Preserve account filter on activity page

[xiefuzheng713-alt]

Summary

Bounty #799
Refs #798

Source report: #798 (comment)

The activity API now honors account=github:<login>, but the HTML activity page still ignored that query string and rendered the global activity page. This PR makes the page preserve the same account-scoped view and fixes a serializer variable shadowing bug that could leak a last contributor account into global activity context once the template started reading account.

Changes

• Accept and validate account on /activity with the same repeated/control-character checks as the API route.
• Reuse the normalized activity context account for the page notice, hidden search field, and "View JSON activity" link.
• Build the activity JSON inspection URL server-side so q and account are preserved together.
• Rename the contributor aggregation loop variable in activity_to_dict() so global activity responses do not gain a synthetic top-level account.
• Add regression coverage for global responses without account, account-scoped HTML, and combined q + account links.

Validation

uv run --extra dev pytest tests/test_activity.py -q
# 7 passed, 1 warning

uv run --extra dev ruff check app/activity.py app/serializers.py tests/test_activity.py
# All checks passed!

uv run --extra dev ruff format --check app/activity.py app/serializers.py tests/test_activity.py
# 3 files already formatted

uv run --extra dev mypy app/activity.py app/serializers.py
# Success: no issues found in 2 source files

uv run --extra dev python scripts/docs_smoke.py
# docs smoke ok

git diff --check
# clean

git merge-tree --write-tree origin/main HEAD
# abda6f4c7b8cc6d19c1ef4bc0fd2711b121cfce1

Scope

No payout execution, treasury mutation, wallet mutation, transfer signing, admin-token behavior, bridge/exchange/cash-out behavior, MRWK price behavior, or private data handling is changed.

Summary by CodeRabbit

• New Features

  • Filter activity by account in addition to free-text search.
  • Activity page shows contextual messages for account-only, search-only, or combined filters.
  • “View JSON activity” link now reliably includes appropriate URL‑encoded filter parameters.

• Bug Fixes

  • “Clear search” behavior and no-results links now handle account filters correctly.
  • Input validation extended to catch invalid or repeated account parameters.

• Tests

  • Expanded tests for account-scoped views, combined filters, validation, and JSON link generation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: dafc0ee7-0ad8-4bdf-ba3e-bc6c72a7ee3d

📥 Commits

Reviewing files that changed from the base of the PR and between f7d1d0b and 03e0804.

📒 Files selected for processing (4)

• app/activity.py
• app/templates/activity.html
• tests/test_activity.py
• tests/test_activity_routes.py

---

📝 Walkthrough

Walkthrough

Adds optional account filtering to the activity page: URL helpers add api_activity_url/clear_activity_url, the /activity route validates and forwards account, serialization keys contributors by account, the template renders account-aware UI, and tests cover rendering and validation cases.

Changes

Activity Page Account Filtering

Layer / File(s)	Summary
Imports and URL helpers app/activity.py	Imports urlencode and adds _activity_api_url(query, account) and _activity_page_url(account); activity_context now provides api_activity_url and clear_activity_url.
Route handler account parameter acceptance and validation app/activity.py	/activity handler accepts optional account, validates control characters and repeated parameters, and passes account (with q) into activity_context.
Contributor serialization and template rendering app/serializers.py, app/templates/activity.html	activity_to_dict uses contributor_account for contributor keys. Template emits hidden account when present, shows account/query-specific notices, uses api_activity_url for JSON link, and uses clear_activity_url for clear links.
Test coverage for account filtering tests/test_activity.py, tests/test_activity_routes.py	Asserts unfiltered API payload excludes account. Tests verify default page omits account input, account-scoped and account+query views render expected fields and URL-encoded JSON/clear links, and validation tests exercise invalid/repeated account cases. Route test expects api_activity_url in empty context.

Possibly related issues

• Proposed work: handle activity account filter explicitly #786: both concern handling of the account query parameter for activity endpoints and may overlap on server-side behavior expectations.

Possibly related PRs

• ramimbo/mergework#380: Earlier changes to activity context and routes that this PR builds on.
• ramimbo/mergework#821: Related work wiring account through activity serializers/context and validation.

🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concretely summarizes the main change: preserving account filter on the activity page, which is the primary objective of the PR.
Description check	✅ Passed	The description includes a clear summary with issue/bounty refs, detailed changes, comprehensive validation results covering all required checks, and scope clarification.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Mergework Public Artifact Hygiene	✅ Passed	PR modifies only implementation code and tests; no changes to README, docs, or public descriptions. Contains no investment, price, cash-out, or security claims.
Bounty Pr Focus	✅ Passed	PR diff matches stated changes: account parameter in activity.py routes, contributor variable rename in serializers.py, template account filter, comprehensive test coverage with no scope creep.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[laughlife]

Bounty #838 current-head review for PR #854.

Reviewed head 529f09ed85160ebf9fdfd10d36259cf95a553e1e as a non-author.

Changes requested: the PR currently fails the hosted quality check and the failure is reproducible locally.

Blocker found:

• activity_context() now injects api_activity_url into the context, but tests/test_activity_routes.py::test_activity_context_preserves_empty_feed_shape still asserts the exact empty-feed dictionary shape without that new key.
• As a result, the full suite fails even though the PR's focused tests/test_activity.py validation passes.

Evidence checked:

• Inspected app/activity.py, app/serializers.py, app/templates/activity.html, and tests/test_activity.py.
• Checked the hosted Quality/readiness/docs/image failure for run 26938575898; it fails with the same extra api_activity_url key in test_activity_context_preserves_empty_feed_shape.
• Confirmed PR #854 currently has no prior human review on this head and GitHub reports mergeStateStatus=UNSTABLE.

Validation I ran on current head:

• uv run --extra dev pytest tests/test_activity.py -q -> 7 passed, 1 existing Starlette/httpx warning.
• uv run --extra dev pytest tests/test_activity_routes.py::test_activity_context_preserves_empty_feed_shape -q -> failed with the extra api_activity_url key.
• uv run --extra dev ruff check app/activity.py app/serializers.py tests/test_activity.py -> passed.
• uv run --extra dev ruff format --check app/activity.py app/serializers.py tests/test_activity.py -> 3 files already formatted.
• git diff --check origin/main...HEAD -> clean.
• git merge-tree --write-tree origin/main HEAD -> clean tree 2021d4aa25c8b20d5d5e9370472dec43dcb471bc.

No private data, secrets, wallet material, payout execution, treasury mutation, ledger mutation, bridge, exchange, cash-out, MRWK price behavior, or issue mutation was used.

[coderabbitai]

Actionable comments posted: 2

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 64c92ba1-dce1-4a61-a16e-e591402aa2cd

📥 Commits

Reviewing files that changed from the base of the PR and between d4d0e48 and 529f09e.

📒 Files selected for processing (4)

• app/activity.py
• app/serializers.py
• app/templates/activity.html
• tests/test_activity.py

[aglichandrap]

Review evidence (head SHA: 03e0804282b4):

• ✅ Scope: Adds account=github:<login> query param support to /activity HTML page. Matches existing API behavior.
• ✅ Code quality: Clean helper functions _activity_api_url and _activity_page_url. Proper urlencode usage.
• ✅ Input validation: reject_control_char_query_param and reject_repeated_query_param applied to new account param — consistent with existing q param handling.
• ✅ Tests: 43 new lines in test_activity.py covering account filter behavior. test_activity_routes.py updated.
• ✅ serializers.py: Variable rename account → contributor_account avoids shadowing the function parameter — good cleanup.
• ✅ Mergeable: state=clean, mergeable=True.
• ✅ Files touched: 5 files, +83/-10 — well-scoped.

No blockers found. Approve.

[SYZBZ]

Bounty #838 current-head review for PR #854.

Reviewed head 03e0804282b46260ae48fc00bce941202bf37646 as a non-author.

Approve. I re-validated the follow-up that fixed the earlier empty-context blocker and confirmed the HTML activity page now preserves the same account-scoped behavior as /api/v1/activity, while the serializer rename keeps global activity context from inheriting a contributor account.

Files inspected:

• app/activity.py
• app/serializers.py
• app/templates/activity.html
• tests/test_activity.py
• tests/test_activity_routes.py

Evidence checked:

• /activity now validates repeated and control-character account params the same way as the API route.
• The page preserves the normalized account in the hidden form field, clear links, and View JSON activity URL, including combined q + account cases.
• activity_context() now exposes api_activity_url and clear_activity_url, and the empty-feed route-shape regression was updated for those new keys.
• activity_to_dict() renames the contributor loop variable, so top-level account remains the requested filter instead of a shadowed contributor value.

Validation I ran on current head:

• C:\Users\user\OneDrive - MRMAD\Desktop\github_mission\mergework\.venv\Scripts\python.exe -m pytest tests/test_activity.py tests/test_activity_routes.py -q -> 8 passed, 1 existing Starlette/httpx warning
• C:\Users\user\OneDrive - MRMAD\Desktop\github_mission\mergework\.venv\Scripts\python.exe -m ruff check app/activity.py app/serializers.py tests/test_activity.py tests/test_activity_routes.py -> passed
• C:\Users\user\OneDrive - MRMAD\Desktop\github_mission\mergework\.venv\Scripts\python.exe -m ruff format --check app/activity.py app/serializers.py tests/test_activity.py tests/test_activity_routes.py -> 4 files already formatted
• C:\Users\user\OneDrive - MRMAD\Desktop\github_mission\mergework\.venv\Scripts\python.exe -m mypy app/activity.py app/serializers.py -> success
• C:\Users\user\OneDrive - MRMAD\Desktop\github_mission\mergework\.venv\Scripts\python.exe scripts/docs_smoke.py -> docs smoke ok
• git diff --check origin/main...HEAD -> clean
• git merge-tree --write-tree origin/main HEAD -> clean tree 34cba62428c07920604e9c9423fa6ea47411e22e

GitHub state checked before approval: mergeStateStatus=CLEAN; hosted Quality, readiness, docs, and image checks and CodeRabbit are successful on this head.

No private data, secrets, wallet material, payout execution, treasury mutation, ledger mutation, bridge, exchange, cash-out, MRWK price behavior, or issue mutation was used.