Full type safety with Pyright enforcement

[nitrobass24]

Summary

Add static type checking enforcement to the Python codebase using Pyright in strict mode, with CI integration to prevent regressions.

Motivation

Type safety is a security measure. Unchecked types allow None to flow into sensitive functions (SSH command construction, os.path.join, shlex.quote), unvalidated external data to propagate through the system, and subtle bugs to hide at module boundaries.

RapidCopy enforces Mypy strict with 0 errors. We should match or exceed this with Pyright.

Current State

• Angular: Already strong — strict: true in tsconfig, strict templates, only ~12 any usages at JSON parsing boundaries
• Python: Type hints exist on many functions but no static checker is configured or enforced. Pyright already flags real issues: Optional values passed to os.path.join(), str | None to shlex.quote(), etc.

Implementation

Python (primary scope)

1. Add pyrightconfig.json with strict mode
2. Fix all violations — focus on security-critical paths first:
   • SSH command construction (remote_scanner.py, sshcp.py)
   • Path handling (os.path.join, file operations)
   • Config deserialization boundaries
   • Shell command building (lftp.py)
3. Add Pyright check to CI as a required step
4. Target: 0 errors enforced

Angular (secondary scope)

• Replace ~12 any usages with typed interfaces for JSON parsing (e.g., RawModelFile interface for SSE event data)
• Lower priority since strict mode is already enforced and blast radius of frontend type errors is smaller

Acceptance Criteria

• pyrightconfig.json added with strict mode
• 0 Pyright errors in Python codebase
• CI step enforces Pyright (fails on any error)
• Security-critical code paths fully typed (SSH, paths, shell commands, config)
• Angular any usages replaced with typed interfaces

[nitrobass24]

Pyright adoption plan — incremental rollout

Current state

806 total errors on basic mode (not even strict):

• 259 production code errors across 20 modules
• 565 test errors (mostly mock/MagicMock type inference)

Error categories (production)

Category	Count	Fix approach
Argument type mismatch	110	Add type guards, fix signatures
Optional/None safety	65	Add null checks, narrow types
Attribute access	34	Fix dynamic attribute patterns
TypeVar/cls patterns	25	Fix InnerConfig metaclass typing
Call issues	16	Fix overloads, argument counts
Assignment/Return	9	Fix return type annotations

Recommended approach: 5 phases

Phase 1: Foundation — config + CI (1 PR)

• Add pyrightconfig.json in basic mode (not strict)
• Exclude tests/ initially via exclude in config
• Add Pyright to CI as an informational step (continue-on-error: true) so we can see the error count trending down without blocking PRs
• Add pyright to the dev dependency group in pyproject.toml

Phase 2: Low-hanging fruit — small modules (1-2 PRs)

Fix modules with ≤5 errors first to build momentum:

• common/app_process.py (3 errors)
• common/multiprocessing_logger.py (4 errors)
• controller/notifier.py (3 errors)
• controller/model_builder.py (6 errors)
• controller/scan/ (2 errors)
• controller/controller_persist.py (2 errors)
• lftp/job_status_parser.py (3 errors)
• system/ (6 errors)
• scan_fs.py (4 errors)
• seedsync.py (10 errors)

~46 errors, mostly Optional/None guards and argument types.

Phase 3: Security-critical paths (1-2 PRs)

The issue specifically calls out security-critical code. Fix these next:

• ssh/sshcp.py (22 errors) — SSH command construction, None flowing into shell commands
• lftp/lftp.py (32 errors) — LFTP command building, shell escaping
• controller/extract/ (27 errors) — subprocess calls for extraction
• web/handler/ (14 errors) — request handling

~95 errors. These are the highest-value fixes — real bugs hiding behind untyped code.

Phase 4: Complex modules (1-2 PRs)

The hard stuff:

• controller/controller.py (66 errors) — largest module, complex state management
• common/config.py (18 errors) — dynamic property system, TypeVar patterns
• web/web_app.py (13 errors) — handler registration patterns
• controller/auto_queue.py (12 errors)

~109 errors. The config.py TypeVar/metaclass pattern may need targeted # type: ignore rather than full refactoring.

Phase 5: Tests (multiple PRs, can be done incrementally)

• 565 errors, mostly reportAttributeAccessIssue on MagicMock attributes
• Enable Pyright on tests/ directory
• Many will need # type: ignore on mock patterns, or typed mock helpers
• Can be done directory by directory over time

After all phases

• Switch CI from continue-on-error: true to required (fails on any error)
• Consider upgrading from basic to strict mode as a future milestone

What this does NOT include

• Strict mode — deferred. Basic mode catches real bugs (None safety, argument mismatches). Strict adds missing annotations which is a separate effort.
• Angular any cleanup — the issue mentions this but it's a separate concern. Angular already has strict: true in tsconfig.
• Config system refactor — the InnerConfig dynamic property pattern will need some # type: ignore suppressions rather than a full rewrite.