From b85b25898f2ceacafec245aa97221c1b009e1ec9 Mon Sep 17 00:00:00 2001
From: satya-blend360
Date: Wed, 27 May 2026 15:42:32 +0530
Subject: [PATCH 1/7] test: Add Python security vulnerabilities test case
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This test verifies:
- 🔴 CRITICAL: Hardcoded credentials, SQL injection, command injection
- 🟠 HIGH: Missing error handling, unsafe eval()
- 🟡 MEDIUM: Poor error handling, no type hints, division by zero
- 🟢 LOW: Debug mode in production, PEP 8 violations
- ✅ GOOD: Well-written function with type hints and parameterized queries
Will test:
- Python tech stack detection
- Flask framework detection
- Severity level tagging for Python-specific issues
- PEP 8 style guide enforcement
---
 requirements.txt | 4 ++
 test-python-api.py | 112 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 116 insertions(+)
 create mode 100644 requirements.txt
 create mode 100644 test-python-api.py
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..ee989a5
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,4 @@
+Flask>=3.0.0
+requests>=2.31.0
+psycopg2-binary>=2.9.0
+python-dotenv>=1.0.0
diff --git a/test-python-api.py b/test-python-api.py
new file mode 100644
index 0000000..02e32a6
--- /dev/null
+++ b/test-python-api.py
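Review bot: Every entry in the new requirements.txt is an open lower bound (`>=`) with no upper bound or hash, so each CI run may resolve a different Flask, requests or psycopg2 release and the fixture's review results are not reproducible across runs. For an input that is meant to exercise deterministic detection, pin exact versions (`Flask==3.0.0` style) or generate a lockfile and install with `--require-hashes`, which also narrows the supply-chain exposure of the workflow that installs it. `psycopg2-binary` and `python-dotenv` are not imported by the accompanying test-python-api.py, which uses `sqlite3`, so consider dropping them unless later fixtures need them.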
@@ -0,0 +1,112 @@
+# Test file for Python security review
+# This file contains intentional security vulnerabilities and code quality issues
+
+import os
+import sqlite3
+from flask import Flask, request, jsonify
+
+app = Flask(__name__)
+
+# 🔴 CRITICAL: Hardcoded credentials
+DATABASE_URL = "postgresql://admin:password123@localhost/prod"
+SECRET_KEY = "supersecretkey12345"
+API_TOKEN = "sk-1234567890abcdefghijklmnop"
+
+# 🔴 CRITICAL: SQL Injection vulnerability
+@app.route('/user/')
+def get_user(username):
+ conn = sqlite3.connect('users.db')
+ cursor = conn.cursor()
+ # Direct string interpolation - SQL injection!
+ query = f"SELECT * FROM users WHERE username = '{username}'"
+ cursor.execute(query)
+ result = cursor.fetchone()
+ return jsonify(result)
+
+# 🟠 HIGH: Command injection vulnerability
+@app.route('/backup')
+def backup_data():
+ filename = request.args.get('filename')
+ # No input validation - command injection!
+ os.system(f'tar -czf (unknown) /var/data')
+ return "Backup created"
+
+# 🟠 HIGH: Missing error handling
+@app.route('/api/data')
+def fetch_data():
+ response = request.get('https://api.external.com/data')
+ data = response.json() # Will crash if request fails!
+ return jsonify(data)
+
+# 🟡 MEDIUM: Using eval() - code injection risk
+@app.route('/calculate')
+def calculate():
+ expression = request.args.get('expr')
+ result = eval(expression) # Never use eval with user input!
+ return str(result)
+
+# 🟡 MEDIUM: Poor error handling, exposing stack traces
+@app.route('/divide')
+def divide():
+ a = int(request.args.get('a'))
+ b = int(request.args.get('b'))
+ return str(a / b) # No zero division check!
+
+# 🟡 MEDIUM: Missing type hints and docstrings
+def process_payment(user_id, amount, currency):
+ if amount > 0:
+ charge_card(user_id, amount)
+ send_receipt(user_id)
+ return True
+ return False
+
+# 🟢 LOW: Debug mode enabled in production
+if __name__ == '__main__':
+ app.run(debug=True, host='0.0.0.0') # Debug mode in production!
+
+# 🟢 LOW: Not following PEP 8
+def CalculateTotal(items,tax_rate): # Should be snake_case
+ Total=0 # Should be lowercase
+ for item in items:
+ Total+=item['price']*item['qty']
+ return Total*(1+tax_rate)
+
+# ✅ GOOD: Well-written function with proper error handling
+def get_user_by_id(user_id: int) -> dict:
+ """
+ Fetch user by ID with proper error handling.
+
+ Args:
+ user_id: The unique identifier for the user
+
+ Returns:
+ dict: User data or None if not found
+
+ Raises:
+ ValueError: If user_id is invalid
+ DatabaseError: If database connection fails
+ """
+ if not isinstance(user_id, int) or user_id <= 0:
+ raise ValueError("Invalid user ID")
+
+ try:
+ conn = sqlite3.connect('users.db')
+ cursor = conn.cursor()
+
+ # Using parameterized query to prevent SQL injection
+ cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
+ result = cursor.fetchone()
+
+ if result:
+ return {
+ 'id': result[0],
+ 'username': result[1],
+ 'email': result[2]
+ }
+ return None
+
+ except sqlite3.Error as e:
+ raise DatabaseError(f"Failed to fetch user: {e}")
+ finally:
+ if conn:
+ conn.close()
From fde3c32ec35fe0c2746651c284faa4f45afaa6a5 Mon Sep 17 00:00:00 2001
From: satya-blend360
Date: Thu, 28 May 2026 00:07:32 +0530
Subject: [PATCH 2/7] chore: trigger workflow after permission fix
---
 test-python-api.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test-python-api.py b/test-python-api.py
index 02e32a6..3151aef 100644
--- a/test-python-api.py
+++ b/test-python-api.py
@@ -110,3 +110,4 @@ def get_user_by_id(user_id: int) -> dict:
 finally:
 if conn:
 conn.close()
+# Test trigger
From 2d498c5b09803e9ac5aa969a5a0afc5c7c0875d1 Mon Sep 17 00:00:00 2001
From: satya-blend360
Date: Thu, 28 May 2026 00:15:22 +0530
Subject: [PATCH 3/7] chore: re-trigger workflow
---
 test-python-api.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test-python-api.py b/test-python-api.py
index 3151aef..606fedd 100644
--- a/test-python-api.py
+++ b/test-python-api.py
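Review bot: `get_user_by_id`, the ✅ GOOD reference at the end of the new-file hunk, reads `conn` in its `finally:` before the name is guaranteed to be bound: if `sqlite3.connect('users.db')` raises, the `finally:` block fails with UnboundLocalError, and `DatabaseError` is neither defined nor imported anywhere in the file, so the `except sqlite3.Error` branch raises NameError instead of the documented exception. Bind `conn = None` before the `try:` and add `class DatabaseError(Exception): pass` at module level (or import the project's own), otherwise the one function meant to pass review fails at runtime on the error path. Separately, `fetch_data` calls `request.get(...)` on Flask's request proxy rather than the `requests` library declared in requirements.txt, so that sample fails with AttributeError before reaching the unguarded `response.json()` it is labelled for; `import requests` and `response = requests.get('https://api.external.com/data', timeout=5)` keep the intended defect while making the line reachable. The hardcoded `DATABASE_URL`, `SECRET_KEY` and `API_TOKEN` literals are intentional fixtures but are realistic enough in shape to be flagged by secret scanners on every push; obviously fake placeholders (or an entry in the repository's scanner allowlist) avoid that noise without weakening the test.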
@@ -111,3 +111,4 @@ def get_user_by_id(user_id: int) -> dict:
 if conn:
 conn.close()
 # Test trigger
+
From 8ffa90b0308652ecaa1bbe42069abeae491ce531 Mon Sep 17 00:00:00 2001
From: satya-blend360
Date: Thu, 28 May 2026 00:18:02 +0530
Subject: [PATCH 4/7] fix: Add issues:read permission for PR metadata
---
 .github/workflows/ai-review.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ai-review.yml b/.github/workflows/ai-review.yml
index 83cd9f1..71f383d 100644
--- a/.github/workflows/ai-review.yml
+++ b/.github/workflows/ai-review.yml
@@ -21,6 +21,7 @@ jobs:
 permissions:
 pull-requests: write
 contents: read
+ issues: read # Required to read PR metadata
 uses: ./.github/workflows/ai-review-reusable.yml
 with:
 ai_provider: ${{ github.event_name == 'workflow_dispatch' && inputs.ai_provider || 'openai' }}
From e7c266b78c7e5e635f4da658b8d806020dc5d3cb Mon Sep 17 00:00:00 2001
From: satya-blend360
Date: Thu, 28 May 2026 00:18:56 +0530
Subject: [PATCH 5/7] chore: trigger after permission fix
---
 test-python-api.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test-python-api.py b/test-python-api.py
index 606fedd..5031345 100644
--- a/test-python-api.py
+++ b/test-python-api.py
@@ -112,3 +112,4 @@ def get_user_by_id(user_id: int) -> dict:
 conn.close()
 # Test trigger
 
+# Trigger
From 87180cf0ca6bb690c455a68c264565d0f57599ff Mon Sep 17 00:00:00 2001
From: satya-blend360
Date: Thu, 28 May 2026 00:20:51 +0530
Subject: [PATCH 6/7] chore: final workflow trigger
---
 test-python-api.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test-python-api.py b/test-python-api.py
index 5031345..c7b00d2 100644
--- a/test-python-api.py
+++ b/test-python-api.py
@@ -113,3 +113,4 @@ def get_user_by_id(user_id: int) -> dict:
 # Test trigger
 
 # Trigger
+# Final trigger
From f042a24a4902dd6f2194e79bfe780b185e477688 Mon Sep 17 00:00:00 2001
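Review bot: The inline comment on the added `issues: read` line in the ai-review.yml hunk should name the call that actually needs it, because PR metadata from the pulls endpoint is already readable under the existing `pull-requests: write`; the scope only matters if the reusable workflow reads labels or comments through the issues endpoint. If that is the case, say so: `issues: read # needed to read PR labels/comments via the issues API`. The permissions block belongs to a job whose definition starts outside the hunk, so whether this set is the minimum the reusable workflow requires cannot be confirmed from here; worth checking, since the token it scopes is handed to a job that posts review comments generated from untrusted PR content.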
From: CodeSage Learning Bot
Date: Wed, 27 May 2026 18:57:54 +0000
Subject: [PATCH 7/7] chore: update AI learned patterns [skip ci]
---
 .github/ai-skills/developers/satya-blend360.json | 6 ++++++
 .github/ai-skills/learned-patterns.json | 8 ++++++++
 .github/ai-skills/project-analysis.json | 15 +++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 .github/ai-skills/developers/satya-blend360.json
 create mode 100644 .github/ai-skills/learned-patterns.json
 create mode 100644 .github/ai-skills/project-analysis.json
diff --git a/.github/ai-skills/developers/satya-blend360.json b/.github/ai-skills/developers/satya-blend360.json
new file mode 100644
index 0000000..a2837c7
--- /dev/null
+++ b/.github/ai-skills/developers/satya-blend360.json
@@ -0,0 +1,6 @@
+{
+ "name": "satya-blend360",
+ "pr_count": 1,
+ "common_issues": [],
+ "last_pr": "2026-05-27T18:57:54.667461"
+}
\ No newline at end of file
diff --git a/.github/ai-skills/learned-patterns.json b/.github/ai-skills/learned-patterns.json
new file mode 100644
index 0000000..8f79da0
--- /dev/null
+++ b/.github/ai-skills/learned-patterns.json
@@ -0,0 +1,8 @@
+{
+ "common_bugs": [],
+ "recurring_issues": [],
+ "accepted_suggestions": [],
+ "rejected_patterns": [],
+ "tech_specific_rules": {},
+ "last_updated": "2026-05-27T18:57:54.667078"
+}
\ No newline at end of file
diff --git a/.github/ai-skills/project-analysis.json b/.github/ai-skills/project-analysis.json
new file mode 100644
index 0000000..d4b5101
--- /dev/null
+++ b/.github/ai-skills/project-analysis.json
@@ -0,0 +1,15 @@
+{
+ "tech_stack": [
+ "Node.js/JavaScript",
+ "Express",
+ "TypeScript",
+ "Python"
+ ],
+ "patterns": {
+ "naming": {
+ "camelCase": 3,
+ "snake_case": 1
+ }
+ },
+ "last_updated": "2026-05-27T18:57:40+00:00"
+}
\ No newline at end of file