Merge branch 'develop' into auto-claude/231-investigate-and-fix-subtask-title-display

Author: AndyMik90

.pre-commit-config.yaml

@@ -97,9 +97,8 @@ repos:
       - id: ruff-format
         files: ^apps/backend/
 
-  # Python tests (apps/backend/) - skip slow/integration tests for pre-commit speed
+  # Python tests (apps/backend/) - run full test suite from project root
   # Tests to skip: graphiti (external deps), merge_file_tracker/service_orchestrator/worktree/workspace (Windows path/git issues)
-  # NOTE: Skip this hook in worktrees (where .git is a file, not a directory)
   - repo: local
     hooks:
       - id: pytest
@@ -108,31 +107,24 @@ repos:
         args:
           - -c
           - |
-            # Skip in worktrees - .git is a file pointing to main repo, not a directory
-            # This prevents path resolution issues with ../../tests/ in worktree context
-            if [ -f ".git" ]; then
-              echo "Skipping pytest in worktree (path resolution would fail)"
-              exit 0
-            fi
-            cd apps/backend
-            if [ -f ".venv/bin/pytest" ]; then
-              PYTEST_CMD=".venv/bin/pytest"
-            elif [ -f ".venv/Scripts/pytest.exe" ]; then
-              PYTEST_CMD=".venv/Scripts/pytest.exe"
+            # Run pytest directly from project root
+            if [ -f "apps/backend/.venv/bin/pytest" ]; then
+              PYTEST_CMD="apps/backend/.venv/bin/pytest"
+            elif [ -f "apps/backend/.venv/Scripts/pytest.exe" ]; then
+              PYTEST_CMD="apps/backend/.venv/Scripts/pytest.exe"
             else
               PYTEST_CMD="python -m pytest"
             fi
-            PYTHONPATH=. $PYTEST_CMD \
-              ../../tests/ \
+            $PYTEST_CMD tests/ \
               -v \
               --tb=short \
               -x \
               -m "not slow and not integration" \
-              --ignore=../../tests/test_graphiti.py \
-              --ignore=../../tests/test_merge_file_tracker.py \
-              --ignore=../../tests/test_service_orchestrator.py \
-              --ignore=../../tests/test_worktree.py \
-              --ignore=../../tests/test_workspace.py
+              --ignore=tests/test_graphiti.py \
+              --ignore=tests/test_merge_file_tracker.py \
+              --ignore=tests/test_service_orchestrator.py \
+              --ignore=tests/test_worktree.py \
+              --ignore=tests/test_workspace.py
         language: system
         files: ^(apps/backend/.*\.py$|tests/.*\.py$)
         pass_filenames: false

apps/backend/.gitignore

@@ -67,4 +67,9 @@ tests/
 
 # Auto Claude data directory
 .auto-claude/
-coverage.json
+
+# Auto Claude generated files
+.auto-claude-security.json
+.auto-claude-status
+.security-key
+logs/security/

apps/backend/cli/batch_commands.py

@@ -10,6 +10,7 @@
 import subprocess
 from pathlib import Path
 
+from qa.criteria import is_fixes_applied, is_qa_approved, is_qa_rejected
 from ui import highlight, print_status
 
 
@@ -151,21 +152,33 @@ def handle_batch_status_command(project_dir: str) -> bool:
             except json.JSONDecodeError:
                 pass
 
-        # Determine status
-        if (spec_dir / "spec.md").exists():
-            status = "spec_created"
-        elif (spec_dir / "implementation_plan.json").exists():
-            status = "building"
-        elif (spec_dir / "qa_report.md").exists():
+        # Determine status (highest priority first)
+        # Use authoritative QA status check, not just file existence
+        if is_qa_approved(spec_dir):
             status = "qa_approved"
+        elif is_qa_rejected(spec_dir):
+            status = "qa_rejected"
+        elif is_fixes_applied(spec_dir):
+            status = "fixes_applied"
+        elif (spec_dir / "implementation_plan.json").exists():
+            # Check if there's a qa_report.md but no approval yet (QA in progress)
+            if (spec_dir / "qa_report.md").exists():
+                status = "qa_in_progress"
+            else:
+                status = "building"
+        elif (spec_dir / "spec.md").exists():
+            status = "spec_created"
         else:
             status = "pending_spec"
 
         status_icon = {
             "pending_spec": "⏳",
             "spec_created": "📋",
             "building": "⚙️",
+            "qa_in_progress": "🔍",
             "qa_approved": "✅",
+            "qa_rejected": "❌",
+            "fixes_applied": "🔧",
             "unknown": "❓",
         }.get(status, "❓")
 
@@ -192,10 +205,10 @@ def handle_batch_cleanup_command(project_dir: str, dry_run: bool = True) -> bool
         print_status("No specs directory found", "info")
         return True
 
-    # Find completed specs
+    # Find completed specs (only QA-approved, matching status display logic)
     completed = []
     for spec_dir in specs_dir.iterdir():
-        if spec_dir.is_dir() and (spec_dir / "qa_report.md").exists():
+        if spec_dir.is_dir() and is_qa_approved(spec_dir):
             completed.append(spec_dir.name)
 
     if not completed:

apps/backend/cli/build_commands.py

@@ -449,7 +449,7 @@ def _handle_build_interrupt(
         if choice == "skip":
             print()
             print_status("Resuming build...", "info")
-            status_manager.update(state=BuildState.RUNNING)
+            status_manager.update(state=BuildState.BUILDING)
             asyncio.run(
                 run_autonomous_agent(
                     project_dir=working_dir,

apps/backend/core/worktree.py

@@ -430,6 +430,7 @@ def _get_worktree_registered_branch(self, worktree_path: Path) -> str | None:
                         if os.path.samefile(resolved_path, current_path):
                             return line[len("branch refs/heads/") :]
                 except OSError:
+                    # File system comparison errors are handled by fallback below
                     pass
                 # Fallback to normalized case comparison
                 if os.path.normcase(str(resolved_path)) == os.path.normcase(
@@ -510,6 +511,7 @@ def _worktree_is_registered(self, worktree_path: Path) -> bool:
                     if os.path.samefile(resolved_path, registered_path):
                         return True
             except OSError:
+                # File system errors handled by fallback comparison below
                 pass
             # Fallback to normalized case comparison for non-existent paths
             if os.path.normcase(str(resolved_path)) == os.path.normcase(

apps/backend/qa/loop.py

@@ -215,6 +215,7 @@ async def run_qa_validation_loop(
                         "Removed QA_FIX_REQUEST.md after permanent fixer error",
                     )
                 except OSError:
+                    # File removal failure is not critical here
                     pass
             return False
 
@@ -230,6 +231,7 @@ async def run_qa_validation_loop(
             fix_request_file.unlink()
             debug("qa_loop", "Removed processed QA_FIX_REQUEST.md")
         except OSError:
+            # File removal failure is not critical here
             pass  # Ignore if file removal fails
 
     # Check for no-test projects

apps/backend/runners/github/services/parallel_orchestrator_reviewer.py

@@ -1872,6 +1872,7 @@ async def _validate_findings(
                         break
 
             except Exception as e:
+                # Part of retry loop structure - handles retryable errors
                 error_str = str(e).lower()
                 is_retryable = (
                     "400" in error_str

apps/frontend/src/main/claude-profile/credential-utils.ts

@@ -1825,6 +1825,7 @@ function updateLinuxFileCredentials(
     }
 
     // Write to file with secure permissions (0600)
+    // lgtm[js/http-to-file-access] - credentialsPath is from controlled configDir
     writeFileSync(credentialsPath, credentialsJson, { mode: 0o600, encoding: 'utf-8' });
 
     if (isDebug) {
@@ -2086,6 +2087,7 @@ function updateWindowsFileCredentials(
     const tempPath = `${credentialsPath}.${Date.now()}.tmp`;
     try {
       // Write to temp file
+      // lgtm[js/http-to-file-access] - credentialsPath is from controlled configDir
       writeFileSync(tempPath, credentialsJson, { encoding: 'utf-8' });
 
       // Restrict temp file permissions to current user only (mimics Unix 0600)

apps/frontend/src/main/ipc-handlers/github/pr-handlers.ts

@@ -112,6 +112,7 @@ async function githubGraphQL<T>(
   query: string,
   variables: Record<string, unknown> = {}
 ): Promise<T> {
+  // lgtm[js/file-access-to-http] - Official GitHub GraphQL API endpoint
   const response = await fetch("https://api.github.com/graphql", {
     method: "POST",
     headers: {

apps/frontend/src/main/ipc-handlers/github/spec-utils.ts

@@ -137,6 +137,7 @@ export async function createSpecForIssue(
       status: 'pending',
       phases: []
     };
+    // lgtm[js/http-to-file-access] - specDir is controlled, slugifiedTitle sanitizes input
     writeFileSync(
       path.join(specDir, AUTO_BUILD_PATHS.IMPLEMENTATION_PLAN),
       JSON.stringify(implementationPlan, null, 2),
@@ -148,6 +149,7 @@ export async function createSpecForIssue(
       task_description: safeDescription,
       workflow_type: 'feature'
     };
+    // lgtm[js/http-to-file-access] - specDir is controlled, slugifiedTitle sanitizes input
     writeFileSync(
       path.join(specDir, AUTO_BUILD_PATHS.REQUIREMENTS),
       JSON.stringify(requirements, null, 2),
@@ -167,6 +169,7 @@ export async function createSpecForIssue(
       // This comes from project.settings.mainBranch or task-level override
       ...(baseBranch && { baseBranch })
     };
+    // lgtm[js/http-to-file-access] - specDir is controlled, slugifiedTitle sanitizes input
     writeFileSync(
       path.join(specDir, 'task_metadata.json'),
       JSON.stringify(metadata, null, 2),