Enable ruff's future-annotations and RUF* rules

[snejus]

Summary

This PR updates typing and linting across the codebase and enables stricter ruff checks for Python 3.10:

1. Enable tool.ruff.lint.future-annotations
   Very handy feature released in 0.13.0: if required, it automatically adds from __future__ import annotations and moves relevant imports under if TYPE_CHECKING:

   # before (runtime import)
   from beets.library import Library
   
   # after
   from __future__ import annotations
   
   from typing import TYPE_CHECKING
   
   if TYPE_CHECKING:
       from beets.library import Library

2. Set tool.ruff.target-version = "py310"

   This enforced PEP 604 unions in the codebase:

   # before
   SQLiteType = Union[str, bytes, float, int, memoryview, None]
   
   # after
   SQLiteType = str | bytes | float | int | memoryview | None

3. Enable RUF* family of checks

   • Remove unused # noqas

   • Ignore unused unpacked variables

     # before
     likelies, consensus = util.get_most_common_tags(self.items)
     
     # after
     likelies, _ = util.get_most_common_tags(self.items)

   • Avoid list materialization

     # before
     for part in parts + [","]:
     
     # after
     for part in [*parts, ","]:

   • And, most importantly, RUF012: use ClassVar for mutable class attributes

     • This underlined our messy BeetsPlugin.template_* attributes design, where I have now defined BeetsPluginMeta to make a clear distinction between class and instance attributes. @semohr and @asardaes I saw you had a discussion regarding these earlier - we will need to revisit this at some point to sort it out for good.
     • It also revealed a legitimate issue in metasync.MetaSource where item_types were initialised as an instance attribute (but luckily never used).

[github-actions]

Thank you for the PR! The changelog has not been updated, so here is a friendly reminder to check if you need to add an entry.

[sourcery-ai]

Hey - I've found 1 security issue, 2 other issues, and left some high level feedback:

Security issues:

• Detected subprocess function 'Popen' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)

General comments:

• The change to BeetsPlugin/BeetsPluginMeta switches template_funcs/template_fields/album_template_fields from shared class-level dicts to per-instance dicts; double-check whether any existing plugins rely on cross-instance sharing of these registries and, if so, consider keeping a central class-level store in addition to per-instance overrides.
• In several places the new [*seq, elem] pattern is used where the original code relied on list concatenation semantics (seq + [elem]); it may be worth standardizing on a single style (e.g., [*seq, elem] everywhere) for consistency and to make the refactor’s intent clearer.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The change to `BeetsPlugin`/`BeetsPluginMeta` switches `template_funcs`/`template_fields`/`album_template_fields` from shared class-level dicts to per-instance dicts; double-check whether any existing plugins rely on cross-instance sharing of these registries and, if so, consider keeping a central class-level store in addition to per-instance overrides.
- In several places the new `[*seq, elem]` pattern is used where the original code relied on list concatenation semantics (`seq + [elem]`); it may be worth standardizing on a single style (e.g., `[*seq, elem]` everywhere) for consistency and to make the refactor’s intent clearer.

## Individual Comments

### Comment 1
<location> `pyproject.toml:314-316` </location>
<code_context>
     "N", # pep8-naming
     "PT", # flake8-pytest-style
-    # "RUF", # ruff
+    "RUF", # ruff
     "UP", # pyupgrade
-    "TCH", # flake8-type-checking
+    "TC", # flake8-type-checking
     "W", # pycodestyle
 ]
</code_context>

<issue_to_address>
**issue (bug_risk):** The `TC` code in Ruff `select` likely doesn’t correspond to flake8-type-checking

Ruff uses the `TCH` prefix for flake8-type-checking rules (e.g., `TCH001`), not `TC`, so this entry won’t enable the plugin as intended. Update the code to use `"TCH"` instead of `"TC"` here.
</issue_to_address>

### Comment 2
<location> `beets/util/pipeline.py:195` </location>
<code_context>
         task: R | T | None = None
         while True:
             task = yield task
-            task = func(*(args + (task,)))
+            task = func(*((*args, task)))

     return coro
</code_context>

<issue_to_address>
**suggestion:** The new argument expansion in `coro` is more complex than necessary and slightly obscures intent

`func(*((*args, task)))` is equivalent to `func(*args, task)` but less readable and creates an unnecessary tuple. Please simplify to `func(*args, task)` here and in the similar `coro` call below.
</issue_to_address>

### Comment 3
<location> `beetsplug/mbsubmit.py:72` </location>
<code_context>
            subprocess.Popen([picard_path, *paths])
</code_context>

<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'Popen' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[codecov]

Codecov Report

❌ Patch coverage is 90.15152% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.91%. Comparing base (bd319c2) to head (c9625f8).
⚠️ Report is 6 commits behind head on master.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
beetsplug/replaygain.py	0.00%	4 Missing ⚠️
beets/util/artresizer.py	66.66%	3 Missing ⚠️
beetsplug/bpd/gstplayer.py	33.33%	2 Missing ⚠️
beets/ui/commands/import_/display.py	66.66%	1 Missing ⚠️
beetsplug/bpd/__init__.py	66.66%	1 Missing ⚠️
beetsplug/bpsync.py	0.00%	1 Missing ⚠️
beetsplug/mbsubmit.py	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6245      +/-   ##
==========================================
+ Coverage   68.68%   68.91%   +0.23%     
==========================================
  Files         138      138              
  Lines       18540    18553      +13     
  Branches     3064     3061       -3     
==========================================
+ Hits        12734    12786      +52     
+ Misses       5152     5116      -36     
+ Partials      654      651       -3     

Files with missing lines	Coverage Δ
beets/autotag/match.py	76.92% <100.00%> (ø)
beets/dbcore/db.py	94.04% <100.00%> (ø)
beets/dbcore/query.py	91.34% <100.00%> (ø)
beets/dbcore/queryparse.py	97.46% <100.00%> (ø)
beets/dbcore/types.py	95.98% <100.00%> (ø)
beets/importer/__init__.py	100.00% <ø> (ø)
beets/importer/session.py	94.36% <100.00%> (ø)
beets/importer/stages.py	88.05% <100.00%> (ø)
beets/importer/tasks.py	90.89% <100.00%> (ø)
beets/library/__init__.py	100.00% <ø> (ø)
... and 41 more

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR updates typing and linting across the codebase to enable stricter ruff checks for Python 3.10+. It automatically adds from __future__ import annotations where needed, enforces PEP 604 union syntax, and addresses various linting issues including proper use of ClassVar for mutable class attributes.

Key changes:

• Enabled ruff's future-annotations feature (auto-adds from __future__ import annotations and moves imports under TYPE_CHECKING)
• Set target-version = "py310" to enforce PEP 604 union syntax (str | None instead of Union[str, None])
• Enabled RUF* rules and addressed all identified issues (unused # noqa, unused unpacked variables, list materialization, ClassVar annotations)

Reviewed changes

Copilot reviewed 79 out of 80 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
pyproject.toml	Updated ruff version requirement and configuration to enable future-annotations, set py310 target, and enable RUF rules
.git-blame-ignore-revs	Added commit hashes for the linting/typing changes to git blame ignore list
Multiple test files	Replaced unused variables with _ placeholder and removed unnecessary # noqa comments
Multiple plugin files	Added ClassVar type hints to mutable class attributes and moved imports under TYPE_CHECKING
beets/plugins.py	Introduced BeetsPluginMeta metaclass to properly distinguish class vs instance attributes for template fields
beets/dbcore/*.py	Added ClassVar annotations to class-level field/sort dictionaries and moved type imports
beets/library/models.py	Added ClassVar annotations to _fields, _sorts, and item_keys dictionaries
Multiple source files	Replaced list concatenation with unpacking syntax ([*list, item]) and converted to PEP 604 union types

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[JOJ0]

I've looked through points 1. and 2. which essentially are commits f75cbfe and f70eb4c

That is done if someone cares to continue with point 3.

[snejus]

I just had to address these:

[JOJ0]

damnit I used the wrong github account for the review. It's me as you've probably guessed ;-)

[henry-oberholtzer]

Looks good to me - doesn't look like it'll conflict terribly with any existing PR's either, if at all.