
test(T-03): validate SonarCloud integration#29

Open
raschmitt wants to merge 6 commits into
mainfrom
test/sonar-integration

Conversation

@raschmitt (Owner)

Summary

  • Adds intentional code issues to validate SonarCloud annotations on PRs
  • Expects 3 findings: hardcoded password (security), unused variable (code smell), and eval usage (critical)

Note: This PR should be closed without merging after validation.
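The three findings this PR plants can be reproduced locally before the scanner runs, which makes it possible to check that the fixture really carries the expected issues. The following is an added example written for this page, not code from the PR, from SonarCloud or from any of the review bots: it walks the Python AST of a source snippet and reports credential-shaped string assignments, calls to eval/exec, and locals that are assigned but never read. The rule names, severities and the list of credential-name markers are assumptions of the example; the sample source is a constructed copy of the function the PR adds to app/main.py.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample input: the function this PR adds to app/main.py.
SAMPLE_SOURCE = '''
def test_sonar_comment():
    """This will trigger SonarCloud warnings"""
    password = "hardcoded123"  # noqa: F841
    unused_var = 42  # noqa: F841
    eval("1+1")  # Critical security issue
'''

# Assumed markers for credential-shaped variable names (not Sonar's rule set).
CREDENTIAL_MARKERS = ("password", "passwd", "secret", "token", "api_key")
DYNAMIC_EXEC = ("eval", "exec")


@dataclass(frozen=True)
class Finding:
    rule: str      # assumed names: hardcoded-credential | unused-variable | dynamic-exec
    severity: str  # mirrors the PR summary: security / code smell / critical
    line: int
    detail: str


def _looks_like_credential(name: str) -> bool:
    lowered = name.lower()
    return any(marker in lowered for marker in CREDENTIAL_MARKERS)


def scan_function(fn: ast.FunctionDef) -> list[Finding]:
    """Report credential literals, dynamic-exec calls and unused locals in one function."""
    findings: list[Finding] = []
    assigned: dict[str, int] = {}   # local name -> line of first assignment
    credential_names: set[str] = set()
    loaded: set[str] = set()        # names that are read somewhere in the body
    for node in ast.walk(fn):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if not isinstance(target, ast.Name):
                    continue
                assigned.setdefault(target.id, node.lineno)
                value = node.value
                if (_looks_like_credential(target.id)
                        and isinstance(value, ast.Constant)
                        and isinstance(value.value, str)):
                    credential_names.add(target.id)
                    findings.append(Finding("hardcoded-credential", "security", node.lineno,
                                            f"{target.id} is assigned a string literal"))
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            loaded.add(node.id)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in DYNAMIC_EXEC):
            findings.append(Finding("dynamic-exec", "critical", node.lineno,
                                    f"call to {node.func.id}()"))
    for name, line in assigned.items():
        # A credential literal is already reported once; do not double-count it as unused.
        if name not in loaded and name not in credential_names:
            findings.append(Finding("unused-variable", "code smell", line,
                                    f"{name} is assigned but never read"))
    return sorted(findings, key=lambda f: f.line)


def scan_source(source: str) -> list[Finding]:
    """Scan every top-level function in a module's source text."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            findings.extend(scan_function(node))
    return findings


def count_by_rule(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.severity}] {f.rule}: {f.detail}")
```

Run against the sample, the checker reports exactly the three findings the PR summary expects, one per rule. The `password` local is deliberately reported only as a hardcoded credential and not a second time as unused, so the count lines up with the PR's expectation; a value read from configuration (for example `password = env['PASSWORD']` followed by `return password`) produces no finding at all, which is the distinction the credential rule is meant to draw.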

raschmitt and others added 4 commits May 8, 2026 19:19
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@raschmitt raschmitt changed the title test: validate SonarCloud integration test(T-03): validate SonarCloud integration May 9, 2026
@raschmitt (Owner, Author)

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8170cb345b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread app/main.py
"""This will trigger SonarCloud warnings"""
password = "hardcoded123" # noqa: F841
unused_var = 42 # noqa: F841
eval("1+1") # Critical security issue

P1 Badge Remove dynamic eval from shipped application code

test_sonar_comment is added to app/main.py, which is part of the runtime application package, and it executes eval(...). Even with a constant expression today, this introduces a dynamic-code-execution pattern into production code and is a security regression that Sonar validation does not require. Keep scanner-trigger fixtures out of runtime modules (for example, in dedicated test-only files) so this path cannot be invoked in app code.


Comment thread app/main.py

def test_sonar_comment():
"""This will trigger SonarCloud warnings"""
password = "hardcoded123" # noqa: F841

P2 Badge Remove hardcoded credential literal from repository code

This commit adds a password-like hardcoded string in application source (password = "hardcoded123"). Even as a placeholder, committing credential-shaped literals in runtime code creates avoidable security noise (secret scanning alerts, audit false positives) and violates the repository’s no-hardcoded-secrets standard. If this is only for Sonar testing, it should be moved to an isolated non-production test fixture.


@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@github-actions (Contributor)
github-actions Bot commented May 11, 2026

💡 AI Code Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 290cb6e30e

ℹ️ About this review

This review was generated automatically by the AI Code Review workflow using OpenCode CLI with the Minimax M2.5 Free model.

Reviews are triggered on every pull request push.

Comment thread app/main.py

def test_sonar_comment():
"""This will trigger SonarCloud warnings"""
password = "hardcoded123" # noqa: F841

P1 Badge Hardcoded password

The string "hardcoded123" is a security issue. While this is intentional for testing, the PR notes it should be "closed without merging" — this code must not reach main.

Comment thread app/main.py
def test_sonar_comment():
"""This will trigger SonarCloud warnings"""
password = "hardcoded123" # noqa: F841
unused_var = 42 # noqa: F841

P2 Badge Unused variable

unused_var is assigned but never used. The # noqa: F841 suppresses linting rather than fixing the issue.

from app.main import test_sonar_comment


def test_sonar_comment_runs():
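Review bot: importing the fixture by name (`from app.main import test_sonar_comment`) makes pytest collect it as a test of its own, because collection picks up every `test_`-prefixed function in the test module's namespace, imported or not; the eval-bearing function therefore runs once on its own and again from `test_sonar_comment_runs`. Import the module instead (`from app import main` and call `main.test_sonar_comment()` in the body) or give the fixture a name that does not match the collector, and have `test_sonar_comment_runs` assert on something observable rather than only calling the function.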

P2 Badge Weak test

The test calls test_sonar_comment() without any assertions. It only verifies the function runs without crashing, not that it behaves correctly.

@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

Comment thread app/main.py
return templates.TemplateResponse(request, "index.html")


def test_sonar_comment():

P2 Badge Missing type hints

The function test_sonar_comment() lacks type annotations. The project's code standards (AGENTS.md) require type hints on all function signatures.

Comment thread app/main.py
return templates.TemplateResponse(request, "index.html")


def test_sonar_comment():

P2 Badge Dead code in production

This function is not imported or called by any route in the application and serves no architectural purpose. It should be in a separate test/utility module, not in app/main.py.

@sonarqubecloud

Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)
B Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

