Skip to content

fix: address 11 CodeRabbit findings from PR #11#12

Merged
vishnujayvel merged 4 commits into
mainfrom
fix/coderabbit-pr11-findings
Mar 9, 2026
Merged

fix: address 11 CodeRabbit findings from PR #11#12
vishnujayvel merged 4 commits into
mainfrom
fix/coderabbit-pr11-findings

Conversation

@vishnujayvel

@vishnujayvel vishnujayvel commented Mar 4, 2026

Copy link
Copy Markdown
Owner

Summary

Addresses all 11 CodeRabbit review comments from PR #11 (docs audit fix).

  • README: Remove trailing </content></invoke> generation artifacts
  • init.tsx: Add tui.auto_launch: true to minimal preset YAML (was bypassing applyPreset())
  • tui-launcher.ts: Escape python path in AppleScript for paths with spaces/special chars
  • architecture.md: Fix test taxonomy — integration/ is mock-based, not end-to-end
  • cli.md: Fix coaching preset description + stale GuardTester API examples
  • SECURITY.md: Align reporting policy with issue template; document scoped shell: true usage
  • security_vulnerability.md: Add blank lines after markdown headings
  • calendar-feed.py: Add credential scope compatibility check
  • CONTRIBUTING.md: Use approximate test counts (1400+) to prevent staleness
  • tui-launcher.test.ts: Fix pre-existing venv-sensitive test assertions

Test plan

  • npm run docs:build passes clean
  • 1442/1443 tests pass (1 pre-existing doctor-feeds failure unrelated to these changes)
  • All 11 CodeRabbit findings addressed

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • Documentation

    • Enhanced security vulnerability reporting process with dedicated email contact for sensitive issues and improved guidance templates.
    • Updated architecture and CLI documentation with latest specifications.
  • Bug Fixes

    • Improved OAuth token scope validation for calendar feed integration to prevent authentication issues.
  • Chores

    • Removed formatting artifacts from README.

1. Remove trailing </content></invoke> artifacts from README
2. Add tui.auto_launch to minimal preset YAML (was bypassing applyPreset)
3. Escape python path in AppleScript to handle spaces/special chars
4. Fix test taxonomy: integration/ is mock-based, not end-to-end
5. Fix coaching preset docs: enables communication, not status line
6. Align security reporting policy between SECURITY.md and issue template
7. Document scoped shell:true usage in SECURITY.md (trusted commands only)
8. Add blank lines after headings in security vulnerability template
9. Add calendar credential scope compatibility check
10. Add descriptive alt-text for feed platform diagram
11. Use approximate test counts (1400+) to prevent staleness
12. Fix GuardTester API in docs/cli.md (was still using old API)
13. Fix pre-existing venv-sensitive test assertions in tui-launcher tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Mar 4, 2026

Copy link
Copy Markdown

Caution

Review failed

The pull request is closed.

Warning

Ignoring CodeRabbit configuration file changes. For security, only the configuration from the base branch is applied for open source repositories.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: bf6f626d-4b70-42c1-ac10-b3d5e12cc467

📥 Commits

Reviewing files that changed from the base of the PR and between 7517d7e and 84dd097.

📒 Files selected for processing (5)
  • .coderabbit.yaml
  • README.md
  • SECURITY.md
  • docs/architecture.md
  • docs/cli.md

📝 Walkthrough

Walkthrough

This PR updates documentation and guidance templates across the repository, including security vulnerability reporting procedures, architecture documentation counts, CLI preset descriptions, and adds OAuth scope validation to the calendar feed script. Changes are primarily documentation with one minor code addition.

Changes

Cohort / File(s) Summary
Security Documentation & Templates
.github/ISSUE_TEMPLATE/security_vulnerability.md, SECURITY.md
Added guidance comments to vulnerability template sections; updated vulnerability reporting guidelines with email contact and scope-appropriate issue routing.
Architecture Documentation
docs/architecture.md, .coderabbit.yaml
Updated architectural counts from 19 segments across 5 producers to 21 segments across 8 producers; updated integration test description to reflect mock-based approach.
Repository Documentation
README.md, docs/cli.md
Removed stray markup tags from Contributing section; updated coaching preset description from "status line" to "communication".
OAuth Scope Validation
scripts/calendar-feed.py
Added scope compatibility validation for OAuth tokens; forces re-authentication when loaded token scopes do not match compatible scopes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: addressing CodeRabbit review findings from a prior PR, which is confirmed by the file modifications across documentation, configuration, tests, and scripts.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/coderabbit-pr11-findings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/architecture.md`:
- Around line 35-36: Update the diagram description text to match the
architecture baseline by changing the producer and segment counts used in the
line describing the feed platform (replace "8 producers" and "21 status line
segments" with "5 producers" and "19 segments") and change the source reference
to a relative file link pointing to the actual asset (use
"docs/assets/feed-platform.excalidraw" as the source link); locate and edit the
feed-platform diagram description string and the source reference text
(feed-platform.excalidraw) in the document to apply these exact replacements.

In `@scripts/calendar-feed.py`:
- Around line 87-91: The credentials loading/validation is bypassing scope
checks when creds.scopes is falsy; update the call to
Credentials.from_authorized_user_file to pass the defined SCOPES so loaded
credentials always include scope metadata, and change the validation in the
block that uses creds/scopes to check for exact matching against entries in
SCOPES (not suffix matching) — locate the
Credentials.from_authorized_user_file(TOKEN_PATH) call and replace it to include
SCOPES, and update the conditional that references creds.scopes and the any(...
endswith ...) logic to require exact URI membership (e.g., any(s in SCOPES for s
in creds.scopes) or set intersection) so only valid Calendar API scope URIs are
accepted.

In `@src/core/tui-launcher.ts`:
- Around line 215-218: The problem is that pythonCmd is embedded un-quoted into
an AppleScript "do script" string so paths with spaces split; before creating
escapedCmd and calling spawn, shell-quote the python executable path (e.g.,
produce a quotedPythonCmd that wraps pythonCmd in single quotes and escapes any
internal single quotes using the standard '\'' substitution), then perform the
existing backslash/double-quote escapes on that quoted value and use it in the
spawn call (update escapedCmd and the spawn argument that builds the AppleScript
string to reference the quoted-and-escaped python path instead of raw
pythonCmd).

ℹ️ Review info
Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f1fbbad6-4c56-4a5c-8508-edd1801f5f36

📥 Commits

Reviewing files that changed from the base of the PR and between bf28154 and 8ac784e.

📒 Files selected for processing (10)
  • .github/ISSUE_TEMPLATE/security_vulnerability.md
  • CONTRIBUTING.md
  • README.md
  • SECURITY.md
  • docs/architecture.md
  • docs/cli.md
  • scripts/calendar-feed.py
  • src/cli/commands/init.tsx
  • src/core/tui-launcher.ts
  • tests/core/tui-launcher.test.ts

Comment thread docs/architecture.md Outdated
Comment on lines +35 to +36
> **Diagram:** Feed platform showing 8 producers polling data sources on staggered intervals, writing to an atomic cache bus, consumed by 21 status line segments.
> **Source:** feed-platform.excalidraw (in docs/assets/) -- open in [Excalidraw](https://excalidraw.com) for an editable hand-drawn version.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Update feed-platform counts and source link format to match docs rules.

The diagram description uses counts that conflict with the documented architecture baseline, and the source reference should be a relative file link (for example, docs/assets/feed-platform.excalidraw) rather than plain text.

As per coding guidelines, "Architecture descriptions match current code (v1.2, feed platform, 19 segments, 5 producers)" and "Links to source files must use relative paths and point to files that exist."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/architecture.md` around lines 35 - 36, Update the diagram description
text to match the architecture baseline by changing the producer and segment
counts used in the line describing the feed platform (replace "8 producers" and
"21 status line segments" with "5 producers" and "19 segments") and change the
source reference to a relative file link pointing to the actual asset (use
"docs/assets/feed-platform.excalidraw" as the source link); locate and edit the
feed-platform diagram description string and the source reference text
(feed-platform.excalidraw) in the document to apply these exact replacements.

Comment thread scripts/calendar-feed.py Outdated
Comment thread src/core/tui-launcher.ts Outdated
…quoting

- calendar-feed.py: pass SCOPES to from_authorized_user_file(), use exact
  URI set intersection instead of suffix matching for scope compatibility
- tui-launcher.ts: use single-quote shell-quoting for AppleScript path
  embedding to properly handle paths with spaces or special characters

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/core/tui-launcher.ts`:
- Around line 216-219: The embedded AppleScript string currently injects
shellQuoted (built from pythonCmd) directly into a double-quoted AppleScript
literal, which breaks if pythonCmd contains backslashes or double quotes; update
the code that constructs the AppleScript argument passed to spawn (the array
with "-e", `tell application "Terminal" to do script "${...} -m hookwise_tui"`)
to first escape backslashes and double quotes for AppleScript: take shellQuoted,
replace backslashes with double-backslashes (do this replacement first), then
replace double-quote characters with backslash-quote, and use that resulting
applescriptEscaped value in the template string; reference the variables
shellQuoted and pythonCmd and the spawn call so you can locate and replace the
interpolation safely.

ℹ️ Review info
Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: be32fd0f-8f00-4869-85f0-f85fd1b7d8e7

📥 Commits

Reviewing files that changed from the base of the PR and between 8ac784e and 7517d7e.

📒 Files selected for processing (2)
  • scripts/calendar-feed.py
  • src/core/tui-launcher.ts

Comment thread src/core/tui-launcher.ts Outdated
Vishnu Jayavel and others added 2 commits March 8, 2026 23:39
- Update .coderabbit.yaml baseline to match actual code: 8 producers,
  21 segments (was stale at 5/19)
- Fix source reference in docs/architecture.md to use relative file link
- Add AppleScript-layer escaping in tui-launcher.ts to prevent malformed
  osascript when pythonCmd contains backslashes or double quotes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Accept Go-based content from main for CONTRIBUTING.md, SECURITY.md, and
docs/cli.md (replacing stale TypeScript references). Accept deletion of
src/cli/commands/init.tsx, src/core/tui-launcher.ts, and
tests/core/tui-launcher.test.ts (removed by PR #65).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@vishnujayvel vishnujayvel merged commit 1f8ec46 into main Mar 9, 2026
1 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant