Audit Addendum — chewy_lookup.py + generate_pin_images.py

generate_pin_images.py

[HIGH] brain_secrets import always fails on GHA — PIN_GEN_AVAILABLE permanently False
The statement "from brain_secrets import get_sheets_creds, get_secret as brain_get_secret" is unconditional at module top. brain_secrets.py is a vault-local module that does not exist on GHA runners. generate_posts.py catches the ImportError and sets PIN_GEN_AVAILABLE=False, so pin images are never generated by the pipeline on GHA. They must be generated and committed separately before publish.

[HIGH] Unconditional hard imports fail silently
dotenv, Pillow, gspread and brain_secrets are all imported at module top without guards. Any missing dependency causes full import failure and PIN_GEN_AVAILABLE=False, with no explicit warning in the GHA log.

[CRITICAL] os.system() with f-string path in main()
main() calls os.system(f'cd {REPO} && git add ...'): a bare os.system call with a path injection risk if REPO contains spaces, and no error capture. It fires only on standalone runs, not from GHA, but is a landmine. Replace with subprocess.run with list args.
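
The replacement recommended in the finding above, as an added example (not code from the audited repository). run_in_repo and git_add are hypothetical helper names, and the path list passed to git add is an assumption because the audit elides the original arguments.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

# Pattern flagged in the audit (the shell parses the interpolated path):
#   os.system(f'cd {REPO} && git add ...')


def run_in_repo(repo, argv):
    """Run argv with repo as the working directory, without a shell.

    cwd= replaces the 'cd {REPO} &&' prefix, so the path is never parsed
    by a shell and spaces or metacharacters in it are inert.
    """
    repo = Path(repo)
    if not repo.is_dir():
        raise FileNotFoundError(f"repo directory not found: {repo}")
    result = subprocess.run(argv, cwd=repo, capture_output=True, text=True)
    if result.returncode != 0:
        # Surface the failure that os.system() would have dropped.
        raise RuntimeError(
            f"{argv[0]} exited {result.returncode}: {result.stderr.strip()}"
        )
    return result.stdout


def git_add(repo, paths):
    """Stage paths (hypothetical argument list; the audit elides the real one)."""
    # '--' stops git from treating a path that starts with '-' as an option.
    return run_in_repo(repo, ["git", "add", "--", *paths])


if __name__ == "__main__":
    # Constructed demo: a directory name with a space and a ';' in it.
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "pin repo; echo injected"
        repo.mkdir()
        out = run_in_repo(repo, [sys.executable, "-c", "import os; print(os.getcwd())"])
        print("child ran in:", out.strip())
```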

[MEDIUM] update_sheets() uses os.getenv() inconsistently
update_sheets() uses os.getenv() for sheet IDs where the rest of the codebase uses brain_get_secret(). It fails silently on GHA if the env vars are not set under the expected names.

chewy_lookup.py

[MEDIUM] Inconsistent logging — stderr vs structured log
_impact_get() and internal functions print to sys.stderr. GHA captures stdout in structured log files, so errors from chewy_lookup during pipeline runs are invisible in LOGS/ files.

[MEDIUM] scrape_chewy_rating() bot detection risk
Uses a desktop Chrome User-Agent. Chewy bot detection will eventually block it. There is no fallback strategy beyond returning None when scraping fails.

[LOW] load_dotenv path assumes three-level vault layout
Path(__file__).parent.parent.parent / ".env" silently no-ops on any non-matching layout. Not a GHA risk but fragile locally.

[LOW] is_consumable() defined but unused in this file
Intended for the generate_posts.py Chewy integration (not yet complete per feature/chewy-integration branch).