Files Reviewed

[rafaelfiguereod-stack]

Summary

• What changed and why.
• Keep this to 3-6 bullets focused on user-visible or architecture-impacting changes.

Problem

• What issue or risk this PR addresses.
• Include context needed for reviewers to evaluate correctness quickly.

Solution

• How the implementation solves the problem.
• Note important design decisions and tradeoffs.

Submission Checklist

If a section does not apply to this change, mark the item as N/A with a one-line reason. Do not delete items.

• Tests added or updated (happy path + at least one failure / edge case) per Testing Strategy
• Diff coverage ≥ 80% — changed lines (Vitest + cargo-llvm-cov merged via diff-cover) meet the gate enforced by .github/workflows/coverage.yml. Run pnpm test:coverage and pnpm test:rust locally; PRs below 80% on changed lines will not merge.
• Coverage matrix updated — added/removed/renamed feature rows in docs/TEST-COVERAGE-MATRIX.md reflect this change (or N/A: behaviour-only change)
• All affected feature IDs from the matrix are listed in the PR description under ## Related
• No new external network dependencies introduced (mock backend used per Testing Strategy)
• Manual smoke checklist updated if this touches release-cut surfaces (docs/RELEASE-MANUAL-SMOKE.md)
• Linked issue closed via Closes #NNN in the ## Related section

Impact

• Runtime/platform impact (desktop/mobile/web/CLI), if any.
• Performance, security, migration, or compatibility implications.

Related

• Closes:
• Follow-up PR(s)/TODOs:

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Keep this section for AI-authored PRs. For human-only PRs, mark each field N/A.

Linear Issue

• Key:
• URL:

Commit & Branch

• Branch:
• Commit SHA:

Validation Run

• pnpm --filter openhuman-app format:check
• pnpm typecheck
• Focused tests:
• Rust fmt/check (if changed):
• Tauri fmt/check (if changed):

Validation Blocked

• command:
• error:
• impact:

Behavior Changes

• Intended behavior change:
• User-visible effect:

Parity Contract

• Legacy behavior preserved:
• Guard/fallback/dispatch parity checks:

Duplicate / Superseded PR Handling

• Duplicate PR(s):
• Canonical PR:
• Resolution (closed/superseded/updated):

Summary by CodeRabbit

• Chores

  • Enhanced continuous integration with automated security analysis.
  • Updated core dependencies to latest versions.

• Bug Fixes

  • Mock API delays now enforced with a maximum cap to prevent excessively long response times during testing.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 90a2f592-c7f8-42e0-839a-c6a827c515ad

📥 Commits

Reviewing files that changed from the base of the PR and between 12ef69b and e8d1388.

⛔ Files ignored due to path filters (2)

• Cargo.lock is excluded by !**/*.lock
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• .github/workflows/codeql.yml
• Cargo.toml
• scripts/mock-api-core.mjs

---

📝 Walkthrough

Walkthrough

This PR introduces three independent infrastructure and development improvements: a new CodeQL security analysis workflow that analyzes JavaScript/TypeScript, Ruby, and Rust code on pushes and scheduled intervals; a bump of the Rust rand dependency from 0.9 to 0.10; and addition of a 30-second upper bound on mocked API delays with input validation.

Changes

CodeQL Advanced Workflow

Layer / File(s)	Summary
Workflow Name and Triggers .github/workflows/codeql.yml	New "CodeQL Advanced" workflow triggered on pushes and pull requests to main, plus weekly cron schedule.
Job Matrix and Permissions .github/workflows/codeql.yml	analyze job with language matrix (JavaScript/TypeScript, Ruby, Rust), build-mode: none, dynamic runner selection, and permissions for security event reporting.
CodeQL Setup and Analysis Steps .github/workflows/codeql.yml	Checkout repository, initialize CodeQL with matrix languages, conditionally run manual build steps when needed, and execute CodeQL analysis with language-keyed categories.

Rust Dependency Update

Layer / File(s)	Summary
Rand Version Bump Cargo.toml	rand dependency updated from 0.9 to 0.10.

Mock API Delay Capping

Layer / File(s)	Summary
Max Delay Constant scripts/mock-api-core.mjs	New MAX_MOCK_DELAY_MS constant defined as 30,000 milliseconds.
Delay Validation and Clamping scripts/mock-api-core.mjs	getDelayMs now validates that delay is finite and positive, returns 0 for invalid inputs, and clamps valid delays to MAX_MOCK_DELAY_MS.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• graycyrus
• senamakel
• M3gA-Mind

Poem

A rabbit hops through workflows new, 🐰
CodeQL guards with eyes so true,
Dependencies update their tune,
While delays are capped real soon—
Three changes bloom, all tried and true!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Files Reviewed' is vague and generic, failing to describe any specific changes in the pull request. It does not convey what was actually changed (CodeQL workflow, dependency updates, mock delay capping).	Replace with a descriptive title summarizing the main change, such as 'Add CodeQL workflow and update dependencies' or 'Implement CodeQL analysis and dependency updates'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[senamakel]

really awesome PR @rafaelfiguereod-stack :D welcome to the club!

[senamakel]

some gi actions are failing like unit tests. do review and fix