Fix SonarCloud issues: vulnerabilities, bugs, and code smells

- Fix BLOCKER BUG: wrong keyword arg in generate_flow route (format→fmt)
- Fix BLOCKER: Use Annotated type hints for all FastAPI query params
- Fix CRITICAL VULN: Cap loop bounds in ego() and trace_impact() (max 10)
- Fix MAJOR BUG: Remove duplicate if/else branches in GraphQuery
- Fix MAJOR BUG: Remove redundant regex alternatives in django_models, session_header_auth
- Fix duplicate string literals (micronaut, quarkus, flow/views)
- Fix unused variables (5 detectors + cli)
- Fix regex issues (fastapi_auth, session_header_auth, scala, renderer)
- Remove commented-out code in python_structures
- Document HTTPException responses in routes
- Fix remaining code-intelligence references to osscodeiq

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: aksOps

src/osscodeiq/cli.py

@@ -1,4 +1,4 @@
-"""CLI entry point for code-intelligence."""
+"""CLI entry point for OSSCodeIQ."""
 
 from __future__ import annotations
 
@@ -17,12 +17,16 @@
 )
 console = Console()
 
+_GRAPH_DIR_NAME = ".code-intelligence"
+_KUZU_DB_NAME = "graph.kuzu"
+_SQLITE_DB_NAME = "graph.db"
+
 
 def _get_version() -> str:
     """Get package version from metadata."""
     try:
         from importlib.metadata import version
-        return version("code-intelligence")
+        return version("osscodeiq")
     except Exception:
         return "0.1.0"
 
@@ -63,11 +67,11 @@ def analyze(
     cfg.analysis.incremental = incremental
     cfg.graph.backend = backend
     if backend in ("kuzu", "sqlite"):
-        graph_dir = path.resolve() / ".code-intelligence"
+        graph_dir = path.resolve() / _GRAPH_DIR_NAME
         if backend == "kuzu":
-            cfg.graph.path = str(graph_dir / "graph.kuzu")
+            cfg.graph.path = str(graph_dir / _KUZU_DB_NAME)
         elif backend == "sqlite":
-            cfg.graph.path = str(graph_dir / "graph.db")
+            cfg.graph.path = str(graph_dir / _SQLITE_DB_NAME)
 
     console.print("🚀 Starting analysis…")
     analyzer = Analyzer(cfg)
@@ -145,7 +149,7 @@ def graph(
     cache_path = path.resolve() / cfg.cache.directory / cfg.cache.db_name
 
     if not cache_path.exists():
-        console.print("❌ No analysis cache found. Run 'code-intelligence analyze' first.")
+        console.print("❌ No analysis cache found. Run 'osscodeiq analyze' first.")
         raise typer.Exit(1)
 
     console.print("💾 Loading analysis cache…")
@@ -229,7 +233,7 @@ def query(
     cache_path = path.resolve() / cfg.cache.directory / cfg.cache.db_name
 
     if not cache_path.exists():
-        console.print("❌ No analysis cache found. Run 'code-intelligence analyze' first.")
+        console.print("❌ No analysis cache found. Run 'osscodeiq analyze' first.")
         raise typer.Exit(1)
 
     console.print("💾 Loading analysis cache…")
@@ -302,7 +306,7 @@ def cache(
             console.print("⚠️  No cache found.")
     elif action == "stats":
         if not cache_path.exists():
-            console.print("⚠️  No cache found. Run 'code-intelligence analyze' first.")
+            console.print("⚠️  No cache found. Run 'osscodeiq analyze' first.")
             return
         console.print("📊 Loading cache statistics…")
         from osscodeiq.cache.store import CacheStore
@@ -362,11 +366,11 @@ def bundle(
     cfg.graph.backend = backend
 
     # Set default path for file-based backends
-    graph_dir = path.resolve() / ".code-intelligence"
+    graph_dir = path.resolve() / _GRAPH_DIR_NAME
     if backend == "kuzu":
-        cfg.graph.path = str(graph_dir / "graph.kuzu")
+        cfg.graph.path = str(graph_dir / _KUZU_DB_NAME)
     elif backend == "sqlite":
-        cfg.graph.path = str(graph_dir / "graph.db")
+        cfg.graph.path = str(graph_dir / _SQLITE_DB_NAME)
 
     # Run analysis
     from osscodeiq.analyzer import Analyzer
@@ -432,17 +436,17 @@ def _load_graph_backend(path: Path, backend: str, config: Path | None = None):
     """Load a graph backend from a previously analyzed project."""
     from osscodeiq.graph.backends import create_backend
 
-    graph_dir = path.resolve() / ".code-intelligence"
+    graph_dir = path.resolve() / _GRAPH_DIR_NAME
     if backend == "kuzu":
-        db_path = str(graph_dir / "graph.kuzu")
+        db_path = str(graph_dir / _KUZU_DB_NAME)
     elif backend == "sqlite":
-        db_path = str(graph_dir / "graph.db")
+        db_path = str(graph_dir / _SQLITE_DB_NAME)
     else:
         # NetworkX ��� load from cache
         cfg = _load_config(config)
         cache_path = path.resolve() / cfg.cache.directory / cfg.cache.db_name
         if not cache_path.exists():
-            console.print("No analysis cache found. Run 'code-intelligence analyze' first.")
+            console.print("No analysis cache found. Run 'osscodeiq analyze' first.")
             raise typer.Exit(1)
         from osscodeiq.cache.store import CacheStore
         cache = CacheStore(cache_path)
@@ -451,7 +455,7 @@ def _load_graph_backend(path: Path, backend: str, config: Path | None = None):
 
     from pathlib import Path as P
     if not P(db_path).exists():
-        console.print(f"No graph database found at {db_path}. Run 'code-intelligence analyze --backend {backend}' first.")
+        console.print(f"No graph database found at {db_path}. Run 'osscodeiq analyze --backend {backend}' first.")
         raise typer.Exit(1)
 
     from osscodeiq.graph.store import GraphStore
@@ -624,7 +628,7 @@ def _flow_fallback(store, node_id: str | None, hops: int) -> list[dict]:
     visited: set[str] = set()
     frontier = {node_id}
     results = []
-    for depth in range(1, hops + 1):
+    for _ in range(1, hops + 1):
         next_frontier: set[str] = set()
         for nid in frontier:
             for neighbor in store.neighbors(nid, direction="out"):
@@ -700,7 +704,7 @@ def serve(
     import uvicorn
     from osscodeiq.server.app import create_app
 
-    console.print(f"[bold]OSSCodeIQ Server[/bold]")
+    console.print("[bold]OSSCodeIQ Server[/bold]")
     console.print(f"  Codebase: {path.resolve()}")
     console.print(f"  Backend:  {backend}")
     console.print(f"  API docs: http://{host}:{port}/docs")

src/osscodeiq/detectors/auth/session_header_auth.py

@@ -29,7 +29,7 @@ class _PatternDef:
 
 # -- Header patterns --
 _HEADER_PATTERNS: list[_PatternDef] = [
-    _PatternDef(re.compile(r"""['"](X-API-Key|x-api-key)['"]""", re.IGNORECASE), "header", NodeKind.GUARD),
+    _PatternDef(re.compile(r"""['"]X-API-Key['"]""", re.IGNORECASE), "header", NodeKind.GUARD),
     _PatternDef(
         re.compile(r"""(?:req|request|ctx)\.headers?\s*\[\s*['"]authorization['"]\s*\]""", re.IGNORECASE),
         "header",
@@ -49,8 +49,8 @@ class _PatternDef:
         "api_key",
         NodeKind.GUARD,
     ),
-    _PatternDef(re.compile(r"\bapi[_-]?key\s*(?:=|:)\s*", re.IGNORECASE), "api_key", NodeKind.GUARD),
-    _PatternDef(re.compile(r"\bvalidate[_]?api[_]?key\b", re.IGNORECASE), "api_key", NodeKind.GUARD),
+    _PatternDef(re.compile(r"\bapi[_-]?key\s*[=:]\s*", re.IGNORECASE), "api_key", NodeKind.GUARD),
+    _PatternDef(re.compile(r"\bvalidate_?api_?key\b", re.IGNORECASE), "api_key", NodeKind.GUARD),
 ]
 
 # -- CSRF patterns --

src/osscodeiq/detectors/csharp/csharp_minimal_apis.py

@@ -129,8 +129,6 @@ def detect(self, ctx: DetectorContext) -> DetectorResult:
             lifetime = m.group(1)
             interface_name = m.group(2)
             impl_name = m.group(3)  # May be None for single-type registrations
-            line_num = find_line_number(text, m.start())
-
             if impl_name:
                 result.edges.append(GraphEdge(
                     source=f"dotnet:*:{impl_name}",

src/osscodeiq/detectors/java/micronaut.py

@@ -22,6 +22,9 @@
 _INJECT_RE = re.compile(r"@Inject\b")
 _SCHEDULED_RE = re.compile(r'@Scheduled\s*\(\s*fixedRate\s*=\s*"([^"]+)"')
 _EVENT_LISTENER_RE = re.compile(r"@EventListener\b")
+_INJECT = "@Inject"
+_EVENT_LISTENER = "@EventListener"
+
 _CLASS_RE = re.compile(r"(?:public\s+)?class\s+(\w+)")
 _JAVA_METHOD_RE = re.compile(
     r"(?:public|protected|private)?\s*(?:static\s+)?(?:[\w<>\[\],\s]+)\s+(\w+)\s*\("
@@ -51,9 +54,9 @@ def detect(self, ctx: DetectorContext) -> DetectorResult:
                 "@Prototype",
                 "@Infrastructure",
                 "@Client",
-                "@Inject",
+                _INJECT,
                 "@Scheduled",
-                "@EventListener",
+                _EVENT_LISTENER,
                 "io.micronaut",
             )
         ):
@@ -198,11 +201,11 @@ def detect(self, ctx: DetectorContext) -> DetectorResult:
                     GraphNode(
                         id=node_id,
                         kind=NodeKind.MIDDLEWARE,
-                        label="@Inject",
+                        label=_INJECT,
                         fqn=f"{class_name}.inject" if class_name else "inject",
                         module=ctx.module_name,
                         location=SourceLocation(file_path=ctx.file_path, line_start=lineno),
-                        annotations=["@Inject"],
+                        annotations=[_INJECT],
                         properties={"framework": "micronaut"},
                     )
                 )
@@ -233,11 +236,11 @@ def detect(self, ctx: DetectorContext) -> DetectorResult:
                     GraphNode(
                         id=node_id,
                         kind=NodeKind.EVENT,
-                        label="@EventListener",
+                        label=_EVENT_LISTENER,
                         fqn=f"{class_name}.eventListener" if class_name else "eventListener",
                         module=ctx.module_name,
                         location=SourceLocation(file_path=ctx.file_path, line_start=lineno),
-                        annotations=["@EventListener"],
+                        annotations=[_EVENT_LISTENER],
                         properties={"framework": "micronaut"},
                     )
                 )

src/osscodeiq/detectors/java/quarkus.py

@@ -23,6 +23,8 @@
 _SCHEDULED_RE = re.compile(r'@Scheduled\s*\(\s*(?:every|cron)\s*=\s*"([^"]+)"')
 _TRANSACTIONAL_RE = re.compile(r"@Transactional\b")
 _STARTUP_RE = re.compile(r"@Startup\b")
+_TRANSACTIONAL = "@Transactional"
+
 _CLASS_RE = re.compile(r"(?:public\s+)?class\s+(\w+)")
 
 
@@ -46,7 +48,7 @@ def detect(self, ctx: DetectorContext) -> DetectorResult:
                 "@ApplicationScoped",
                 "@RequestScoped",
                 "@Scheduled",
-                "@Transactional",
+                _TRANSACTIONAL,
                 "@Startup",
                 "io.quarkus",
             )
@@ -145,11 +147,11 @@ def detect(self, ctx: DetectorContext) -> DetectorResult:
                     GraphNode(
                         id=node_id,
                         kind=NodeKind.MIDDLEWARE,
-                        label="@Transactional",
+                        label=_TRANSACTIONAL,
                         fqn=f"{class_name}.transactional" if class_name else "transactional",
                         module=ctx.module_name,
                         location=SourceLocation(file_path=ctx.file_path, line_start=lineno),
-                        annotations=["@Transactional"],
+                        annotations=[_TRANSACTIONAL],
                         properties={"framework": "quarkus"},
                     )
                 )

src/osscodeiq/detectors/python/django_auth.py

@@ -113,7 +113,6 @@ def detect(self, ctx: DetectorContext) -> DetectorResult:
             for base in bases:
                 if base in _AUTH_MIXINS:
                     line = _line_number(text, m.start())
-                    pattern_name = _AUTH_MIXINS[base]
                     result.nodes.append(GraphNode(
                         id=f"auth:{ctx.file_path}:{base}:{line}",
                         kind=NodeKind.GUARD,

src/osscodeiq/detectors/python/django_models.py

@@ -16,7 +16,7 @@ class DjangoModelDetector:
     supported_languages: tuple[str, ...] = ("python",)
 
     _DJANGO_MODEL_RE = re.compile(
-        r"^class\s+(\w+)\s*\(\s*(?:models\.Model|[\w.]*Model)\s*\)", re.MULTILINE
+        r"^class\s+(\w+)\s*\(\s*[\w.]*Model\s*\)", re.MULTILINE
     )
     _FK_RE = re.compile(
         r"(\w+)\s*=\s*models\.(?:ForeignKey|OneToOneField)\s*\(\s*[\"']?(\w+)",
@@ -29,7 +29,7 @@ class DjangoModelDetector:
     _META_TABLE_RE = re.compile(r"db_table\s*=\s*[\"'](\w+)[\"']")
     _META_ORDERING_RE = re.compile(r"ordering\s*=\s*(\[.*?\])")
     _MANAGER_RE = re.compile(
-        r"^class\s+(\w+)\s*\(\s*(?:models\.Manager|[\w.]*Manager)\s*\)", re.MULTILINE
+        r"^class\s+(\w+)\s*\(\s*[\w.]*Manager\s*\)", re.MULTILINE
     )
     _MANAGER_ASSIGNMENT_RE = re.compile(r"(\w+)\s*=\s*(\w+)\s*\(\s*\)", re.MULTILINE)
 

src/osscodeiq/detectors/python/fastapi_auth.py

@@ -10,7 +10,7 @@
 
 # Depends(get_current_user) or Depends(get_current_active_user) etc.
 _DEPENDS_AUTH_RE = re.compile(
-    r'Depends\(\s*(get_current[_\w]*|require_auth[_\w]*|auth[_\w]*)\s*\)'
+    r'Depends\(\s*(get_current[\w]*|require_auth[\w]*|auth[\w]*)\s*\)'
 )
 
 # Security(oauth2_scheme) or Security(some_auth_scheme, scopes=[...])

src/osscodeiq/detectors/python/kafka_python.py

@@ -161,7 +161,6 @@ def _ensure_topic(topic: str, role: str, line: int) -> str:
 
         # Detect imports -> IMPORTS edges
         for i, line in enumerate(lines):
-            lineno = i + 1
             m = _IMPORT_RE.search(line)
             if m:
                 lib = m.group(1)

src/osscodeiq/detectors/python/python_structures.py

@@ -199,15 +199,13 @@ def detect(self, ctx: DetectorContext) -> DetectorResult:
             from_module = m.group(1)
             import_names = m.group(2)
             if from_module:
-                # from X import Y, Z
                 result.edges.append(GraphEdge(
                     source=file_node_id,
                     target=from_module,
                     kind=EdgeKind.IMPORTS,
                     label=f"{fp} imports {from_module}",
                 ))
             else:
-                # import X, Y
                 for name in import_names.split(","):
                     name = name.strip()
                     if name: