Chore/lint config migration

.github/workflows/ci.yml

@@ -123,6 +123,7 @@ jobs:
     needs: [detect-changes, build]
     if: needs.detect-changes.outputs.has_modules == 'true'
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     strategy:
       fail-fast: false
       matrix:
@@ -203,7 +204,6 @@ jobs:
                 --db_user=odoo \
                 --db_password=odoo \
                 --stop-after-init \
-                --no-http \
                 --data-dir /tmp/odoo-data \
                 -i ${{ matrix.module }} \
                 --test-tags=/${{ matrix.module }} \

.github/workflows/security.yml

@@ -167,6 +167,7 @@ jobs:
             --config p/python \
             --config p/security-audit \
             --config .semgrep/ \
+            --exclude scripts/ \
             --sarif \
             --output semgrep-results.sarif \
             2>&1 || SEMGREP_EXIT=$?
@@ -176,6 +177,7 @@ jobs:
             --config p/python \
             --config p/security-audit \
             --config .semgrep/ \
+            --exclude scripts/ \
             2>&1 || true
 
           exit ${SEMGREP_EXIT:-0}

.openspp-lint.yaml

@@ -71,6 +71,11 @@ rules:
       - "line_ids" # Generic line items (typically <20)
       - "manager_ids" # Program managers (typically <10)
       - "approver_ids" # Approval workflow (typically <5)
+      - "bank_ids" # Bank accounts (typically 1-5 per person)
+      - "phone_number_ids" # Phone numbers (typically 1-3 per person)
+      - "entitlement_manager_ids" # Entitlement managers (typically <10 per program)
+      - "payment_manager_ids" # Payment managers (typically <10 per program)
+      - "farm_machinery_ids" # Farm machinery (typically <20 per farm)
 
 # Severity overrides (change default severity for rules)
 # Valid values: error, warning, info

.pre-commit-config.yaml

@@ -138,6 +138,7 @@ repos:
       - id: pylint_odoo
         args:
           - --rcfile=.pylintrc-mandatory
+        exclude: ^spp$|^scripts/|^(base_user_role|endpoint_route_handler|extendable|extendable_fastapi|fastapi|openspp-vocabularies|openspp|theme_openspp_muk|queue_job)/
   # ============================================================================
   # OpenSPP Custom Linting Rules
   # Based on docs/principles/ - see scripts/lint/README.md for details
@@ -147,7 +148,8 @@ repos:
       # Phase 1: Simple pattern-based checks (pygrep)
       - id: openspp-no-assertraises-tuple
         name: "OpenSPP: No tuple in assertRaises"
-        description: "Odoo's assertRaises doesn't support tuple of exceptions like stdlib unittest"
+        description:
+          "Odoo's assertRaises doesn't support tuple of exceptions like stdlib unittest"
         entry: 'self\.assertRaises\s*\(\s*\('
         language: pygrep
         types: [python]
@@ -202,7 +204,8 @@ repos:
       # Phase 2: Compliance check (security spec validation)
       - id: openspp-compliance-check
         name: "OpenSPP: Security compliance check"
-        description: "Validate modules with compliance.yaml against actual security config"
+        description:
+          "Validate modules with compliance.yaml against actual security config"
         entry: python -m scripts.compliance.checker --all
         language: python
         additional_dependencies:
@@ -236,7 +239,9 @@ repos:
       # Phase 3: UI patterns check (warning only)
       - id: openspp-check-ui
         name: "OpenSPP: UI patterns"
-        description: "Check list limits, sample data, XPath syntax, statusbar location, extension points"
+        description:
+          "Check list limits, sample data, XPath syntax, statusbar location, extension
+          points"
         entry: python scripts/lint/check_ui_patterns.py
         language: python
         additional_dependencies:
@@ -272,7 +277,8 @@ repos:
       # API authentication enforcement
       - id: openspp-check-api-auth
         name: "OpenSPP: API endpoint authentication"
-        description: "Verify all API endpoints require authentication (allowlist for public)"
+        description:
+          "Verify all API endpoints require authentication (allowlist for public)"
         entry: python scripts/audit-api-auth.py --strict
         language: python
         pass_filenames: false
@@ -293,6 +299,7 @@ repos:
     hooks:
       - id: semgrep
         args: ["--config", ".semgrep/", "--error", "--quiet"]
+        additional_dependencies: ["setuptools<82"]
         # Only scan OpenSPP spp_* modules (not scripts, endpoint handlers, etc.)
         files: ^spp_
         # Exclude test files, migrations, and demo-only modules

.pylintrc-mandatory

@@ -13,22 +13,14 @@ valid-odoo-versions=19.0
 [MESSAGES CONTROL]
 disable=all
 
+# Mandatory checks: these block CI. High-volume cosmetic checks
+# (attribute-string-redundant, except-pass, missing-return, etc.)
+# are in the optional .pylintrc only, enforced via --exit-zero.
 enable=anomalous-backslash-in-string,
-    api-one-deprecated,
-    api-one-multi-together,
     assignment-from-none,
-    attribute-deprecated,
-    class-camelcase,
     dangerous-default-value,
-    dangerous-view-replace-wo-priority,
     development-status-allowed,
-    duplicate-id-csv,
     duplicate-key,
-    duplicate-xml-fields,
-    duplicate-xml-record-id,
-    eval-referenced,
-    eval-used,
-    incoherent-interpreter-exec-perm,
     license-allowed,
     manifest-author-string,
     manifest-deprecated-key,
@@ -37,58 +29,23 @@ enable=anomalous-backslash-in-string,
     manifest-version-format,
     method-compute,
     method-inverse,
-    method-required-super,
     method-search,
-    openerp-exception-warning,
     pointless-statement,
-    pointless-string-statement,
     print-used,
-    redundant-keyword-arg,
-    redundant-modulename-xml,
     reimported,
-    relative-import,
     return-in-init,
-    rst-syntax-error,
     sql-injection,
     too-few-format-args,
     translation-field,
-    translation-required,
     unreachable,
-    use-vim-comment,
-    wrong-tabs-instead-of-spaces,
     xml-syntax-error,
-    attribute-string-redundant,
-    character-not-valid-in-resource-link,
-    consider-merging-classes-inherited,
     context-overridden,
-    create-user-wo-reset-password,
-    dangerous-filter-wo-user,
-    dangerous-qweb-replace-wo-priority,
-    deprecated-data-xml-node,
-    deprecated-openerp-xml-node,
     duplicate-po-message-definition,
-    except-pass,
-    file-not-used,
-    invalid-commit,
-    manifest-maintainers-list,
-    missing-newline-extrafiles,
-    missing-readme,
-    missing-return,
-    odoo-addons-relative-import,
-    old-api7-method-defined,
     po-msgstr-variables,
     po-syntax-error,
     renamed-field-parameter,
     resource-not-exist,
-    str-format-used,
     test-folder-imported,
-    translation-contains-variable,
-    translation-positional-used,
-    unnecessary-utf8-coding-comment,
-    website-manifest-key-not-valid-uri,
-    xml-attribute-translatable,
-    xml-deprecated-qweb-directive,
-    xml-deprecated-tree-attribute,
     external-request-timeout
 
 [REPORTS]

.ruff.toml

@@ -11,10 +11,10 @@ extend-select = [
     "UP",  # pyupgrade
 ]
 extend-safe-fixes = ["UP008"]
-exclude = ["setup/*"]
+exclude = ["setup/*", "fastapi/*", "base_user_role/*", "endpoint_route_handler/*", "extendable/*", "extendable_fastapi/*", "openspp-vocabularies/*", "openspp/*", "theme_openspp_muk/*", "queue_job/*"]
 
 [format]
-exclude = ["setup/*"]
+exclude = ["setup/*", "fastapi/*", "base_user_role/*", "endpoint_route_handler/*", "extendable/*", "extendable_fastapi/*", "openspp-vocabularies/*", "openspp/*", "theme_openspp_muk/*", "queue_job/*"]
 
 [lint.per-file-ignores]
 "__init__.py" = ["F401", "I001"]  # ignore unused and unsorted imports in __init__.py

.semgrep/odoo-security.yml

@@ -68,19 +68,13 @@ rules:
       owasp: "A03:2021 Injection"
 
   - id: odoo-unsafe-safe-eval
-    patterns:
-      - pattern-either:
-          - pattern: safe_eval(...)
-          - pattern: odoo.tools.safe_eval.safe_eval(...)
-          - pattern: odoo.tools.safe_eval.test_expr(...)
-      # Suppress in compute methods and known-safe domain evaluation
-      # contexts where the input is developer-controlled, not user-controlled.
-      - pattern-not-inside: |
-          def _compute_$METHOD(...):
-              ...
-      - pattern-not-inside: |
-          def action_domain_eval(...):
-              ...
+    # NOTE: pattern-not-inside blocks removed - semgrep v1.90.0 cannot parse
+    # metavariable/ellipsis patterns in Python function definitions.
+    # Use nosemgrep inline annotations for known-safe usage.
+    pattern-either:
+      - pattern: safe_eval(...)
+      - pattern: odoo.tools.safe_eval.safe_eval(...)
+      - pattern: odoo.tools.safe_eval.test_expr(...)
     message: |
       safe_eval() is NOT safe with user input!
       It can be bypassed to achieve code execution.
@@ -227,7 +221,8 @@ rules:
           - pattern: _logger.$METHOD(..., $RECORD.national_id, ...)
           - pattern: _logger.$METHOD(..., $RECORD.tax_id, ...)
           - pattern: _logger.$METHOD(..., $RECORD.vat, ...)
-    message: "Potential PII (national/tax ID) in log message - CRITICAL privacy violation."
+    message:
+      "Potential PII (national/tax ID) in log message - CRITICAL privacy violation."
     severity: ERROR
     languages: [python]
     metadata: