Refs #576: Harden static GitHub links #590

Merged
ramimbo merged 2 commits into ramimbo:main from jakerated-r:codex/b576-static-github-link-rel
May 28, 2026

Contributor

@jakerated-r jakerated-r commented May 28, 2026

Summary

Refs #576.

This adds the existing public-link hygiene treatment (rel="nofollow noopener") to static GitHub links that are rendered from the public shell/docs templates.

Evidence / Distinctness

Current public templates already apply rel="nofollow noopener" on several dynamic GitHub issue links, for example bounty detail/list links. A fresh check found static GitHub links in these surfaces did not have the same treatment:

  • LTC Lab header GitHub nav link in app/templates/base.html
  • /docs GitHub discussion and repository-document links in app/templates/docs.html

This is intentionally distinct from the current account/activity link PR #586: this PR does not touch dynamic account/activity links or the failing account-page assertions in that branch. It only covers static public navigation/docs links that remain unmodified on main.

Scope

  • Adds rel="nofollow noopener" to the static GitHub nav link shown in the LTC Lab header.
  • Adds rel="nofollow noopener" to static GitHub documentation/discussion links on /docs.
  • Adds rendered-route regression tests for /docs and the LTC Lab host header path.
  • No wallet, ledger, payout, exchange, bridge, price, liquidity, auth, admin, webhook, or deployment behavior changes.

Validation

  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest tests/test_public_routes.py -q -> 3 passed
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest tests/test_public_routes.py tests/test_hub.py -q -> 7 passed
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest -q -> 450 passed
  • uv run --extra dev python -m ruff check tests/test_public_routes.py -> passed
  • uv run --extra dev python -m ruff format --check tests/test_public_routes.py -> passed
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python scripts/docs_smoke.py -> docs smoke ok
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m mypy app/public_routes.py app/main.py -> success
  • git diff --check -> clean

Safety

No private keys, wallet material, cookies, tokens, OAuth state, signatures, private vulnerability details, deployment credentials, MRWK price claims, exchange claims, bridge claims, liquidity claims, off-ramp claims, or fabricated payout claims are included.

Summary by CodeRabbit

  • Updates

    • External GitHub links in the site navigation and project docs now include security attributes (rel="nofollow noopener") to control link behavior.
  • Tests

    • Added tests verifying GitHub links on the docs and home pages render with the new security attributes.

@coderabbitai

coderabbitai Bot commented May 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 83b09f0f-da44-4cd4-8d45-a60fac590009

📥 Commits

Reviewing files that changed from the base of the PR and between dfaf527 and 081573f.

📒 Files selected for processing (3)
  • app/templates/base.html
  • app/templates/docs.html
  • tests/test_public_routes.py

📝 Walkthrough

Templates now add rel="nofollow noopener" to external GitHub anchor tags in the base and docs templates. Tests were added to assert those attributes appear in the rendered HTML for the home (under ltclab.site) and /docs routes.

Changes

External GitHub link security attributes

| Layer / File(s) | Summary |
| --- | --- |
| Add rel attributes to external GitHub links: app/templates/base.html, app/templates/docs.html | GitHub navigation link in the base template and documentation links in the docs template now include rel="nofollow noopener". |
| Test rel attribute rendering: tests/test_public_routes.py | New tests import TestClient and create_app, then verify /docs renders specific GitHub links with rel="nofollow noopener" and the home route under ltclab.site renders the GitHub nav link with the same attribute. |

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | Title clearly and concretely identifies the change: hardening static GitHub links with rel attributes. Directly matches the changeset across all three modified files. |
| Description check | ✅ Passed | Description includes all required template sections: Summary, Evidence, Scope, Validation with specific command outputs, and Safety confirmation. Comprehensive and complete. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Mergework Public Artifact Hygiene | ✅ Passed | PR adds rel="nofollow noopener" to static GitHub links. No investment, price, cash-out, or fabricated payout claims added. MRWK correctly described as native project coin. |
| Bounty Pr Focus | ✅ Passed | PR diff matches stated scope: 1 hardened link in base.html, 6 in docs.html, 2 new tests covering all URLs. No unrelated files modified. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: a08b9cae-bd25-4a94-8738-a9b04d8e6913

📥 Commits

Reviewing files that changed from the base of the PR and between d4bf32a and f1b0205.

📒 Files selected for processing (3)
  • app/templates/base.html
  • app/templates/docs.html
  • tests/test_public_routes.py

Comment thread tests/test_public_routes.py Outdated
Contributor

@GHX5T-SOL GHX5T-SOL left a comment

Reviewed current head f1b0205 and approve.

Evidence: inspected app/templates/base.html, app/templates/docs.html, and tests/test_public_routes.py. The change adds rel="nofollow noopener" to static GitHub links on the LTC Lab header and docs page without changing internal navigation, and the new tests cover the docs links plus the LTC Lab header link.

Validation: /tmp/mergework-pr590-review-venv/bin/python -m pytest tests/test_public_routes.py -q -> 3 passed; ruff check tests/test_public_routes.py -> pass; ruff format --check tests/test_public_routes.py -> already formatted; mypy app/main.py app/public_routes.py -> success; scripts/docs_smoke.py -> docs smoke ok; git diff --check upstream/main...HEAD -> clean; git merge-tree --write-tree upstream/main HEAD -> clean; gitleaks git over the PR commit -> no leaks. Hosted Quality/readiness/docs/image check is successful. I did not run the full suite because this is a narrow template/public-route change.

@jakerated-r
Contributor Author

Follow-up for CodeRabbit's coverage warning: pushed dfaf527 to assert all six hardened GitHub docs links, not only the original three. This now covers:

  • discussions/16
  • docs/bounty-rules.md
  • docs/paid-bounties.md
  • docs/agent-guide.md
  • docs/api-examples.md
  • docs/ledger.md

Validation after the follow-up:

  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest tests/test_public_routes.py -q -> 3 passed
  • uv run --extra dev python -m ruff check tests/test_public_routes.py -> pass
  • uv run --extra dev python -m ruff format --check tests/test_public_routes.py -> already formatted
  • git diff --check -> clean
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest tests/test_public_routes.py tests/test_hub.py -q -> 7 passed
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python scripts/docs_smoke.py -> docs smoke ok
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m mypy app/public_routes.py app/main.py -> success
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest -q -> 450 passed
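
One way to check the property these tests target, tying each rel value to its own anchor and comparing tokens rather than a fixed string (added example, not code from this PR or the mergework repository; the example-org URLs, AUDITED_HOSTS and unhardened_links are assumptions made for illustration):

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

REQUIRED_REL = frozenset({"nofollow", "noopener"})  # the tokens this PR adds
# Assumption: which hosts count as "GitHub links" for the audit.
AUDITED_HOSTS = frozenset({"github.com", "www.github.com"})


class _AnchorCollector(HTMLParser):
    """Collect (href, rel) for every <a> start tag in the document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr_map = {name: (value or "") for name, value in attrs}
        self.anchors.append((attr_map.get("href", ""), attr_map.get("rel", "")))


def unhardened_links(html):
    """Return hrefs of audited-host links whose rel lacks a required token."""
    collector = _AnchorCollector()
    collector.feed(html)
    collector.close()
    missing = []
    for href, rel in collector.anchors:
        # Exact hostname match, so lookalike hosts are not treated as GitHub.
        host = (urlsplit(href).hostname or "").lower()
        if host not in AUDITED_HOSTS:
            continue  # relative/internal links and other hosts are out of scope
        tokens = {t.lower() for t in rel.split()}  # rel is a space-separated token list
        if not REQUIRED_REL <= tokens:
            missing.append(href)
    return missing


# Constructed sample markup, not the project's templates.
SAMPLE_HTML = """
<nav><a href="/docs">Docs</a>
<a href="https://github.com/example-org/example-repo" rel="noopener nofollow">GitHub</a></nav>
<a href="https://github.com/example-org/example-repo/discussions/16" rel="nofollow">Discussion</a>
<a href="https://github.com/example-org/example-repo/blob/main/docs/ledger.md">Ledger</a>
<a href="https://github.com.lookalike.example/x">Not GitHub</a>
"""

if __name__ == "__main__":
    for href in unhardened_links(SAMPLE_HTML):
        print("missing rel tokens:", href)
```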

@coderabbitai

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

@jakerated-r
Contributor Author

Bounty-focus clarification after the latest automated summary: the current GitHub PR diff is limited to the intended three files for Bounty #576.

Verified against the current upstream base after fetching origin/main:

gh pr diff 590 -R ramimbo/mergework --name-only
app/templates/base.html
app/templates/docs.html
tests/test_public_routes.py

git diff --name-only origin/main...HEAD
app/templates/base.html
app/templates/docs.html
tests/test_public_routes.py

No CSS styling, admin docs, claim-inventory script, or unrelated test files are present in the current PR diff. The follow-up commit only broadened tests/test_public_routes.py assertions to cover all six static docs links flagged in the previous review.

@eliasx45 eliasx45 left a comment

Reviewed current head dfaf527643814c38cbe3158c2dcfb9fb7c05390e.

Verdict: approve.

The current PR diff is limited to the intended three files: app/templates/base.html, app/templates/docs.html, and tests/test_public_routes.py. The earlier automated scope warning about unrelated files is not present against the current base after fetching origin/main. The change consistently adds rel="nofollow noopener" to the static GitHub links in the LTC Lab header and docs page, and the follow-up assertions cover all six static docs GitHub links plus the header link. This remains scoped to public-link hygiene under Bounty #576.

Validation:

  • git diff --name-only origin/main...HEAD -> only the three intended files.
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe -m pytest tests\test_public_routes.py -q -> 3 passed.
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe -m pytest tests\test_public_routes.py tests\test_hub.py -q -> 7 passed.
  • .\.venv\Scripts\python.exe -m ruff check tests\test_public_routes.py -> passed.
  • .\.venv\Scripts\python.exe -m ruff format --check tests\test_public_routes.py -> already formatted.
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe scripts\docs_smoke.py -> docs smoke ok.
  • git diff --check origin/main...HEAD -> clean.
  • git merge-tree --write-tree origin/main HEAD -> clean merge tree.
  • Hosted quality/readiness/docs/image check is successful.

@jakerated-r force-pushed the codex/b576-static-github-link-rel branch from dfaf527 to 081573f on May 28, 2026 21:11
@jakerated-r
Contributor Author

Rebased this PR onto current origin/main after GitHub marked the branch dirty/conflicting. The conflict was only in tests/test_public_routes.py; the resolution preserves both mainline API-results URL coverage and this PR's static GitHub link coverage.

Current diff scope after the rebase is still the intended three files:

gh pr diff 590 -R ramimbo/mergework --name-only
app/templates/base.html
app/templates/docs.html
tests/test_public_routes.py

git diff --name-only origin/main...HEAD
app/templates/base.html
app/templates/docs.html
tests/test_public_routes.py

Rebased head: 081573f727d3d5084821f1e34a1e4dcce38f671a

Validation after the rebase:

  • git merge-tree --write-tree origin/main HEAD -> clean
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest tests/test_public_routes.py -q -> 4 passed
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest tests/test_public_routes.py tests/test_hub.py -q -> 8 passed
  • uv run --extra dev python -m ruff check tests/test_public_routes.py -> passed
  • uv run --extra dev python -m ruff format --check tests/test_public_routes.py -> already formatted
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python scripts/docs_smoke.py -> docs smoke ok
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m mypy app/public_routes.py app/main.py -> success
  • git diff --check origin/main...HEAD -> clean
  • GitHub Actions Quality, readiness, docs, and image checks on 081573f -> success: https://github.com/ramimbo/mergework/actions/runs/26602554942

If the automated bounty-focus warning still mentions CSS/admin/claim-inventory files, that is stale relative to the current PR diff above. No unrelated files are present in the live diff.

@coderabbitai

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

@ramimbo merged commit e00dc75 into ramimbo:main May 28, 2026 (2 checks passed)
@ramimbo added the mrwk:accepted (Maintainer accepted for payout) and mrwk:paid (Ledger payment recorded) labels May 28, 2026

@eliasx45 eliasx45 left a comment

Re-reviewed rebased head 081573f.

Verdict: approve.

The rebase resolved the prior dirty/conflicting state and preserved the intended scope. The live diff is still limited to app/templates/base.html, app/templates/docs.html, and tests/test_public_routes.py. The public-link hygiene behavior from my earlier review remains intact: static GitHub links in the header/docs templates include rel="nofollow noopener", and the tests cover the header plus all six docs GitHub links.

Validation on the rebased head:

  • git diff --name-only origin/main...HEAD -> only the three intended files
  • git merge-tree --write-tree origin/main HEAD -> clean merge tree
  • git diff --check origin/main...HEAD -> clean
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe -m pytest tests\test_public_routes.py tests\test_hub.py -q -> 8 passed
  • .\.venv\Scripts\python.exe -m ruff check tests\test_public_routes.py -> passed
  • .\.venv\Scripts\python.exe -m ruff format --check tests\test_public_routes.py -> 1 file already formatted
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe scripts\docs_smoke.py -> docs smoke ok
  • Hosted quality/readiness/docs/image check is successful
