feat(workstream-c): cheatsheet categorization and grouping

[shreeshtripurwarcomp23-coder]

Workstream C — Categorization and Optional Grouping

Closes Issue C from the RFC: Autonomous LLM Pipeline for OWASP Cheat Sheet to CRE Mapping

What this PR delivers

• categorize_cheatsheet(record) — labels cheat sheets using a 29-label controlled taxonomy via deterministic keyword matching
• group_cheatsheets(records) — groups cheat sheets by category with stable sha256-based group IDs
• LLM-optional path with full fallback to deterministic mode on any failure
• 50 tests covering all 5 acceptance criteria from RFC Issue C

Checklist

• C1 — Taxonomy defined (29 controlled labels, single source of truth)
• C2 — Deterministic rule-based categorizer
• C3 — Grouping with stable IDs across repeated runs
• C4 — LLM-optional path with safe fallback
• C5 — 50 tests, all passing

Acceptance criteria met

• Labels only from approved taxonomy
• Same input → same output (deterministic)
• Group IDs stable across runs
• Unknown inputs → uncategorized, no crash
• 3+ categories + unknown case covered in tests

Note

CheatsheetRecord is currently a local stub matching the RFC contract exactly. Will be replaced with Workstream B's import once their PR merges — one line change, no logic affected.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Summary by CodeRabbit

• New Features

  • Added cheatsheet categorization and grouping system with intelligent keyword-based organization.
  • Improved smartlink navigation: direct redirect to single linked resource instead of intermediate page.

• Tests

  • Added comprehensive test suite for cheatsheet categorization and grouping functionality.

• Chores

  • Enhanced telemetry data with import run records and event tracking.

Walkthrough

This PR adds a new cheatsheet_categorizer module with a controlled taxonomy, deterministic keyword-to-label matching, optional LLM-based labeling with safe fallback, and stable grouping via CheatsheetGroup. A corresponding test suite covers all code paths. Separately, the smartlink route gains a fast-path redirect to /cre/<id> when a node has exactly one CRE link.

Changes

Cheatsheet Categorizer Module

Layer / File(s)	Summary
Taxonomy, keyword rules, and data contracts application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py	Defines module context, TAXONOMY and UNCATEGORIZED sentinel, ordered keyword-to-label rules, CheatsheetRecord dataclass with __post_init__ validation, and CheatsheetGroup dataclass with deterministic make_group_id via truncated SHA-256.
categorize_cheatsheet, group_cheatsheets, and internal helpers application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py	Implements categorize_cheatsheet with optional LLM invocation, label validation, and deterministic fallback; group_cheatsheets bucketing by group_id and sorting; _build_searchable_text, _deterministic_categorize keyword scan, and _validate_labels filtering.
Cheatsheet categorizer test suite application/tests/test_cheatsheet_categorizer.py	Full unit test suite covering taxonomy integrity, deterministic categorization with sorting/deduplication, UNCATEGORIZED fallback, all LLM-path variants with injection and fallback scenarios, group_cheatsheets behavior and ordering, make_group_id determinism and format, _validate_labels filtering, and _deterministic_categorize expectations.

Smartlink Single-CRE Redirect

Layer / File(s)	Summary
Single-CRE fast-path in smartlink route and test update application/web/web_main.py, application/tests/web_main_test.py	Inserts a redirect to /cre/<cre_id> in the smartlink handler when the resolved node has exactly one CRE link; updates test_smartlink to assert 302 redirects to /cre/ pages for single-CRE cases and adds a second linked CRE fixture for the multi-CRE path.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 43.48% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: implementing cheatsheet categorization and grouping functionality as part of Workstream C.
Description check	✅ Passed	The description thoroughly explains the PR's purpose, deliverables, acceptance criteria, and implementation details related to the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Biome (2.4.16)

import_telemetry.json

File contains syntax errors that prevent linting: Line 2: End of file expected; Line 3: End of file expected; Line 4: End of file expected; Line 5: End of file expected; Line 6: End of file expected; Line 7: End of file expected; Line 8: End of file expected; Line 9: End of file expected; Line 10: End of file expected; Line 11: End of file expected; Line 12: End of file expected; Line 13: End of file expected; Line 14: End of file expected; Line 15: End of file expected; Line 16: End of file expected; Line 17: End of file expected; Line 18: End of file expected; Line 19: End of file expected; Line 20: End of file expected; Line 21: End of file expected; Line 22: End of file expected; Line 23: End of file expected; Line 24: End of file expected; Line 25: End of file expected

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@application/tests/test_cheatsheet_categorizer.py`:
- Around line 330-344: Both test_same_category_same_group and
test_different_categories_different_groups contain assertions guarded by
conditional statements, allowing them to pass without testing anything if the
categorization unexpectedly changes. Fix this by converting the conditional
guards into direct assertions that verify the expected label relationships
first. In test_same_category_same_group, change the if statement to
self.assertEqual(auth_labels, pwd_labels) so the label equality is asserted
unconditionally, then follow with the grouping assertions. Similarly, in
test_different_categories_different_groups, change the if statement to
self.assertNotEqual(auth_labels, secrets_labels) to unconditionally assert the
labels differ, then follow with the grouping assertions. This ensures these
tests fail if categorization behavior changes unexpectedly.

In
`@application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py`:
- Around line 343-349: The loop variable `l` (lowercase letter L) on lines 343
and 346 violates Ruff E741 linting rules because it is ambiguous and looks like
the number 1. Rename this variable to a more descriptive name like `label`
throughout the code block. Replace `l` in the list comprehension (valid = [l for
l in labels...]), in the for loop declaration (for l in valid:), and in the
conditional check (if l not in seen:) and subsequent operations
(deduped.append(l) and seen.add(l)) with the new variable name to satisfy lint
requirements.
- Around line 170-189: The CheatsheetRecord dataclass documents that required
fields (source, source_id, title, hyperlink, summary, headings,
raw_markdown_path) must be non-empty strings or lists after normalization, but
this constraint is not enforced. Add a __post_init__ method to the
CheatsheetRecord dataclass that validates each required field is non-empty
(non-empty string or non-empty list), raising a descriptive ValueError with
field-level details if any required field is empty or invalid.
- Around line 209-211: The make_group_id function does not properly implement
set-based behavior because it sorts the labels list directly without removing
duplicates. When duplicate labels exist, different label sets produce different
hashes, violating the documented set-based contract. Fix this by converting the
labels parameter to a set before sorting it, so that duplicate labels are
eliminated and semantically equivalent label sets always produce the same stable
hash.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 39b63327-3bdc-452c-bd18-66396c5b7cb8

📥 Commits

Reviewing files that changed from the base of the PR and between e853cd3 and 43cd7e5.

📒 Files selected for processing (4)

• application/tests/test_cheatsheet_categorizer.py
• application/tests/web_main_test.py
• application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py
• application/web/web_main.py

[coderabbitai]

♻️ Duplicate comments (1)

application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py (1)

194-210: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate list fields in __post_init__ to prevent categorize_cheatsheet runtime crashes.

CheatsheetRecord.__post_init__ currently guards only required string fields. If headings/category_hints contain non-strings, Line 342 (" ".join(parts)) can raise TypeError, which breaks the “unknown input should not crash” behavior.

Proposed fix

 def __post_init__(self) -> None:
@@
         for fname in required_str_fields:
             value = getattr(self, fname)
             if not isinstance(value, str) or not value.strip():
                 raise ValueError(
                     f"CheatsheetRecord.{fname} must be a non-empty string, "
                     f"got {value!r}"
                 )
+
+        required_list_fields = ["headings", "category_hints"]
+        for fname in required_list_fields:
+            value = getattr(self, fname)
+            if not isinstance(value, list):
+                raise ValueError(f"CheatsheetRecord.{fname} must be a list, got {type(value).__name__}")
+            if any(not isinstance(item, str) for item in value):
+                raise ValueError(f"CheatsheetRecord.{fname} must contain only strings")

Also applies to: 339-342

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py`
around lines 194 - 210, The __post_init__ method in CheatsheetRecord currently
validates only string fields but does not validate the list fields headings and
category_hints. If these list fields contain non-string values, the "
".join(parts) call in categorize_cheatsheet will raise a TypeError at runtime.
Add validation in __post_init__ to ensure that headings and category_hints are
present and contain only string elements, raising a ValueError with a
descriptive message if validation fails. This will prevent runtime crashes when
non-string values are passed in these list fields.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In
`@application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py`:
- Around line 194-210: The __post_init__ method in CheatsheetRecord currently
validates only string fields but does not validate the list fields headings and
category_hints. If these list fields contain non-string values, the "
".join(parts) call in categorize_cheatsheet will raise a TypeError at runtime.
Add validation in __post_init__ to ensure that headings and category_hints are
present and contain only string elements, raising a ValueError with a
descriptive message if validation fails. This will prevent runtime crashes when
non-string values are passed in these list fields.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 0859c5cd-3886-42e4-96f8-08c6c3dfe810

📥 Commits

Reviewing files that changed from the base of the PR and between 484afac and 604e85a.

📒 Files selected for processing (2)

• application/tests/test_cheatsheet_categorizer.py
• application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py

🚧 Files skipped from review as they are similar to previous changes (1)

• application/tests/test_cheatsheet_categorizer.py

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py (2)

341-341: ⚡ Quick win

Prefer iterable unpacking for list construction.

As flagged by Ruff RUF005, iterable unpacking is more idiomatic than list concatenation in Python.

♻️ Proposed refactor

-    parts = [record.title] + record.headings + record.category_hints
+    parts = [record.title, *record.headings, *record.category_hints]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py`
at line 341, The list construction at the assignment to parts uses the +
operator for list concatenation, which is less idiomatic than iterable unpacking
in Python. Replace the list concatenation using + operators with iterable
unpacking syntax by converting the assignment to use a single list literal with
the record.title element followed by *record.headings and *record.category_hints
unpacking operators to combine all the elements into the parts list.

Source: Linters/SAST tools

---

318-318: 💤 Low value

Consider adding specific type hint for bucket.

The generic dict type hint could be more specific as dict[str, CheatsheetGroup] for better type safety and IDE support.

♻️ Proposed type hint improvement

-    bucket: dict = {}
+    bucket: dict[str, CheatsheetGroup] = {}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py`
at line 318, The `bucket` variable in the cheatsheet_categorizer.py file is
using a generic `dict` type hint, which lacks specificity and reduces IDE type
safety. Replace the type hint from `dict` to `dict[str, CheatsheetGroup]` to
explicitly indicate that the bucket dictionary maps string keys to
CheatsheetGroup values. Ensure that CheatsheetGroup is properly imported or
available in the scope where this change is made.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py`:
- Around line 194-210: The __post_init__ method in the CheatsheetRecord class
validates required string fields but omits validation for the required headings
field. Add validation after the existing string field checks to ensure the
headings field is present and is a non-empty list, raising a ValueError with an
appropriate message if it is missing, not a list, or empty, maintaining
consistency with the error message format used for string field validation.

---

Nitpick comments:
In
`@application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py`:
- Line 341: The list construction at the assignment to parts uses the + operator
for list concatenation, which is less idiomatic than iterable unpacking in
Python. Replace the list concatenation using + operators with iterable unpacking
syntax by converting the assignment to use a single list literal with the
record.title element followed by *record.headings and *record.category_hints
unpacking operators to combine all the elements into the parts list.
- Line 318: The `bucket` variable in the cheatsheet_categorizer.py file is using
a generic `dict` type hint, which lacks specificity and reduces IDE type safety.
Replace the type hint from `dict` to `dict[str, CheatsheetGroup]` to explicitly
indicate that the bucket dictionary maps string keys to CheatsheetGroup values.
Ensure that CheatsheetGroup is properly imported or available in the scope where
this change is made.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 2c123407-b815-4a80-a0a0-d553c11b3de7

📥 Commits

Reviewing files that changed from the base of the PR and between 604e85a and 99be263.

📒 Files selected for processing (4)

• application/tests/test_cheatsheet_categorizer.py
• application/tests/web_main_test.py
• application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py
• application/web/web_main.py

🚧 Files skipped from review as they are similar to previous changes (3)

• application/tests/web_main_test.py
• application/web/web_main.py
• application/tests/test_cheatsheet_categorizer.py

[coderabbitai]

This command requires write access to the repository. Only users with write or admin permissions can trigger CodeRabbit to commit or create pull requests.

[Bornunique911]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

♻️ Duplicate comments (1)

application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py (1)

194-210: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing validation for required headings field.

This issue was already flagged in a previous review comment. The __post_init__ method validates required string fields but does not check the headings field. According to line 181, "Required fields must be non-empty strings / lists after normalisation," but headings (line 189) is a required field with no default that is not validated. An empty list or non-list value would violate the contract.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py`
around lines 194 - 210, The `__post_init__` method in the CheatsheetRecord class
validates required string fields but is missing validation for the `headings`
field, which is also a required field according to the class design. Add
validation logic after the existing string field validation loop to check that
`headings` is a non-empty list and raise a ValueError with a descriptive message
if it is not a list, is empty, or has no valid content, following the same
pattern and structure as the string field validation checks above it.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In
`@application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py`:
- Around line 194-210: The `__post_init__` method in the CheatsheetRecord class
validates required string fields but is missing validation for the `headings`
field, which is also a required field according to the class design. Add
validation logic after the existing string field validation loop to check that
`headings` is a non-empty list and raise a ValueError with a descriptive message
if it is not a list, is empty, or has no valid content, following the same
pattern and structure as the string field validation checks above it.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: bdc441f9-0dab-4e63-9b95-9b14ab8ce2fb

📥 Commits

Reviewing files that changed from the base of the PR and between 99be263 and 86088d4.

📒 Files selected for processing (2)

• application/tests/web_main_test.py
• application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py

🚧 Files skipped from review as they are similar to previous changes (1)

• application/tests/web_main_test.py

[shreeshtripurwarcomp23-coder]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

import_telemetry.json (1)

1-25: 💤 Low value

Biome parse errors are false positives for NDJSON format.

The static analysis tool Biome (a JavaScript/TypeScript linter) is reporting parse errors because it expects a single JSON object, but this file uses NDJSON (newline-delimited JSON) format where each line is a separate JSON object. This is the correct format per the upstream emit_import_event implementation that writes json.dumps(event) + "\n".

If this file is meant to be committed, consider excluding it from Biome checks by adding it to the Biome ignore configuration, or document that these errors are expected for NDJSON files.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@import_telemetry.json` around lines 1 - 25, The import_telemetry.json file
contains NDJSON format (newline-delimited JSON) where each line is a separate
valid JSON object, which matches the upstream emit_import_event implementation
that writes json.dumps(event) + "\n". Biome is incorrectly reporting parse
errors because it expects a single JSON object. Add the import_telemetry.json
file to the Biome ignore configuration in your biome.json config file by adding
the file path to the ignore patterns or files list, so Biome will skip linting
this file and these false positive errors will be resolved.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@import_telemetry.json`:
- Around line 1-25: The file import_telemetry.json contains transient runtime
telemetry data generated by the telemetry.py module during test execution and
should not be committed to version control. Delete import_telemetry.json from
the repository and add the filename to the .gitignore file to prevent accidental
commits of future telemetry artifacts generated during local development.

---

Nitpick comments:
In `@import_telemetry.json`:
- Around line 1-25: The import_telemetry.json file contains NDJSON format
(newline-delimited JSON) where each line is a separate valid JSON object, which
matches the upstream emit_import_event implementation that writes
json.dumps(event) + "\n". Biome is incorrectly reporting parse errors because it
expects a single JSON object. Add the import_telemetry.json file to the Biome
ignore configuration in your biome.json config file by adding the file path to
the ignore patterns or files list, so Biome will skip linting this file and
these false positive errors will be resolved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 6897a458-7002-46e1-a2b9-1804bd249296

📥 Commits

Reviewing files that changed from the base of the PR and between 99be263 and 931dace.

📒 Files selected for processing (3)

• application/tests/web_main_test.py
• application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py
• import_telemetry.json

🚧 Files skipped from review as they are similar to previous changes (1)

• application/utils/external_project_parsers/parsers/cheatsheet_categorizer.py