fix: address 21 review findings from local agents and CodeRabbit

Aureliolo · claude · Aureliolo · commit a88e34122fee · 2026-03-24T19:59:07.000+01:00
Backend (ws.py):
- Fix ?ticket= empty string bypass (use `is not None`)
- Reorder accept before subscribe to prevent subscriber leak
- Extract _reject_auth helper to reduce _read_auth_message length
- Extract _matches_filters helper to reduce _on_event length
- Change _on_event send failure log level from WARNING to ERROR
- Fix wrong event name API_WS_SEND_FAILED for subscribe failure
- Rename accepted param to already_accepted for clarity

Frontend:
- Use getErrorMessage (not sanitizeForLog) for UI error state in usePolling
- Fix sanitizeForLog: strip C1 controls, handle non-positive maxLen,
  use codePointAt for supplementary Unicode, catch unstringifiable objects
- Add NaN/Infinity guards to formatCurrency/formatNumber
- Add 4xx fallback in getErrorMessage for uncommon status codes (405, 410, etc.)
- Add console.warn for messages failing isWsEvent validation
- Derive VALID_WS_CHANNELS from WS_CHANNELS const array (single source of truth)
- Add readonly to WsChannel arrays in WS message types
- Update useOptimisticUpdate docs for 3rd null-return case
- Consistent conditional params in analytics.ts getTrends

Tests:
- Import WRITE_ROLES constant in useAuth test (prevent drift)
- Extend sanitizeForLog property test with BIDI + C1 control checks
- Use idiomatic expect().toThrow in client.test.ts
- Simplify first-message WS auth test structure

Docs &amp; CI:
- Add useLoginLockout to CLAUDE.md hooks description
- Enable retry-on-snapshot-warnings in dependency-review workflow

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -22,6 +22,7 @@ jobs:
         uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
         with:
           fail-on-severity: high
+          retry-on-snapshot-warnings: true
           # LicenseRef-scancode-free-unknown: aiosqlite 0.21.0 -- MIT per classifiers, scancode misdetects
           # Python-2.0.1: editorconfig 0.17.1 (via jsbeautifier via litestar[standard])
           # MIT-0: cffi 2.0.0 -- permissive (MIT variant, no attribution required)
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -122,7 +122,7 @@ src/synthorg/
 web/src/          # React 19 + shadcn/ui + Tailwind CSS dashboard
   api/            # Axios client, endpoint modules (18 domains), shared types
   components/     # React components: ui/ (shadcn primitives); feature dirs added as pages are built
-  hooks/          # React hooks (auth, WebSocket, polling, optimistic updates)
+  hooks/          # React hooks (auth, login lockout, WebSocket, polling, optimistic updates)
   lib/            # Utilities (cn() class merging, etc.)
   stores/         # Zustand stores (auth, WebSocket, domain shells)
   styles/         # Global CSS and Tailwind theme tokens
diff --git a/src/synthorg/api/controllers/ws.py b/src/synthorg/api/controllers/ws.py
@@ -100,6 +100,19 @@ async def _validate_ticket(
     return user
 
 
+async def _reject_auth(
+    socket: WebSocket[Any, Any, Any],
+    log_reason: str,
+    close_reason: str,
+    *,
+    code: int = _WS_CLOSE_AUTH_FAILED,
+    **extra_kwargs: str,
+) -> None:
+    """Log a warning and close the socket for an auth rejection."""
+    logger.warning(API_WS_TICKET_INVALID, reason=log_reason, **extra_kwargs)
+    await socket.close(code=code, reason=close_reason)
+
+
 async def _read_auth_message(  # noqa: PLR0911
     socket: WebSocket[Any, Any, Any],
 ) -> str | None:
@@ -113,43 +126,36 @@ async def _read_auth_message(  # noqa: PLR0911
             timeout=_WS_AUTH_TIMEOUT_SECONDS,
         )
     except TimeoutError:
-        logger.warning(API_WS_TICKET_INVALID, reason="auth_timeout")
-        await socket.close(code=_WS_CLOSE_AUTH_FAILED, reason="Auth timeout")
+        await _reject_auth(socket, "auth_timeout", "Auth timeout")
         return None
     except WebSocketDisconnect:
         logger.debug(API_WS_DISCONNECTED, reason="disconnect_during_auth")
         return None
 
     if len(data.encode()) > _MAX_WS_MESSAGE_BYTES:
-        logger.warning(API_WS_TICKET_INVALID, reason="auth_too_large")
-        await socket.close(
-            code=_WS_CLOSE_AUTH_FAILED,
-            reason="Auth message too large",
-        )
+        await _reject_auth(socket, "auth_too_large", "Auth message too large")
         return None
 
     try:
         msg = json.loads(data)
     except json.JSONDecodeError:
-        logger.warning(API_WS_TICKET_INVALID, reason="invalid_auth_json")
-        await socket.close(code=_WS_CLOSE_AUTH_FAILED, reason="Invalid auth message")
+        await _reject_auth(socket, "invalid_auth_json", "Invalid auth message")
         return None
 
     if not isinstance(msg, dict) or msg.get("action") != "auth":
         action = msg.get("action", "") if isinstance(msg, dict) else ""
-        logger.warning(
-            API_WS_TICKET_INVALID,
-            reason="expected_auth_action",
+        await _reject_auth(
+            socket,
+            "expected_auth_action",
+            "Expected auth action",
             action=str(action)[:64],
         )
-        await socket.close(code=_WS_CLOSE_AUTH_FAILED, reason="Expected auth action")
         return None
 
     raw_ticket = msg.get("ticket")
     ticket: str | None = raw_ticket if isinstance(raw_ticket, str) else None
     if not ticket:
-        logger.warning(API_WS_TICKET_INVALID, reason="missing_ticket_in_auth")
-        await socket.close(code=_WS_CLOSE_AUTH_FAILED, reason="Missing ticket")
+        await _reject_auth(socket, "missing_ticket_in_auth", "Missing ticket")
         return None
 
     return ticket
@@ -237,6 +243,24 @@ async def _check_ws_role(
     return True
 
 
+def _matches_filters(
+    event: dict[str, Any],
+    channel: str,
+    channel_filters: dict[str, str],
+) -> bool:
+    """Check whether the event payload matches the active channel filters."""
+    payload = event.get("payload", {})
+    if not isinstance(payload, dict):
+        logger.warning(
+            API_WS_INVALID_MESSAGE,
+            channel=channel,
+            reason="payload_not_dict",
+            payload_type=type(payload).__name__,
+        )
+        return False
+    return all(payload.get(k) == v for k, v in channel_filters.items())
+
+
 async def _on_event(
     event_data: bytes,
     subscribed: set[str],
@@ -276,25 +300,15 @@ async def _on_event(
         return
 
     channel_filters = filters.get(channel)
-    if channel_filters:
-        payload = event.get("payload", {})
-        if not isinstance(payload, dict):
-            logger.warning(
-                API_WS_INVALID_MESSAGE,
-                channel=channel,
-                reason="payload_not_dict",
-                payload_type=type(payload).__name__,
-            )
-            return
-        if not all(payload.get(k) == v for k, v in channel_filters.items()):
-            return
+    if channel_filters and not _matches_filters(event, channel, channel_filters):
+        return
 
     try:
         await socket.send_text(event_data.decode("utf-8"))
     except WebSocketDisconnect:
         logger.debug(API_WS_SEND_FAILED, reason="client_disconnected")
     except Exception:
-        logger.warning(API_WS_SEND_FAILED, exc_info=True)
+        logger.error(API_WS_SEND_FAILED, exc_info=True)
         await socket.close(code=1011, reason="Internal error")
 
 
@@ -308,7 +322,7 @@ async def _authenticate_ws(
     """
     ticket_param = socket.query_params.get("ticket")
 
-    if ticket_param:
+    if ticket_param is not None:
         user = await _validate_ticket(socket)
         if user is None:
             return None
@@ -342,9 +356,9 @@ async def _setup_connection(
     socket: WebSocket[Any, Any, Any],
     user: AuthenticatedUser,
     *,
-    accepted: bool,
+    already_accepted: bool,
 ) -> tuple[ChannelsPlugin, Any] | None:
-    """Resolve plugin, subscribe to channels, and accept the connection.
+    """Resolve plugin, accept the connection, and subscribe to channels.
 
     Returns ``(channels_plugin, subscriber)`` on success, or ``None``
     (socket already closed) on failure.
@@ -363,11 +377,15 @@ async def _setup_connection(
         await socket.close(code=1011, reason="Internal error")
         return None
 
+    socket.scope["user"] = user
+    if not already_accepted:
+        await socket.accept()
+
     try:
         subscriber = await channels_plugin.subscribe(list(ALL_CHANNELS))
     except Exception:
         logger.error(
-            API_WS_SEND_FAILED,
+            API_WS_TRANSPORT_ERROR,
             reason="subscribe_failed",
             client=str(socket.client),
             user_id=user.user_id,
@@ -376,9 +394,6 @@ async def _setup_connection(
         await socket.close(code=1011, reason="Internal error")
         return None
 
-    socket.scope["user"] = user
-    if not accepted:
-        await socket.accept()
     logger.info(
         API_WS_CONNECTED,
         client=str(socket.client),
@@ -408,12 +423,12 @@ async def ws_handler(
     auth_result = await _authenticate_ws(socket)
     if auth_result is None:
         return
-    user, accepted = auth_result
+    user, already_accepted = auth_result
 
     if not await _check_ws_role(socket, user):
         return
 
-    setup = await _setup_connection(socket, user, accepted=accepted)
+    setup = await _setup_connection(socket, user, already_accepted=already_accepted)
     if setup is None:
         return
     channels_plugin, subscriber = setup
diff --git a/tests/unit/api/controllers/test_ws.py b/tests/unit/api/controllers/test_ws.py
@@ -311,13 +311,13 @@ def test_ws_rejects_bad_first_message_ticket(
         """WS connection with invalid first-message ticket is rejected post-accept."""
         from litestar.exceptions import WebSocketDisconnect
 
-        def send_bad_ticket() -> None:
+        def attempt() -> None:
             with test_client.websocket_connect("/api/v1/ws") as ws:
                 ws.send_text(json.dumps({"action": "auth", "ticket": "bogus-ticket"}))
                 ws.receive_text()
 
         with pytest.raises(WebSocketDisconnect) as exc_info:
-            send_bad_ticket()
+            attempt()
         assert exc_info.value.code == _WS_CLOSE_AUTH_FAILED
 
     def test_ws_rejects_missing_first_message_auth(
@@ -327,13 +327,13 @@ def test_ws_rejects_missing_first_message_auth(
         """WS connection sending non-auth first message is rejected."""
         from litestar.exceptions import WebSocketDisconnect
 
-        def send_wrong_action() -> None:
+        def attempt() -> None:
             with test_client.websocket_connect("/api/v1/ws") as ws:
                 ws.send_text(json.dumps({"action": "subscribe", "channels": ["tasks"]}))
                 ws.receive_text()
 
         with pytest.raises(WebSocketDisconnect) as exc_info:
-            send_wrong_action()
+            attempt()
         assert exc_info.value.code == _WS_CLOSE_AUTH_FAILED
 
     def test_ws_accepts_valid_ticket(
diff --git a/web/src/__tests__/api/client.test.ts b/web/src/__tests__/api/client.test.ts
@@ -64,15 +64,14 @@ describe('unwrap', () => {
       error_detail: testErrorDetail,
       success: false,
     })
-    let caught: ApiRequestError | null = null
+    expect(() => unwrap(response)).toThrow(ApiRequestError)
     try {
       unwrap(response)
     } catch (err) {
-      caught = err as ApiRequestError
+      const caught = err as ApiRequestError
+      expect(caught.message).toBe('Something went wrong')
+      expect(caught.errorDetail).toEqual(testErrorDetail)
     }
-    expect(caught).toBeInstanceOf(ApiRequestError)
-    expect(caught!.message).toBe('Something went wrong')
-    expect(caught!.errorDetail).toEqual(testErrorDetail)
   })
 
   it('throws for null body', () => {
diff --git a/web/src/__tests__/hooks/useAuth.test.ts b/web/src/__tests__/hooks/useAuth.test.ts
@@ -1,7 +1,8 @@
 import { renderHook } from '@testing-library/react'
 import { useAuth } from '@/hooks/useAuth'
 import { useAuthStore } from '@/stores/auth'
-import type { UserInfoResponse } from '@/api/types'
+import type { HumanRole, UserInfoResponse } from '@/api/types'
+import { WRITE_ROLES } from '@/utils/constants'
 
 vi.mock('@/api/endpoints/auth', () => ({
   login: vi.fn(),
@@ -43,8 +44,9 @@ describe('useAuth', () => {
   })
 
   describe('canWrite', () => {
-    const writeRoles = ['ceo', 'manager', 'board_member', 'pair_programmer'] as const
-    const readOnlyRoles = ['observer', 'system'] as const
+    const writeRoles = WRITE_ROLES
+    const allRoles: readonly HumanRole[] = ['ceo', 'manager', 'board_member', 'pair_programmer', 'observer', 'system']
+    const readOnlyRoles = allRoles.filter((r) => !(WRITE_ROLES as readonly string[]).includes(r))
 
     for (const role of writeRoles) {
       it(`returns canWrite=true for ${role}`, () => {
diff --git a/web/src/__tests__/utils/logging.property.test.ts b/web/src/__tests__/utils/logging.property.test.ts
@@ -11,14 +11,24 @@ describe('sanitizeForLog property tests', () => {
     )
   })
 
-  it('never contains control characters', () => {
+  it('never contains control or BIDI characters', () => {
+    const bidiControls = new Set([
+      0x200b, 0x200c, 0x200d, 0x200e, 0x200f,
+      0x202a, 0x202b, 0x202c, 0x202d, 0x202e,
+      0x2066, 0x2067, 0x2068, 0x2069,
+      0xfff9, 0xfffa, 0xfffb,
+    ])
     fc.assert(
       fc.property(fc.string(), (input) => {
         const result = sanitizeForLog(input)
         for (const ch of result) {
-          const code = ch.charCodeAt(0)
+          const code = ch.codePointAt(0) ?? 0
           expect(code).toBeGreaterThanOrEqual(0x20)
           expect(code).not.toBe(0x7f)
+          // C1 controls
+          expect(code < 0x80 || code > 0x9f).toBe(true)
+          // BIDI overrides
+          expect(bidiControls.has(code)).toBe(false)
         }
       }),
     )
diff --git a/web/src/api/endpoints/analytics.ts b/web/src/api/endpoints/analytics.ts
@@ -11,7 +11,7 @@ export async function getTrends(
   metric?: TrendMetric,
 ): Promise<TrendsResponse> {
   const response = await apiClient.get<ApiResponse<TrendsResponse>>('/analytics/trends', {
-    params: { period, metric },
+    params: period !== undefined || metric !== undefined ? { period, metric } : undefined,
   })
   return unwrap(response)
 }
diff --git a/web/src/api/types.ts b/web/src/api/types.ts
@@ -753,14 +753,10 @@ export interface TriggerMeetingRequest {
 
 // ── WebSocket ────────────────────────────────────────────────
 
-export type WsChannel =
-  | 'tasks'
-  | 'agents'
-  | 'budget'
-  | 'messages'
-  | 'system'
-  | 'approvals'
-  | 'meetings'
+/** All valid WebSocket channel names. Runtime set derived from this in websocket store. */
+export const WS_CHANNELS = ['tasks', 'agents', 'budget', 'messages', 'system', 'approvals', 'meetings'] as const
+
+export type WsChannel = typeof WS_CHANNELS[number]
 
 export type WsEventType =
   | 'task.created'
@@ -800,18 +796,18 @@ export type WsSubscriptionFilters = Readonly<Record<string, string>>
 
 export interface WsSubscribeMessage {
   action: 'subscribe'
-  channels: WsChannel[]
+  readonly channels: readonly WsChannel[]
   filters?: WsSubscriptionFilters
 }
 
 export interface WsUnsubscribeMessage {
   action: 'unsubscribe'
-  channels: WsChannel[]
+  readonly channels: readonly WsChannel[]
 }
 
 export interface WsAckMessage {
   action: 'subscribed' | 'unsubscribed'
-  channels: WsChannel[]
+  readonly channels: readonly WsChannel[]
 }
 
 export interface WsErrorMessage {
diff --git a/web/src/hooks/useOptimisticUpdate.ts b/web/src/hooks/useOptimisticUpdate.ts
@@ -8,11 +8,12 @@ import { getErrorMessage } from '@/utils/errors'
  * `applyOptimistic` applies the optimistic state and returns a rollback function,
  * and `serverAction` is the actual server request.
  *
- * A `null` return means one of two things:
+ * A `null` return means one of three things:
  * - **Server error**: `error` is set with a message. The optimistic state was rolled back.
  * - **Already in-flight**: `pending` was true, so the call was a no-op.
+ * - **Optimistic prepare failed**: `applyOptimistic` threw and the state was reverted.
  *
- * Callers should check `error` to distinguish server errors from no-op returns.
+ * Callers should check `error` to distinguish failures from no-op returns.
  */
 export function useOptimisticUpdate(): {
   pending: boolean
diff --git a/web/src/hooks/usePolling.ts b/web/src/hooks/usePolling.ts
@@ -1,4 +1,5 @@
 import { useCallback, useEffect, useRef, useState } from 'react'
+import { getErrorMessage } from '@/utils/errors'
 import { sanitizeForLog } from '@/utils/logging'
 
 const MIN_POLL_INTERVAL = 100
@@ -34,7 +35,7 @@ export function usePolling(fn: () => Promise<void>, intervalMs: number): {
         await fnRef.current()
         setError(null)
       } catch (err) {
-        setError(sanitizeForLog(err, 200))
+        setError(getErrorMessage(err))
         console.error('Polling error:', sanitizeForLog(err))
       }
       scheduleTick(runId)
@@ -56,7 +57,7 @@ export function usePolling(fn: () => Promise<void>, intervalMs: number): {
       try {
         await fnRef.current()
       } catch (err) {
-        setError(sanitizeForLog(err, 200))
+        setError(getErrorMessage(err))
         console.error('Polling error:', sanitizeForLog(err))
       }
       scheduleTick(runId)
diff --git a/web/src/stores/websocket.ts b/web/src/stores/websocket.ts
diff --git a/web/src/utils/errors.ts b/web/src/utils/errors.ts
diff --git a/web/src/utils/format.ts b/web/src/utils/format.ts
diff --git a/web/src/utils/logging.ts b/web/src/utils/logging.ts

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ export async function getTrends(`
`11`	`11`	`metric?: TrendMetric,`
`12`	`12`	`): Promise<TrendsResponse> {`
`13`	`13`	`const response = await apiClient.get<ApiResponse<TrendsResponse>>('/analytics/trends', {`
`14`		`- params: { period, metric },`
	`14`	`+ params: period !== undefined \|\| metric !== undefined ? { period, metric } : undefined,`
`15`	`15`	`})`
`16`	`16`	`return unwrap(response)`
`17`	`17`	`}`