzleCode wants to merge 2 commits into
v3from
codex/falkordb-chatbot-graphs
Draft

feat: add FalkorDB chatbot graph package#5116
jabbadizzleCode wants to merge 2 commits into
v3from
codex/falkordb-chatbot-graphs

Conversation

@jabbadizzleCode

@jabbadizzleCode jabbadizzleCode commented Jun 12, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds a FalkorDB-backed prototype knowledge graph for chatbots, including local Docker Compose support, a new @klicker-uzh/falkordb package, graph lifecycle helpers, Benibot finance seed data, and a guarded chat API route for reading graph snapshots.

The chat UI now includes an optional knowledge graph drawer using React Flow, with hierarchy layout, node details, relation highlighting, legends, and corrected layering above the message composer. The prototype graph data was refined to include meaningful finance-topic relations, and selection behavior now only highlights visibly connected relationships.

Screenshots

Screenshot 2026-06-12 at 16 30 19 Screenshot 2026-06-12 at 16 31 05

ClickUp Links

This was generated by AI during triage.

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 507a3a7c-3edb-455a-83f9-3488424ae2d4

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@greptile-apps

greptile-apps Bot commented Jun 12, 2026

Copy link
Copy Markdown

Confidence Score: 5/5

Safe to merge as a prototype feature; no correctness defects on the happy path.

The new package is well-tested with a mock client, the API endpoint uses auth guards and Zod validation, and the snapshot parsing is defensive throughout. The two findings are scoped to prototype scaffolding that won't break existing functionality.

apps/chat/src/lib/graph/flow.ts — the getRootNode fallback on label 'finance' should be removed before non-Finance chatbot graphs are introduced.

Important Files Changed

Filename Overview
packages/falkordb/src/index.ts Core FalkorDB package: UUID validation, client creation, graph lifecycle, and snapshot parsing. Well-structured with good test coverage. Some hardcoded behaviours flagged in previous threads.
apps/chat/src/app/api/chatbots/[chatbotId]/graph/route.ts New GET endpoint for graph snapshots with auth guard, Zod input validation, and differentiated error handling for missing FalkorDB config. Clean implementation.
apps/chat/src/lib/graph/flow.ts Converts FalkorDB snapshot to React Flow nodes/edges with radial layout. Contains a prototype-specific 'finance' label fallback in getRootNode that will produce incorrect layout for future non-Finance graphs.
apps/chat/src/components/chatbot-graph-drawer.tsx Side-drawer UI with React Flow graph rendering, node selection, and detail panel. Two action buttons in the concept detail panel lack onClick handlers.
apps/chat/test/graph-flow.test.ts Good unit tests covering hierarchy layout, edge filtering, selection dimming, and focus-edge reveal.
packages/falkordb/test/index.test.ts Comprehensive unit tests with mock FalkorDB client covering config loading, graph lifecycle, snapshot normalisation, truncation, and seed logic.

Sequence Diagram

sequenceDiagram
    participant Browser as Browser (ChatbotGraphDrawer)
    participant API as /api/chatbots/[id]/graph
    participant Guard as withChatbotAuth
    participant Pkg as @klicker-uzh/falkordb
    participant FDB as FalkorDB (Redis protocol)

    Browser->>API: "GET /api/chatbots/{chatbotId}/graph?nodeLimit=100&edgeLimit=150"
    API->>Guard: withChatbotAuth(req, chatbotId)
    Guard-->>API: auth context or 401/403
    API->>Pkg: "getChatbotGraphSnapshot({ chatbotId, nodeLimit, edgeLimit })"
    Pkg->>FDB: "GRAPH.RO_QUERY klickeruzh:chatbot:{id} MATCH (n) RETURN n LIMIT 101"
    FDB-->>Pkg: raw node rows
    Pkg->>FDB: "GRAPH.RO_QUERY klickeruzh:chatbot:{id} MATCH ()-[r]->() RETURN r LIMIT 151"
    FDB-->>Pkg: raw edge rows
    Pkg-->>API: "ChatbotGraphSnapshot { nodes, edges, truncated, limits }"
    API-->>Browser: 200 JSON snapshot
    Browser->>Browser: "mapGraphSnapshotToFlow(snapshot, { selectedNodeId })"
    Browser->>Browser: render ReactFlow with radial layout
Loading

Reviews (2): Last reviewed commit: "chore: add sidebar component for the cha..." | Re-trigger Greptile

Comment on lines +99 to +118
export async function readChatbotGraph(
args: ChatbotGraphQueryArgs
): Promise<unknown> {
const graphName = getChatbotGraphName(args.chatbotId)
const query = requireQuery(args.query)

return await withFalkorDBClient(args.client, async (client) => {
return await client.call('GRAPH.RO_QUERY', graphName, query)
})
}

export async function writeChatbotGraph(
args: ChatbotGraphQueryArgs
): Promise<unknown> {
const graphName = getChatbotGraphName(args.chatbotId)
const query = requireQuery(args.query)

return await withFalkorDBClient(args.client, async (client) => {
return await client.call('GRAPH.QUERY', graphName, query)
})

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security No parameterized-query support exposes callers to Cypher injection

writeChatbotGraph and readChatbotGraph pass raw query strings straight to GRAPH.QUERY / GRAPH.RO_QUERY. The FalkorDB Redis protocol supports parameterized queries by appending PARAMS <count> <key> <value>… arguments after the query string, but the current API surface (query: string only) provides no way for callers to use them. Any future call site that builds the query string from user-provided data — e.g., a document title, username, or search term — will be vulnerable to Cypher injection without any mitigation path in this package. Consider adding a params?: Record<string, string> field to ChatbotGraphQueryArgs and serialising it into the PARAMS … arguments of the underlying client.call invocation.

Fix in Codex Fix in Claude Code

Comment on lines +121 to +131
function createGraphMetadataQuery(chatbotId: string): string {
// TODO: Upload course/chatbot source data into this graph once the ingestion
// pipeline is available for chatbot-specific knowledge graphs.
return (
'MERGE (:GraphMetadata {' +
'managedBy: "klickeruzh", ' +
'resource: "chatbot", ' +
`chatbotId: "${chatbotId}"` +
'}) RETURN 1'
)
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 createGraphMetadataQuery embeds chatbotId directly into a Cypher string literal. It is only safe because getChatbotGraphName happens to validate the UUID first, but that upstream guard is not enforced at the call site. A future refactor that calls it independently, or reorders the steps, silently removes the protection.

Suggested change
function createGraphMetadataQuery(chatbotId: string): string {
// TODO: Upload course/chatbot source data into this graph once the ingestion
// pipeline is available for chatbot-specific knowledge graphs.
return (
'MERGE (:GraphMetadata {' +
'managedBy: "klickeruzh", ' +
'resource: "chatbot", ' +
`chatbotId: "${chatbotId}"` +
'}) RETURN 1'
)
}
function createGraphMetadataQuery(chatbotId: string): string {
if (!UUID_PATTERN.test(chatbotId)) {
throw new Error('chatbotId must be a valid UUID')
}
// TODO: Upload course/chatbot source data into this graph once the ingestion
// pipeline is available for chatbot-specific knowledge graphs.
return (
'MERGE (:GraphMetadata {' +
'managedBy: "klickeruzh", ' +
'resource: "chatbot", ' +
`chatbotId: "${chatbotId}"` +
'}) RETURN 1'
)
}

Fix in Codex Fix in Claude Code

Comment thread packages/falkordb/package.json
Comment thread packages/falkordb/src/index.ts
@gitguardian

gitguardian Bot commented Jun 12, 2026

Copy link
Copy Markdown

⚠️ GitGuardian has uncovered 3 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
33932487 Triggered Generic Password df80713 apps/chat/.env.local.example View secret
33932487 Triggered Generic Password df80713 packages/falkordb/src/seed-prototype-finance.ts View secret
33932487 Triggered Generic Password df80713 apps/chat/.env.development View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant