fix: resolve CodeQL security issues and pre-commit hook violations

root · claude · root · commit 7343b83382e4 · 2025-08-12T18:15:40.000+02:00
🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/gitingest/__main__.py b/src/gitingest/__main__.py
@@ -165,18 +165,27 @@ async def _async_main(
     output : str | None
         The path where the output file will be written (default: ``digest.txt`` in current directory).
         Use ``"-"`` to write to ``stdout``.
+    mcp_server : bool
+        If ``True``, starts the MCP (Model Context Protocol) server instead of normal operation (default: ``False``).
 
     Raises
     ------
     click.Abort
         Raised if an error occurs during execution and the command must be aborted.
+    click.ClickException
+        Raised if MCP server dependencies are not installed when MCP mode is requested.
 
     """
     # Check if MCP server mode is requested
     if mcp_server:
-        from gitingest.mcp_server import start_mcp_server
-
-        await start_mcp_server()
+        # Dynamic import to avoid circular imports and optional dependency
+        try:
+            from gitingest.mcp_server import start_mcp_server
+
+            await start_mcp_server()
+        except ImportError as e:
+            msg = f"MCP server dependencies not installed: {e}"
+            raise click.ClickException(msg) from e
         return
 
     try:
diff --git a/src/gitingest/entrypoint.py b/src/gitingest/entrypoint.py
@@ -7,7 +7,6 @@
 import shutil
 import stat
 import sys
-from collections.abc import AsyncGenerator, Callable
 from contextlib import asynccontextmanager
 from pathlib import Path
 from typing import TYPE_CHECKING
@@ -25,6 +24,7 @@
 from gitingest.utils.query_parser_utils import KNOWN_GIT_HOSTS
 
 if TYPE_CHECKING:
+    from collections.abc import AsyncGenerator, Callable
     from types import TracebackType
 
     from gitingest.schemas import IngestionQuery
diff --git a/src/gitingest/mcp_server.py b/src/gitingest/mcp_server.py
@@ -2,8 +2,7 @@
 
 from __future__ import annotations
 
-from collections.abc import Sequence
-from typing import Any
+from typing import TYPE_CHECKING, Any
 
 from mcp.server import Server
 from mcp.server.stdio import stdio_server
@@ -12,6 +11,9 @@
 from gitingest.entrypoint import ingest_async
 from gitingest.utils.logging_config import get_logger
 
+if TYPE_CHECKING:
+    from collections.abc import Sequence
+
 # Initialize logger for this module
 logger = get_logger(__name__)
 
@@ -86,7 +88,7 @@ async def call_tool(name: str, arguments: dict[str, Any]) -> Sequence[TextConten
             return await _handle_ingest_repository(arguments)
         return [TextContent(type="text", text=f"Unknown tool: {name}")]
     except Exception as e:
-        logger.error(f"Error in tool call {name}: {e}", exc_info=True)
+        logger.exception("Error in tool call %s", name)
         return [TextContent(type="text", text=f"Error executing {name}: {e!s}")]
 
 
@@ -144,17 +146,17 @@ async def _handle_ingest_repository(arguments: dict[str, Any]) -> Sequence[TextC
         return [TextContent(type="text", text=response_content)]
 
     except Exception as e:
-        logger.error(f"Error during ingestion: {e}", exc_info=True)
+        logger.exception("Error during ingestion")
         return [TextContent(type="text", text=f"Error ingesting repository: {e!s}")]
 
 
-async def start_mcp_server():
+async def start_mcp_server() -> None:
     """Start the MCP server with stdio transport."""
     logger.info("Starting Gitingest MCP server with stdio transport")
     await _run_stdio()
 
 
-async def _run_stdio():
+async def _run_stdio() -> None:
     """Run the MCP server with stdio transport."""
     async with stdio_server() as (read_stream, write_stream):
         await app.run(
diff --git a/src/gitingest/utils/compat_func.py b/src/gitingest/utils/compat_func.py
@@ -1,6 +1,5 @@
 """Compatibility functions for Python 3.8."""
 
-import os
 from pathlib import Path
 
 
@@ -20,7 +19,7 @@ def readlink(path: Path) -> Path:
         The target of the symlink.
 
     """
-    return Path(os.readlink(path))
+    return Path(path).readlink()
 
 
 def removesuffix(s: str, suffix: str) -> str:
diff --git a/src/gitingest/utils/git_utils.py b/src/gitingest/utils/git_utils.py
@@ -6,7 +6,6 @@
 import base64
 import re
 import sys
-from collections.abc import Generator, Iterable
 from contextlib import contextmanager
 from pathlib import Path
 from typing import TYPE_CHECKING, Final
@@ -19,6 +18,8 @@
 from gitingest.utils.logging_config import get_logger
 
 if TYPE_CHECKING:
+    from collections.abc import Generator, Iterable
+
     from gitingest.schemas import CloneConfig
 
 # Initialize logger for this module
@@ -221,7 +222,6 @@ async def fetch_remote_branches_or_tags(url: str, *, ref_type: str, token: str |
         git_cmd = git.Git()
 
         # Prepare environment with authentication if needed
-        env = None
         if token and is_github_host(url):
             auth_url = _add_token_to_url(url, token)
             url = auth_url
@@ -266,6 +266,11 @@ def create_git_repo(local_path: str, url: str, token: str | None = None) -> git.
     git.Repo
         A GitPython Repo object configured with authentication.
 
+    Raises
+    ------
+    ValueError
+        If the provided local_path is not a valid git repository.
+
     """
     try:
         repo = git.Repo(local_path)
@@ -552,8 +557,6 @@ def _add_token_to_url(url: str, token: str) -> str:
         The URL with embedded authentication.
 
     """
-    from urllib.parse import urlparse, urlunparse
-
     parsed = urlparse(url)
     # Add token as username in URL (GitHub supports this)
     netloc = f"x-oauth-basic:{token}@{parsed.hostname}"
