fix: address Copilot review round 8 findings

- Raise tag limit from 5 to 10 to match existing catalog entries;
  update publishing guides accordingly
- Deduplicate tags in parse_tags() so duplicate submissions produce
  stable catalog output
- Make _count_list_items() tolerant of non-bullet formats: count all
  non-empty lines when no bullets are present
- Add 29 unit tests for catalog-validate.py covering parse_issue_body,
  tags, description, speckit_version, _count_list_items, and SSRF guard

Author: mnriem

.github/scripts/catalog-validate.py

@@ -376,8 +376,8 @@ def validate_tags(value: str) -> tuple[bool, str]:
     raw_tags = [t.strip().lower() for t in value.split(",") if t.strip()]
     if len(raw_tags) < 2:
         return False, "Please provide at least 2 tags."
-    if len(raw_tags) > 5:
-        return False, f"Too many tags ({len(raw_tags)}). Please provide 2-5 tags."
+    if len(raw_tags) > 10:
+        return False, f"Too many tags ({len(raw_tags)}). Please provide 2-10 tags."
     bad = [t for t in raw_tags if not re.match(r"^[a-z0-9-]+$", t)]
     if bad:
         return False, (
@@ -413,13 +413,16 @@ def validate_checklist(value: str, field_name: str) -> tuple[bool, str]:
 
 
 def _count_list_items(value: str) -> int:
-    """Count markdown list items (``- item``) in a textarea value."""
+    """Count items in a textarea value (bullets or non-empty lines)."""
     if not _present(value):
         return 0
-    return sum(
-        1 for line in value.splitlines()
-        if line.strip().startswith("- ") or line.strip().startswith("* ")
-    )
+    lines = [line.strip() for line in value.splitlines() if line.strip()]
+    # If any lines use bullet format, count only those
+    bullets = [l for l in lines if l.startswith(("- ", "* "))]
+    if bullets:
+        return len(bullets)
+    # Otherwise count all non-empty lines
+    return len(lines)
 
 
 # ---------------------------------------------------------------------------
@@ -568,12 +571,12 @@ def _add(field: str, ok: bool, msg: str, *, severity: str = "error") -> None:
 # ---------------------------------------------------------------------------
 
 def parse_tags(value: str) -> list[str]:
-    """Parse comma-separated tags into a sorted list."""
-    return sorted(
+    """Parse comma-separated tags into a sorted, deduplicated list."""
+    return sorted(set(
         t.strip().lower()
         for t in value.split(",")
         if t.strip()
-    )
+    ))
 
 
 def _clean(value: str | None) -> str:

extensions/EXTENSION-PUBLISHING-GUIDE.md

@@ -49,7 +49,7 @@ Submit your extension by opening an issue using the **Extension Submission** tem
    - Description length (under 200 characters)
    - Required URLs are present and reachable
    - Spec Kit version constraint is valid
-   - Tags format and count (2-5 lowercase tags)
+   - Tags format and count (2-10 lowercase tags)
    - All required fields and checklists are completed
 2. If any checks fail, the issue gets a `needs-changes` label with details on what to fix. Edit the issue to correct the fields and validation re-runs automatically.
 3. Once all checks pass, the issue gets a `validated` label and a **pull request is created automatically** that:

presets/PUBLISHING.md

@@ -53,7 +53,7 @@ Submit your preset by opening an issue using the **Preset Submission** template:
    - Description length (under 200 characters)
    - Required URLs are present and reachable
    - Spec Kit version constraint is valid
-   - Tags format and count (2-5 lowercase tags)
+   - Tags format and count (2-10 lowercase tags)
    - All required fields and checklists are completed
 2. If any checks fail, the issue gets a `needs-changes` label with details on what to fix. Edit the issue to correct the fields and validation re-runs automatically.
 3. Once all checks pass, the issue gets a `validated` label and a **pull request is created automatically** that:

tests/test_catalog_validate.py

@@ -0,0 +1,183 @@
+"""Tests for .github/scripts/catalog-validate.py."""
+
+from __future__ import annotations
+
+import importlib
+import ipaddress
+import sys
+import types
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+
+# ---------------------------------------------------------------------------
+# Import the script as a module
+# ---------------------------------------------------------------------------
+
+SCRIPT = Path(__file__).resolve().parents[1] / ".github" / "scripts" / "catalog-validate.py"
+
+
+@pytest.fixture(scope="module")
+def cv():
+    """Import catalog-validate.py as a module."""
+    spec = importlib.util.spec_from_file_location("catalog_validate", SCRIPT)
+    mod = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(mod)
+    return mod
+
+
+# ---------------------------------------------------------------------------
+# parse_issue_body
+# ---------------------------------------------------------------------------
+
+
+class TestParseIssueBody:
+    def test_basic_fields(self, cv):
+        body = "### Name\nAlice\n### Version\n1.0.0\n"
+        result = cv.parse_issue_body(body)
+        assert result["Name"] == "Alice"
+        assert result["Version"] == "1.0.0"
+
+    def test_multiline_field(self, cv):
+        body = "### Description\nLine one\nLine two\n### End\nval"
+        result = cv.parse_issue_body(body)
+        assert "Line one\nLine two" == result["Description"]
+
+    def test_empty_body(self, cv):
+        assert cv.parse_issue_body("") == {}
+
+    def test_checkbox_field(self, cv):
+        body = "### Checklist\n- [X] Item 1\n- [ ] Item 2\n"
+        result = cv.parse_issue_body(body)
+        assert "- [X] Item 1" in result["Checklist"]
+
+
+# ---------------------------------------------------------------------------
+# parse_tags / validate_tags
+# ---------------------------------------------------------------------------
+
+
+class TestTags:
+    def test_parse_tags_dedup(self, cv):
+        assert cv.parse_tags("foo, foo, bar") == ["bar", "foo"]
+
+    def test_parse_tags_sorted(self, cv):
+        assert cv.parse_tags("z, a, m") == ["a", "m", "z"]
+
+    def test_validate_tags_too_few(self, cv):
+        ok, _ = cv.validate_tags("single")
+        assert not ok
+
+    def test_validate_tags_too_many(self, cv):
+        ok, _ = cv.validate_tags(", ".join(f"tag{i}" for i in range(11)))
+        assert not ok
+
+    def test_validate_tags_max_10(self, cv):
+        ok, _ = cv.validate_tags(", ".join(f"tag{i}" for i in range(10)))
+        assert ok
+
+    def test_validate_tags_bad_chars(self, cv):
+        ok, _ = cv.validate_tags("good, BAD CHARS!")
+        assert not ok
+
+
+# ---------------------------------------------------------------------------
+# validate_description
+# ---------------------------------------------------------------------------
+
+
+class TestValidateDescription:
+    def test_empty(self, cv):
+        ok, _ = cv.validate_description("")
+        assert not ok
+
+    def test_valid(self, cv):
+        ok, _ = cv.validate_description("Short description")
+        assert ok
+
+    def test_over_limit_new(self, cv):
+        ok, _ = cv.validate_description("x" * 201)
+        assert not ok
+
+    def test_over_limit_update_warns(self, cv):
+        ok, msg = cv.validate_description("x" * 201, is_update=True)
+        assert ok
+        assert "Consider shortening" in msg
+
+
+# ---------------------------------------------------------------------------
+# validate_speckit_version
+# ---------------------------------------------------------------------------
+
+
+class TestValidateSpeckitVersion:
+    def test_valid(self, cv):
+        ok, _ = cv.validate_speckit_version(">=0.6.0")
+        assert ok
+
+    def test_valid_multi(self, cv):
+        ok, _ = cv.validate_speckit_version(">=0.6.0,<1.0.0")
+        assert ok
+
+    def test_invalid(self, cv):
+        ok, _ = cv.validate_speckit_version("not-a-version")
+        assert not ok
+
+    def test_empty(self, cv):
+        ok, _ = cv.validate_speckit_version("")
+        assert not ok
+
+
+# ---------------------------------------------------------------------------
+# _count_list_items
+# ---------------------------------------------------------------------------
+
+
+class TestCountListItems:
+    def test_bullets(self, cv):
+        assert cv._count_list_items("- one\n- two\n- three") == 3
+
+    def test_asterisks(self, cv):
+        assert cv._count_list_items("* one\n* two") == 2
+
+    def test_plain_lines(self, cv):
+        assert cv._count_list_items("one\ntwo\nthree") == 3
+
+    def test_empty(self, cv):
+        assert cv._count_list_items("") == 0
+
+    def test_mixed_blank(self, cv):
+        assert cv._count_list_items("- one\n\n- two") == 2
+
+
+# ---------------------------------------------------------------------------
+# SSRF guard (_is_safe_redirect_target)
+# ---------------------------------------------------------------------------
+
+
+class TestSSRFGuard:
+    def test_rejects_private_ip(self, cv):
+        assert not cv._is_safe_redirect_target("http://127.0.0.1/evil")
+
+    def test_rejects_non_http(self, cv):
+        assert not cv._is_safe_redirect_target("ftp://example.com/file")
+
+    def test_rejects_no_hostname(self, cv):
+        assert not cv._is_safe_redirect_target("http:///path")
+
+    def test_allows_public(self, cv):
+        # Mock DNS to return a public IP
+        fake_addr = [(None, None, None, None, ("93.184.216.34", 0))]
+        with patch.object(cv.socket, "getaddrinfo", return_value=fake_addr):
+            assert cv._is_safe_redirect_target("https://example.com")
+
+    def test_rejects_multicast(self, cv):
+        fake_addr = [(None, None, None, None, ("224.0.0.1", 0))]
+        with patch.object(cv.socket, "getaddrinfo", return_value=fake_addr):
+            assert not cv._is_safe_redirect_target("https://multicast.test")
+
+    def test_rejects_unspecified(self, cv):
+        fake_addr = [(None, None, None, None, ("0.0.0.0", 0))]
+        with patch.object(cv.socket, "getaddrinfo", return_value=fake_addr):
+            assert not cv._is_safe_redirect_target("https://zero.test")