Add collector for Cheltenham Borough Council

[moley-bot]

Summary

This PR adds a new bin collection data collector for Cheltenham Borough Council.

• Implements ICollector interface
• Adds integration tests
• Successfully tested with example postcode from issue

Closes #131

Test Summary

 ==================== Test Summary ====================
 
 --------------------- Collector ----------------------
 
 Cheltenham Borough Council
 
 ------------------- Addresses (17) -------------------
 
 - 1 SPENSER ROAD CHELTENHAM CHELTENHAM GL51 7DU, GL51 7DU, 51363
 - 3 SPENSER ROAD CHELTENHAM CHELTENHAM GL51 7DU, GL51 7DU, 51374
 - 3 A SPENSER ROAD CHELTENHAM CHELTENHAM GL51 7DU, GL51 7DU, 5597
 - 5 SPENSER ROAD CHELTENHAM CHELTENHAM GL51 7DU, GL51 7DU, 51376
 - 7 SPENSER ROAD CHELTENHAM CHELTENHAM GL51 7DU, GL51 7DU, 51377
 - ...
 
 --------------------- Bin Types ----------------------
 
 - Food Waste (Green Caddy)
 - Garden Waste (Brown)
 - General Waste (Green)
 - Mixed Dry Recycling (Green Box) (Green Box)
 - Paper, Glass & Cardboard Recycling (Blue Bag) (Blue Bag)
 
 ------------------- Bin Days (78) --------------------
 
 - 03/02/2026 (3 bins):
   - Mixed Dry Recycling (Green Box) (Green Box)
   - Paper, Glass & Cardboard Recycling (Blue Bag) (Blue Bag)
   - Food Waste (Green Caddy)
 
 - 09/02/2026 (1 bins):
   - Garden Waste (Brown)
 
 - 10/02/2026 (2 bins):
   - General Waste (Green)
   - Food Waste (Green Caddy)
 
 - 17/02/2026 (3 bins):
   - Food Waste (Green Caddy)
   - Mixed Dry Recycling (Green Box) (Green Box)
   - Paper, Glass & Cardboard Recycling (Blue Bag) (Blue Bag)
 
 - 23/02/2026 (1 bins):
   - Garden Waste (Brown)
 
 - 24/02/2026 (2 bins):
   - General Waste (Green)
   - Food Waste (Green Caddy)
 
 - 03/03/2026 (3 bins):
   - Food Waste (Green Caddy)
   - Mixed Dry Recycling (Green Box) (Green Box)
   - Paper, Glass & Cardboard Recycling (Blue Bag) (Blue Bag)
 
 - 09/03/2026 (1 bins):
   - Garden Waste (Brown)
 
 - 10/03/2026 (2 bins):
   - General Waste (Green)
   - Food Waste (Green Caddy)
 
 - 17/03/2026 (3 bins):
   - Mixed Dry Recycling (Green Box) (Green Box)
   - Paper, Glass & Cardboard Recycling (Blue Bag) (Blue Bag)
   - Food Waste (Green Caddy)
 - ...
 
 ======================================================

---

Generated automatically by Moley-Bot using Codex CLI

[BadgerHobbs]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a new collector for Cheltenham Borough Council. While comprehensive, it has several security and reliability issues. The code is vulnerable to denial-of-service (DoS) attacks due to improper handling of malformed external responses in ParseJsonp and GetWeekStartDate. Missing URL encoding for client-side requests also poses a risk to functionality (e.g., with postcodes containing spaces) and security (potential parameter injection). Furthermore, the implementation is complex, particularly in the GetBinDays method, which exceeds recommended length, and exhibits code duplication and style guide deviations. Refactoring suggestions include creating helper methods for session/task logic, inlining constants, and improving collection/loop style.

[gemini-code-assist]

The GetBinDays method is extremely long and complex, spanning over 500 lines with 11 distinct steps. This violates the style guide's core principle of keeping collectors simple and ideally under 400 lines total.

The primary source of complexity is the repetitive logic for the ExecuteTaskJob calls in steps 4 through 7. This logic can be extracted into a helper method to significantly reduce code duplication and improve readability.

Consider creating a helper method like this:

private ClientSideRequest CreateTaskJobRequest(int nextRequestId, ClientSideResponse clientSideResponse, string taskIdKey, string taskType)
{
    var sessionId = clientSideResponse.Options!.Metadata["sessionId"];
    var taskId = clientSideResponse.Options.Metadata[taskIdKey];

    var job = $$$"""
{
	"Task": {
		"$type": "{{taskType}}"
	}
}
"""";

    var newMetadata = new Dictionary<string, string>(clientSideResponse.Options.Metadata);
    newMetadata.Remove(taskIdKey);

    return new ClientSideRequest
    {
        RequestId = nextRequestId,
        Url = $"{_auroraBaseUrl}/ExecuteTaskJob?sessionId={sessionId}&taskId={taskId}&job={job}&callback=_jqjsp",
        Method = "GET",
        Headers = new() { { "user-agent", Constants.UserAgent } },
        Options = new ClientSideOptions { Metadata = newMetadata },
    };
}

Using this helper would make each step much more concise.

References

1. Collectors should be kept simple, ideally between 200-400 lines. Collectors over 500 lines are a code smell indicating unnecessary complexity. ^(link)
2. Truly duplicated logic (used 2-3+ times) should be extracted into helper methods to reduce duplication. ^(link)

[gemini-code-assist]

The ParseJsonp method is vulnerable to a denial-of-service (DoS) attack. It attempts to extract JSON content by finding the first '(' and last ')' characters without validating their existence or relative positions. If the content (which originates from the untrusted clientSideResponse.Content) is malformed—for example, if it lacks parentheses or if the closing parenthesis appears before the opening one—the method will throw an ArgumentOutOfRangeException during the string slicing operation at line 720. This will cause the request to fail with a 500 error.

		var startIndex = content.IndexOf('(');
		var endIndex = content.LastIndexOf(')');

		if (startIndex == -1 || endIndex == -1 || endIndex <= startIndex)
		{
			throw new InvalidOperationException("Invalid JSONP response.");
		}

		var jsonContent = content[(startIndex + 1)..endIndex];

[gemini-code-assist]

The GetWeekStartDate method is vulnerable to a denial-of-service (DoS) attack. At line 843, it assumes that the startLine (derived from the untrusted clientSideResponse.Content) always contains a colon character. If an attacker provides a malformed ICS feed where a DTSTART line lacks a colon, Split(':', 2) will return an array with only one element. Accessing index [1] will then throw an IndexOutOfRangeException, causing the request to crash with a 500 error.

			var startLine = lines.FirstOrDefault(line => line.StartsWith("DTSTART", StringComparison.OrdinalIgnoreCase));

			if (startLine == null || !startLine.Contains(':'))
			{
				continue;
			}

			var dateText = startLine.Split(':', 2)[1].Trim();

[gemini-code-assist]

Multiple URLs constructed for ClientSideRequest objects (e.g., at lines 114, 441, 489, and 536) use string interpolation with untrusted data such as postcode, address.Uid, sessionId, and job without performing URL encoding.

1. Functionality Risk: Postcodes containing spaces (which is standard for UK postcodes) will result in invalid URLs, likely causing requests to fail.
2. Security Risk (Parameter Injection): An attacker can inject additional query parameters by including characters like & or = in the input. This could be used to manipulate the requests made to the third-party council API, such as injecting a malicious callback parameter for a JSONP-based XSS attack on the council's domain.

Recommendation: Use System.Web.HttpUtility.UrlEncode for all untrusted variables inserted into query strings.

[gemini-code-assist]

The logic to request a new session is duplicated at the beginning of both GetAddresses (lines 85-103) and GetBinDays. This violates the DRY principle and the style guide's recommendation to extract duplicated logic.

Please create a shared helper method for this logic, as shown in the style guide for logic used in both GetAddresses and GetBinDays.

/// <summary>
/// Creates the initial client-side request for a new session.
/// </summary>
private ClientSideRequest CreateSessionRequest(int requestId)
{
	return new ClientSideRequest
	{
		RequestId = requestId,
		Url = $"{_auroraBaseUrl}/RequestSession?userName=guest%20CBC&password=&script={_scriptPath}&callback=_jqjsp",
		Method = "GET",
		Headers = new()
		{
			{ "user-agent", Constants.UserAgent },
		},
	};
}

You can then call this helper from both GetAddresses and GetBinDays.

			var clientSideRequest = CreateSessionRequest(1);

			var getBinDaysResponse = new GetBinDaysResponse
			{
				NextClientSideRequest = clientSideRequest,
			};

			return getBinDaysResponse;

References

1. Extract truly duplicated logic (used 2-3+ times) into helper methods. The style guide provides an example for creating an initial request helper used in both GetAddresses and GetBinDays. ^(link)

[gemini-code-assist]

The last object initializer in the _binTypes collection is missing a trailing comma. The style guide requires trailing commas for all multi-line initializers to improve maintainability and create cleaner diffs.

		},

References

1. Always use trailing commas in multi-line initializers to make future diffs cleaner and reduce merge conflicts. ^(link)

[gemini-code-assist]

This constant _calendarUrl is only used once within the file (at line 578). According to the style guide, constants should only be created for values used two or more times. For single-use values, it's better to inline them directly where they are used.

References

1. Constants should only be created for values that are used 2 or more times. Values used only once should be inlined directly. ^(link)

[gemini-code-assist]

The logic for creating BinDay objects is repeated in four separate foreach loops for refuse, recycling, food, and garden waste. This can be made more concise and less repetitive.

Consider refactoring this into a single loop that iterates over a collection of tuples or a small helper method. This would improve readability and reduce code duplication.

Example refactoring:

var binDays = new List<BinDay>();
var services = new[]
{
    (refuseDates, refuseBins),
    (recyclingDates, recyclingBins),
    (foodDates, foodBins)
};

foreach (var (dates, bins) in services)
{
    foreach (var date in dates)
    {
        binDays.Add(new BinDay { Address = address, Date = date, Bins = bins });
    }
}

// Handle garden waste separately due to its conditional nature
// ...

References

1. Keep collectors simple and focused. Reducing code duplication, even for smaller patterns, contributes to overall simplicity and maintainability. ^(link)

[BadgerHobbs]

Helper method only used once.

[BadgerHobbs]

Single referenced consts.

[BadgerHobbs]

Could use regex instead.

[BadgerHobbs]

11 requests? This smells of over complexity.

[BadgerHobbs]

Incorrect indentation.

[BadgerHobbs]

Don't include bin type and color in names.