fix(security): address CodeQL security alerts and code quality issues

[AndyMik90]

Summary

• Fix 10 high severity security vulnerabilities in terminal-session-store.test.ts by using secure temporary directories with mkdtempSync() instead of predictable /tmp paths
• Remove dead code in PhaseProgressIndicator.tsx where condition was always false
• Clean up unused imports and variables across 16 files (backend tests and frontend components)

Test plan

• All frontend tests pass (1991 tests)
• All backend tests pass (192 tests verified)
• TypeScript compilation passes with no errors
• Pre-commit hooks pass (lint, typecheck)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Improved test environment isolation by using temporary directories for test execution, ensuring consistent test behavior.

• Refactor

  • Removed static progress rendering for subtasks to streamline the phase progress display.
  • Removed the Add Project button from the sidebar navigation.
  • Cleaned up unused code and simplified internal infrastructure across test and component files.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Multiple files undergo cleanup and refactoring: unused imports removed, test infrastructure updated for dynamic temporary directories, UI components simplified by removing Add Project workflow and static progress rendering, and test fixtures adjusted to reduce unnecessary scaffolding.

Changes

Cohort / File(s)	Summary
Test Infrastructure Refactoring apps/frontend/src/main/__tests__/terminal-session-store.test.ts, tests/conftest.py	Terminal session store tests refactored to use dynamic temporary directories instead of hardcoded paths via initTestPaths() and mkdtempSync. Python test fixtures simplified: removed dynamic pyproject.toml construction in favor of static string writing; improved error handling comments for module reloads.
Import Cleanup apps/frontend/src/main/agent/agent-process.ts, apps/frontend/src/main/python-env-manager.ts, tests/test_dependency_validator.py, tests/test_github_pr_e2e.py, tests/test_merge_fixtures.py, tests/test_spec_pipeline.py, tests/test_thinking_level_validation.py	Removed unused imports across multiple files: isWindows, writeFileSync, pytest, asyncio, dataclasses, AsyncMock, MagicMock, datetime. Changes reduce boilerplate without affecting runtime behavior.
Component UI Changes apps/frontend/src/renderer/components/Sidebar.tsx, apps/frontend/src/renderer/components/PhaseProgressIndicator.tsx	Sidebar: removed Trash2 icon import and Add Project workflow (selectProject, handleAddProject). PhaseProgressIndicator: eliminated static progress rendering for subtasks when phase is not running.
Hook/Component Adjustments apps/frontend/src/renderer/components/GitHubIssues.tsx	Removed unused issues destructuring from useGitHubIssues hook return; other hook fields remain in use.
Test Code Refinements apps/frontend/src/renderer/components/github-prs/hooks/__tests__/useGitHubPRs.test.ts, apps/frontend/src/renderer/components/settings/ProfileEditDialog.test.tsx, tests/test_github_pr_review.py, tests/test_recovery.py, tests/test_github_pr_e2e.py, tests/test_spec_pipeline.py	Minor test refactoring: unused mock declarations removed (mockOnSaved); parameter/variable renames for clarity (diskReviewResult → _diskReviewResult); import surface narrowed (BotDetectionState removed); RecoveryAction removed from imports; unused object instantiations simplified with comments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• fix(github): use selectedPR from hook to restore Files changed list #822 — Modifies GitHubIssues hook integration to rely on selectedIssue from the hook instead of local derivation.

Suggested labels

priority/medium

Suggested reviewers

• AlexMadera

Poem

🐰 Hoppy cleanup, files so bright,
Unused imports taking flight,
Temp dirs dance where hard paths stood,
Test rigs tidied—oh how good!
A rabbit's work, refactor's delight. 🌟

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main objective: addressing security alerts and code quality issues. It accurately reflects the primary changes across the PR, including security fixes in terminal-session-store.test.ts, dead code removal, and cleanup of unused imports.
Docstring Coverage	✅ Passed	Docstring coverage is 84.62% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @AndyMik90, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application's security posture by rectifying critical vulnerabilities related to temporary file handling in tests. Concurrently, it undertakes a comprehensive code cleanup effort, removing dead code and unused dependencies across various components, which collectively improves maintainability and overall code quality without altering core functionality.

Highlights

• Security Fixes: Addressed 10 high-severity security vulnerabilities in terminal-session-store.test.ts by implementing mkdtempSync() for secure, unique temporary directory creation, replacing predictable /tmp paths to prevent potential symlink attacks and race conditions.
• Code Quality Improvements: Removed dead code in PhaseProgressIndicator.tsx where a conditional block was unreachable, and eliminated numerous unused imports and variables across 16 frontend and backend test files to improve code clarity and reduce bundle size.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively addresses several CodeQL security alerts and improves code quality. The main security fix in terminal-session-store.test.ts, which replaces predictable temporary directory paths with secure, unique ones using mkdtempSync, is well-implemented and crucial for preventing symlink attacks. The removal of dead code in PhaseProgressIndicator.tsx correctly eliminates an unreachable code branch, improving maintainability. The extensive cleanup of unused imports and variables across numerous files is also a welcome improvement to the codebase's hygiene. I have one minor suggestion for improving code clarity in a test file, but overall, this is a solid set of fixes.

[gemini-code-assist]

While creating an instance of SpecOrchestrator just for its side effects in the constructor is valid, it's a common Python convention to assign the unused instance to an underscore (_). This explicitly signals to other developers and linters that the variable is intentionally unused. This pattern also applies to similar instantiations on lines 408 and 424.

Suggested change

	SpecOrchestrator(project_dir=temp_dir)
	_ = SpecOrchestrator(project_dir=temp_dir)

In general, to fix an unused local variable that is intentionally present for documentation, rename it to follow a convention that signals it is unused (e.g., prefix with unused_ or name it entirely underscores), or remove the left-hand side if only the right-hand side’s side effects are needed. Here, the object creation is only for illustrative purposes, and the test doesn’t rely on it. The best minimal fix is to rename _followup_context to something that includes unused, e.g., _unused_followup_context, which CodeQL explicitly whitelists.

Concretely, in tests/test_github_pr_e2e.py around line 443, change the variable name in the assignment from _followup_context to _unused_followup_context. No other references exist, so no further edits are required. No new imports, methods, or definitions are needed; this is a pure rename in that one assignment.

In general, to fix an "unused local variable" warning you either (1) remove the binding if the value is truly unused and the right-hand side’s side effects must still occur, or (2) rename the variable to a conventionally accepted “unused” name if it is intentionally unused but must exist, or (3) actually use the variable if it was meant to be used.

Here, the comment explicitly states that the manager instance is “not needed,” and the only goal is to “trigger directory creation.” Therefore, the best, minimal-impact fix is to remove the _manager variable binding and just call the constructor expression on its own. Concretely, in tests/test_recovery.py within test_initialization, replace the line:

        _manager = RecoveryManager(spec_dir, project_dir)

with:

        RecoveryManager(spec_dir, project_dir)

This preserves the constructor side effects while eliminating the unused variable, requires no new imports or additional definitions, and does not alter test behavior.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

apps/frontend/src/main/agent/agent-process.ts (2)

44-47: Replace direct platform check with isWindows().

Direct process.platform checks violate the coding guidelines. Use the isWindows() abstraction function instead.

♻️ Proposed fix

 function deriveGitBashPath(gitExePath: string): string | null {
-  if (process.platform !== 'win32') {
+  if (!isWindows()) {
     return null;
   }

As per coding guidelines, platform detection must use abstraction functions from the platform module.

---

168-181: Replace direct platform check with isWindows().

Direct process.platform checks violate the coding guidelines. Use the isWindows() abstraction function instead.

♻️ Proposed fix

     // On Windows, detect and pass git-bash path for Claude Code CLI
     // Electron can detect git via where.exe, but Python subprocess may not have the same PATH
     const gitBashEnv: Record<string, string> = {};
-    if (process.platform === 'win32' && !process.env.CLAUDE_CODE_GIT_BASH_PATH) {
+    if (isWindows() && !process.env.CLAUDE_CODE_GIT_BASH_PATH) {
       try {
         const gitInfo = getToolInfo('git');
         if (gitInfo.found && gitInfo.path) {

As per coding guidelines, platform detection must use abstraction functions from the platform module.

🤖 Fix all issues with AI agents

In `@apps/frontend/src/main/agent/agent-process.ts`:
- Line 27: Restore the missing isWindows import from the platform module in
agent-process.ts and replace direct process.platform checks in this file (the
places around the logic that currently reads process.platform at the locations
that end up around the existing checks) with the platform abstraction
isWindows(), ensuring any branching that used process.platform now calls
isWindows() and any platform-specific cleanup uses the platform helpers (e.g.,
keep using killProcessGracefully where appropriate). Locate the direct checks in
agent-process.ts (previously around the blocks that reference process.platform)
and update them to call isWindows() so all platform logic consistently uses the
platform module abstraction.

♻️ Duplicate comments (2)

tests/test_recovery.py (1)

98-99: Consider dropping the assignment to fully resolve the CodeQL alert.

The underscore prefix communicates intent to humans, but CodeQL still flags _manager as unused (per the existing security alert). Since the instance is only needed for its side effects, you can invoke the constructor without assignment.

♻️ Suggested fix

-        # Initialize manager to trigger directory creation (manager instance not needed)
-        _manager = RecoveryManager(spec_dir, project_dir)
+        # Initialize manager to trigger directory creation
+        RecoveryManager(spec_dir, project_dir)

tests/test_github_pr_e2e.py (1)

441-444: Resolve the unused follow-up context instance.

This still triggers the unused-variable finding; either remove it or assert on it so the test actually exercises the context.

💡 Suggested fix

-        _followup_context = FollowupReviewContext(
+        followup_context = FollowupReviewContext(
             pr_number=42,
             previous_review=loaded,
             previous_commit_sha="commit_1",
             current_commit_sha="commit_2",
             files_changed_since_review=["src/auth.py"],
             diff_since_review="- vulnerable_code()\n+ secure_code()",
         )
+        assert followup_context.files_changed_since_review == ["src/auth.py"]

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Restore isWindows import and use platform abstraction functions.

The isWindows import should not be removed. This file contains direct process.platform checks on lines 45 and 168, which violate the coding guidelines requiring platform abstraction functions. Based on learnings, all platform checks in apps/frontend/src/main/**/*.{ts,tsx} must use abstraction functions like isWindows() from the platform module.

♻️ Proposed fix to restore the import

-import { killProcessGracefully } from '../platform';
+import { isWindows, killProcessGracefully } from '../platform';

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	import { killProcessGracefully } from '../platform';
	import { isWindows, killProcessGracefully } from '../platform';

🤖 Prompt for AI Agents

In `@apps/frontend/src/main/agent/agent-process.ts` at line 27, Restore the
missing isWindows import from the platform module in agent-process.ts and
replace direct process.platform checks in this file (the places around the logic
that currently reads process.platform at the locations that end up around the
existing checks) with the platform abstraction isWindows(), ensuring any
branching that used process.platform now calls isWindows() and any
platform-specific cleanup uses the platform helpers (e.g., keep using
killProcessGracefully where appropriate). Locate the direct checks in
agent-process.ts (previously around the blocks that reference process.platform)
and update them to call isWindows() so all platform logic consistently uses the
platform module abstraction.

[AndyMik90]

✅ Auto Claude Review - APPROVED

Status: Ready to Merge

Summary: ### Merge Verdict: ✅ READY TO MERGE

✅ Ready to merge - All checks passing, no blocking issues found.

No blocking issues found

Risk Assessment

Factor	Level	Notes
Complexity	Low	Based on lines changed
Security Impact	None	Based on security findings
Scope Coherence	Good	Based on structural review

---

Generated by Auto Claude PR Review

---

This automated review found no blocking issues. The PR can be safely merged.

Generated by Auto Claude