Address Codacy and SonarCloud findings on PR #56

- Tests: add tests/.pylintrc to scope pytest idioms (W0621, W0212,
  W0613, C1803, R0801, R1732) that are legitimate in fixtures.
- Config: fix import ordering so stdlib imports precede first-party.
- Notify manager: expose has_sinks() instead of reaching into _lock /
  _sinks from module-level helpers.
- DAG executor: promote _mark_skipped to a _DagRun method so it no
  longer needs six positional arguments.
- http_download: extract _reject_oversize, _make_reporter, _run_stream
  to keep download_file under the per-function limits.
- __main__: split _build_parser into per-category subparser helpers.
- sync_ops: make _process_source_entry's dry_run / summary keyword-only.
- local_tab: declare widget attributes up front in __init__.
- progress_tab: rename shadowed built-in (bar -> progress_bar).
- tar_ops / __init__ / google_drive download_ops: clear W0706, C0414,
  C0325.
- Bandit/Semgrep: narrow nosec / nosemgrep comments to the exact call
  sites in shell_ops, fast_find, ftp client / upload_ops, and package
  loader.
- EmailSink / LocalOpsTab / metrics.record_action: justify the
  intentional pylint disables.
- test_secrets: move NOSONAR to the flagged credential literal line.

Author: JE-Chen

automation_file/__init__.py

@@ -236,9 +236,7 @@
 from automation_file.utils.rotate import RotateException, rotate_backups
 
 if TYPE_CHECKING:
-    from automation_file.ui.launcher import (
-        launch_ui as launch_ui,  # pylint: disable=useless-import-alias
-    )
+    from automation_file.ui.launcher import launch_ui
 
 # Shared callback executor + package loader wired to the shared registry.
 callback_executor: CallbackExecutor = CallbackExecutor(executor.registry)

automation_file/__main__.py

@@ -133,15 +133,7 @@ def _sleep_forever() -> None:
         time.sleep(3600)
 
 
-def _build_parser() -> argparse.ArgumentParser:
-    parser = argparse.ArgumentParser(prog="automation_file")
-    parser.add_argument("-e", "--execute_file", help="path to an action JSON file")
-    parser.add_argument("-d", "--execute_dir", help="directory containing action JSON files")
-    parser.add_argument("-c", "--create_project", help="scaffold a project at this path")
-    parser.add_argument("--execute_str", help="JSON action list as a string")
-
-    subparsers = parser.add_subparsers(dest="command")
-
+def _add_zip_commands(subparsers: argparse._SubParsersAction) -> None:
     zip_parser = subparsers.add_parser("zip", help="zip a file or directory")
     zip_parser.add_argument("source")
     zip_parser.add_argument("target")
@@ -159,6 +151,8 @@ def _build_parser() -> argparse.ArgumentParser:
     unzip_parser.add_argument("--password", default=None)
     unzip_parser.set_defaults(handler=_cmd_unzip)
 
+
+def _add_file_commands(subparsers: argparse._SubParsersAction) -> None:
     download_parser = subparsers.add_parser("download", help="SSRF-validated HTTP download")
     download_parser.add_argument("url")
     download_parser.add_argument("output")
@@ -169,6 +163,8 @@ def _build_parser() -> argparse.ArgumentParser:
     touch_parser.add_argument("--content", default="")
     touch_parser.set_defaults(handler=_cmd_create_file)
 
+
+def _add_server_commands(subparsers: argparse._SubParsersAction) -> None:
     server_parser = subparsers.add_parser("server", help="run the TCP action server")
     server_parser.add_argument("--host", default="localhost")
     server_parser.add_argument("--port", type=int, default=9943)
@@ -183,6 +179,8 @@ def _build_parser() -> argparse.ArgumentParser:
     http_parser.add_argument("--shared-secret", default=None)
     http_parser.set_defaults(handler=_cmd_http_server)
 
+
+def _add_integration_commands(subparsers: argparse._SubParsersAction) -> None:
     ui_parser = subparsers.add_parser("ui", help="launch the PySide6 GUI")
     ui_parser.set_defaults(handler=_cmd_ui)
 
@@ -206,6 +204,19 @@ def _build_parser() -> argparse.ArgumentParser:
     drive_parser.add_argument("--name", default=None)
     drive_parser.set_defaults(handler=_cmd_drive_upload)
 
+
+def _build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(prog="automation_file")
+    parser.add_argument("-e", "--execute_file", help="path to an action JSON file")
+    parser.add_argument("-d", "--execute_dir", help="directory containing action JSON files")
+    parser.add_argument("-c", "--create_project", help="scaffold a project at this path")
+    parser.add_argument("--execute_str", help="JSON action list as a string")
+
+    subparsers = parser.add_subparsers(dest="command")
+    _add_zip_commands(subparsers)
+    _add_file_commands(subparsers)
+    _add_server_commands(subparsers)
+    _add_integration_commands(subparsers)
     return parser
 
 

automation_file/core/config.py

@@ -53,7 +53,6 @@
 from automation_file.notify.manager import NotificationManager
 from automation_file.notify.sinks import (
     EmailSink,
-    NotificationException,
     NotificationSink,
     SlackSink,
     WebhookSink,
@@ -156,8 +155,6 @@ def _build_sink(entry: dict[str, Any]) -> NotificationSink:
         )
     try:
         return builder(entry)
-    except NotificationException:
-        raise
     except (TypeError, ValueError) as err:
         raise ConfigException(
             f"invalid config for sink {entry.get('name') or sink_type!r}: {err}"

automation_file/core/dag_executor.py

@@ -51,10 +51,19 @@ def __init__(
         self.pool = pool
         self.fail_fast = fail_fast
 
+    def _mark_skipped(self, dependent: str, reason_id: str) -> None:
+        with self.lock:
+            if dependent in self.results:
+                return
+            self.results[dependent] = f"skipped: dep {reason_id!r} failed"
+        for grandchild in self.graph.get(dependent, ()):
+            self.indegree[grandchild] -= 1
+            self._mark_skipped(grandchild, dependent)
+
     def _skip_dependents(self, node_id: str) -> None:
         for dependent in self.graph.get(node_id, ()):
             self.indegree[dependent] -= 1
-            _mark_skipped(dependent, node_id, self.graph, self.indegree, self.results, self.lock)
+            self._mark_skipped(dependent, node_id)
 
     def submit(self, node_id: str) -> None:
         action = self.node_map[node_id].get("action")
@@ -74,9 +83,7 @@ def _complete(self, node_id: str, value: Any, failed: bool) -> None:
         for dependent in self.graph.get(node_id, ()):
             self.indegree[dependent] -= 1
             if failed and self.fail_fast:
-                _mark_skipped(
-                    dependent, node_id, self.graph, self.indegree, self.results, self.lock
-                )
+                self._mark_skipped(dependent, node_id)
             elif self.indegree[dependent] == 0 and dependent not in self.results:
                 self.ready.append(dependent)
 
@@ -179,20 +186,3 @@ def _detect_cycle(
                 queue.append(dependent)
     if visited != len(ids):
         raise DagException("cycle detected in DAG")
-
-
-def _mark_skipped(
-    dependent: str,
-    reason_id: str,
-    graph: dict[str, list[str]],
-    indegree: dict[str, int],
-    results: dict[str, Any],
-    lock: threading.Lock,
-) -> None:
-    with lock:
-        if dependent in results:
-            return
-        results[dependent] = f"skipped: dep {reason_id!r} failed"
-    for grandchild in graph.get(dependent, ()):
-        indegree[grandchild] -= 1
-        _mark_skipped(grandchild, dependent, graph, indegree, results, lock)

automation_file/core/metrics.py

@@ -56,7 +56,7 @@ def record_action(action: str, duration_seconds: float, ok: bool) -> None:
     try:
         ACTION_COUNT.labels(action=action, status=status).inc()
         ACTION_DURATION.labels(action=action).observe(max(0.0, float(duration_seconds)))
-    except Exception as err:  # pragma: no cover - defensive
+    except Exception as err:  # pylint: disable=broad-except  # pragma: no cover - defensive
         file_automation_logger.error("metrics.record_action failed: %r", err)
 
 

automation_file/core/package_loader.py

@@ -32,10 +32,10 @@ def load(self, package: str) -> ModuleType | None:
             file_automation_logger.error("PackageLoader: cannot find %s", package)
             return None
         try:
-            # nosemgrep: python.lang.security.audit.non-literal-import.non-literal-import
             # `package` is a trusted caller-supplied name (see PackageLoader docstring and
             # the CLAUDE.md security note on plugin loading); it is not untrusted input.
-            module = import_module(spec.name)
+            name = spec.name
+            module = import_module(name)  # nosemgrep
         except ImportError as error:
             file_automation_logger.error("PackageLoader import error: %r", error)
             return None

automation_file/core/plugins.py

@@ -83,4 +83,4 @@ def _iter_entry_points() -> list[EntryPoint]:
     except TypeError:
         # importlib.metadata before 3.10 used a different API; the project
         # targets 3.10+, so this branch exists only as defensive padding.
-        return list(entry_points().get(ENTRY_POINT_GROUP, []))
+        return list(entry_points().get(ENTRY_POINT_GROUP, []))  # pylint: disable=no-member

automation_file/local/shell_ops.py

@@ -11,7 +11,7 @@
 
 from __future__ import annotations
 
-import subprocess
+import subprocess  # nosec B404 — used only via _run_subprocess with argv list + shell=False
 from collections.abc import Mapping, Sequence
 from pathlib import Path
 
@@ -44,7 +44,7 @@ def _run_subprocess(
     capture_output: bool,
 ) -> subprocess.CompletedProcess[str]:
     try:
-        return subprocess.run(
+        return subprocess.run(  # nosec B603 nosemgrep — argv_list validated; shell=False by default
             argv_list,
             timeout=timeout,
             cwd=cwd_path,

automation_file/local/sync_ops.py

@@ -69,7 +69,7 @@ def sync_dir(
 
     src_entries = _walk_relative(source)
     for rel in src_entries:
-        _process_source_entry(source, destination, rel, compare, dry_run, summary)
+        _process_source_entry(source, destination, rel, compare, dry_run=dry_run, summary=summary)
 
     if delete:
         _delete_extras(destination, src_entries, dry_run, summary)
@@ -103,6 +103,7 @@ def _process_source_entry(
     destination: Path,
     rel: Path,
     compare: str,
+    *,
     dry_run: bool,
     summary: dict[str, Any],
 ) -> None:

automation_file/local/tar_ops.py

@@ -87,8 +87,6 @@ def extract_tar(source: str, target_dir: str) -> list[str]:
                 else:
                     archive.extract(member, str(dest))
                 extracted.append(member.name)
-    except PathTraversalException:
-        raise
     except (OSError, tarfile.TarError) as err:
         raise TarException(f"extract_tar failed: {err}") from err