11 KiB
11 KiB
Code Reviews
Comprehensive, per-module code reviews of the ScadaLink codebase. Each module (one
buildable project under src/) has its own folder containing a findings.md. This
README is the aggregated index — the single place to see all outstanding work.
Generated by
regen-readme.pyfrom the per-modulefindings.mdfiles. Do not edit by hand — edit the findings files and re-run the script.
How it works
- Reviews are performed one module at a time against a fixed checklist.
- Every finding is recorded in the module's
findings.mdwith a severity and status. - Findings are never deleted — they are closed by changing their status, keeping a full audit trail.
- This README aggregates every pending finding (
Open/In Progress) across all modules.
See REVIEW-PROCESS.md for the full procedure: the review checklist, severity definitions, finding format, and how to mark items resolved.
Layout
code-reviews/
├── README.md # this file — process overview + pending findings
├── REVIEW-PROCESS.md # how to perform a review and track findings
├── regen-readme.py # regenerates this README from the findings files
├── _template/findings.md # copy-this template for a module review
└── <Module>/findings.md # one folder per src/ project
Baseline review — 2026-05-16
All 19 modules were reviewed at commit 9c60592 (241 findings: 6 Critical, 46 High,
100 Medium, 89 Low). The tables below track what remains open as findings are
resolved and re-triaged; findings discovered after the baseline are appended to their
module file and counted in Total.
| Severity | Open findings |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 4 |
| Low | 46 |
| Total | 50 |
Module Status
| Module | Last reviewed | Commit | Open (C/H/M/L) | Open | Total |
|---|---|---|---|---|---|
| CLI | 2026-05-16 | 9c60592 |
0/0/0/0 | 0 | 13 |
| CentralUI | 2026-05-16 | 9c60592 |
0/0/2/0 | 2 | 19 |
| ClusterInfrastructure | 2026-05-16 | 9c60592 |
0/0/0/0 | 0 | 8 |
| Commons | 2026-05-16 | 9c60592 |
0/0/0/1 | 1 | 12 |
| Communication | 2026-05-16 | 9c60592 |
0/0/0/0 | 0 | 11 |
| ConfigurationDatabase | 2026-05-16 | 9c60592 |
0/0/0/0 | 0 | 11 |
| DataConnectionLayer | 2026-05-16 | 9c60592 |
0/0/0/0 | 0 | 13 |
| DeploymentManager | 2026-05-16 | 9c60592 |
0/0/0/1 | 1 | 14 |
| ExternalSystemGateway | 2026-05-16 | 9c60592 |
0/0/0/1 | 1 | 14 |
| HealthMonitoring | 2026-05-16 | 9c60592 |
0/0/0/0 | 0 | 12 |
| Host | 2026-05-16 | 9c60592 |
0/0/1/7 | 8 | 11 |
| InboundAPI | 2026-05-16 | 9c60592 |
0/0/1/5 | 6 | 13 |
| ManagementService | 2026-05-16 | 9c60592 |
0/0/0/5 | 5 | 13 |
| NotificationService | 2026-05-16 | 9c60592 |
0/0/0/3 | 3 | 13 |
| Security | 2026-05-16 | 9c60592 |
0/0/0/4 | 4 | 11 |
| SiteEventLogging | 2026-05-16 | 9c60592 |
0/0/0/3 | 3 | 11 |
| SiteRuntime | 2026-05-16 | 9c60592 |
0/0/0/5 | 5 | 16 |
| StoreAndForward | 2026-05-16 | 9c60592 |
0/0/0/7 | 7 | 14 |
| TemplateEngine | 2026-05-16 | 9c60592 |
0/0/0/4 | 4 | 14 |
Pending Findings
Every Open / In Progress finding across all modules, highest severity first.
Resolved findings drop off this list but remain recorded in their module's
findings.md (see REVIEW-PROCESS.md §4–§5). Full detail —
description, location, recommendation — lives in the module's findings.md.
Critical (0)
None open.
High (0)
None open.
Medium (4)
| ID | Module | Title |
|---|---|---|
| CentralUI-005 | CentralUI | Session expiry implementation diverges from the documented policy |
| CentralUI-006 | CentralUI | Deployment status page polls every 10s despite the documented SignalR-push design |
| Host-002 | Host | Akka.Persistence required by REQ-HOST-6 is not configured and not used |
| InboundAPI-007 | InboundAPI | Database.Connection() script API from the design doc is not implemented |
Low (46)
| ID | Module | Title |
|---|---|---|
| Commons-008 | Commons | SetConnectionBindingsCommand uses ValueTuple in a wire message contract |
| DeploymentManager-013 | DeploymentManager | SMTP credentials serialized and broadcast to all sites |
| ExternalSystemGateway-011 | ExternalSystemGateway | Every call performs a full repository scan of all systems and methods |
| Host-005 | Host | Blocking sync-over-async (GetAwaiter().GetResult()) inside StartAsync |
| Host-006 | Host | HOCON assembled by unescaped string interpolation |
| Host-007 | Host | REQ-HOST-4 rule "GrpcPort ≠ RemotingPort" is not enforced |
| Host-008 | Host | MachineDataDb is validated and declared but never consumed |
| Host-009 | Host | StartAsync reports success before role actors are confirmed running |
| Host-010 | Host | No retry/backoff around startup preconditions (DB migration, readiness) |
| Host-011 | Host | LoggingOptions.MinimumLevel is dead configuration |
| InboundAPI-009 | InboundAPI | Failed compilation is retried on every subsequent request |
| InboundAPI-010 | InboundAPI | ParameterValidator ignores extra body fields and cannot validate Object/List element types |
| InboundAPI-011 | InboundAPI | Method-existence check leaks to unapproved callers (enumeration oracle) |
| InboundAPI-012 | InboundAPI | ParameterDefinition POCO declared in the component project, not Commons |
| InboundAPI-013 | InboundAPI | ApiKeyValidationResult.NotFound factory returns HTTP 400, contradicting its name |
| ManagementService-005 | ManagementService | ManagementActor declares no supervision strategy |
| ManagementService-008 | ManagementService | HandleResolveRoles constructs RoleMapper manually instead of via DI |
| ManagementService-010 | ManagementService | ManagementServiceOptions.CommandTimeout is defined but never used |
| ManagementService-011 | ManagementService | ResolveRolesCommand dispatch path is stale dead code |
| ManagementService-012 | ManagementService | ManagementEnvelope carries a loosely-typed object payload |
| NotificationService-010 | NotificationService | DeliverAsync does not disconnect the SMTP client on failure |
| NotificationService-011 | NotificationService | SmtpPermanentException declared in the wrong file; module conventions |
| NotificationService-012 | NotificationService | Test coverage gaps: OAuth2 delivery path, permanent-classification fallback, token-cache concurrency |
| Security-008 | Security | N+1 query loading site-scope rules in RoleMapper |
| Security-009 | Security | CancellationToken not honored inside Task.Run LDAP calls |
| Security-010 | Security | Design doc contradicts itself on Windows Integrated Authentication |
| Security-011 | Security | Missing tests for security-critical paths |
| SiteEventLogging-006 | SiteEventLogging | Missing indexes for severity and keyword-search query paths |
| SiteEventLogging-009 | SiteEventLogging | XML doc on LogEventAsync claims asynchronous behaviour |
| SiteEventLogging-011 | SiteEventLogging | Stale "Phase 4+" placeholder in ServiceCollectionExtensions |
| SiteRuntime-012 | SiteRuntime | AttributeAccessor/ScopeAccessors block the script on a synchronous Ask |
| SiteRuntime-013 | SiteRuntime | HandleUnsubscribeDebugView does nothing despite documented behaviour |
| SiteRuntime-014 | SiteRuntime | Trigger-expression evaluation blocks the coordinator actor thread |
| SiteRuntime-015 | SiteRuntime | LoggerFactory created per Instance Actor and never disposed |
| SiteRuntime-016 | SiteRuntime | Short-lived execution actors, replication actor, and repositories are untested |
| StoreAndForward-002 | StoreAndForward | Messages enqueued with no registered handler are buffered but never deliverable |
| StoreAndForward-006 | StoreAndForward | GetParkedMessagesAsync count and page run without a transaction |
| StoreAndForward-007 | StoreAndForward | Async work in ParkedMessageHandlerActor uses ContinueWith without scheduler/affinity guarantees |
| StoreAndForward-008 | StoreAndForward | A SQLite connection is opened and torn down on every storage call |
| StoreAndForward-009 | StoreAndForward | OnActivity event invocation is not thread-safe against concurrent subscribe/unsubscribe |
| StoreAndForward-011 | StoreAndForward | StoreAndForwardMessageStatus.InFlight is unused and the doc's "retrying" status is unmodelled |
| StoreAndForward-012 | StoreAndForward | StoreAndForwardMessage is a persistence entity but lives in the component, not Commons |
| TemplateEngine-011 | TemplateEngine | SortedPropertiesConverterFactory is dead code with a misleading comment |
| TemplateEngine-012 | TemplateEngine | DataType enum naming diverges from the design doc |
| TemplateEngine-013 | TemplateEngine | ToDictionary(t => t.Id) throws on duplicate IDs; cycle detectors overload Id 0 as a sentinel |
| TemplateEngine-014 | TemplateEngine | Template-deletion constraint logic is duplicated and divergent |