
chore: retire QZP/SaaS machinery; lean quality gate + CodeQL alert sweep #75

Merged
Prekzursil merged 4 commits into main from chore/retire-qzp-truly-green
Jun 25, 2026

@Prekzursil

Owner

What

Retires the legacy Quality-Zero (QZP) SaaS / auto-issue / CI-churn machinery and finishes the migration to the lean quality gate, then bundles the outstanding CodeQL alert fixes so HEAD lands truly green.

Workflows deleted (QZP/SaaS/churn)

  • codecov-analytics.yml, quality-zero-backlog.yml, quality-zero-gate.yml, quality-zero-platform.yml, quality-zero-remediation.yml, semgrep.yml, sonarcloud.yml
  • (Also disabled at the Actions level; coverage-debug workflow disabled.)

Kept (genuine)

  • quality.yml (lean 6-gate caller — incl. in-repo .quality/opengrep SAST, gitleaks, osv-scanner), codeql.yml, ci.yml (build-test), dependency-review.yml, release.yml, Dependabot.

CodeQL alerts cleared

Why

The QZP machinery auto-generated issues and churned CI; the lean quality gate is the real required check (matches the Reframe baseline).

Verification

Passes the lean quality gate + build-test + codeql + dependency-review. Superseded PRs (#64, #66, and stale strict-zero/ECC PRs) closed.

Prekzursil and others added 3 commits June 26, 2026 01:09
CodeQL `cs/path-combine` (note severity) flags every multi-argument
`System.IO.Path.Combine` call because it cannot statically prove a later
argument is non-rooted; an absolute later argument would silently discard
the earlier ones. The official remediation is `Path.Join`.

All 148 flagged sites (17 in src/, 131 in tests/) share the identical
shape `Path.Join(<root>, "<relative-literal-or-var>")`. None passes a
rooted later argument at runtime, so the migration is behavior-preserving:
Combine and Join produce identical output for relative, multi-segment,
trailing-separator and empty-segment inputs (verified empirically).

The only Combine/Join divergence that mattered is null handling
(`Path.Combine(null, x)` throws; `Path.Join(null, x)` does not). The sole
site where Combine was the de-facto null guard is
`KnownStoreLocator.GetKnownStores`; an explicit
`ArgumentNullException.ThrowIfNull(codexHome)` preserves that contract,
covered by a new guard-clause test. All other sites already touch their
root argument before the Path call, so their null behavior is unchanged.

Part of the quality-zero-platform drive-to-zero campaign.
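
The Combine/Join differences this commit message describes (a rooted later argument, a null root), shown as an added example that is not code from this repository. It assumes .NET 6 or later; `StorePaths.ResolveUnderRoot` and the sample paths are hypothetical and constructed. The containment check goes one step beyond the commit: `Path.Join` keeps a rooted argument under the root but does not stop `..` segments from resolving above it.

```csharp
using System;
using System.IO;

public static class StorePaths // hypothetical helper, not from this repository
{
    // Joins a relative name onto root, keeps the null contract Path.Combine gave
    // for free, and rejects any result that does not stay below root.
    public static string ResolveUnderRoot(string root, string relative)
    {
        ArgumentNullException.ThrowIfNull(root);     // Path.Join(null, x) does not throw
        ArgumentNullException.ThrowIfNull(relative);
        string fullRoot = Path.GetFullPath(root);
        string candidate = Path.GetFullPath(Path.Join(fullRoot, relative));
        // Join keeps a rooted later argument under root, but ".." segments still
        // resolve upward, so containment is checked on the normalized path.
        string prefix = Path.EndsInDirectorySeparator(fullRoot)
            ? fullRoot : fullRoot + Path.DirectorySeparatorChar;
        if (!candidate.StartsWith(prefix, StringComparison.Ordinal))
            throw new ArgumentException($"'{relative}' resolves outside '{fullRoot}'.", nameof(relative));
        return candidate;
    }
}

public static class Program
{
    public static void Main()
    {
        const string root = "/srv/codex-home";   // constructed sample values
        const string rooted = "/etc/hosts";
        string? missing = null;

        Console.WriteLine($"Combine, rooted 2nd arg: {Path.Combine(root, rooted)}"); // root is dropped
        Console.WriteLine($"Join,    rooted 2nd arg: {Path.Join(root, rooted)}");    // root is kept
        Console.WriteLine($"Join,    null root:      {Path.Join(missing, "sessions")}"); // no exception

        try { Path.Combine(missing!, "sessions"); }
        catch (ArgumentNullException) { Console.WriteLine("Combine, null root:      ArgumentNullException"); }

        foreach (string name in new[] { "sessions/a.jsonl", rooted, "../outside.jsonl" })
        {
            try { Console.WriteLine($"ResolveUnderRoot({name}) -> {StorePaths.ResolveUnderRoot(root, name)}"); }
            catch (ArgumentException ex) { Console.WriteLine($"ResolveUnderRoot({name}) rejected: {ex.Message}"); }
        }
    }
}
```
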
…ed-select

Resolves the two open CodeQL `cs/linq/missed-select` alerts:
- src/CodexSessionManager.Storage/Parsing/SessionJsonlParser.cs:25
- src/CodexSessionManager.Storage/Discovery/SessionWorkspaceIndexer.cs:119

Both foreach loops immediately mapped the iteration variable (`line`) to
another variable (`document = JsonDocument.Parse(line)`), which the rule
flags as a missed `.Select(...)` projection. Moved the projection into the
LINQ pipeline.

Behavior-preserving: per-iteration disposal is retained by wrapping the
projected `document` in an explicit `using (document) { ... }` block, so
each JsonDocument is still disposed at the end of every iteration,
including on early `continue` and on exceptions — identical to the prior
`using var document` semantics. No `.Select` method-group is used (Parse
is overloaded); a static lambda keeps allocation-free behavior.

Build: dotnet build -c Release -> 0 warnings, 0 errors.
Tests: 112 passing (Core 18, Storage 43, App 51), 0 failed.
Coverage: SessionJsonlParser and SessionWorkspaceIndexer remain 100%
line / 100% branch.

Delete the Quality-Zero SaaS/auto-issue/churn workflow callers now that the
lean 'quality' gate (quality.yml -> reusable-quality.yml) is the required
check. Removed: codecov-analytics, quality-zero-backlog/gate/platform/
remediation, semgrep, sonarcloud.

Kept genuine app CI/Release + security: ci.yml (build-test), codeql.yml,
dependency-review.yml, quality.yml (lean gate incl. in-repo .quality/opengrep
SAST + gitleaks + osv-scanner), release.yml, Dependabot.

Bundles the CodeQL alert fixes (cs/path-combine sweep + cs/linq/missed-select)
so HEAD lands clean.
@Prekzursil Prekzursil merged commit 37cc9aa into main Jun 25, 2026
9 checks passed
@Prekzursil Prekzursil deleted the chore/retire-qzp-truly-green branch June 25, 2026 22:19