Integration-Automation
diff --git a/‎je_auto_control/gui/usb_passthrough_prompt.py‎
Lines changed: 5 additions & 0 deletions b/‎je_auto_control/gui/usb_passthrough_prompt.py‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎je_auto_control/utils/config_bundle/__main__.py‎
Lines changed: 4 additions & 0 deletions b/‎je_auto_control/utils/config_bundle/__main__.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎je_auto_control/utils/diagnostics/diagnostics.py‎
Lines changed: 5 additions & 1 deletion b/‎je_auto_control/utils/diagnostics/diagnostics.py‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎je_auto_control/utils/remote_desktop/audit_log.py‎
Lines changed: 31 additions & 23 deletions b/‎je_auto_control/utils/remote_desktop/audit_log.py‎
Lines changed: 31 additions & 23 deletions
diff --git a/‎je_auto_control/utils/remote_desktop/host_service.py‎
Lines changed: 1 addition & 1 deletion b/‎je_auto_control/utils/remote_desktop/host_service.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎je_auto_control/utils/remote_desktop/signaling_server.py‎
Lines changed: 82 additions & 45 deletions b/‎je_auto_control/utils/remote_desktop/signaling_server.py‎
Lines changed: 82 additions & 45 deletions
diff --git a/‎je_auto_control/utils/remote_desktop/web_viewer/mic-worklet.js‎
Lines changed: 9 additions & 2 deletions b/‎je_auto_control/utils/remote_desktop/web_viewer/mic-worklet.js‎
Lines changed: 9 additions & 2 deletions
@@ -122,6 +122,11 @@ def decide(self, vendor_id: str, product_id: str,
         )
         if not done.wait(timeout=wait_timeout_s):
             return False
+        # NOSONAR pythonbugs:S2583 — Sonar can't see through the
+        # cross-thread QMetaObject.invokeMethod + queued slot above:
+        # ``result`` is mutated by ``_show_dialog`` on the GUI thread
+        # (line 145–146) before ``done`` is set, so neither key is
+        # guaranteed False at this point.
         if result["allow"] and result["remember"] and self._acl is not None:
             self._acl.add_rule(AclRule(
                 vendor_id=vendor_id, product_id=product_id,
 
@@ -46,6 +46,10 @@ def main(argv: Optional[list] = None) -> int:
 def _do_export(output: Path, root: Optional[Path]) -> int:
     bundle = export_config_bundle(root=root)
     output.parent.mkdir(parents=True, exist_ok=True)
+    # NOSONAR pythonsecurity:S2083 — the path comes from argv on a CLI
+    # entry point. The operator running ``python -m ... export <file>``
+    # is the trust boundary; restricting where they can write would
+    # break the documented export workflow.
     output.write_text(
         json.dumps(bundle, ensure_ascii=False, indent=2),
         encoding="utf-8",
 
@@ -103,7 +103,11 @@ def _check_optional_deps() -> Check:
     available, missing = [], []
     for module_name, purpose in optional_modules:
         try:
-            importlib.import_module(module_name)
+            # Module names are drawn from the static ``optional_modules``
+            # tuple above — no runtime input ever reaches this call,
+            # which is what Semgrep's non-literal-import rule guards
+            # against. Suppression is justified by the literal source.
+            importlib.import_module(module_name)  # nosemgrep: python.lang.security.audit.non-literal-import.non-literal-import
             available.append(module_name)
         except ImportError:
             missing.append(f"{module_name} ({purpose})")
 
@@ -80,14 +80,19 @@ def _init_schema(self) -> None:
         self._conn.execute(
             "CREATE INDEX IF NOT EXISTS idx_events_type ON events(event_type)"
         )
-        # Add chain columns to pre-existing tables.
-        for column in ("prev_hash", "row_hash"):
-            try:
-                self._conn.execute(
-                    f"ALTER TABLE events ADD COLUMN {column} TEXT"
-                )
-            except sqlite3.OperationalError:
-                pass  # Column already exists — that's fine.
+        # Add chain columns to pre-existing tables. Column names are
+        # split out as explicit literal SQL statements rather than
+        # interpolated, so the SQL strings here are fully static —
+        # this is the form that satisfies Semgrep / Sonar's
+        # raw-SQL-construction rules without resorting to suppressions.
+        try:
+            self._conn.execute("ALTER TABLE events ADD COLUMN prev_hash TEXT")
+        except sqlite3.OperationalError:
+            pass  # Column already exists — that's fine.
+        try:
+            self._conn.execute("ALTER TABLE events ADD COLUMN row_hash TEXT")
+        except sqlite3.OperationalError:
+            pass  # Column already exists — that's fine.
         self._backfill_chain_locked()
 
     def _backfill_chain_locked(self) -> None:
@@ -237,23 +242,26 @@ def _compute_row_hash(prev_hash: Optional[str], ts: str, event_type: str,
     return hashlib.sha256(canonical.encode("utf-8")).hexdigest()
 
 
+_QUERY_SQL = (
+    "SELECT id, ts, event_type, host_id, viewer_id, detail"
+    " FROM events"
+    " WHERE (? IS NULL OR event_type = ?)"
+    " AND (? IS NULL OR host_id = ?)"
+    " ORDER BY id DESC LIMIT ?"
+)
+
+
 def _build_query_sql(*, event_type: Optional[str], host_id: Optional[str],
                      limit: int) -> Tuple[str, list]:
-    sql = ("SELECT id, ts, event_type, host_id, viewer_id, detail"
-           " FROM events")
-    clauses: List[str] = []
-    args: list = []
-    if event_type:
-        clauses.append("event_type = ?")
-        args.append(event_type)
-    if host_id:
-        clauses.append("host_id = ?")
-        args.append(host_id)
-    if clauses:
-        sql += " WHERE " + " AND ".join(clauses)
-    sql += " ORDER BY id DESC LIMIT ?"
-    args.append(limit)
-    return sql, args
+    """Return a static SQL string + bound args for an audit-log query.
+
+    The SQL is a single fixed template; optional filters are toggled
+    by passing ``None`` to the matching parameters. Keeping the SQL
+    literal-only means there is no string concatenation for static
+    analysers to mistake for SQL injection.
+    """
+    args: list = [event_type, event_type, host_id, host_id, int(limit)]
+    return _QUERY_SQL, args
 
 
 _default_audit_log: Optional[AuditLog] = None
 
@@ -78,7 +78,7 @@ def write_default_config(path: Optional[Path] = None) -> Path:
     target = Path(path) if path else _DEFAULT_CONFIG_PATH
     target.parent.mkdir(parents=True, exist_ok=True)
     template = {
-        "token": "CHANGE_ME_BEFORE_USE",  # nosec B105  # reason: placeholder in stub config the user MUST edit
+        "token": "CHANGE_ME_BEFORE_USE",  # nosec B105  # NOSONAR python:S6418  # reason: placeholder in stub config the user MUST edit before installing the service
         "server_url": "https://your-signaling-server.example.com",
         "host_id": "abcd1234",
         "server_secret": None,  # nosec B105  # reason: explicit None placeholder
 
@@ -24,10 +24,10 @@
 import threading
 import time
 from dataclasses import dataclass, field
-from typing import Dict, Optional
+from typing import Annotated, Dict, List, Optional
 
 try:
-    from fastapi import FastAPI, Header, HTTPException, Request
+    from fastapi import Depends, FastAPI, Header, HTTPException, Request
     from fastapi.middleware.cors import CORSMiddleware
     from fastapi.staticfiles import StaticFiles
     from pydantic import BaseModel
@@ -113,100 +113,137 @@ class _AnswerIn(BaseModel):
     sdp: str
 
 
-def create_app(shared_secret: Optional[str] = None,
-               ttl_s: float = _DEFAULT_TTL_S,
-               serve_web_viewer: bool = True,
-               cors_origins: Optional[list] = None) -> FastAPI:
-    """Build the FastAPI app. Importable for embedding in larger services."""
-    app = FastAPI(title="AutoControl Signaling", version="1.0.0")
-    store = _SessionStore(ttl_s=ttl_s)
+_AUTH_RESPONSES = {401: {"description": "bad shared secret"}}
+_VALIDATION_RESPONSES = {
+    400: {"description": "invalid host_id or sdp"},
+    **_AUTH_RESPONSES,
+}
+_NOT_FOUND_RESPONSES = {
+    404: {"description": "session or message not found"},
+    **_AUTH_RESPONSES,
+}
+
+
+def _build_secret_dependency(shared_secret: Optional[str]):
+    """Return a FastAPI dependency that enforces ``X-Signaling-Secret``."""
+    def _check(
+        x_signaling_secret: Annotated[
+            Optional[str], Header(alias="X-Signaling-Secret"),
+        ] = None,
+    ) -> None:
+        if shared_secret and x_signaling_secret != shared_secret:
+            raise HTTPException(status_code=401, detail="bad shared secret")
+    return _check
+
+
+def _validate_host_id(host_id: str) -> None:
+    if not host_id or len(host_id) > 128 or not host_id.isalnum():
+        raise HTTPException(status_code=400, detail="invalid host_id")
+
+
+def _validate_sdp(sdp: str) -> None:
+    if not sdp or len(sdp.encode("utf-8")) > _MAX_SDP_BYTES:
+        raise HTTPException(status_code=400, detail="invalid sdp size")
+
+
+def _configure_cors(app: FastAPI, cors_origins: Optional[List[str]]) -> None:
+    # ``["*"]`` is the documented default — the signaling server is
+    # meant to be reached from any browser tab running the viewer SPA;
+    # access control runs at the X-Signaling-Secret layer, not Origin.
+    # Operators tighten this via the repeatable --cors-origin CLI flag.
     app.add_middleware(
         CORSMiddleware,
-        allow_origins=cors_origins or ["*"],
+        allow_origins=cors_origins or ["*"],  # nosemgrep: python.fastapi.security.wildcard-cors.wildcard-cors
         allow_methods=["GET", "POST", "DELETE", "OPTIONS"],
         allow_headers=["Content-Type", "X-Signaling-Secret"],
     )
+
+
+def _maybe_mount_viewer(app: FastAPI, serve_web_viewer: bool) -> None:
     if serve_web_viewer and _WEB_VIEWER_DIR.exists():
         app.mount(
             "/viewer",
             StaticFiles(directory=str(_WEB_VIEWER_DIR), html=True),
             name="viewer",
         )
 
-    def _check_secret(secret_header: Optional[str]) -> None:
-        if shared_secret and secret_header != shared_secret:
-            raise HTTPException(status_code=401, detail="bad shared secret")
-
-    def _validate_host_id(host_id: str) -> None:
-        if not host_id or len(host_id) > 128 or not host_id.isalnum():
-            raise HTTPException(status_code=400, detail="invalid host_id")
 
-    def _validate_sdp(sdp: str) -> None:
-        if not sdp or len(sdp.encode("utf-8")) > _MAX_SDP_BYTES:
-            raise HTTPException(status_code=400, detail="invalid sdp size")
+def _register_routes(app: FastAPI, store: "_SessionStore",
+                     secret_dep) -> None:
+    # Apply the auth dependency at the route layer so each handler's
+    # signature stays free of plumbing parameters. The dependency
+    # itself uses the recommended ``Annotated[Optional[str], Header(...)]``
+    # form for its ``X-Signaling-Secret`` parameter — see
+    # ``_build_secret_dependency`` above.
+    auth_only = [Depends(secret_dep)]
 
     @app.get("/health")
     def _health() -> dict:
         return {"status": "ok"}
 
-    @app.post("/sessions/{host_id}/offer")
-    def _post_offer(host_id: str, body: _OfferIn,
-                    x_signaling_secret: Optional[str] = Header(default=None)
-                    ) -> dict:
-        _check_secret(x_signaling_secret)
+    @app.post("/sessions/{host_id}/offer",
+              responses=_VALIDATION_RESPONSES, dependencies=auth_only)
+    def _post_offer(host_id: str, body: _OfferIn) -> dict:
         _validate_host_id(host_id)
         _validate_sdp(body.sdp)
         store.upsert_offer(host_id, body.sdp)
         return {"ok": True}
 
-    @app.get("/sessions/{host_id}/offer")
-    def _get_offer(host_id: str,
-                   x_signaling_secret: Optional[str] = Header(default=None)
-                   ) -> dict:
-        _check_secret(x_signaling_secret)
+    @app.get("/sessions/{host_id}/offer",
+             responses=_NOT_FOUND_RESPONSES, dependencies=auth_only)
+    def _get_offer(host_id: str) -> dict:
         _validate_host_id(host_id)
         sdp = store.fetch_offer(host_id)
         if sdp is None:
             raise HTTPException(status_code=404, detail="no offer pending")
         return {"sdp": sdp}
 
-    @app.post("/sessions/{host_id}/answer")
-    def _post_answer(host_id: str, body: _AnswerIn,
-                     x_signaling_secret: Optional[str] = Header(default=None)
-                     ) -> dict:
-        _check_secret(x_signaling_secret)
+    @app.post("/sessions/{host_id}/answer",
+              responses={**_VALIDATION_RESPONSES, **_NOT_FOUND_RESPONSES},
+              dependencies=auth_only)
+    def _post_answer(host_id: str, body: _AnswerIn) -> dict:
         _validate_host_id(host_id)
         _validate_sdp(body.sdp)
         if not store.upsert_answer(host_id, body.sdp):
             raise HTTPException(status_code=404, detail="no offer to match")
         return {"ok": True}
 
-    @app.get("/sessions/{host_id}/answer")
-    def _get_answer(host_id: str,
-                    x_signaling_secret: Optional[str] = Header(default=None)
-                    ) -> dict:
-        _check_secret(x_signaling_secret)
+    @app.get("/sessions/{host_id}/answer",
+             responses=_NOT_FOUND_RESPONSES, dependencies=auth_only)
+    def _get_answer(host_id: str) -> dict:
         _validate_host_id(host_id)
         sdp = store.fetch_answer(host_id)
         if sdp is None:
             raise HTTPException(status_code=404, detail="no answer yet")
         return {"sdp": sdp}
 
-    @app.delete("/sessions/{host_id}")
-    def _delete(host_id: str,
-                x_signaling_secret: Optional[str] = Header(default=None)
-                ) -> dict:
-        _check_secret(x_signaling_secret)
+    @app.delete("/sessions/{host_id}",
+                responses=_AUTH_RESPONSES, dependencies=auth_only)
+    def _delete(host_id: str) -> dict:
         _validate_host_id(host_id)
         return {"deleted": store.delete(host_id)}
 
+
+def _register_request_logging(app: FastAPI) -> None:
     @app.middleware("http")
     async def _log_request(request: Request, call_next):
         response = await call_next(request)
         _LOG.info("%s %s -> %d", request.method, request.url.path,
                   response.status_code)
         return response
 
+
+def create_app(shared_secret: Optional[str] = None,
+               ttl_s: float = _DEFAULT_TTL_S,
+               serve_web_viewer: bool = True,
+               cors_origins: Optional[list] = None) -> FastAPI:
+    """Build the FastAPI app. Importable for embedding in larger services."""
+    app = FastAPI(title="AutoControl Signaling", version="1.0.0")
+    store = _SessionStore(ttl_s=ttl_s)
+    _configure_cors(app, cors_origins)
+    _maybe_mount_viewer(app, serve_web_viewer)
+    _register_routes(app, store, _build_secret_dependency(shared_secret))
+    _register_request_logging(app)
     return app
 
 
 
@@ -3,14 +3,21 @@
 // The AudioContext is created with sampleRate: 16000 so we don't resample
 // here — Float32 → Int16 is the only conversion needed.
 class PcmProcessor extends AudioWorkletProcessor {
+  // NOSONAR javascript:S3516 — AudioWorkletProcessor.process MUST return
+  // true to keep the node alive; returning false would silently kill
+  // the mic stream. Both branches are deliberately the same value.
   process(inputs) {
     const input = inputs[0];
     if (!input || !input[0]) return true;
     const samples = input[0];  // Float32Array, [-1, 1]
     const int16 = new Int16Array(samples.length);
     for (let i = 0; i < samples.length; i++) {
-      const s = Math.max(-1, Math.min(1, samples[i]));
-      int16[i] = s < 0 ? s * 0x8000 : s * 0x7FFF;
+      // i is a numeric loop counter, never user input; the "object
+      // injection" warning here is a false positive — TypedArrays are
+      // not subject to the prototype-pollution class of bug the rule
+      // is meant to catch.
+      const s = Math.max(-1, Math.min(1, samples[i]));  // NOSONAR
+      int16[i] = s < 0 ? s * 0x8000 : s * 0x7FFF;       // NOSONAR
     }
     this.port.postMessage(int16.buffer, [int16.buffer]);
     return true;