
Add comprehensive codebase analysis and architecture documentation#7

Draft
Copilot wants to merge 3 commits into master from copilot/analyze-codebase

Conversation

Contributor

Copilot AI commented Jan 22, 2026

Analyzed PyGtk-Posting codebase to document architecture, identify technical debt, and provide actionable improvement roadmap.

Deliverables

CODEBASE_ANALYSIS.md - 14 sections covering:

  • Architecture overview (3-tier desktop app: GTK3 → Python → PostgreSQL/SQLite)
  • Module inventory (181 Python files, ~44k LOC across 13 business domains)
  • Code quality metrics and security analysis
  • Prioritized recommendations (immediate → long-term)

ARCHITECTURE.md - Technical deep-dive with:

  • Component interaction diagrams (startup, invoice workflow, LISTEN/NOTIFY broadcast)
  • Transaction factory pattern for double-entry accounting
  • Multi-user deployment models
  • Extension points for custom reports and modules

SQL_INJECTION_ANALYSIS.md - Detailed security vulnerability report:

  • 4 SQL injection vulnerabilities identified with exact line numbers
  • Severity assessment (2 HIGH exploitable, 1 HIGH dead code, 1 MEDIUM)
  • Exploitation scenarios and attack examples
  • Specific remediation steps with secure code examples
  • False positive analysis (verified safe modules)

Key Findings

High-priority security issues:

  • 4 SQL injection vulnerabilities identified:
    • src/documents_window.py line 112 (HIGH - exploitable via drag-and-drop)
    • src/complete_search.py lines 90-91 (HIGH - exploitable via TreeView)
    • src/kit_products.py line 61 (HIGH - dead code, not currently executed)
    • src/db/database_tools.py line 219 (MEDIUM - database creation)
  • Minimal test coverage (2 files, py3o module only)
  • Plain text password storage in SQLite

Notable patterns:

  • Real-time synchronization via PostgreSQL LISTEN/NOTIFY (1s poll interval)
  • GTK Builder pattern with 141 .ui Glade files
  • Transaction factory classes ensure GL entry integrity (debits = credits)

Largest files requiring refactor:

  • purchase_order_window.py (1,325 LOC)
  • invoice_window.py (1,174 LOC)
  • db/transactor.py (763 LOC)

Overall assessment: Production-ready core with solid accounting domain modeling; needs testing infrastructure and security hardening. Immediate action required to fix exploitable SQL injection vulnerabilities in documents_window.py and complete_search.py.

Original prompt

analyze codebase



Co-authored-by: benreu <24444193+benreu@users.noreply.github.com>
Copilot AI changed the title [WIP] Analyze the codebase for improvements Add comprehensive codebase analysis and architecture documentation Jan 22, 2026
Copilot AI requested a review from benreu January 22, 2026 12:53
Owner

benreu commented Jan 22, 2026

@copilot which modules suffer from sql injection?

Co-authored-by: benreu <24444193+benreu@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 22, 2026

@copilot which modules suffer from sql injection?

I've identified 4 SQL injection vulnerabilities (commit fd6c61d):

HIGH Severity (actively exploitable):

  • src/documents_window.py line 112 - drag-and-drop handler using % (table, _id_)
  • src/complete_search.py lines 90-91 - TreeView handler using % (schema, table, ctid)

HIGH Severity (dead code, early return):

  • src/kit_products.py line 61 - drag-and-drop handler (not currently executed)

MEDIUM Severity:

  • src/db/database_tools.py line 219 - CREATE DATABASE using % db_name

The files I initially mentioned (transactor.py, purchase_ordering.py, pay_stub.py) actually use proper parameterized queries and are safe.

See SQL_INJECTION_ANALYSIS.md for detailed analysis, exploitation scenarios, and remediation steps for each vulnerability.
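The defect class named in both comments above (untrusted values %-formatted into SQL text in the drag-and-drop, TreeView and CREATE DATABASE handlers) and the remediation the first comment promises (parameterized queries) are shown together below as an added example. It is illustrative code written for this page, not PyGtk-Posting's own: the `documents` table, its rows, the `ALLOWED_TABLES` allow-list and the `fetch_*`/`flag_string_built_sql` helpers are all constructed, and sqlite3 stands in for the project's PostgreSQL connection (psycopg2 binds values with `%s` where sqlite3 uses `?`; the guard logic is the same).

```python
"""Added example: the SQL-construction defect class flagged in this PR and one
way to close it. Illustrative code, not PyGtk-Posting's own; the table, rows
and allow-list are constructed, and sqlite3 stands in for PostgreSQL."""
import re
import sqlite3

# Assumption: the application knows the fixed set of tables a drop target may read.
ALLOWED_TABLES = {"documents", "products"}


def setup_db():
    """Constructed in-memory sample data, not the project's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO documents (id, name, owner) VALUES (?, ?, ?)",
        [(1, "invoice-001.pdf", "alice"),
         (2, "payroll.pdf", "bob"),
         (3, "contract.pdf", "carol")],
    )
    conn.commit()
    return conn


def fetch_vulnerable(conn, table, _id_):
    """The pattern the PR flags: untrusted values %-formatted into the SQL text.
    Whatever arrives in _id_ becomes part of the statement, so a value such as
    '1 OR 1=1' rewrites the WHERE clause instead of being compared as a number."""
    query = "SELECT name FROM %s WHERE id = %s" % (table, _id_)
    return [row[0] for row in conn.execute(query)]


def fetch_hardened(conn, table, _id_):
    """Remediation: values are bound as parameters, never concatenated, and
    identifiers (which cannot be bound) are checked against an allow-list and
    double-quoted before use."""
    if table not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % (table,))
    try:
        row_id = int(_id_)          # the id is expected to be an integer key
    except (TypeError, ValueError):
        raise ValueError("row id must be an integer, got %r" % (_id_,))
    query = 'SELECT name FROM "%s" WHERE id = ?' % table   # table from allow-list only
    return [row[0] for row in conn.execute(query, (row_id,))]


def hardened_rejects(conn, table, _id_):
    """True when fetch_hardened refuses the input (used to exercise the guards)."""
    try:
        fetch_hardened(conn, table, _id_)
    except ValueError:
        return True
    return False


# A cheap review-time check: lines that hand .execute() a %-formatted, .format()ed
# or f-string query. Driver placeholders like "... = %s", (value,) are not matched.
FORMAT_IN_EXECUTE = re.compile(
    r"\.execute\s*\(.*(?:%\s*\(|['\"]\s*%\s*[A-Za-z_]|\.format\(|\bf['\"])"
)


def flag_string_built_sql(source):
    """Return 1-based line numbers whose execute() call builds SQL from strings."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if FORMAT_IN_EXECUTE.search(line)]


# Constructed sample source, modelled on the shapes named in the PR comment.
SAMPLE_SOURCE = '''\
cursor.execute("SELECT * FROM %s WHERE id = %s" % (table, _id_))
cursor.execute("SELECT * FROM documents WHERE id = %s", (_id_,))
cursor.execute("CREATE DATABASE %s" % db_name)
'''

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, crafted id :", fetch_vulnerable(conn, "documents", "1 OR 1=1"))
    print("hardened, valid id     :", fetch_hardened(conn, "documents", "1"))
    print("hardened rejects       :", hardened_rejects(conn, "documents", "1 OR 1=1"))
    print("flagged lines          :", flag_string_built_sql(SAMPLE_SOURCE))
```

The split between values and identifiers is the point worth keeping in mind when remediating the CREATE DATABASE case: a database or table name cannot be passed as a bound parameter, so the fix there is an allow-list or strict validation plus proper identifier quoting (psycopg2 offers `psycopg2.sql.Identifier` for this), not `%s` binding. The `flag_string_built_sql` scan deliberately ignores the driver's own `%s` placeholders so it does not flag the parameterized modules the second comment lists as safe.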
