Code Quality: PR #396 #1174
codeql
on: dynamic
Matrix: analyze
Annotations
3 errors and 4 warnings
createBaseRenderSession.finalize discards all collected fragments:
src/rendering/render.ts#L82
The base session collects emitted fragments into the `fragments` array, but `finalize()` now passes `items: []` to the hook instead of `fragments`. For the `text` and `raw` strategies, whose `finalize` hooks render `input.items`, this means every fragment emitted via `session.emit(...)` is silently dropped at finalization. Callers that build a render session, emit fragments, and then call `finalize()` will get output that omits all transcript content (compiler diagnostics, status messages, process lines accumulated for non-streaming consumers, etc.), leaving only structured output and next-steps in the rendered text.
[WNY-HKV] createBaseRenderSession.finalize discards all collected fragments (additional location):
src/rendering/render.ts#L172
[WNY-HKV] createBaseRenderSession.finalize discards all collected fragments (additional location):
src/integrations/xcode-tools-bridge/manager.ts#L182
Snapshot helper invokes real xcrun and pgrep instead of injected dependencies:
src/snapshot-tests/xcode-ide-availability.ts#L1
`isXcodeIdeBridgeAvailable` calls `execSync('xcrun --find mcpbridge')` and `execSync('pgrep -x Xcode')` directly. Per the skill's guardrails, unit/snapshot tests must inject command/filesystem/external dependencies and must not call real `xcrun` (or other system tools used to probe devices/Xcode). Using `execSync` here couples the snapshot suite's behavior to the host machine's Xcode installation and runtime state, which is exactly the kind of real external invocation the boundary rules forbid.
Daemon runtime no longer receives thrown error from failed direct handler:
src/runtime/tool-invoker.ts#L599
Previously, when `opts.runtime === 'daemon'` and the direct tool handler threw, the error was re-thrown so the daemon could propagate it to the client. The new code removes that `throw` and instead only calls `emitExplicitRuntimeError`. If the daemon relies on a thrown exception to mark the invocation as failed (e.g. for status/exit codes or RPC error responses), this is a silent behavioral/backwards-compatibility change that could cause failed daemon-internal invocations to appear successful to callers.
listToolsTool no longer defaults to forcing a tool catalog refresh:
src/integrations/xcode-tools-bridge/manager.ts#L182
Previously `this.service.listTools({ refresh: params.refresh !== false })` defaulted to `refresh: true` when callers did not specify the flag, which forced a fresh fetch from the bridge. The new code passes `params.refresh` directly, so when the caller omits `refresh` the value becomes `undefined`. In `tool-service.ts`, `listTools()` only refreshes when `opts.refresh === true`, so omitted-refresh callers now silently receive cached tools. This is a user-visible behavior regression for any API/CLI caller that previously relied on the default-refresh behavior of `xcode_ide_list_tools`.
renderTranscript with 'cli-text' strategy discards all input:
src/rendering/render.ts#L172
The refactored `renderTranscript` calls `createRenderHooks(strategy, ...).finalize(input)` directly, bypassing the session machinery. For the `'cli-text'` strategy, the returned `finalize` hook is `() => { renderer.finalize(); return ''; }` — it ignores its `input` argument entirely, so items, structuredOutput, and nextSteps are never fed to the renderer (they normally arrive via `onEmit`/`onSetStructuredOutput`/`onSetNextSteps`). Any caller passing `'cli-text'` to `renderTranscript` (or to `renderFragments`, which delegates here) will get an empty string and a renderer that never received the data. The `'text'` and `'raw'` cases happen to work because their `finalize` hooks consume `input` directly.