chore(release): cut 5.1.1 — bug-fix release from AI code review

[m4r1k]

Summary

Bug-fix release with one small TUI improvement. Bundles the actionable findings from a third-party AI code review (CodeRabbit Pro + Cubic.Dev) of the v5.1.0 codebase. Drop-in upgrade.

Each commit is one themed group; see the commit body for the per-fix bullets with reviewer attribution.

Commit groups

• fix(security) — XCP-ng vm-shutdown UUID binding, shell-quoted compose path, pypi workflow input validation + build/publish split for OIDC scope.
• fix(operational) — silent config drops (notifications.suppress + multi-UPS statistics), is_local redundancy local poweroff, multi-UPS state-file write race, TUI live-blending key mismatch, virsh-list exit unchecked in wait loop, umount multi-flag options, voltage severity escalation (F1), shutdown/remote.py robustness, graph.py correctness, battery.py / logger.py / stats.py / utils.py / cli.py fixes, bash completion quoting.
• fix(packaging) — pyproject version target, DEB prerm/postrm lifecycle handling, daemon-reload chroot guard, postinstall fresh-vs-upgrade disambiguation.
• fix(ci) — gh-pages force-push removal, nFPM pinning + checksum, integration || true removal, e2e readiness fail-fast, codeql contents:read, every action SHA-pinned across all workflows, ssh-target /var/run/sshd creation, reference-config corrections (SSH host key checking, Apprise URL formats, compose_files: [], F2 homelab parallel: false comment).
• test — autouse StatsConfig/StatsStore isolation fixture (production /var/lib/eneru no longer leaks from tests), multi-namespace run_command patching helper, failsafe tests routed through real _main_loop, F3 thread-survival assertion in redundancy evaluator, e2e exit-code capture via PIPESTATUS, low-battery scenario runtime above critical threshold, virsh happy-path command sequence assertions.
• chore(cleanup) — version docstring refresh, format_seconds negative clamp, is_numeric rejects bool/NaN/Inf, hardened logger handler cleanup, legacy ups-monitor syslog tag renamed to eneru (power events were going to journalctl under the pre-v5.0 identifier).
• feat(tui) — events panel drops the 24h truncation; ↑/↓ / PgUp/PgDn / Home/End scroll through full history; <M> toggles 8↔500 visible rows.
• chore(release) — version bump to 5.1.1 + changelog entry (subsequently trimmed to bug-fix-release scale).

Test plan

• All 10 required CI checks pass (validate × 6 Python versions + 4 E2E matrix jobs)
• Manual smoke: sudo python3 /opt/ups-monitor/eneru.py --validate-config <example> after building the deb
• Verify TUI events panel scrolling against a UPS with multi-day history (<↑>/<↓>, <Home>/<End>)
• Verify journalctl now shows power events under -t eneru (was -t ups-monitor)
• Confirm no test run leaks new files into /var/lib/eneru/

Notes

• AI re-review (@coderabbitai full review + @cubic-dev-ai review this pull request) is gated on operator approval per the project's quota-conservation policy in CLAUDE.md.

🤖 Generated with Claude Code

---

Summary by cubic

Bug-fix release with one TUI improvement: the events panel now scrolls through full history. Includes security hardening, CI/packaging fixes, and multiple correctness fixes. Drop‑in upgrade.

• Bug Fixes

  • TUI: events panel shows full history with arrow/page/home scrolling; keypad enabled so keys work reliably; first scroll auto-expands; toggles 8↔500 rows.
  • Filesystems: multi‑flag umount options are split correctly; malformed options are logged and skipped (also in dry‑run), and dry‑run logs show the exact argv.
  • XCP‑ng/XenServer shutdown binds UUIDs correctly and uses force=true.
  • Live graph blending uses uppercase state‑file keys; no right‑edge lag.
  • Multi‑UPS: per‑UPS temp files prevent state/history write races.
  • Redundancy is_local: quorum loss now powers off the host.
  • VM shutdown: virsh list failures no longer yield false “all stopped”; force‑destroy still runs.
  • Voltage alerts escalate to severe while pending when thresholds are crossed.
  • Config parsing restores notifications.suppress, voltage_hysteresis_seconds, and multi‑UPS statistics.
  • Power events syslog tag renamed to eneru (was ups-monitor).

• Security, CI, and Packaging

  • Remote stop_compose path is shlex.quoted; template no longer double‑quotes.
  • PyPI workflow split: build and publish separated; version input validated; OIDC id-token: write limited to publish.
  • All GitHub Actions SHA‑pinned; refresh instructions added to each workflow; maintenance guide added to CLAUDE.md.
  • Release workflow serializes gh-pages deploys to avoid concurrent races; no git push -f to gh-pages.
  • CI installs fail fast (dropped || true masks); readiness checks error on timeout; added CodeQL contents: read; E2E low‑battery scenario tuned to fire against all thresholds.
  • DEB lifecycle scripts handle all states; guarded systemctl daemon-reload when systemd isn’t present.
  • pyproject.toml now reads version from eneru.version.__version__; examples use safer SSH defaults, correct Slack Apprise URL, compose_files: [], and fixed NAS shutdown ordering.

^{Written for commit e9ae4fc. Summary will update on new commits.}

Summary by CodeRabbit

Release Notes - Version 5.1.1

• New Features

  • TUI now displays full event history with arrow-key, page, and home/end scrolling instead of fixed 24-hour window.
  • Added toggle to adjust maximum visible event rows.

• Bug Fixes

  • Fixed VM shutdown parameter binding for XCP-ng/XenServer.
  • Corrected voltage severity re-evaluation logic.
  • Resolved battery anomaly false-alert suppression.
  • Fixed multi-UPS temp file race conditions.
  • Improved VM shutdown loop stability.
  • Fixed shell command timeout handling.

• Security

  • Removed insecure SSH defaults; now enforces known_hosts verification.
  • Added shell injection mitigation in remote commands.
  • Enabled SHA-pinning in CI/build workflows.

• Documentation

  • Updated configuration examples for security best practices.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR bumps version to 5.1.1 and includes CI hardening via SHA-pinned GitHub Actions, fixes to remote shutdown command UUID binding for XCP-ng and Docker/Podman, TUI event scrolling enhancements replacing the fixed 24-hour window, battery/voltage anomaly detection improvements, packaging script robustness for systemd detection, and configuration example updates removing insecure SSH defaults.

Changes

Cohort / File(s)	Summary
CI/GitHub Actions Hardening .github/workflows/codeql.yml, .github/workflows/e2e.yml, .github/workflows/integration.yml, .github/workflows/pypi.yml, .github/workflows/release.yml, .github/workflows/validate.yml	All GitHub Action references (actions/checkout, setup-python, codecov-action, etc.) pinned to specific commit SHAs instead of floating version tags; nFPM installation now uses pinned version with checksum verification; job-level permissions and OIDC token scoping refined for security.
GitHub Actions Composite Action .github/actions/e2e-setup/action.yml	Pins actions/setup-python to commit SHA; strengthens NUT/SSH readiness-waiting logic with explicit boolean flags and exit 1 failure handling.
Remote Shutdown Commands src/eneru/actions.py, src/eneru/shutdown/remote.py, src/eneru/shutdown/vms.py	XCP-ng/XenServer graceful and forced shutdown now properly bind UUIDs via xargs -I {} uuid={} (fixing empty UUID parameter); Docker/Podman compose stop removes template quotes to allow proper shell argument parsing; shlex.quote applied to path placeholders; SSH option parsing enhanced; virsh list polling now preserves previous state on errors and re-evaluates anomalies.
TUI Enhancements src/eneru/tui.py	Events query no longer bound by 24-hour time window; supports full history with configurable max-events cap; adds scroll_offset state for arrow/page/home/end scrolling; state-file key mapping updated to match daemon's uppercase format (STATUS=, BATTERY=, etc.).
Health & Battery Monitoring src/eneru/health/battery.py, src/eneru/health/voltage.py	Battery history temp file uses per-UPS filenames (prevents multi-UPS write race); anomaly detection re-checks drop magnitude after 3-poll confirmation; voltage state transitions now upgrade pending severity when subsequent polls become severe within the same state window.
Configuration & Packaging src/eneru/config.py, packaging/scripts/postinstall.sh, packaging/scripts/postremove.sh, packaging/scripts/preremove.sh, pyproject.toml	Config parser accepts suppress and voltage_hysteresis_seconds notification fields; postinstall/postremove/preremove scripts use conditional systemctl daemon-reload (checks /run/systemd/system); DEB upgrade detection via $2 parameter; version resolution redirects to src/eneru/version.py.
Configuration Examples examples/config-dual-ups.yaml, examples/config-enterprise.yaml, examples/config-homelab.yaml, examples/config-reference.yaml	SSH host key checking guidance changed from active StrictHostKeyChecking=no to comments directing use of known_hosts (insecure option only in testing comments); Slack notification URL format updated to Apprise-compatible syntax; NAS shutdown reordered via shutdown_order: 2 instead of legacy parallel: false.
Core Monitoring & Coordination src/eneru/monitor.py, src/eneru/multi_ups.py, src/eneru/redundancy.py	Syslog identifier changed from ups-monitor to eneru; multi-UPS monitor startup ensures per-group config includes statistics; redundancy executor now accepts optional local_shutdown_callback and delegates local poweroff to coordinator; drain sequence signals stop event and waits for peer poll loops before invoking shutdown.
Utilities & Diagnostics src/eneru/utils.py, src/eneru/cli.py, src/eneru/completion/eneru.bash, src/eneru/logger.py, src/eneru/graph.py, src/eneru/stats.py, src/eneru/shutdown/filesystems.py	is_numeric rejects NaN/±Inf and booleans; run_command guarantees string outputs; format_seconds clamps negatives to zero; CLI validate command re-parses config based on file existence; bash completion uses mapfile for safe whitespace handling; logger closes handlers to prevent leaks; graph auto-computes bounds from numeric data only; stats uses SQLite deferred transactions and URL-escapes read-only paths; umount options tokenized via shlex.split.
Documentation & Versioning docs/changelog.md, src/eneru/version.py	Version bumped to 5.1.1 with comprehensive changelog entry documenting TUI scrolling, shutdown/redundancy fixes, multi-UPS race conditions, voltage re-evaluation, remote-shell injection mitigation, OIDC token scoping, SHA pinning, Debian lifecycle handling, and test isolation improvements.
E2E & Unit Tests tests/conftest.py, tests/e2e/groups/multi-ups.sh, tests/e2e/groups/single-ups.sh, tests/e2e/scenarios/low-battery.dev, tests/e2e/ssh-target/Dockerfile, tests/e2e/ssh-target/entrypoint.sh, tests/test_cli.py, tests/test_monitor_core.py, tests/test_multi_ups.py, tests/test_redundancy.py, tests/test_remote_commands.py, tests/test_shutdown_vms.py, tests/test_stats.py, tests/test_tui.py	Fixtures added for stats DB isolation and patched run_command everywhere; no_stats_isolation marker for opt-out; E2E scripts now validate exit codes and timestamps; low-battery scenario updated for determinism; SSH target container ensures /var/run/sshd exists; new tests verify UUID binding, compose path quoting, and virsh command sequences; TUI test refocused on max-events query without time window; state-file helper updated to uppercase format.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• feat(v5.1.0): Phase 2 — redundancy groups, health model, SQLite stats, TUI graphs #26: Direct continuation of Phase 2 work including stats/SQLite, TUI graph/events, voltage hysteresis, redundancy groups, and multi-UPS coordination logic.
• refactor(monitor): decompose into shutdown/health mixins, split test_config, add nested CLAUDE.md #24: Foundation refactor introducing shutdown mixins (RemoteShutdownMixin, etc.) that this PR extends with UUID binding and callback delegation.
• fix(actions): run Proxmox stop_proxmox_{vms,cts} via sudo #25: Prior remote shutdown command work on XCP-ng/Docker templates that this PR refines with proper UUID parameterization and shell quoting.

Poem

🐰 Hops of joy for this fine release,
Where events scroll without time's cease,
UUIDs bind, and SSH's made wise,
Shutdown flows dance—no more surprise!
Redundancy nestles, stats stay apart,
Five-one-one beats in your heart. 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly summarizes the main change: cutting a 5.1.1 bug-fix release with fixes from AI code review, which directly corresponds to the changeset's content of version bumps, security/operational fixes, CI improvements, and test isolation.
Docstring Coverage	✅ Passed	Docstring coverage is 81.97% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/release-5.1.1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

❌ Patch coverage is 61.60000% with 48 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.06%. Comparing base (3463bc9) to head (e9ae4fc).
⚠️ Report is 13 commits behind head on main.

Files with missing lines	Patch %	Lines
src/eneru/tui.py	29.03%	21 Missing and 1 partial ⚠️
src/eneru/health/battery.py	14.28%	5 Missing and 1 partial ⚠️
src/eneru/graph.py	61.53%	1 Missing and 4 partials ⚠️
src/eneru/shutdown/remote.py	50.00%	4 Missing and 1 partial ⚠️
src/eneru/cli.py	33.33%	4 Missing ⚠️
src/eneru/logger.py	71.42%	2 Missing ⚠️
src/eneru/shutdown/vms.py	77.77%	1 Missing and 1 partial ⚠️
src/eneru/utils.py	71.42%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #31      +/-   ##
==========================================
- Coverage   79.87%   79.06%   -0.82%     
==========================================
  Files          23       23              
  Lines        3593     3664      +71     
  Branches      692      708      +16     
==========================================
+ Hits         2870     2897      +27     
- Misses        572      607      +35     
- Partials      151      160       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[m4r1k]

@coderabbitai full review

[m4r1k]

@cubic-dev-ai review this pull request

[coderabbitai]

✅ Actions performed

Full review triggered.

[cubic-dev-ai]

@cubic-dev-ai review this pull request

@m4r1k I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

5 issues found across 49 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="examples/config-enterprise.yaml">

<violation number="1" location="examples/config-enterprise.yaml:54">
P3: The Slack example URL puts `?footer=no` after the `#channel` fragment, so the footer option is not passed as a query parameter.</violation>
</file>

<file name="src/eneru/shutdown/filesystems.py">

<violation number="1" location="src/eneru/shutdown/filesystems.py:64">
P1: `shlex.split(options)` can raise on malformed config input and crash the shutdown sequence; handle parse errors before extending the command.</violation>
</file>

<file name="tests/e2e/groups/single-ups.sh">

<violation number="1" location="tests/e2e/groups/single-ups.sh:43">
P2: Do not accept a clean 0 exit here; that lets a premature daemon exit pass this monitoring test.</violation>
</file>

<file name="src/eneru/tui.py">

<violation number="1" location="src/eneru/tui.py:906">
P1: Enable keypad mode before handling `curses.KEY_*`; otherwise arrow/page/home keys can be read as raw escape input and trigger the ESC-to-quit branch instead of scrolling.</violation>
</file>

<file name="tests/conftest.py">

<violation number="1" location="tests/conftest.py:260">
P2: Patch `eneru.utils.run_command` too; otherwise `command_exists()` still shells out during the shutdown tests.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[coderabbitai]

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

examples/config-homelab.yaml (1)

68-99: ⚠️ Potential issue | 🟡 Minor

Update the section guidance to include shutdown_order phases.

The NAS block now correctly uses shutdown_order: 2, but Lines 68-71 still describe only the legacy two-phase parallel model. That makes this example internally inconsistent and can mislead users into using parallel: false for “shutdown last”.

📝 Suggested wording

-# Remote servers with optional pre-shutdown commands
-# Servers are processed in two phases:
-#   1. Sequential: Servers with parallel: false are shutdown one by one (in config order)
-#   2. Parallel: Remaining servers (parallel: true, the default) are shutdown concurrently
+# Remote servers with optional pre-shutdown commands
+# Servers are processed by effective shutdown order, lowest to highest.
+# Servers with the same order run concurrently.
+#   - Default: order 0, parallel batch
+#   - shutdown_order: N: explicit phase; higher numbers run later
+#   - Legacy parallel: false: sequential phases before order 0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/config-homelab.yaml` around lines 68 - 99, The example text
describing remote_servers is outdated: it only explains the legacy two-phase
"parallel" model and misleads users about how to schedule a server "last";
update the guidance to mention the new shutdown_order phases and how they
interact with the old parallel flag (i.e., that shutdown_order: <int> controls
later phases and parallel: false runs a server sequentially before the parallel
batch per RemoteServerConfig), and clarify that to run something after the
parallel batch you must set shutdown_order >= 1 (example: NAS uses
shutdown_order: 2) rather than using parallel: false.

tests/test_cli.py (1)

245-257: ⚠️ Potential issue | 🟡 Minor

Use tmp_path for the missing config path.

The hard-coded /nonexistent/path/config.yaml is environment-dependent. A temp path that is intentionally not created keeps the test deterministic.

Proposed fix

-    def test_validate_config_nonexistent_file(self, capsys):
+    def test_validate_config_nonexistent_file(self, tmp_path, capsys):
@@
-        typo_path = "/nonexistent/path/config.yaml"
+        typo_path = str(tmp_path / "missing-config.yaml")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_cli.py` around lines 245 - 257, Replace the hard-coded missing
config path with a temp path created from the pytest tmp_path fixture (e.g.,
typo_path = tmp_path / "config.yaml") and ensure you do not create that file so
it remains missing; update the test to use str(typo_path) where needed, keep the
argv patching that calls main(), and leave the same SystemExit and captured
output assertions (asserting "Configuration is valid", "Config file not found",
and the tmp_path string) so the test is deterministic across environments.

🧹 Nitpick comments (15)

.github/workflows/validate.yml (1)

19-39: LGTM on SHA pins.

Consider adding the same "how to refresh pins" comment as in codeql.yml for consistency across workflows.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/validate.yml around lines 19 - 39, Add the same "how to
refresh pins" explanatory comment next to the pinned action SHAs in this
workflow (e.g., the uses: actions/checkout@de0fac2e..., uses:
actions/setup-python@a309ff8b4..., and uses: codecov/codecov-action@57e3a13...
lines) so it matches codeql.yml; insert a brief one-line note explaining the
source/command or script to update the SHA pins and where to run it (copy the
exact phrasing from codeql.yml for consistency).

.github/workflows/release.yml (1)

485-495: Recommended: add a concurrency: group now that git push -f is gone.

Removing the force-push is correct — silently clobbering a parallel release's commits is worse than failing. The flip side is that two overlapping release runs (e.g., a tag push and a manual dispatch, or a tag + an rc cut close together) will each rebuild and sign packages, do all the repo work, and only discover the race at the final git push. The loser then has to be re-run manually.

Serializing the job with a concurrency group avoids the wasted work and the operator toil, while still surfacing real divergence if gh-pages was edited out of band.

♻️ Suggested change

 on:
   release:
     types: [published]
   workflow_dispatch:
@@
 permissions:
   contents: write

+# Serialize gh-pages deploys so concurrent releases don't race the
+# non-fast-forward push at the end of the job.
+concurrency:
+  group: release-gh-pages
+  cancel-in-progress: false
+
 jobs:
   build-packages:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 485 - 495, Add a concurrency
group to the release workflow so overlapping runs are serialized and wasted work
avoided: update the job that contains the "Deploy to gh-pages" step to include a
concurrency: block (e.g., concurrency: { group: "${{ github.repository
}}-release-gh-pages-${{ github.ref }}", cancel-in-progress: false } or similar)
at the job level so concurrent release jobs targeting gh-pages are run
one-at-a-time while still failing on real divergence from the remote before
pushing with the existing git push step.

tests/test_multi_ups.py (1)

1279-1283: Assertion relaxation matches the new two-phase drain.

_drain_all_groups now joins each thread twice (short window post-stop_event, then final deadline join), so assert_called_once() would always fail. assert live_thread.join.called is correct. If you want a slightly stronger invariant without coupling to the exact count, assert live_thread.join.call_count >= 2 would lock in the two-phase contract and catch regressions if someone collapses the loops back into one.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_multi_ups.py` around lines 1279 - 1283, The test was relaxed to
use assert live_thread.join.called because _drain_all_groups now calls
Thread.join twice per thread; update the assertion to enforce the two-phase
contract by replacing assert live_thread.join.called with assert
live_thread.join.call_count >= 2 so the test verifies at least two joins
occurred for live_thread (keep the existing check for the timeout log:
any("still running after drain timeout" in m for m in logs)).

src/eneru/shutdown/filesystems.py (1)

53-57: Dry-run log shows unsplit options.

Now that the real path splits options via shlex.split, the [DRY-RUN] line on Line 55 still prints the raw {options} string as a single token, which no longer mirrors the actual argv that would be exec'd (e.g. "-l -f" vs -l -f). Cosmetic only, but easy to align:

♻️ Proposed fix

-            if self.config.behavior.dry_run:
-                self._log_message(
-                    f"  🧪 [DRY-RUN] Would execute: timeout {timeout}s umount {options} {mount_point}"
-                )
-                continue
+            if self.config.behavior.dry_run:
+                argv = ["umount", *shlex.split(options), mount_point] if options else ["umount", mount_point]
+                self._log_message(
+                    f"  🧪 [DRY-RUN] Would execute: timeout {timeout}s {' '.join(shlex.quote(a) for a in argv)}"
+                )
+                continue

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/shutdown/filesystems.py` around lines 53 - 57, The dry-run message
prints the raw options string which no longer matches the actual argv because
the real execution uses shlex.split; update the dry-run branch in the same
method that checks self.config.behavior.dry_run to reconstruct the tokenized
form (e.g. split options with shlex.split and join with spaces or format as
separate tokens) before calling self._log_message so the logged command mirrors
the real exec args (use the same shlex.split logic already used elsewhere on the
options variable).

src/eneru/stats.py (1)

608-619: URL-encoding the DB path — correct, and urlquote's default safe='/' is what you want here.

POSIX paths with ? or # would previously be truncated or mis-parsed into URI query/fragment components by sqlite3.connect(..., uri=True). quote(str(path)) with the default safe-set leaves / unescaped (so the URI remains a legal path) while encoding ?, #, space, etc. Good.

Minor: the docstring still says "Returns None if the file doesn't exist" but the declared return type is sqlite3.Connection (non-Optional) with a # type: ignore on Line 610. Consider typing it Optional[sqlite3.Connection] so callers like tui.py:208 (which already does if conn is not None) are type-checked honestly.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/stats.py` around lines 608 - 619, The function currently returns
None when the DB file doesn't exist but its signature/docstring declare a
non-Optional sqlite3.Connection and use a "# type: ignore" to silence this;
update the function signature return type to Optional[sqlite3.Connection],
remove the "# type: ignore" suppression, and adjust the docstring to say
"Returns None if the file doesn't exist" so callers (e.g., the code that checks
if conn is not None) are correctly type-checked; no change to the urlquote/uri
logic (urlquote, conn, sqlite3.connect, PRAGMA busy_timeout remain the same).

src/eneru/utils.py (1)

8-29: LGTM — stricter is_numeric and normalized run_command returns line up with the call-site assumptions.

Rejecting bool and non-finite floats matches how callers in monitor.py, health/voltage.py, and the shutdown mixins consume these values (all do int(float(x)) or treat depletion_rate > 0 as a number), and normalizing stdout/stderr to "" matches shutdown/containers.py:142 and shutdown/remote.py:193 that unconditionally .strip() them. The negative-clamp in format_seconds is also a sensible display fix.

One small thing: moving import math to module top would be idiomatic (it's the only inline import here and is_numeric is on the hot path for every poll) — purely optional.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/utils.py` around lines 8 - 29, The is_numeric function currently
imports math inline; move the import to the module top for idiomatic style and
to avoid the per-call import overhead: add a single top-level "import math" and
remove the inline "import math" from inside is_numeric so the function continues
to use math.isfinite without repeated imports.

tests/test_tui.py (1)

109-128: Source-string inspection is fine as a guardrail, but consider also asserting at call time.

Using inspect.getsource + substring/regex checks will silently drift if someone reformats the call (e.g. splits args across lines with a weird inner-space, uses a variable me = query_events_for_display, or renames a kwarg). A complementary behavioral assertion that patches query_events_for_display and inspects its actual call args during a short run_tui invocation would be more robust. Not blocking — the current checks do catch the exact regression you described.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_tui.py` around lines 109 - 128, Add a runtime assertion test that
patches/wraps the query_events_for_display function during a short invocation of
run_tui to inspect how it was called: use unittest.mock.patch or monkeypatch to
replace eneru.tui.query_events_for_display with a wrapper that records
args/kwargs, call tui_mod.run_tui(...) with minimal config, then assert the
recorded call has no positional time-range argument (i.e., len(args) == 1 and
args[0] is the config) and that 'max_events' is present in kwargs, and finally
restore the original function; reference run_tui and query_events_for_display
when locating where to add this behavioral check.

src/eneru/multi_ups.py (1)

265-307: Drain ordering is correct; minor nit on the Phase-1 join budget.

Signaling stop_event before running peer shutdown sequences avoids concurrent state-file writes and notifications inside peer poll cycles. The two-phase join (short window, then full-timeout) is the right shape.

Minor: join_deadline = time.time() + max(1, timeout // 4) caps the per-peer pre-drain wait at timeout/4 total across all threads combined (since remaining shrinks monotonically as threads are joined serially). With default timeout=120 that's a 30s combined budget — fine, but if a single peer hangs for the full 30s, later peers effectively get a 0-timeout join. Consider splitting the budget per-thread if a peer commonly takes seconds to exit its loop:

🛠️ Optional per-thread budget

-        self._stop_event.set()
-        join_deadline = time.time() + max(1, timeout // 4)
-        for thread in self._threads:
-            remaining = max(0.0, join_deadline - time.time())
-            thread.join(timeout=remaining)
+        self._stop_event.set()
+        per_thread_budget = max(1.0, (timeout / 4) / max(len(self._threads), 1))
+        for thread in self._threads:
+            thread.join(timeout=per_thread_budget)

Not blocking for 5.1.1.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/multi_ups.py` around lines 265 - 307, The pre-drain join loop in
_drain_all_groups currently uses a single join_deadline (join_deadline =
time.time() + max(1, timeout // 4)) which gives a combined budget across all
threads and can starve later threads; change it to compute a per-thread join
budget derived from that phase budget divided by max(1, len(self._threads)) (or
a sane minimum per-thread like 0.5s) and use that per-thread timeout when
calling thread.join so each thread gets its own slice of the Phase-1 window
(adjust references to self._threads and join_deadline accordingly in
_drain_all_groups).

tests/conftest.py (2)

245-275: LGTM — explicit target list is the right trade-off over from X import Y rebinding.

Documenting why a single patch("eneru.utils.run_command") is insufficient is exactly the context the next contributor will need. One suggestion for future-proofing: if you add another shutdown mixin (shutdown/foo.py) that does from eneru.utils import run_command, the fixture will silently under-patch it. Consider an assertion or a helper that discovers these sites automatically (e.g. scanning eneru.shutdown submodules for a run_command attribute) so new modules don't escape isolation unnoticed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/conftest.py` around lines 245 - 275, Replace the hardcoded targets in
the patch_run_command_everywhere fixture with a discovery step that scans the
eneru.shutdown package for submodules that expose a run_command symbol: use
pkgutil.iter_modules over eneru.shutdown.__path__ and importlib.import_module to
load each submodule, collect module paths where hasattr(module, "run_command"),
then build the targets list from those module paths (plus any known non-shutdown
locations like eneru.monitor and eneru.multi_ups). After discovery, assert that
the discovered shutdown modules are included in the targets (or fail the test)
so new shutdown submodules that import run_command don’t silently escape
patching; keep the rest of the fixture (creating patchers, starting mocks,
default return_value, yield, stop) unchanged.

---

42-103: Solid two-layer isolation; watch the StatsConfig.__init__ wrapper signature if the dataclass grows.

The approach is correct for today's StatsConfig, but patched_cfg_init(self, db_directory=isolated_str, **kw) bakes in the assumption that db_directory is the only positional-friendly parameter. If someone later adds a second field before db_directory in the dataclass, a positional call like StatsConfig("/path", 100) will misroute the first arg. A slightly more future-proof shape is to detect whether the caller supplied db_directory and only inject the default otherwise:

🛠️ Optional hardening

-    def patched_cfg_init(self, db_directory=isolated_str, **kw):
-        return original_cfg_init(self, db_directory=db_directory, **kw)
+    def patched_cfg_init(self, *args, **kw):
+        if "db_directory" not in kw and not args:
+            kw["db_directory"] = isolated_str
+        return original_cfg_init(self, *args, **kw)

Not urgent — current tests pass cleanly with the existing shape.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/conftest.py` around lines 42 - 103, The patched StatsConfig.__init__
currently assumes callers won't pass positional args for db_directory; update
patched_cfg_init to accept (*args, **kw) and only inject
db_directory=isolated_str when the caller did not supply it (i.e. 'db_directory'
not in kw and no positional arg was provided for it). Concretely, change
patched_cfg_init to signature patched_cfg_init(self, *args, **kw), and if
'db_directory' not in kw and len(args) == 0 set kw['db_directory'] =
isolated_str before calling original_cfg_init(self, *args, **kw); otherwise
forward arguments unchanged to original_cfg_init. This preserves current
behavior but avoids misrouting when new dataclass fields are added before
db_directory.

src/eneru/shutdown/remote.py (2)

93-120: LGTM on timeout and thread-worker hardening.

The is not None check correctly preserves per-command timeout=0 as an explicit override (matches RemoteCommandConfig.timeout: Optional[int] = None in config.py and the test at test_monitor_core.py:877-886). The except Exception in the worker thread at line 113 is appropriate here despite Ruff BLE001 — a bare-crash in a thread target would otherwise disappear silently with no log trail. Consider adding # noqa: BLE001 on line 113 to document the deliberate catch-all and silence the static analyzer.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/shutdown/remote.py` around lines 93 - 120, Add an inline noqa to
the broad exception handler in shutdown_server_thread to document the deliberate
catch-all and silence the Ruff BLE001 warning: locate the except Exception as
exc: block inside the shutdown_server_thread function (in
src/eneru/shutdown/remote.py) and append a trailing comment "# noqa: BLE001" to
that except line, keeping the existing log message and behavior intact.

---

232-249: Validate stop_compose path before formatting the template.

The validation that stop_compose has a path at lines 245-249 runs after the template has already been rendered with shlex.quote("") at line 240. While the continue prevents the malformed command from being sent, it means the "stop_compose requires 'path'" warning is effectively dead code path from a correctness standpoint — but it also obscures intent: for any future template that made path mandatory in a way shlex.quote("") couldn't satisfy, the ordering would let a bad command slip through. Minor reordering makes the precondition check authoritative.

♻️ Proposed reorder

             if cmd_config.action:
                 action_name = cmd_config.action.lower()

                 if action_name not in REMOTE_ACTIONS:
                     self._log_message(
                         f"    ⚠️ [{idx}/{cmd_count}] Unknown action: {action_name} (skipping)"
                     )
                     continue

+                # Validate stop_compose has path
+                if action_name == "stop_compose" and not cmd_config.path:
+                    self._log_message(
+                        f"    ⚠️ [{idx}/{cmd_count}] stop_compose requires 'path' parameter (skipping)"
+                    )
+                    continue
+
                 # Get command template and substitute placeholders.
                 # `path` is shlex-quoted because the template embeds it
                 # directly into the remote shell — without quoting, a
                 # malicious or malformed path could expand $(), `…`, or
                 # ${…} on the remote host.
                 command_template = REMOTE_ACTIONS[action_name]
                 command = command_template.format(
                     timeout=timeout,
                     path=shlex.quote(cmd_config.path or "")
                 )
                 description = action_name
-
-                # Validate stop_compose has path
-                if action_name == "stop_compose" and not cmd_config.path:
-                    self._log_message(
-                        f"    ⚠️ [{idx}/{cmd_count}] stop_compose requires 'path' parameter (skipping)"
-                    )
-                    continue

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/shutdown/remote.py` around lines 232 - 249, Move the "stop_compose
requires 'path'" precondition check to run before you fetch/format the
REMOTE_ACTIONS template: in the loop where you access
REMOTE_ACTIONS[action_name] and call command_template.format(...), check if
action_name == "stop_compose" and ensure cmd_config.path is present first (the
block that logs the warning and continue), then only construct command_template
and call shlex.quote(cmd_config.path) and format the template; this ensures the
validation in the loop for stop_compose is authoritative and prevents any
template formatting with an empty path.

src/eneru/tui.py (2)

1032-1036: Nit: redundant max(0, …) on KEY_HOME.

len(log_events) is already non-negative, so max(0, len(log_events)) is equivalent to len(log_events). The inner clamp inside render_logs_panel (lines 721-722) is what actually pins the view to the oldest event — this assignment just needs to overshoot. Trivial simplification:

             elif key == curses.KEY_HOME:
                 # Jump to the oldest event currently in the list.
-                events_scroll = max(0, len(log_events))
+                events_scroll = len(log_events)
             elif key == curses.KEY_END:
                 events_scroll = 0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/tui.py` around lines 1032 - 1036, The KEY_HOME handler uses max(0,
len(log_events)) unnecessarily; replace the assignment events_scroll = max(0,
len(log_events)) with the simpler events_scroll = len(log_events) in the
input/key handling block where KEY_HOME is processed (the same block that sets
events_scroll for KEY_END), since render_logs_panel already clamps the scroll;
reference variables/events_scroll, log_events and the render_logs_panel function
to locate the change.

---

962-972: Scroll keys are a no-op in normal mode — consider making <M> implicit on first scroll.

When show_more=False, events_cap = EVENTS_MAX_ROWS_NORMAL = 8 at line 963, so query_events_for_display pulls at most 8 rows. The events panel typically displays ~8 rows, meaning ↑/PgUp/Home have nothing to scroll to and silently do nothing, despite the always-visible <↑↓> Scroll hint at line 759.

The comment at lines 34-39 says the panel "pulls every event from the SQLite store … and lets the operator scroll through with the arrow keys" — but that's only true once the user presses <M>. Two low-friction options:

1. Auto-promote to show_more=True when the user presses ↑/PgUp/Home (keep <M> as an explicit toggle).
2. Dim the <↑↓> Scroll hint when show_more=False, or change its label to match reality.

Either clears up the "my arrow keys are broken" moment for first-time users. Not a correctness issue.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/tui.py` around lines 962 - 972, The events panel is limited to
EVENTS_MAX_ROWS_NORMAL when show_more is False, making arrow/PgUp/Home appear to
do nothing; modify the scroll-key handler (the function that processes
↑/PgUp/Home) to detect the first scroll attempt when show_more is False, set
show_more = True, recompute events_cap = EVENTS_MAX_ROWS_MORE and re-run
query_events_for_display(config, max_events=events_cap) (or fallback to
parse_log_events) before performing the actual scroll action so the implicit
"<M>" behavior is applied on first scroll; ensure the state change is idempotent
so subsequent scrolls behave normally.

tests/test_monitor_core.py (1)

320-331: Cross-class reference to a helper defined much later in the file.

TestFailsafe.test_connection_lost_while_ob_triggers_shutdown calls TestAdvisoryTriggers._run_one_iteration (defined 600+ lines below at line 1026). It works because the reference is resolved at test-execution time, but the coupling is awkward — a reader scanning TestFailsafe has no hint where _run_one_iteration lives, and TestAdvisoryTriggers is now an implicit dependency of TestFailsafe.

Consider promoting _run_one_iteration to a module-level helper (e.g. def _run_one_iteration(monitor, ups_data_response): near make_monitor) so both test classes reference it symmetrically.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_monitor_core.py` around lines 320 - 331,
TestFailsafe.test_connection_lost_while_ob_triggers_shutdown references
TestAdvisoryTriggers._run_one_iteration (defined much later), creating a
confusing cross-class dependency; move the helper to module scope so both tests
can call it. Extract the implementation of
TestAdvisoryTriggers._run_one_iteration into a top-level function (e.g. def
_run_one_iteration(monitor, ups_data_response):) placed near make_monitor,
update both TestAdvisoryTriggers and TestFailsafe to call the module-level
_run_one_iteration, and remove or deprecate the class-level helper to eliminate
the implicit dependency while preserving behavior used in
test_connection_lost_while_ob_triggers_shutdown and other tests.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/integration.yml:
- Around line 197-203: The dnf fallback using "--skip-broken" can hide a failed
eneru install when rpm fails, so change the "Install dependencies and package"
step (the rpm -ivh --nodeps || dnf install -y ./eneru-*.rpm --skip-broken
command) to either not use --skip-broken or to explicitly verify the install
succeeded afterward; e.g., run dnf without --skip-broken (so failure propagates)
or keep the fallback but add a check that the installed artifact exists (test -f
/opt/ups-monitor/eneru.py or rpm -q eneru) and exit non-zero if it’s missing so
the job fails fast.

In `@src/eneru/config.py`:
- Around line 592-605: The code uses notif_data.get(..., default) which won't
protect against explicit nulls; update the notifications parsing so you only
override the defaults when the YAML value is present and not None — e.g., read
tmp = notif_data.get('suppress') and if tmp is not None then set notif_suppress
= tmp (same for notif_voltage_hysteresis), and ensure any non-None value is of
the expected type before assigning (to satisfy NotificationsConfig and the
checks in validate_config); refer to notif_suppress, notif_voltage_hysteresis,
NotificationsConfig and validate_config to locate and apply this change.

In `@src/eneru/graph.py`:
- Around line 126-137: The bounds-calculation currently filters numeric values
using isinstance(v, (int, float)), which excludes numeric strings; change the
filter in the y_min/y_max auto-bound logic (the block that builds numeric =
[...]) to accept any value coercible by float() by attempting float(v) in a
try/except and collecting the float-converted values, then compute min/max from
those floats; make the same adjustment in the duplicate bounds block used
elsewhere (the similar numeric-filtering code later in the file) so plotting and
scaling accept numeric strings and other float-coercible inputs.

In `@src/eneru/logger.py`:
- Line 26: The logger name is still "ups-monitor" which breaks the syslog
rebrand; update the call to logging.getLogger(...) in the class where
self.logger is assigned (the self.logger = logging.getLogger("ups-monitor")
statement) to use "eneru" instead so the logger identifier matches the rest of
the codebase and docs.

In `@src/eneru/version.py`:
- Around line 4-5: Update the stale format comment to reflect the current
tagged-release example by changing "5.1.0" to "5.1.1" so the comment above the
__version__ assignment matches the bumped value; locate the comment near the
__version__ = "5.1.1" line and update the example string in that comment
accordingly.

In `@tests/test_redundancy.py`:
- Around line 363-370: The test currently checks ev.is_alive() after a fixed
sleep which can race with the evaluator calling snapshot(); modify the test to
wait (with a short timeout) until the failing snapshot path has actually been
exercised by polling the bad_monitor.state.snapshot flag/call indicator (or
equivalent sentinel) before asserting ev.is_alive(); in practice add a small
loop that repeatedly checks bad_monitor.state.snapshot (or a boolean set by the
snapshot implementation) and breaks on success or fails after timeout, then
perform the ev.is_alive() assertion so the check is gated on snapshot having
been invoked.

In `@tests/test_shutdown_vms.py`:
- Around line 118-127: The test currently only checks membership for per-VM
shutdown commands, which doesn't enforce order; update the assertions after
collecting issued = [c.args[0] for c in mock_run.call_args_list] to assert the
shutdown commands occur in the expected order (e.g., compute indices of
["virsh","shutdown","vm1"] and ["virsh","shutdown","vm2"] in issued and assert
index(vm1) < index(vm2) or assert the slice of issued contains the two shutdown
commands in that exact sequence), leaving the existing checks for the initial
"virsh list ..." and the absence of "virsh destroy" intact.

---

Outside diff comments:
In `@examples/config-homelab.yaml`:
- Around line 68-99: The example text describing remote_servers is outdated: it
only explains the legacy two-phase "parallel" model and misleads users about how
to schedule a server "last"; update the guidance to mention the new
shutdown_order phases and how they interact with the old parallel flag (i.e.,
that shutdown_order: <int> controls later phases and parallel: false runs a
server sequentially before the parallel batch per RemoteServerConfig), and
clarify that to run something after the parallel batch you must set
shutdown_order >= 1 (example: NAS uses shutdown_order: 2) rather than using
parallel: false.

In `@tests/test_cli.py`:
- Around line 245-257: Replace the hard-coded missing config path with a temp
path created from the pytest tmp_path fixture (e.g., typo_path = tmp_path /
"config.yaml") and ensure you do not create that file so it remains missing;
update the test to use str(typo_path) where needed, keep the argv patching that
calls main(), and leave the same SystemExit and captured output assertions
(asserting "Configuration is valid", "Config file not found", and the tmp_path
string) so the test is deterministic across environments.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 485-495: Add a concurrency group to the release workflow so
overlapping runs are serialized and wasted work avoided: update the job that
contains the "Deploy to gh-pages" step to include a concurrency: block (e.g.,
concurrency: { group: "${{ github.repository }}-release-gh-pages-${{ github.ref
}}", cancel-in-progress: false } or similar) at the job level so concurrent
release jobs targeting gh-pages are run one-at-a-time while still failing on
real divergence from the remote before pushing with the existing git push step.

In @.github/workflows/validate.yml:
- Around line 19-39: Add the same "how to refresh pins" explanatory comment next
to the pinned action SHAs in this workflow (e.g., the uses:
actions/checkout@de0fac2e..., uses: actions/setup-python@a309ff8b4..., and uses:
codecov/codecov-action@57e3a13... lines) so it matches codeql.yml; insert a
brief one-line note explaining the source/command or script to update the SHA
pins and where to run it (copy the exact phrasing from codeql.yml for
consistency).

In `@src/eneru/multi_ups.py`:
- Around line 265-307: The pre-drain join loop in _drain_all_groups currently
uses a single join_deadline (join_deadline = time.time() + max(1, timeout // 4))
which gives a combined budget across all threads and can starve later threads;
change it to compute a per-thread join budget derived from that phase budget
divided by max(1, len(self._threads)) (or a sane minimum per-thread like 0.5s)
and use that per-thread timeout when calling thread.join so each thread gets its
own slice of the Phase-1 window (adjust references to self._threads and
join_deadline accordingly in _drain_all_groups).

In `@src/eneru/shutdown/filesystems.py`:
- Around line 53-57: The dry-run message prints the raw options string which no
longer matches the actual argv because the real execution uses shlex.split;
update the dry-run branch in the same method that checks
self.config.behavior.dry_run to reconstruct the tokenized form (e.g. split
options with shlex.split and join with spaces or format as separate tokens)
before calling self._log_message so the logged command mirrors the real exec
args (use the same shlex.split logic already used elsewhere on the options
variable).

In `@src/eneru/shutdown/remote.py`:
- Around line 93-120: Add an inline noqa to the broad exception handler in
shutdown_server_thread to document the deliberate catch-all and silence the Ruff
BLE001 warning: locate the except Exception as exc: block inside the
shutdown_server_thread function (in src/eneru/shutdown/remote.py) and append a
trailing comment "# noqa: BLE001" to that except line, keeping the existing log
message and behavior intact.
- Around line 232-249: Move the "stop_compose requires 'path'" precondition
check to run before you fetch/format the REMOTE_ACTIONS template: in the loop
where you access REMOTE_ACTIONS[action_name] and call
command_template.format(...), check if action_name == "stop_compose" and ensure
cmd_config.path is present first (the block that logs the warning and continue),
then only construct command_template and call shlex.quote(cmd_config.path) and
format the template; this ensures the validation in the loop for stop_compose is
authoritative and prevents any template formatting with an empty path.

In `@src/eneru/stats.py`:
- Around line 608-619: The function currently returns None when the DB file
doesn't exist but its signature/docstring declare a non-Optional
sqlite3.Connection and use a "# type: ignore" to silence this; update the
function signature return type to Optional[sqlite3.Connection], remove the "#
type: ignore" suppression, and adjust the docstring to say "Returns None if the
file doesn't exist" so callers (e.g., the code that checks if conn is not None)
are correctly type-checked; no change to the urlquote/uri logic (urlquote, conn,
sqlite3.connect, PRAGMA busy_timeout remain the same).

In `@src/eneru/tui.py`:
- Around line 1032-1036: The KEY_HOME handler uses max(0, len(log_events))
unnecessarily; replace the assignment events_scroll = max(0, len(log_events))
with the simpler events_scroll = len(log_events) in the input/key handling block
where KEY_HOME is processed (the same block that sets events_scroll for
KEY_END), since render_logs_panel already clamps the scroll; reference
variables/events_scroll, log_events and the render_logs_panel function to locate
the change.
- Around line 962-972: The events panel is limited to EVENTS_MAX_ROWS_NORMAL
when show_more is False, making arrow/PgUp/Home appear to do nothing; modify the
scroll-key handler (the function that processes ↑/PgUp/Home) to detect the first
scroll attempt when show_more is False, set show_more = True, recompute
events_cap = EVENTS_MAX_ROWS_MORE and re-run query_events_for_display(config,
max_events=events_cap) (or fallback to parse_log_events) before performing the
actual scroll action so the implicit "<M>" behavior is applied on first scroll;
ensure the state change is idempotent so subsequent scrolls behave normally.

In `@src/eneru/utils.py`:
- Around line 8-29: The is_numeric function currently imports math inline; move
the import to the module top for idiomatic style and to avoid the per-call
import overhead: add a single top-level "import math" and remove the inline
"import math" from inside is_numeric so the function continues to use
math.isfinite without repeated imports.

In `@tests/conftest.py`:
- Around line 245-275: Replace the hardcoded targets in the
patch_run_command_everywhere fixture with a discovery step that scans the
eneru.shutdown package for submodules that expose a run_command symbol: use
pkgutil.iter_modules over eneru.shutdown.__path__ and importlib.import_module to
load each submodule, collect module paths where hasattr(module, "run_command"),
then build the targets list from those module paths (plus any known non-shutdown
locations like eneru.monitor and eneru.multi_ups). After discovery, assert that
the discovered shutdown modules are included in the targets (or fail the test)
so new shutdown submodules that import run_command don’t silently escape
patching; keep the rest of the fixture (creating patchers, starting mocks,
default return_value, yield, stop) unchanged.
- Around line 42-103: The patched StatsConfig.__init__ currently assumes callers
won't pass positional args for db_directory; update patched_cfg_init to accept
(*args, **kw) and only inject db_directory=isolated_str when the caller did not
supply it (i.e. 'db_directory' not in kw and no positional arg was provided for
it). Concretely, change patched_cfg_init to signature patched_cfg_init(self,
*args, **kw), and if 'db_directory' not in kw and len(args) == 0 set
kw['db_directory'] = isolated_str before calling original_cfg_init(self, *args,
**kw); otherwise forward arguments unchanged to original_cfg_init. This
preserves current behavior but avoids misrouting when new dataclass fields are
added before db_directory.

In `@tests/test_monitor_core.py`:
- Around line 320-331:
TestFailsafe.test_connection_lost_while_ob_triggers_shutdown references
TestAdvisoryTriggers._run_one_iteration (defined much later), creating a
confusing cross-class dependency; move the helper to module scope so both tests
can call it. Extract the implementation of
TestAdvisoryTriggers._run_one_iteration into a top-level function (e.g. def
_run_one_iteration(monitor, ups_data_response):) placed near make_monitor,
update both TestAdvisoryTriggers and TestFailsafe to call the module-level
_run_one_iteration, and remove or deprecate the class-level helper to eliminate
the implicit dependency while preserving behavior used in
test_connection_lost_while_ob_triggers_shutdown and other tests.

In `@tests/test_multi_ups.py`:
- Around line 1279-1283: The test was relaxed to use assert
live_thread.join.called because _drain_all_groups now calls Thread.join twice
per thread; update the assertion to enforce the two-phase contract by replacing
assert live_thread.join.called with assert live_thread.join.call_count >= 2 so
the test verifies at least two joins occurred for live_thread (keep the existing
check for the timeout log: any("still running after drain timeout" in m for m in
logs)).

In `@tests/test_tui.py`:
- Around line 109-128: Add a runtime assertion test that patches/wraps the
query_events_for_display function during a short invocation of run_tui to
inspect how it was called: use unittest.mock.patch or monkeypatch to replace
eneru.tui.query_events_for_display with a wrapper that records args/kwargs, call
tui_mod.run_tui(...) with minimal config, then assert the recorded call has no
positional time-range argument (i.e., len(args) == 1 and args[0] is the config)
and that 'max_events' is present in kwargs, and finally restore the original
function; reference run_tui and query_events_for_display when locating where to
add this behavioral check.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7db37aa5-3772-4abb-945b-20cc83661dd1

📥 Commits

Reviewing files that changed from the base of the PR and between 3463bc9 and 681248b.

📒 Files selected for processing (49)

• .github/actions/e2e-setup/action.yml
• .github/workflows/codeql.yml
• .github/workflows/e2e.yml
• .github/workflows/integration.yml
• .github/workflows/pypi.yml
• .github/workflows/release.yml
• .github/workflows/validate.yml
• docs/changelog.md
• examples/config-dual-ups.yaml
• examples/config-enterprise.yaml
• examples/config-homelab.yaml
• examples/config-reference.yaml
• packaging/scripts/postinstall.sh
• packaging/scripts/postremove.sh
• packaging/scripts/preremove.sh
• pyproject.toml
• pytest.ini
• src/eneru/actions.py
• src/eneru/cli.py
• src/eneru/completion/eneru.bash
• src/eneru/config.py
• src/eneru/graph.py
• src/eneru/health/battery.py
• src/eneru/health/voltage.py
• src/eneru/logger.py
• src/eneru/monitor.py
• src/eneru/multi_ups.py
• src/eneru/redundancy.py
• src/eneru/shutdown/filesystems.py
• src/eneru/shutdown/remote.py
• src/eneru/shutdown/vms.py
• src/eneru/stats.py
• src/eneru/tui.py
• src/eneru/utils.py
• src/eneru/version.py
• tests/conftest.py
• tests/e2e/groups/multi-ups.sh
• tests/e2e/groups/single-ups.sh
• tests/e2e/scenarios/low-battery.dev
• tests/e2e/ssh-target/Dockerfile
• tests/e2e/ssh-target/entrypoint.sh
• tests/test_cli.py
• tests/test_monitor_core.py
• tests/test_multi_ups.py
• tests/test_redundancy.py
• tests/test_remote_commands.py
• tests/test_shutdown_vms.py
• tests/test_stats.py
• tests/test_tui.py

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Minor: dnf install … --skip-broken can still hide a failed eneru install.

Dropping || true is the right call. One residual gap: if the initial rpm -ivh --nodeps fails for a non-dep reason and the fallback runs, dnf --skip-broken will happily exit 0 while silently skipping the eneru-*.rpm itself (e.g., signature/repo issues). The subsequent test -f /opt/ups-monitor/eneru.py in the Verify step does catch this, so it's not a correctness bug today — just worth noting if you ever remove that sanity check.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/integration.yml around lines 197 - 203, The dnf fallback
using "--skip-broken" can hide a failed eneru install when rpm fails, so change
the "Install dependencies and package" step (the rpm -ivh --nodeps || dnf
install -y ./eneru-*.rpm --skip-broken command) to either not use --skip-broken
or to explicitly verify the install succeeded afterward; e.g., run dnf without
--skip-broken (so failure propagates) or keep the fallback but add a check that
the installed artifact exists (test -f /opt/ups-monitor/eneru.py or rpm -q
eneru) and exit non-zero if it’s missing so the job fails fast.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

suppress: null / voltage_hysteresis_seconds: null in YAML bypasses the defaults.

dict.get(key, default) only returns default when the key is absent. If a user writes:

notifications:
  suppress: null        # or: suppress:
  voltage_hysteresis_seconds:

…the key is present with value None, so notif_suppress becomes None and notif_voltage_hysteresis becomes None, both of which then flow straight into NotificationsConfig(...) and violate the declared List[str] / int contract. validate_config does catch the int case (Line 935 not isinstance(hys, int)), but suppress=None would fail if config.notifications.suppress: gracefully and never get validated, while any later code assuming a list would break.

🛡️ Proposed fix

-            notif_suppress = notif_data.get('suppress', notif_suppress)
-            notif_voltage_hysteresis = notif_data.get(
-                'voltage_hysteresis_seconds', notif_voltage_hysteresis,
-            )
+            if notif_data.get('suppress') is not None:
+                notif_suppress = notif_data['suppress']
+            if notif_data.get('voltage_hysteresis_seconds') is not None:
+                notif_voltage_hysteresis = notif_data['voltage_hysteresis_seconds']

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/config.py` around lines 592 - 605, The code uses
notif_data.get(..., default) which won't protect against explicit nulls; update
the notifications parsing so you only override the defaults when the YAML value
is present and not None — e.g., read tmp = notif_data.get('suppress') and if tmp
is not None then set notif_suppress = tmp (same for notif_voltage_hysteresis),
and ensure any non-None value is of the expected type before assigning (to
satisfy NotificationsConfig and the checks in validate_config); refer to
notif_suppress, notif_voltage_hysteresis, NotificationsConfig and
validate_config to locate and apply this change.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

wc -l src/eneru/graph.py

Repository: m4r1k/Eneru

Length of output: 77

---

🏁 Script executed:

cat -n src/eneru/graph.py | sed -n '120,240p'

Repository: m4r1k/Eneru

Length of output: 5730

---

🏁 Script executed:

cat -n src/eneru/graph.py | sed -n '100,125p'

Repository: m4r1k/Eneru

Length of output: 1599

---

🏁 Script executed:

cat -n src/eneru/graph.py | head -20

Repository: m4r1k/Eneru

Length of output: 819

---

🏁 Script executed:

cat -n src/eneru/graph.py | head -40

Repository: m4r1k/Eneru

Length of output: 1487

---

Align bounds calculation with plotting's numeric coercion.

Bounds use isinstance(v, (int, float)) but plotting accepts anything float(value) can coerce. This can cause graphs to render blank when data contains numeric strings like "230.5".

Proposed fix

+import math
 import locale
 import os
@@
         if y_min is None or y_max is None:
-            numeric = [v for v in data if isinstance(v, (int, float))]
+            numeric = []
+            for value in data:
+                try:
+                    v = float(value)
+                except (TypeError, ValueError):
+                    continue
+                if math.isfinite(v):
+                    numeric.append(v)
             if not numeric:
                 # Nothing to scale against; render an empty grid.
                 return [" " * width for _ in range(height)]

Also applies to: 167-170

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/graph.py` around lines 126 - 137, The bounds-calculation currently
filters numeric values using isinstance(v, (int, float)), which excludes numeric
strings; change the filter in the y_min/y_max auto-bound logic (the block that
builds numeric = [...]) to accept any value coercible by float() by attempting
float(v) in a try/except and collecting the float-converted values, then compute
min/max from those floats; make the same adjustment in the duplicate bounds
block used elsewhere (the similar numeric-filtering code later in the file) so
plotting and scaling accept numeric strings and other float-coercible inputs.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm whether "ups-monitor" still appears anywhere (tests, systemd units, docs) to
# validate the rebrand scope and whether this file was missed.
rg -nP '\bups-monitor\b' -C2
rg -nP 'getLogger\(' --type=py -C1

Repository: m4r1k/Eneru

Length of output: 29390

---

Update logger name from "ups-monitor" to "eneru" to complete the syslog rebrand.

The changelog and code comments confirm the syslog identifier was renamed to "eneru" in v5.0 (see docs/changelog.md and the comment in src/eneru/monitor.py line 391), but logging.getLogger("ups-monitor") here was not updated. This inconsistency breaks downstream syslog filtering.

Proposed change

-        self.logger = logging.getLogger("ups-monitor")
+        self.logger = logging.getLogger("eneru")

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	self.logger = logging.getLogger("ups-monitor")
	self.logger = logging.getLogger("eneru")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/logger.py` at line 26, The logger name is still "ups-monitor" which
breaks the syslog rebrand; update the call to logging.getLogger(...) in the
class where self.logger is assigned (the self.logger =
logging.getLogger("ups-monitor") statement) to use "eneru" instead so the logger
identifier matches the rest of the codebase and docs.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Stale example in the format comment.

The comment still uses 5.1.0 as the tagged-release example after bumping __version__ to 5.1.1. Minor, but worth refreshing to keep the example aligned with the current version.

📝 Proposed tweak

-# Format: "5.1.0" for tagged releases, "5.1.0-5-gabcdef1" for dev builds
+# Format: "5.1.1" for tagged releases, "5.1.1-5-gabcdef1" for dev builds
 __version__ = "5.1.1"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Format: "5.1.0" for tagged releases, "5.1.0-5-gabcdef1" for dev builds
	__version__ = "5.1.1"
	# Format: "5.1.1" for tagged releases, "5.1.1-5-gabcdef1" for dev builds
	__version__ = "5.1.1"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/eneru/version.py` around lines 4 - 5, Update the stale format comment to
reflect the current tagged-release example by changing "5.1.0" to "5.1.1" so the
comment above the __version__ assignment matches the bumped value; locate the
comment near the __version__ = "5.1.1" line and update the example string in
that comment accordingly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Wait until the failing snapshot path is exercised.

ev.is_alive() after a fixed sleep can pass even if the evaluator has not called snapshot() yet. Gate the assertion on bad_monitor.state.snapshot being called first.

Proposed test hardening

         ev.start()
-        time.sleep(0.15)
+        deadline = time.time() + 2
+        while bad_monitor.state.snapshot.call_count == 0 and time.time() < deadline:
+            time.sleep(0.01)
+        assert bad_monitor.state.snapshot.call_count > 0
         # F3: assert the evaluator thread survived the exception storm

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ev.start()
	time.sleep(0.15)
	# F3: assert the evaluator thread survived the exception storm
	# BEFORE we signal stop. A thread killed by the unhandled
	# RuntimeError would still leave `not ev.is_alive()` True after
	# join (a dead thread joins instantly), so the original test
	# would silently pass even if the swallowing contract broke.
	assert ev.is_alive()
	ev.start()
	deadline = time.time() + 2
	while bad_monitor.state.snapshot.call_count == 0 and time.time() < deadline:
	time.sleep(0.01)
	assert bad_monitor.state.snapshot.call_count > 0
	# F3: assert the evaluator thread survived the exception storm
	# BEFORE we signal stop. A thread killed by the unhandled
	# RuntimeError would still leave `not ev.is_alive()` True after
	# join (a dead thread joins instantly), so the original test
	# would silently pass even if the swallowing contract broke.
	assert ev.is_alive()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_redundancy.py` around lines 363 - 370, The test currently checks
ev.is_alive() after a fixed sleep which can race with the evaluator calling
snapshot(); modify the test to wait (with a short timeout) until the failing
snapshot path has actually been exercised by polling the
bad_monitor.state.snapshot flag/call indicator (or equivalent sentinel) before
asserting ev.is_alive(); in practice add a small loop that repeatedly checks
bad_monitor.state.snapshot (or a boolean set by the snapshot implementation) and
breaks on success or fails after timeout, then perform the ev.is_alive()
assertion so the check is gated on snapshot having been invoked.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Pin the ordered command sequence, not just membership.

Lines 123-125 say the per-VM shutdowns are ordered, but in issued would still pass if vm2 was shut down before vm1.

Proposed test tightening

     issued = [c.args[0] for c in mock_run.call_args_list]
-    assert issued[0] == ["virsh", "list", "--name", "--state-running"]
-    # Per-VM shutdowns are issued in the order virsh list returned them.
-    assert ["virsh", "shutdown", "vm1"] in issued
-    assert ["virsh", "shutdown", "vm2"] in issued
+    assert issued[:4] == [
+        ["virsh", "list", "--name", "--state-running"],
+        ["virsh", "shutdown", "vm1"],
+        ["virsh", "shutdown", "vm2"],
+        ["virsh", "list", "--name", "--state-running"],
+    ]

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Assert the actual virsh command sequence — without this, the test
	# passed even when the wrong command (or no command at all) was
	# issued during shutdown.
	issued = [c.args[0] for c in mock_run.call_args_list]
	assert issued[0] == ["virsh", "list", "--name", "--state-running"]
	# Per-VM shutdowns are issued in the order virsh list returned them.
	assert ["virsh", "shutdown", "vm1"] in issued
	assert ["virsh", "shutdown", "vm2"] in issued
	# No `destroy` should fire when graceful shutdown completes cleanly.
	assert not any(c[:2] == ["virsh", "destroy"] for c in issued)
	# Assert the actual virsh command sequence — without this, the test
	# passed even when the wrong command (or no command at all) was
	# issued during shutdown.
	issued = [c.args[0] for c in mock_run.call_args_list]
	assert issued[:4] == [
	["virsh", "list", "--name", "--state-running"],
	["virsh", "shutdown", "vm1"],
	["virsh", "shutdown", "vm2"],
	["virsh", "list", "--name", "--state-running"],
	]
	# No `destroy` should fire when graceful shutdown completes cleanly.
	assert not any(c[:2] == ["virsh", "destroy"] for c in issued)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_shutdown_vms.py` around lines 118 - 127, The test currently only
checks membership for per-VM shutdown commands, which doesn't enforce order;
update the assertions after collecting issued = [c.args[0] for c in
mock_run.call_args_list] to assert the shutdown commands occur in the expected
order (e.g., compute indices of ["virsh","shutdown","vm1"] and
["virsh","shutdown","vm2"] in issued and assert index(vm1) < index(vm2) or
assert the slice of issued contains the two shutdown commands in that exact
sequence), leaving the existing checks for the initial "virsh list ..." and the
absence of "virsh destroy" intact.