# Code Reviews Comprehensive, per-library code reviews of the `ZB.MOM.WW.*` shared libraries hosted in this repo. Each library (one self-contained `.slnx` at the repo root) has its own folder containing a `findings.md`. This README is the aggregated index — the single place to see all outstanding work. > Generated by `regen-readme.py` from the per-library `findings.md` files. Do not > edit by hand — edit the findings files and re-run the script. ## How it works - Reviews are performed one library at a time against a fixed checklist. - Each library is reviewed against its normalized component spec under `components/`. - Every finding is recorded in the library's `findings.md` with a severity and status. - Findings are **never deleted** — they are closed by changing their status, keeping a full audit trail. - This README aggregates every **pending** finding (`Open` / `In Progress`) across all libraries. See **[REVIEW-PROCESS.md](REVIEW-PROCESS.md)** for the full procedure: the review checklist, severity definitions, finding format, the library → component-spec mapping, and how to mark items resolved. ## Layout ``` code-reviews/ ├── README.md # this file — process overview + pending findings ├── REVIEW-PROCESS.md # how to perform a review and track findings ├── regen-readme.py # regenerates this README from the findings files ├── _template/findings.md # copy-this template for a library review └── /findings.md # one folder per ZB.MOM.WW.* shared library ``` ## Summary 6 of 6 libraries reviewed. 35 pending findings across all libraries. | Severity | Open findings | |----------|---------------| | Critical | 0 | | High | 1 | | Medium | 9 | | Low | 25 | | **Total** | **35** | ## Library Status | Library | Last reviewed | Commit | Open (C/H/M/L) | Open | Total | |---------|---------------|--------|----------------|------|-------| | [Audit](Audit/findings.md) | 2026-06-01 | `5f75cd4` | 0/0/1/4 | 5 | 5 | | [Auth](Auth/findings.md) | 2026-06-01 | `5f75cd4` | 0/0/3/3 | 6 | 6 | | [Configuration](Configuration/findings.md) | 2026-06-01 | `5f75cd4` | 0/0/0/4 | 4 | 4 | | [Health](Health/findings.md) | 2026-06-01 | `5f75cd4` | 0/0/2/4 | 6 | 6 | | [Telemetry](Telemetry/findings.md) | 2026-06-01 | `5f75cd4` | 0/1/2/5 | 8 | 8 | | [Theme](Theme/findings.md) | 2026-06-01 | `5f75cd4` | 0/0/1/5 | 6 | 6 | ## Pending Findings Every `Open` / `In Progress` finding across all libraries, highest severity first. Resolved findings drop off this list but remain recorded in their library's `findings.md` (see [REVIEW-PROCESS.md](REVIEW-PROCESS.md) §4–§5). Full detail — description, location, recommendation — lives in the library's `findings.md`. ### Critical (0) _None open._ ### High (1) | ID | Library | Title | |----|---------|-------| | Telemetry-001 | [Telemetry](Telemetry/findings.md) | `RedactionEnricher` ignores property removal, leaving secrets in the event | ### Medium (9) | ID | Library | Title | |----|---------|-------| | Audit-001 | [Audit](Audit/findings.md) | `CompositeAuditWriter` re-throws `OperationCanceledException` to the caller, contradicting the "must not throw" writer contract | | Auth-001 | [Auth](Auth/findings.md) | LDAP options validator is registered but never runs at startup | | Auth-002 | [Auth](Auth/findings.md) | A failed `MarkUsedAsync` write turns a valid API key into a thrown exception | | Auth-003 | [Auth](Auth/findings.md) | Corrupt `scopes`/`constraints` column throws `JsonException` through the verifier | | Health-001 | [Health](Health/findings.md) | Akka health checks throw (instead of returning Degraded) when cluster state is inaccessible | | Health-002 | [Health](Health/findings.md) | `GrpcDependencyHealthCheck` lets non-`RpcException`/non-`OperationCanceledException` errors escape | | Telemetry-002 | [Telemetry](Telemetry/findings.md) | Redactor cannot inspect or scrub destructured/structured property values | | Telemetry-003 | [Telemetry](Telemetry/findings.md) | No tests for redactor removal or structured-value redaction | | Theme-001 | [Theme](Theme/findings.md) | Mobile hamburger toggle silently depends on Bootstrap collapse JS | ### Low (25) | ID | Library | Title | |----|---------|-------| | Audit-002 | [Audit](Audit/findings.md) | `TruncatingAuditRedactor` over-redaction is partial: the catch path scrubs only `DetailsJson`, leaving `Target` unredacted | | Audit-003 | [Audit](Audit/findings.md) | `TruncatingAuditRedactorOptions` is a mutable class, not the immutable "options record" the contract describes | | Audit-004 | [Audit](Audit/findings.md) | XML documentation is authored but not emitted, so IntelliSense docs do not ship to consumers | | Audit-005 | [Audit](Audit/findings.md) | Missing edge-case tests for the redactor never-throw/over-redact contract and composite null/empty handling | | Auth-004 | [Auth](Auth/findings.md) | README misstates the hashing algorithm and the AspNetCore public surface | | Auth-005 | [Auth](Auth/findings.md) | `CreateKeyAsync` persists `KeyPrefix` as `prefix_keyId`, inconsistent with the read path | | Auth-006 | [Auth](Auth/findings.md) | LDAP connection ignores `allowInsecure` and offers no TLS certificate-validation hook | | Configuration-001 | [Configuration](Configuration/findings.md) | `AddValidatedOptions` uses `AddSingleton`, so a double call registers (and runs) the validator twice | | Configuration-002 | [Configuration](Configuration/findings.md) | `Checks.PortValue` quotes the raw value on a parse failure but not on a range failure | | Configuration-003 | [Configuration](Configuration/findings.md) | Port parsing accepts leading sign and surrounding whitespace and is culture-sensitive | | Configuration-004 | [Configuration](Configuration/findings.md) | XML documentation and README are not packaged into the nupkg | | Health-003 | [Health](Health/findings.md) | Null `description` is omitted from the JSON body instead of emitted as `null` | | Health-004 | [Health](Health/findings.md) | XML docs recommend the `active` tag for ready-tier probes, contradicting the spec | | Health-005 | [Health](Health/findings.md) | `MapZbHealth` returns only the readiness builder, silently dropping conventions for the active/live tiers | | Health-006 | [Health](Health/findings.md) | XML documentation is not emitted into the packed nupkgs | | Telemetry-004 | [Telemetry](Telemetry/findings.md) | `service.instance.id` Resource attribute is undocumented in spec and contract | | Telemetry-005 | [Telemetry](Telemetry/findings.md) | Two hand-maintained Resource-attribute builders can silently drift | | Telemetry-006 | [Telemetry](Telemetry/findings.md) | Malformed `OtlpEndpoint` throws `UriFormatException` late, with no context | | Telemetry-007 | [Telemetry](Telemetry/findings.md) | Redaction snapshot allocates a dictionary on every log event | | Telemetry-008 | [Telemetry](Telemetry/findings.md) | `MapZbMetrics` XML doc claims it is "only valid when Exporter = Prometheus" — stale | | Theme-002 | [Theme](Theme/findings.md) | `.chip-idle` foreground diverges from the documented token pairing | | Theme-003 | [Theme](Theme/findings.md) | Hardcoded hex values in CSS contradict the "no hardcoded hex" rule | | Theme-004 | [Theme](Theme/findings.md) | `NavRailItem` emits a `.rail-ico` span that no stylesheet defines | | Theme-005 | [Theme](Theme/findings.md) | Orphan and unstyled nav CSS classes in `layout.css` | | Theme-006 | [Theme](Theme/findings.md) | Public component/parameter surface lacks XML documentation |