Joseph Doherty
d190345ef0
13 well-bounded test-coverage gaps closed across 11 test projects.
Net +35 regression tests; no production code changes except the
SiteEventLogger src reference unchanged (W3 redacted only test code).
Test additions:
- CLI-022: CommandTreeTests pinned-count assertion bumped 14→16 and
3 InlineData rows added for the audit + bundle command groups.
- Commons-020: new TransportRecordsTests covers BundleManifest /
ExportSelection / ImportPreview / ImportResolution / ImportResult —
ctor + System.Text.Json round-trip + record-equality (14 tests).
- CD-024: SPLIT-RANGE failure-continuation now under
EnsureLookahead_SecondSplitThrows_LoopAborts_FirstBoundaryStillCommitted
(Skippable MS-SQL fixture); production-shape rowversion delete
asserted by DeleteDeploymentRecord_CurrentRowVersion_StubAttachPath_DeleteSucceeds.
- CentralUI-033: new QueryStringDrillInTests with 4 bUnit cases for
Transport + SiteCalls drill-in / query-string handling.
- DM-024: probe actors (ReconcileProbeActor, SerializationProbeActor,
ArtifactProbeActor) refactored from static fields to per-test instances
(Interlocked on counter) — all 31 callers updated; no production
changes required.
- HM-022: real-time PeriodicTimer test flake fixed by replacing
fixed-budget Task.Delay with a RunLoopUntil poll-until-condition
helper (5s/25ms). Production loop untouched.
- InboundAPI-023: new EndpointExtensionsTests covers the
POST /api/{methodName} composition wiring via TestServer (7 cases:
happy path, missing key 401, unknown method 403, invalid JSON 400,
missing param 400, script-throws 500 sanitised, AuditActorItemKey
stash invariant).
- MgmtSvc-021: 6 new ManagementActorTests cover the Transport bundle
handlers (role gate for Export/Preview/Import, unknown-name
ManagementCommandException, blocker-rejection, dedupe last-write-wins).
- SCA-006: SiteCallQueryRequest_StuckOnly_CursorAtNonStuckBoundary_SkipsToNextStuckRow
pins the missing boundary case.
- SEL-023: stress-test `bool stop` promoted to `volatile bool` for
cross-thread visibility under release/JIT.
Verify-only resolutions:
- NS-024: closed by NS-019 (commit ac96b83 deletion of
NotificationDeliveryService + its test file). No edits needed.
- NotifOutbox-008: FallbackMaxRetries/FallbackRetryDelay are private
forward-compat constants returned only when no SMTP-config row exists
(in which case EmailNotificationDeliveryAdapter returns Permanent,
bypassing the values entirely). Marked Resolved with note.
- Transport-010: Overwrite child-collection sync covered by the T-001/
T-002 tests added in commit e3ca9af; per-IP throttle by
BundleUnlockRateLimiterTests; failed-session retention by
BundleSessionStoreTests; T-009 closed structurally via AsyncLocal.
Marked Resolved by reference.
Build clean; all 11 affected test suites green. README regenerated:
33 open (was 46).
Code Reviews
Comprehensive, per-module code reviews of the ScadaLink codebase. Each module (one
buildable project under src/) has its own folder containing a findings.md. This
README is the aggregated index — the single place to see all outstanding work.
Generated by
regen-readme.pyfrom the per-modulefindings.mdfiles. Do not edit by hand — edit the findings files and re-run the script.
How it works
- Reviews are performed one module at a time against a fixed checklist.
- Every finding is recorded in the module's
findings.mdwith a severity and status. - Findings are never deleted — they are closed by changing their status, keeping a full audit trail.
- This README aggregates every pending finding (
Open/In Progress) across all modules.
See REVIEW-PROCESS.md for the full procedure: the review checklist, severity definitions, finding format, and how to mark items resolved.
Layout
code-reviews/
├── README.md # this file — process overview + pending findings
├── REVIEW-PROCESS.md # how to perform a review and track findings
├── regen-readme.py # regenerates this README from the findings files
├── _template/findings.md # copy-this template for a module review
└── <Module>/findings.md # one folder per src/ project
Baseline review — 2026-05-16
All 19 modules were reviewed at commit 9c60592 (241 findings: 6 Critical, 46 High,
100 Medium, 89 Low). The tables below track what remains open as findings are
resolved and re-triaged; findings discovered after the baseline are appended to their
module file and counted in Total.
| Severity | Open findings |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 13 |
| Low | 20 |
| Total | 33 |
Module Status
| Module | Last reviewed | Commit | Open (C/H/M/L) | Open | Total |
|---|---|---|---|---|---|
| AuditLog | 2026-05-28 | 1eb6e97 |
0/0/1/0 | 1 | 11 |
| CLI | 2026-05-28 | 1eb6e97 |
0/0/0/1 | 1 | 23 |
| CentralUI | 2026-05-28 | 1eb6e97 |
0/0/0/2 | 2 | 33 |
| ClusterInfrastructure | 2026-05-28 | 1eb6e97 |
0/0/0/3 | 3 | 14 |
| Commons | 2026-05-28 | 1eb6e97 |
0/0/0/3 | 3 | 23 |
| Communication | 2026-05-28 | 1eb6e97 |
0/0/0/1 | 1 | 22 |
| ConfigurationDatabase | 2026-05-28 | 1eb6e97 |
0/0/0/0 | 0 | 24 |
| DataConnectionLayer | 2026-05-28 | 1eb6e97 |
0/0/0/0 | 0 | 22 |
| DeploymentManager | 2026-05-28 | 1eb6e97 |
0/0/0/2 | 2 | 24 |
| ExternalSystemGateway | 2026-05-28 | 1eb6e97 |
0/0/1/0 | 1 | 23 |
| HealthMonitoring | 2026-05-28 | 1eb6e97 |
0/0/0/1 | 1 | 23 |
| Host | 2026-05-28 | 1eb6e97 |
0/0/1/3 | 4 | 22 |
| InboundAPI | 2026-05-28 | 1eb6e97 |
0/0/0/0 | 0 | 25 |
| ManagementService | 2026-05-28 | 1eb6e97 |
0/0/0/0 | 0 | 23 |
| NotificationOutbox | 2026-05-28 | 1eb6e97 |
0/0/0/0 | 0 | 10 |
| NotificationService | 2026-05-28 | 1eb6e97 |
0/0/0/0 | 0 | 25 |
| Security | 2026-05-28 | 1eb6e97 |
0/0/0/0 | 0 | 21 |
| SiteCallAudit | 2026-05-28 | 1eb6e97 |
0/0/2/0 | 2 | 6 |
| SiteEventLogging | 2026-05-28 | 1eb6e97 |
0/0/0/1 | 1 | 23 |
| SiteRuntime | 2026-05-28 | 1eb6e97 |
0/0/2/0 | 2 | 26 |
| StoreAndForward | 2026-05-28 | 1eb6e97 |
0/0/3/2 | 5 | 24 |
| TemplateEngine | 2026-05-28 | 1eb6e97 |
0/0/3/0 | 3 | 22 |
| Transport | 2026-05-28 | 1eb6e97 |
0/0/0/1 | 1 | 12 |
Pending Findings
Every Open / In Progress finding across all modules, highest severity first.
Resolved findings drop off this list but remain recorded in their module's
findings.md (see REVIEW-PROCESS.md §4–§5). Full detail —
description, location, recommendation — lives in the module's findings.md.
Critical (0)
None open.
High (0)
None open.
Medium (13)
| ID | Module | Title |
|---|---|---|
| AuditLog-001 | AuditLog | Combined-telemetry transport is plumbed end-to-end but never invoked in production |
| ExternalSystemGateway-020 | ExternalSystemGateway | JsonElementToParameterValue silently downcasts non-Int64 JSON numbers to double, losing precision for decimal SQL parameters on retry |
| Host-016 | Host | Site CentralContactPoints second entry targets the site's own remoting port |
| SiteCallAudit-001 | SiteCallAudit | SupervisorStrategy override is dead code; XML claims Resume that is not enforced |
| SiteCallAudit-003 | SiteCallAudit | OnUpsertAsync does not refresh IngestedAtUtc; direct-write callers must remember to stamp it |
| SiteRuntime-021 | SiteRuntime | HandleDeployArtifacts updates DataConnections in SQLite but never sends CreateConnectionCommand to the DCL |
| SiteRuntime-022 | SiteRuntime | AuditingDbCommand.DbConnection.set uses reflection to read AuditingDbConnection._inner |
| StoreAndForward-019 | StoreAndForward | Notifications park after DefaultMaxRetries exhaustion, contradicting "retried until central acks" |
| StoreAndForward-020 | StoreAndForward | RetryParkedMessageAsync skips standby replication when the message is deleted between local update and re-load |
| StoreAndForward-021 | StoreAndForward | Design doc claims the Operation Tracking Table lives in StoreAndForward but the implementation is in SiteRuntime |
| TemplateEngine-018 | TemplateEngine | DiffService reports no entries for added/removed/changed connections |
| TemplateEngine-019 | TemplateEngine | TemplateResolver.BuildInheritanceChain still uses the 0-as-no-parent sentinel that was removed from CycleDetector |
| TemplateEngine-020 | TemplateEngine | Create* audit entries are written with EntityId = "0" before SaveChangesAsync populates the real key |
Low (20)
| ID | Module | Title |
|---|---|---|
| CLI-020 | CLI | bundle export success-envelope parse is unguarded |
| CentralUI-029 | CentralUI | ConfigurationAuditLog uses JS.InvokeAsync<int>("eval", ...) instead of a dedicated JS module |
| CentralUI-032 | CentralUI | AuditResultsGrid paging is forward-only, no Previous button |
| ClusterInfrastructure-011 | ClusterInfrastructure | SectionName constant is decorative — no binding site references it |
| ClusterInfrastructure-013 | ClusterInfrastructure | Test uses catastrophic config values without an inline-intent comment |
| ClusterInfrastructure-014 | ClusterInfrastructure | AddClusterInfrastructureActors is dead surface — no caller, no behaviour |
| Commons-016 | Commons | BundleSession.Locked uses a magic 3 rather than a named constant |
| Commons-018 | Commons | IOperationTrackingStore and IPartitionMaintenance are at the root of Interfaces/ instead of Interfaces/Services/ |
| Commons-023 | Commons | Trailing-optional SourceNode on positional records mixes additive evolution patterns |
| Communication-020 | Communication | SiteAddressCacheLoaded carries mutable Dictionary/List types |
| DeploymentManager-021 | DeploymentManager | ResolveSiteIdentifierAsync silently substitutes the DB id when the site row is missing |
| DeploymentManager-022 | DeploymentManager | Pending and InProgress are written back-to-back with no intervening work |
| HealthMonitoring-021 | HealthMonitoring | CentralSiteId = "central" reserved constant silently collides with a real site named "central" |
| Host-018 | Host | Shipped per-role configs omit NodeOptions.NodeName, leaving SourceNode null |
| Host-020 | Host | MinimumLevel.Is silently overrides any operator-set Serilog:MinimumLevel |
| Host-021 | Host | Microsoft Logging:LogLevel section in appsettings.json is dead config under Serilog |
| SiteEventLogging-018 | SiteEventLogging | FailedWriteCount is exposed but never consumed by Health Monitoring |
| StoreAndForward-022 | StoreAndForward | NotifyCachedCallObserverAsync silently drops the entire audit lifecycle when the message id is not a parseable TrackedOperationId |
| StoreAndForward-023 | StoreAndForward | siteId silently defaults to empty when no IStoreAndForwardSiteContext is registered, degrading audit telemetry correlation |
| Transport-012 | Transport | "Bundle Import" filter promised in design doc not surfaced in Configuration Audit Log Viewer UI |