Enforce CLAUDE.md: restrict executor, pin deps, drop dead code

- Remove Python builtins injection into executor event_dict so only
  AC_-prefixed allowlist is callable via JSON/socket payloads.
- Pin core and platform dependencies in pyproject.toml and align
  PySide6 between pyproject, requirements, and dev_requirements.
- Make create_project_dir's lock module-level and cover all writes.
- Replace get_dir_files_as_list's mutable getcwd() default with None
  sentinel evaluated per call.
- Remove unused imports and deduplicate __all__.

Author: JE-Chen

CLAUDE.md

@@ -0,0 +1,135 @@
+# CLAUDE.md — AutoControl
+
+## Project Overview
+
+AutoControl (`je_auto_control`) is a cross-platform Python GUI automation framework supporting Windows (Win32 API), macOS (pyobjc/Quartz), and Linux (X11). It provides mouse/keyboard control, image recognition, screen capture, action scripting, and report generation through a unified API.
+
+- **Package name**: `je_auto_control`
+- **Python**: >= 3.10
+- **License**: MIT
+- **Author**: JE-Chen
+
+## Architecture & Design Patterns
+
+### Strategy Pattern — Platform Abstraction
+
+`wrapper/platform_wrapper.py` auto-detects the OS and loads the correct backend. All wrapper modules (`auto_control_mouse.py`, `auto_control_keyboard.py`, etc.) delegate to the platform-specific implementation. New platform support is added by implementing the backend interface — no wrapper changes needed.
+
+### Facade Pattern — Unified API Surface
+
+`je_auto_control/__init__.py` re-exports all public functions from wrapper and utility modules, providing a single entry point. Users import only `je_auto_control` and access all features.
+
+### Command Pattern — JSON Action Executor
+
+`utils/executor/action_executor.py` maps string command names (e.g., `AC_click_mouse`) to callable functions. JSON action files define sequences of commands with parameters, enabling recording, serialization, and replay of automation flows.
+
+### Observer Pattern — Callback Executor
+
+`utils/callback/callback_function_executor.py` allows registering callback functions that fire after automation actions complete, supporting event-driven chaining.
+
+### Template Method — Report Generation
+
+`utils/generate_report/` provides HTML, JSON, and XML report generators sharing a common structure: collect test records, format output, write file. Each format implements its own rendering.
+
+## Directory Structure
+
+```
+je_auto_control/
+├── wrapper/              # Platform-agnostic API (Strategy consumers)
+├── windows/              # Win32 backend (ctypes)
+├── osx/                  # macOS backend (pyobjc/Quartz)
+├── linux_with_x11/       # Linux X11 backend (python-Xlib)
+├── gui/                  # PySide6 GUI application
+└── utils/
+    ├── executor/         # JSON action executor (Command pattern)
+    ├── callback/         # Callback executor (Observer pattern)
+    ├── cv2_utils/        # OpenCV: screenshot, template matching, video
+    ├── socket_server/    # TCP server for remote automation
+    ├── shell_process/    # Shell command manager
+    ├── generate_report/  # HTML/JSON/XML report generators
+    ├── test_record/      # Test action recording
+    ├── json/             # JSON action file I/O
+    ├── project/          # Project scaffolding
+    ├── package_manager/  # Dynamic package loading
+    ├── logging/          # Logging
+    └── exception/        # Custom exceptions
+```
+
+## Development Commands
+
+```bash
+# Install dependencies
+pip install -r dev_requirements.txt
+
+# Install with GUI support
+pip install -e .[gui]
+
+# Run unit tests
+python -m pytest test/unit_test/
+
+# Run integration tests
+python -m pytest test/integrated_test/
+
+# Build package
+python -m build
+```
+
+## Coding Standards
+
+### Security First
+
+- **Input validation**: Validate all external inputs (user input, file content, network data, JSON action commands) at system boundaries. Sanitize file paths to prevent path traversal. Never trust data from TCP socket clients without validation.
+- **Injection prevention**: When executing shell commands (`shell_process`), never construct command strings from unsanitized input. Use parameterized approaches or allowlists.
+- **Deserialization safety**: JSON action files and socket server payloads must be validated against expected schemas before execution. Reject unknown command names.
+- **No secrets in code**: Never commit credentials, API keys, tokens, or `.env` files. Keep secrets out of logs and reports.
+- **Principle of least privilege**: Socket server should bind to localhost by default. Document security implications of exposing to network.
+- **Dependency awareness**: Pin dependency versions. Review transitive dependencies for known vulnerabilities.
+
+### Performance Best Practices
+
+- **Lazy imports**: Platform-specific backends are loaded only for the current OS — do not import all backends unconditionally.
+- **Avoid redundant screenshots**: Image recognition operations should reuse screen captures when performing multiple searches on the same frame.
+- **Buffer management**: Screen recording and video capture must properly release resources (file handles, codec buffers) in `finally` blocks or context managers.
+- **Thread safety**: Socket server and recording threads must use proper synchronization. Avoid shared mutable state without locks.
+- **Minimize allocations in hot paths**: Mouse/keyboard event dispatch should avoid unnecessary object creation per event.
+
+### Software Engineering Principles
+
+- **SOLID**: Each module has a single responsibility. Platform backends are open for extension (new OS) without modifying wrappers. Depend on abstractions (wrapper API), not concrete implementations (Win32/X11/Quartz).
+- **DRY**: Common logic belongs in `wrapper/` or `utils/`, not duplicated across platform backends.
+- **YAGNI**: Do not add speculative features. Implement what is needed now.
+- **Fail fast**: Raise clear, specific exceptions (`AutoControlMouseException`, `AutoControlKeyboardException`, etc.) at the point of failure. Do not silently swallow errors.
+- **Immutable data where possible**: Action lists and configuration should be treated as read-only once loaded.
+
+### Code Style
+
+- Follow PEP 8.
+- Use type hints for all public function signatures.
+- Keep functions focused and short — one function, one task.
+- Prefer composition over inheritance for extending functionality.
+- Remove dead code immediately — no commented-out blocks, no unused imports, no unreachable branches.
+
+## Commit Conventions
+
+- Write concise commit messages focused on **why**, not what.
+- **Do not mention any AI tools, assistants, or models in commit messages** — no "Co-Authored-By" AI attributions, no references to AI-generated code.
+- Use imperative mood: "Add feature", "Fix bug", "Remove unused code".
+- Examples:
+  - `Add image threshold parameter validation`
+  - `Fix mouse scroll direction on macOS`
+  - `Remove deprecated screen capture fallback`
+
+## Testing
+
+- **Unit tests**: `test/unit_test/` — test individual functions in isolation.
+- **Integration tests**: `test/integrated_test/` — test cross-module workflows.
+- **Manual tests**: `test/manual_test/` — require human verification (GUI, visual).
+- **GUI tests**: `test/gui_test/` — PySide6 interface tests.
+- All tests must pass before merging. Ensure cross-platform compatibility.
+
+## Key Conventions
+
+- All public API functions are exported from `je_auto_control/__init__.py` and listed in `__all__`.
+- JSON action command names use `AC_` prefix (e.g., `AC_click_mouse`).
+- Platform backends follow naming: `{platform}_{function}.py` (e.g., `win32_ctype_mouse_control.py`).
+- Virtual key mappings are in `core/utils/*_vk.py` per platform.

dev_requirements.txt

@@ -4,6 +4,6 @@ build
 twine
 sphinx
 sphinx-rtd-theme
-Pyside6==6.10.1
-qt-material
-mss
+PySide6==6.11.0
+qt-material==2.17
+mss==10.1.0

je_auto_control/__init__.py

@@ -99,7 +99,7 @@
 from je_auto_control.wrapper.auto_control_mouse import send_mouse_event_to_window
 from je_auto_control.wrapper.auto_control_mouse import set_mouse_position
 from je_auto_control.wrapper.auto_control_mouse import special_mouse_keys_table
-# test_record
+# record
 from je_auto_control.wrapper.auto_control_record import record
 from je_auto_control.wrapper.auto_control_record import stop_record
 # import screen
@@ -120,7 +120,7 @@
     "AutoControlScreenException", "ImageNotFoundException", "AutoControlJsonActionException",
     "AutoControlRecordException", "AutoControlActionNullException", "AutoControlActionException", "record",
     "stop_record", "read_action_json", "write_action_json", "execute_action", "execute_files", "executor",
-    "add_command_to_executor", "test_record_instance", "screenshot", "pil_screenshot",
+    "add_command_to_executor", "test_record_instance", "pil_screenshot",
     "generate_html", "generate_html_report", "generate_json", "generate_json_report", "generate_xml",
     "generate_xml_report", "get_dir_files_as_list", "create_project_dir", "start_autocontrol_socket_server",
     "callback_executor", "package_manager", "ShellManager", "default_shell_manager",

je_auto_control/gui/main_widget.py

@@ -1,22 +1,19 @@
 import json
-import sys
-from threading import Thread
 
 from PySide6.QtCore import QTimer, Signal, QObject
 from PySide6.QtGui import QIntValidator, QDoubleValidator, QKeyEvent, Qt
 from PySide6.QtWidgets import (
     QWidget, QLineEdit, QComboBox, QPushButton, QVBoxLayout, QLabel,
     QGridLayout, QHBoxLayout, QRadioButton, QButtonGroup, QMessageBox,
-    QTabWidget, QTextEdit, QFileDialog, QCheckBox, QGroupBox, QSplitter,
-    QListWidget
+    QTabWidget, QTextEdit, QFileDialog, QCheckBox, QGroupBox
 )
 
 from je_auto_control.gui.language_wrapper.multi_language_wrapper import language_wrapper
 from je_auto_control.wrapper.auto_control_keyboard import (
-    type_keyboard, press_keyboard_key, release_keyboard_key, hotkey, write, check_key_is_press
+    type_keyboard, hotkey, write
 )
 from je_auto_control.wrapper.auto_control_mouse import (
-    click_mouse, get_mouse_position, set_mouse_position, press_mouse, release_mouse, mouse_scroll
+    click_mouse, get_mouse_position, mouse_scroll
 )
 from je_auto_control.wrapper.auto_control_screen import screen_size, screenshot, get_pixel
 from je_auto_control.wrapper.auto_control_image import locate_all_image, locate_image_center, locate_and_click

je_auto_control/gui/main_window.py

@@ -1,7 +1,6 @@
 import sys
 
 from PySide6.QtWidgets import QMainWindow, QApplication, QComboBox, QLabel, QHBoxLayout, QWidget
-from PySide6.QtGui import QAction
 from qt_material import QtStyleTools
 
 from je_auto_control.gui.language_wrapper.multi_language_wrapper import language_wrapper

je_auto_control/osx/screen/osx_screen.py

@@ -1,6 +1,6 @@
 import sys
 import ctypes
-from ctypes import c_void_p, c_double, c_uint32
+from ctypes import c_void_p, c_uint32
 from typing import Tuple
 
 from je_auto_control.utils.exception.exception_tags import osx_import_error_message

je_auto_control/utils/executor/action_executor.py

@@ -1,6 +1,4 @@
-import builtins
 import types
-from inspect import getmembers, isbuiltin
 from typing import Any, Dict, List, Union
 
 from je_auto_control.utils.exception.exception_tags import (
@@ -107,10 +105,6 @@ def __init__(self):
             "AC_execute_process": start_exe,
         }
 
-        # 加入所有 Python 內建函式 Add all Python builtins
-        for function in getmembers(builtins, isbuiltin):
-            self.event_dict[str(function[0])] = function[1]
-
     def _execute_event(self, action: list) -> Any:
         """
         執行單一事件

je_auto_control/utils/file_process/get_dir_file_list.py

@@ -1,20 +1,22 @@
 from os import getcwd, walk
 from os.path import abspath, join
-from typing import List
+from typing import List, Optional
 
 
 def get_dir_files_as_list(
-    dir_path: str = getcwd(),
+    dir_path: Optional[str] = None,
     default_search_file_extension: str = ".json"
 ) -> List[str]:
     """
     Get all files in a directory that end with a specific extension.
     遍歷指定目錄，取得所有符合副檔名的檔案清單
 
-    :param dir_path: Directory path to search 要搜尋的目錄路徑
+    :param dir_path: Directory path to search 要搜尋的目錄路徑 (預設為呼叫時的當前工作目錄)
     :param default_search_file_extension: File extension to filter 要搜尋的副檔名 (預設 ".json")
     :return: List of absolute file paths 符合條件的檔案絕對路徑清單
     """
+    if dir_path is None:
+        dir_path = getcwd()
     extension = default_search_file_extension.lower()
     return [
         abspath(join(root, file))

je_auto_control/utils/project/create_project_structure.py

@@ -11,6 +11,8 @@
     template_keyword_1, template_keyword_2, bad_template_1
 )
 
+_project_lock = Lock()
+
 
 def create_dir(dir_name: str) -> None:
     """
@@ -47,17 +49,16 @@ def create_template(parent_name: str, project_path: str = None) -> None:
 
     keyword_dir_path = Path(project_path) / parent_name / "keyword"
     executor_dir_path = Path(project_path) / parent_name / "executor"
-    lock = Lock()
 
-    # 建立 keyword JSON 檔案 Create keyword JSON files
-    if keyword_dir_path.exists() and keyword_dir_path.is_dir():
-        write_action_json(str(keyword_dir_path / "keyword1.json"), template_keyword_1)
-        write_action_json(str(keyword_dir_path / "keyword2.json"), template_keyword_2)
-        write_action_json(str(keyword_dir_path / "bad_keyword_1.json"), bad_template_1)
+    with _project_lock:
+        # 建立 keyword JSON 檔案 Create keyword JSON files
+        if keyword_dir_path.exists() and keyword_dir_path.is_dir():
+            write_action_json(str(keyword_dir_path / "keyword1.json"), template_keyword_1)
+            write_action_json(str(keyword_dir_path / "keyword2.json"), template_keyword_2)
+            write_action_json(str(keyword_dir_path / "bad_keyword_1.json"), bad_template_1)
 
-    # 建立 executor Python 檔案 Create executor Python files
-    if executor_dir_path.exists() and executor_dir_path.is_dir():
-        with lock:
+        # 建立 executor Python 檔案 Create executor Python files
+        if executor_dir_path.exists() and executor_dir_path.is_dir():
             _write_file(
                 executor_dir_path / "executor_one_file.py",
                 executor_template_1.replace("{temp}", str(keyword_dir_path / "keyword1.json"))

je_auto_control/utils/xml/change_xml_structure/change_xml_structure.py

@@ -1,6 +1,6 @@
 from collections import defaultdict
 from xml.etree import ElementTree
-from typing import Union, Dict, Any
+from typing import Dict, Any
 
 
 def elements_tree_to_dict(elements_tree: ElementTree.Element) -> Dict[str, Any]: