fix: resolve CodeQL security issues and pre-commit hook violations

🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>

src/gitingest/__main__.py

@@ -165,18 +165,27 @@ async def _async_main(
  output : str | None
  The path where the output file will be written (default: ``digest.txt`` in current directory).
  Use ``"-"`` to write to ``stdout``.
+ mcp_server : bool
+ If ``True``, starts the MCP (Model Context Protocol) server instead of normal operation (default: ``False``).
 
  Raises
  ------
  click.Abort
  Raised if an error occurs during execution and the command must be aborted.
+ click.ClickException
+ Raised if MCP server dependencies are not installed when MCP mode is requested.
 
  """
  # Check if MCP server mode is requested
  if mcp_server:
- from gitingest.mcp_server import start_mcp_server
-
- await start_mcp_server()
+ # Dynamic import to avoid circular imports and optional dependency
+ try:
+ from gitingest.mcp_server import start_mcp_server
+
+ await start_mcp_server()
+ except ImportError as e:
+ msg = f"MCP server dependencies not installed: {e}"
+ raise click.ClickException(msg) from e
  return
 
  try:

src/gitingest/entrypoint.py

@@ -7,7 +7,6 @@
 import shutil
 import stat
 import sys
-from collections.abc import AsyncGenerator, Callable
 from contextlib import asynccontextmanager
 from pathlib import Path
 from typing import TYPE_CHECKING
@@ -25,6 +24,7 @@
 from gitingest.utils.query_parser_utils import KNOWN_GIT_HOSTS
 
 if TYPE_CHECKING:
+ from collections.abc import AsyncGenerator, Callable
  from types import TracebackType
 
  from gitingest.schemas import IngestionQuery

src/gitingest/mcp_server.py

@@ -2,8 +2,7 @@
 
 from __future__ import annotations
 
-from collections.abc import Sequence
-from typing import Any
+from typing import TYPE_CHECKING, Any
 
 from mcp.server import Server
 from mcp.server.stdio import stdio_server
@@ -12,6 +11,9 @@
 from gitingest.entrypoint import ingest_async
 from gitingest.utils.logging_config import get_logger
 
+if TYPE_CHECKING:
+ from collections.abc import Sequence
+
 # Initialize logger for this module
 logger = get_logger(__name__)
 
@@ -86,7 +88,7 @@ async def call_tool(name: str, arguments: dict[str, Any]) -> Sequence[TextConten
  return await _handle_ingest_repository(arguments)
  return [TextContent(type="text", text=f"Unknown tool: {name}")]
  except Exception as e:
- logger.error(f"Error in tool call {name}: {e}", exc_info=True)
+ logger.exception("Error in tool call %s", name)
  return [TextContent(type="text", text=f"Error executing {name}: {e!s}")]
 
 
@@ -144,17 +146,17 @@ async def _handle_ingest_repository(arguments: dict[str, Any]) -> Sequence[TextC
  return [TextContent(type="text", text=response_content)]
 
  except Exception as e:
- logger.error(f"Error during ingestion: {e}", exc_info=True)
+ logger.exception("Error during ingestion")
  return [TextContent(type="text", text=f"Error ingesting repository: {e!s}")]
 
 
-async def start_mcp_server():
+async def start_mcp_server() -> None:
  """Start the MCP server with stdio transport."""
  logger.info("Starting Gitingest MCP server with stdio transport")
  await _run_stdio()
 
 
-async def _run_stdio():
+async def _run_stdio() -> None:
  """Run the MCP server with stdio transport."""
  async with stdio_server() as (read_stream, write_stream):
  await app.run(

src/gitingest/utils/compat_func.py

@@ -1,6 +1,5 @@
 """Compatibility functions for Python 3.8."""
 
-import os
 from pathlib import Path
 
 
@@ -20,7 +19,7 @@ def readlink(path: Path) -> Path:
  The target of the symlink.
 
  """
- return Path(os.readlink(path))
+ return Path(path).readlink()
 
 
 def removesuffix(s: str, suffix: str) -> str:

src/gitingest/utils/git_utils.py

@@ -6,7 +6,6 @@
 import base64
 import re
 import sys
-from collections.abc import Generator, Iterable
 from contextlib import contextmanager
 from pathlib import Path
 from typing import TYPE_CHECKING, Final
@@ -19,6 +18,8 @@
 from gitingest.utils.logging_config import get_logger
 
 if TYPE_CHECKING:
+ from collections.abc import Generator, Iterable
+
  from gitingest.schemas import CloneConfig
 
 # Initialize logger for this module
@@ -221,7 +222,6 @@ async def fetch_remote_branches_or_tags(url: str, *, ref_type: str, token: str |
  git_cmd = git.Git()
 
  # Prepare environment with authentication if needed
- env = None
  if token and is_github_host(url):
  auth_url = _add_token_to_url(url, token)
  url = auth_url
@@ -266,6 +266,11 @@ def create_git_repo(local_path: str, url: str, token: str | None = None) -> git.
  git.Repo
  A GitPython Repo object configured with authentication.
 
+ Raises
+ ------
+ ValueError
+ If the provided local_path is not a valid git repository.
+
  """
  try:
  repo = git.Repo(local_path)
@@ -552,8 +557,6 @@ def _add_token_to_url(url: str, token: str) -> str:
  The URL with embedded authentication.
 
  """
- from urllib.parse import urlparse, urlunparse
-
  parsed = urlparse(url)
  # Add token as username in URL (GitHub supports this)
  netloc = f"x-oauth-basic:{token}@{parsed.hostname}"