Skip to content

Dead code removal, exception hygiene, tab reformat#411

Merged
dylanuys merged 7 commits into
mainfrom
chore/dead-code-and-lint-hygiene
Jul 14, 2026
Merged

Dead code removal, exception hygiene, tab reformat#411
dylanuys merged 7 commits into
mainfrom
chore/dead-code-and-lint-hygiene

Conversation

@dylanuys

@dylanuys dylanuys commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Continuation of the code-quality burndown (#407, #409). Independent pieces, one commit each — the reformat commit is whitespace-only and safe to skip in review.

Dead code (580f30a)

Deletes three functions whose features live on in their replacements, all with zero callers:

  • generate_prompts_from_image / generate_scene_from_image → replaced by the batch pipeline (generate_scenes_batch + compose_prompts_from_scenes)
  • save_images_to_disk → replaced by generator_service._write_media
  • is_duplicate → replaced by compute_media_hash + check_duplicate_in_db

Also removes the never-called get_service_info methods (registry uses get_info()) and replaces the __import__("sqlite3").Row inline-import hack with a normal top-level import in the three db stores.

local_service signposting (58d0beb)

Kept as a reference implementation, now with an explicit do-not-enable banner: local generation produces no C2PA provenance, so its output fails validator verification.

Exception hygiene (e69d4af)

All six remaining bare except: clauses fixed — temp-file cleanups narrowed to except OSError, the rest to except Exception with the error logged. The silent _save_profiles_to_cache swallows now log at debug. Also fixes a SyntaxWarning from an unescaped regex in a docstring. E722 added to the CI lint gate.

Tab reformat (f5436f1 + 404da99)

content_manager.py was the repo's last tab-indented file (2,362 tabs). Converted to 4-space; AST verified identical modulo docstring whitespace. W191 added to the CI gate, and the reformat SHA is recorded in .git-blame-ignore-revs (GitHub blame picks this up automatically; locally run git config blame.ignoreRevsFile .git-blame-ignore-revs once).

Dependency security burndown (8576233)

Attacks the 120 Dependabot alerts (1 critical, 47 high). Fixes the critical and ~22 of the 27 unique highs.

Removed — verified never imported anywhere in the repo:

  • onnx (inference happens inside gasbench via its own onnxruntime-gpu) — kills all 6 onnx alerts
  • python-multipart (FastAPI only needs it for form parsing; we have no form endpoints) — kills all 6
  • asyncpg (no postgres anywhere anymore)
  • Cargo-culted pins of other packages' transitives: sympy, coloredlogs, flatbuffers, humanfriendly, scikit-learn, nest-asyncio — still installed via their real requirers where needed
  • black + pre-commit moved from runtime deps to the dev group

Bumped direct pins with CVEs:

  • pillow 10.4.0 → 12.2.0 — OOB writes parsing malformed images; validators parse miner-submitted media, so this is the security bump that matters most
  • diffusers 0.36.0 → 0.38.0 (trust_remote_code bypass), pyarrow 19.0.1 → 23.0.1, python-dotenv 1.0.1 → 1.2.2
  • httpcore 1.0.7 → 1.0.9 — unblocks h11 0.16.0, the one critical (malformed chunked-encoding)

Lockfile-only (transitive) upgrades: GitPython 3.1.50, urllib3 2.7.0, cryptography 49.0.0, msgpack 1.2.1, protobuf 5.29.6, ecdsa 0.19.2, and ~150 others via uv lock --upgrade.

New guard: [tool.uv] constraint-dependencies = ["torchaudio==2.7.1"] — torchaudio wheels declare no torch dependency, so without this the resolver floats it to versions ABI-incompatible with pinned torch 2.7.1 (it had already drifted to 2.11.0 on the first lock upgrade).

Deliberately not fixed:

  • aiohttp / starlette / setuptools alerts — hard-blocked by bittensor 9.9.0's own pins (aiohttp~=3.9, fastapi~=0.110.1, setuptools~=70); requires a bittensor SDK bump
  • torch / transformers — major-version jumps, not worth the GPU-stack risk for medium-severity alerts
  • ecdsa Minerva timing attack — no upstream patch exists

⚠️ Testnet note: the pillow 10→12 and diffusers 0.36→0.38 bumps touch live media-parsing and generation paths that CI doesn't exercise — worth a testnet soak before this reaches mainnet validators.

No behavior changes outside the dependency bumps. CI is green at every commit, not just HEAD.

🤖 Generated with Claude Code

dylanuys added 7 commits July 9, 2026 17:29
- Delete generate_prompts_from_image/generate_scene_from_image
  (replaced by generate_scenes_batch + compose_prompts_from_scenes),
  save_images_to_disk (replaced by generator_service._write_media),
  and is_duplicate (replaced by compute_media_hash +
  check_duplicate_in_db). All had zero callers.
- Delete get_service_info from openrouter/stabilityai services;
  nothing calls it (the registry uses get_info()).
- Replace __import__("sqlite3").Row with a normal top-level
  import sqlite3 in the three db stores (11 call sites).
Local generation produces no C2PA provenance, so its output fails
validator verification. Keep the service as a reference implementation
with a loud do-not-enable banner, and explain the disabled SERVICE_MAP
entry instead of leaving it bare.
- Narrow the six remaining bare except: clauses — temp-file unlink
  cleanups to except OSError, the rest to except Exception with the
  error logged (chain metadata parsing, create_repo, CLIP cleanup).
- Log (debug) instead of silently passing when _save_profiles_to_cache
  fails in generator_service.
- Fix SyntaxWarning from an unescaped regex in a docstring
  (huggingface_uploads) by making it a raw string.
- Gate E722 in CI so bare excepts can't return.
Whitespace-only: 2,362 tabs converted; AST verified identical modulo
docstring indentation. Gate W191 in CI. Add this commit's SHA to
.git-blame-ignore-revs to keep blame useful on this file.
Dependabot burndown (120 alerts on main). Three kinds of change:

Removed — never imported anywhere in the repo:
- onnx (inference happens in gasbench via its own onnxruntime-gpu;
  kills all 6 onnx alerts), python-multipart (no form endpoints;
  kills all 6), asyncpg (postgres era is over), and the cargo-culted
  transitive pins sympy/coloredlogs/flatbuffers/humanfriendly/
  scikit-learn/nest-asyncio (still installed via their real
  requirers where needed).
- black + pre-commit moved from runtime deps to the dev group.

Bumped direct pins with CVEs:
- pillow 10.4.0 -> 12.2.0 (OOB writes parsing malformed images —
  validators parse miner-submitted media, so this is the one that
  matters most), diffusers 0.36.0 -> 0.38.0 (trust_remote_code
  bypass), pyarrow 19.0.1 -> 23.0.1, python-dotenv 1.0.1 -> 1.2.2,
  httpcore 1.0.7 -> 1.0.9 (unblocks h11 0.16.0 — the one CRITICAL
  alert, malformed chunked-encoding).

Lockfile-only upgrades (transitive): GitPython 3.1.50, urllib3 2.7.0,
cryptography 49.0.0, msgpack 1.2.1, protobuf 5.29.6, ecdsa 0.19.2,
requests, idna, pygments, and ~150 others via uv lock --upgrade.

Added [tool.uv] constraint-dependencies = [torchaudio==2.7.1]:
torchaudio wheels declare no torch dependency, so the resolver
happily floats it to versions ABI-incompatible with our pinned
torch 2.7.1.

Deliberately NOT fixed:
- aiohttp / starlette / setuptools alerts: blocked by bittensor
  9.9.0's own pins (aiohttp~=3.9, fastapi~=0.110.1, setuptools~=70).
  Requires a bittensor SDK bump.
- torch / transformers: major-version jumps; not worth the GPU-stack
  risk for medium-severity alerts.
- ecdsa Minerva timing attack: no patch exists upstream.
The 2.x line vendors cyscale, which shares the scalecodec namespace
and refuses to coexist with it — but substrate-interface (still used
for Keypair in epistula.py) requires scalecodec. Caught by CI test
collection.
@dylanuys
dylanuys merged commit c98d9ad into main Jul 14, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant