fix: resolve all SonarQube issues and security hotspots

Author: nikolay-e

scripts/migrate_tests_to_yaml.py

@@ -49,9 +49,8 @@ def extract_dict_value(node: ast.expr) -> dict[str, str]:
 
 
 def _set_option(case: dict, key: str, value: ast.expr) -> None:
-    if isinstance(value, ast.Constant):
-        if value.value is not None:
-            case.setdefault("options", {})[key] = value.value
+    if isinstance(value, ast.Constant) and value.value is not None:
+        case.setdefault("options", {})[key] = value.value
 
 
 def _process_keyword(case: dict, kw: ast.keyword) -> None:

src/treemapper/cli.py

@@ -34,8 +34,7 @@ def _validate_budget(budget: int | None) -> None:
 
 
 def _validate_alpha(alpha: float) -> None:
-    is_valid = 0 < alpha < 1
-    if not is_valid:
+    if not (0 < alpha < 1):
         _exit_error(f"--alpha must be between 0 and 1 (exclusive), got {alpha}")
 
 

src/treemapper/diffctx/config/patterns.py

@@ -36,7 +36,9 @@
     "java_class": re.compile(r"^\s*(?:public\s+)?(?:abstract\s+)?(?:final\s+)?class\s+([A-Z]\w*)", re.MULTILINE),
     "java_interface": re.compile(r"^\s*(?:public\s+)?interface\s+([A-Z]\w*)", re.MULTILINE),
     "java_enum": re.compile(r"^\s*(?:public\s+)?enum\s+([A-Z]\w*)", re.MULTILINE),
-    "java_method": re.compile(r"^\s*(?:public|private|protected)?\s*(?:static\s+)?[\w<>\[\]]+\s+([a-z]\w*)\s*\(", re.MULTILINE),
+    "java_method": re.compile(
+        r"^\s{0,20}(?:(?:public|private|protected)\s+)?(?:static\s+)?[\w<>\[\]]{1,100}\s+([a-z]\w*)\s*\(", re.MULTILINE
+    ),
     "csharp_class": re.compile(r"^\s*(?:public\s+)?(?:partial\s+)?(?:abstract\s+)?class\s+([A-Z]\w*)", re.MULTILINE),
     "csharp_interface": re.compile(r"^\s*(?:public\s+)?interface\s+(I[A-Z]\w*)", re.MULTILINE),
     "c_function": re.compile(r"^(?:static\s+)?(?:\w+\s+)+(\w+)\s*\([^)]*\)\s*\{", re.MULTILINE),
@@ -68,5 +70,5 @@
 DOC_PATTERNS = {
     "citation": re.compile(r"\[@([a-zA-Z0-9_:-]+)\]"),
     "md_internal_link": re.compile(r"\[([^\]]+)\]\(#([^)]+)\)"),
-    "md_heading": re.compile(r"^#{1,6}\s+([^\n]+)$", re.MULTILINE),
+    "md_heading": re.compile(r"^#{1,6}\s+([^\n]{1,1000})$", re.MULTILINE),
 }

src/treemapper/diffctx/edges/base.py

@@ -65,6 +65,26 @@ def __init__(self, fragments: list[Fragment], repo_root: Path | None = None):
 _MIN_REF_LENGTH_FOR_PATH_MATCH = 3
 
 
+def _candidate_rel_path(candidate: Path, repo_root: Path | None) -> str:
+    if not repo_root:
+        return candidate.name.lower()
+    try:
+        return str(candidate.relative_to(repo_root)).lower()
+    except ValueError:
+        return candidate.name.lower()
+
+
+def _matches_any_ref(candidate_name: str, candidate_rel: str, refs: set[str]) -> bool:
+    for ref in refs:
+        ref_name = ref.split("/")[-1].lower()
+        if candidate_name == ref_name:
+            return True
+        ref_lower = ref.lower()
+        if len(ref_lower) >= _MIN_REF_LENGTH_FOR_PATH_MATCH and ref_lower in candidate_rel:
+            return True
+    return False
+
+
 def discover_files_by_refs(
     refs: set[str],
     changed_files: list[Path],
@@ -81,24 +101,9 @@ def discover_files_by_refs(
         if candidate in changed_set:
             continue
         candidate_name = candidate.name.lower()
-
-        if repo_root:
-            try:
-                candidate_rel = str(candidate.relative_to(repo_root)).lower()
-            except ValueError:
-                candidate_rel = candidate_name
-        else:
-            candidate_rel = candidate_name
-
-        for ref in refs:
-            ref_lower = ref.lower()
-            ref_name = ref.split("/")[-1].lower()
-            if candidate_name == ref_name:
-                discovered.append(candidate)
-                break
-            if len(ref_lower) >= _MIN_REF_LENGTH_FOR_PATH_MATCH and ref_lower in candidate_rel:
-                discovered.append(candidate)
-                break
+        candidate_rel = _candidate_rel_path(candidate, repo_root)
+        if _matches_any_ref(candidate_name, candidate_rel, refs):
+            discovered.append(candidate)
 
     return discovered
 

src/treemapper/diffctx/edges/config/cicd.py

@@ -20,9 +20,31 @@
 _JENKINS_SH_RE = re.compile(r"sh\s*(?:\(['\"]|['\"])(.+?)['\"]\)?", re.MULTILINE | re.DOTALL)
 _JENKINS_SCRIPT_RE = re.compile(r"script\s*\{([^}]+)\}", re.MULTILINE | re.DOTALL)
 
-_SCRIPT_CALL_RE = re.compile(
-    r"(?:bash|sh|python|python3|node|npm|yarn|pnpm|make|go|cargo|dotnet|mvn|gradle|pytest|ruff|mypy|black|isort|flake8)\s+([^\s;&|]+)"
+_SCRIPT_CALL_TOOLS = frozenset(
+    {
+        "bash",
+        "sh",
+        "python",
+        "python3",
+        "node",
+        "npm",
+        "yarn",
+        "pnpm",
+        "make",
+        "go",
+        "cargo",
+        "dotnet",
+        "mvn",
+        "gradle",
+        "pytest",
+        "ruff",
+        "mypy",
+        "black",
+        "isort",
+        "flake8",
+    }
 )
+_SCRIPT_CALL_RE = re.compile(r"(?:" + "|".join(sorted(_SCRIPT_CALL_TOOLS, key=len, reverse=True)) + r")\s+([^\s;&|]+)")
 _PKG_MANAGER_SUBCOMMANDS = frozenset(
     {
         "run",
@@ -162,6 +184,27 @@ def _extract_jenkins_refs(content: str) -> set[str]:
     return refs
 
 
+def _parse_tox_deps(deps: str, refs: set[str]) -> None:
+    for line in deps.splitlines():
+        line = line.strip()
+        if not line or line.startswith("#") or line.startswith("-r"):
+            continue
+        refs.add(line.split()[0] if line.split() else line)
+
+
+def _parse_tox_commands(commands: str, refs: set[str]) -> None:
+    for line in commands.splitlines():
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+        for p in line.split():
+            p = p.strip("'\"")
+            p = re.sub(r"\{[^}]+\}", "", p)
+            if p and not p.startswith("-"):
+                refs.add(p)
+        refs.update(_extract_script_refs(line))
+
+
 def _extract_tox_refs(content: str) -> set[str]:
     refs: set[str] = set()
     parser = configparser.ConfigParser()
@@ -173,28 +216,8 @@ def _extract_tox_refs(content: str) -> set[str]:
     for section in parser.sections():
         if not section.lower().startswith("testenv"):
             continue
-
-        deps = parser.get(section, "deps", fallback="")
-        commands = parser.get(section, "commands", fallback="")
-
-        for line in deps.splitlines():
-            line = line.strip()
-            if not line or line.startswith("#") or line.startswith("-r"):
-                continue
-            refs.add(line.split()[0] if line.split() else line)
-
-        for line in commands.splitlines():
-            line = line.strip()
-            if not line or line.startswith("#"):
-                continue
-            parts = line.split()
-            for p in parts:
-                p = p.strip("'\"")
-                p = re.sub(r"\{[^}]+\}", "", p)
-                if not p or p.startswith("-"):
-                    continue
-                refs.add(p)
-            refs.update(_extract_script_refs(line))
+        _parse_tox_deps(parser.get(section, "deps", fallback=""), refs)
+        _parse_tox_commands(parser.get(section, "commands", fallback=""), refs)
 
     return refs
 

src/treemapper/diffctx/edges/semantic/dotnet.py

@@ -13,8 +13,11 @@
 
 _CS_USING_RE = re.compile(r"^\s*using\s+(?:static\s+)?([A-Z][a-zA-Z0-9_.]*);", re.MULTILINE)
 _CS_NAMESPACE_RE = re.compile(r"^\s*namespace\s+([A-Z][a-zA-Z0-9_.]*)", re.MULTILINE)
+_CS_ACCESS = "public|private|protected|internal"
+_CS_MODIFIERS = "static|sealed|abstract|partial"
+_CS_TYPE_KW = "class|interface|struct|record|enum"
 _CS_CLASS_RE = re.compile(
-    r"^\s{0,20}(?:(?:public|private|protected|internal)\s{1,10})?(?:(?:static|sealed|abstract|partial)\s{1,10})?(?:class|interface|struct|record|enum)\s+([A-Z]\w{0,100})",
+    rf"^\s{{0,20}}(?:(?:{_CS_ACCESS})\s{{1,10}})?(?:(?:{_CS_MODIFIERS})\s{{1,10}})?(?:{_CS_TYPE_KW})\s+([A-Z]\w{{0,100}})",
     re.MULTILINE,
 )
 _CS_INHERIT_RE = re.compile(r"(?:class|struct|record)\s+\w+[^:\n]{0,200}:\s*([A-Z]\w*(?:,\s*[A-Z]\w*)*)")

src/treemapper/diffctx/edges/semantic/python.py

@@ -14,24 +14,29 @@
 _SYMBOL_REF_WEIGHT = 0.95
 _TYPE_REF_WEIGHT = 0.60
 
-_PY_IMPORT_RE = re.compile(r"(?:from\s+(\.{0,3}[\w.]*)\s+import|import\s+([\w.]+))")
+_PY_IMPORT_RE = re.compile(r"(?:from\s+(\.{0,3}[\w.]{0,200})\s+import|import\s+([\w.]{1,200}))")
 
 
 def _is_python_file(path: Path) -> bool:
     return path.suffix.lower() in _PYTHON_EXTS
 
 
+def _count_leading_dots(s: str) -> int:
+    return len(s) - len(s.lstrip("."))
+
+
+def _strip_source_prefix(parts: list[str]) -> list[str]:
+    for i, part in enumerate(parts):
+        if part in ("src", "lib", "packages"):
+            return parts[i + 1 :]
+    return parts
+
+
 def _resolve_relative_import(imported: str, source_path: Path, repo_root: Path | None = None) -> str | None:
     if not imported.startswith("."):
         return imported
 
-    dots = 0
-    for c in imported:
-        if c == ".":
-            dots += 1
-        else:
-            break
-
+    dots = _count_leading_dots(imported)
     relative_module = imported[dots:]
 
     if repo_root and source_path.is_absolute():
@@ -40,12 +45,7 @@ def _resolve_relative_import(imported: str, source_path: Path, repo_root: Path |
         except ValueError:
             pass
 
-    parent_parts = list(source_path.parent.parts)
-
-    for i, part in enumerate(parent_parts):
-        if part in ("src", "lib", "packages"):
-            parent_parts = parent_parts[i + 1 :]
-            break
+    parent_parts = _strip_source_prefix(list(source_path.parent.parts))
 
     if parent_parts and parent_parts[-1] == "__pycache__":
         parent_parts = parent_parts[:-1]

tests/conftest.py

@@ -114,7 +114,9 @@ def _run(args):
                 main()
                 return True
             except SystemExit as e:
-                return e.code == 0
+                if e.code == 0:
+                    return True
+                raise
 
     return _run
 

tests/framework/loader.py

@@ -95,28 +95,33 @@ def load_test_cases(yaml_path: Path) -> list[YamlTestCase]:
     return []
 
 
+def _is_triplet_part(yaml_file: Path, seen: set[Path]) -> bool:
+    if yaml_file in seen:
+        return True
+    return yaml_file.stem.endswith(("_after", "_diffctx"))
+
+
 def load_test_cases_from_dir(cases_dir: Path, pattern: str = "**/*.yaml") -> list[YamlTestCase]:
-    cases = []
+    cases: list[YamlTestCase] = []
     seen_triplet_bases: set[Path] = set()
 
     for yaml_file in sorted(cases_dir.glob(pattern)):
-        if yaml_file.stem.endswith("_before"):
-            triplet_case = _load_triplet(yaml_file)
-            if triplet_case:
-                seen_triplet_bases.add(yaml_file)
-                base_name = re.sub(r"_before$", "", yaml_file.stem)
-                seen_triplet_bases.add(yaml_file.parent / f"{base_name}_after.yaml")
-                seen_triplet_bases.add(yaml_file.parent / f"{base_name}_diffctx.yaml")
-                cases.append(triplet_case)
+        if not yaml_file.stem.endswith("_before"):
+            continue
+        triplet_case = _load_triplet(yaml_file)
+        if triplet_case:
+            seen_triplet_bases.add(yaml_file)
+            base_name = re.sub(r"_before$", "", yaml_file.stem)
+            seen_triplet_bases.add(yaml_file.parent / f"{base_name}_after.yaml")
+            seen_triplet_bases.add(yaml_file.parent / f"{base_name}_diffctx.yaml")
+            cases.append(triplet_case)
 
     for yaml_file in sorted(cases_dir.glob(pattern)):
-        if yaml_file in seen_triplet_bases:
-            continue
-        if yaml_file.stem.endswith(("_after", "_diffctx")):
-            continue
-        cases.extend(load_test_cases(yaml_file))
+        if not _is_triplet_part(yaml_file, seen_triplet_bases):
+            cases.extend(load_test_cases(yaml_file))
 
-    for yaml_file in sorted(cases_dir.glob(pattern.replace(".yaml", ".yml"))):
+    yml_pattern = pattern.replace(".yaml", ".yml")
+    for yaml_file in sorted(cases_dir.glob(yml_pattern)):
         if yaml_file in seen_triplet_bases:
             continue
         if yaml_file.stem.endswith(("_before", "_after", "_diffctx")):

tests/framework/runner.py

@@ -66,12 +66,12 @@ def verify_assertions(self, context: dict, case: YamlTestCase) -> None:
 
         for pattern in case.must_include:
             assert pattern in all_content, (
-                f"[{case.name}] Expected '{pattern}' in context, but not found.\n" f"Fragment paths: {fragment_paths}"
+                f"[{case.name}] Expected '{pattern}' in context, but not found.\n" + f"Fragment paths: {fragment_paths}"
             )
 
         for file_path in case.must_include_files:
             assert any(file_path in p for p in fragment_paths), (
-                f"[{case.name}] Expected file '{file_path}' in fragments, but not found.\n" f"Fragment paths: {fragment_paths}"
+                f"[{case.name}] Expected file '{file_path}' in fragments, but not found.\n" + f"Fragment paths: {fragment_paths}"
             )
 
         for content_block in case.must_include_content: