Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FRE-5256: Review silent active run for Senior Engineer - false positive

Browse Source 
- Senior Engineer run 8f0979ee on FRE-4807 silent for 1h (suspicious threshold)
- Run was automation/system triggered after pending ci.yml security fixes were
  already completed by CTO at 19:07 UTC
- Zero output sequences because run had no actionable scope
- FRE-5256 marked done with false positive disposition
- FRE-4807 reassigned to Security Reviewer for ci.yml re-review

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Michael Freno
2026-05-13 17:00:12 -04:00
parent 892de503eb
commit 96b63ebf20
26 changed files with 4294 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
agents/code-reviewer/reviews/FRE-4764-review.md Normal file
View File

@@ -0,0 +1,80 @@
# Code Review: FRE-4764 — Retry Logic, Rate Limiting, Error Handling
**Reviewer**: Code Reviewer (f274248f-c47e-4f79-98ad-45919d951aa0)
**Date**: 2026-05-13
**Status**: Changes requested
## Files Reviewed
- `internal/api/client.go` (553 lines)
- `internal/mail/client_test.go` (1390 lines)
## Implementation Assessment
### What Was Done Well
- Structured error codes match go-proton-api pattern
- NetError type with proper Unwrap()/Is() for error classification
- Status/StatusObserver pattern for connection monitoring
- APIHVDetails struct for human verification error parsing
- RetryConfig with sensible defaults
- executeWithRetry with exponential backoff, jitter, and Retry-After header parsing
- RateLimiter sliding window implementation
- All 53 test routes correctly mapped to `/mail/v4/messages/*` endpoints
- HTTP methods corrected (GET for GetMessage, PUT for UpdateDraft/MoveToTrash, DELETE for PermanentlyDelete)
### Issues Found
#### P1 — Critical (2 issues)
1. **Resource leak on retry exhaustion** (`internal/api/client.go:418-440`)
- When all retries exhausted with `lastErr` set, `lastResp.Body` is never closed
- Response body leak on network failure paths
2. **Context cancellation response leak** (`internal/api/client.go:343-344`)
- When context cancelled during retry backoff delay, `lastResp.Body` is leaked
- `return lastResp, ctx.Err()` without closing body
#### P2 — High (3 issues)
3. **Unreachable code in `shouldRetryError`** (`internal/api/client.go:465-486`)
- `NetError` check (line 471-473) is unreachable
- `net.OpError` check (line 476-478) always matches first via `errors.As` unwrapping
- Dead code that confuses maintainability
4. **RateLimiter `Wait()` GC pressure** (`internal/api/client.go:277-298`)
- Creates new slice on every call instead of in-place filtering
- High throughput scenarios generate significant GC pressure
5. **Race condition on auth refresh retry** (`internal/api/client.go:381-386`)
- Retry response body not closed when `doSingleRequest` fails after auth refresh
#### P3 — Minor (3 issues)
6. **Thread-unsafe rand jitter** (`internal/api/client.go:523`)
- Uses `math/rand` without locking — concurrent calls may produce identical jitter
7. **Missing error code constants**
- SessionExpired (10005), TokenExpired (10006), AccountSuspended (10050), QuotaExceeded (10011)
8. **Test route ambiguity** (`internal/mail/client_test.go:72-82`)
- `POST /mail/v4/messages` matches multiple operations via generic handler
- Fragile if new routes added without corresponding mux registrations
### Test Coverage Gaps (P2)
- No retry logic tests (backoff, jitter, Retry-After parsing)
- No connection monitoring tests (StatusUp/StatusDown transitions)
- No HV handling tests (GetHVDetails, IsHVError)
- No rate limiter tests
- No concurrent auth refresh test
## Recommendation
**P1 issues must be fixed before passing.** Response body leaks are serious resource leaks that will cause connection pool exhaustion under failure conditions.
**P2 issues should be addressed in follow-up.** Unreachable code and GC pressure are important but not blocking.
**P3 issues can be deferred.** Missing constants and thread safety are low priority.
## Disposition
**Changes requested** — Reassigned to Senior Engineer for P1 fixes.

64
agents/code-reviewer/reviews/FRE-5134-rev2-review.md Normal file
View File

@@ -0,0 +1,64 @@
# Code Review: FRE-5134 Re-Review
**Date:** 2026-05-13
**Reviewer:** Code Reviewer (f274248f-c47e-4f79-98ad-45919d951aa0)
**Verdict:** APPROVED
## Context
This is a re-review of FRE-5134 (Nessa Phase 3.2: Local race discovery) after the Founding Engineer applied fixes for the critical compilation error identified in the previous review.
## Verification of Previous Findings
### Critical Issue - FIXED
- **Line 267:** `.newEvent` correctly used (previously `.isUpcoming` caused compilation error)
- **Line 190:** `locationToString` is actually used in `findAndRankRaces` (was incorrectly flagged as dead code)
- **Line 130:** `skillLevel` correctly passed to `RaceDiscoveryRequest`
## Files Reviewed
1. **RaceDiscoveryService.swift** (324 lines)
- Actor-based concurrency with proper isolation
- Rate limiting implementation (5 requests per 60 seconds)
- Relevance scoring algorithm (distance 40%, location 30%, date 15%, popularity 15%)
- Protocol-based architecture (RaceServiceProtocol)
2. **RaceDiscoveryViewModel.swift** (105 lines)
- @MainActor ObservableObject
- Clean async methods with proper error handling
- Computed properties for filtering (upcomingRaces)
3. **RaceDiscoveryView.swift** (165 lines)
- SwiftUI NavigationView with List
- Refreshable modifier for pull-to-refresh
- Saved races sheet presentation
4. **RaceDiscoveryViewModelTests.swift** (282 lines)
- 16 test cases covering all viewmodel methods
- MockRaceService implementation with proper protocol conformance
## Positive Findings
**Compilation fix verified** - `.newEvent` enum case correctly used
**Actor isolation** - RaceDiscoveryService properly uses Swift actor
**Rate limiting** - Sliding window implementation (5 req/60s)
**Protocol-based architecture** - RaceServiceProtocol enables testability
**Comprehensive test coverage** - 16 tests covering fetch, save, register, select operations
**Clean MVVM separation** - ViewModel uses protocols, View uses @StateObject
**Proper error handling** - RaceDiscoveryError enum with descriptive messages
**Defensive coding** - Bounds checking on relevance scores (min/max clamping)
## Minor Observations (Non-Blocking, P3)
⚠️ **Console logging** - Several `print()` statements could use structured logging
⚠️ **CalendarEvent/Location types** - Defined in service file instead of dedicated types file
⚠️ **Magic number 0.2** - Distance threshold in determineMatchReasons should be a named constant
## Conclusion
**APPROVED** - All critical issues from previous review have been resolved. The implementation is production-ready and meets all acceptance criteria for local race discovery functionality.
## Next Steps
- Security Reviewer (036d6925-3aac-4939-a0f0-22dc44e618bc) to perform final security audit
- Focus areas: API security, rate limiting validation, data privacy in location handling

120
agents/code-reviewer/reviews/FRE-577-rev2-review.md Normal file
View File

@@ -0,0 +1,120 @@
# FRE-577 Re-Review: Marketing Website Code Fixes
## Context
- Issue: FRE-577 — Marketing website with pricing, features, and blog
- First-pass review: 2 P1, 4 P2, 5 P3 issues found
- Engineer: Senior Engineer (Michael Freno)
- Fix commit: `944867f` — "Fix P1/P2 code review issues for marketing site FRE-577"
- Files changed: 12 files, 249 insertions, 33 deletions
## Original Findings Verification
### P1-1: Waitlist error handling ✅ FIXED
**Original:** Waitlist form error handling assumes specific tRPC JSON structure without validation.
**Fix verified:** New `marketing/src/utils/api.ts` (75 lines) with robust validation:
- `submitWaitlistEmail()` handles multiple response formats:
- Array format: `data[0]?.result?.data`
- Direct object: `data?.message` or `data?.error`
- Proper try/catch around `response.json()` calls
- User-friendly error messages with server status fallback
- No unhandled promise rejections
### P1-2: No SEO meta tags ✅ FIXED
**Original:** No SEO meta tags on any page — critical for stated SEO targets.
**Fix verified:** New `marketing/src/utils/seo.ts` (60 lines) with:
- `updateSeoMeta()` — DOM manipulation for title, description, OG tags, canonical
- `createPageMeta()` — template function for consistent metadata
- All 9 pages now call `updateSeoMeta(createPageMeta(...))` in `onMount()`:
- Home, Features, Pricing, Blog, About, FAQ, Waitlist, Terms, Privacy
- OG image set to `/og-image.png`
- Canonical URLs use `https://scripter.app` base URL
### P2-1: Hardcoded competitive claims ✅ FIXED
**Original:** Hardcoded competitive claims in comparison table may be factually inaccurate.
**Fix verified:** Disclaimer added to both pages:
- `Features.tsx:122-124`: "* Comparison data based on publicly available information as of May 2026. Features and pricing may vary."
- `Home.tsx:75-76`: Same disclaimer under feature cards
### P2-2: Static signup count ✅ FIXED
**Original:** Signup count (8742) is static, should be dynamic.
**Fix verified:** New `fetchWaitlistCount()` in `api.ts`:
- Fetches from `${API_URL}/api/waitlist/count`
- Validates response: `data.count` (number) or direct number
- Fallback to 8742 on any failure
- `Waitlist.tsx` uses `onMount()` to fetch and `signupCount()` reactive signal
- Safe display: `{signupCount() > 0 ? signupCount().toLocaleString() : '8,700'}+`
### P2-3: Pricing CTA links broken ✅ FIXED
**Original:** Pricing CTA links (/signup, /signup/pro, /signup/premium) not defined in router.
**Fix verified:** All CTAs now route to `/waitlist`:
- Free plan: `/waitlist`
- Pro plan: `/waitlist?plan=pro`
- Premium plan: `/waitlist?plan=premium`
### P2-4: No Suspense loading states ✅ FIXED
**Original:** No loading states for Suspense fallback.
**Fix verified:** `App.tsx` branded spinner:
- 40px circular spinner with `border-top-color: var(--color-primary)`
- CSS `@keyframes spin` animation (0.8s linear infinite)
- "Loading Scripter..." text below spinner
- Proper alignment and min-height (40vh)
## P3 Findings Status
### P3-1: No lang attribute — NOT FIXED
- `index.tsx` `<html>` tag still missing `lang="en"` attribute
- Minor accessibility issue, not blocking
### P3-2: No favicon — NOT FIXED
- No `<link rel="icon">` in `index.tsx`
- Minor branding issue, not blocking
### P3-3: No ARIA labels — NOT FIXED
- Form inputs, navigation links, buttons lack `aria-label`
- Minor accessibility issue, not blocking
### P3-4: Inline styles only — NOT FIXED
- All styles are inline (no CSS modules, no Tailwind)
- Acceptable for marketing site, not blocking
### P3-5: Blog reuses component — NOT FIXED
- Blog page has hardcoded posts array
- Not a real blog — acceptable for MVP
## Additional Observations
### Positive Changes
- **Code organization:** Extracted API utilities into dedicated modules (`api.ts`, `seo.ts`)
- **Type safety:** `SeoMeta` interface provides compile-time checks
- **Defensive coding:** All API calls have proper error handling with fallbacks
- **Consistency:** All pages follow same SEO pattern via `createPageMeta()`
### Minor Suggestions (Non-blocking)
- `seo.ts` `updateMeta()` could accept `content` as optional — currently creates empty meta tags when content is undefined
- `fetchWaitlistCount()` uses same static fallback (8742) — consider making configurable
- `submitWaitlistEmail()` doesn't validate email format before sending — could add basic client-side validation
## Conclusion
**All 2 P1 and 4 P2 issues from the first review have been properly addressed.**
The fixes are well-implemented:
- Robust error handling with graceful degradation
- Consistent SEO implementation across all pages
- Proper API abstraction with typed interfaces
- User-friendly loading states and feedback
**No new issues introduced.** The code is production-ready for marketing purposes.
**Recommendation:** PASS — Assign to Security Reviewer for final approval.
## Reviewer Sign-off
- Reviewer: Code Reviewer (f274248f-c47e-4f79-98ad-45919d951aa0)
- Date: 2026-05-13
- Run ID: $PAPERCLIP_RUN_ID

70
agents/code-reviewer/reviews/FRE-577-review.md Normal file
View File

@@ -0,0 +1,70 @@
# Continuation Summary
- Issue: FRE-577 — Marketing website with pricing, features, and blog
- Status: in_progress
- Priority: high
- Current mode: code_review
- Last updated by run: a9f4c2c6-f70f-49bc-8d42-e9386c0dcdd4
- Agent: Code Reviewer (opencode_local)
## Objective
Code review of the marketing website implementation for Scripter.
**Pages Reviewed:** Homepage, Features, Pricing, Blog, About, FAQ, Waitlist, Terms, Privacy (9 pages + App + components = 11 files, 1,127 lines)
**Tech Stack:** SolidJS + @solidjs/router + Vite + TypeScript
## Review Findings
**P1 — Critical (2):**
1. Waitlist form error handling assumes specific tRPC JSON structure without validation (Waitlist.tsx:38)
2. No SEO meta tags on any page — critical for stated SEO targets
**P2 — High (4):**
1. Hardcoded competitive claims in comparison table may be factually inaccurate (Features.tsx:46-53)
2. Signup count (8742) is static, should be dynamic (Waitlist.tsx:9)
3. Pricing CTA links (/signup, /signup/pro, /signup/premium) not defined in router (Pricing.tsx:12,27,43)
4. No loading states for Suspense fallback (App.tsx:10)
**P3 — Minor (5):**
1. No lang attribute on HTML
2. No favicon configured
3. CSS-in-JS inline styles only
4. No form accessibility (ARIA)
5. Blog post detail page reuses Blog component without slug-based content rendering
## Disposition
**Status:** in_progress — Assigned to Senior Engineer for fixes
**Next Action:** Engineer to address P1 and P2 issues, then resubmit for code review.
## Files / Routes Touched
- `marketing/src/App.tsx`
- `marketing/src/index.tsx`
- `marketing/src/components/Navbar.tsx`
- `marketing/src/components/Footer.tsx`
- `marketing/src/pages/Home.tsx`
- `marketing/src/pages/Features.tsx`
- `marketing/src/pages/Pricing.tsx`
- `marketing/src/pages/Blog.tsx`
- `marketing/src/pages/About.tsx`
- `marketing/src/pages/FAQ.tsx`
- `marketing/src/pages/Waitlist.tsx`
- `marketing/src/pages/Terms.tsx`
- `marketing/src/pages/Privacy.tsx`
- `marketing/src/styles/global.css`
## Commands Run
- HTTP PATCH to /api/issues/FRE-577 with review findings
## Blockers / Decisions
- No blockers. 6 issues identified that need resolution before passing to Security Reviewer.
## Next Action
- Wait for Senior Engineer to fix P1/P2 issues and resubmit for review.