[1.0.x] Voicely Conversational AI Search

Thank you for applying!

Before giving links helpful to understand how the review process works, what to expect from a review, and what to do to avoid a review takes more time than needed, I would like to thank all the reviewers for the work they do.
These applications are volunters-driven, which also means it is not possible to predict when an application will be marked fixed and the applicant will get the permission to opt projects into security advisory policy. While we aim to make an application as quick as possible, it is also important for us that more people review the project used for an application. In this way, we make sure applications do not miss some important points that should be instead reported.
Applications are not meant to be complete debugging sessions that eliminate every existing bug, though. I apologize if sometimes applications seem to go into too-detailed reviews.

Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.

The important notes are the following.

• If you have not done it yet, you should enable GitLab CI for the project and fix the PHP_CodeSniffer errors/warnings it reports.
• For the time this application is open, only your commits are allowed.
• The purpose of this application is giving you a new drupal.org role that allows you to opt projects into security advisory coverage, either projects you already created, or projects you will create. The project status will not be changed by this application; once this application is closed, you will be able to change the project status from Not covered to Opt into security advisory coverage. This is possible only 14 days after the project is created.
  
  Keep in mind that once the project is opted into security advisory coverage, only Security Team members may change coverage.
• Only the person who created the application will get the permission to opt projects into security advisory coverage. No other person will get the same permission from the same application; that applies also to co-maintainers/maintainers of the project used for the application.
• We only accept an application per user. If you change your mind about the project to use for this application, or it is necessary to use a different project for the application, please update the issue summary with the link to the correct project and the issue title with the project name and the branch to review.

To the reviewers

Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.

The important notes are the following.

• It is preferable to wait for a project moderator before posting the first comment on newly created applications. Project moderators will do some preliminary checks that are necessary before any change on the project files is suggested.
• Reviewers should show the output of a CLI tool only once per application.
• It may be best to have the applicant fix things before further review.

For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.

• The following points are just a start and don't necessarily encompass all of the changes that may be necessary
• A specific point may just be an example and may apply in other places
• A review is about code that doesn't follow the coding standards, contains possible security issue, or does not correctly use the Drupal API; the single points are not ordered, not even by importance

voicely_search.info.yml

name: 'Voicely Search'
type: module
description: 'RAG conversational search with voice input/output, multi-language translation, and decoupled API.'
core_version_requirement: ^10 || ^11
package: Search
dependencies:
  - drupal:search_api
  - drupal:ai
configure: voicely_search.settings

Dependency names follow the format <project machine name>:<module machine name>. Since those modules are not Drupal core modules, the first part cannot be drupal:.

I am going to review the rest of the files, now that I have time.

src/Annotation/SearchProvider.php

Projects that are compatible with Drupal 10 or higher versions should use attributes instead of annotations. This means requiring at least Drupal 10.3, but this is not an issue, considering which Drupal core versions are nowadays supported.

src/Controller/ConversationApiController.php

Code compatible with latest Drupal releases should use property promotion.

Since that class does not use methods from the parent class, or it uses a single method from the parent class, it does not need to use ControllerBase as parent class.

Controllers do not need to have a parent class; as long as they implement \Drupal\Core\DependencyInjection\ContainerInjectionInterface, they are fine.

src/Controller/ConversationLogController.php

    $count = $this->loggerService->deleteAllLogs();
    $this->messenger()->addStatus($this->t('@count log files deleted.', ['@count' => $count]));
    return new JsonResponse(['success' => TRUE, 'deleted' => $count]);

For translatable strings that change basing on a number (as in this case), there is ::formatPlural().

src/Controller/StatusDashboardController.php

        if (empty($api_key)) {
          $status['tts']['message'] = 'OpenAI API key not configured';
        }

Strings used in the user interface should be translatable.

  /**
   * Gets LLM status for manual mode.
   */
  protected function getLlmStatusManual(array $rag_config): array {

Documentation comments should describe also parameters and return value.

    $form['ai_module_settings']['ai_model'] = [
      '#type' => 'select',
      '#title' => $this->t('Provider & Model'),
      '#description' => $this->t('Providers and API keys are managed at <a href="/admin/config/ai/providers">AI provider settings</a>.'),
      '#options' => $model_options,
      '#default_value' => $config->get('rag.ai_model') ?? '',
    ];

A :variable placeholder should be use for URLs as shown in the documentation for FormattableMarkup::placeholderFormat(). That is the placeholder used also by Drupal core code for URLs that take to drupal.org.

$output = '';
$output .= '<h3>' . t('About') . '</h3>';
$output .= '<p>' . t('The Actions module provides tasks that can be executed by the site such as unpublishing content, sending email messages, or blocking a user. Other modules can trigger these actions when specific system events happen; for example, when new content is posted or when a user logs in. Modules can also provide additional actions. For more information, see the <a href=":documentation">online documentation for the Actions module</a>.', [
  ':documentation' => 'https://www.drupal.org/documentation/modules/action',
]) . '</p>';

For system URLs, it is preferable to build the URL with Url::fromRoute($route_name)->toUrl().

    $form['index_fields_wrapper']['fields']['how_it_works']['explanation'] = [
      '#type' => 'markup',
      '#markup' => '<div class="description">'
        . '<h4>' . $this->t('When a user asks a question, three things happen:') . '</h4>'
        . '<ol>'
        . '<li><strong>' . $this->t('Search (Query Fields)') .
        // Omitted
    ];    

For more complex markup, it is better to use a theme or a render function.

    $form['manual_settings']['manual_api_key'] = [
      '#type' => 'textfield',
      '#title' => $this->t('API Key'),
      '#description' => $api_key_set
        ? $this->t('<strong style="color:green">&#10003; API key is configured.</strong> Leave empty to keep existing.')
        : $this->t('Enter the API key for the provider. Leave empty for local models that don\'t require auth.'),
      '#default_value' => '',
      '#maxlength' => 512,
      '#attributes' => ['autocomplete' => 'off'],
    ];

CSS styles should not be added directly in the markup. That could create issue with the theme used by a site.

    $form['api_docs']['endpoints'] = [
      '#type' => 'markup',
      '#markup' => '
        <h4>' . $this->t('Available Endpoints') . '</h4>
        // Omitted
    ];

There is no need to hardcode the markup for a table. Drupal core has a theme function for that.

  /**
   * Format bytes to human readable.
   */
  protected function formatBytes(int $bytes): string {
    if ($bytes < 1024) {
      return $bytes . ' B';
    }
    if ($bytes < 1048576) {
      return round($bytes / 1024, 1) . ' KB';
    }
    return round($bytes / 1048576, 1) . ' MB';
  }

Drupal core has ByteSizeMarkup::create(), which returns a translatable string.
Probably, the minimum required Drupal version needs to be raised to at least Drupal 10.3, but that should not be a problem, given that Drupal 10.3 is no longer supported, and sites are expected to use a more recent Drupal 10.x version.

voicely_search.module

A new module that aims to be compatible with latest Drupal releases is expected to implement hooks as class methods as described in Support for object oriented hook implementations using autowired services.
It requires increasing the minimum required Drupal version, but that is not an issue, since not all the Drupal releases are supported.

voicely_search.services.yml

Services can be autowired starting with Drupal 9.3.x. This means that it is no longer necessary to give a list of service arguments in the .services.yml file; they will be retrieved from the constructor definition.

1. FILE: voicely_search.module

Since the module is declared compatible with Drupal 10.3, removing the function implementing the hook is not possible. The function still needs to be defined, but it calls the method defined by the service class, as described in Support for object oriented hook implementations using autowired services (Backwards-compatible Hook implementation for Drupal versions from 10.1 to 11.0).

<?php

/**
 * @file
 * Primary module hooks for Voicely Search.
 *
 * Hook implementations have been moved to
 * Drupal\voicely_search\Hook\VoicelySearchHooks using the #[Hook] attribute
 * introduced in Drupal 10.3. This file is intentionally empty but kept so
 * external tooling that expects a .module file for every module can still
 * locate it.
 */

Drupal does not have primary and secondary hooks. Instead of that, it is preferable to use the usual description: “Hook implementations for the [module name] module”, where [module name] is the name of the module given in its .info.yml file.

2. FILE: src/Form/SettingsForm.php

With Drupal 10 and Drupal 11, there is no longer need to use #default_value for each form element, when the parent class is ConfigFormBase: It is sufficient to use #config_target, as in the following code.

    $form['image_toolkit'] = [
      '#type' => 'radios',
      '#title' => $this->t('Select an image processing toolkit'),
      '#config_target' => 'system.image:toolkit',
      '#options' => [],
    ];

Using that code, it is no longer needed to save the configuration values in the form submission handler: The parent class will take care of that.

If you changed what has been reported, please change the status to Needs review. In this way, reviewers will know everything has been changed and can be reviewed again.