docs(code-review): re-review 17 changed modules at 1f9de8a2 — 8 new findings
Re-reviewed the modules whose source changed since the last review baseline (full-review remediation `fd618cf1` + InboundAPI Database-helper fixes `b3c90143`), focused on whether the fixes are sound and regression-free. 9 of 17 modules clean; 8 new findings (0 Critical, 0 High, 4 Medium, 4 Low), all code-verified by the orchestrator before recording:

- DataConnectionLayer-029 (Med): DCL-023's unsubscribe-clears-in-flight reopens a double-subscribe window that leaks an orphaned alarm feed; the alarm completion handler overwrites the subscription id without the tag-path guard at line 908.
- InboundAPI-031 (Med): WaitForAttribute's 5s grace backstop is tighter than the CommunicationService Ask's timeout+IntegrationTimeout (30s) round-trip slack, so a slow-but-valid timed-out 'false' arriving in the 5-30s window is cancelled into an unhandled OperationCanceledException/500 (contradicts spec 6 + its own comment).
- SiteRuntime-032 (Med): SiteRuntime-029's wasPresent guard skips the deployed-count decrement when deleting a DISABLED instance (absent from both maps), drifting the health-dashboard tally; self-heals on singleton restart (observational, hence Med).
- StoreAndForward-028 (Med): StoreAndForward-025 resets the register-guard but not _bufferedCount, so a same-instance Stop->Start re-seeds the depth gauge to ~2N.
- AuditLog-017, CentralUI-037, ScriptAnalysis-009, SiteRuntime-033 (Low): a test-coverage gap plus stale doc-comments/spec following the remediation.

Header commit/date bumped to `1f9de8a2` / 2026-06-24 on all 17 modules; README regenerated (8 pending / 576 total).
@@ -5,9 +5,9 @@
| Module | `src/ZB.MOM.WW.ScadaBridge.SiteCallAudit` |
| Design doc | `docs/requirements/Component-SiteCallAudit.md` |
| Status | Reviewed |
| Last reviewed | 2026-06-20 |
| Last reviewed | 2026-06-24 |
| Reviewer | claude-agent |
| Commit reviewed | `4307c381` |
| Commit reviewed | `1f9de8a2` |
| Open findings | 0 |
## Summary
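Review bot: the header bump in the `Last reviewed` and `Commit reviewed` rows replaces the prior baseline (`2026-06-20` / `4307c381`) outright, so after this change the module header no longer records what the re-review was diffed against, and the new re-review section in the same file names the prior review only by date. Consider adding a `Previous commit reviewed` row or citing `4307c381` in the re-review heading so the review chain stays traceable without consulting git history.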
@@ -558,3 +558,26 @@ missing observability.
**Resolution**
Resolved 2026-06-20 (commit `fd618cf1`): `ReconcileSiteAsync` now consumes `response.MoreAvailable` via a within-tick continuation drain bounded by a max-pages guard, with explicit no-progress (single-timestamp-saturation) detection that breaks and logs a Warning instead of re-pulling forever. The XML claim of parity with the sibling reconciler was corrected. Idempotent upsert retained. Tests added.
## Re-review — 2026-06-24 (commit `1f9de8a2`)
Focused re-review of the changes since the prior review — verifying the code-review remediation + feature fixes are sound and regression-free. Reviewed by a per-module workflow agent; findings code-verified by the orchestrator.
**Changes reviewed:** Two remediation items in SiteCallAuditActor.cs. SiteCallAudit-007: a new `_backgroundTimersEnabled` master switch decouples the daily terminal-row purge timer (now gated on this flag alone, since it needs only the repository) from the reconciliation timer (which additionally requires IPullSiteCallsClient/ISiteEnumerator and logs a Warning when they are absent) — the repo-only MSSQL test ctor disables both. SiteCallAudit-009: ReconcileSiteAsync now consumes PullSiteCallsResponse.MoreAvailable to drain a backlog within one tick via a page loop bounded by MaxReconciliationPagesPerTick (50), persisting the cursor per page, breaking on a single-timestamp no-progress pin (maxUpdated <= since) with a Warning, and logging Info on hitting the page ceiling. New tests cover the production-ctor-without-collaborators purge path, the multi-page within-tick drain, and the no-progress-pin bound.
**Verdict:** The changed code is sound and regression-free. The SiteCallAudit-007 decoupling correctly fixes the unbounded-growth risk (a host omitting the reconciliation client now still purges), and the master-switch design keeps the MSSQL read/upsert tests free of scheduled side effects. The SiteCallAudit-009 continuation drain guarantees forward progress (no-progress pin break), bounds dispatcher occupancy (50-page ceiling), and relies on the existing monotonic/idempotent upsert to dedupe the inclusive-boundary re-pull; per-page cursor persistence preserves already-drained rows across a later-page fault caught by the per-site try/catch. XML doc comments and constructor comments were updated consistently with the new behaviour, and new unit tests exercise all three remediation paths. The project builds clean (0 warnings, 0 errors) and all referenced test/options members exist.
| # | Category | Examined | Notes |
|---|----------|----------|-------|
| 1 | Correctness & logic bugs | ☑ | MoreAvailable drain terminates: no-progress pin (maxUpdated<=since) breaks, page ceiling bounds the loop, inclusive >= boundary re-pull deduped by monotonic upsert. Purge/reconciliation gating logic correct. No issues found. |
| 2 | Akka.NET conventions | ☑ | Self-tick scheduling unchanged in pattern; handlers stay alive via per-site/per-tick try/catch; PipeTo used on read/relay paths; Sender captured before await. Timer arming in PreStart, cancel in PostStop. No issues found. |
| 3 | Concurrency & thread safety | ☑ | _reconciliationCursors and per-page cursor mutated only on the actor thread inside the awaited tick handler; no captured this/sender in the new loop closures. No shared mutable state introduced. No issues found. |
| 4 | Error handling & resilience | ☑ | Per-site fault isolation retained; per-page cursor persistence keeps drained rows on a later-page throw; no-progress and ceiling cases logged at Warning/Info respectively. Purge continue-on-error unchanged. No issues found. |
| 5 | Security | ☑ | No new external input, SQL, secrets, or logging of sensitive data; site id and timestamps logged are not sensitive. No issues found. |
| 6 | Performance & resource management | ☑ | Within-tick drain is bounded at 50 pages x batch-size; DI scope opened once per tick and awaited-disposed (CreateAsyncScope) — pre-existing pattern, not regressed by holding it across up to 50 awaited upsert pages. No issues found. |
| 7 | Design-document adherence | ☑ | Matches Component-SiteCallAudit.md: self-heal pull (Reconciliation), 365-day terminal purge (Retention), eventually-consistent mirror. SiteCallAudit-007 strengthens the unbounded-growth guard the doc implies. No drift found. |
| 8 | Code organization & conventions | ☑ | New const MaxReconciliationPagesPerTick and _backgroundTimersEnabled field placed and documented consistently with surrounding style; ctors set the flag explicitly. No issues found. |
| 9 | Testing coverage | ☑ | New tests cover all three paths: production-ctor-no-collaborators purge (SiteCallAudit-007), multi-page within-tick drain with cursor advance assertion, and single-timestamp saturation pin bound (<10 pulls vs 50 ceiling). Test helpers verified present. No gaps found. |
| 10 | Documentation & comments | ☑ | Class-level and ctor XML docs accurately rewritten to describe independent purge/reconciliation preconditions and the MoreAvailable continuation drain; comments match the implemented behaviour. No issues found. |
_No new findings — the changes in this module are clean._
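Review bot: the no-progress pin described under **Changes reviewed** and in row 1 (break on `maxUpdated <= since` with a Warning) is documented as guaranteeing termination, but the section never states what happens to rows sharing that single timestamp beyond the first page: with the inclusive `>=` boundary and the cursor left at `since`, the next tick re-pulls the same page and breaks again, so those rows are never mirrored. Row 1 or row 4 should state explicitly whether that is accepted loss for the eventually-consistent mirror or whether some other path (for example a later update bumping the row's timestamp) recovers them, and row 4 should confirm the Warning carries the site id and `since` value so an operator can act on it.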