PR4: activate CI, OIDC publish, User Guide

[rfrenchseti]

Summary

This branch is the second half of the rms-picmaker modernization. It
sits on top of picmaker_rewrite (which split the 3,493-line god module
into per-concern leaves) and finishes the job: turns on every quality
gate that was scaffolded but left off, makes the test suite enforce
≥90% coverage, switches PyPI publishing to OIDC, fills out the User
Guide and Developer Guide, and applies a modernization pass over the
remaining legacy hot spots in the package.

96 files changed; +6,409 / −816.

Closes #10 (grayscale rescale=True was ignored by pil_to_array for 'L' mode PIL images).

Source modernization

• New picmaker.options.PicmakerOptions — centralizes the ~45
  CLI/library knobs and their mutex / value-validity invariants in one
  dataclass. Both cli._normalize_and_validate and
  pipeline.images_to_pics build a PicmakerOptions from their kwargs
  and call .validate(), so the CLI and the library agree on every
  rule.
• Strict typing across the package — mypy --strict is clean on
  both src/ and tests/. io.py in particular replaces the legacy
  Any surface with concrete unions: str | Sequence[str | os.PathLike[str]] for multi-file inputs, an ObjectSelector alias
  (int | str | list[…] | tuple[…] | None) for PDS / FITS object
  selection, NDArray[Any] returns where the dtype genuinely varies,
  and a ReadResult NamedTuple replacing the bare 3-tuple. The
  reader cascade chains every per-format failure into an
  ExceptionGroup on the final OSError so callers can inspect what
  each branch rejected.
• Decomposed pipeline — io.py / enhance.py / geometry.py /
  pipeline.py / cli.py / pil_utils.py / colornames.py /
  tiff16.py and the instruments/ subpackage now follow the
  coding-standards rules in .cursor/rules/python_best_practices.mdc
  (line length 100, Google-style docstrings, pathlib over
  os.path, no mutable defaults, raise-from on chained exceptions,
  __all__ + py.typed).
• Bug fixes verified by new tests: corrected grayscale rescale
  handling in the PIL bridge, fixed the Windows-separator bug in
  find_common_path, hardened the PDS3 reader to iterate
  label.dict directly, repaired error-cause chaining in the reader
  cascade, and tightened color-name parsing.
• Python policy: minimum Python raised from 3.10 → 3.11; ruff
  target-version = "py311"; classifiers and CI matrix updated.

Test suite

• 472 tests, ≥90% coverage gate. pyproject.toml ratchets
  fail_under from 0 → 90. The full suite runs in ~10s under
  pytest-xdist.
• New per-module branch coverage tests for every leaf module
  (test_cli_unit.py, test_io_cascade.py, test_io_extra.py,
  test_pipeline.py, test_pipeline_branches.py,
  test_enhance_branches.py, test_geometry_branches.py,
  test_pil_utils_branches.py, test_filters_branches.py,
  test_tiff16_branches.py, test_instruments_branches.py,
  test_pds3_reader.py, test_pds3_reader_branches.py,
  test_package_init.py) plus targeted regression tests for the
  bug fixes listed above.
• Doc-drift gate — test_user_guide_documents_every_cli_flag
  diffs tests/fixtures/.baseline-flags.txt against
  docs/user_guide.rst; adding a CLI flag without documenting it
  fails CI.
• Warning policy — filterwarnings = ["error", …] in
  pyproject.toml surfaces unexpected runtime warnings as test
  failures, with a single targeted ignore:: entry for Pillow 12's
  Image.Image.getdata deprecation (tracked in Adopt pytest filterwarnings = ['error']; track Pillow get_flattened_data migration #9).

CI and release

• .github/workflows/run-tests.yml turned back on for
  pull_request / push / weekly schedule / workflow_dispatch.
  • Lint job: ruff check, mypy src tests, bandit, vulture,
    sphinx-build -W, pymarkdown scan, and pip-audit . (the dotted
    form scans the project's declared deps through pyproject
    resolution, not the runner's own pip).
  • Test job matrix: ubuntu-latest, macos-latest,
    windows-latest × Python 3.11, 3.12, 3.13.
  • Snapshot freshness check (generate_snapshots.py + git diff --exit-code) runs on ubuntu-latest + 3.13 to catch fixture
    drift.
  • Codecov upload on ubuntu-latest + 3.13 only, skipped on
    forks.
• OIDC PyPI publishing —
  .github/workflows/publish_to_pypi.yml and
  publish_to_test_pypi.yml add permissions: id-token: write,
  drop the password: ${{ secrets.…_API_TOKEN }} lines, and bind each
  job to its GitHub Environment (pypi / testpypi).
  • ⚠️ Release blocker. The workflows fail with
    invalid-publisher until the trusted publisher is configured on
    the PyPI side. CONTRIBUTING.md / the Developer Guide releasing
    page have the PyPI + TestPyPI + GitHub Environments setup steps.

Documentation

• User Guide (docs/user_guide.rst) — twelve sections covering
  overview, installation (pip and pipx), quick start, command-line
  reference (one bullet list per --help group), supported input
  formats, supported instruments and filters (Cassini ISS, Voyager
  ISS, Galileo SSI, HST WFC3/ACS/WFPC2/NICMOS, New Horizons MVIC),
  output formats, enhancement and geometry pipelines, the
  --versions FILE form, programmatic usage, and a troubleshooting
  reference. Written for end users; intentionally free of code-level
  references (no module paths, function names, exception types, or
  return-value shapes).
• Developer Guide (docs/developer_guide.rst + docs/dev/) —
  six per-concern pages: repository overview (with the development
  environment setup recipe — clone, venv at ./venv, pip install -e ".[dev]", bash scripts/run-all-checks.sh), module-by-module
  description, pipeline walk-through with a client-side Mermaid SVG
  flowchart, test-suite guide, adding-an-instrument tutorial, and
  release process.
• Module reference (docs/module.rst) — top-level Public API
  section (autofunction / autoclass for every name in
  picmaker.__all__, organized by topic) above the leaf-module
  sections, which remain the authoritative per-symbol source.
• docs/conf.py — Mermaid configured with
  mermaid_output_format = 'raw' so the pipeline diagram is rendered
  client-side as inline SVG (natively zoomable, no mmdc binary
  required for CI or ReadTheDocs).

Test plan

• bash scripts/run-all-checks.sh -s clean (ruff, mypy, pytest,
  pyroma, bandit, vulture, sphinx -W, pymarkdown).
• pytest reports 472 passed.
• coverage report ≥ 90% (gate enforced by
  tool.coverage.report.fail_under = 90).
• sphinx-build -W -b html docs docs/_build succeeds with the
  User Guide, Developer Guide, and Module reference all wired in.
• pip-audit . clean against project deps.
• CI matrix passes on Linux / macOS / Windows × Python 3.11 /
  3.12 / 3.13.
• Manual (post-merge): configure trusted publisher on PyPI
  and TestPyPI per the Developer Guide's releasing page before
  tagging the first OIDC-published release.
• Manual (post-setup): trigger publish_to_test_pypi.yml and
  confirm OIDC upload succeeds without TEST_PYPI_API_TOKEN.

🤖 Generated with Claude Code

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Raises Python to 3.11, migrates PyPI/TestPyPI publishing to OIDC trusted publishers, expands CI matrix and linting, centralizes option validation via PicmakerOptions, refactors I/O (ReadResult and PDS3 handling) and pipeline filter rename, rewrites TIFF16 read/write, hardens color/PIL utilities, expands Sphinx docs, and adds broad tests.

Changes

Unified project-wide update

Layer / File(s)	Summary
CI, packaging, Python baseline .github/workflows/*, pyproject.toml, CONTRIBUTING.md, .cursor/rules/*	Publish workflows migrated to OIDC (environment: pypi/testpypi, id-token: write), lint job and matrix added to run-tests, Python baseline raised to >=3.11, and tooling/coverage gates tightened.
Core option model and API rename src/picmaker/options.py, src/picmaker/pipeline.py, src/picmaker/cli.py, src/picmaker/__init__.py, src/picmaker/picmaker.py	Adds PicmakerOptions dataclass with validate(), pipeline and CLI construct/use it, renames filter→filter_name, and updates re-exports.
I/O refactor and contracts src/picmaker/io.py, tests/test_io*, tests/test_pds3_*	Introduce ReadResult/FilterInfo, typed returns, exception-accumulating reader cascade using ExceptionGroup as cause, tolerant PDS3 parsing with sibling-label probing, and add cascade/PDS3 tests.
TIFF16 implementation & PIL utilities src/picmaker/tiff16.py, src/picmaker/pil_utils.py, tests/test_tiff16*, tests/test_pil_utils_branches.py	Rewrite WriteTiff16/ReadTiff16 with validated header/IFD handling, endian/mode/transpose/up semantics; _one_pil_to_array honors rescale for 'L'; un-xfail palette tests and add branch tests.
Color parsing and hardening src/picmaker/colornames.py, related tests	Harden ColorNames.lookup to use ast.literal_eval, strict regex full-match, typed ClassVars, and add negative-security tests for RGB parsing.
Docs and Sphinx config docs/*, docs/conf.py, tests/fixture_recipes/*	Add user and developer guides, pipeline/module docs and diagrams, update conf.py (intersphinx, nitpicky ignores, static path), add releasing docs for Trusted Publishers, and add thumbnail generator script.
Tests and test wiring tests/*	Large additions and updates: CLI unit tests, many branch tests for geometry/enhance/io/pds3/tiff/pil/instruments/pipeline, import-path fixes to top-level package, and new package-init smoke test.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

• SETI/rms-picmaker#7 — Continues prior core decomposition and export refactors that this PR extends.
• SETI/rms-picmaker#4 — Earlier workflow and packaging changes; this PR updates publish workflows to OIDC.
• SETI/rms-picmaker#6 — Overlaps on TIFF16 implementation and test coverage additions.

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/user_guide.rst`:
- Around line 279-283: Replace British spelling "colour/coloured" with American
"color/colored" in the user-facing docs for the pad options and any related
descriptions: update the block documenting ``--pad-color``, the ``pad_color``
field, the default ``'black'``, and the phrase "Padding fill colour (any X11
name from :class:`picmaker.colornames.ColorNames` or ``#RRGGBB``)" to use
"color" instead of "colour"; apply the same change at the other mentioned
occurrences (around lines 324-327, 397-408, 632-633) so all user-visible text
consistently uses American spelling.
- Around line 475-499: Replace inline code literals with Sphinx cross-reference
roles throughout the paragraph: change occurrences like pickle.load to
:func:`pickle.load`, numpy.load to :func:`numpy.load`, vicar.VicarImage to
:class:`vicar.VicarImage`, detect_vicar to :func:`detect_vicar`, detect_fits to
:func:`detect_fits`, astropy.io.fits.open to :func:`astropy.io.fits.open`,
PIL.Image.open to :func:`PIL.Image.open`, and rms-pdsparser to
:mod:`rms-pdsparser`; also convert attribute-like tokens such as ^IMAGE,
--pointer, and --alt-pointer to appropriate roles (e.g., :attr:`^IMAGE` or use
:option: if you have that role) and ensure returned tuple names (inst_host,
inst_id, filter_name) referenced in prose use :data: or :attr: roles as
appropriate so every API symbol in the narrative uses the correct Sphinx role.

In `@tests/fixture_recipes/generate_user_guide_thumbnails.py`:
- Around line 87-98: Update the docstring so the mention of the helper function
uses a Sphinx cross-reference: replace the plain `images_to_pics` text with a
function role such as `:func:\`images_to_pics\`` (or
`:func:\`module.images_to_pics\`` if fully qualified) in the docstring of the
thumbnail-rendering function so the reference is rendered and validated by
Sphinx.
- Around line 132-141: Add a descriptive docstring to the main() function that
briefly explains its purpose (generates thumbnails for fixtures in ALL_GALLERIES
into OUT_DIR), what it returns (exit code int), and any notable side effects
(creates OUT_DIR, prints progress and summary, calls _generate_one for each
gallery). Place the docstring as the first statement inside the main()
definition above the implementation so tooling and linters pick it up; reference
the function name main(), constants OUT_DIR and ALL_GALLERIES, and helper
_generate_one in the prose as appropriate.
- Around line 32-34: Rename the module-level constants HERE, FIXTURES, and
OUT_DIR to use the ALL_CAPS_WITH_UNDERSCORES convention for internal constants
(prefixing with an underscore as suggested): change HERE → _HERE, FIXTURES →
_FIXTURES, and OUT_DIR → _OUT_DIR; update all references to these symbols
throughout the file (e.g., usages like fixture = FIXTURES / fixture_name →
fixture = _FIXTURES / fixture_name, _OUT_DIR.mkdir(...), and the formatted
message referencing OUT_DIR → _OUT_DIR) so identifiers remain consistent.
- Line 22: Remove the unnecessary module-level import "from __future__ import
annotations" in tests/fixture_recipes/generate_user_guide_thumbnails.py — simply
delete that import line so annotations use native Python 3.10+ syntax; no other
changes required.

In `@tests/test_cli.py`:
- Line 69: The regex used to extract flags in the test (the expression assigned
to guide_flags via re.findall in tests/test_cli.py) is too restrictive because
r'--[a-z_-]+' excludes digits; update that pattern to allow digits (use
r'--[a-z0-9_-]+') so numeric flags like --16 would be matched in future
baselines—locate the guide_flags = set(re.findall(...)) line and replace the
pattern string accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8f06d03d-5c6f-40d6-8664-9672c4ead6fa

📥 Commits

Reviewing files that changed from the base of the PR and between af0223c and ffc1770.

⛔ Files ignored due to path filters (23)

• docs/_static/user_guide/cassini_iss_tint.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/enhance_colormap.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/enhance_default.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/enhance_gamma2.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/enhance_histogram.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/enhance_pct5_95.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/enhance_tint.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/galileo_ssi_tint_a.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/galileo_ssi_tint_b.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/geom_default.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/geom_frame_max_50.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/geom_frame_pad.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/geom_rot90.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/geom_scale200.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/hst_acs_tint.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/hst_wfc3_tint.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/hst_wfpc2_tint.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/nh_mvic_tint.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/output_jpg.jpg is excluded by !**/*.jpg
• docs/_static/user_guide/output_png.png is excluded by !**/*.png
• docs/_static/user_guide/output_tiff.tiff is excluded by !**/*.tiff
• docs/_static/user_guide/output_tiff16.tiff is excluded by !**/*.tiff
• docs/_static/user_guide/voyager_iss_tint.jpg is excluded by !**/*.jpg

📒 Files selected for processing (10)

• .github/workflows/publish_to_pypi.yml
• .github/workflows/publish_to_test_pypi.yml
• .github/workflows/run-tests.yml
• CONTRIBUTING.md
• docs/conf.py
• docs/index.rst
• docs/user_guide.rst
• pyproject.toml
• tests/fixture_recipes/generate_user_guide_thumbnails.py
• tests/test_cli.py

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/picmaker/__init__.py (1)

17-21: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Narrow the version fallback exception scope.

Catching Exception here can hide legitimate import/runtime failures and incorrectly force __version__ to 0.0.0+unknown.

Proposed fix

 try:
     from importlib.metadata import version as _version
+    from importlib.metadata import PackageNotFoundError

     __version__ = _version('rms-picmaker')
-except Exception:  # pragma: no cover — only fires when the package isn't installed
+except PackageNotFoundError:  # pragma: no cover — package metadata unavailable
     try:
         from picmaker._version import __version__
     except ImportError:
         __version__ = '0.0.0+unknown'

As per coding guidelines, "Catch exceptions at the smallest granularity possible. Do NOT wrap large blocks in a single try/except."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/picmaker/__init__.py` around lines 17 - 21, The current broad "except
Exception" in src/picmaker/__init__.py should be narrowed so real runtime errors
aren't swallowed; change the outer "except Exception" that surrounds the import
of picmaker._version to only catch ImportError (or ModuleNotFoundError) and keep
the existing fallback assignment to __version__ = '0.0.0+unknown' inside the
ImportError handler; reference the import of "picmaker._version" and the
variable "__version__" when making this change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/picmaker/io.py`:
- Around line 309-315: The code constructs imagefile from untrusted label/node
values (in the node string and list/tuple branches) which permits path
traversal; update the logic in the node handling (where imagefile is set using
filename_str, node, and node[0] and offset_value is derived) to resolve and
normalize the joined path to an absolute path (use os.path.abspath +
os.path.normpath) and then verify it is inside the expected base directory (the
directory of filename_str) using os.path.commonpath (or equivalent) before
accepting it; if the resolved path escapes the base directory, treat it as
invalid (raise or skip) and do the same validation for both the str and
list/tuple branches where imagefile is computed.

In `@tests/test_pipeline_branches.py`:
- Line 125: Move the "import logging" statement out of the test functions and
place it with the module-level imports at the top of the file; then remove the
inline "import logging" lines from the test functions that currently include
them so the module uses the single top-level logging import instead of
per-function imports. Ensure any logging usage in those tests continues to
reference the same logging symbol.
- Line 6: Remove the unnecessary future import statement: delete the line "from
__future__ import annotations" from the test module since the codebase targets
Python 3.10+ and uses native generics (e.g., dict[str, Any], Path), so the
import is redundant per guidelines.

---

Outside diff comments:
In `@src/picmaker/__init__.py`:
- Around line 17-21: The current broad "except Exception" in
src/picmaker/__init__.py should be narrowed so real runtime errors aren't
swallowed; change the outer "except Exception" that surrounds the import of
picmaker._version to only catch ImportError (or ModuleNotFoundError) and keep
the existing fallback assignment to __version__ = '0.0.0+unknown' inside the
ImportError handler; reference the import of "picmaker._version" and the
variable "__version__" when making this change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3d7819f3-3e28-4c0a-b593-be7207196f3c

📥 Commits

Reviewing files that changed from the base of the PR and between ffc1770 and b10477b.

📒 Files selected for processing (10)

• .github/workflows/run-tests.yml
• pyproject.toml
• src/picmaker/__init__.py
• src/picmaker/io.py
• tests/test_cli_unit.py
• tests/test_io_branches.py
• tests/test_io_extra.py
• tests/test_misc_branches.py
• tests/test_pds3_reader.py
• tests/test_pipeline_branches.py

[coderabbitai]

Actionable comments posted: 21

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

tests/test_color.py (1)

57-59: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Stale "eval" reference in comment.

The production code uses :func:ast.literal_eval, not :func:eval. Update the comment to avoid misleading future readers. If you adopt the tuple-normalization suggested in colornames.py, this test (and its comment) will need a corresponding update to assert a tuple instead.

📝 Proposed wording fix (no behavior change)

-        # Bracket form `[100, 100, 100]` parses but returns a list (eval result),
-        # not a tuple — documenting the actual current behavior.
+        # Bracket form `[100, 100, 100]` parses via ast.literal_eval and
+        # returns a list, not a tuple — documenting current behavior.
         assert ColorNames.lookup('[100, 100, 100]') == [100, 100, 100]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_color.py` around lines 57 - 59, The comment in tests referencing
"eval" is stale; update the comment near the assertion calling
ColorNames.lookup('[100, 100, 100]') to say the production code uses
ast.literal_eval (not eval), and if you implement the tuple-normalization change
in colornames.py (the tuple normalization behavior in ColorNames.lookup), also
update the test assertion to expect a tuple instead of a list and adjust the
comment to describe that tuple-normalization behavior.

src/picmaker/colornames.py (1)

782-836: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a docstring to lookup and tighten the return type.

Two issues on the public API surface of :meth:ColorNames.lookup:

1. The method has no docstring. Per coding guidelines it must document parameters, return value, raised exceptions (TypeError, KeyError, ValueError) and the accepted input forms — enough to write a black-box test from the docstring alone.
2. The annotated return type is Any. Concretely, the dict path returns tuple[int, int, int], the parenthesized RGB form returns tuple[int, int, int] (via :func:ast.literal_eval), but the bracket form [r, g, b] returns list[int] — an inconsistency that tests/test_color.py::TestRgbExpression::test_rgb_brackets_expression had to document around. Normalizing to a tuple removes a real ergonomic wart for callers and lets the annotation become precise.

♻️ Proposed fix

     `@staticmethod`
-    def lookup(name: str) -> Any:
+    def lookup(name: str) -> tuple[int, int, int]:
+        """Resolve a color specifier to an ``(r, g, b)`` tuple.
+
+        Accepts an X11 color name (case- and whitespace-insensitive, with
+        optional surrounding quotes) or a literal ``(r, g, b)`` /
+        ``[r, g, b]`` expression with components in ``[0, 255]``.
+
+        Parameters:
+            name: Color specifier to resolve.
+
+        Returns:
+            A 3-tuple of integer RGB components.
+
+        Raises:
+            TypeError: If ``name`` is not a string.
+            KeyError: If ``name`` is not a recognized color name and is not
+                a well-formed RGB literal that fully consumes the input.
+            ValueError: If any parsed RGB component exceeds 255.
+        """
@@
-        for i in rgb:
-            if i > 255:
-                raise ValueError("Color value out of range: " + name)
-
-        return rgb
+        for i in rgb:
+            if i > 255:
+                raise ValueError("Color value out of range: " + name)
+
+        return tuple(rgb)

The corresponding test test_rgb_brackets_expression should then assert == (100, 100, 100).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/picmaker/colornames.py` around lines 782 - 836, Add a docstring to
ColorNames.lookup describing the parameter (name: str), the return value
(tuple[int,int,int]), and the raised exceptions (TypeError for non-str, KeyError
for unknown names, ValueError for out-of-range components) plus the accepted
input forms (named colors, lower/normalized variants, RGB tuple or bracketed
list). Change the annotated return type from Any to tuple[int, int, int] and
normalize any parsed RGB list to a 3-tuple before returning (e.g. convert the
ast.literal_eval result or any list from RGB parsing into tuple(r,g,b)). Ensure
the function still uses ColorNames.COLOR_NAME_DICT,
ColorNames.COLOR_NAME_LOWER_DICT and ColorNames.RGB_PATTERN as currently to
locate the code to modify.

CODEBASE_CRITIQUE.md (1)

1-212: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Minor documentation quality issues in internal audit document.

This internal codebase critique has several minor formatting and spelling issues flagged by static analysis:

1. Mixed British/American spelling: "modernization" (line 141) vs "modernisation" (line 178)
2. GitHub should be capitalized in several places (lines 4, 168, 170, 171, 173)
3. Several code blocks missing blank lines before/after (markdownlint MD031)

Since this is an internal audit document rather than user-facing documentation, these are low-priority, but consistency would improve readability.

As per coding guidelines: "Always use American spelling instead of British spelling (e.g., color instead of colour) in documentation."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CODEBASE_CRITIQUE.md` around lines 1 - 212, The audit document
CODEBASE_CRITIQUE.md contains inconsistent British/American spelling
("modernisation" vs "modernization"), inconsistent capitalization of "GitHub",
and missing blank lines around fenced/code blocks flagged by markdownlint MD031;
edit CODEBASE_CRITIQUE.md to standardize to American spelling (e.g., change
"modernisation" → "modernization"), capitalise all occurrences of "GitHub", and
ensure there is a blank line before and after each code block (or fenced block)
to satisfy MD031.

src/picmaker/io.py (1)

178-243: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use a context manager for FITS files to avoid resource leaks on exceptions.

hdulist.close() only runs on the success path. The code can raise IndexError (line 181, 189, 206), OSError (line 230), or other exceptions before reaching the explicit close() call, leaving the file handle open and causing resource leaks.

Proposed fix

-                hdulist = pyfits.open(filename_str)
-                _fitsobj = hdulist[0]  # IndexError if not FITS
+                with pyfits.open(filename_str) as hdulist:
+                    _fitsobj = hdulist[0]  # IndexError if not FITS
+                    ...
-                hdulist.close()
-                return ReadResult(array3d, True, filter_info)
+                    return ReadResult(array3d, True, filter_info)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/picmaker/io.py` around lines 178 - 243, The FITS file handle opened via
pyfits.open(filename_str) (hdulist) can leak if exceptions occur before
hdulist.close(); change the code to open the FITS file with a context manager
(e.g., with pyfits.open(filename_str) as hdulist:) or wrap the existing logic in
try/finally to ensure hdulist.close() always runs; apply this around the block
that uses hdulist (the detection loop using instruments.FITS_INSTRUMENTS, the
HST branches for 'ACS/WFC' and 'WFPC2', the obj handling and the final
ReadResult return) so that exceptions like IndexError or OSError won’t leave the
file open.

♻️ Duplicate comments (2)

src/picmaker/io.py (1)

349-355: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Detached PDS pointer filenames still allow directory traversal.

At Line 350 and Line 354, untrusted pointer paths are joined directly against the label directory without containment checks. This can escape via ../....

As per coding guidelines, "For file paths, resolve to absolute paths and verify they remain within the expected directory (prevent path traversal)."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/picmaker/io.py` around lines 349 - 355, The code that sets imagefile in
the node-handling branch (the string branch and the list/tuple branch treating
node[0]) joins untrusted pointer values directly to the label directory using
filename_str, allowing path traversal; fix by resolving the candidate path to an
absolute/resolved path (use os.path.abspath or pathlib.Path(filename).resolve())
and compare it against the base directory resolved path
(os.path.dirname(filename_str) resolved) using os.path.commonpath or
Path.commonpath to ensure the resulting imagefile is contained within the base
directory; if the containment check fails, reject the pointer (raise an error or
skip) rather than using the escaped path, and preserve existing offset_value
logic for valid paths (references: filename_str, pname, label_dict, imagefile,
offset_value, node and node[0]).

tests/fixture_recipes/generate_user_guide_thumbnails.py (1)

30-32: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Use underscore prefix for internal module-level constants.

HERE, FIXTURES, and OUT_DIR are internal to this script and should follow the private naming convention. As per coding guidelines, names not part of the public API should be prefixed with a single underscore.

♻️ Proposed fix

-HERE = Path(__file__).parent
-FIXTURES = HERE.parent / 'fixtures'
-OUT_DIR = HERE.parent.parent / 'docs' / '_static' / 'user_guide'
+_HERE = Path(__file__).parent
+_FIXTURES = _HERE.parent / 'fixtures'
+_OUT_DIR = _HERE.parent.parent / 'docs' / '_static' / 'user_guide'

Then update all references throughout the file:

• Line 98: fixture = _FIXTURES / fixture_name
• Line 142: _OUT_DIR.mkdir(parents=True, exist_ok=True)
• Line 145: path = _generate_one(slug, fixture_name, kwargs, ext, _OUT_DIR)
• Line 149: print(f'...to {_OUT_DIR}')

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/fixture_recipes/generate_user_guide_thumbnails.py` around lines 30 -
32, Rename the module-level constants HERE, FIXTURES, and OUT_DIR to use a
single leading underscore (_HERE, _FIXTURES, _OUT_DIR) to mark them as internal,
then update every use in this file accordingly (e.g., replace fixture = FIXTURES
/ fixture_name with fixture = _FIXTURES / fixture_name, call
_OUT_DIR.mkdir(...), pass _OUT_DIR into _generate_one(...) and update print
messages to reference _OUT_DIR); ensure imports/other symbols remain unchanged
and run tests to confirm no remaining references to the old names.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/user_guide.rst`:
- Around line 457-459: The table documents the CLI option ``--filter`` as having
dest ``filter`` but the actual argparse binding uses ``filter_name``; update the
docs entry for the ``--filter``/``-f NAME`` option to show dest as
``filter_name`` (replace the current ``filter`` value), ensuring the table row
for the ``--filter`` option matches the actual binding name used in the codebase
(``filter_name``).

In `@src/picmaker/colornames.py`:
- Line 15: Add a descriptive class docstring to ColorNames that explains the
class exposes the standard X11 color-name table and provides the lookup entry
point (lookup), and describe supported input forms: color name (case-insensitive
/ lowercase normalized) and RGB containers like (r, g, b) or [r, g, b]; place
this docstring immediately under the class ColorNames declaration and keep it
concise but informative per project docstring guidelines.

In `@src/picmaker/instruments/galileo.py`:
- Around line 34-35: The docstring in src/picmaker/instruments/galileo.py
contains lines that exceed the 90-character wrap target (notably the long lines
around the block where FILTER index and the "GLL/SSI" prefix are described and
the similar lines at the later occurrence); split those long strings into
multiple shorter lines (<=90 chars) while preserving docstring indentation and
wording, updating both places (the docstring segment near the
FILTER/FILTER_NAMES description and the repeated lines at the later location) so
they remain valid Python docstrings and keep existing punctuation and backticks
intact.

In `@src/picmaker/instruments/hst.py`:
- Around line 87-88: The docstring incorrectly uses :data: for callable symbols;
change the Sphinx roles for RFUNC, GFUNC, and BFUNC to use :func: instead of
:data: (find the docstring referencing picmaker._rgb.RFUNC / picmaker._rgb.GFUNC
/ picmaker._rgb.BFUNC in src/picmaker/instruments/hst.py and replace each
:data:`picmaker._rgb.RFUNC` / :data:`picmaker._rgb.GFUNC` /
:data:`picmaker._rgb.BFUNC` with :func:`picmaker._rgb.RFUNC` /
:func:`picmaker._rgb.GFUNC` / :func:`picmaker._rgb.BFUNC` so they are proper
callable cross-references).

In `@src/picmaker/instruments/nh.py`:
- Around line 87-88: The docstring's "Raises:" entry for KeyError in
src/picmaker/instruments/nh.py exceeds the 90-character wrap limit; edit the
docstring (the Raises: KeyError line that mentions FILTER_DICT and inst_id/MVIC
path) to wrap the sentence to 90 characters or less (split into two properly
indented lines while preserving Sphinx/reST markup and references like
picmaker.instruments.nh.FILTER_DICT, filter_name, and inst_id).

In `@src/picmaker/instruments/voyager.py`:
- Around line 86-87: The docstring in src/picmaker/instruments/voyager.py has a
too-long Raises entry for KeyError; edit the docstring (near the
FILTER_DICT/inst_id explanation) to reflow the KeyError description to a maximum
line length of 90 characters, preserving wording and meaning but breaking the
sentence across lines to comply with the project's docstring wrapping rules
(ensure the “Raises:” section and the KeyError bullet remain correctly indented
and formatted).

In `@src/picmaker/io.py`:
- Around line 135-143: The current reader silently calls pickle.load on
filename_str and appends any exception to cascade_errors; remove this unsafe
default by gating pickle deserialization behind an explicit opt-in flag (e.g.,
add and check an allow_pickle boolean parameter to the public reader function)
or remove the pickle branch entirely; when gated, require callers to pass
allow_pickle=True and include a documented security warning before invoking
pickle.load, and keep the rest of the flow (constructing ReadResult and
appending to cascade_errors) unchanged so callers that do opt-in still get the
same return semantics.

In `@src/picmaker/options.py`:
- Around line 87-113: The validate method contains a redundant None check for
filter_name: since filter_name is declared as str with default 'NONE', remove
the unnecessary "is not None" branch and directly check the value when twobytes
is true; i.e., in validate(), under the twobytes block use filter_name.lower()
!= 'none' (and keep the existing extension check and error message), referencing
the validate method, the twobytes field, and filter_name to locate and simplify
the conditional.

In `@src/picmaker/pipeline.py`:
- Around line 100-110: When movie mode is enabled the code indexes
option_dicts[0] without ensuring the list is non-empty; add a guard before the
any(...) check to raise a clear ValueError if option_dicts is empty (e.g.,
"movie mode requires at least one option_dict") and only perform the
proceed-equality check afterwards—update the branch that currently references
option_dicts[0] so it first validates option_dicts is truthy, then runs the
existing any(...) comparison and raises the existing ValueError for mismatched
'proceed' values.
- Around line 58-72: The root-only check after calling os.path.commonpath
(variable result) fails to treat Windows drive-only roots like 'C:\\' as "no
useful prefix"; update the condition to detect drive roots explicitly by using
os.path.splitdrive(result) and ensuring there's a meaningful path component
after the root separator — e.g., splitdrive_root, rest =
os.path.splitdrive(result); if not rest or rest == os.sep or
(rest.startswith(os.sep) and rest.count(os.sep) == 1): return '' — or
alternatively check that there is at least one non-root separator character
after the anchor before returning result.

In `@src/picmaker/tiff16.py`:
- Around line 106-114: The code currently treats any byteorder other than
"little" as big-endian; instead validate byteorder (case-insensitive) only for
"native", "little", or "big": if "native" set byteorder = sys.byteorder, then if
byteorder == "little" set o = "<" and flag = b"I", elif byteorder == "big" set o
= ">" and flag = b"M", otherwise raise a ValueError describing the invalid
byteorder input; update the logic around the byteorder variable and the o/flag
assignments (refer to byteorder, sys.byteorder, o, flag) to fail fast on unknown
values.

In `@TEST_SUITE_CRITIQUE.md`:
- Around line 73-88: The document uses bare code names in narrative prose
instead of Sphinx cross-reference roles; update every plain-symbol mention
(e.g., images_to_pics, ColorNames.lookup, picmaker.io.read_one_image_array and
other function/class/module/constant mentions) to the appropriate Sphinx role
(for example :func:`images_to_pics`, :meth:`ColorNames.lookup`,
:mod:`picmaker.io` or :func:`picmaker.io.read_one_image_array`, or
:class:/:attr:/:data: as appropriate) throughout the markdown sections flagged
(including the other noted blocks around the document) so that each class,
method, function, module, attribute, or data constant in narrative prose uses
the correct :class:, :meth:, :func:, :mod:, :attr:, or :data: role.
- Around line 282-283: The audit paragraph in TEST_SUITE_CRITIQUE.md is
inconsistent: remove the stale "RESOLVED" claim and any text that suggests
`palette != None` was fixed, and replace it with a single clear statement that
the underlying bug remains because tiff16.py still uses the problematic
comparison `has_palette = (palette != None)` (which can raise on a non-None
numpy palette), therefore the strict-xfail markers in test_tiff16.py should
still be considered valid; also mention the remaining strict-xfail in
test_pil_utils.py::test_rescale_grayscale_returns_float_in_unit_range as a
separate outstanding issue.
- Around line 197-201: Multiple fenced code blocks (e.g., the pytest snippet
calling ColorNames.lookup('not_a_real_color')) are missing surrounding blank
lines and some fences lack a language tag; update each listed block by ensuring
there is a blank line before and after the ``` fence (fix MD031) and add an
appropriate language identifier (e.g., ```python for Python blocks, ```bash for
shell commands) to the opening fence (fix MD040) for the ranges mentioned
(include the pytest example and the blocks at the other noted ranges).
- Line 19: The document incorrectly states the coverage gate as "fail_under =
90"; update every occurrence in TEST_SUITE_CRITIQUE.md that mentions 'fail_under
= 90' (including the later sections referenced) to match the actual project
setting 'fail_under = 59' as defined in pyproject.toml [tool.coverage.report],
and ensure any nearby text (e.g., references to CI/pytest addopts or coverage
checks) is adjusted for consistency with the real threshold.

In `@tests/test_enhance_branches.py`:
- Around line 73-76: The test uses a loose inequality for the upper limit
(assert hi <= 200 + 0.5) which can mask regressions; update the assertion to
check the precise expected value for hi returned by get_limits for this fixture
(e.g., replace the inequality with assert hi == <expected_value>) and ensure you
reference the same call to get_limits(...) and the hi variable in
tests/test_enhance_branches.py to keep the branch test strict.

In `@tests/test_filters_branches.py`:
- Around line 15-19: The test test_filter_image_blur currently only checks size;
update it to assert the blur actually changed pixel values by comparing the
input image pixels (im) with the output image pixels (out) produced by
filter_image(im, 'blur') — e.g., verify that at least one pixel value differs
(or compute a full pixel-wise difference and assert non-zero) so a no-op
implementation will fail; keep the test using the same 8x8 Image.new('L', ...)
and reference filter_image and the test name when making the change.

In `@tests/test_pil_utils.py`:
- Around line 38-39: Replace the weak range checks on the variable back with a
precise equality assertion: compute or provide the exact expected normalized
numpy array for the test case and assert back equals that expected array using
numpy's array comparison utilities (e.g., np.testing.assert_allclose or
np.testing.assert_array_equal) instead of the two assertions on dtype and max;
update the assertions in tests/test_pil_utils.py referencing back to compare the
full array contents and dtype to the expected normalized values.

In `@tests/test_pipeline_branches.py`:
- Around line 328-329: The test currently uses a too-broad exception check
around the process_images(...) call; change pytest.raises((OSError, Exception))
to the single expected exception type (e.g., pytest.raises(OSError)) and assert
the error message content (either via the raises(..., match="expected text")
parameter or by capturing excinfo and asserting str(excinfo.value) contains the
expected substring) for the call to process_images([str(bogus)], str(tmp_path /
'out'), True, [od]) so the test only passes for the intended failure mode.

In `@tests/test_tiff16_branches.py`:
- Line 42: The test currently allows two shapes which weakens regression checks;
update test_tiff16_branches to assert a single canonical shape by normalizing
the result first (e.g., apply np.squeeze or reshape to remove a singleton
channel) and then assert array.shape == (8, 8). Concretely: ensure the code
operating on the test variable array removes any trailing singleton dimension
(use array = np.squeeze(array) or equivalent) and replace the "assert
array.shape == (8, 8) or array.shape == (8, 8, 1)" with a single exact assertion
"assert array.shape == (8, 8)".
- Around line 28-34: The tests currently only assert file creation; update them
to validate TIFF semantics by reading the written file with ReadTiff16 and
asserting the output shape and pixel values for each branch: for
test_tiff16_three_d_grayscale validate the read array equals the original
reduced grayscale data and shape (h,w,1); for the ROTATE_90 branch call
WriteTiff16 with the rotation option then ReadTiff16 and assert the data matches
a 90-degree rotated version of the input; for the up=True branch write with
up=True, read back with ReadTiff16 and assert both the expected shape and
scaled/upsampled pixel values; ensure assertions use the same unique helpers
WriteTiff16 and ReadTiff16 to check content rather than just file existence.

---

Outside diff comments:
In `@CODEBASE_CRITIQUE.md`:
- Around line 1-212: The audit document CODEBASE_CRITIQUE.md contains
inconsistent British/American spelling ("modernisation" vs "modernization"),
inconsistent capitalization of "GitHub", and missing blank lines around
fenced/code blocks flagged by markdownlint MD031; edit CODEBASE_CRITIQUE.md to
standardize to American spelling (e.g., change "modernisation" →
"modernization"), capitalise all occurrences of "GitHub", and ensure there is a
blank line before and after each code block (or fenced block) to satisfy MD031.

In `@src/picmaker/colornames.py`:
- Around line 782-836: Add a docstring to ColorNames.lookup describing the
parameter (name: str), the return value (tuple[int,int,int]), and the raised
exceptions (TypeError for non-str, KeyError for unknown names, ValueError for
out-of-range components) plus the accepted input forms (named colors,
lower/normalized variants, RGB tuple or bracketed list). Change the annotated
return type from Any to tuple[int, int, int] and normalize any parsed RGB list
to a 3-tuple before returning (e.g. convert the ast.literal_eval result or any
list from RGB parsing into tuple(r,g,b)). Ensure the function still uses
ColorNames.COLOR_NAME_DICT, ColorNames.COLOR_NAME_LOWER_DICT and
ColorNames.RGB_PATTERN as currently to locate the code to modify.

In `@src/picmaker/io.py`:
- Around line 178-243: The FITS file handle opened via pyfits.open(filename_str)
(hdulist) can leak if exceptions occur before hdulist.close(); change the code
to open the FITS file with a context manager (e.g., with
pyfits.open(filename_str) as hdulist:) or wrap the existing logic in try/finally
to ensure hdulist.close() always runs; apply this around the block that uses
hdulist (the detection loop using instruments.FITS_INSTRUMENTS, the HST branches
for 'ACS/WFC' and 'WFPC2', the obj handling and the final ReadResult return) so
that exceptions like IndexError or OSError won’t leave the file open.

In `@tests/test_color.py`:
- Around line 57-59: The comment in tests referencing "eval" is stale; update
the comment near the assertion calling ColorNames.lookup('[100, 100, 100]') to
say the production code uses ast.literal_eval (not eval), and if you implement
the tuple-normalization change in colornames.py (the tuple normalization
behavior in ColorNames.lookup), also update the test assertion to expect a tuple
instead of a list and adjust the comment to describe that tuple-normalization
behavior.

---

Duplicate comments:
In `@src/picmaker/io.py`:
- Around line 349-355: The code that sets imagefile in the node-handling branch
(the string branch and the list/tuple branch treating node[0]) joins untrusted
pointer values directly to the label directory using filename_str, allowing path
traversal; fix by resolving the candidate path to an absolute/resolved path (use
os.path.abspath or pathlib.Path(filename).resolve()) and compare it against the
base directory resolved path (os.path.dirname(filename_str) resolved) using
os.path.commonpath or Path.commonpath to ensure the resulting imagefile is
contained within the base directory; if the containment check fails, reject the
pointer (raise an error or skip) rather than using the escaped path, and
preserve existing offset_value logic for valid paths (references: filename_str,
pname, label_dict, imagefile, offset_value, node and node[0]).

In `@tests/fixture_recipes/generate_user_guide_thumbnails.py`:
- Around line 30-32: Rename the module-level constants HERE, FIXTURES, and
OUT_DIR to use a single leading underscore (_HERE, _FIXTURES, _OUT_DIR) to mark
them as internal, then update every use in this file accordingly (e.g., replace
fixture = FIXTURES / fixture_name with fixture = _FIXTURES / fixture_name, call
_OUT_DIR.mkdir(...), pass _OUT_DIR into _generate_one(...) and update print
messages to reference _OUT_DIR); ensure imports/other symbols remain unchanged
and run tests to confirm no remaining references to the old names.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 68b14d1c-1a10-4403-b69e-b9a295df492f

📥 Commits

Reviewing files that changed from the base of the PR and between b10477b and 11fb105.

📒 Files selected for processing (68)

• .cursor/rules/python_best_practices.mdc
• .github/workflows/publish_to_pypi.yml
• .github/workflows/publish_to_test_pypi.yml
• .github/workflows/run-tests.yml
• CODEBASE_CRITIQUE.md
• CONTRIBUTING.md
• RELEASING.md
• TEST_SUITE_CRITIQUE.md
• docs/conf.py
• docs/developer_guide.rst
• docs/index.rst
• docs/module.rst
• docs/user_guide.rst
• pyproject.toml
• scripts/run-all-checks.sh
• src/picmaker/__init__.py
• src/picmaker/_filters.py
• src/picmaker/cli.py
• src/picmaker/colornames.py
• src/picmaker/instruments/__init__.py
• src/picmaker/instruments/cassini.py
• src/picmaker/instruments/galileo.py
• src/picmaker/instruments/hst.py
• src/picmaker/instruments/nh.py
• src/picmaker/instruments/voyager.py
• src/picmaker/io.py
• src/picmaker/options.py
• src/picmaker/picmaker.py
• src/picmaker/pil_utils.py
• src/picmaker/pipeline.py
• src/picmaker/tiff16.py
• tests/fixture_recipes/generate_user_guide_thumbnails.py
• tests/test_alt_strip_alias.py
• tests/test_apply_gamma.py
• tests/test_cli.py
• tests/test_cli_unit.py
• tests/test_color.py
• tests/test_enhance.py
• tests/test_enhance_branches.py
• tests/test_filters_branches.py
• tests/test_frame_max.py
• tests/test_geometry.py
• tests/test_geometry_branches.py
• tests/test_geometry_extra.py
• tests/test_hst_filter_tuple_normalization.py
• tests/test_instruments_branches.py
• tests/test_io.py
• tests/test_io_cascade.py
• tests/test_io_extra.py
• tests/test_mutable_defaults.py
• tests/test_overlap_vs_overlaps.py
• tests/test_package_init.py
• tests/test_paths.py
• tests/test_pds3_reader.py
• tests/test_pds3_reader_branches.py
• tests/test_pickle_iolost_propagates_to_final_error.py
• tests/test_pil_utils.py
• tests/test_pil_utils_branches.py
• tests/test_pipeline.py
• tests/test_pipeline_branches.py
• tests/test_snapshots.py
• tests/test_tiff16.py
• tests/test_tiff16_branches.py
• tests/test_tinted_colormap.py
• tests/test_unknown_filter_warning.py
• tests/test_versions_override.py
• tests/test_warning_elevation.py
• tests/test_zebra.py

💤 Files with no reviewable changes (3)

• tests/test_alt_strip_alias.py
• tests/test_overlap_vs_overlaps.py
• tests/test_versions_override.py

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use :func: roles for callable symbols in this docstring.

RFUNC, GFUNC, and BFUNC are functions, so these references should use :func: instead of :data:.

Suggested docstring fix

-    :data:`picmaker._rgb.RFUNC` / :data:`picmaker._rgb.GFUNC` /
-    :data:`picmaker._rgb.BFUNC` splines. Each detector family has its
+    :func:`picmaker._rgb.RFUNC` / :func:`picmaker._rgb.GFUNC` /
+    :func:`picmaker._rgb.BFUNC` splines. Each detector family has its

As per coding guidelines, “EVERY mention of a class, method, function, module, attribute, or data constant in narrative prose MUST use appropriate Sphinx cross-reference roles.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/picmaker/instruments/hst.py` around lines 87 - 88, The docstring
incorrectly uses :data: for callable symbols; change the Sphinx roles for RFUNC,
GFUNC, and BFUNC to use :func: instead of :data: (find the docstring referencing
picmaker._rgb.RFUNC / picmaker._rgb.GFUNC / picmaker._rgb.BFUNC in
src/picmaker/instruments/hst.py and replace each :data:`picmaker._rgb.RFUNC` /
:data:`picmaker._rgb.GFUNC` / :data:`picmaker._rgb.BFUNC` with
:func:`picmaker._rgb.RFUNC` / :func:`picmaker._rgb.GFUNC` /
:func:`picmaker._rgb.BFUNC` so they are proper callable cross-references).

[coderabbitai]

Actionable comments posted: 8

♻️ Duplicate comments (2)

src/picmaker/io.py (2)

347-358: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Critical security issue: Path traversal in PDS pointer resolution remains unresolved.

Lines 348 and 352 join untrusted pointer paths from PDS labels without validation. A malicious label could use ^IMAGE = "../../../sensitive_file" to read arbitrary files. The past review requested validation using os.path.abspath and os.path.commonpath to ensure paths remain within the expected directory.

As per coding guidelines, "For file paths, resolve to absolute paths and verify they remain within the expected directory (prevent path traversal)."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/picmaker/io.py` around lines 347 - 358, The pointer-resolution branches
(the isinstance(node, str) and isinstance(node, (list, tuple)) paths that set
imagefile using filename_str and node values) join untrusted PDS label values
directly, allowing path traversal; fix by resolving the candidate image path to
an absolute path with os.path.abspath, compute the expected base directory from
filename_str (e.g., os.path.dirname(filename_str) and its abspath), then verify
with os.path.commonpath that the resolved image path is inside that base
directory; if the check fails, raise a ValueError/TypeError and do not use the
path; keep existing offset_value logic and continue to use label_dict/pname for
offset lookup but validate all pointer-derived paths before assigning imagefile.

---

136-142: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Critical security issue: pickle.load on untrusted input remains unresolved.

pickle.load(f) at line 137 can execute arbitrary code embedded in malicious pickle files. This function is a public API that accepts user-provided filenames without any opt-in flag or security warning. The past review flagged this as critical and requested either removal or explicit opt-in gating.

As per coding guidelines, "NEVER trust external input (function arguments from callers, file contents, environment variables, data from remote URLs). Validate inputs at the public API boundary of the library."

Based on learnings, "NEVER guess at bug causes. Use logic, stack traces, and targeted logging. If stuck in a fix loop, revert and re-approach from first principles. When necessary, ask for help."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/picmaker/io.py` around lines 136 - 142, The use of pickle.load on
untrusted files in the public API must be removed or explicitly gated: replace
the blind pickle.load call inside the function that opens filename_str and
returns ReadResult with a safe alternative or an explicit opt-in check (e.g.,
add a new boolean parameter allow_pickle defaulting to False) so that by default
loading raises a clear security error; if allow_pickle is True, require callers
to explicitly opt in and log a security warning before using pickle (or use a
documented, sandboxed custom Unpickler). Update the code paths that call this
loader to pass the flag where appropriate and ensure ReadResult creation remains
unchanged (return ReadResult(array3d, False, None)) only after safe loading
succeeds.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/dev/module_layout.rst`:
- Around line 20-24: Replace the inline literal API symbols in the prose with
Sphinx cross-reference roles: wrap class names like VicarImage and VicarError
with :class:, functions like ReadTiff16 and WriteTiff16 with :func:, and
data/constants like ColorNames, GALILEO_SSI_DICT, GALILEO_SSI_NAMES,
NH_MVIC_DICT, and VOYAGER_ISS_DICT with :data: (adjust role if a symbol is a
different type), e.g. use :class:`VicarImage`, :func:`ReadTiff16`,
:data:`GALILEO_SSI_DICT` so the references are validated and linkable and
conform to the coding guideline requiring roles for API mentions.

In `@docs/dev/pipeline.rst`:
- Around line 130-135: Replace bare mentions of functions in narrative prose
with Sphinx cross-reference roles: change occurrences of "fits.open" to an
appropriate function role (e.g. :func:`astropy.io.fits.open`), and wrap
"tint_for" and "write_pil" with function roles (e.g. :func:`tint_for`,
:func:`write_pil`) so they become linkable and validated by Sphinx; apply the
same conversion to the other affected paragraph range (the section around lines
273-290) to ensure every prose mention of these callables uses the proper
cross-reference role.

In `@docs/user_guide.rst`:
- Line 400: Replace British spelling "Colour" with American "Color" in the three
table description phrases that read "Colour used for pixels below the lower
limit." (and similar occurrences) in docs/user_guide.rst so all instances use
"Color"; update each matching phrase exactly (e.g., change "Colour used for
pixels below the lower limit." to "Color used for pixels below the lower
limit.") to maintain consistency with the coding guidelines.

In `@tests/fixture_recipes/generate_user_guide_thumbnails.py`:
- Around line 78-84: The helper _generate_one currently accepts five positional
args; change its signature to make parameters after the first three keyword-only
(e.g. def _generate_one(slug: str, fixture_name: str, kwargs: dict[str, Any], *,
ext: str, out_dir: Path) -> Path | None) and apply the same change to the other
occurrence referenced at line 145; then update all call sites to pass ext and
out_dir by name instead of position. Ensure type hints remain and no behavioral
changes are introduced.

In `@tests/test_enhance_branches.py`:
- Line 66: Replace the single relational assertion "assert lo == hi - 1" with
two precise assertions that check the exact expected values for the test;
specifically assert that hi equals 100 and lo equals 99 (since the test
describes "all 100s except one masked"), updating the assertions in
tests/test_enhance_branches.py to use these exact constants instead of a
difference check.
- Around line 86-87: The assertions use computed expressions rather than
explicit expected values; replace the two asserts that compare lo and hi against
arr[4:-4, 4:-4].min() - 0.5 and arr[4:-4, 4:-4].max() + 0.5 with hard-coded
numeric expected values (e.g., assert lo == <expected_min_float> and assert hi
== <expected_max_float>) so the test checks precise values for lo and hi using
the actual numbers derived from the arr[4:-4,4:-4] slice.
- Around line 122-126: The test test_apply_colormap_named_two_stop currently
only checks shape; update it to assert actual RGB values produced by
apply_colormap(arr, (0.0, 7.0), colormap='red-blue'). Compute or hardcode the
expected 3-channel RGB result for the input arr (including endpoint colors for
0.0 and 7.0 and interpolated values for intermediate indices), then assert
out.dtype is correct, out.shape == (2,4,3), and that out equals (or is
approximately equal to) the expected RGB array element-wise; reference
apply_colormap and the test function name to locate and replace the shape-only
assertion with these value assertions.

In `@tests/test_pipeline_branches.py`:
- Line 123: Move the inline "import logging" statements out of the two test
functions and add a single "import logging" to the module-level standard-library
import block at the top of the file (alphabetize it within the stdlib group and
keep the blank-line separation between stdlib/third-party/local groups); then
remove the two inline "import logging" lines from the test functions so they use
the module-level logger import instead.

---

Duplicate comments:
In `@src/picmaker/io.py`:
- Around line 347-358: The pointer-resolution branches (the isinstance(node,
str) and isinstance(node, (list, tuple)) paths that set imagefile using
filename_str and node values) join untrusted PDS label values directly, allowing
path traversal; fix by resolving the candidate image path to an absolute path
with os.path.abspath, compute the expected base directory from filename_str
(e.g., os.path.dirname(filename_str) and its abspath), then verify with
os.path.commonpath that the resolved image path is inside that base directory;
if the check fails, raise a ValueError/TypeError and do not use the path; keep
existing offset_value logic and continue to use label_dict/pname for offset
lookup but validate all pointer-derived paths before assigning imagefile.
- Around line 136-142: The use of pickle.load on untrusted files in the public
API must be removed or explicitly gated: replace the blind pickle.load call
inside the function that opens filename_str and returns ReadResult with a safe
alternative or an explicit opt-in check (e.g., add a new boolean parameter
allow_pickle defaulting to False) so that by default loading raises a clear
security error; if allow_pickle is True, require callers to explicitly opt in
and log a security warning before using pickle (or use a documented, sandboxed
custom Unpickler). Update the code paths that call this loader to pass the flag
where appropriate and ensure ReadResult creation remains unchanged (return
ReadResult(array3d, False, None)) only after safe loading succeeds.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3820e490-3657-4625-8e51-ae9f78b533bc

📥 Commits

Reviewing files that changed from the base of the PR and between 11fb105 and e27f9ac.

📒 Files selected for processing (26)

• .github/workflows/publish_to_pypi.yml
• .github/workflows/publish_to_test_pypi.yml
• .github/workflows/run-tests.yml
• docs/dev/adding_an_instrument.rst
• docs/dev/module_layout.rst
• docs/dev/pipeline.rst
• docs/dev/releasing.rst
• docs/dev/repository_overview.rst
• docs/dev/running_tests.rst
• docs/developer_guide.rst
• docs/user_guide.rst
• src/picmaker/colornames.py
• src/picmaker/instruments/galileo.py
• src/picmaker/instruments/nh.py
• src/picmaker/instruments/voyager.py
• src/picmaker/io.py
• src/picmaker/options.py
• src/picmaker/pipeline.py
• src/picmaker/tiff16.py
• tests/fixture_recipes/generate_user_guide_thumbnails.py
• tests/test_color.py
• tests/test_enhance_branches.py
• tests/test_filters_branches.py
• tests/test_pil_utils.py
• tests/test_pipeline_branches.py
• tests/test_tiff16_branches.py

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

src/picmaker/io.py (2)

137-152: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Pickle deserialization remains ungated.

The past review comment requesting removal or opt-in gating for pickle.load() was not addressed. This function is part of the public API and accepts filenames from users without validation. Per coding guidelines, never trust external input at the public API boundary.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/picmaker/io.py` around lines 137 - 152, This code performs an unguarded
pickle.load on filename_str in the public API; add an explicit opt-in gate
(e.g., a boolean parameter like allow_pickle=False) to the public read function
that contains this block, and only execute the pickle.load branch when
allow_pickle is True; if allow_pickle is False, skip the pickle branch (append a
clear exception to cascade_errors or raise a ValueError indicating pickle
deserialization is disabled) so callers must opt-in to use pickle; keep the
existing try/except around pickle.load and return ReadResult(array3d, False,
None) only when allow_pickle is enabled and loading succeeds.

---

353-367: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Validate detached PDS pointer paths to prevent traversal.

The pointer resolution joins untrusted label values directly without validation. A malicious label with node = "../../../etc/passwd" could read arbitrary files. Per coding guidelines, "For file paths, resolve to absolute paths and verify they remain within the expected directory (prevent path traversal)."

Past review comment marked this as addressed, but the validation logic is not present in the code.

🛡️ Proposed fix

+    base_dir = os.path.abspath(os.path.dirname(filename_str))
+
     if isinstance(node, int):
         imagefile = filename_str
         offset_value = node
     elif isinstance(node, str):
-        imagefile = os.path.join(os.path.split(filename_str)[0], node)
+        candidate = os.path.abspath(os.path.join(base_dir, node))
+        if not candidate.startswith(base_dir + os.sep) and candidate != base_dir:
+            raise ValueError(f'Pointer path escapes label directory: {node!r}')
+        imagefile = candidate
         offset_value = label_dict.get(pname + '_offset', 1) or 1
     elif isinstance(node, (list, tuple)):
         if isinstance(node[0], str):
-            imagefile = os.path.join(os.path.split(filename_str)[0], node[0])
+            candidate = os.path.abspath(os.path.join(base_dir, node[0]))
+            if not candidate.startswith(base_dir + os.sep) and candidate != base_dir:
+                raise ValueError(f'Pointer path escapes label directory: {node[0]!r}')
+            imagefile = candidate
             offset_value = int(node[1]) if len(node) >= 2 else 1

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/picmaker/io.py` around lines 353 - 367, The pointer resolution currently
joins untrusted label values (node) into imagefile using filename_str without
validating path traversal; update the logic in the branch handling str and
list/tuple string-first entries so after computing the candidate path (from
os.path.join(os.path.split(filename_str)[0], node or node[0])) you resolve it to
an absolute path and verify it remains inside the expected base directory (the
directory portion of filename_str) — e.g., use os.path.abspath or
pathlib.Path.resolve and compare against the base dir (using Path.relative_to or
a safe startswith check with a trailing separator); if the check fails, raise a
ValueError/TypeError rather than using the path. Ensure the same validation is
applied to all branches that set imagefile (str branch and list/tuple branch
where node[0] is str) and keep existing behavior for numeric offsets and error
messages referencing filename_str and pname.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/test_enhance_branches.py`:
- Around line 123-126: The tests in tests/test_enhance_branches.py only assert a
single channel for the sentinel colors (assert out[0,0,2] and assert out[0,3,0])
so other channels could be wrong; update these to assert the full RGB triplets
at positions out[0,0] and out[0,3] equal the expected vectors (blue [0,0,1] and
red [1,0,0]) using a vector comparison (e.g., pytest.approx on the list/tuple or
numpy.testing.assert_allclose) so all three channels are verified for the
below/above sentinel cases.

In `@tests/test_io_cascade.py`:
- Line 214: Remove the redundant inline imports "from PIL import Image as
PILImage" and their aliases; replace any usages of PILImage in the test with the
already-imported module-level Image symbol (i.e., change PILImage.open(...) /
PILImage.new(...) calls to Image.open(...) / Image.new(...)), and delete both
inline import statements so the file uses the single top-level Image import.

---

Duplicate comments:
In `@src/picmaker/io.py`:
- Around line 137-152: This code performs an unguarded pickle.load on
filename_str in the public API; add an explicit opt-in gate (e.g., a boolean
parameter like allow_pickle=False) to the public read function that contains
this block, and only execute the pickle.load branch when allow_pickle is True;
if allow_pickle is False, skip the pickle branch (append a clear exception to
cascade_errors or raise a ValueError indicating pickle deserialization is
disabled) so callers must opt-in to use pickle; keep the existing try/except
around pickle.load and return ReadResult(array3d, False, None) only when
allow_pickle is enabled and loading succeeds.
- Around line 353-367: The pointer resolution currently joins untrusted label
values (node) into imagefile using filename_str without validating path
traversal; update the logic in the branch handling str and list/tuple
string-first entries so after computing the candidate path (from
os.path.join(os.path.split(filename_str)[0], node or node[0])) you resolve it to
an absolute path and verify it remains inside the expected base directory (the
directory portion of filename_str) — e.g., use os.path.abspath or
pathlib.Path.resolve and compare against the base dir (using Path.relative_to or
a safe startswith check with a trailing separator); if the check fails, raise a
ValueError/TypeError rather than using the path. Ensure the same validation is
applied to all branches that set imagefile (str branch and list/tuple branch
where node[0] is str) and keep existing behavior for numeric offsets and error
messages referencing filename_str and pname.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0a8158e0-32b0-4954-b78d-b495b7687f62

📥 Commits

Reviewing files that changed from the base of the PR and between e27f9ac and a284d1a.

📒 Files selected for processing (12)

• docs/dev/module_layout.rst
• docs/dev/pipeline.rst
• docs/module.rst
• docs/user_guide.rst
• scripts/run-all-checks.sh
• src/picmaker/io.py
• tests/fixture_recipes/generate_user_guide_thumbnails.py
• tests/test_enhance_branches.py
• tests/test_io_cascade.py
• tests/test_io_extra.py
• tests/test_paths.py
• tests/test_pipeline_branches.py