chore: retire QZP/SaaS machinery; lean quality gate + CodeQL alert sweep #75
Merged
CodeQL `cs/path-combine` (note severity) flags every multi-argument `System.IO.Path.Combine` call because it cannot statically prove a later argument is non-rooted; an absolute later argument would silently discard the earlier ones. The official remediation is `Path.Join`. All 148 flagged sites (17 in src/, 131 in tests/) share the identical shape `Path.Join(<root>, "<relative-literal-or-var>")`. None passes a rooted later argument at runtime, so the migration is behavior-preserving: Combine and Join produce identical output for relative, multi-segment, trailing-separator and empty-segment inputs (verified empirically). The only Combine/Join divergence that mattered is null handling (`Path.Combine(null, x)` throws; `Path.Join(null, x)` does not). The sole site where Combine was the de-facto null guard is `KnownStoreLocator.GetKnownStores`; an explicit `ArgumentNullException.ThrowIfNull(codexHome)` preserves that contract, covered by a new guard-clause test. All other sites already touch their root argument before the Path call, so their null behavior is unchanged. Part of the quality-zero-platform drive-to-zero campaign.
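The Combine/Join divergence described in the commit message above, shown as an added example that is not code from this repository: the `StorePaths` class, the `ResolveUnderRoot` helper and the sample root and child paths are hypothetical. It goes one step beyond the commit by also checking containment after normalisation, because `Path.Join` concatenates segments without resolving `..`.

```csharp
using System;
using System.IO;

static class StorePaths
{
    // Hypothetical helper (not from the repository): resolve a relative child under a trusted root.
    public static string ResolveUnderRoot(string root, string child)
    {
        // Path.Join treats null as empty, so the null contract Combine enforced must be explicit.
        ArgumentNullException.ThrowIfNull(root);
        ArgumentNullException.ThrowIfNull(child);

        // A rooted later argument is the case cs/path-combine is about: reject it.
        if (Path.IsPathRooted(child))
            throw new ArgumentException("Child path must be relative.", nameof(child));

        string fullRoot = Path.TrimEndingDirectorySeparator(Path.GetFullPath(root));
        string candidate = Path.GetFullPath(Path.Join(fullRoot, child));

        // Join concatenates but leaves ".." in place; compare after normalisation.
        // Ordinal comparison fails closed on case-insensitive file systems.
        if (!candidate.StartsWith(fullRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Resolved path escapes the root.");

        return candidate;
    }

    public static void Main()
    {
        // Constructed sample values for illustration.
        string root = Path.Join(Path.GetTempPath(), "codex-home");
        const string rooted = "/other/place.txt";

        // Combine silently discards root when the later argument is rooted; Join keeps it.
        Console.WriteLine($"Combine: {Path.Combine(root, rooted)}");
        Console.WriteLine($"Join:    {Path.Join(root, rooted)}");

        foreach (string child in new[] { "sessions/a.jsonl", rooted, "../outside.txt" })
        {
            try { Console.WriteLine($"allow {ResolveUnderRoot(root, child)}"); }
            catch (Exception ex) when (ex is ArgumentException or UnauthorizedAccessException)
            { Console.WriteLine($"deny  {child}: {ex.Message}"); }
        }
    }
}
```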
…ed-select
Resolves the two open CodeQL `cs/linq/missed-select` alerts:
- src/CodexSessionManager.Storage/Parsing/SessionJsonlParser.cs:25
- src/CodexSessionManager.Storage/Discovery/SessionWorkspaceIndexer.cs:119
Both foreach loops immediately mapped the iteration variable (`line`) to
another variable (`document = JsonDocument.Parse(line)`), which the rule
flags as a missed `.Select(...)` projection. Moved the projection into the
LINQ pipeline.
Behavior-preserving: per-iteration disposal is retained by wrapping the
projected `document` in an explicit `using (document) { ... }` block, so
each JsonDocument is still disposed at the end of every iteration,
including on early `continue` and on exceptions — identical to the prior
`using var document` semantics. No `.Select` method-group is used (Parse
is overloaded); a static lambda keeps allocation-free behavior.
Build: dotnet build -c Release -> 0 warnings, 0 errors.
Tests: 112 passing (Core 18, Storage 43, App 51), 0 failed.
Coverage: SessionJsonlParser and SessionWorkspaceIndexer remain 100%
line / 100% branch.
Delete the Quality-Zero SaaS/auto-issue/churn workflow callers now that the lean 'quality' gate (quality.yml -> reusable-quality.yml) is the required check. Removed: codecov-analytics, quality-zero-backlog/gate/platform/ remediation, semgrep, sonarcloud. Kept genuine app CI/Release + security: ci.yml (build-test), codeql.yml, dependency-review.yml, quality.yml (lean gate incl. in-repo .quality/opengrep SAST + gitleaks + osv-scanner), release.yml, Dependabot. Bundles the CodeQL alert fixes (cs/path-combine sweep + cs/linq/missed-select) so HEAD lands clean.
This was referenced Jun 25, 2026
What
Retires the legacy Quality-Zero (QZP) SaaS / auto-issue / CI-churn machinery and finishes the migration to the lean `quality` gate, then bundles the outstanding CodeQL alert fixes so HEAD lands truly green.

Workflows deleted (QZP/SaaS/churn)
- `codecov-analytics.yml`, `quality-zero-backlog.yml`, `quality-zero-gate.yml`, `quality-zero-platform.yml`, `quality-zero-remediation.yml`, `semgrep.yml`, `sonarcloud.yml`
- `coverage-debug` workflow disabled.)

Kept (genuine)
- `quality.yml` (lean 6-gate caller — incl. in-repo `.quality/opengrep` SAST, gitleaks, osv-scanner), `codeql.yml`, `ci.yml` (build-test), `dependency-review.yml`, `release.yml`, Dependabot.

CodeQL alerts cleared
- `cs/path-combine` ×148 → `Path.Join` (supersedes fix: migrate Path.Combine to Path.Join (cs/path-combine sweep, 148 alerts) #64)
- `cs/linq/missed-select` ×2 (supersedes refactor: clear cs/linq/missed-select (project JsonDocument.Parse via Select) #66)
- `catch(Exception)` handlers + CancellationTokenSource field-ownership dispose pattern) dismissed as won't-fix/false-positive.

Why
The QZP machinery auto-generated issues and churned CI; the lean `quality` gate is the real required check (matches the Reframe baseline).

Verification
Passes the lean `quality` gate + `build-test` + `codeql` + `dependency-review`. Superseded PRs (#64, #66, and stale strict-zero/ECC PRs) closed.