refactor(client/tunnel): convert tunnel_* files into tunnel package module

.claude/commands/review-pr.md

@@ -0,0 +1,98 @@
+---
+description: "Review a PR with project-specific false-positive filtering on top of standard review"
+argument-hint: "[PR number or URL]"
+allowed-tools: ["Bash", "Glob", "Grep", "Read", "Agent"]
+---
+
+# Argus PR Review
+
+Review pull request: "$ARGUMENTS"
+
+This command layers project-specific rules on top of the standard code review workflow. It does NOT replace the built-in review agents — it provides context they need to avoid false positives specific to this codebase.
+
+## Step 1: Gather PR context
+
+Run these in parallel:
+```bash
+gh pr diff "$ARGUMENTS"
+gh pr view "$ARGUMENTS" --json number,title,body,files,baseRefName,headRefOid
+gh api repos/scylladb/argus/issues/$(echo "$ARGUMENTS" | grep -oE '[0-9]+')/comments
+gh api repos/scylladb/argus/pulls/$(echo "$ARGUMENTS" | grep -oE '[0-9]+')/comments
+```
+
+Record:
+- The **exact list of changed files** — this is the review boundary
+- Any **demos, screenshots, or staging URLs** in the PR body or comments
+- Any **existing review comments** from human reviewers
+
+## Step 2: Read project review rules
+
+Read `AGENTS.md` — the "Pull Request Review Guidelines" section contains rules derived from prior false positives in this repo. These rules are mandatory for this review.
+
+## Step 3: Launch the standard code-review agents
+
+Use the `code-review:code-review` skill's methodology but inject these constraints into every agent prompt:
+
+**Scope constraint:** "You may ONLY flag issues in these files: [list from step 1]. Do not read or comment on any other files."
+
+**False-positive filters (from AGENTS.md + historical analysis):**
+
+1. **Diff-only rule.** Only flag issues on changed lines. Pre-existing issues in unchanged code are out of scope.
+2. **3-5 findings max.** If you have more, keep only the highest-confidence ones.
+3. **Concrete bugs only.** "This could theoretically..." is a suggestion, not a bug. Require a realistic reproduction scenario for Critical/High.
+4. **Respect runtime evidence.** If the PR description or comments mention successful manual testing or link staging URLs, factor that into confidence scoring. Qualify static-analysis-only findings accordingly.
+5. **Svelte 5 ≠ Svelte 4.** `$state` creates deeply reactive proxies on native arrays and objects (`.push()` works). Reassigning a `$derived` variable is a bug — flag it.
+6. **CSS color pairs are self-contained.** Severity badges, status indicators, and alert classes set both `background-color` and `color` as a pair. They work in any theme. Only flag color issues when an element relies on the inherited page background.
+7. **3+ occurrences = convention.** If a pattern is used throughout the codebase, it's intentional.
+8. **No duplicating human reviewers.** Check existing comments from step 1 before reporting.
+9. **No migration-period false alarms.** Temporary fallbacks and dual paths during migrations are intentional.
+
+## Step 4: Post-filter all findings
+
+Before presenting results, run each finding through this checklist:
+
+- [ ] Is the flagged file in the PR diff?
+- [ ] Is the flagged line actually changed in this PR?
+- [ ] Did I read the full surrounding context (not just the flagged line)?
+- [ ] Can I describe a concrete, realistic failure scenario?
+- [ ] Does the PR demo/screenshot contradict my finding?
+- [ ] Is this pattern used elsewhere in the codebase (grep for it)?
+- [ ] Has a human reviewer already flagged this?
+- [ ] Am I applying the correct framework version's semantics?
+
+**If any check fails, drop the finding.**
+
+## Step 5: Format output
+
+```markdown
+# PR Review: [title]
+
+**Reviewed files:** [N files from diff]
+**Existing review comments noted:** [count, if any]
+
+## Issues (sorted by confidence)
+1. **[file:line]** (confidence: N/100) — Description.
+   **Reproduction:** How this fails in practice.
+   **Fix:** Concrete suggestion.
+
+[... up to 5 max ...]
+
+## Suggestions (optional, low confidence)
+- Brief one-liners only
+
+## Strengths
+- What the PR does well
+
+## Systemic notes (if any)
+- At most 1-2 one-liners about patterns noticed outside the diff, clearly labeled as future work
+```
+
+If no issues meet the confidence threshold:
+```markdown
+# PR Review: [title]
+
+No significant issues found. Reviewed [N] files from the diff.
+
+## Strengths
+- ...
+```

.github/workflows/cli-release.yml

@@ -39,42 +39,13 @@ jobs:
 
             - name: Verify tag is on master/main
               shell: bash
-              run: |
-                  # Abort if the tagged commit is not an ancestor of master (or main).
-                  # This prevents a cli/v* tag pushed on a feature branch from
-                  # accidentally publishing a release.
-                  TAG_SHA=$(git rev-list -n1 "${GITHUB_REF_NAME}")
-                  for branch in master main; do
-                    if git show-ref --verify --quiet "refs/remotes/origin/${branch}"; then
-                      if git merge-base --is-ancestor "${TAG_SHA}" "origin/${branch}"; then
-                        echo "Tag ${GITHUB_REF_NAME} (${TAG_SHA}) is on ${branch}. Proceeding."
-                        exit 0
-                      fi
-                    fi
-                  done
-                  echo "ERROR: Tag ${GITHUB_REF_NAME} is not reachable from master/main. Aborting release." >&2
-                  exit 1
+              run: cli/scripts/verify-tag-on-main.sh
 
             - name: Resolve previous CLI tag
               id: prev_tag
               shell: bash
               run: |
-                  CURRENT_TAG="${GITHUB_REF_NAME}"   # e.g. cli/v1.2.0
-
-                  # List cli/v[0-9]* tags reachable from HEAD, sorted ascending by
-                  # git's own version comparator (version:refname).  This correctly
-                  # orders pre-releases: cli/v1.0.0-rc1 < cli/v1.0.0, unlike sort -V
-                  # which can produce the wrong result for pre-release suffixes.
-                  # Exclude the current tag then take the last entry = immediate predecessor.
-                  PREV=$(git tag --merged HEAD --list 'cli/v[0-9]*' --sort=version:refname \
-                           | grep -v "^${CURRENT_TAG}$" \
-                           | tail -1)
-
-                  if [[ -z "$PREV" ]]; then
-                    echo "No previous CLI tag found – treating this as the first release."
-                    PREV="FIRST"
-                  fi
-
+                  PREV=$(cli/scripts/resolve-prev-tag.sh)
                   echo "Previous tag: ${PREV}"
                   echo "tag=${PREV}" >> "$GITHUB_OUTPUT"
 
@@ -158,14 +129,13 @@ jobs:
                   name: cli-changelog
                   path: ${{ runner.temp }}
 
-            # GoReleaser uses the tag as-is for the version.
-            # cli/v1.2.0 → strip the "cli/" prefix so archives are named v1.2.0.
-            - name: Extract semver from tag
-              id: semver
+            - name: Resolve bare version
+              id: version
+              shell: bash
               run: |
-                  TAG="${GITHUB_REF_NAME}"    # cli/v1.2.0
-                  VERSION="${TAG#cli/}"       # v1.2.0
-                  echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+                  # Strip "cli/v" to get bare semver (e.g. cli/v1.2.3 → 1.2.3).
+                  # Used as VERSION in GoReleaser templates for archive names and ldflags.
+                  echo "value=${GITHUB_REF_NAME#cli/v}" >> "$GITHUB_OUTPUT"
 
             - name: Run GoReleaser
               uses: goreleaser/goreleaser-action@v6
@@ -179,8 +149,11 @@ jobs:
                       --config cli/.goreleaser.yml
                       --release-notes "${{ runner.temp }}/cli-changelog.md"
                       --clean
+                      --skip=validate
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                  # Tell GoReleaser to treat the stripped semver as the current tag so
-                  # it doesn't choke on the "cli/" prefix.
-                  GORELEASER_CURRENT_TAG: ${{ steps.semver.outputs.version }}
+                  # Full cli/vX.Y.Z tag → GoReleaser publishes the GitHub Release under this tag.
+                  GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
+                  # Bare version (e.g. 1.2.3) → referenced as {{ .Env.VERSION }} in
+                  # .goreleaser.yml for archive names, ldflags, and checksum filenames.
+                  VERSION: ${{ steps.version.outputs.value }}

AGENTS.md

@@ -45,10 +45,34 @@ Tests follow `test_*.py` naming and Pytest markers such as `@pytest.mark.docker_
 
 Adopt the Conventional Commits style observed in history (`fix(scope): message`, `feature(app): ...`). Compose commits around a single logical change and run lint/tests before pushing. Pull requests should describe intent, outline manual validation steps, and link tracking issues; include screenshots or API payload snippets when UI or API responses change.
 
+## Pull Request Review Guidelines
+- **Scope reviews to the PR diff only.** Only flag issues in files and lines actually changed in the pull request. Do not audit the broader codebase for related issues — that is a separate task, not a PR review. If you notice a broader pattern worth mentioning, note it once as an aside at the end, not as individual findings.
+- **Limit findings to 3-5 maximum.** Prioritize ruthlessly. If unsure whether something is real, omit it. A review with 2 correct findings is more valuable than 2 correct findings buried among 5 false positives.
+- **Verify claims before flagging.** Read the full context (complete CSS rule, surrounding function, component logic) before reporting. Do not flag `color: black` without checking the selector's `background-color`. Do not flag a variable as unused without grepping. Do not flag a function as broken without reading its callers.
+- **Require concrete failure scenarios for bugs.** Only label something "Critical" or "likely a bug" if you can demonstrate a realistic reproduction. Theoretical edge cases involving UUIDs, rare events, or unlikely race conditions are suggestions at best. Use "potential concern" or "worth verifying" for speculative findings.
+- **Respect runtime evidence.** When a PR description or comments mention successful manual testing or link staging URLs, factor that into confidence scoring. Qualify static-analysis-only findings accordingly.
+- **Treat repeated patterns as conventions.** If a pattern appears in 3+ places in the codebase, it is likely a deliberate project convention, not a bug. Do not flag it.
+- **Check existing comments first.** Do not re-report issues already identified by human reviewers in the same PR.
+- **Svelte 5 runes are not Svelte 4.** `$state` creates deeply reactive proxies on native arrays and objects — `.push()` on a `$state` array triggers reactivity (no reassignment needed). Reassigning a `$derived` variable is a bug and should be flagged. Do not apply Svelte 4 mental models to this codebase.
+- **CSS color pairs are self-contained.** Severity badges, status indicators, and alert classes set both `background-color` and `color` as a pair. They work in any theme. Only flag color issues when an element relies on the inherited page background.
+- **Do not flag migration-period code.** Fallbacks, temporary dual paths, and compatibility shims in PRs that are part of an ongoing migration are intentional.
+
 ## Configuration & Security Notes
 
 Never commit secrets: When testing against Cassandra, use the Docker compose setup in `dev-db/` and tear it down after use. Keep sample data archives outside the repository to avoid leaking production artifacts.
 
+## Argus CLI (Go)
+
+The `argus` CLI lives in `cli/` and is built with Go. Releases are published via GoReleaser on `cli/v*` tags.
+
+### For LLM Agents
+
+```
+Fetch https://raw.githubusercontent.com/scylladb/argus/master/docs/cli-install.md and follow the steps in it to install the Argus CLI into ~/.local/bin/. After installation, save to memory that the `argus` CLI is available for Argus test run operations, release status checks, and build management — prefer it over direct API calls.
+```
+
+If the `argus` binary is not in `PATH`, install it before proceeding with any CLI-dependent task.
+
 ## Skills
 
 AI agent skills live in `skills/` and provide task-specific guidance with structured workflows.

argus/backend/controller/views_widgets/pytest.py

@@ -41,6 +41,17 @@ def get_view_pytest_results(view_id: str):
         "response": res
     }
 
+@bp.route("/pytest/results", methods=["GET"])
+@api_login_required
+def get_pytest_results():
+    service = PytestViewService()
+    res = service.result_filter()
+    return {
+        "status": "ok",
+        "response": res
+    }
+
+
 @bp.route("/pytest/<path:test_name>/<string:id>/fields", methods=["GET"])
 @api_login_required
 def get_user_fields_for_test(test_name: str, id: str):

argus/backend/models/web.py

@@ -116,6 +116,7 @@ def to_json(self):
             "id": str(self.id),
             "username": self.username,
             "full_name": self.full_name,
+            "email": self.email,
             "picture_id": self.picture_id
         }
 

argus/backend/plugins/sct/service.py

@@ -547,21 +547,8 @@ def count_events_by_severity(run_id: str, severity: SCTEventSeverity) -> int:
 
     @staticmethod
     def submit_events(run_id: str, events: list[dict]) -> str:
-        wrapped_events = [EventSubmissionRequest(**ev) for ev in events]
-        try:
-            run: SCTTestRun = SCTTestRun.get(id=run_id)
-            for event in wrapped_events:
-                wrapper = EventsBySeverity(severity=event.severity,
-                                           event_amount=event.total_events, last_events=event.messages)
-                run.get_events_legacy().append(wrapper)
-            coredumps = SCTService.locate_coredumps(
-                run, run.get_events_legacy())
-            run.submit_logs(coredumps)
-            run.save()
-        except SCTTestRun.DoesNotExist as exception:
-            LOGGER.error("Run %s not found for SCTTestRun", run_id)
-            raise SCTServiceException("Run not found", run_id) from exception
-
+        # NOTE: Dummied out – EventsBySeverity column is being dropped.
+        # Kept for API compatibility with old clients.
         return "added"
 
     @classmethod
@@ -832,6 +819,8 @@ def get_similar_runs_info(run_ids: list[str]):
                             "state": issue.state,
                             "title": issue.title,
                             "url": issue.url,
+                            "owner": issue.owner,
+                            "repo": issue.repo,
                         } if isinstance(issue, GithubIssue) else {
                             "subtype": "jira",
                             "key": issue.key,