Skip to content

Fix all 38 CodeQL quality alerts and gate CodeQL locally in check.sh#104

Merged
alexkroman merged 1 commit into
mainfrom
claude/adoring-mayer-0xnjv4
Jun 12, 2026
Merged

Fix all 38 CodeQL quality alerts and gate CodeQL locally in check.sh#104
alexkroman merged 1 commit into
mainfrom
claude/adoring-mayer-0xnjv4

Conversation

@alexkroman

@alexkroman alexkroman commented Jun 12, 2026

Copy link
Copy Markdown
Collaborator

Resolve everything on the repo's code-scanning quality tab (reproduced
locally with the same python/actions/javascript code-quality suites the
CodeQL workflow uploads; js+actions were already clean):

  • py/file-not-closed (the one real bug): silence_stdout leaked the
    devnull fd after dup2 — close it in a finally; test asserts the close.
  • py/ineffectual-statement (31): Protocol stub ... bodies become
    one-line docstrings; the non-None-returning stubs gain @AbstractMethod
    so mypy/pyright strict still accept the empty body, with no
    never-executed line for the patch-coverage gate to miss.
  • py/unreachable-statement (3): raise via a _raise() helper inside the
    multi-manager with pytest.raises(...), telemetry.track(...) blocks so
    the trailing assertions are visibly reachable to CodeQL's CFG.
  • py/empty-except: explain why share's Ctrl-C handler is a no-op.
  • py/repeated-import / py/import-and-import-from: drop duplicate local
    imports in tests.

Then make the alerts un-regressable: a new check.sh stage
(scripts/codeql_gate.py) runs the exact security + quality suites over a
python/actions/javascript db-cluster and fails on any finding. Self-skips
without the CodeQL bundle on PATH (codeql.yml stays the CI enforcement,
so PRs aren't double-scanned); the web session-start hook now provisions
the bundle, pinned in gate_tool_pins.sh.

https://claude.ai/code/session_01DW3ZQmfbnKsgjrA4PnsF8U

@claude
Fix all 38 CodeQL quality alerts and gate CodeQL locally in check.sh
7450aa9 
Resolve everything on the repo's code-scanning *quality* tab (reproduced
locally with the same python/actions/javascript code-quality suites the
CodeQL workflow uploads; js+actions were already clean):

- py/file-not-closed (the one real bug): silence_stdout leaked the
  devnull fd after dup2 — close it in a finally; test asserts the close.
- py/ineffectual-statement (31): Protocol stub `...` bodies become
  one-line docstrings; the non-None-returning stubs gain @AbstractMethod
  so mypy/pyright strict still accept the empty body, with no
  never-executed line for the patch-coverage gate to miss.
- py/unreachable-statement (3): raise via a _raise() helper inside the
  multi-manager `with pytest.raises(...), telemetry.track(...)` blocks so
  the trailing assertions are visibly reachable to CodeQL's CFG.
- py/empty-except: explain why share's Ctrl-C handler is a no-op.
- py/repeated-import / py/import-and-import-from: drop duplicate local
  imports in tests.

Then make the alerts un-regressable: a new check.sh stage
(scripts/codeql_gate.py) runs the exact security + quality suites over a
python/actions/javascript db-cluster and fails on any finding. Self-skips
without the CodeQL bundle on PATH (codeql.yml stays the CI enforcement,
so PRs aren't double-scanned); the web session-start hook now provisions
the bundle, pinned in gate_tool_pins.sh.

https://claude.ai/code/session_01DW3ZQmfbnKsgjrA4PnsF8U
aikido-pr-checks[bot]
aikido-pr-checks Bot reviewed Jun 12, 2026
View reviewed changes
Comment thread aai_cli/onboard/prompter.py
) -> str: ...
def text(self, title: str, *, default: str | None = None) -> str: ...
) -> str:
"""Pick one value from `options` (label, value) pairs."""

@aikido-pr-checks aikido-pr-checks Bot Jun 12, 2026
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prompter.select docstring says options are (label, value), but implementations treat them as (value, label), so callers following the documented contract will pass swapped data and get wrong behavior.

Suggested change
"""Pick one value from `options` (label, value) pairs."""
"""Pick one value from `options` (value, label) pairs."""
Details

✨ AI Reasoning
​The protocol method documentation now describes options in an order that conflicts with how the runtime code interprets it. This creates an impossible-to-satisfy assumption for callers trying to follow the documented contract, leading to mismatched labels/values and incorrect selections.

Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info

@alexkroman alexkroman merged commit 8c79d3d into main Jun 12, 2026
16 checks passed
@alexkroman alexkroman deleted the claude/adoring-mayer-0xnjv4 branch June 12, 2026 05:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@aikido-pr-checks aikido-pr-checks[bot] aikido-pr-checks[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alexkroman @claude