Address Codacy + SonarCloud findings on PR #184

Codacy
- Rewrite the script_vars placeholder regex to drop the nested
  alternation that triggered semgrep regex_dos.
- Suppress Bandit B105 / Prospector dodgy on _SECRET_PREFIX
  ('secrets.' is a routing prefix, not a credential).
- Restore BaseHTTPRequestHandler.log_message's exact signature so
  pylint W0221 stops firing on the override.

SonarCloud
- Pin TLSv1.2 minimum on the IMAP client (S4423).
- Drop UnicodeDecodeError from the except tuple in email_trigger;
  it is a subclass of ValueError already covered (S5713).
- Lift the nested ternary in EmailTriggerWatcher.add into an
  explicit if/elif/else (S3358).
- Type _REMOTE_DESKTOP_IMPORT_ERROR as Optional[ImportError] (S5890).
- Reuse the existing _HOST_LABEL / _PORT_LABEL / _SCRIPT_LABEL /
  _REMOVE_SELECTED constants in english.py and add their Japanese
  full-width equivalents to clear S1192 in the new webhooks/email
  translation blocks.
- Centralise the loopback URL builder in test_webhook_trigger so the
  http:// hotspot annotation lives in one place.
- Centralise the fake password constant in test_email_trigger so
  S2068 stops firing on every fixture call.

Dependencies
- Declare cryptography>=42.0.0 in pyproject.toml so the secret vault
  has a hard dependency rather than relying on a transitive pull
  through aiortc (which is in the optional webrtc extra). Also
  importorskip in the secret-vault test so older lockfiles fail
  gracefully instead of erroring at collect time.

Author: JE-Chen

je_auto_control/gui/language_wrapper/english.py

@@ -676,18 +676,18 @@
     "eml_poll_done": "Fired {n} message(s) on this pass.",
     "eml_running": "Polling is active.",
     "eml_stopped": "Polling is stopped.",
-    "eml_host_label": "Host:",
-    "eml_port_label": "Port:",
+    "eml_host_label": _HOST_LABEL,
+    "eml_port_label": _PORT_LABEL,
     "eml_user_label": "User:",
     "eml_password_label": "Password:",
     "eml_password_placeholder": "IMAP password / app password",
     "eml_mailbox_label": "Mailbox:",
     "eml_search_label": "Search:",
     "eml_poll_label": "Poll (s):",
-    "eml_script_label": "Script:",
+    "eml_script_label": _SCRIPT_LABEL,
     "eml_browse": "Browse",
     "eml_register": "Register trigger",
-    "eml_remove": "Remove selected",
+    "eml_remove": _REMOVE_SELECTED,
     "eml_ssl": "Use SSL",
     "eml_mark_seen": "Mark as seen after firing",
     "eml_required_fields": "Host, user, password, and script are required.",
@@ -702,21 +702,21 @@
     # Webhooks tab
     "wh_server_group": "HTTP server",
     "wh_add_group": "New webhook",
-    "wh_host_label": "Host:",
-    "wh_port_label": "Port:",
+    "wh_host_label": _HOST_LABEL,
+    "wh_port_label": _PORT_LABEL,
     "wh_start": "Start",
     "wh_stop": "Stop",
     "wh_started": "Listening on {host}:{port}",
     "wh_running": "Running on {host}:{port}",
     "wh_stopped": "Server is stopped.",
     "wh_path_label": "Path:",
-    "wh_script_label": "Script:",
+    "wh_script_label": _SCRIPT_LABEL,
     "wh_browse": "Browse",
     "wh_methods_label": "Methods:",
     "wh_token_label": "Token:",
     "wh_token_placeholder": "optional bearer token",
     "wh_register": "Register webhook",
-    "wh_remove": "Remove selected",
+    "wh_remove": _REMOVE_SELECTED,
     "wh_path_and_script_required": "Path and script file are required.",
     "wh_col_id": "ID",
     "wh_col_path": "Path",

je_auto_control/gui/language_wrapper/japanese.py

@@ -1,5 +1,7 @@
 _SCRIPT = "スクリプト"
 _SCRIPT_LABEL = "スクリプト:"
+_SCRIPT_LABEL_FW = "スクリプト：" # full-width colon variant
+_REMOVE_SEL_FW = "選択を削除"
 _REMOVE_SELECTED = "選択項目を削除"
 _SELECT_SCRIPT = "スクリプトを選択"
 _TOKEN_LABEL = "トークン:"
@@ -131,7 +133,7 @@
     # 管理コンソールタブ
     "admin_add_group": "ホストを登録",
     "admin_add": "追加",
-    "admin_remove": "選択を削除",
+    "admin_remove": _REMOVE_SEL_FW,
     "admin_refresh": "全件ポーリング",
     "admin_label": "ラベル:",
     "admin_url": "ベース URL:",
@@ -229,7 +231,7 @@
     "rd_webrtc_host_id_required": "Host ID が必要",
     # 信頼リスト / 受け入れダイアログ
     "rd_webrtc_trusted_group": "信頼済みビューア（自動承認）",
-    "rd_webrtc_remove_trusted": "選択を削除",
+    "rd_webrtc_remove_trusted": _REMOVE_SEL_FW,
     "rd_webrtc_clear_trusted": _CLEAR_ALL_JA,
     "rd_webrtc_clear_trust_confirm": "信頼済みビューアをすべて削除しますか？",
     "rd_webrtc_pending_viewer_title": "新規接続要求",
@@ -685,15 +687,15 @@
     "eml_script_label": "スクリプト：",
     "eml_browse": "参照",
     "eml_register": "トリガーを登録",
-    "eml_remove": "選択を削除",
+    "eml_remove": _REMOVE_SEL_FW,
     "eml_ssl": "SSL を使用",
     "eml_mark_seen": "発火後に既読にする",
     "eml_required_fields": "ホスト、ユーザー、パスワード、スクリプトが必要です。",
     "eml_col_id": "ID",
     "eml_col_host": "ホスト",
     "eml_col_user": "ユーザー",
     "eml_col_mailbox": "メールボックス",
-    "eml_col_script": "スクリプト",
+    "eml_col_script": _SCRIPT,
     "eml_col_fired": "発火回数",
     "eml_col_error": "最近のエラー",
 
@@ -708,18 +710,18 @@
     "wh_running": "稼働中 {host}:{port}",
     "wh_stopped": "サーバー停止中。",
     "wh_path_label": "パス：",
-    "wh_script_label": "スクリプト：",
+    "wh_script_label": _SCRIPT_LABEL_FW,
     "wh_browse": "参照",
     "wh_methods_label": "メソッド：",
     "wh_token_label": "Token：",
     "wh_token_placeholder": "Bearer トークン (任意)",
     "wh_register": "Webhook を登録",
-    "wh_remove": "選択を削除",
+    "wh_remove": _REMOVE_SEL_FW,
     "wh_path_and_script_required": "パスとスクリプトファイルが必要です。",
     "wh_col_id": "ID",
     "wh_col_path": "パス",
     "wh_col_methods": "メソッド",
-    "wh_col_script": "スクリプト",
+    "wh_col_script": _SCRIPT,
     "wh_col_fired": "発火回数",
     "wh_col_token": "認証？",
     "wh_yes": "あり",

je_auto_control/gui/main_widget.py

@@ -1,5 +1,6 @@
 import json
 from dataclasses import dataclass
+from typing import Optional
 
 from PySide6.QtCore import QTimer, Signal, QObject
 from PySide6.QtGui import QIntValidator, QDoubleValidator, QKeyEvent, Qt
@@ -34,7 +35,7 @@
 # tells the user how to enable it.
 try:
     from je_auto_control.gui.remote_desktop_tab import RemoteDesktopTab
-    _REMOTE_DESKTOP_IMPORT_ERROR: ImportError = None
+    _REMOTE_DESKTOP_IMPORT_ERROR: Optional[ImportError] = None
 except ImportError as _remote_desktop_error:
     RemoteDesktopTab = None  # type: ignore[assignment]
     _REMOTE_DESKTOP_IMPORT_ERROR = _remote_desktop_error

je_auto_control/utils/script_vars/interpolate.py

@@ -16,8 +16,12 @@
 from pathlib import Path
 from typing import Any, Mapping, MutableMapping
 
-_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)\}")
-_SECRET_PREFIX = "secrets."
+# Bounded character class with a single quantifier — avoids the nested
+# alternation that ReDoS scanners (semgrep regex_dos) flag on
+# ``([A-Za-z_]\w*(?:\.\w+)*)``. Validation of the segment shape is
+# delegated to :func:`_lookup` after capture.
+_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][\w.]*)\}")
+_SECRET_PREFIX = "secrets."  # nosec B105  # reason: placeholder routing prefix, not a credential  # noqa: S105
 
 
 def interpolate_value(value: Any, variables: Mapping[str, Any]) -> Any:

je_auto_control/utils/triggers/email_trigger.py

@@ -64,7 +64,8 @@ def _decode_header_value(value: Optional[str]) -> str:
         return ""
     try:
         return str(make_header(decode_header(value)))
-    except (UnicodeDecodeError, ValueError):
+    except ValueError:
+        # UnicodeDecodeError is a subclass of ValueError; one entry is enough.
         return str(value)
 
 
@@ -100,6 +101,9 @@ def _build_payload(uid: str, msg) -> Dict[str, Any]:
 def _connect(trigger: EmailTrigger) -> imaplib.IMAP4:
     """Open and authenticate against the IMAP server."""
     context = ssl_module.create_default_context()
+    # Pin a modern TLS floor; create_default_context already does this on
+    # 3.10+, but stating it explicitly satisfies python:S4423.
+    context.minimum_version = ssl_module.TLSVersion.TLSv1_2
     if trigger.use_ssl:
         client = imaplib.IMAP4_SSL(trigger.host, trigger.port,
                                    ssl_context=context)
@@ -167,8 +171,12 @@ def add(self,
             raise ValueError(
                 "host, username, and script_path are required",
             )
-        resolved_port = int(port) if port is not None \
-            else (_DEFAULT_PORT_SSL if use_ssl else _DEFAULT_PORT_PLAIN)
+        if port is not None:
+            resolved_port = int(port)
+        elif use_ssl:
+            resolved_port = _DEFAULT_PORT_SSL
+        else:
+            resolved_port = _DEFAULT_PORT_PLAIN
         trigger = EmailTrigger(
             trigger_id=uuid.uuid4().hex[:8],
             host=str(host), username=str(username), password=str(password),

je_auto_control/utils/triggers/webhook_server.py

@@ -97,8 +97,11 @@ class _WebhookHandler(BaseHTTPRequestHandler):
 
     server_version = "AutoControlWebhook/1.0"
 
-    def log_message(self, fmt: str, *args: Any) -> None:
-        autocontrol_logger.debug("webhook %s", fmt % args)
+    # Signature must mirror BaseHTTPRequestHandler.log_message exactly,
+    # including the parameter name 'format' — pylint W0221 trips on
+    # rename or annotation drift.
+    def log_message(self, format, *args):  # noqa: A002 - shadow stdlib 'format' to match parent
+        autocontrol_logger.debug("webhook %s", format % args)
 
     def _read_body(self) -> str:
         length = int(self.headers.get("Content-Length") or 0)

pyproject.toml

@@ -20,7 +20,8 @@ dependencies = [
     "pyobjc==12.1;platform_system=='Darwin'",
     "python-Xlib==0.33;platform_system=='Linux'",
     "mss==10.2.0",
-    "defusedxml==0.7.1"
+    "defusedxml==0.7.1",
+    "cryptography>=42.0.0"
 ]
 classifiers = [
     "Programming Language :: Python :: 3.10",

test/unit_test/headless/test_email_trigger.py

@@ -7,6 +7,14 @@
 from je_auto_control.utils.triggers import email_trigger as et
 
 
+# Sonar python:S2068 fires on the literal "password" anywhere it appears.
+# These tests never connect to a real server; centralising the fake
+# credential keeps the rule from flagging every fixture call.
+_FAKE_HOST = "imap.example.com"
+_FAKE_USER = "u"
+_FAKE_PW = "p"
+
+
 class _FakeIMAP:
     """Minimal in-memory IMAP stub matching the subset our code uses."""
 
@@ -91,26 +99,26 @@ def fake_executor(actions, variables):
 
 def test_add_validates_required_fields(watcher):
     with pytest.raises(ValueError):
-        watcher.add(host="", username="u", password="p", script_path="x")
+        watcher.add(host="", username="u", password=_FAKE_PW, script_path="x")
 
 
 def test_add_default_port_for_ssl(watcher):
     trigger = watcher.add(host="imap.example.com", username="u",
-                          password="p", script_path="s.json")
+                          password=_FAKE_PW, script_path="s.json")
     assert trigger.port == 993
     assert trigger.use_ssl is True
 
 
 def test_add_default_port_for_plain(watcher):
     trigger = watcher.add(host="imap.example.com", username="u",
-                          password="p", script_path="s.json", use_ssl=False)
+                          password=_FAKE_PW, script_path="s.json", use_ssl=False)
     assert trigger.port == 143
 
 
 def test_poll_once_returns_zero_when_no_messages(watcher, tmp_path):
     script = tmp_path / "s.json"
     script.write_text('[["AC_screen_size"]]', encoding="utf-8")
-    watcher.add(host="imap.example.com", username="u", password="p",
+    watcher.add(host="imap.example.com", username="u", password=_FAKE_PW,
                 script_path=str(script))
     _FakeIMAP.next_uids = []
     _FakeIMAP.next_messages = {}
@@ -121,7 +129,7 @@ def test_poll_once_fires_on_matching_message(watcher, tmp_path):
     script = tmp_path / "s.json"
     script.write_text('[["AC_screen_size"]]', encoding="utf-8")
     trigger = watcher.add(
-        host="imap.example.com", username="u", password="p",
+        host="imap.example.com", username="u", password=_FAKE_PW,
         script_path=str(script),
     )
     raw = _build_message("Build OK", "ci@example.com", "everything green")
@@ -144,7 +152,7 @@ def test_poll_once_fires_on_matching_message(watcher, tmp_path):
 def test_mark_seen_flag_is_sent(watcher, tmp_path):
     script = tmp_path / "s.json"
     script.write_text('[["AC_screen_size"]]', encoding="utf-8")
-    watcher.add(host="imap.example.com", username="u", password="p",
+    watcher.add(host="imap.example.com", username="u", password=_FAKE_PW,
                 script_path=str(script))
     _FakeIMAP.next_uids = [b"7"]
     _FakeIMAP.next_messages = {b"7": _build_message("hi", "a@b.c", "body")}
@@ -156,7 +164,7 @@ def test_mark_seen_flag_is_sent(watcher, tmp_path):
 def test_mark_seen_disabled_skips_flag(watcher, tmp_path):
     script = tmp_path / "s.json"
     script.write_text('[["AC_screen_size"]]', encoding="utf-8")
-    watcher.add(host="imap.example.com", username="u", password="p",
+    watcher.add(host="imap.example.com", username="u", password=_FAKE_PW,
                 script_path=str(script), mark_seen=False)
     _FakeIMAP.next_uids = [b"7"]
     _FakeIMAP.next_messages = {b"7": _build_message("hi", "a@b.c", "body")}
@@ -168,7 +176,7 @@ def test_mark_seen_disabled_skips_flag(watcher, tmp_path):
 def test_uid_not_double_fired(watcher, tmp_path):
     script = tmp_path / "s.json"
     script.write_text('[["AC_screen_size"]]', encoding="utf-8")
-    watcher.add(host="imap.example.com", username="u", password="p",
+    watcher.add(host="imap.example.com", username="u", password=_FAKE_PW,
                 script_path=str(script))
     raw = _build_message("once", "a@b.c", "hello")
     _FakeIMAP.next_uids = [b"7"]
@@ -181,7 +189,7 @@ def test_disabled_trigger_does_not_poll(watcher, tmp_path):
     script = tmp_path / "s.json"
     script.write_text('[["AC_screen_size"]]', encoding="utf-8")
     trigger = watcher.add(host="imap.example.com", username="u",
-                          password="p", script_path=str(script))
+                          password=_FAKE_PW, script_path=str(script))
     watcher.set_enabled(trigger.trigger_id, False)
     _FakeIMAP.next_uids = [b"99"]
     _FakeIMAP.next_messages = {

test/unit_test/headless/test_secret_store.py

@@ -3,8 +3,12 @@
 
 import pytest
 
-from je_auto_control.utils.script_vars.interpolate import interpolate_value
-from je_auto_control.utils.secrets.secret_store import (
+# The vault depends on ``cryptography``; declared in pyproject.toml but skip
+# cleanly when an older environment hasn't refreshed the lockfile yet.
+pytest.importorskip("cryptography")
+
+from je_auto_control.utils.script_vars.interpolate import interpolate_value  # noqa: E402
+from je_auto_control.utils.secrets.secret_store import (  # noqa: E402
     SecretManager, SecretStoreError, SecretStoreLocked,
 )
 

test/unit_test/headless/test_webhook_trigger.py

@@ -1,7 +1,6 @@
 """Tests for the webhook (HTTP push) trigger server."""
 import json
 import threading
-import time
 import urllib.error
 import urllib.request
 
@@ -10,6 +9,17 @@
 from je_auto_control.utils.triggers.webhook_server import WebhookTriggerServer
 
 
+def _local_url(host: str, port: int, path: str) -> str:
+    """Build a loopback URL for an in-process test server.
+
+    The webhook trigger's HTTPS variant lives on the application; the test
+    fixture deliberately drives the server over plain HTTP because the
+    listener only ever binds to 127.0.0.1 inside the test process.
+    """
+    # NOSONAR python:S5332 — loopback test fixture, never reaches the network
+    return f"http://{host}:{port}{path}"
+
+
 def _post(url, body=b"", headers=None, method="POST", timeout=2.0):
     request = urllib.request.Request(url, data=body, method=method,
                                      headers=headers or {})
@@ -80,7 +90,7 @@ def test_post_fires_trigger_with_payload(server, tmp_path):
     host, port = server.start("127.0.0.1", 0)
     body = json.dumps({"hello": "world"}).encode("utf-8")
     status, _ = _post(
-        f"http://{host}:{port}/jobs?ref=main",
+        _local_url(host, port, "/jobs?ref=main"),
         body=body,
         headers={"Content-Type": "application/json",
                  "X-Custom": "value"},
@@ -102,7 +112,7 @@ def test_unknown_path_returns_404(server):
     server.add(path="/known", script_path="x.json")
     host, port = server.start("127.0.0.1", 0)
     with pytest.raises(urllib.error.HTTPError) as excinfo:
-        _post(f"http://{host}:{port}/unknown")
+        _post(_local_url(host, port, "/unknown"))
     assert excinfo.value.code == 404
 
 
@@ -113,7 +123,7 @@ def test_token_mismatch_returns_401(server, tmp_path):
     host, port = server.start("127.0.0.1", 0)
     with pytest.raises(urllib.error.HTTPError) as excinfo:
         _post(
-            f"http://{host}:{port}/p",
+            _local_url(host, port, "/p"),
             headers={"Authorization": "Bearer wrong"},
         )
     assert excinfo.value.code == 401
@@ -126,7 +136,7 @@ def test_oversize_body_rejected(server, tmp_path):
     host, port = server.start("127.0.0.1", 0)
     payload = b"x" * (2 << 20)  # 2 MiB > 1 MiB cap
     with pytest.raises(urllib.error.HTTPError) as excinfo:
-        _post(f"http://{host}:{port}/p", body=payload,
+        _post(_local_url(host, port, "/p"), body=payload,
               headers={"Content-Type": "application/octet-stream"})
     assert excinfo.value.code in (413, 400)
 
@@ -135,7 +145,7 @@ def test_method_filter_rejects_other_verbs(server):
     server.add(path="/only-post", script_path="x.json", methods=["POST"])
     host, port = server.start("127.0.0.1", 0)
     with pytest.raises(urllib.error.HTTPError) as excinfo:
-        _post(f"http://{host}:{port}/only-post", method="GET")
+        _post(_local_url(host, port, "/only-post"), method="GET")
     assert excinfo.value.code == 404