Feature/docker deploy

[AuraMindNest]

Summary by CodeRabbit

• New Features

  • Manual deployment workflow with SSH-based deploy and health check
  • New settings to enable/configure OpenRouter auto-translation

• Bug Fixes

  • Improved error handling for translation service responses
  • Fixed QuickBook conversion/validation edge cases and various format converters

• Documentation

  • API spec updated to include QuickBook format and repository type adjustments

• Chores

  • Project rebranded to boost-weblate (v1.0.0); updated licensing/lint metadata; removed legacy start/stop scripts; expanded ignore and reuse annotations

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a manual CD GitHub Actions workflow for SSH deploy + health check; renames project to boost-weblate v1.0.0; removes local start/stop scripts; adds REUSE annotations and SPDX headers; extends lint/type exclusions; tightens typing and error handling across boost_endpoint, format handlers, autobatch flow, utils, and OpenAPI enums.

Changes

Cohort / File(s)	Summary
CI/CD & Git hooks ​.github/workflows/cd.yml, ​.gitignore, ​.pre-commit-config.yaml	Adds manual CD workflow using SSH (appleboy/ssh-action) with deploy and health-check steps; expands .gitignore; adds shellcheck excludes.
Project metadata & licensing pyproject.toml, REUSE.toml	Renames package to boost-weblate and version to 1.0.0; adds REUSE annotations for workflows/docker/scripts and SPDX license blocks.
Removed local dev scripts start-weblate.sh, stop-weblate.sh	Deleted local start/stop helper scripts.
Backup & DB tooling scripts/backup/... (backup_from_server.sh, dump_database.sh, recalculate_stats.py, sync_database_to_files.py, update_push_urls.py)	Added SPDX headers; refactored dump output writes into grouped redirects; consolidated pg_dump success/failure handling.
Boost endpoint weblate/boost_endpoint/services.py, weblate/boost_endpoint/views.py	Tightened typing, set subprocess calls to check=False and check return codes, added repo-owner None guard, lint suppressions only.
Format handlers weblate/formats/asciidoc.py, weblate/formats/quickbook.py	Added null guards, stronger stream typing, clearer subprocess error handling; QuickBook signature changes and mapping logic for translated .qbk units with validation.
Translation/autobatch flow weblate/trans/autobatchtranslate.py, weblate/trans/models/component.py, weblate/trans/tasks.py	Removed dead imports/unused vars, added explicit returns after scheduling, switched to AuthenticatedHttpRequest in tasks, simplified loops and lint comments.
Utilities weblate/utils/openrouter_translator.py, weblate/utils/quickbook.py	Improved null handling for OpenRouter responses and added final retry failure; replaced tuple membership checks with sets and normalized trailing newlines in QuickBook output.
Config & API spec weblate/settings_docker.py, docs/specs/openapi.yaml	Registered weblate.boost_endpoint; added AUTO_BATCH_TRANSLATE_VIA_OPENROUTER and BOOST_ENDPOINT_ADD_TRANSLATION_SECONDS settings; OpenAPI: removed subversion, added github repository type and quickbook file format, updated server URL.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions (CD)
    participant SSH as Remote Host (SSH)
    participant App as App Dir\n(docker compose)
    participant Health as Local Health Endpoint

    GHA->>SSH: ssh (host/user/key/port from secrets)
    SSH->>App: git pull origin dev
    SSH->>App: cd docker && docker compose up -d --build
    App-->>SSH: build/start output
    GHA->>GHA: wait 300s
    GHA->>SSH: ssh curl -sf http://localhost:8000/healthz/
    alt health ok
        SSH-->>GHA: HTTP 200
        GHA-->>GHA: job succeeds
    else health fail
        SSH-->>GHA: error/timeout
        GHA-->>GHA: job fails
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• 1. #3 : Develop a script to generate Weblate translation projects/com… #4: Overlapping changes to weblate.boost_endpoint package (services/views/urls/app registration) that intersect with this PR's boost_endpoint integration.

Suggested reviewers

• henry0816191
• wpak-ai

"🐰 I hopped through commits, tidy and spry,
New workflow set up beneath CI sky,
Scripts trimmed away and types polished bright,
SPDX tucked in, quickbooks set aright,
Containers hum — health checks gleam at night! 🥕"

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Feature/docker deploy' is partially related to the changeset. While a Docker-based CD workflow is added, the changeset encompasses much broader changes including package renaming, configuration updates, script modifications, and code improvements across multiple modules.	Consider a more descriptive title that better captures the scope, such as 'Migrate to boost-weblate with Docker CI/CD and refactored components' or narrowing the PR to focus primarily on Docker deployment if other changes are separate work.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 96.15% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

weblate/trans/autobatchtranslate.py (1)

367-371: ⚠️ Potential issue | 🟡 Minor

Typo in bot user name: "Autobatch_translatior" should be "Autobatch_translator".

The typo appears in both the name and verbose parameters.

✏️ Proposed fix

             # Get or create a bot user for autobatch translation
             bot_user = User.objects.get_or_create_bot(
                 scope="weblate",
-                name="Autobatch_translatior",
-                verbose="autobatch_translatior",
+                name="Autobatch_translator",
+                verbose="autobatch_translator",
             )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@weblate/trans/autobatchtranslate.py` around lines 367 - 371, Fix the typo in
the bot creation call: update the name and verbose arguments passed to
User.objects.get_or_create_bot (where bot_user is assigned) from
"Autobatch_translatior" to "Autobatch_translator" so both parameters use the
correct spelling.

weblate/trans/models/component.py (2)

4672-4694: ⚠️ Potential issue | 🟠 Major

Commit each author-group before mutating the file for the next one.

This helper only processes one Translation, but it queues every author-group in translations_to_commit and only calls git_commit() later in a second loop. If commit_groups has more than one entry, the first commit sees the file after later groups have already updated it, so author/timestamp attribution collapses into the first commit and the remaining commits are likely empty.

Also applies to: 4708-4729

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@weblate/trans/models/component.py` around lines 4672 - 4694, The loop over
commit_groups must commit each author-group immediately after update_units
instead of deferring all commits; after calling
translation.update_units(changes, store, author_name) and confirming changes
(any(changes_status.values())), invoke git_commit(translation, author_name,
timestamp) (using the same timestamp conversion to timezone.make_aware when
needed) right there so the file state and attribution are recorded before the
next group mutates the file; remove or skip the later deferred commit loop (the
code that iterates translations_to_commit) to avoid duplicate/empty commits and
apply the same immediate-commit fix to the other block referenced around lines
4708-4729.

---

1214-1226: ⚠️ Potential issue | 🟠 Major

Guard translations_count before the // operation to fix mypy type error.

Line 1226 has a type safety violation: self.translations_count is typed as int | None, but the // operator requires an int. The code only checks for -1 at line 1218 and does not guard against None or 0, which would also cause a divide-by-zero error. Lift the attribute into a local variable, guard against both None and 0, and return early before computing progress.

Suggested fix

     # Calculate progress for translations
     if progress is None:
+        translations_count = self.translations_count
+        if translations_count in (None, 0):
+            return
         self.translations_progress += 1
-        progress = 100 * self.translations_progress // self.translations_count
+        progress = 100 * self.translations_progress // translations_count

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@weblate/trans/models/component.py` around lines 1214 - 1226, In
progress_step, guard self.translations_count (typed int | None) before using the
floor-division: assign it to a local var (e.g. count = self.translations_count),
check for None or 0 (and keep the existing -1 check for linked_component
handling) and return early if invalid to avoid mypy type errors and
divide-by-zero; then proceed to increment self.translations_progress and compute
progress = 100 * self.translations_progress // count. Ensure you still call
linked_component.progress_step(progress) when translations_count == -1 and
preserve current_task checks.

🧹 Nitpick comments (13)

pyproject.toml (1)

490-496: Note: Empty [tool.pytest] section may be redundant.

Line 496 adds an empty [tool.pytest] section while [tool.pytest.ini_options] already exists at line 498. This appears harmless but may be unnecessary. If this was intentionally added for future configuration, consider adding a comment to clarify.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` around lines 490 - 496, The pyproject.toml contains an empty
[tool.pytest] section that is redundant because [tool.pytest.ini_options]
already exists; either remove the empty [tool.pytest] header or replace it with
a clarifying comment indicating it's intentionally reserved for future pytest
settings so readers won't be confused—look for the [tool.pytest] and
[tool.pytest.ini_options] headers and perform the removal or add a short inline
comment explaining intent.

docker/requirements.txt (1)

1-66: Consider consolidating dependency management to avoid version drift.

This requirements.txt pins exact versions that duplicate dependencies already specified in pyproject.toml. Per coding guidelines, dependencies should be managed in pyproject.toml with dependency groups. Since the Dockerfile installs both this file and pyproject.toml extras, there's a risk of version inconsistencies over time.

Some minor version format inconsistencies noted:

• Line 1: aeidon==1.15 (short form) vs others using full semver
• Line 32: iniparse==0.5 vs Line 34: mercurial==7.2

Consider either:

1. Generating this file from pyproject.toml during CI/build
2. Using a tool like uv pip compile to lock versions from pyproject.toml

As per coding guidelines: "Manage dependencies in pyproject.toml with dependency groups for different environments"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/requirements.txt` around lines 1 - 66, The requirements.txt duplicates
and pins many deps already declared in pyproject.toml, risking version drift;
remove the hand-maintained pins from docker/requirements.txt and instead: update
the Dockerfile to install from pyproject.toml extras (or from a generated lock
file), and add a build step in CI/packaging that generates a frozen
requirements.txt (e.g., pip-compile / "uv pip compile" or equivalent) from
pyproject.toml so the Docker build consumes that generated lockfile; ensure the
repo documents the chosen flow and remove or mark docker/requirements.txt as
generated to avoid manual edits.

docker/etc/supervisor/conf.d/celery-backup.conf (1)

1-7: Consider adding a priority setting for consistency.

Other Celery worker configurations in this PR include a priority setting (e.g., celery-celery has 400, celery-notify has 500, celery-memory has 600). Adding a priority here would ensure deterministic startup order.

♻️ Proposed addition

 autorestart = true
 stdout_logfile=/dev/fd/1
 stdout_logfile_maxbytes=0
 redirect_stderr=true
+priority = 700

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/etc/supervisor/conf.d/celery-backup.conf` around lines 1 - 7, Add a
supervisor "priority" setting to the celery-backup program block to ensure
deterministic startup order alongside the other Celery workers; update the
[program:celery-backup] configuration (the block defining environment, command,
autorestart, stdout_logfile, redirect_stderr) to include a priority value
consistent with the existing sequence (e.g., set priority=700 to follow
400/500/600 pattern).

weblate/trans/autobatchtranslate.py (2)

108-122: Consider adding return type hint.

♻️ Proposed signature

-def _prepare_batch_request(translation: Translation):
+def _prepare_batch_request(
+    translation: Translation,
+) -> tuple[None, None, None, None] | tuple[QuerySet, dict[str, str], dict[int, Unit], set[str]]:

Or use a named tuple / dataclass for clearer return type.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@weblate/trans/autobatchtranslate.py` around lines 108 - 122, Add an explicit
return type for _prepare_batch_request to improve clarity and typing (e.g.,
Optional[Tuple[QuerySet, Dict[str,str], Dict[int,UnitType], Set[str]]]) or
replace the tuple return with a small dataclass/namedtuple (e.g., BatchRequest =
dataclass(...)) and return that instead; update the function signature for
_prepare_batch_request and adjust callers that unpack units_qs, units_data,
unit_map, expected_keys to use the new typed return or fields to keep typesafe
usage.

---

62-105: Consider adding return type hints for type safety.

Per coding guidelines, type hints are required. This function returns a tuple of (str | None, str | None, str | None).

♻️ Proposed signature

-def _resolve_openrouter_config(translation: Translation):
+def _resolve_openrouter_config(
+    translation: Translation,
+) -> tuple[str | None, str | None, str | None]:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@weblate/trans/autobatchtranslate.py` around lines 62 - 105, Update the
_resolve_openrouter_config function signature to include a return type hint of a
three-item optional string tuple (e.g. -> tuple[Optional[str], Optional[str],
Optional[str]] or -> (str | None, str | None, str | None)) and import
typing.Optional if using tuple[Optional[...]]; keep the existing logic and
return values unchanged, only add the type annotation to the function definition
to satisfy the project type-hinting guideline.

docker/etc/supervisor/conf.d/celery-single.conf (1)

1-8: LGTM! Note command syntax inconsistency with other configs.

This config correctly uses celery --app=weblate.utils worker syntax. However, celery-translate.conf uses the older celery worker syntax relying on the CELERY_APP environment variable. Consider standardizing the command syntax across all Celery configs for consistency and clarity.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/etc/supervisor/conf.d/celery-single.conf` around lines 1 - 8, The
Celery command syntax is inconsistent across configs; standardize them by using
the explicit "--app=weblate.utils" form (as used in the [program:celery] config)
instead of relying on the CELERY_APP env var in other files (e.g.,
celery-translate.conf). Update the command line in celery-translate.conf (and
any other Celery supervisor confs) to use "celery --app=weblate.utils worker
..." preserving existing options/queues and any "%(ENV_... )s" placeholders so
all configs use the same explicit app invocation.

docker/etc/supervisor/conf.d/celery-beat.conf (1)

1-7: Consider adding priority setting for consistency.

Other Celery Supervisor configs (e.g., celery-translate.conf with priority 700, celery-single.conf with priority 400) include a priority setting to control startup order. This config is missing it. Consider adding a priority to ensure the beat scheduler starts at the appropriate time relative to workers.

🔧 Suggested addition

 autorestart = true
 stdout_logfile=/dev/fd/1
 stdout_logfile_maxbytes=0
 redirect_stderr=true
+priority = 500

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/etc/supervisor/conf.d/celery-beat.conf` around lines 1 - 7, Add a
priority setting to the [program:celery-beat] supervisor block so its startup
order is explicit and consistent with the other Celery configs; update the
celery-beat section (program:celery-beat, the block containing the command
"/app/venv/bin/celery beat ...") to include a numeric priority (for example 700
to match celery-translate.conf or another value chosen to place beat at the
correct order relative to celery-single.conf which uses 400).

docker/etc/supervisor/conf.d/celery-translate.conf (1)

1-8: Use explicit -A flag to specify the Celery app instead of relying on CELERY_APP environment variable.

In Celery 5.x, the application should be specified via the -A (or --app) command-line option rather than the CELERY_APP environment variable. Update the command to: celery -A weblate.utils worker --hostname 'translate@%%h' ... and remove CELERY_APP=weblate.utils from the environment. This aligns with Celery's documented best practices for app specification.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/etc/supervisor/conf.d/celery-translate.conf` around lines 1 - 8,
Remove the CELERY_APP=weblate.utils environment assignment from the
[program:celery-translate] environment and update the command string used by the
celery worker to explicitly pass the app via -A (e.g., change the command from
the current "/app/venv/bin/celery worker ..." to include "-A weblate.utils" so
it reads like "celery -A weblate.utils worker ..."); keep the existing hostname,
loglevel, queues, pool, prefetch-multiplier and %(ENV_CELERY_TRANSLATE_OPTIONS)s
tokens and ensure stdout/stderr and autorestart settings remain unchanged.

docker/etc/nginx/generate-site.py (2)

7-17: Add error handling for argument count mismatch.

The tuple unpacking on sys.argv[1:] will raise a ValueError if the wrong number of arguments is provided, but with a cryptic error message. Consider adding explicit validation with a helpful error message indicating the expected arguments.

Proposed fix

 # Parse args
+if len(sys.argv) != 9:
+    print(
+        f"Usage: {sys.argv[0]} TEMPLATE_DIRS WEBLATE_URL_PREFIX WEBLATE_REALIP "
+        "CLIENT_MAX_BODY_SIZE WEBLATE_BUILTIN_SSL WEBLATE_ANUBIS_URL "
+        "SITE_DOMAIN ENABLE_HTTPS",
+        file=sys.stderr,
+    )
+    sys.exit(1)
+
 (
     TEMPLATE_DIRS,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/etc/nginx/generate-site.py` around lines 7 - 17, Validate the number
of CLI args before unpacking sys.argv[1:] and raise a clear error if it doesn't
match the expected count; check len(sys.argv) (or len(sys.argv[1:])) against the
number of variables (TEMPLATE_DIRS, WEBLATE_URL_PREFIX, WEBLATE_REALIP,
CLIENT_MAX_BODY_SIZE, WEBLATE_BUILTIN_SSL, WEBLATE_ANUBIS_URL, SITE_DOMAIN,
ENABLE_HTTPS) and exit with a descriptive message explaining the expected
arguments and their order so the subsequent tuple unpacking using sys.argv[1:]
will never raise a cryptic ValueError.

---

1-2: Missing GPL-3.0-or-later license header.

Per coding guidelines, all Python files must include the GPL-3.0-or-later license header. Add the standard copyright and SPDX header at the top of this file.

Proposed fix

 #!/usr/bin/env python3
+# Copyright © Boost Organization <boost@boost.org>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 import sys

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/etc/nginx/generate-site.py` around lines 1 - 2, Add the
GPL-3.0-or-later license header immediately after the existing shebang in
docker/etc/nginx/generate-site.py: insert the SPDX short identifier line
("SPDX-License-Identifier: GPL-3.0-or-later"), a copyright line with the
project/organization and year, and the standard short GPL header notice (one- or
two-line copyright/permission notice) so the file clearly declares
GPL-3.0-or-later licensing; keep the shebang as the first line and place the
header directly below it.

docker/environment.example (1)

50-55: Clarify or remove duplicate database name variables.

Both POSTGRES_DB and POSTGRES_DATABASE are defined. Typically only one is needed—Weblate's Docker settings use POSTGRES_DB. Consider removing POSTGRES_DATABASE or adding a comment explaining when each is used.

Proposed fix

 POSTGRES_PASSWORD=
 POSTGRES_USER=
 POSTGRES_DB=
-POSTGRES_DATABASE=
 POSTGRES_HOST=host.docker.internal
 POSTGRES_PORT=5432

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/environment.example` around lines 50 - 55, Remove the duplicate
database-name variable by keeping only the conventional POSTGRES_DB and deleting
POSTGRES_DATABASE (or, if you need both for compatibility, add a clarifying
comment above the variables explaining the difference and when to use
POSTGRES_DB vs POSTGRES_DATABASE); update any references in the codebase or docs
to use POSTGRES_DB (search for POSTGRES_DATABASE and replace or document usage)
so the environment example is unambiguous.

.github/workflows/cd.yml (1)

35-37: Consider reducing or making the health check delay configurable.

The 300-second (5-minute) sleep before the health check may unnecessarily extend the workflow duration. Docker Compose builds and container startup typically complete faster. Consider reducing this delay or implementing a retry loop with exponential backoff.

Example: Retry loop instead of fixed sleep

         script: |
-          sleep 300
-          curl -sf http://localhost:8000/healthz/
+          # Wait up to 5 minutes, checking every 15 seconds
+          for i in $(seq 1 20); do
+            if curl -sf http://localhost:8000/healthz/; then
+              echo "Health check passed"
+              exit 0
+            fi
+            echo "Attempt $i failed, waiting 15s..."
+            sleep 15
+          done
+          echo "Health check failed after 20 attempts"
+          exit 1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cd.yml around lines 35 - 37, Replace the fixed "sleep 300"
in the workflow script block with a configurable or retry-based health check:
either reduce the hardcoded delay to a shorter default or read a timeout/env
var, or implement a retry loop around the existing "curl -sf
http://localhost:8000/healthz/" (with incremental backoff and a max attempts) so
the workflow probes until ready instead of always waiting 300s; update the
script block that currently contains "sleep 300" and "curl -sf
http://localhost:8000/healthz/" accordingly and ensure failures still cause the
job to fail if the max retries are exhausted.

docker/Dockerfile (1)

9-10: Keep build-only sources out of the final image.

COPY . /app/boost-weblate/ and later COPY --from=build /app /app leave the full checkout and /app/src inputs in production even though the package is already installed in /app/venv. That bloats the runtime image and ships repo-only artifacts unnecessarily. Copy only the runtime outputs, or remove /app/boost-weblate and /app/src before the final stage ends.

Also applies to: 50-51

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/Dockerfile` around lines 9 - 10, Remove build-only sources from the
final image by not copying the full checkout into runtime or by deleting it
before the final stage completes: stop using COPY . /app/boost-weblate/ into the
image that becomes runtime, or after COPY --from=build /app /app remove
/app/boost-weblate and /app/src (or only copy /app/venv and the installed
package artifacts instead of the entire /app). Update the Dockerfile to ensure
only runtime outputs (e.g., /app/venv and installed site-packages) are present
in the final stage and remove repo-only artifacts (referencing COPY .
/app/boost-weblate/, COPY --from=build /app /app, and paths /app/boost-weblate
and /app/src); apply the same change for the other instances noted (lines
50-51).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/cd.yml:
- Around line 22-26: The deployment script under the "script" block currently
runs "git pull origin dev", but the repo only has "main"; change the branch
reference to "main" (replace the git pull origin dev command) so the deploy uses
the correct branch before running "cd docker" and "docker compose up -d
--build".

In @.gitignore:
- Line 46: The .gitignore currently contains a broad rule '/test/' which will
untrack legitimate source tests; replace that single-line rule with explicit
ignores for test artifacts instead (e.g., test-results directories, pytest/cache
folders, coverage outputs, IDE/test runner temporary files) so real test source
files remain in version control; locate the literal '/test/' entry and remove or
change it to specific patterns such as '/test-results/', '.pytest_cache/',
'coverage/', and any generated test/*.tmp patterns used by your tooling.

In `@docker/environment.example`:
- Around line 108-116: The environment example is missing Supervisor variables
referenced by supervisor conf; add WEB_WORKERS, WEB_BLOCKING_THREADS, and
GRANIAN_ARGS with sensible defaults (for example WEB_WORKERS=4,
WEB_BLOCKING_THREADS=20, GRANIAN_ARGS="") to the docker environment example so
Supervisor can read them; place them near the web/boost-related settings (around
CLIENT_MAX_BODY_SIZE and AUTO_BATCH_TRANSLATE_VIA_OPENROUTER) and ensure values
are exported as plain KEY=VALUE entries.

In `@docker/etc/nginx/default.tpl`:
- Around line 70-73: The proxy_set_header for X-Forwarded-For must be
unconditional: move the proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for; line out of the WEBLATE_BUILTIN_SSL conditional so
it always runs, leaving proxy_set_header X-Forwarded-Proto $scheme; inside the
{% if WEBLATE_BUILTIN_SSL %} ... {% endif %} block; update the template around
the WEBLATE_BUILTIN_SSL conditional to ensure X-Forwarded-For is set regardless
of TLS while X-Forwarded-Proto remains conditional.

In `@docker/etc/supervisor/supervisord.conf`:
- Line 5: Fix the typo in the supervisord config comment for the chmod setting:
change the word "sockef" to "socket" in the comment on the line containing the
chmod directive so it reads "... ; socket file mode (default 0700)" to
accurately describe the chmod parameter.

In `@docker/health_check`:
- Around line 21-25: The grep pattern in the failing detection block uses basic
regex so `\|` is treated literally; update the command that builds `failing` to
use an alternation-aware regex (e.g., switch to grep -E or use `\(...\)\|`
escaping) so it correctly matches lines containing either EXITED or RUNNING;
modify the line that sets the failing variable (the `failing="$(echo "$services"
| grep -v '^check *EXITED\|RUNNING' || true)"` assignment) to use extended regex
(grep -E) or properly escaped alternation so the negative grep filters out both
EXITED and RUNNING as intended.

In `@docker/start`:
- Around line 311-316: The script currently sets `set_real_ip_from 0.0.0.0/0;`
when `WEBLATE_IP_PROXY_HEADER=HTTP_X_FORWARDED_FOR`, allowing header spoofing;
change this to require a user-configurable trusted proxy CIDR list (e.g., new
env var `WEBLATE_TRUSTED_PROXIES`) instead of the global 0.0.0.0/0. Modify the
`case` branch that sets `WEBLATE_REALIP` to: if `WEBLATE_TRUSTED_PROXIES` is
empty, do not emit any `set_real_ip_from` lines (or exit with a clear error),
otherwise split `WEBLATE_TRUSTED_PROXIES` on spaces/commas and append a
`set_real_ip_from <CIDR>;` line for each CIDR plus `real_ip_header
X-Forwarded-For;`; remove the unconditional `set_real_ip_from 0.0.0.0/0;` and
ensure any logic that auto-enables `WEBLATE_IP_PROXY_HEADER` (related code)
respects that trusted-proxies variable.
- Around line 152-160: The timezone block currently skips on first boot because
it checks [ -w /tmp/localtime ] which fails when /tmp/localtime doesn't exist;
change the guard to check writability of /tmp (e.g. [ -w /tmp ]) and if
/tmp/localtime is missing create it (touch /tmp/localtime) before writing; then
proceed to compute zonefile="/usr/share/zoneinfo/$WEBLATE_TIME_ZONE" and cat the
selected zonefile (or Etc/UTC fallback) into /tmp/localtime as in the original
block so the symlink /etc/localtime receives the correct contents.
- Around line 208-210: Replace the use of User.objects.raw("SELECT 1") inside
the readiness loop with a direct DB connection probe: change the command passed
to run_weblate shell -c so it imports django.db.connection, opens a cursor,
executes a simple SELECT 1 and fetches a row (instead of using
User.objects.raw), so the probe doesn't require a model PK and will succeed when
PostgreSQL is reachable; update the until line accordingly to use that
connection.cursor() probe and keep the same success/failure behavior.

---

Outside diff comments:
In `@weblate/trans/autobatchtranslate.py`:
- Around line 367-371: Fix the typo in the bot creation call: update the name
and verbose arguments passed to User.objects.get_or_create_bot (where bot_user
is assigned) from "Autobatch_translatior" to "Autobatch_translator" so both
parameters use the correct spelling.

In `@weblate/trans/models/component.py`:
- Around line 4672-4694: The loop over commit_groups must commit each
author-group immediately after update_units instead of deferring all commits;
after calling translation.update_units(changes, store, author_name) and
confirming changes (any(changes_status.values())), invoke
git_commit(translation, author_name, timestamp) (using the same timestamp
conversion to timezone.make_aware when needed) right there so the file state and
attribution are recorded before the next group mutates the file; remove or skip
the later deferred commit loop (the code that iterates translations_to_commit)
to avoid duplicate/empty commits and apply the same immediate-commit fix to the
other block referenced around lines 4708-4729.
- Around line 1214-1226: In progress_step, guard self.translations_count (typed
int | None) before using the floor-division: assign it to a local var (e.g.
count = self.translations_count), check for None or 0 (and keep the existing -1
check for linked_component handling) and return early if invalid to avoid mypy
type errors and divide-by-zero; then proceed to increment
self.translations_progress and compute progress = 100 *
self.translations_progress // count. Ensure you still call
linked_component.progress_step(progress) when translations_count == -1 and
preserve current_task checks.

---

Nitpick comments:
In @.github/workflows/cd.yml:
- Around line 35-37: Replace the fixed "sleep 300" in the workflow script block
with a configurable or retry-based health check: either reduce the hardcoded
delay to a shorter default or read a timeout/env var, or implement a retry loop
around the existing "curl -sf http://localhost:8000/healthz/" (with incremental
backoff and a max attempts) so the workflow probes until ready instead of always
waiting 300s; update the script block that currently contains "sleep 300" and
"curl -sf http://localhost:8000/healthz/" accordingly and ensure failures still
cause the job to fail if the max retries are exhausted.

In `@docker/Dockerfile`:
- Around line 9-10: Remove build-only sources from the final image by not
copying the full checkout into runtime or by deleting it before the final stage
completes: stop using COPY . /app/boost-weblate/ into the image that becomes
runtime, or after COPY --from=build /app /app remove /app/boost-weblate and
/app/src (or only copy /app/venv and the installed package artifacts instead of
the entire /app). Update the Dockerfile to ensure only runtime outputs (e.g.,
/app/venv and installed site-packages) are present in the final stage and remove
repo-only artifacts (referencing COPY . /app/boost-weblate/, COPY --from=build
/app /app, and paths /app/boost-weblate and /app/src); apply the same change for
the other instances noted (lines 50-51).

In `@docker/environment.example`:
- Around line 50-55: Remove the duplicate database-name variable by keeping only
the conventional POSTGRES_DB and deleting POSTGRES_DATABASE (or, if you need
both for compatibility, add a clarifying comment above the variables explaining
the difference and when to use POSTGRES_DB vs POSTGRES_DATABASE); update any
references in the codebase or docs to use POSTGRES_DB (search for
POSTGRES_DATABASE and replace or document usage) so the environment example is
unambiguous.

In `@docker/etc/nginx/generate-site.py`:
- Around line 7-17: Validate the number of CLI args before unpacking
sys.argv[1:] and raise a clear error if it doesn't match the expected count;
check len(sys.argv) (or len(sys.argv[1:])) against the number of variables
(TEMPLATE_DIRS, WEBLATE_URL_PREFIX, WEBLATE_REALIP, CLIENT_MAX_BODY_SIZE,
WEBLATE_BUILTIN_SSL, WEBLATE_ANUBIS_URL, SITE_DOMAIN, ENABLE_HTTPS) and exit
with a descriptive message explaining the expected arguments and their order so
the subsequent tuple unpacking using sys.argv[1:] will never raise a cryptic
ValueError.
- Around line 1-2: Add the GPL-3.0-or-later license header immediately after the
existing shebang in docker/etc/nginx/generate-site.py: insert the SPDX short
identifier line ("SPDX-License-Identifier: GPL-3.0-or-later"), a copyright line
with the project/organization and year, and the standard short GPL header notice
(one- or two-line copyright/permission notice) so the file clearly declares
GPL-3.0-or-later licensing; keep the shebang as the first line and place the
header directly below it.

In `@docker/etc/supervisor/conf.d/celery-backup.conf`:
- Around line 1-7: Add a supervisor "priority" setting to the celery-backup
program block to ensure deterministic startup order alongside the other Celery
workers; update the [program:celery-backup] configuration (the block defining
environment, command, autorestart, stdout_logfile, redirect_stderr) to include a
priority value consistent with the existing sequence (e.g., set priority=700 to
follow 400/500/600 pattern).

In `@docker/etc/supervisor/conf.d/celery-beat.conf`:
- Around line 1-7: Add a priority setting to the [program:celery-beat]
supervisor block so its startup order is explicit and consistent with the other
Celery configs; update the celery-beat section (program:celery-beat, the block
containing the command "/app/venv/bin/celery beat ...") to include a numeric
priority (for example 700 to match celery-translate.conf or another value chosen
to place beat at the correct order relative to celery-single.conf which uses
400).

In `@docker/etc/supervisor/conf.d/celery-single.conf`:
- Around line 1-8: The Celery command syntax is inconsistent across configs;
standardize them by using the explicit "--app=weblate.utils" form (as used in
the [program:celery] config) instead of relying on the CELERY_APP env var in
other files (e.g., celery-translate.conf). Update the command line in
celery-translate.conf (and any other Celery supervisor confs) to use "celery
--app=weblate.utils worker ..." preserving existing options/queues and any
"%(ENV_... )s" placeholders so all configs use the same explicit app invocation.

In `@docker/etc/supervisor/conf.d/celery-translate.conf`:
- Around line 1-8: Remove the CELERY_APP=weblate.utils environment assignment
from the [program:celery-translate] environment and update the command string
used by the celery worker to explicitly pass the app via -A (e.g., change the
command from the current "/app/venv/bin/celery worker ..." to include "-A
weblate.utils" so it reads like "celery -A weblate.utils worker ..."); keep the
existing hostname, loglevel, queues, pool, prefetch-multiplier and
%(ENV_CELERY_TRANSLATE_OPTIONS)s tokens and ensure stdout/stderr and autorestart
settings remain unchanged.

In `@docker/requirements.txt`:
- Around line 1-66: The requirements.txt duplicates and pins many deps already
declared in pyproject.toml, risking version drift; remove the hand-maintained
pins from docker/requirements.txt and instead: update the Dockerfile to install
from pyproject.toml extras (or from a generated lock file), and add a build step
in CI/packaging that generates a frozen requirements.txt (e.g., pip-compile /
"uv pip compile" or equivalent) from pyproject.toml so the Docker build consumes
that generated lockfile; ensure the repo documents the chosen flow and remove or
mark docker/requirements.txt as generated to avoid manual edits.

In `@pyproject.toml`:
- Around line 490-496: The pyproject.toml contains an empty [tool.pytest]
section that is redundant because [tool.pytest.ini_options] already exists;
either remove the empty [tool.pytest] header or replace it with a clarifying
comment indicating it's intentionally reserved for future pytest settings so
readers won't be confused—look for the [tool.pytest] and
[tool.pytest.ini_options] headers and perform the removal or add a short inline
comment explaining intent.

In `@weblate/trans/autobatchtranslate.py`:
- Around line 108-122: Add an explicit return type for _prepare_batch_request to
improve clarity and typing (e.g., Optional[Tuple[QuerySet, Dict[str,str],
Dict[int,UnitType], Set[str]]]) or replace the tuple return with a small
dataclass/namedtuple (e.g., BatchRequest = dataclass(...)) and return that
instead; update the function signature for _prepare_batch_request and adjust
callers that unpack units_qs, units_data, unit_map, expected_keys to use the new
typed return or fields to keep typesafe usage.
- Around line 62-105: Update the _resolve_openrouter_config function signature
to include a return type hint of a three-item optional string tuple (e.g. ->
tuple[Optional[str], Optional[str], Optional[str]] or -> (str | None, str |
None, str | None)) and import typing.Optional if using tuple[Optional[...]];
keep the existing logic and return values unchanged, only add the type
annotation to the function definition to satisfy the project type-hinting
guideline.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fa20452e-7956-480e-8687-f7b7104c51d0

📥 Commits

Reviewing files that changed from the base of the PR and between 9a01d2e and 2972150.

⛔ Files ignored due to path filters (2)

• docker/etc/nginx/ffdhe2048.pem is excluded by !**/*.pem
• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (67)

• .dockerignore
• .github/workflows/api.yml
• .github/workflows/cd.yml
• .github/workflows/dependency-review.yml
• .github/workflows/docs.yml
• .github/workflows/fossa.yml
• .github/workflows/issue-closed.yml
• .github/workflows/issue-commented.yml
• .github/workflows/issue-labeled.yml
• .github/workflows/issue-milestoned.yml
• .github/workflows/issue-opened.yml
• .github/workflows/issue-reopened.yaml
• .github/workflows/issue-stale.yml
• .github/workflows/labels.yml
• .github/workflows/licenses-update.yml
• .github/workflows/linkcheck.yml
• .github/workflows/macos.yml
• .github/workflows/migrations.yml
• .github/workflows/milestone-closed.yml
• .github/workflows/pr-stale.yml
• .github/workflows/pull_requests.yaml
• .github/workflows/schema-update.yml
• .github/workflows/setup.yml
• .github/workflows/test.yml
• .github/workflows/unicodechars.yml
• .github/workflows/uv-upgrade.yml
• .github/workflows/yarn-update.yml
• .gitignore
• .pre-commit-config.yaml
• REUSE.toml
• docker/Dockerfile
• docker/docker-compose.yml
• docker/environment.example
• docker/etc/nginx/default.tpl
• docker/etc/nginx/generate-site.py
• docker/etc/nginx/nginx.conf
• docker/etc/supervisor/conf.d/celery-backup.conf
• docker/etc/supervisor/conf.d/celery-beat.conf
• docker/etc/supervisor/conf.d/celery-celery.conf
• docker/etc/supervisor/conf.d/celery-memory.conf
• docker/etc/supervisor/conf.d/celery-notify.conf
• docker/etc/supervisor/conf.d/celery-single.conf
• docker/etc/supervisor/conf.d/celery-translate.conf
• docker/etc/supervisor/conf.d/check.conf
• docker/etc/supervisor/conf.d/web.conf
• docker/etc/supervisor/supervisord.conf
• docker/health_check
• docker/requirements.txt
• docker/start
• pyproject.toml
• scripts/backup/backup_from_server.sh
• scripts/backup/dump_database.sh
• scripts/backup/recalculate_stats.py
• scripts/backup/sync_database_to_files.py
• scripts/backup/update_push_urls.py
• start-weblate.sh
• stop-weblate.sh
• weblate/boost_endpoint/services.py
• weblate/boost_endpoint/views.py
• weblate/formats/asciidoc.py
• weblate/formats/quickbook.py
• weblate/settings_docker.py
• weblate/trans/autobatchtranslate.py
• weblate/trans/models/component.py
• weblate/trans/tasks.py
• weblate/utils/openrouter_translator.py
• weblate/utils/quickbook.py

💤 Files with no reviewable changes (24)

• .github/workflows/dependency-review.yml
• .github/workflows/issue-opened.yml
• .github/workflows/milestone-closed.yml
• .github/workflows/fossa.yml
• .github/workflows/issue-milestoned.yml
• .github/workflows/issue-labeled.yml
• .github/workflows/pull_requests.yaml
• .github/workflows/labels.yml
• .github/workflows/issue-closed.yml
• .github/workflows/licenses-update.yml
• .github/workflows/pr-stale.yml
• .github/workflows/schema-update.yml
• .github/workflows/issue-commented.yml
• .github/workflows/linkcheck.yml
• .github/workflows/issue-reopened.yaml
• .github/workflows/api.yml
• .github/workflows/macos.yml
• .github/workflows/yarn-update.yml
• .github/workflows/docs.yml
• .github/workflows/issue-stale.yml
• .github/workflows/uv-upgrade.yml
• .github/workflows/setup.yml
• .github/workflows/migrations.yml
• .github/workflows/unicodechars.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/specs/openapi.yaml`:
- Around line 72402-72403: The OpenAPI server entry currently publishes an
insecure URL (the server block with url: http://localhost:8000 and description:
Weblate); replace or augment it with a TLS endpoint (e.g., url:
https://weblate.example.com) and mark the http localhost URL explicitly as
dev-only (update description to "Weblate (dev only, HTTP)" or similar) so that
token-auth endpoints list a secure HTTPS server for production while retaining
localhost HTTP for local development only. Ensure the servers array contains the
HTTPS entry used for prod and keep the http://localhost:8000 entry only with an
explicit dev-only description.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5be13ed3-a57c-4017-b6f8-141b0b03b297

📥 Commits

Reviewing files that changed from the base of the PR and between 2972150 and 8240fb8.

📒 Files selected for processing (1)

• docs/specs/openapi.yaml

[coderabbitai]

♻️ Duplicate comments (1)

docs/specs/openapi.yaml (1)

72402-72403: ⚠️ Potential issue | 🟠 Major

Add a TLS production server entry; current server list still defaults to cleartext HTTP.

Line 72402 documents only http://localhost:8000 with a non-dev-specific description, which is unsafe guidance for token-auth API usage. Please add an HTTPS production URL and mark localhost as dev-only.

🔧 Proposed fix

 servers:
-- url: http://localhost:8000
-  description: Weblate
+- url: https://weblate.example.com
+  description: Weblate (production, TLS)
+- url: http://localhost:8000
+  description: Weblate (dev only, HTTP)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/specs/openapi.yaml` around lines 72402 - 72403, The OpenAPI servers list
currently contains only the entry with url: http://localhost:8000 and
description "Weblate"; add a production TLS server entry (e.g., url:
https://weblate.example.com) above the localhost entry and update descriptions
to distinguish environments (mark the existing http://localhost:8000 entry as
development-only). Modify the servers array so the first/primary server is the
HTTPS production URL, include a clear description like "Weblate (production,
TLS)" and change the localhost description to "Weblate (development only, HTTP)"
to avoid suggesting cleartext usage for token-auth APIs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@docs/specs/openapi.yaml`:
- Around line 72402-72403: The OpenAPI servers list currently contains only the
entry with url: http://localhost:8000 and description "Weblate"; add a
production TLS server entry (e.g., url: https://weblate.example.com) above the
localhost entry and update descriptions to distinguish environments (mark the
existing http://localhost:8000 entry as development-only). Modify the servers
array so the first/primary server is the HTTPS production URL, include a clear
description like "Weblate (production, TLS)" and change the localhost
description to "Weblate (development only, HTTP)" to avoid suggesting cleartext
usage for token-auth APIs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f6bd1fa4-2c61-470a-bb74-2c525d6eeb64

📥 Commits

Reviewing files that changed from the base of the PR and between 8909e2a and fecd134.

📒 Files selected for processing (1)

• docs/specs/openapi.yaml

[codecov-commenter]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️