fix(security): address CodeQL security alerts and code quality issues

apps/frontend/src/main/__tests__/terminal-session-store.test.ts

@@ -3,22 +3,37 @@
  * Tests atomic writes, backup recovery, race condition prevention, and write serialization
  */
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
-import { mkdirSync, writeFileSync, rmSync, existsSync, readFileSync } from 'fs';
+import { mkdirSync, mkdtempSync, writeFileSync, rmSync, existsSync, readFileSync } from 'fs';
 import path from 'path';
-
-// Test directories
-const TEST_DIR = '/tmp/terminal-session-store-test';
-const USER_DATA_PATH = path.join(TEST_DIR, 'userData');
-const SESSIONS_DIR = path.join(USER_DATA_PATH, 'sessions');
-const STORE_PATH = path.join(SESSIONS_DIR, 'terminals.json');
-const TEMP_PATH = path.join(SESSIONS_DIR, 'terminals.json.tmp');
-const BACKUP_PATH = path.join(SESSIONS_DIR, 'terminals.json.backup');
-const TEST_PROJECT_PATH = path.join(TEST_DIR, 'test-project');
+import os from 'os';
+
+// Test directories - use secure temporary directory with unique suffix
+// This prevents symlink attacks and race conditions compared to predictable /tmp paths
+let TEST_DIR: string;
+let USER_DATA_PATH: string;
+let SESSIONS_DIR: string;
+let STORE_PATH: string;
+let TEMP_PATH: string;
+let BACKUP_PATH: string;
+let TEST_PROJECT_PATH: string;
+
+function initTestPaths(): void {
+  // Create a unique temporary directory using mkdtempSync for security
+  TEST_DIR = mkdtempSync(path.join(os.tmpdir(), 'terminal-session-store-test-'));
+  USER_DATA_PATH = path.join(TEST_DIR, 'userData');
+  SESSIONS_DIR = path.join(USER_DATA_PATH, 'sessions');
+  STORE_PATH = path.join(SESSIONS_DIR, 'terminals.json');
+  TEMP_PATH = path.join(SESSIONS_DIR, 'terminals.json.tmp');
+  BACKUP_PATH = path.join(SESSIONS_DIR, 'terminals.json.backup');
+  TEST_PROJECT_PATH = path.join(TEST_DIR, 'test-project');
+}
 
 // Mock Electron before importing the store
+// Note: The mock uses a getter to access the dynamic paths at runtime
 vi.mock('electron', () => ({
   app: {
     getPath: vi.fn((name: string) => {
+      // Access the module-level variables which are set before each test
       if (name === 'userData') return USER_DATA_PATH;
       return TEST_DIR;
     })
@@ -27,13 +42,16 @@ vi.mock('electron', () => ({
 
 // Setup test directories
 function setupTestDirs(): void {
+  // Initialize unique test paths for this test run
+  initTestPaths();
   mkdirSync(SESSIONS_DIR, { recursive: true });
   mkdirSync(TEST_PROJECT_PATH, { recursive: true });
 }
 
 // Cleanup test directories
 function cleanupTestDirs(): void {
-  if (existsSync(TEST_DIR)) {
+  // Only clean up if TEST_DIR was initialized and exists
+  if (TEST_DIR && existsSync(TEST_DIR)) {
     rmSync(TEST_DIR, { recursive: true, force: true });
   }
 }
@@ -71,7 +89,9 @@ function createTestSession(overrides: Partial<{
 
 describe('TerminalSessionStore', () => {
   beforeEach(async () => {
+    // Clean up any previous test's temp directory
     cleanupTestDirs();
+    // Setup creates new unique temp directory for this test
     setupTestDirs();
     vi.resetModules();
     vi.useFakeTimers();

apps/frontend/src/main/agent/agent-process.ts

@@ -24,7 +24,7 @@ import type { AppSettings } from '../../shared/types/settings';
 import { getOAuthModeClearVars } from './env-utils';
 import { getAugmentedEnv } from '../env-utils';
 import { getToolInfo } from '../cli-tool-manager';
-import { isWindows, killProcessGracefully } from '../platform';
+import { killProcessGracefully } from '../platform';
 
 /**
  * Type for supported CLI tools

apps/frontend/src/main/python-env-manager.ts

@@ -1,5 +1,5 @@
 import { spawn, execSync, ChildProcess } from 'child_process';
-import { existsSync, readdirSync, writeFileSync } from 'fs';
+import { existsSync, readdirSync } from 'fs';
 import path from 'path';
 import { EventEmitter } from 'events';
 import { app } from 'electron';

apps/frontend/src/renderer/components/GitHubIssues.tsx

@@ -28,7 +28,6 @@ export function GitHubIssues({ onOpenSettings, onNavigateToTask }: GitHubIssuesP
   const tasks = useTaskStore((state) => state.tasks);
 
   const {
-    issues,
     syncStatus,
     isLoading,
     isLoadingMore,

apps/frontend/src/renderer/components/PhaseProgressIndicator.tsx

@@ -197,15 +197,6 @@ export const PhaseProgressIndicator = memo(function PhaseProgressIndicator({
               key="indeterminate-static"
               className={cn('absolute h-full w-1/3 rounded-full left-1/3', colors.color)}
             />
-          ) : totalSubtasks > 0 ? (
-            // Static progress based on subtasks (when not running)
-            <motion.div
-              key="static"
-              className={cn('h-full rounded-full', colors.color)}
-              initial={{ width: 0 }}
-              animate={{ width: `${subtaskProgress}%` }}
-              transition={{ duration: 0.5, ease: 'easeOut' }}
-            />
           ) : null}
         </AnimatePresence>
       </div>

apps/frontend/src/renderer/components/Sidebar.tsx

@@ -3,7 +3,6 @@ import { useTranslation } from 'react-i18next';
 import {
   Plus,
   Settings,
-  Trash2,
   LayoutGrid,
   Terminal,
   Map,
@@ -103,7 +102,6 @@ export function Sidebar({
   const { t } = useTranslation(['navigation', 'dialogs', 'common']);
   const projects = useProjectStore((state) => state.projects);
   const selectedProjectId = useProjectStore((state) => state.selectedProjectId);
-  const selectProject = useProjectStore((state) => state.selectProject);
   const settings = useSettingsStore((state) => state.settings);
 
   const [showAddProjectModal, setShowAddProjectModal] = useState(false);
@@ -209,10 +207,6 @@ export function Sidebar({
     checkGit();
   }, [selectedProject]);
 
-  const handleAddProject = () => {
-    setShowAddProjectModal(true);
-  };
-
   const handleProjectAdded = (project: Project, needsInit: boolean) => {
     if (needsInit) {
       setPendingProject(project);

apps/frontend/src/renderer/components/github-prs/hooks/__tests__/useGitHubPRs.test.ts

@@ -71,7 +71,7 @@ async function simulateSelectPR(params: SelectPRTestParams): Promise<SelectPRTes
     prNumber,
     projectId,
     existingState,
-    diskReviewResult,
+    diskReviewResult: _diskReviewResult,  // Passed for test documentation but not used directly
     mockCheckNewCommits,
     mockGetPRReview,
     mockSetNewCommitsCheck,

apps/frontend/src/renderer/components/settings/ProfileEditDialog.test.tsx

@@ -455,7 +455,6 @@ describe('ProfileEditDialog - Validation', () => {
 
 describe('ProfileEditDialog - Test Connection Feature', () => {
   const mockOnOpenChange = vi.fn();
-  const mockOnSaved = vi.fn();
   const mockTestConnection = vi.fn();
 
   const mockProfile: APIProfile = {

tests/conftest.py

@@ -153,6 +153,7 @@
                 try:
                     importlib.reload(sys.modules[review_module])
                 except Exception:
+                    # Module reload may fail if dependencies aren't loaded; safe to ignore
                     pass
 
 
@@ -267,25 +268,7 @@
 @pytest.fixture
 def python_project(temp_git_repo: Path) -> Path:
     """Create a sample Python project structure."""
-    # Create pyproject.toml
-    pyproject = {
-        "project": {
-            "name": "test-project",
-            "version": "0.1.0",
-            "dependencies": [
-                "flask>=2.0",
-                "pytest>=7.0",
-                "sqlalchemy>=2.0",
-            ],
-        },
-        "tool": {
-            "pytest": {"testpaths": ["tests"]},
-            "ruff": {"line-length": 100},
-        },
-    }
-
-    import tomllib
-    # Write as TOML (we'll write manually since tomllib is read-only)
+    # Write pyproject.toml content directly (tomllib is read-only, no writer)
     toml_content = """[project]
 name = "test-project"
 version = "0.1.0"
@@ -1057,17 +1040,21 @@
 # MERGE SYSTEM FIXTURES AND SAMPLE DATA
 # =============================================================================
 
-# Import merge module (path already added at top of conftest)
+# NOTE: These imports appear unused but are intentionally kept at module level.
+# They cause the merge module to be loaded during pytest collection, which:
+# 1. Validates that merge module imports work correctly
+# 2. Ensures coverage includes merge module files (required for 10% threshold)
+# Removing these imports drops coverage from ~12% to ~4% (CodeQL: intentional)
 try:
-    from merge import (
+    from merge import (  # noqa: F401
         SemanticAnalyzer,
         ConflictDetector,
         AutoMerger,
         FileEvolutionTracker,
         AIResolver,
     )
 except ImportError:
-    # Module will be available when tests run
+    # Module will be available when tests run from correct directory
     pass
 
 # Sample data constants moved to test_fixtures.py

tests/test_dependency_validator.py

@@ -13,8 +13,6 @@
 from pathlib import Path
 from unittest.mock import MagicMock, patch
 
-import pytest
-
 # Add apps/backend directory to path for imports
 sys.path.insert(0, str(Path(__file__).parent.parent / "apps" / "backend"))
 

tests/test_github_pr_e2e.py

@@ -6,13 +6,11 @@
 These tests validate the integration between components.
 """
 
-import asyncio
 import json
 import sys
 from datetime import datetime, timedelta
 from pathlib import Path
-from unittest.mock import AsyncMock, MagicMock, patch
-from dataclasses import dataclass
+from unittest.mock import patch
 
 import pytest
 
@@ -441,7 +439,8 @@
         assert loaded.has_posted_findings is True
 
         # Step 3: Contributor fixes the issue, new commit
-        followup_context = FollowupReviewContext(
+        # Note: Context shown for documentation; test validates result persistence
+        _followup_context = FollowupReviewContext(
             pr_number=42,
             previous_review=loaded,
             previous_commit_sha="commit_1",

tests/test_github_pr_review.py

@@ -5,12 +5,10 @@
 Tests the PR review orchestrator and follow-up review functionality.
 """
 
-import json
 import sys
 from datetime import datetime
 from pathlib import Path
-from unittest.mock import AsyncMock, MagicMock, patch
-from dataclasses import asdict
+from unittest.mock import patch
 
 import pytest
 
@@ -30,7 +28,7 @@
     MergeVerdict,
     FollowupReviewContext,
 )
-from bot_detection import BotDetector, BotDetectionState
+from bot_detection import BotDetector
 
 
 # ============================================================================

tests/test_merge_fixtures.py

@@ -12,10 +12,8 @@
 import os
 import subprocess
 import sys
-from datetime import datetime
 from pathlib import Path
 from typing import Callable, Generator
-from unittest.mock import MagicMock
 
 import pytest
 

tests/test_recovery.py

@@ -16,12 +16,11 @@
 import tempfile
 import shutil
 from pathlib import Path
-from datetime import datetime
 
 # Add parent directory to path for imports
 sys.path.insert(0, str(Path(__file__).parent.parent))
 
-from recovery import RecoveryManager, FailureType, RecoveryAction
+from recovery import RecoveryManager, FailureType
 
 
 def setup_test_environment():
@@ -96,7 +95,8 @@
     temp_dir, spec_dir, project_dir, saved_env = setup_test_environment()
 
     try:
-        manager = RecoveryManager(spec_dir, project_dir)
+        # Initialize manager to trigger directory creation (manager instance not needed)
+        _manager = RecoveryManager(spec_dir, project_dir)
 
         # Check that memory directory was created
         assert (spec_dir / "memory").exists(), "Memory directory not created"

tests/test_spec_pipeline.py

@@ -14,9 +14,8 @@
 import pytest
 import sys
 import time
-from datetime import datetime, timedelta
 from pathlib import Path
-from unittest.mock import MagicMock, patch, AsyncMock
+from unittest.mock import MagicMock, patch
 
 # Add auto-claude directory to path for imports
 sys.path.insert(0, str(Path(__file__).parent.parent / "Apps" / "backend"))
@@ -356,9 +355,6 @@ def test_removes_empty_pending_folder(self, temp_dir: Path):
             import os
             os.utime(old_pending, (old_time, old_time))
 
-            # Store the inode to verify it's actually deleted and recreated
-            old_inode = old_pending.stat().st_ino
-
             # Creating orchestrator triggers cleanup
             # The cleanup removes 002-pending (empty and old)
             # Then _create_spec_dir creates 004-pending (after 003)
@@ -386,8 +382,8 @@ def test_keeps_folder_with_requirements(self, temp_dir: Path):
             import os
             os.utime(pending_with_req, (old_time, old_time))
 
-            # Creating orchestrator triggers cleanup
-            orchestrator = SpecOrchestrator(project_dir=temp_dir)
+            # Creating orchestrator triggers cleanup (instance not used)
+            SpecOrchestrator(project_dir=temp_dir)
 
             assert pending_with_req.exists()
 
@@ -408,8 +404,8 @@ def test_keeps_folder_with_spec(self, temp_dir: Path):
             import os
             os.utime(pending_with_spec, (old_time, old_time))
 
-            # Creating orchestrator triggers cleanup
-            orchestrator = SpecOrchestrator(project_dir=temp_dir)
+            # Creating orchestrator triggers cleanup (instance not used)
+            SpecOrchestrator(project_dir=temp_dir)
 
             assert pending_with_spec.exists()
 
@@ -424,8 +420,8 @@ def test_keeps_recent_pending_folder(self, temp_dir: Path):
             recent_pending = specs_dir / "001-pending"
             recent_pending.mkdir()
 
-            # Creating orchestrator triggers cleanup
-            orchestrator = SpecOrchestrator(project_dir=temp_dir)
+            # Creating orchestrator triggers cleanup (instance not used)
+            SpecOrchestrator(project_dir=temp_dir)
 
             # Recent folder should still exist (unless orchestrator created 002-pending)
             # The folder might be gone if orchestrator picked a different name

tests/test_thinking_level_validation.py

@@ -9,8 +9,6 @@
 import sys
 from pathlib import Path
 
-import pytest
-
 # Add auto-claude to path
 sys.path.insert(0, str(Path(__file__).parent.parent / "Apps" / "backend"))