Validate report API host arguments

[alan747271363-art]

Summary

• Add a shared public_api_host argparse validator for public report-tool API origins.
• Reject blank, whitespace-only, relative, and non-HTTP(S) --api-host values before any live GitHub/API collection.
• Apply the validator to proposed_work_triage.py, claim_inventory.py, and submission_quality_gate.py as requested by source issue Proposed work: validate report API host arguments #815.

Bounty #799
Source issue: #815

Evidence

#815 reports that report scripts can accept malformed API hosts and crash later while building public API URLs. The issue comment also points out that submission_quality_gate.py has the same boundary and should share the validation helper.

This PR keeps valid absolute HTTP(S) hosts working and only changes CLI argument validation for invalid hosts.

Validation

• python -m pytest tests\test_proposed_work_triage.py tests\test_claim_inventory.py tests\test_submission_quality_gate.py -q -> 73 passed
• python -m pytest -q -> 752 passed, 1 existing Starlette/httpx warning
• python -m ruff format --check . -> 111 files already formatted
• python -m ruff check . -> All checks passed
• python -m mypy app -> Success
• git diff --check -> clean

CLI smoke after the fix:

• python scripts\proposed_work_triage.py --repo ramimbo/mergework --limit 1 --api-host " " --format json -> argparse error: api host must be a non-empty HTTP(S) URL
• python scripts\claim_inventory.py --repo ramimbo/mergework --api-host /relative --format json -> argparse error: api host must be an absolute HTTP(S) URL
• python scripts\submission_quality_gate.py --text-file draft.md --api-host ftp://api.example.test --format json -> argparse error: api host must be an absolute HTTP(S) URL

Scope and Safety

• Read-only report tooling only.
• No GitHub mutations, labels, comments, bounty creation, claim acceptance, payout execution, treasury mutation, ledger mutation, wallet behavior, private data, secrets, bridge, exchange, off-ramp, cash-out, or price behavior.

Summary by CodeRabbit

• Bug Fixes

  • CLI tools now validate the --api-host argument and only accept absolute HTTP(S) URLs; empty, whitespace-only, relative, or non-HTTP(S) values produce clear parse-time errors.

• Tests

  • Added CLI tests that verify invalid --api-host values are rejected with appropriate exit codes and error messages.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c6c09fa1-a0cc-434b-957c-9a23553a2c1d

📥 Commits

Reviewing files that changed from the base of the PR and between 548794d and 25194c0.

📒 Files selected for processing (1)

• tests/test_proposed_work_triage.py

💤 Files with no reviewable changes (1)

• tests/test_proposed_work_triage.py

---

📝 Walkthrough

Walkthrough

This PR centralizes API-host parsing by adding public_api_host() (argparse type) that enforces an absolute HTTP(S) URL, and wires it into three CLI scripts' --api-host options with tests asserting invalid inputs produce argparse errors and exit code 2.

Changes

API Host Validation

Layer / File(s)	Summary
API host validation helper scripts/api_host_args.py	New public_api_host(value: str) function that strips input, validates HTTP(S) scheme and non-empty netloc, and raises argparse.ArgumentTypeError on invalid values.
claim_inventory CLI integration scripts/claim_inventory.py, tests/test_claim_inventory.py	Imports validator and applies type=public_api_host to --api-host while keeping the same default; adds tests asserting invalid hosts exit with code 2 and emit an "api host must" error.
proposed_work_triage CLI integration scripts/proposed_work_triage.py, tests/test_proposed_work_triage.py	Adds conditional sys.path adjustment to import public_api_host, applies type=public_api_host to --api-host, and adds tests asserting rejection of empty/whitespace/relative/non-HTTP hosts.
submission_quality_gate CLI integration scripts/submission_quality_gate.py, tests/test_submission_quality_gate.py	Imports validator and applies type=public_api_host to --api-host; adds tests asserting invalid hosts exit with code 2 and stderr includes the error substring.

Possibly related issues

• Proposed work: validate report API host arguments #815: Implements the requested argparse-based API-host validation and applies it across the affected scripts.

🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Validate report API host arguments' clearly and concretely names the main change: adding validation for API host arguments across report scripts.
Description check	✅ Passed	The description covers all required sections with substantive content: summary of changes, evidence from issue #815, detailed validation results across tests and static checks, and explicit scope statement.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Mergework Public Artifact Hygiene	✅ Passed	PR contains only code changes to validation logic with no modifications to README, docs, or public descriptions; no investment, price, cash-out, or MRWK utility claims introduced.
Bounty Pr Focus	✅ Passed	PR matches stated scope: created api_host_args.py with shared validator, applied to 3 target scripts, added test coverage with proper error assertions for invalid hosts.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d2381118-b38f-4b1e-9a46-a3545b840ef3

📥 Commits

Reviewing files that changed from the base of the PR and between c504500 and 548794d.

📒 Files selected for processing (7)

• scripts/api_host_args.py
• scripts/claim_inventory.py
• scripts/proposed_work_triage.py
• scripts/submission_quality_gate.py
• tests/test_claim_inventory.py
• tests/test_proposed_work_triage.py
• tests/test_submission_quality_gate.py

[jakerated-r]

Reviewed current head 548794da737c04a11956cbef8901bc34515cf468 for bounty review scope.

What I checked:

• Inspected the new shared scripts/api_host_args.py validator and its wiring into claim_inventory.py, proposed_work_triage.py, and submission_quality_gate.py.
• Verified invalid --api-host values now fail during argparse parsing before live GitHub/API collection for blank, relative, and non-HTTP(S) inputs.
• Verified valid absolute hosts still work, including a trailing-slash smoke on proposed_work_triage.py --api-host https://api.mrwk.online/.
• Confirmed the existing api_host.rstrip('/') URL construction is preserved in all three scripts.
• Checked duplicate/saturation risk on #654: no existing human review or #654 claim for PR #842 before this review.
• Checked hosted status: Quality workflow SUCCESS, CodeRabbit SUCCESS, GitHub mergeStateStatus CLEAN.

Local validation:

• uv run --extra dev pytest tests/test_proposed_work_triage.py tests/test_claim_inventory.py tests/test_submission_quality_gate.py -q -> 73 passed
• uv run --extra dev pytest -q -> 752 passed, 1 existing Starlette/httpx deprecation warning
• uv run --extra dev ruff format --check scripts/api_host_args.py scripts/claim_inventory.py scripts/proposed_work_triage.py scripts/submission_quality_gate.py tests/test_claim_inventory.py tests/test_proposed_work_triage.py tests/test_submission_quality_gate.py -> 7 files already formatted
• uv run --extra dev ruff check scripts/api_host_args.py scripts/claim_inventory.py scripts/proposed_work_triage.py scripts/submission_quality_gate.py tests/test_claim_inventory.py tests/test_proposed_work_triage.py tests/test_submission_quality_gate.py -> All checks passed
• uv run --extra dev mypy app -> Success
• git diff origin/main...HEAD --check -> clean
• git merge-tree $(git merge-base origin/main HEAD) origin/main HEAD -> completed without conflict markers

Non-blocking note: CodeRabbit's one actionable comment is only the redundant local import pytest in tests/test_proposed_work_triage.py; since it is test-only and harmless, I am not blocking on it.

[jakerated-r]

Follow-up current-head review after the cleanup commit.

Reviewed new head 25194c0dad91d7bf2f739cd776da9126c7a849a0, which only removes the redundant local import pytest from tests/test_proposed_work_triage.py. The prior API-host validation analysis still applies to the current head.

Current-head validation rerun:

• uv run --extra dev pytest tests/test_proposed_work_triage.py tests/test_claim_inventory.py tests/test_submission_quality_gate.py -q -> 73 passed
• uv run --extra dev pytest -q -> 752 passed, 1 existing Starlette/httpx deprecation warning
• uv run --extra dev ruff format --check scripts/api_host_args.py scripts/claim_inventory.py scripts/proposed_work_triage.py scripts/submission_quality_gate.py tests/test_claim_inventory.py tests/test_proposed_work_triage.py tests/test_submission_quality_gate.py -> 7 files already formatted
• uv run --extra dev ruff check scripts/api_host_args.py scripts/claim_inventory.py scripts/proposed_work_triage.py scripts/submission_quality_gate.py tests/test_claim_inventory.py tests/test_proposed_work_triage.py tests/test_submission_quality_gate.py -> All checks passed
• uv run --extra dev mypy app -> Success
• git diff origin/main...HEAD --check -> clean
• git merge-tree $(git merge-base origin/main HEAD) origin/main HEAD -> completed without conflict markers
• Valid-host smoke with proposed_work_triage.py --api-host https://api.mrwk.online/ still exits 0 and returns the expected summary keys.

No new findings from me on this head.

[ramimbo]

Maintainer queue status for #815/#799: held before merge/payment. Current head and checks are clean, #799 has live effective capacity, and this remains the implementation path for #815, but there is only one distinct useful current-head human reviewer. Needs a second useful current-head human review before acceptance.

[xiefuzheng713-alt]

Reviewed current head 25194c0dad91d7bf2f739cd776da9126c7a849a0 as a non-author.

Scope inspected:

• scripts/api_host_args.py: verified the shared public_api_host() argparse type trims input, rejects empty/whitespace-only values, and requires an absolute HTTP(S) URL with a netloc before report tooling builds public API URLs.
• scripts/proposed_work_triage.py, scripts/claim_inventory.py, and scripts/submission_quality_gate.py: verified the new validator is applied only to --api-host parsing and does not add GitHub mutations or change report analysis logic.
• tests/test_proposed_work_triage.py, tests/test_claim_inventory.py, and tests/test_submission_quality_gate.py: verified invalid host coverage for empty string, whitespace-only, relative path, and non-HTTP(S) URL.

Validation run on this head:

• uv run --python 3.12 --extra dev python -m pytest tests/test_proposed_work_triage.py tests/test_claim_inventory.py tests/test_submission_quality_gate.py -q -> 73 passed.
• CLI smoke: python scripts/proposed_work_triage.py --repo ramimbo/mergework --limit 1 --api-host " " --format json -> exit 2 with api host must be a non-empty HTTP(S) URL.
• CLI smoke: python scripts/claim_inventory.py --repo ramimbo/mergework --api-host /relative --format json -> exit 2 with api host must be an absolute HTTP(S) URL.
• CLI smoke: python scripts/submission_quality_gate.py --text-file draft.md --api-host ftp://api.example.test --format json -> exit 2 with api host must be an absolute HTTP(S) URL.
• uv run --python 3.12 --extra dev python -m pytest -q -> 752 passed, 1 existing Starlette/httpx warning.
• uv run --python 3.12 --extra dev ruff check scripts/api_host_args.py scripts/proposed_work_triage.py scripts/claim_inventory.py scripts/submission_quality_gate.py tests/test_proposed_work_triage.py tests/test_claim_inventory.py tests/test_submission_quality_gate.py -> passed.
• uv run --python 3.12 --extra dev ruff format --check scripts/api_host_args.py scripts/proposed_work_triage.py scripts/claim_inventory.py scripts/submission_quality_gate.py tests/test_proposed_work_triage.py tests/test_claim_inventory.py tests/test_submission_quality_gate.py -> 7 files already formatted.
• uv run --python 3.12 --extra dev mypy app -> success.
• uv run --python 3.12 --extra dev python scripts/docs_smoke.py -> docs smoke ok.
• git diff --check origin/main...HEAD -> clean.
• git merge-tree --write-tree origin/main HEAD -> clean tree c5b1c4acfdb6e5711c377bd0be82e0e8c1c758d1.

Currentness and duplicate check: PR #842 is mergeable at the reviewed head with hosted Quality/readiness/docs/image and CodeRabbit checks passing. Before posting, I found one current-head human approval and the existing #654 claim comments were both from that same reviewer, so this is a second independent current-head review.

No blocker found. The change is limited to read-only report-script argument validation and does not touch GitHub label/comment mutation paths from the app, bounty creation, proposal execution, payout, ledger mutation, wallet behavior, private data, secrets, exchange, bridge, off-ramp, cash-out, or price behavior.

[aglichandrap]

Review evidence (head SHA: 25194c0dad91):

• ✅ Scope: Extracts public_api_host validator into shared scripts/api_host_args.py, applies to claim_inventory.py.
• ✅ Validation: Checks for non-empty string, http/https scheme, and non-empty netloc via urllib.parse.urlparse.
• ✅ Reusability: Shared module avoids duplicating validation across scripts.
• ✅ Argparse integration: Uses type=public_api_host for automatic validation on --api-host.
• ✅ Files: 7 files, +53/-3 — includes proposed_work_triage.py, submission_quality_gate.py.
• ✅ Mergeable: state=clean.

No blockers. Approve.