Clear SonarCloud and Codacy findings across package and tests

Address the full current SonarCloud queue (43 issues) and the Codacy
backlog (166 issues) so new analyzer runs start from a clean baseline.

- rest_server: stop echoing user-controlled paths/errors; log server-side
  and return generic messages (fixes reflected-XSS blocker)
- KeypressHandler: stop inheriting Thread and rename the callback to
  handle_reply; Thread.run signature mismatch was a latent override bug
- Drop NotImplementedError / NotADirectoryError / UnicodeDecodeError /
  JSONDecodeError from except tuples that already catch their parent
- change_xml_structure: split the two recursive helpers by responsibility
  to bring cognitive complexity back under the 15-line limit
- Replace stdlib xml.etree/xml.dom.minidom parsing with defusedxml across
  xml_file, change_xml_structure, and generate_xml_report
- Extract repeated string literals (JSON filter, {temp} placeholder,
  keycode error, calculator image paths) into module constants
- Validate package names before importlib.import_module; use argv lists
  and timeouts for every subprocess call; drop shell=True
- Add .codacy.yaml excluding test/** from bandit and [tool.bandit] in
  pyproject.toml so pytest assertions stop tripping B101
- Fix stale README TOC anchors (EN/zh-CN/zh-TW) and the Sphinx copyright
  builtin rebind
- Iterate dict.values() directly in socket_server, use slice copy for
  language listeners, tighten regex to \w, drop stray list()/dict()
- Refresh test fixtures (unused imports, loop-once, opposite-operator,
  positional-args mismatch) so the tests stop generating findings

Author: JE-Chen

.codacy.yaml

@@ -0,0 +1,18 @@
+---
+# Codacy repository configuration.
+# Docs: https://docs.codacy.com/repositories-configure/codacy-configuration-file/
+
+engines:
+  bandit:
+    enabled: true
+    exclude_paths:
+      # Test code legitimately uses `assert` (B101); pytest depends on it.
+      # Library/non-test code is constrained by CLAUDE.md "no assert outside tests".
+      - "test/**"
+
+# Drop generated docs / build outputs from analysis entirely.
+exclude_paths:
+  - "docs/build/**"
+  - ".venv/**"
+  - "build/**"
+  - "dist/**"

README.md

@@ -18,17 +18,16 @@
 - [Installation](#installation)
 - [Requirements](#requirements)
 - [Quick Start](#quick-start)
-- [API Reference](#api-reference)
   - [Mouse Control](#mouse-control)
   - [Keyboard Control](#keyboard-control)
   - [Image Recognition](#image-recognition)
   - [Accessibility Element Finder](#accessibility-element-finder)
   - [AI Element Locator (VLM)](#ai-element-locator-vlm)
   - [OCR (Text on Screen)](#ocr-text-on-screen)
   - [Clipboard](#clipboard)
-  - [Screen Operations](#screen-operations)
+  - [Screenshot](#screenshot)
   - [Action Recording & Playback](#action-recording--playback)
-  - [Action Scripting (JSON Executor)](#action-scripting-json-executor)
+  - [JSON Action Scripting](#json-action-scripting)
   - [Scheduler (Interval & Cron)](#scheduler-interval--cron)
   - [Global Hotkey Daemon](#global-hotkey-daemon)
   - [Event Triggers](#event-triggers)

README/README_zh-CN.md

@@ -17,15 +17,14 @@
 - [安装](#安装)
 - [系统要求](#系统要求)
 - [快速开始](#快速开始)
-- [API 参考](#api-参考)
   - [鼠标控制](#鼠标控制)
   - [键盘控制](#键盘控制)
   - [图像识别](#图像识别)
   - [Accessibility 元件搜索](#accessibility-元件搜索)
   - [AI 元件定位（VLM）](#ai-元件定位vlm)
   - [OCR 屏幕文字识别](#ocr-屏幕文字识别)
   - [剪贴板](#剪贴板)
-  - [屏幕操作](#屏幕操作)
+  - [截图](#截图)
   - [动作录制与回放](#动作录制与回放)
   - [JSON 脚本执行器](#json-脚本执行器)
   - [调度器（Interval & Cron）](#调度器interval--cron)

README/README_zh-TW.md

@@ -17,15 +17,14 @@
 - [安裝](#安裝)
 - [系統需求](#系統需求)
 - [快速開始](#快速開始)
-- [API 參考](#api-參考)
   - [滑鼠控制](#滑鼠控制)
   - [鍵盤控制](#鍵盤控制)
   - [圖像辨識](#圖像辨識)
   - [Accessibility 元件搜尋](#accessibility-元件搜尋)
   - [AI 元件定位（VLM）](#ai-元件定位vlm)
   - [OCR 螢幕文字辨識](#ocr-螢幕文字辨識)
   - [剪貼簿](#剪貼簿)
-  - [螢幕操作](#螢幕操作)
+  - [截圖](#截圖)
   - [動作錄製與回放](#動作錄製與回放)
   - [JSON 腳本執行器](#json-腳本執行器)
   - [排程器（Interval & Cron）](#排程器interval--cron)

dev.toml

@@ -1,7 +1,7 @@
 # Rename to build dev version
 # This is dev version
 [build-system]
-requires = ["setuptools"]
+requires = ["setuptools>=82.0.1"]
 build-backend = "setuptools.build_meta"
 
 [project]

dev_requirements.txt

@@ -7,3 +7,4 @@ sphinx-rtd-theme
 PySide6==6.11.0
 qt-material==2.17
 mss==10.1.0
+defusedxml==0.7.1

docs/source/conf.py

@@ -11,7 +11,7 @@
 # -- Project information -----------------------------------------------------
 
 project = 'AutoControl'
-copyright = '2020 ~ Now, JE-Chen'
+copyright = '2020 ~ Now, JE-Chen'  # noqa: A001  # reason: Sphinx-required name
 author = 'JE-Chen'
 release = '0.0.179'
 

je_auto_control/__init__.py

@@ -138,7 +138,7 @@
 from je_auto_control.wrapper.auto_control_image import locate_all_image
 from je_auto_control.wrapper.auto_control_image import locate_and_click
 from je_auto_control.wrapper.auto_control_image import locate_image_center
-# import keyboard
+# Keyboard wrappers
 from je_auto_control.wrapper.auto_control_keyboard import check_key_is_press
 from je_auto_control.wrapper.auto_control_keyboard import get_keyboard_keys_table
 from je_auto_control.wrapper.auto_control_keyboard import hotkey
@@ -148,7 +148,7 @@
 from je_auto_control.wrapper.auto_control_keyboard import send_key_event_to_window
 from je_auto_control.wrapper.auto_control_keyboard import type_keyboard
 from je_auto_control.wrapper.auto_control_keyboard import write
-# import mouse
+# Mouse wrappers
 from je_auto_control.wrapper.auto_control_mouse import click_mouse
 from je_auto_control.wrapper.auto_control_mouse import get_mouse_position
 from je_auto_control.wrapper.auto_control_mouse import mouse_keys_table
@@ -162,7 +162,7 @@
 # record
 from je_auto_control.wrapper.auto_control_record import record
 from je_auto_control.wrapper.auto_control_record import stop_record
-# import screen
+# Screen wrappers
 from je_auto_control.wrapper.auto_control_screen import screen_size
 from je_auto_control.wrapper.auto_control_screen import screenshot
 from je_auto_control.wrapper.auto_control_screen import get_pixel

je_auto_control/gui/language_wrapper/multi_language_wrapper.py

@@ -49,7 +49,7 @@ def reset_language(self, language: str) -> None:
             return
         self.language = language
         self.language_word_dict = self._merged(language)
-        for listener in list(self._listeners):
+        for listener in self._listeners[:]:
             try:
                 listener(language)
             except (OSError, RuntimeError) as error:

je_auto_control/gui/main_widget.py

@@ -33,6 +33,9 @@
 from je_auto_control.utils.file_process.get_dir_file_list import get_dir_files_as_list
 
 
+_JSON_FILE_FILTER = "JSON (*.json)"
+
+
 def _t(key: str) -> str:
     """language_wrapper shorthand"""
     return language_wrapper.translate(key, key)
@@ -499,15 +502,15 @@ def _save_record(self):
             if not self._record_data:
                 QMessageBox.warning(self, "Warning", "No recorded data")
                 return
-            path, _ = QFileDialog.getSaveFileName(self, _t("save_record"), "", "JSON (*.json)")
+            path, _ = QFileDialog.getSaveFileName(self, _t("save_record"), "", _JSON_FILE_FILTER)
             if path:
                 write_action_json(path, self._record_data)
         except (OSError, ValueError, TypeError, RuntimeError) as error:
             QMessageBox.warning(self, "Error", str(error))
 
     def _load_record(self):
         try:
-            path, _ = QFileDialog.getOpenFileName(self, _t("load_record"), "", "JSON (*.json)")
+            path, _ = QFileDialog.getOpenFileName(self, _t("load_record"), "", _JSON_FILE_FILTER)
             if path:
                 self._record_data = read_action_json(path)
                 self.record_list_text.setText(json.dumps(self._record_data, indent=2, ensure_ascii=False))
@@ -560,7 +563,7 @@ def _build_script_tab(self) -> QWidget:
         return tab
 
     def _browse_script(self):
-        path, _ = QFileDialog.getOpenFileName(self, _t("load_script"), "", "JSON (*.json)")
+        path, _ = QFileDialog.getOpenFileName(self, _t("load_script"), "", _JSON_FILE_FILTER)
         if path:
             self.script_path_input.setText(path)
             try: