fix: address SonarQube code quality issues

- Move workflow permissions to job level in ci.yml
- Simplify regex patterns in edge builders
- Remove pip-audit from pre-commit hooks
- Fix unused variables and parameters
- Extract terraform.py nested conditional
- Add constant for kubernetes.py yaml extensions
- Fix test assertions and exception handling

Author: nikolay-e

.github/workflows/ci.yml

@@ -1,9 +1,6 @@
 # .github/workflows/ci.yml
 name: treemapper CI
 
-permissions:
-  contents: read
-
 'on':
   pull_request:
     branches: ['**']
@@ -18,6 +15,8 @@ jobs:
   pre-commit:
     name: Pre-commit hooks
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
 
@@ -46,6 +45,8 @@ jobs:
   lint-type-check:
     name: Lint & Type Check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout Code
         uses: actions/checkout@v6
@@ -89,6 +90,8 @@ jobs:
         python-version: ['3.10', '3.11', '3.12', '3.13']
 
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout Code
@@ -149,6 +152,8 @@ jobs:
   test-pypy:
     needs: [pre-commit, lint-type-check]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -187,6 +192,8 @@ jobs:
   mutation-testing:
     name: Mutation Testing
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 
     steps:
@@ -217,6 +224,8 @@ jobs:
   complexity-checks:
     name: Complexity & Maintainability Analysis
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@v6
@@ -253,6 +262,8 @@ jobs:
   architecture-checks:
     name: Architecture & Import Contracts
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@v6

src/treemapper/diffctx/edges/config/build.py

@@ -9,7 +9,7 @@
 _MAKEFILE_NAMES = {"makefile", "gnumakefile"}
 _MAKEFILE_EXTS = {".mk", ".mak", ".make"}
 
-_MAKE_TARGET_RE = re.compile(r"^([a-zA-Z_][a-zA-Z0-9_.-]*)(?:\s*:(?!=))", re.MULTILINE)
+_MAKE_TARGET_RE = re.compile(r"^([a-zA-Z_][a-zA-Z0-9_.-]*)\s*:(?!=)", re.MULTILINE)
 _MAKE_INCLUDE_RE = re.compile(r"^(?:-)?include\s+(.+)$", re.MULTILINE)
 _MAKE_VAR_RE = re.compile(r"^\s*([A-Z_][A-Z0-9_]*)\s*[:?]?=", re.MULTILINE)
 _MAKE_RECIPE_RE = re.compile(r"^\t(.+)$", re.MULTILINE)

src/treemapper/diffctx/edges/config/cicd.py

@@ -6,12 +6,12 @@
 from ...types import Fragment
 from ..base import EdgeBuilder, EdgeDict, FragmentIndex, discover_files_by_refs
 
-_GHA_RUN_RE = re.compile(r"^\s*-?\s*run:\s*[|>]?\s*(.+?)(?:\n\s{4,}|\n[^\s]|$)", re.MULTILINE | re.DOTALL)
+_GHA_RUN_RE = re.compile(r"^\s*-?\s*run:\s*[|>]?\s*(.+)(?:\n\s{4,}|\n[^\s]|$)", re.MULTILINE | re.DOTALL)
 
 _GITLAB_SCRIPT_RE = re.compile(r"^\s*(?:script|before_script|after_script):\s*\n((?:\s+-\s*.+\n)+)", re.MULTILINE)
 _GITLAB_INCLUDE_RE = re.compile(r"^\s*-?\s*(?:local|project|remote|template):\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
 
-_JENKINS_SH_RE = re.compile(r"sh\s*(?:\(['\"]|['\"])(.+?)(?:['\"])\)?", re.MULTILINE | re.DOTALL)
+_JENKINS_SH_RE = re.compile(r"sh\s*(?:\(['\"]|['\"])(.+?)['\"]\)?", re.MULTILINE | re.DOTALL)
 _JENKINS_SCRIPT_RE = re.compile(r"script\s*\{([^}]+)\}", re.MULTILINE | re.DOTALL)
 
 _SCRIPT_CALL_RE = re.compile(r"(?:bash|sh|python|python3|node|npm|yarn|pnpm|make|go|cargo|dotnet|mvn|gradle)\s+([^\s;&|]+)")
@@ -154,8 +154,6 @@ def build(self, fragments: list[Fragment], repo_root: Path | None = None) -> Edg
         idx = FragmentIndex(fragments, repo_root)
 
         for ci in ci_frags:
-            refs: set[str] = set()
-
             if _is_github_actions(ci.path):
                 refs = _extract_gha_refs(ci.content)
             elif _is_gitlab_ci(ci.path):

src/treemapper/diffctx/edges/config/kubernetes.py

@@ -31,6 +31,8 @@
 _VOLUME_SECRET_RE = re.compile(r"secret:\s*\n\s+secretName:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
 _VOLUME_PVC_RE = re.compile(r"persistentVolumeClaim:\s*\n\s+claimName:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
 
+_YAML_EXTS = {".yaml", ".yml"}
+
 _K8S_KINDS = {
     "Deployment",
     "Service",
@@ -57,7 +59,7 @@
 
 
 def _is_kubernetes_manifest(path: Path, content: str | None = None) -> bool:
-    if path.suffix.lower() not in {".yaml", ".yml"}:
+    if path.suffix.lower() not in _YAML_EXTS:
         return False
 
     if content is None:
@@ -132,7 +134,7 @@ def discover_related_files(
     ) -> list[Path]:
         k8s_files: list[Path] = []
         for f in changed_files:
-            if f.suffix.lower() in {".yaml", ".yml"}:
+            if f.suffix.lower() in _YAML_EXTS:
                 try:
                     content = f.read_text(encoding="utf-8")
                     if _is_kubernetes_manifest(f, content):
@@ -156,7 +158,7 @@ def discover_related_files(
             if candidate in changed_set:
                 continue
 
-            if candidate.suffix.lower() not in {".yaml", ".yml"}:
+            if candidate.suffix.lower() not in _YAML_EXTS:
                 continue
 
             for k8s_dir in k8s_dirs:
@@ -215,7 +217,7 @@ def build(self, fragments: list[Fragment], repo_root: Path | None = None) -> Edg
             self._build_configmap_edges(frag, configmaps, edges)
             self._build_secret_edges(frag, secrets, edges)
             self._build_service_edges(frag, services, edges)
-            self._build_volume_edges(frag, configmaps, secrets, pvcs, edges)
+            self._build_volume_edges(frag, pvcs, edges)
             self._build_selector_edges(frag, pods_with_labels, edges)
             self._build_image_edges(frag, images, edges)
 
@@ -290,8 +292,6 @@ def _build_service_edges(
     def _build_volume_edges(
         self,
         frag: Fragment,
-        configmaps: dict[str, list[FragmentId]],
-        secrets: dict[str, list[FragmentId]],
         pvcs: dict[str, list[FragmentId]],
         edges: EdgeDict,
     ) -> None:

src/treemapper/diffctx/edges/config/terraform.py

@@ -202,7 +202,12 @@ def _build_module_source_edges(
                     module_dir = (base_dir / source).resolve()
                     for p, frag_ids in path_to_frags.items():
                         try:
-                            resolved = p.resolve() if p.is_absolute() else (repo_root / p).resolve() if repo_root else p
+                            if p.is_absolute():
+                                resolved = p.resolve()
+                            elif repo_root:
+                                resolved = (repo_root / p).resolve()
+                            else:
+                                resolved = p
                             if resolved.parent == module_dir or str(resolved).startswith(str(module_dir)):
                                 for frag_id in frag_ids:
                                     if frag_id != f.id:

src/treemapper/diffctx/edges/semantic/dotnet.py

@@ -17,10 +17,10 @@
     r"^\s*(?:public|private|protected|internal)?\s*(?:static|sealed|abstract|partial)?\s*(?:class|interface|struct|record|enum)\s+([A-Z]\w*)",
     re.MULTILINE,
 )
-_CS_INHERIT_RE = re.compile(r"(?:class|interface|struct|record)\s+\w+\s*(?:<[^>]+>)?\s*:\s*([A-Z]\w*(?:\s*,\s*[A-Z]\w*)*)")
+_CS_INHERIT_RE = re.compile(r"(?:class|struct|record)\s+\w+[^:]*:\s*([A-Z]\w*(?:,\s*[A-Z]\w*)*)")
 _CS_GENERIC_RE = re.compile(r"<([A-Z]\w*(?:\s*,\s*[A-Z]\w*)*)>")
 _CS_METHOD_RE = re.compile(
-    r"^\s*(?:public|private|protected|internal)?\s*(?:static|virtual|override|abstract|async)?\s*(?:[A-Z]\w*(?:<[^>]+>)?)\s+([A-Z]\w*)\s*\(",
+    r"^\s*(?:public|private|protected|internal)?\s*\w*\s*[A-Z]\w*(?:<[^>]+>)?\s+([A-Z]\w*)\s*\(",
     re.MULTILINE,
 )
 

src/treemapper/diffctx/edges/semantic/javascript.py

@@ -14,7 +14,7 @@
 _JS_SYMBOL_REF_WEIGHT = 0.75
 _JS_TYPE_REF_WEIGHT = 0.65
 
-_JS_IMPORT_RE = re.compile(r"""(?:import\s+(?:.*?\s+from\s+)?['"]([^'"]+)['"]|require\s*\(\s*['"]([^'"]+)['"]\s*\))""")
+_JS_IMPORT_RE = re.compile(r"""import\s+[^'"]*['"]([^'"]+)['"]|require\s*\(\s*['"]([^'"]+)['"]\s*\)""")
 _JS_EXPORT_FROM_RE = re.compile(r"""export\s+.*?\s+from\s+['"]([^'"]+)['"]""")
 
 

src/treemapper/diffctx/edges/semantic/jvm.py

@@ -22,7 +22,7 @@
 
 _KOTLIN_IMPORT_RE = re.compile(r"^\s*import\s+([a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*)*(?:\.[A-Z]\w*)?)", re.MULTILINE)
 _KOTLIN_CLASS_RE = re.compile(
-    r"^\s*(?:public|private|internal|protected)?\s*(?:abstract|open|sealed|data|inline|value)?\s*(?:class|interface|object|enum)\s+([A-Z]\w*)",
+    r"^\s*(?:\w+\s+)*(?:class|interface|object|enum)\s+([A-Z]\w*)",
     re.MULTILINE,
 )
 _KOTLIN_FUN_RE = re.compile(

src/treemapper/diffctx/edges/semantic/ruby.py

@@ -22,7 +22,7 @@
 _RUBY_INHERIT_RE = re.compile(r"class\s+\w+\s*<\s*([A-Z]\w*(?:::[A-Z]\w*)*)")
 
 _RUBY_CONST_REF_RE = re.compile(r"(?<![a-z_])([A-Z]\w*(?:::[A-Z]\w*)*)")
-_RUBY_METHOD_CALL_RE = re.compile(r"\.([a-z_]\w*)\s*(?:\(|$|[^a-z_])")
+_RUBY_METHOD_CALL_RE = re.compile(r"\.([a-z_]\w*)\s*(?:$|[^a-z_])")
 
 
 def _is_ruby_file(path: Path) -> bool:

src/treemapper/diffctx/edges/semantic/rust.py

@@ -15,7 +15,7 @@
 _RUST_STRUCT_RE = re.compile(r"^\s*(?:pub(?:\([^)]*\))?\s+)?struct\s+([A-Z]\w*)", re.MULTILINE)
 _RUST_ENUM_RE = re.compile(r"^\s*(?:pub(?:\([^)]*\))?\s+)?enum\s+([A-Z]\w*)", re.MULTILINE)
 _RUST_TRAIT_RE = re.compile(r"^\s*(?:pub(?:\([^)]*\))?\s+)?trait\s+([A-Z]\w*)", re.MULTILINE)
-_RUST_IMPL_RE = re.compile(r"^\s*impl(?:<[^>]+>)?\s+(?:([A-Z]\w*)|(?:\w+\s+for\s+)?([A-Z]\w*))", re.MULTILINE)
+_RUST_IMPL_RE = re.compile(r"^\s*impl(?:<[^>]+>)?\s+(?:\w+\s+for\s+)?([A-Z]\w*)", re.MULTILINE)
 _RUST_TYPE_ALIAS_RE = re.compile(r"^\s*(?:pub(?:\([^)]*\))?\s+)?type\s+([A-Z]\w*)", re.MULTILINE)
 
 _RUST_TYPE_REF_RE = re.compile(r"(?<![a-z_])([A-Z]\w*)\b")
@@ -53,8 +53,6 @@ def _extract_definitions(content: str) -> tuple[set[str], set[str], set[str]]:
     for m in _RUST_IMPL_RE.finditer(content):
         if m.group(1):
             types.add(m.group(1))
-        if m.group(2):
-            types.add(m.group(2))
 
     traits = {m.group(1) for m in _RUST_TRAIT_RE.finditer(content)}
     return funcs, types, traits