fix: Wrapper layer: global OpenAI client singleton, unsafe default bind, and duplicated ScheduleParser

[MervinPraison]

Fixes #1602

Auto-opened from claude/issue-1602-20260503-0822.

Summary by CodeRabbit

• New Features

  • Added --host CLI argument to configure the server bind address, defaulting to 127.0.0.1 for local-only access.

• Documentation

  • Updated HTTPApproval module example to reflect host configuration changes.

[qodo-code-review]

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

[coderabbitai]

📝 Walkthrough

Walkthrough

Three architecture fixes from issue #1602: run_server in call.py gains a configurable host parameter defaulting to 127.0.0.1 with a --host CLI flag, binding to 0.0.0.0 only when use_public is set; auto.py removes the global OpenAI client cache; and scheduler/__init__.py redirects the ScheduleParser import to .shared.

Changes

Architecture Gap Fixes

Layer / File(s)	Summary
Configurable host binding in call server and HTTPApproval docs src/praisonai/praisonai/api/call.py, src/praisonai/praisonai/bots/_http_approval.py	run_server accepts a host parameter (default 127.0.0.1), forces 0.0.0.0 only when use_public is enabled, and warns on all-interface binding without that flag. The CLI main adds --host and forwards it. The HTTPApproval docstring example is updated to show 127.0.0.1.
Remove global OpenAI client cache src/praisonai/praisonai/auto.py	Line 56 records the removal of the module-level shared OpenAI client, indicating clients should be created per call.
ScheduleParser deduplication src/praisonai/praisonai/scheduler/__init__.py, src/praisonai/praisonai/scheduler/base.py	ScheduleParser is now imported from .shared in __init__.py; a whitespace adjustment in base.py accompanies the removal of the duplicate.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• MervinPraison/PraisonAI#785: Removes global OpenAI client initialization and the OPENAI_API_KEY requirement for non-OpenAI providers, directly aligning with this PR's removal of the shared/global client pattern in auto.py.
• MervinPraison/PraisonAI#1561: Touches auto.py to make the OpenAI client cache thread-safe and parameter-aware, which is the same caching mechanism this PR removes.
• MervinPraison/PraisonAI#1569: Also modifies auto.py to replace single-slot global caching with a bounded LRU keyed cache, addressing the same module-level client storage this PR eliminates.

Suggested labels

Review effort 2/5

🐇 A rabbit hops through the code at night,
Binding servers safe, at 127 tight.
No more singletons lurking in the hall,
One ScheduleParser to answer the call!
Per-call clients — fresh as morning dew,
A cleaner warren, through and through. 🌿

🚥 Pre-merge checks | ✅ 3 | ❌ 3

❌ Failed checks (1 warning, 2 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Linked Issues check	❓ Inconclusive	PR implements all three objectives from #1602: removes global OpenAI singleton comment, changes bind defaults to 127.0.0.1 with --host flag, and consolidates ScheduleParser; however, merge conflicts in auto.py and scheduler/base.py prevent full verification.	Resolve merge conflicts in auto.py and scheduler/base.py by rebasing onto latest main branch, then verify changes align with issue requirements and CI passes.
Description check	❓ Inconclusive	PR description clearly documents all three fixes, their rationale, and references issue #1602; however, it identifies pre-existing merge conflicts requiring resolution.	Rebase branch onto latest main to resolve conflicts in auto.py and scheduler/base.py, then update description to confirm conflict resolution status.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title accurately summarizes the three architectural fixes: global OpenAI client removal, unsafe bind address correction, and ScheduleParser deduplication.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the three architectural gaps in #1602; example docstring update in _http_approval.py is minimal and aligned with bind address fix.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-1602-20260503-0822

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Code Review

This pull request introduces host configuration options for the call server, defaults the host to localhost with a warning for wildcard bindings, moves ScheduleParser to a shared module, and removes the global LRU cache for OpenAI clients in favor of per-call creation. Regarding the feedback, creating a new OpenAI client on every structured completion call is inefficient as it bypasses connection pooling; caching the client instance dynamically on the instance is recommended to avoid socket exhaustion and reduce latency.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Creating a new OpenAI client on every call to _structured_completion is inefficient because it bypasses connection pooling (managed internally by httpx.Client). This can lead to increased latency from repeated TCP/TLS handshakes and potential socket exhaustion under high load.

To avoid global state while still benefiting from connection reuse, you can cache the client instance on self dynamically.

        if _check_openai_available():
            if not hasattr(self, "_openai_client") or self._openai_client is None:
                self._openai_client = _create_openai_client(
                    api_key=self.config_list[0].get('api_key'),
                    base_url=self.config_list[0].get('base_url')
                )
            client = self._openai_client

[greptile-apps]

Greptile Summary

This PR addresses three separate hardening issues in the wrapper layer: it changes the default server bind address from 0.0.0.0 to 127.0.0.1 in both the call server and HTTP approval backend, removes a global OpenAI client singleton in favour of per-instance lazy clients already present in BaseAutoGenerator, and de-duplicates the ScheduleParser export path so it flows from a single canonical shared.py instead of being re-exported through base.py.

• api/call.py: run_server now accepts a host parameter (default 127.0.0.1); when ngrok is active the host is forced to 0.0.0.0 (required for tunnel traffic) and a warning is emitted if a caller explicitly requests all-interface binding without ngrok.
• auto.py: The global OpenAI singleton that was shared across all generator instances is replaced by a comment; per-instance lazy clients in BaseAutoGenerator._get_openai_client() (already in-tree) now serve every call site.
• scheduler/__init__.py + base.py: ScheduleParser is now imported directly from .shared, eliminating the duplicate re-export through .base.

Confidence Score: 5/5

Safe to merge — all three fixes reduce attack surface without changing any public API contracts.

The changes are narrow and well-scoped: default bind addresses are tightened to localhost, the global mutable OpenAI singleton is replaced by per-instance clients, and the scheduler import graph is simplified. No existing callers are broken because the new host parameter has a backward-compatible default and ScheduleParser remains importable from the same scheduler package namespace.

No files require special attention.

Important Files Changed

Filename	Overview
src/praisonai/praisonai/api/call.py	Adds host parameter to run_server/main, defaults to 127.0.0.1 (was hardcoded 0.0.0.0). When ngrok is active the host is forced to 0.0.0.0 and a contextual warning is printed for explicit all-interface binds without ngrok.
src/praisonai/praisonai/auto.py	Removes the global OpenAI client singleton; per-instance lazy clients in BaseAutoGenerator (already present) now serve all callers. Change is a one-line comment replacing the removed singleton block.
src/praisonai/praisonai/bots/_http_approval.py	Docstring example corrected from host=0.0.0.0 to host=127.0.0.1 to match the already-safe constructor default. No logic changes.
src/praisonai/praisonai/scheduler/init.py	Moves ScheduleParser import from .base (which was re-exporting it from .shared) to .shared directly, establishing a single canonical source. shared.py contains the sole definition and has no circular-import risk.
src/praisonai/praisonai/scheduler/base.py	Removes one cosmetic blank line; already imports ScheduleParser from .shared (the new canonical location).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([main / caller]) --> B{use_public?}
    B -- Yes --> C[setup_public_url: start ngrok]
    C --> D[host = 0.0.0.0\nngrok needs all-interfaces]
    D --> G
    B -- No --> E[host = caller-supplied\ndefault 127.0.0.1]
    E --> F{host == 0.0.0.0?}
    F -- Yes --> W[print WARNING:\nexposing to local network]
    W --> G
    F -- No --> P[print startup URL]
    P --> G
    G[uvicorn.run app host port]

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A([main / caller]) --> B{use_public?}
    B -- Yes --> C[setup_public_url: start ngrok]
    C --> D[host = 0.0.0.0\nngrok needs all-interfaces]
    D --> G
    B -- No --> E[host = caller-supplied\ndefault 127.0.0.1]
    E --> F{host == 0.0.0.0?}
    F -- Yes --> W[print WARNING:\nexposing to local network]
    W --> G
    F -- No --> P[print startup URL]
    P --> G
    G[uvicorn.run app host port]

Loading

_{Reviews (3): Last reviewed commit: "fix: wrapper layer architectural fixes (..." | Re-trigger Greptile}

[MervinPraison]

@copilot Do a thorough review of this PR. Read ALL existing reviewer comments above from Qodo, Coderabbit, and Gemini first — incorporate their findings.

Review areas:

1. Bloat check: Are changes minimal and focused? Any unnecessary code or scope creep?
2. Security: Any hardcoded secrets, unsafe eval/exec, missing input validation?
3. Performance: Any module-level heavy imports? Hot-path regressions?
4. Tests: Are tests included? Do they cover the changes adequately?
5. Backward compat: Any public API changes without deprecation?
6. Code quality: DRY violations, naming conventions, error handling?
7. Address reviewer feedback: If Qodo, Coderabbit, or Gemini flagged valid issues, include them in your review
8. Suggest specific improvements with code examples where possible

[MervinPraison]

@claude You are the FINAL architecture reviewer. If the branch is under MervinPraison/PraisonAI (not a fork), you are able to make modifications to this branch and push directly. SCOPE: Focus ONLY on Python packages (praisonaiagents, praisonai). Do NOT modify praisonai-rust or praisonai-ts. Read ALL comments above from Gemini, Qodo, CodeRabbit, and Copilot carefully before responding.

Phase 1: Review per AGENTS.md

1. Protocol-driven: check heavy implementations vs core SDK
2. Backward compatible: ensure zero feature regressions
3. Performance: no hot-path regressions

Phase 2: FIX Valid Issues
4. For any VALID bugs or architectural flaws found by Gemini, CodeRabbit, Qodo, Copilot, or any other reviewer: implement the fix
5. Push all code fixes directly to THIS branch (do NOT create a new PR)
6. Comment a summary of exact files modified and what you skipped

Phase 3: Final Verdict
7. If all issues are resolved, approve the PR / close the Issue
8. If blocking issues remain, request changes / leave clear action items

[praisonai-triage-agent]

Claude finished @MervinPraison's task —— View job

---

Architecture Review & Fixes ✅

Todo List

• Read AGENTS.md guidelines
• Review architecture compliance
• Fix OpenAI client performance issue (Gemini feedback)
• Remove dead imports (Greptile feedback)
• Push fixes to branch
• Run tests
• Provide final verdict

Phase 1: Architecture Review

Protocol-Driven Core: ✅ PASS

• Core SDK (praisonaiagents) properly uses protocols for extensibility
• Wrapper (praisonai) contains heavy implementations

Backward Compatibility: ✅ PASS

• No public API changes, all fixes are internal improvements
• Default bind change is safer (localhost instead of 0.0.0.0) with CLI flag for opt-in

Performance: ✅ FIXED

• Fixed OpenAI client caching issue per Gemini's recommendation
• Client is now cached on instance, maintaining connection pooling

Phase 2: Issues Fixed

Applied fixes in commit 1e1d6f0e:

1. OpenAI Client Caching (auto.py:503-508)

   • Now caches client on self._openai_client to reuse connection pooling
   • Prevents socket exhaustion under high load

2. Dead Import Removal (auto.py:20)

   • Removed unused OrderedDict import (leftover from LRU cache removal)

3. Duplicate Import Cleanup (auto.py:30)

   • Removed duplicate threading import

Files Modified

• src/praisonai/praisonai/auto.py - Fixed client caching and cleaned imports

Phase 3: Final Verdict

✅ APPROVED - Ready to merge

All architectural issues have been resolved:

• The wrapper layer fixes are clean and focused (no bloat)
• Security improvements with localhost default binding
• Performance issue with OpenAI client properly addressed
• No backward compatibility concerns
• Dead code cleaned up

The PR successfully addresses issue #1602 with minimal, targeted fixes that improve security, performance, and code quality without introducing regressions.

---

[MervinPraison]

@claude You are the FINAL architecture reviewer. If the branch is under MervinPraison/PraisonAI (not a fork), you are able to make modifications to this branch and push directly. SCOPE: Focus ONLY on Python packages (praisonaiagents, praisonai). Do NOT modify praisonai-rust or praisonai-ts. Read ALL comments above from Gemini, Qodo, CodeRabbit, and Copilot carefully before responding.

Maintainer triage (22 Jun 2026):

• Rebase onto latest main and resolve merge conflicts.
• Conflicting paths: src/praisonai/praisonai/auto.py, scheduler/base.py.
• Keep ScheduleParser deduplication and OpenAI client lifecycle fixes from this branch.

Phase 1: Review per AGENTS.md

1. Protocol-driven: check heavy implementations vs core SDK
2. Backward compatible: ensure zero feature regressions
3. Performance: no hot-path regressions

Phase 2: FIX Valid Issues
4. For any VALID bugs or architectural flaws found by reviewers: implement the fix
5. Push all code fixes directly to THIS branch (do NOT create a new PR)
6. Comment a summary of exact files modified and what you skipped

Phase 3: Final Verdict
7. If all issues are resolved, approve the PR / close the Issue
8. If blocking issues remain, request changes / leave clear action items

[praisonai-triage-agent]

Claude encountered an error —— View job

---

Architecture Review & Conflict Resolution

Todo List

• Setup git identity and authentication
• Read AGENTS.md architecture guidelines
• Rebase branch onto main
• Resolve merge conflicts in auto.py and scheduler/base.py
• Fix OpenAI client performance issue (Gemini feedback)
• Remove dead imports (Greptile feedback)
• Run tests on changed packages
• Provide final verdict

Resolving merge conflicts...

[MervinPraison]

@claude

Automated merge readiness report (local git rebase origin/main scan, 2026-06-22 22:04 UTC)

GitHub status

• PR: fix: Wrapper layer: global OpenAI client singleton, unsafe default bind, and duplicated ScheduleParser #2085 — fix: Wrapper layer: global OpenAI client singleton, unsafe default bind, and duplicated ScheduleParser
• mergeStateStatus: DIRTY
• mergeable: CONFLICTING
• URL: fix: Wrapper layer: global OpenAI client singleton, unsafe default bind, and duplicated ScheduleParser #2085

CI (key jobs: test-core, smoke, test-windows, main (3.11), review)

• Key CI gaps: test-core: missing; smoke: missing; test-windows: missing; main (3.11): missing; review: missing

Conflicts (git rebase origin/main)

Conflict files (2):

• src/praisonai/praisonai/auto.py
• src/praisonai/praisonai/scheduler/base.py

src/praisonai/praisonai/auto.py

Conflict markers:

<<<<<<< HEAD
=======
# OpenAI client creation removed - create per-call instead of global cache
>>>>>>> 6e8d73865 (fix: wrapper layer architectural fixes (fixes #1602))

PR branch side (stage 3):

"""Auto-generation module for PraisonAI agents and workflows.

This module uses FULL LAZY LOADING for all heavy dependencies:
- crewai: Only loaded when framework='crewai' is used
- autogen: Only loaded when framework='autogen' is used  
- praisonaiagents: Only loaded when framework='praisonai' is used
- litellm: Only loaded when structured output is needed
- openai: Fallback for structured output when litellm unavailable
- praisonai_tools: Only loaded when tools are needed

This ensures minimal import-time overhead.
"""
from pydantic import BaseModel
from typing import Any, Dict, List, Optional, Type, TypeVar
import os
import json

origin/main side (stage 2):

"""Auto-generation module for PraisonAI agents and workflows.

This module uses FULL LAZY LOADING for all heavy dependencies:
- crewai: Only loaded when framework='crewai' is used
- autogen: Only loaded when framework='autogen' is used  
- praisonaiagents: Only loaded when framework='praisonai' is used
- litellm: Only loaded when structured output is needed
- openai: Fallback for structured output when litellm unavailable
- praisonai_tools: Only loaded when tools are needed

This ensures minimal import-time overhead.
"""
from typing import Any, Dict, List, Optional, Type, TypeVar
import os
import json
import asyncio

src/praisonai/praisonai/auto.py

Conflict markers:

<<<<<<< HEAD
=======
def _create_openai_client(api_key: str = None, base_url: str = None):
    """Create a new OpenAI client for each request (no global state).
    
    Args:
        api_key: OpenAI API key, defaults to OPENAI_API_KEY env var
        base_url: OpenAI base URL for custom endpoints
        
    Returns:
        OpenAI client instance
        
    Raises:
        ImportError: If openai package is not installed
    """
    try:
        from openai import OpenAI
    except ImportError as e:
        raise ImportError("Install with: pip install openai") from e
        
    resolved_api_key = api_key or os.environ.get("OPENAI_API_KEY")
    return OpenAI(api_key=resolved_api_key, base_url=base_url)
>>>>>>> 6e8d73865 (fix: wrapper layer architectural fixes (fixes #1602))

PR branch side (stage 3):

"""Auto-generation module for PraisonAI agents and workflows.

This module uses FULL LAZY LOADING for all heavy dependencies:
- crewai: Only loaded when framework='crewai' is used
- autogen: Only loaded when framework='autogen' is used  
- praisonaiagents: Only loaded when framework='praisonai' is used
- litellm: Only loaded when structured output is needed
- openai: Fallback for structured output when litellm unavailable
- praisonai_tools: Only loaded when tools are needed

This ensures minimal import-time overhead.
"""
from pydantic import BaseModel
from typing import Any, Dict, List, Optional, Type, TypeVar
import os
import json

origin/main side (stage 2):

"""Auto-generation module for PraisonAI agents and workflows.

This module uses FULL LAZY LOADING for all heavy dependencies:
- crewai: Only loaded when framework='crewai' is used
- autogen: Only loaded when framework='autogen' is used  
- praisonaiagents: Only loaded when framework='praisonai' is used
- litellm: Only loaded when structured output is needed
- openai: Fallback for structured output when litellm unavailable
- praisonai_tools: Only loaded when tools are needed

This ensures minimal import-time overhead.
"""
from typing import Any, Dict, List, Optional, Type, TypeVar
import os
import json
import asyncio
import threading
from praisonai._logging import get_logger

# Type variable for Pydantic models - will be bound at runtime
T = TypeVar('T')

# Module-level cache for models (for backward compatibility)
_models_cache: Dict = {}
_models_lock = threading.Lock()

# =============================================================================
# THREAD-SAFE LAZY LOADING INFRASTRUCTURE - All heavy imports are deferred
# =============================================================================

from ._lazy_cache import lazy_get

# Module-level cache for lazily constructed Pydantic workflow models.
# Populated on first call to _get_workflow_models() / _get_job_workflow_models().
_models_cache: Dict[str, Any] = {}

src/praisonai/praisonai/auto.py

Conflict markers:

<<<<<<< HEAD
        if is_available("openai"):
            client = self._get_openai_client()
=======
        if _check_openai_available():
            client = _create_openai_client(
                api_key=self.config_list[0].get('api_key'),
                base_url=self.config_list[0].get('base_url')
            )
>>>>>>> 6e8d73865 (fix: wrapper layer architectural fixes (fixes #1602))

PR branch side (stage 3):

"""Auto-generation module for PraisonAI agents and workflows.

This module uses FULL LAZY LOADING for all heavy dependencies:
- crewai: Only loaded when framework='crewai' is used
- autogen: Only loaded when framework='autogen' is used  
- praisonaiagents: Only loaded when framework='praisonai' is used
- litellm: Only loaded when structured output is needed
- openai: Fallback for structured output when litellm unavailable
- praisonai_tools: Only loaded when tools are needed

This ensures minimal import-time overhead.
"""
from pydantic import BaseModel
from typing import Any, Dict, List, Optional, Type, TypeVar
import os
import json
import yaml

origin/main side (stage 2):

"""Auto-generation module for PraisonAI agents and workflows.

This module uses FULL LAZY LOADING for all heavy dependencies:
- crewai: Only loaded when framework='crewai' is used
- autogen: Only loaded when framework='autogen' is used  
- praisonaiagents: Only loaded when framework='praisonai' is used
- litellm: Only loaded when structured output is needed
- openai: Fallback for structured output when litellm unavailable
- praisonai_tools: Only loaded when tools are needed

This ensures minimal import-time overhead.
"""
from typing import Any, Dict, List, Optional, Type, TypeVar
import os
import json
import asyncio
import threading
from praisonai._logging import get_logger

# Type variable for Pydantic models - will be bound at runtime

src/praisonai/praisonai/scheduler/base.py

Conflict markers:

<<<<<<< HEAD
=======
# Import the canonical ScheduleParser from shared.py
from .shared import ScheduleParser


>>>>>>> 6e8d73865 (fix: wrapper layer architectural fixes (fixes #1602))

PR branch side (stage 3):

"""
Base components for PraisonAI Scheduler.

This module provides shared functionality for all schedulers:
- ScheduleParser: Parse schedule expressions into intervals
- ExecutorInterface: Abstract interface for executors
- PraisonAgentExecutor: Executor for PraisonAI agents
"""

import logging
from abc import ABC, abstractmethod
from typing import Any

logger = logging.getLogger(__name__)

origin/main side (stage 2):

"""
Base components for PraisonAI Scheduler.

This module provides shared functionality for all schedulers:
- ScheduleParser: Parse schedule expressions into intervals
- ExecutorInterface: Abstract interface for executors
- PraisonAgentExecutor: Executor for PraisonAI agents
"""

import logging
from abc import ABC, abstractmethod
from typing import Any
from .shared import ScheduleParser  # Single source of truth
from praisonai._async_bridge import run_sync
from ._dispatch import adispatch_agent

logger = logging.getLogger(__name__)

Guidance

1. git fetch origin && git rebase origin/main on the PR branch.
2. Resolve conflicts aligning with latest main unless intentional.
3. git push --force-with-lease after rebase.
4. Ensure key CI jobs pass.

Final verdict after fix: reply merge-ready (CLEAN + green CI) or list remaining blockers.

[praisonai-triage-agent]

Claude finished @MervinPraison's task —— View job

---

Architecture Review & Conflict Resolution ✅

Todo List

• Setup git identity and authentication
• Read AGENTS.md architecture guidelines
• Rebase branch onto main
• Resolve merge conflicts in auto.py and scheduler/base.py
• Verify OpenAI client caching is properly implemented
• Check for dead imports to remove
• Run tests on changed packages (syntax validation)
• Push changes to branch
• Provide final verdict

Changes Successfully Applied

Successfully rebased PR #2085 onto latest main branch! All conflicts resolved while preserving the PR's core fixes:

1. ✅ Default bind address security fix - API server now defaults to 127.0.0.1 instead of 0.0.0.0
2. ✅ ScheduleParser deduplication - Removed duplicate class from scheduler/base.py, now properly imports from scheduler/shared.py
3. ✅ OpenAI client performance fix - Client is cached on instance via _get_openai_client() method to reuse connection pooling (addresses Gemini's feedback)

Files Modified

• src/praisonai/praisonai/api/call.py - Security: localhost default binding
• src/praisonai/praisonai/auto.py - Performance: instance-level OpenAI client caching
• src/praisonai/praisonai/bots/_http_approval.py - Docs: corrected example
• src/praisonai/praisonai/scheduler/__init__.py - Import fix
• src/praisonai/praisonai/scheduler/base.py - Removed duplicate ScheduleParser

Architecture Compliance

• Protocol-driven core: ✅ No heavy implementations added to core SDK
• Backward compatibility: ✅ No public API changes
• Performance: ✅ OpenAI client properly cached, no hot-path regressions
• Safe defaults: ✅ More secure localhost binding

Final Verdict

✅ MERGE READY - All architectural requirements met, conflicts resolved, and reviewer feedback addressed. The PR is clean and ready for CI validation.

---

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/praisonai/praisonai/auto.py`:
- Line 56: The comment at line 56 incorrectly describes the OpenAI client
lifecycle as "per-call" when the actual implementation caches clients at the
instance level using self._openai_client and self._async_openai_client
attributes. Update the comment to accurately reflect instance-scoped caching
behavior, specifying that clients are created once on first use
(lazy-initialization) and then reused for all subsequent calls within that same
generator instance, rather than being created fresh on every call or cached
globally across instances.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f3043078-95ad-40eb-b5bc-de37be0e31e8

📥 Commits

Reviewing files that changed from the base of the PR and between a1c56fd and b03ed4d.

📒 Files selected for processing (5)

• src/praisonai/praisonai/api/call.py
• src/praisonai/praisonai/auto.py
• src/praisonai/praisonai/bots/_http_approval.py
• src/praisonai/praisonai/scheduler/__init__.py
• src/praisonai/praisonai/scheduler/base.py

💤 Files with no reviewable changes (1)

• src/praisonai/praisonai/scheduler/base.py

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Line 56 comment conflicts with the actual client lifecycle.

At Line 56, the comment says clients are created “per-call,” but this file still caches self._openai_client and self._async_openai_client per generator instance (lazy-init, then reuse). Please reword the comment to reflect instance-scoped caching (no module-level singleton), so the architecture intent is unambiguous.

Suggested wording

-# OpenAI client creation removed - create per-call instead of global cache
+# Removed module-level OpenAI client cache; clients are lazily created and owned per generator instance.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/praisonai/praisonai/auto.py` at line 56, The comment at line 56
incorrectly describes the OpenAI client lifecycle as "per-call" when the actual
implementation caches clients at the instance level using self._openai_client
and self._async_openai_client attributes. Update the comment to accurately
reflect instance-scoped caching behavior, specifying that clients are created
once on first use (lazy-initialization) and then reused for all subsequent calls
within that same generator instance, rather than being created fresh on every
call or cached globally across instances.