
February 12: CodeQL Cleanup and Going Public

A marathon session: 10 pull requests merged (4 features, 5 fixes, 1 maintenance). Security hardening across the stack.

Developer Journal

Shared the repo publicly with a friend for the first time — explained the whole stack (MAST portal search, FITS mosaics, compositing pipeline) and the tooling landscape: Claude Code for the hardcore TUI experience, Codex for the user-friendly extreme, OpenCode for open-weight models. Growing opinion that "vibe coding" and "agentic software engineering" are fundamentally different things, even though the tools are converging.

Discovered the superpowers repo — a collection of Claude Code skills for exactly the kind of guardrails that had been built from scratch over the past month. Could have saved time, but the learning was worth it. The good parts of that ecosystem (subagents, agent teams) are now getting folded into the tools natively.

[Screenshot: terminal output showing an OOM crash when mosaicing mixed MIRI and NIRCam images, with an explanation of the downscaling fix]

[Screenshot: GitHub PR list showing merged PRs for dark theme, composite channels, and multi-image support]

[Screenshot: GitHub diff stats showing +41 lines added and -666 lines removed]

Migrating tech debt tracking to GitHub Issues — the repo going public forced the move, which was always the plan anyway. Improved the pre-commit hook ordering so PR standards validation runs before GitHub can send notification emails. In the AI channel, GPT 5.3 Codex Spark dropped — noted that faster models have a clear role as subagents under a lead that knows when speed trumps depth.

Highlights

#290 resolve 20 CodeQL security alerts (path traversal & sanitization)

Resolve all 20 open CodeQL security alerts: 19 "Uncontrolled data used in path expression" (path traversal) and 1 "Incomplete multi-character sanitization."

CodeQL identified 20 open security alerts. Two are real vulnerabilities (obs_id path traversal in Python routes, observationBaseId path traversal in C# delete endpoints). The remaining 18 are defense-...
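As an added illustration of the two alert classes named above (not the project's own code): a single-pass `replace` of the kind CodeQL reports as incomplete multi-character sanitization, the sibling-directory gap of a bare `startswith` prefix check, and an allow-list plus containment check for an `obs_id` route parameter. The data root and the identifier character set are assumptions.

```python
import os
import re
from pathlib import Path

# Constructed data root for the example; the project's real path is not on the page.
DATA_ROOT = Path("/srv/fits/observations")

# Allow-list for the identifier itself: no separators, no dots, bounded length.
# The exact character set is an assumption, not the project's rule.
_OBS_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def naive_strip_dotdot(obs_id: str) -> str:
    """The pattern behind 'Incomplete multi-character sanitization' alerts.
    A single pass removes one '../' but leaves the nested form
    '....//' as '../', so the traversal survives.
    """
    return obs_id.replace("../", "")


def bare_prefix_check(root: str, candidate: str) -> bool:
    """Containment via plain str.startswith without a trailing separator.
    Accepts a sibling directory whose name merely extends the root name,
    e.g. '/srv/fits/observations-old' for root '/srv/fits/observations'.
    """
    return candidate.startswith(root)


def resolve_observation_path(obs_id: str, root: Path = DATA_ROOT) -> Path:
    """Map obs_id to a file path that is provably inside root.
    Layer 1 rejects anything that is not a bare identifier.
    Layer 2 normalizes the joined path and checks containment with
    os.path.commonpath, which does not have the sibling-directory gap
    of bare_prefix_check. Raises ValueError on rejection.
    """
    if not _OBS_ID_RE.fullmatch(obs_id):
        raise ValueError(f"invalid obs_id: {obs_id!r}")
    root = root.resolve()
    candidate = (root / obs_id).resolve()
    if os.path.commonpath([root, candidate]) != str(root):
        raise ValueError(f"obs_id escapes data root: {obs_id!r}")
    return candidate


def is_safe_obs_id(obs_id: str, root: Path = DATA_ROOT) -> bool:
    """Boolean wrapper for use in a route handler."""
    try:
        resolve_observation_path(obs_id, root)
    except ValueError:
        return False
    return True
```

Layer 2 is redundant once layer 1 holds, which is the defense-in-depth role the remaining alerts play: it keeps the route safe even if the identifier rule is later loosened.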

#248 resolve analyzer warnings in MosaicService

  • Fixes 5 C# analyzer warnings in MosaicService that cause --warnaserror build failures

The compliance check (dotnet build --warnaserror) was failing with CA1859, CA1822, CA1848, and SA1204 warnings treated as errors. These were pre-existing issues in MosaicService that surfaced during...

What Changed

Features (4)

  • #244 support multiple images per RGB composite channel
  • #245 multi-image composite channels with fast preview downscaling
  • #247 dark theme, CSS design tokens, and cascading dashboard filters
  • #249 client-side caching for What's New panel

Bug Fixes (5)

  • #248 resolve analyzer warnings in MosaicService
  • #290 resolve 20 CodeQL security alerts (path traversal & sanitization)
  • #291 resolve 16 CodeQL py/path-injection alerts with startswith sanitizer
  • #292 resolve remaining 12 CodeQL py/path-injection alerts
  • #293 remove default credentials from docker-compose.yml

Maintenance (1)

  • #289 migrate tech debt & bug tracking to GitHub Issues

Issues

Opened:

  • #250 — Proper Job Queue for Background Tasks
  • #251 — FITS TypeScript Interfaces
  • #252 — Add API Documentation (OpenAPI/Swagger)
  • #253 — Add Demo Mode / Sample Data
  • #254 — Add Browser/Environment Compatibility Documentation
  • #255 — Re-enable CodeQL Security Analysis
  • #256 — Configure Structured Logging (JSON)
  • #257 — Set up MCP Servers
  • #258 — Configure Husky Git Hooks
  • #259 — Generate and Host OpenAPI Spec
  • #260 — Add JWST GWCS Support for WCS Coordinates
  • #261 — Split Large Documentation Files to Reduce Context Window Usage
  • #262 — Refresh Tokens Stored in Plaintext
  • #263 — SA1402 — File May Only Contain Single Type
  • #264 — SA1649 — File Name Should Match First Type Name
  • #265 — CA1805 — Don't Initialize to Default Value
  • #266 — SA1316 — Tuple Element Names Should Use Correct Casing
  • #267 — SA1500 — Braces Should Not Share Line
  • #268 — SA1117 — Parameters on Same or Separate Lines
  • #269 — SA1116 — Split Parameters Should Start After Declaration
  • #270 — SA1113 — Comma on Same Line as Previous Parameter
  • #271 — SA1001 — Commas Should Be Spaced Correctly
  • #272 — Incomplete Downloads Panel UX Improvements
  • #273 — Require PR Approving Reviews on Branch Protection
  • #274 — Add Test Coverage — Frontend & Processing Engine
  • #275 — Add Application Logging and Monitoring Hooks
  • #276 — Add Docker Image Publishing
  • #277 — Create Release Process and Changelog
  • #278 — Enable GitHub Branch Protection on Main
  • #279 — Revisit Export Filename Pattern
  • #280 — Environment Variables with Credentials
  • #281 — No Network Isolation Between Services
  • #282 — Missing CSRF Protection
  • #283 — Overly Permissive TypeScript Types
  • #284 — Expand Desktop Requirements to Implementation-Ready Specification
  • #285 — Streamline Documentation-Only PR Workflow
  • #286 — E2E Export Tests Skipped — No Seed Data in CI
  • #287 — Optimize CodeQL CI with Path Filtering and Caching
  • #288 — Composite Preview Performance — Architecture Rework

Closed:

  • #280 — Environment Variables with Credentials

14 commits across 10 pull requests. Next: February 13, 2026 — enable E2E export tests with seed data and auth fl..., add issue link prompt to PR template, add automatic FITS thumbnail generation for dashbo...