Apply remaining CodeRabbit suggestions for PR AutoForgeAI#119

- review.py: Add path traversal validation for files parameter
- review.py: Fix session closure in try/finally block
- github_actions.py: CodeQL languages as list instead of comma-separated string
- design_tokens.py: Fix generate_all docstring (returns content strings)
- templates.py: Add path validation for project_dir in /apply endpoint
- security_scanner.py: Support pyproject.toml in pip-audit scans
- logs.py: Fix count filter mismatch (add tool_name/search params)
- git_workflow.py: Add confirm_clean param for destructive git clean
- git_workflow.py: Log config load errors instead of silently passing

Author: Agent-Planner

design_tokens.py

@@ -546,7 +546,7 @@ def generate_all(self, output_dir: Optional[Path] = None) -> dict:
             output_dir: Output directory (default: project root styles/)
 
         Returns:
-            Dict with paths to generated files
+            Dict with paths to generated files as strings
         """
         tokens = self.load()
         output = output_dir or self.project_dir / "src" / "styles"

git_workflow.py

@@ -514,8 +514,8 @@ def get_workflow(project_dir: Path) -> GitWorkflow:
         branch_prefix = git_config.get("branch_prefix", "feature/")
         main_branch = git_config.get("main_branch", "main")
         auto_merge = git_config.get("auto_merge", False)
-    except Exception:
-        pass
+    except Exception as e:
+        logger.debug(f"Could not load git_workflow config, using defaults: {e}")
 
     return GitWorkflow(
         project_dir,

integrations/ci/github_actions.py

@@ -395,7 +395,7 @@ def generate_security_workflow(project_dir: Path) -> GitHubWorkflow:
             "name": "Initialize CodeQL",
             "uses": "github/codeql-action/init@v3",
             "with": {
-                "languages": ", ".join(
+                "languages": list(
                     filter(None, [
                         "javascript" if stack["has_node"] else None,
                         "python" if stack["has_python"] else None,

security_scanner.py

@@ -471,9 +471,22 @@ def _run_pip_audit(self, result: ScanResult) -> None:
         # Try pip-audit first
         pip_audit_path = shutil.which("pip-audit")
         if pip_audit_path:
+            # Determine which file to audit
+            req_file = self.project_dir / "requirements.txt"
+            pyproject_file = self.project_dir / "pyproject.toml"
+            
+            if req_file.exists():
+                audit_args = ["pip-audit", "--format", "json", "-r", "requirements.txt"]
+            elif pyproject_file.exists():
+                # pip-audit can scan pyproject.toml directly without -r flag
+                audit_args = ["pip-audit", "--format", "json"]
+            else:
+                # No dependency file found, skip
+                return
+
             try:
                 proc = subprocess.run(
-                    ["pip-audit", "--format", "json", "-r", "requirements.txt"],
+                    audit_args,
                     cwd=self.project_dir,
                     capture_output=True,
                     text=True,

server/routers/logs.py

@@ -160,7 +160,14 @@ async def query_logs(
             offset=offset,
         )
 
-        total = query.count(level=level, agent_id=agent_id, feature_id=feature_id, since=since)
+        total = query.count(
+            level=level,
+            agent_id=agent_id,
+            feature_id=feature_id,
+            tool_name=tool_name,
+            search=search,
+            since=since,
+        )
 
         return LogQueryResponse(
             logs=[LogEntry(**log) for log in logs],

server/routers/review.py

@@ -148,6 +148,12 @@ async def run_code_review(request: RunReviewRequest):
     """
     project_dir = get_project_dir(request.project_name)
 
+    # Validate file paths to prevent directory traversal
+    if request.files:
+        for file_path in request.files:
+            if ".." in file_path or file_path.startswith("/") or file_path.startswith("\\"):
+                raise HTTPException(status_code=400, detail=f"Invalid file path: {file_path}")
+
     # Configure checks
     check_config = request.checks or {}
 
@@ -263,6 +269,7 @@ async def create_features_from_issues(request: CreateFeaturesRequest):
         raise HTTPException(status_code=404, detail="Project database not found")
 
     created_features = []
+    session = None
 
     try:
         session = get_session(db_path)
@@ -296,7 +303,6 @@ async def create_features_from_issues(request: CreateFeaturesRequest):
             )
 
         session.commit()
-        session.close()
 
         return CreateFeaturesResponse(
             created=len(created_features),
@@ -306,6 +312,9 @@ async def create_features_from_issues(request: CreateFeaturesRequest):
     except Exception as e:
         logger.error(f"Failed to create features: {e}")
         raise HTTPException(status_code=500, detail=str(e))
+    finally:
+        if session:
+            session.close()
 
 
 @router.delete("/reports/{project_name}/{filename}")

server/routers/templates.py

@@ -249,8 +249,12 @@ async def apply_template(request: ApplyRequest):
         if not template:
             raise HTTPException(status_code=404, detail=f"Template not found: {request.template_id}")
 
+        # Validate project_dir to prevent path traversal
+        if ".." in request.project_dir:
+            raise HTTPException(status_code=400, detail="Invalid project directory: path traversal not allowed")
+
         # Create project directory
-        project_dir = Path(request.project_dir)
+        project_dir = Path(request.project_dir).resolve()
         prompts_dir = project_dir / "prompts"
         prompts_dir.mkdir(parents=True, exist_ok=True)