- Git branch and remote configuration.
- Working tree status, including staged, modified, and untracked files.
- Recent commit history.
- Local
HEADversusorigin/main.
git branch --show-currentgit remote -vgit status --short --branchgit log --oneline --decorate -n 12git fetch --all --prune --tagsgit symbolic-ref refs/remotes/origin/HEADgit rev-list --left-right --count HEAD...origin/maingit diff --name-statusgit diff --cached --name-statusgit ls-files --others --exclude-standard
- Current branch:
main - Remote:
origin https://github.com/westkitty/DexKeeper_Bot - Remote default branch:
origin/main - Local
HEAD:d3ba5bd(docs: refresh download links) - Ahead/behind versus
origin/main:0 / 0 - No tracked modified files.
- No staged files.
- One pre-existing untracked file in the repo root:
BIBLE.md
- The checkout matched
origin/mainexactly. - The tree was clean for tracked files.
- The working tree was not fully pristine because
BIBLE.mdexisted untracked before any changes in this audit.
- Need to determine whether
BIBLE.mdis intentional local working material or accidental repo detritus. It will not be touched unless required.
- Top-level repository file layout.
- Main runtime module:
Sources/DexKeeper_Bot/dexkeeper_bot.py - Health check script:
Sources/DexKeeper_Bot/healthcheck.py - Dependency manifests:
requirements.txt,requirements-dev.txt,Sources/DexKeeper_Bot/requirements.txt - Environment template:
.env.example - Docker assets:
scripts/Dockerfile,scripts/docker-compose.yml - Packaging build scripts and README files under
packaging/ - GitHub Actions workflows under
.github/workflows/ - Test suite under
tests/ - Static config file:
Sources/DexKeeper_Bot/settings.json
sed -n '1,220p' /Users/andrew/.agents/skills/bugsweep/SKILL.mdrg --filesfind . -maxdepth 3 \( -path './.git' -o -path './.venv' -o -path './venv' -o -path './__pycache__' \) -prune -o -type f | sortrg -n "^(async def|def|class) " Sources/DexKeeper_Bot/dexkeeper_bot.pyrg -n "ConversationHandler|CommandHandler|CallbackQueryHandler|MessageHandler|run_polling|setWebhook|job_queue|create_task|aiosqlite|parse_mode|ApplicationBuilder|load_dotenv|BOT_TOKEN|ADMIN_ID|DB_PATH" Sources/DexKeeper_Bot/dexkeeper_bot.pyrg -n --hidden --glob '!/.git' --glob '!**/__pycache__/**' "TODO|FIXME|HACK|XXX|BUG"- Multiple
sed -nreads overREADME.md,dexkeeper_bot.py, tests, workflows, Docker files, packaging docs,.gitignore, andsettings.json
- Runtime is a single-file Python Telegram bot in
Sources/DexKeeper_Bot/dexkeeper_bot.py. - Framework is
python-telegram-bot20.x withApplicationBuilder, async handlers, andjob_queue. - Startup mode is polling only; no webhook path exists in code.
- Configuration comes from
.envin the per-user data directory first, then repo.env. - Persistence is SQLite via
aiosqlite, using a single long-lived application connection and WAL (write-ahead logging) mode. - Scheduled/background work uses the Telegram job queue for heartbeat, spam-cache cleanup, update checks, and optional daily restart.
- Desktop/tray behavior is built into the bot process and varies by platform.
- Packaging scripts exist for Linux, macOS, Windows, plus Docker container support.
- Tests exist, but many appear to be structural or simulation-oriented rather than full runtime verification.
dexkeeper_bot.pyis a 2,108-line monolith with mixed concerns: config, UI/tray, persistence, handlers, scheduling, and packaging assumptions.- README claims more features and workflows than the code clearly implements; this needs verification.
Sources/DexKeeper_Bot/settings.jsonappears feature-rich, but code references database-backed settings instead. Need to verify whether the file is dead/stale.- Repo contains generated/local artifacts outside git status output because they are ignored (
.coverage,htmlcov/, caches, local DB files). These should not be mistaken for source-of-truth documentation.
- Created this audit log file.
- Group-targeted admin action handlers.
- Membership onboarding and verification flow.
- User persistence paths.
- Test and developer-tooling installation assumptions.
- README claims versus runtime code.
rg -n "INSERT INTO users|INSERT OR REPLACE INTO users|UPDATE users|DELETE FROM users|pending_requests|notes|tags|settings.json|lockdown_mode|captcha_enabled|blacklist|welcome_message|admins|auto_decline_words" Sources/DexKeeper_Bot tests README.md -g '!htmlcov/**'python3 --versionpython3 -m pytest -qpython3 -m pip_audit -r requirements.txtpython3 -m py_compile Sources/DexKeeper_Bot/dexkeeper_bot.py Sources/DexKeeper_Bot/healthcheck.pypython3 -m venv .venv-audit.venv-audit/bin/python -m pip install --upgrade pip.venv-audit/bin/python -m pip install -r requirements.txt -r requirements-dev.txt pytest pytest-asyncio.venv-audit/bin/python -m pytest -q.venv-audit/bin/python -m pip_audit -r requirements.txtBOT_TOKEN=123:TEST ADMIN_ID=1 .venv-audit/bin/python - <<'PY' ... import dexkeeper_bot ... PYnl -ba Sources/DexKeeper_Bot/dexkeeper_bot.py | sed -n '1338,1708p'nl -ba Sources/DexKeeper_Bot/dexkeeper_bot.py | sed -n '1820,1950p'nl -ba requirements-dev.txtnl -ba README.md | sed -n '1,260p'
py_compilepassed for both Python source files.- Fresh-venv import smoke test passed.
- Full pytest suite passed:
67 passed in 5.83s pip-auditreported no known vulnerabilities forrequirements.txt- Baseline environment problem: the host Python lacked both
pytestandpip_audit, andrequirements-dev.txtonly containedpip-audit, so the advertised developer test command was not reproducible from committed tooling alone.
lockdown_modeis toggled in the admin panel but never enforced inon_new_member; the setting is dead at runtime.- Group-scoped admin actions use
update.effective_chatfrom the admin conversation, which is the admin DM if the README workflow is followed. That means ban, unban, poll creation, scheduled messages, and forum topic creation target the wrong chat. - Unban only removes a database blacklist entry and never calls Telegram’s
unban_chat_member, so a previously banned user remains banned in Telegram. - “View user” is a placeholder string, not an implemented lookup.
- The runtime never inserts users into the
userstable. Broadcast and CSV export depend on that table, so those features are effectively empty unless rows are inserted manually or via tests. requirements-dev.txtdoes not includepytestorpytest-asyncio, despite the repository shipping a non-trivial pytest suite and documentation that tells users to run it.- README setup/feature documentation overstates or misstates current behavior in multiple places, including owner registration, DM-driven group actions, and operational validation commands.
Sources/DexKeeper_Bot/settings.jsonstill looks like a legacy or aspirational configuration file. I found no runtime reads of it. I have not removed it yet because that would be a broader product decision than a safe bug fix.
- Added runtime helpers to:
- persist known users into the SQLite
userstable, - remember the currently managed group/supergroup,
- resolve group-targeted admin actions correctly when launched from DM.
- persist known users into the SQLite
- Enforced
lockdown_modeinon_new_member. - Fixed unban to call Telegram’s
unban_chat_member. - Replaced the placeholder “view user” response with an actual database-backed lookup.
- Added a
/starthandler so DM users are recorded and receive a minimal onboarding response. - Updated admin/runtime code paths so admins interacting in DM are stored as active users.
- Added regression tests for:
- lockdown enforcement,
- DM-driven unban targeting the managed group,
/startrecording DM users.
- Updated
requirements-dev.txtto installpytestandpytest-asyncio.
Sources/DexKeeper_Bot/dexkeeper_bot.pytests/test_bug_fixes.pyrequirements-dev.txt
- Bug fix:
lockdown_modeexisted in storage and UI but did nothing during member joins. - Bug fix: group moderation and engagement actions used the admin DM chat instead of the managed group.
- Bug fix: unban updated only the local database, not Telegram state.
- Bug fix: user export and broadcast relied on a
userstable that runtime code never populated. - Compatibility/tooling fix: the repo’s own test instructions were incomplete because
requirements-dev.txtomitted the test runner.
.env.example- Corrected
DB_PATHdefaults to match real runtime paths on Windows, macOS, Linux, and Docker. - Added
DEXKEEPER_LOG_PATHandDEXKEEPER_DISABLE_FILE_LOG.
- Corrected
README.md- Rewrote the feature summary to match actual runtime behavior.
- Corrected Telegram setup steps so admin access is tied to
ADMIN_IDor later promotion, not a mythical owner auto-registration path. - Documented the managed-group model for DM-triggered admin actions.
- Documented that the bot is polling-only.
- Documented when users are added to the local database.
- Corrected developer setup and validation commands.
tests/README.md- Updated test installation and execution steps to use committed dependency files.
- Documented the actual test coverage areas.
- README claimed DM-driven admin actions posted directly to the group without describing the target-group requirement.
- README implied the owner became admin just by pressing
/start. - README presented a looser feature set than the actual single-managed-group design.
- Developer docs implied test commands were ready to run even though the committed dev requirements omitted pytest.
python3 -m py_compile Sources/DexKeeper_Bot/dexkeeper_bot.py Sources/DexKeeper_Bot/healthcheck.py tests/test_bug_fixes.py.venv-audit/bin/python -m pytest -q.venv-audit/bin/python -m pip_audit -r requirements.txt.venv-audit/bin/python -m pip_audit -r requirements-dev.txtgit diff --checkgit diff --stat
- Syntax checks passed.
- Full pytest suite passed:
70 passed in 1.19s pip-auditreported no known vulnerabilities for both runtime and developer dependency sets.git diff --checkpassed with no whitespace or patch-format issues.
- Live Telegram behavior still cannot be proven here without production-like bot credentials, a real managed group, and real admin permissions.
- The bot still behaves like a single-managed-group bot even though some README language historically suggested broader community-management scope.
Sources/DexKeeper_Bot/settings.jsonremains unused legacy/static material and should get a human decision: remove it, wire it in, or label it explicitly as legacy.
- Removed
Sources/DexKeeper_Bot/settings.jsonbecause it was dead legacy configuration with no runtime readers. - Removed an unused placeholder handler and stale placeholder comments from
dexkeeper_bot.py. - Updated
README.mdso runtime notes no longer mention the deleted file.
rg -n "Simulated|placeholder|legacy|for brevity|TODO|FIXME|HACK|XXX|dead|unused|skip|would functionally work" Sources/DexKeeper_Bot tests README.md -g '!htmlcov/**'rg -n "def handle_id_action\\(|handle_id_action\\(" Sources/DexKeeper_Bot tests -g '!htmlcov/**'python3 -m py_compile Sources/DexKeeper_Bot/dexkeeper_bot.py Sources/DexKeeper_Bot/healthcheck.py tests/test_bug_fixes.py.venv-audit/bin/python -m pytest -q.venv-audit/bin/python -m pip_audit -r requirements.txt && .venv-audit/bin/python -m pip_audit -r requirements-dev.txtrg -n "Simulated|for brevity|placeholder|settings\\.json" README.md Sources/DexKeeper_Bot tests -g '!htmlcov/**'git diff --check
- No remaining dead placeholder code paths were found in active source.
- Full test suite still passed:
70 passed in 0.63s - Dependency audits still passed for runtime and developer dependency sets.
- Syntax checks still passed.
- Patch formatting/whitespace checks still passed.
- README runtime notes now refer only to actual runtime state files and SQLite storage.
- Live Telegram validation remains the gating item before production confidence.
- The bot is still intentionally single-managed-group in behavior.