Harden source validation in live bounty checker scripts (#1145) #1172

Open

yanyishuai wants to merge 1 commit into ramimbo:main from yanyishuai:fix/issue-1145-source-validation

Conversation

@yanyishuai


Summary

  • Reject empty / whitespace-only --input and --repo values up front in scripts/check_bounty_issue_states.py and scripts/check_live_bounty_closing_refs.py.
  • Choose fixture vs live mode using explicit presence checks (is not None) after validation, not string truthiness.
  • Move the existing --fix requires --repo, not --input check into the new validator so it surfaces a clean argparse error instead of a SystemExit message.

Why

argparse happily accepts "" or " " for a required=True source argument, and the previous if args.input: / else load_live_data(...) branches then silently selected the wrong runtime path or fell through to a raw gh traceback. The new _validate_source_args helpers fail fast with bounded CLI errors and keep existing valid fixture / live / --fix behavior intact.

Behavior

  • --input "", --input " ", --repo "", --repo " ": argparse error, no gh call, no traceback.
  • --fix --input ...: argparse error (was SystemExit).
  • Valid fixture mode (--input path/to/fixture.json): unchanged.
  • Valid live mode (--repo owner/name): unchanged.
  • Valid --fix --repo ...: unchanged.

Tests

  • Full suite (pytest tests/): 924 passed.
  • Manual: python scripts/check_bounty_issue_states.py --input "" and --repo " " exit with error: --input/--repo must not be empty or whitespace-only and no traceback.
  • Manual: python scripts/check_live_bounty_closing_refs.py --input " " exits with the same shape of error.

Closes #1145

Solana wallet for bounty payout: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE
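The argparse hardening described in the summary above, as an added illustration that is not the project's own scripts: a hypothetical `check_bounty_demo` front end with the same three rules (reject empty or whitespace-only source values, pick the mode by presence rather than truthiness, route the `--fix` constraint through the validator), beside the pre-fix truthiness pattern so the silent misrouting is visible. The parser layout (mutually exclusive required group) is an assumption.

```python
import argparse
from typing import Optional, Tuple


def build_parser() -> argparse.ArgumentParser:
    # Hypothetical stand-in for the checker scripts' CLI: exactly one source
    # (--input fixture file or --repo owner/name) plus an optional --fix flag.
    parser = argparse.ArgumentParser(prog="check_bounty_demo")
    source = parser.add_mutually_exclusive_group(required=True)
    source.add_argument("--input", help="fixture JSON path (offline mode)")
    source.add_argument("--repo", help="owner/name to query live")
    parser.add_argument("--fix", action="store_true", help="apply fixes (live only)")
    return parser


def validate_source_args(parser: argparse.ArgumentParser, args: argparse.Namespace) -> None:
    # argparse accepts "" and " " for a required option; reject them here so the
    # failure is a bounded CLI error, not a traceback from a later gh call.
    for name in ("input", "repo"):
        value = getattr(args, name)
        if value is not None and not value.strip():
            parser.error(f"--{name} must not be empty or whitespace-only")
    # The --fix constraint lives in the validator too, so it reports the same way.
    if args.fix and args.repo is None:
        parser.error("--fix requires --repo, not --input")


def select_mode(argv: list) -> Tuple[str, str]:
    parser = build_parser()
    args = parser.parse_args(argv)
    validate_source_args(parser, args)
    # Presence check (is not None), not truthiness, decides the runtime path.
    if args.input is not None:
        return ("fixture", args.input)
    return ("live", args.repo)


def select_mode_legacy(argv: list) -> Tuple[str, Optional[str]]:
    # Pre-fix pattern: truthiness decides, so --input "" silently becomes a
    # live run with repo=None instead of a fixture run.
    args = build_parser().parse_args(argv)
    if args.input:
        return ("fixture", args.input)
    return ("live", args.repo)


def run(argv: list) -> Tuple[int, Optional[str], Optional[str]]:
    # Surface argparse's exit status (2) instead of an uncaught SystemExit.
    try:
        mode, source = select_mode(argv)
    except SystemExit as exc:
        return (int(exc.code), None, None)
    return (0, mode, source)
```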

@coderabbitai

coderabbitai Bot commented Jun 28, 2026


Warning

Review limit reached

@yanyishuai, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 46 minutes and 28 seconds. Learn how PR review limits work.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c96203bd-8654-4ec4-949c-288038936619

📥 Commits

Reviewing files that changed from the base of the PR and between 3bc87d2 and 646ebac.

📒 Files selected for processing (10)
  • app/accounts.py
  • app/work_discovery.py
  • docs/agent-guide.md
  • scripts/check_bounty_issue_states.py
  • scripts/check_live_bounty_closing_refs.py
  • scripts/claim_inventory.py
  • tests/run_safety_caps.py
  • tests/test_account_validation.py
  • tests/test_claim_inventory.py
  • tests/test_work_discovery.py


@qingfeng312 qingfeng312 left a comment


Finding:

  • [P1] Normalize formatting before this source-validation hardening PR can merge. The current head 06b7a26a494a14087f8d4297a2ef51937dfa8287 passes the full pytest run (916 passed, 1 warning), but CI fails at ruff format --check .. The formatter reports three files requiring reformatting: app/work_discovery.py, tests/run_safety_caps.py, and tests/test_account_validation.py. Please run the project formatter and push only the formatting delta.

Evidence checked:

  • PR #1172 is open, non-draft, and authored by another account.
  • Inspected the changed file list covering app/work_discovery.py, scripts/check_bounty_issue_states.py, scripts/check_live_bounty_closing_refs.py, scripts/claim_inventory.py, tests/run_safety_caps.py, and related tests/docs.
  • Checked CI run 28329645698: pytest passed, then ruff format --check . failed on the three files above.

Scope boundary: review evidence only. No wallet signing, treasury mutation, payout execution, exchange, bridge, private data, credentials, or secrets involved.

@yanyishuai yanyishuai force-pushed the fix/issue-1145-source-validation branch from 4546912 to 646ebac on June 29, 2026 04:53
@yanyishuai

Author

@qingfeng312 Formatting + lint fixes pushed (stacked on #983).

  • Same formatter/lint cleanup for the shared helper files in this stack
  • Source-validation hardening unchanged functionally

Latest head: 646ebac1d9f6. CI: pass. Please re-review.

@yanyishuai

Author

@qingfeng312 CI is green on the latest head (646ebac1d9f6) for #1145. Could you take another look when you have a moment?

@qingfeng312 qingfeng312 left a comment


Follow-up on current head 646ebac1d9f659adffd26d4bea90370fa1f62759.

The earlier formatter blocker has been resolved. I rechecked the updated source-validation changes in scripts/check_bounty_issue_states.py and scripts/check_live_bounty_closing_refs.py, along with the shared helper/test files in the stacked branch.

The source argument validation now rejects empty and whitespace-only --input/--repo values before live execution, and the valid fixture/live/fix paths remain bounded to the intended maintenance-script behavior.

Validation checked: GitHub CI Quality, readiness, docs, and image checks passed on run 28349494898; CodeRabbit status is success on this head. I did not find a remaining blocker for the scoped #1145 change.

@yanyishuai

Author

@qingfeng312 Approval noted for #1145 — head 646ebac1d9f6 still passes the full quality gate.

The source-validation hardening is merge-ready whenever maintainers have bandwidth.

@yanyishuai

Author

@qingfeng312 Follow-up on #1145 — source-validation hardening is still green on 646ebac1d9f6 with your approval.

Ready to merge whenever maintainers have bandwidth.

Development

Successfully merging this pull request may close these issues.

Proposed work: harden source validation in live bounty checker scripts

2 participants