fix: address 7 CodeRabbit round-2 review items

Aureliolo · Aureliolo · commit 09a876b46b68 · 2026-04-04T18:46:24.000+02:00
- task_engine: use async put (not put_nowait) for shutdown sentinel to
  avoid QueueFull aborting stop(); remove early-exit check from observer
  timeout branch -- loop now exits only on None sentinel
- condition_eval: _parse_atom_token raises ValueError for missing
  operands, unclosed parens, and bare operator tokens (malformed
  expressions correctly resolve to False via outer handler)
- yaml-to-nodes: only advance branch counter for explicit 'true' (not
  'false') so mixed explicit+implicit entries stay synchronized
- security.md: add window.open() sessionStorage inheritance caveat
  with noopener recommendation
- tests: update unclosed-paren expectation (False, not True), use
  object form in counter-inference test, add positive assertions for
  parallel_branch depends_on
diff --git a/docs/security.md b/docs/security.md
@@ -85,7 +85,7 @@ surface:
 |---------|-----------|
 | **XSS prevention** | ESLint `no-restricted-syntax` rule bans `dangerouslySetInnerHTML` at write time. Override requires `// eslint-disable-next-line` with justification. |
 | **CSP nonce readiness** | `<MotionConfig nonce>` wrapper in `App.tsx` + `lib/csp.ts` reader. Framer Motion's dynamically injected `<style>` tags are nonce-ready. `react-style-singleton` (used by Radix Dialog/AlertDialog/Popover via `react-remove-scroll`) also supports nonces via the `get-nonce` package -- wiring `setNonce()` in `lib/csp.ts` is the remaining step. Currently staged -- see the activation checklist in `web/index.html` and the [accepted risk](#accepted-risk-inline-style-attributes) section below. |
-| **JWT storage** | `sessionStorage` (tab-scoped) with short-lived tokens, automatic expiry cleanup, and 401 interceptor. Tokens do not persist across browser sessions or leak to other tabs. Cookie-based auth (httpOnly) is a future enhancement tracked separately. |
+| **JWT storage** | `sessionStorage` (tab-scoped) with short-lived tokens, automatic expiry cleanup, and 401 interceptor. Tokens do not persist across browser sessions. Note: `window.open()` can clone the opener's sessionStorage into the child tab -- all programmatic `window.open` calls must use the `noopener` option and all `<a target="_blank">` links must include `rel="noopener"` to prevent token transfer. Cookie-based auth (httpOnly) is a planned future enhancement tracked separately. |
 
 ### Accepted Risk: Inline Style Attributes
 
diff --git a/src/synthorg/engine/task_engine.py b/src/synthorg/engine/task_engine.py
@@ -186,7 +186,9 @@ async def stop(self, *, timeout: float | None = None) -> None:  # noqa: ASYNC109
 
         await self._drain_processing(effective_timeout)
         # Signal the observer loop that no more events will arrive.
-        self._observer_queue.put_nowait(None)
+        # Use async put (not put_nowait) to avoid QueueFull aborting
+        # shutdown when the observer queue is backed up.
+        await self._observer_queue.put(None)
         observer_budget = max(0.0, deadline - asyncio.get_event_loop().time())
         await self._drain_observer(observer_budget)
 
@@ -767,10 +769,6 @@ async def _observer_dispatch_loop(self) -> None:
                     timeout=self._POLL_INTERVAL_SECONDS,
                 )
             except TimeoutError:
-                # Re-check: if not running and queue empty, the
-                # sentinel may have arrived while we were waiting.
-                if not self._running and self._observer_queue.empty():
-                    break
                 continue
             if event is None:
                 break  # sentinel -- processing loop is done
diff --git a/src/synthorg/engine/workflow/condition_eval.py b/src/synthorg/engine/workflow/condition_eval.py
@@ -191,22 +191,30 @@ def _parse_atom_token(
     pos: int,
     context: Mapping[str, object],
 ) -> tuple[bool, int]:
-    """Parse an atom: parenthesized group or single comparison."""
+    """Parse an atom: parenthesized group or single comparison.
+
+    Raises:
+        ValueError: On missing operand, unclosed parenthesis, or
+            unexpected token.
+    """
     if pos >= len(tokens):
-        return False, pos
+        msg = "Missing operand"
+        raise ValueError(msg)
 
     if tokens[pos] == "(":
         pos += 1  # consume '('
         value, pos = _parse_or(tokens, pos, context)
-        if pos < len(tokens) and tokens[pos] == ")":
-            pos += 1  # consume ')'
-        return value, pos
+        if pos >= len(tokens) or tokens[pos] != ")":
+            msg = "Unclosed parenthesis"
+            raise ValueError(msg)
+        return value, pos + 1  # consume ')'
 
     # Anything else is an atom (comparison or key lookup)
     token = tokens[pos]
-    # Guard: skip bare operators that ended up as atoms
+    # Guard: bare operators that ended up as atoms are a parse error
     if token in ("AND", "OR", "NOT", ")"):
-        return False, pos + 1
+        msg = f"Unexpected token: {token}"
+        raise ValueError(msg)
     return _eval_atom(token, context), pos + 1
 
 
diff --git a/tests/unit/engine/workflow/test_condition_eval.py b/tests/unit/engine/workflow/test_condition_eval.py
@@ -288,7 +288,8 @@ def test_leading_operator(self) -> None:
         assert evaluate_condition("AND true", {}) is False
 
     def test_unclosed_paren(self) -> None:
-        assert evaluate_condition("(a == 1 AND b == 2", {"a": "1", "b": "2"}) is True
+        # Unclosed paren is a parse error -- resolves to False.
+        assert evaluate_condition("(a == 1 AND b == 2", {"a": "1", "b": "2"}) is False
 
     def test_double_not(self) -> None:
         assert evaluate_condition("NOT NOT true", {}) is True
diff --git a/web/src/__tests__/pages/workflow-editor/workflow-to-yaml.test.ts b/web/src/__tests__/pages/workflow-editor/workflow-to-yaml.test.ts
@@ -90,6 +90,8 @@ describe('generateYamlPreview depends_on', () => {
     ]
     const yaml = generateYamlPreview(nodes, edges, 'test', 'agile')
     // parallel_branch edges should emit plain string depends_on
+    expect(yaml).toContain('depends_on')
+    expect(yaml).toContain('- fork')
     expect(yaml).not.toContain('branch:')
   })
 
diff --git a/web/src/__tests__/pages/workflow-editor/yaml-to-nodes.test.ts b/web/src/__tests__/pages/workflow-editor/yaml-to-nodes.test.ts
@@ -119,11 +119,11 @@ workflow_definition:
     - id: yes_step
       type: task
       depends_on:
-        - check
+        - id: check
     - id: no_step
       type: task
       depends_on:
-        - check
+        - id: check
 `
     const result = parseYamlToNodesEdges(yaml)
     expect(result.errors).toHaveLength(0)
diff --git a/web/src/pages/workflow-editor/yaml-to-nodes.ts b/web/src/pages/workflow-editor/yaml-to-nodes.ts
@@ -264,8 +264,10 @@ export function parseYamlToNodesEdges(
           if (sourceStep.type !== 'conditional') {
             warnings.push(`Step '${stepId}': explicit branch '${explicitBranch}' on non-conditional dependency '${depId}'`)
           }
-          // Increment counter so mixed explicit+implicit entries stay in sync
-          if (sourceStep.type === 'conditional' && sourceStep.step.condition) {
+          // Only advance the counter when the true slot is consumed so
+          // a subsequent implicit entry correctly gets the false slot.
+          // Explicit false does NOT advance -- the true slot is still open.
+          if (sourceStep.type === 'conditional' && sourceStep.step.condition && explicitBranch === 'true') {
             const branchIdx = conditionalBranchCounters.get(depId) ?? 0
             conditionalBranchCounters.set(depId, branchIdx + 1)
           }

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,8 @@ describe('generateYamlPreview depends_on', () => {`
`90`	`90`	`]`
`91`	`91`	`const yaml = generateYamlPreview(nodes, edges, 'test', 'agile')`
`92`	`92`	`// parallel_branch edges should emit plain string depends_on`
	`93`	`+ expect(yaml).toContain('depends_on')`
	`94`	`+ expect(yaml).toContain('- fork')`
`93`	`95`	`expect(yaml).not.toContain('branch:')`
`94`	`96`	`})`
`95`	`97`
Original file line number	Diff line number	Diff line change
`@@ -264,8 +264,10 @@ export function parseYamlToNodesEdges(`
`264`	`264`	`if (sourceStep.type !== 'conditional') {`
`265`	`265`	warnings.push(`Step '${stepId}': explicit branch '${explicitBranch}' on non-conditional dependency '${depId}'`)
`266`	`266`	`}`
`267`		`- // Increment counter so mixed explicit+implicit entries stay in sync`
`268`		`- if (sourceStep.type === 'conditional' && sourceStep.step.condition) {`
	`267`	`+ // Only advance the counter when the true slot is consumed so`
	`268`	`+ // a subsequent implicit entry correctly gets the false slot.`
	`269`	`+ // Explicit false does NOT advance -- the true slot is still open.`
	`270`	`+ if (sourceStep.type === 'conditional' && sourceStep.step.condition && explicitBranch === 'true') {`
`269`	`271`	`const branchIdx = conditionalBranchCounters.get(depId) ?? 0`
`270`	`272`	`conditionalBranchCounters.set(depId, branchIdx + 1)`
`271`	`273`	`}`