Triage initial CodeQL findings

[saagpatel]

Goal

Triage the initial GitHub code-scanning alert backlog now that CodeQL is enabled on main.

Notes

• Keep detailed alert review inside the GitHub Security / Code scanning UI.
• Prioritize real exploitability and user-facing exposure first.
• Start with the critical/high buckets, then decide which note-level findings are worth cleanup versus dismissal.

Done When

• Critical/high alerts are reviewed and either fixed or intentionally dismissed with rationale.
• Any confirmed fixes land through normal PR + CI.
• The security model docs are updated if the accepted policy changes.

[saagpatel]

First remediation tranche is complete. PR #12 hardened the local web runner and HTMX fragments; PR #13 documented the remaining analyzer boundary and the three targeted CodeQL records were closed as reviewed false positives. Current targeted status on main: no open py/command-line-injection or py/reflective-xss alerts. Remaining backlog stays focused on logging/storage sensitivity review plus lower-severity cleanup.

[saagpatel]

Second CodeQL tranche complete. PR #14 documents the generated artifact privacy model, and the reviewed clear-text logging/storage false-positive family has been closed with that rationale. Current open alert total is 125, with py/clear-text-logging-sensitive-data and py/clear-text-storage-sensitive-data both at zero open alerts. Next high-signal tranche: the remaining high-severity URL substring sanitization and weak hashing findings, followed by medium stack-trace exposure.

[saagpatel]

Third CodeQL tranche complete. PR #15 fixed the remaining high-severity URL substring sanitization and SHA-1 hashing findings. Main CI and CodeQL both passed on 3818087, and current open counts are zero for py/incomplete-url-substring-sanitization and py/weak-sensitive-data-hashing. Open code-scanning backlog is now 119, mostly note-level cleanup plus 7 medium stack-trace exposure findings.

[saagpatel]

Fourth CodeQL tranche complete. PR #16 fixed the medium-severity stack-trace exposure findings by replacing exception-detail HTMX fragments with generic user-safe errors. Main CI and CodeQL both passed on 9a67ad7, and py/stack-trace-exposure is now zero open alerts. Open code-scanning backlog is now 112, all note/warning/error maintainability cleanup with no high/medium security findings left open.

[saagpatel]

Fifth CodeQL tranche complete. PR #17 documented intentional empty fallback catches across source and targeted tests. Main CI and CodeQL both passed on f443331, and py/empty-except is now zero open alerts. Open code-scanning backlog is now 73, led by py/cyclic-import, py/repeated-import, and unused-symbol cleanup.

[saagpatel]

Import-hygiene tranche completed and merged.

Merged PRs:

• chore(codeql): clean up import hygiene #18 cleaned repeated imports, unused import aliases, and most mixed import styles.
• chore(codeql): finish suggest initiatives import cleanup #19 removed the last py/import-and-import-from instance in tests/test_suggest_initiatives.py.

Verification:

• PR and post-merge main CI passed.
• PR and post-merge main CodeQL passed.
• main now has 0 open py/repeated-import, 0 open py/unused-import, and 0 open py/import-and-import-from alerts.

Remaining open CodeQL families on main are now led by py/cyclic-import plus non-import cleanup items.

[saagpatel]

Dead-code tranche completed and merged.

Merged PR:

• chore(codeql): clean up dead-code alerts #20 cleaned the non-cyclic CodeQL leftovers: unused locals, unused global state, redundant comparison, multiple definition, uninitialized local, and ineffectual placeholder statements.

Verification:

• Local verifier passed before PR: python3 -m pytest -q -p no:cacheprovider and ruff check src/ tests/.
• PR checks passed: CI and CodeQL.
• Post-merge main checks passed: CI and CodeQL.
• Open CodeQL alerts on main are now only py/cyclic-import (33 alerts).

Next tranche:

• Tackle cyclic imports as a separate refactor-oriented pass.

[saagpatel]

Cyclic-import tranche completed and merged.

Merged PR:

• chore(codeql): break static model import cycles #21 broke the static cycle rooted in src.models by keeping AuditReport.from_audits public but deferring report assembly dependencies dynamically.

Verification:

• Local verifier passed before PR: python3 -m pytest -q -p no:cacheprovider and ruff check src/ tests/.
• PR checks passed: CI and CodeQL.
• PR branch had 0 open CodeQL alerts before merge.
• Post-merge main checks passed: CI and CodeQL.
• main now has 0 open CodeQL alerts for the CodeQL tool.

Status:

• The public repo CodeQL cleanup is complete from the current alert list.

[saagpatel]

Final closeout: CodeQL cleanup is complete.

Verified on main:

• CI passed.
• CodeQL passed.
• Open CodeQL alerts: 0.
• Branch protection now requires both test (3.11) and Analyze (python) before merge.
• Dependabot alerts and automated security fixes are enabled.

Closing this tracking issue as complete.