fix: resolve open CodeQL findings (real fixes) + add Rust desktop unit tests

[Prekzursil]

User description

Summary

Behavior-preserving real fixes for all 3 open CodeQL/code-scanning alerts, conversion of the 2 prior py/test-equals-none dismissals into a real code fix, and a starter unit-test suite for the desktop (Tauri) Rust crate (which previously had zero tests). No alert was dismissed; no security state was touched.

CodeQL real fixes (no dismissals)

Alert	Rule	Fix
#1462, #1463 (dismissed → fixed)	py/test-equals-none	publish_api.py:206,227 — == None # noqa: E711 → .is_(None) (SQLAlchemy/SQLModel idiom; compiles to SQL IS NULL, not flagged). The lingering # noqa: E711 is removed since it would otherwise be an unused suppression. The two false positive dismissals become a real code fix and resolve as fixed on the next scan.
#1456 (open)	py/empty-except	api.py:1675 — bare except Exception: pass on the best-effort Celery revoke → logger.warning(..., exc_info=True) + explanatory comment. Errors are still swallowed (the run/steps are cancelled regardless), so request behavior is unchanged.
#1496 (open)	py/unused-import	check_visual_zero.py:6 — remove unused os import.
#1461 (open)	py/unused-local-variable	test_project_collaboration.py:38 — drop the unused collaborator binding; keep the _register(...) call for its registration side effect.

Rust desktop crate (apps/desktop/src-tauri)

• Extract behavior-preserving pure helpers find_compose_file_from(start) and compose_up_args(build) so the logic is unit-testable without depending on the process cwd.
• Add a #[cfg(test)] suite (13 tests) covering format_output (all stdout/stderr branches incl. trailing-newline handling), docker_compose_unsupported (each match arm + negatives + case-insensitivity), compose_up_args, and find_compose_file_from (found / not-found). Uses std only — no new dependencies. The #[tauri::command] wrappers and docker-invoking paths are intentionally left uncovered (require a live Tauri context / docker daemon).

Verification

• Python: ruff check (all passed) + python -m compileall on the 4 changed files.
• Rust: cargo fmt --check (clean), cargo clippy --lib --tests (no warnings), cargo test --lib → 13 passed, 0 failed.

Out of scope (left for other PRs)

• 45 Dependabot version-bump advisories → grouped Dependabot PRs.
• ~64 stale dismissals under Inspirations & Former Attempts/ (directory removed from main in PR fix: harden security workflows and sanitize media/url inputs #68; no longer present) and per-site security dismissals (path-injection/SSRF/etc.) requiring human judgment.
• First-party apps/desktop/src-tauri/src/** is currently listed under sonar.coverage.exclusions, so these new tests do not yet move the Sonar coverage number — un-excluding it (adding Rust coverage to CI and hitting threshold) is a sized follow-up.

Test plan

• ruff check on changed Python files
• cargo test --lib in apps/desktop/src-tauri
• CI green (CodeQL + lint + existing Python/web suites)

---

Summary by cubic

Fixes all open CodeQL alerts with real code changes and adds a 13-test Rust suite for the desktop crate. No behavior changes and no dismissals.

• Bug Fixes

  • Python: use .is_(None) instead of == None in publish queries (SQLAlchemy/SQLModel), converting two prior dismissals into fixes.
  • Python: replace bare except: pass on Celery revoke with logger.warning(..., exc_info=True).
  • Python: remove one unused import and one unused local variable.

• New Features

  • Extract pure helpers for compose file discovery and up args to enable testing.
  • Add 13 Rust unit tests covering output formatting, unsupported compose detection, up args, and compose file discovery.

^{Written for commit 3d358d5. Summary will update on new commits.}

---

CodeAnt-AI Description

Fix a few scan issues and add coverage for desktop compose behavior

What Changed

• Publish provider and connection lists now match only active connections correctly when the revoked time is unset.
• Cancelling a workflow run now logs revoke failures instead of silently ignoring them, while still cancelling the run and queued steps.
• Removed unused code from a visual-check script and a collaboration test.
• Added Rust tests for desktop compose discovery, docker compose/docker-compose fallback handling, output formatting, and compose up command options.

Impact

✅ Correctly hidden revoked publish connections
✅ Clearer workflow cancellation failures
✅ Safer desktop compose command handling

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[devloai]

Unable to trigger custom agent "Code Reviewer". You have run out of credits 😔
Please upgrade your plan or buy additional credits from the subscription page.

[qodo-code-review]

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[coderabbitai]

Warning

Review limit reached

@Prekzursil, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 30 minutes and 39 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 657c10a8-d3c7-401b-b65e-d6e3805eb38f

📥 Commits

Reviewing files that changed from the base of the PR and between df95284 and 3d358d5.

📒 Files selected for processing (5)

• apps/api/app/api.py
• apps/api/app/publish_api.py
• apps/api/tests/test_project_collaboration.py
• apps/desktop/src-tauri/src/lib.rs
• scripts/quality/check_visual_zero.py

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/codeql-real-fixes-and-rust-tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ecc-tools]

Analyzing 200 commits...

[ecc-tools]

Analysis Complete

Generated ECC bundle from 1 commits | Confidence: 50%

View Pull Request #193

Repository Profile

Attribute	Value
Language	Python
Framework	Not detected
Commit Convention	conventional
Test Directory	mixed

Changed Files (5)

Metric	Value
Files changed	5
Additions	153
Deletions	13

Top hotspots

Path	Status	+/-
apps/desktop/src-tauri/src/lib.rs	modified	+146 / -8
apps/api/app/api.py	modified	+4 / -1
apps/api/app/publish_api.py	modified	+2 / -2
apps/api/tests/test_project_collaboration.py	modified	+1 / -1
scripts/quality/check_visual_zero.py	modified	+0 / -1

Top directories

Directory	Files	Total changes
apps/desktop/src-tauri/src	1	154
apps/api/app	2	9
apps/api/tests	1	2
scripts/quality	1	1

Analysis Depth Readiness (commit-history, 7%)

ECC Tools uses this to decide whether recommendations should stay at commit-history/setup guidance or expand into CI, security, harness, reference-set, AI-routing, and team backlog work.

Area	Status	Evidence / Next Step
Commit history	Partial	1 commits sampled
CI/CD signals	Missing	Add workflow files or CI troubleshooting evidence so ECC Tools can reason about pipeline setup.
Security evidence	Missing	Add AgentShield, audit, SARIF, SBOM, or security review evidence so recommendations can cover security posture.
Harness configuration	Missing	Add Claude, Codex, OpenCode, Zed, dmux, MCP, plugin, or cross-harness config evidence for harness-agnostic recommendations.
Reference/eval evidence	Missing	Add fixtures, golden traces, reference sets, or evaluator benchmarks so deeper recommendations have regression evidence.
AI routing and cost controls	Missing	Add model-routing, budget, usage, or cost-control files before relying on AI-heavy automation recommendations.
Team handoff and project tracking	Missing	Add roadmap, runbook, project, Linear, or follow-up tracking docs so generated work can land in a team queue.

Reference Set Readiness (0/7, 0%)

Area	Status	Evidence / Next Step
Deep analyzer corpus	Missing	Add analyzer fixture, golden, benchmark, or reference-set files that can catch analyzer regressions.
RAG/evaluator comparison	Missing	Add retrieval or evaluator reference-set comparison fixtures with expected ranking behavior.
PR salvage/review corpus	Missing	Add stale-PR, review-thread, reopen-flow, or salvage reference cases for queue cleanup automation.
Discussion triage corpus	Missing	Add public discussion triage fixtures, golden cases, or reference sets for informational, answered, and no-response classifications.
Harness compatibility	Missing	Add cross-harness, adapter-compliance, or harness-audit evidence for Claude, Codex, OpenCode, Zed, dmux, and agent surfaces.
Security evidence	Missing	Attach security evidence such as SBOMs, SARIF, audit reports, or AgentShield evidence packs.
CI failure-mode evidence	Missing	Add captured CI failure logs, dry-run fixtures, or troubleshooting docs for common workflow failure modes.

Likely Future Issues (3)

Severity	Signal	Why it may show up
HIGH	Regression coverage may lag behind the diff	2 generic code paths changed; 0 test files changed
HIGH	API contract changes may ship without integration coverage	3 API surface paths changed; 0 integration or e2e tests changed
MEDIUM	API implementation changes may ship without contract artifact updates	3 API implementation paths changed; 0 API contract/spec files changed

• Regression coverage may lag behind the diff: The PR changes multiple code paths but does not touch any obvious test files.
• API contract changes may ship without integration coverage: The PR changes API or route-facing files but does not touch any obvious integration or end-to-end tests.
• API implementation changes may ship without contract artifact updates: The PR changes API implementation files but does not touch any obvious OpenAPI, GraphQL, or contract/spec artifact.

Suggested Follow-up Work (3)

Type	Suggested title	Targets
PR	test: add regression coverage for apps/api/app/api.py + apps/api/app/publish_api.py	apps/api/app/api.py, apps/api/app/publish_api.py
PR	test: add integration coverage for apps/api/app/api.py + apps/api/app/publish_api.py	apps/api/app/api.py, apps/api/app/publish_api.py
PR	docs: sync API contract for apps/api/app/api.py + apps/api/app/publish_api.py	apps/api/app/api.py, apps/api/app/publish_api.py

• test: add regression coverage for apps/api/app/api.py + apps/api/app/publish_api.py: Backfill regression coverage before another change set lands on the touched code paths.
• test: add integration coverage for apps/api/app/api.py + apps/api/app/publish_api.py: Backfill integration or end-to-end coverage for the changed API surface before more contract changes land.
• docs: sync API contract for apps/api/app/api.py + apps/api/app/publish_api.py: Backfill the missing API contract or spec update before another implementation change lands on top of the same surface.

Copy-ready bodies

test: add regression coverage for apps/api/app/api.py + apps/api/app/publish_api.py

## Summary
- Add regression coverage for the recently touched code paths before more changes stack on top.

## Why
- Backfill regression coverage before another change set lands on the touched code paths.

## Touched paths
- `apps/api/app/api.py`
- `apps/api/app/publish_api.py`

## Validation
- Add or extend focused tests that exercise the touched paths.
- Run the affected test suite and verify the new coverage closes the gap.

test: add integration coverage for apps/api/app/api.py + apps/api/app/publish_api.py

## Summary
- Add integration or end-to-end coverage for the recently changed API surface.

## Why
- Backfill integration or end-to-end coverage for the changed API surface before more contract changes land.

## Touched paths
- `apps/api/app/api.py`
- `apps/api/app/publish_api.py`

## Validation
- Add or extend integration / e2e coverage for the changed API, route, or contract surface.
- Exercise the touched endpoints or route handlers against realistic request / response flows.

docs: sync API contract for apps/api/app/api.py + apps/api/app/publish_api.py

## Summary
- Update the API contract artifact that should reflect the recently changed implementation surface.

## Why
- Backfill the missing API contract or spec update before another implementation change lands on top of the same surface.

## Touched paths
- `apps/api/app/api.py`
- `apps/api/app/publish_api.py`

## Validation
- Update the relevant OpenAPI, GraphQL, or contract/spec artifact used by this repo.
- Run the contract validation, docs generation, or API verification flow that depends on that artifact.

Generated Instincts (14)

Domain	Count
git	4
code-style	9
testing	1

After merging, import with:

/instinct-import .claude/homunculus/instincts/inherited/Reframe-instincts.yaml

Files

• .claude/ecc-tools.json
• .claude/skills/Reframe/SKILL.md
• .agents/skills/Reframe/SKILL.md
• .agents/skills/Reframe/agents/openai.yaml
• .claude/identity.json
• .codex/config.toml
• .codex/AGENTS.md
• .codex/agents/explorer.toml
• .codex/agents/reviewer.toml
• .codex/agents/docs-researcher.toml
• .claude/homunculus/instincts/inherited/Reframe-instincts.yaml

---

_{ECC Tools | Everything Claude Code}

[codacy-production]

Not up to standards ⛔

🔴 Issues 1 high

Alerts:
⚠ 1 issue (≤ 0 issues of at least minor severity)
⚠ 1 issue (≤ 0 issues of at least minor severity)

Results:
1 new issue

Category	Results
Security	1 high

View in Codacy

🟢 Metrics 0 duplication

Metric	Results
Duplication	✅ 0 (≤ 0 duplication)

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[cubic-dev-ai]

No issues found across 5 files

_{Re-trigger cubic}