AndyMik90 · AndyMik90 · Jan 19, 2026 · Jan 19, 2026 · Jan 19, 2026 · Jan 19, 2026
diff --git a/apps/backend/core/platform/__init__.py b/apps/backend/core/platform/__init__.py
@@ -371,7 +371,7 @@ def validate_cli_path(cli_path: str) -> bool:
     Returns:
         True if path is secure, False otherwise
     """
-    if not cli_path:
+    if not cli_path or not cli_path.strip():
         return False
 
     # Security validation: reject paths with shell metacharacters or other dangerous patterns
@@ -380,7 +380,7 @@ def validate_cli_path(cli_path: str) -> bool:
         r"%[^%]+%",  # Windows environment variable expansion
         r"\.\./",  # Unix directory traversal
         r"\.\.\\",  # Windows directory traversal
-        r"[\r\n]",  # Newlines (command injection)
+        r"[\r\n\x00]",  # Newlines (command injection), null bytes (path truncation)
     ]
 
     for pattern in dangerous_patterns:

diff --git a/apps/backend/runners/github/models.py b/apps/backend/runners/github/models.py
@@ -76,6 +76,132 @@ class MergeVerdict(str, Enum):
 )
 
 
+# =============================================================================
+# Verdict Helper Functions (testable logic extracted from orchestrator)
+# =============================================================================
+
+
+def verdict_from_severity_counts(
+    critical_count: int = 0,
+    high_count: int = 0,
+    medium_count: int = 0,
+    low_count: int = 0,
+) -> MergeVerdict:
+    """
+    Determine merge verdict based on finding severity counts.
+
+    This is the canonical implementation of severity-to-verdict mapping.
+    Extracted here so it can be tested directly and reused.
+
+    Args:
+        critical_count: Number of critical severity findings
+        high_count: Number of high severity findings
+        medium_count: Number of medium severity findings
+        low_count: Number of low severity findings
+
+    Returns:
+        MergeVerdict based on severity levels
+    """
+    if critical_count > 0:
+        return MergeVerdict.BLOCKED
+    elif high_count > 0 or medium_count > 0:
+        return MergeVerdict.NEEDS_REVISION
+    # Low findings or no findings -> ready to merge
+    return MergeVerdict.READY_TO_MERGE
+
+
+def apply_merge_conflict_override(
+    verdict: MergeVerdict,
+    has_merge_conflicts: bool,
+) -> MergeVerdict:
+    """
+    Apply merge conflict override to verdict.
+
+    Merge conflicts always result in BLOCKED, regardless of other verdicts.
+
+    Args:
+        verdict: The current verdict
+        has_merge_conflicts: Whether PR has merge conflicts
+
+    Returns:
+        BLOCKED if conflicts exist, otherwise original verdict
+    """
+    if has_merge_conflicts:
+        return MergeVerdict.BLOCKED
+    return verdict
+
+
+def apply_branch_behind_downgrade(
+    verdict: MergeVerdict,
+    merge_state_status: str,
+) -> MergeVerdict:
+    """
+    Apply branch-behind status downgrade to verdict.
+
+    BEHIND status downgrades READY_TO_MERGE and MERGE_WITH_CHANGES to NEEDS_REVISION.
+    BLOCKED verdict is preserved (not downgraded).
+
+    Args:
+        verdict: The current verdict
+        merge_state_status: The merge state status (e.g., "BEHIND", "CLEAN")
+
+    Returns:
+        Downgraded verdict if behind, otherwise original
+    """
+    if merge_state_status == "BEHIND":
+        if verdict in (MergeVerdict.READY_TO_MERGE, MergeVerdict.MERGE_WITH_CHANGES):
+            return MergeVerdict.NEEDS_REVISION
+    return verdict
+
+
+def apply_ci_status_override(
+    verdict: MergeVerdict,
+    failing_count: int = 0,
+    pending_count: int = 0,
+) -> MergeVerdict:
+    """
+    Apply CI status override to verdict.
+
+    Failing CI -> BLOCKED
+    Pending CI -> NEEDS_REVISION (if currently READY_TO_MERGE or MERGE_WITH_CHANGES)
+
+    Args:
+        verdict: The current verdict
+        failing_count: Number of failing CI checks
+        pending_count: Number of pending CI checks
+
+    Returns:
+        Updated verdict based on CI status
+    """
+    if failing_count > 0:
+        if verdict in (MergeVerdict.READY_TO_MERGE, MergeVerdict.MERGE_WITH_CHANGES):
+            return MergeVerdict.BLOCKED
+    elif pending_count > 0:
+        if verdict in (MergeVerdict.READY_TO_MERGE, MergeVerdict.MERGE_WITH_CHANGES):
+            return MergeVerdict.NEEDS_REVISION
+    return verdict
+
+
+def verdict_to_github_status(verdict: MergeVerdict) -> str:
+    """
+    Map merge verdict to GitHub review overall status.
+
+    Args:
+        verdict: The merge verdict
+
+    Returns:
+        GitHub review status: "approve", "comment", or "request_changes"
+    """
+    if verdict == MergeVerdict.BLOCKED:
+        return "request_changes"
+    elif verdict == MergeVerdict.NEEDS_REVISION:
+        return "request_changes"
+    elif verdict == MergeVerdict.MERGE_WITH_CHANGES:
+        return "comment"
+    else:
+        return "approve"
+
+
 class AICommentVerdict(str, Enum):
     """Verdict on AI tool comments (CodeRabbit, Cursor, Greptile, etc.)."""