mbproxy: remediate the 2026-05-16 code-review findings

Fixes every finding from the codereviews/2026-05-16 multi-agent review
(2 Critical, 20 Major, 38 Minor) and adds that review to the repo.

Highlights: dashboard XSS escape; response cache invalidated on the
write request (not just the response); ReloadValidator now runs at
startup so port collisions / duplicate names / malformed Resilience
profiles fail fast; AdminPort 0 genuinely disables the admin endpoint;
PlcListener accept-loop faults propagate to the supervisor's faulted
path; reconciler Restart builds before removing; Resilience pipelines
are restart-only from a frozen snapshot; multiplexer connect-race leak,
watchdog party-list snapshot, backend-response and FC16 framing
validation; frontend reconnect retry and util.js load guard; plus the
log-event/doc drift sweep and test-port hygiene.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

mbproxy/tests/Mbproxy.Tests/Admin/DebugDtoSerializationTests.cs

@@ -14,9 +14,16 @@ namespace Mbproxy.Tests.Admin;
 [Trait("Category", "Unit")]
 public sealed class DebugDtoSerializationTests
 {
-    // The exact policy AdminEndpointHost configures on the hub's PayloadSerializerOptions.
-    private static readonly JsonSerializerOptions HubOptions =
-        new() { PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+    // The exact configuration AdminEndpointHost applies to the hub's
+    // PayloadSerializerOptions — referenced, not copied, so the two cannot drift.
+    private static readonly JsonSerializerOptions HubOptions = BuildHubOptions();
+
+    private static JsonSerializerOptions BuildHubOptions()
+    {
+        var o = new JsonSerializerOptions();
+        AdminEndpointHost.ConfigureHubPayloadJson(o);
+        return o;
+    }
 
     [Fact]
     public void PlcDetailResponse_SerializesWithCamelCaseFieldNames()

mbproxy/tests/Mbproxy.Tests/Admin/PlcSubscriptionTrackerTests.cs

@@ -39,6 +39,23 @@ public sealed class PlcSubscriptionTrackerTests
         t.ActivePlcs().ShouldBeEmpty();
     }
 
+    [Fact]
+    public void SameTab_TwoConnections_RemovedNewestFirst_StaysActiveUntilLast()
+    {
+        // Mirror of SameTab_TwoConnections_StaysActiveUntilLastConnectionGone: the
+        // reconnect's NEW connection is the one that drops first (the order is not
+        // guaranteed). The tab must still be alive on the surviving old connection.
+        var t = new PlcSubscriptionTracker();
+        t.SubscribePlc("c-old", "tab", "plc");
+        t.SubscribePlc("c-new", "tab", "plc");
+
+        t.RemoveConnection("c-new");
+        t.ActivePlcs().ShouldContain("plc", "the tab still holds the old connection");
+
+        t.RemoveConnection("c-old");
+        t.ActivePlcs().ShouldBeEmpty();
+    }
+
     [Fact]
     public void DistinctTabs_AreCountedSeparately()
     {

mbproxy/tests/Mbproxy.Tests/Admin/SignalRFakes.cs

@@ -24,11 +24,10 @@ internal sealed class FakeHubCallerContext : HubCallerContext
     public override void Abort() { }
 }
 
-/// <summary>Records every group join/leave so tests can assert membership changes.</summary>
+/// <summary>Records every group join so tests can assert membership changes.</summary>
 internal sealed class FakeGroupManager : IGroupManager
 {
     public List<(string ConnectionId, string Group)> Added { get; } = [];
-    public List<(string ConnectionId, string Group)> Removed { get; } = [];
 
     public Task AddToGroupAsync(string connectionId, string groupName, CancellationToken cancellationToken = default)
     {
@@ -36,11 +35,10 @@ internal sealed class FakeGroupManager : IGroupManager
         return Task.CompletedTask;
     }
 
+    // StatusHub.OnDisconnectedAsync never calls RemoveFromGroupAsync — SignalR removes a
+    // disconnected connection from its groups implicitly. Nothing to record here.
     public Task RemoveFromGroupAsync(string connectionId, string groupName, CancellationToken cancellationToken = default)
-    {
-        Removed.Add((connectionId, groupName));
-        return Task.CompletedTask;
-    }
+        => Task.CompletedTask;
 }
 
 /// <summary>Records every push so <see cref="StatusBroadcaster"/> tests can assert routing.</summary>

mbproxy/tests/Mbproxy.Tests/Admin/StatusBroadcasterTests.cs

@@ -183,9 +183,10 @@ public sealed class StatusBroadcasterTests
         h.Sink.FleetPushes.Count.ShouldBeGreaterThanOrEqualTo(3,
             "the background loop must push the fleet snapshot every interval");
 
+        // StopAsync awaits the loop task before returning, so the loop is guaranteed
+        // terminated here — no settling delay is needed for the assertion to be sound.
         await h.Broadcaster.StopAsync();
         int afterStop = h.Sink.FleetPushes.Count;
-        await Task.Delay(400, TestContext.Current.CancellationToken);
         h.Sink.FleetPushes.Count.ShouldBe(afterStop, "no pushes may occur after StopAsync");
     }
 }

mbproxy/tests/Mbproxy.Tests/Admin/StatusHubTests.cs

@@ -68,6 +68,28 @@ public sealed class StatusHubTests
         tracker.ActivePlcs().ShouldBeEmpty("no viewer may be stranded after the tab closes");
     }
 
+    [Fact]
+    public async Task Reconnect_SameTab_NewConnectionDisconnectsFirst_DoesNotLeakViewer()
+    {
+        // Mirror of the reconnect test above with the disconnect ordering reversed: the
+        // NEW connection's OnDisconnectedAsync arrives before the old one's. SignalR does
+        // not guarantee the order, so the tracker must be correct either way.
+        var tracker = new PlcSubscriptionTracker();
+
+        var first = MakeHub("conn-old", tracker, out _);
+        await first.SubscribePlc("plc-1", "tab-A");
+
+        var second = MakeHub("conn-new", tracker, out _);
+        await second.SubscribePlc("plc-1", "tab-A");
+
+        await second.OnDisconnectedAsync(null); // the new connection drops first
+        tracker.ActivePlcs().ShouldContain("plc-1",
+            "the tab is still open on the original connection");
+
+        await first.OnDisconnectedAsync(null);
+        tracker.ActivePlcs().ShouldBeEmpty("no viewer may be stranded after the tab closes");
+    }
+
     [Fact]
     public async Task TwoTabs_FirstCloseKeepsActive_LastCloseClears()
     {

mbproxy/tests/Mbproxy.Tests/HostSmokeTests.cs

@@ -105,10 +105,12 @@ internal static class TestHostBuilderExtensions
         this HostApplicationBuilder builder,
         Serilog.ILogger serilogLogger)
     {
-        // Minimal in-memory config so AddMbproxyOptions doesn't fail.
+        // Minimal in-memory config so AddMbproxyOptions doesn't fail. AdminPort 0
+        // disables the admin endpoint — the smoke tests do not exercise it, and a fixed
+        // port would collide under parallel test execution.
         builder.Configuration.AddInMemoryCollection(new Dictionary<string, string?>
         {
-            ["Mbproxy:AdminPort"] = "8080",
+            ["Mbproxy:AdminPort"] = "0",
         });
 
         builder.Services.AddSerilog(serilogLogger, dispose: false);

mbproxy/tests/Mbproxy.Tests/Proxy/Multiplexing/MultiplexerE2ETests.cs

@@ -342,6 +342,9 @@ public sealed class MultiplexerE2ETests
             ["Mbproxy:Connection:BackendConnectTimeoutMs"] = "3000",
             // Long request timeout so the watchdog doesn't fire during the test's wait window.
             ["Mbproxy:Connection:BackendRequestTimeoutMs"] = "30000",
+            // This test exercises backend disconnect, not keepalive — disable keepalive so
+            // the 30 s request timeout above doesn't trip the heartbeat cross-field rule.
+            ["Mbproxy:Connection:Keepalive:Enabled"] = "false",
             // Aggressive backend retry so the second connect happens fast.
             ["Mbproxy:Resilience:BackendConnect:MaxAttempts"] = "5",
             ["Mbproxy:Resilience:BackendConnect:BackoffMs:0"] = "50",
@@ -458,8 +461,11 @@ public sealed class MultiplexerE2ETests
         var config = MakeBaseConfig(proxyPort);
         config["Mbproxy:AdminPort"] = adminPort.ToString();
         // Short idle window so the heartbeat fires several times within the test budget.
+        // BackendRequestTimeoutMs is lowered below the 700 ms idle window so the
+        // heartbeat cross-field rule (idle > request timeout) holds.
         config["Mbproxy:Connection:Keepalive:Enabled"] = "true";
         config["Mbproxy:Connection:Keepalive:BackendHeartbeatIdleMs"] = "700";
+        config["Mbproxy:Connection:BackendRequestTimeoutMs"] = "500";
 
         var host = BuildBcdHost(config);
         using var startCts = new CancellationTokenSource(TimeSpan.FromSeconds(3));

mbproxy/tests/Mbproxy.Tests/Proxy/ProxyForwardingTests.cs

@@ -64,7 +64,9 @@ public sealed class ProxyForwardingTests
 
         var config = new Dictionary<string, string?>
         {
-            ["Mbproxy:AdminPort"] = "8080",
+            // 0 disables the admin endpoint — this test does not exercise it, and a
+            // fixed port would collide under parallel test execution.
+            ["Mbproxy:AdminPort"] = "0",
             [$"Mbproxy:Plcs:0:Name"]       = "TestPLC",
             [$"Mbproxy:Plcs:0:ListenPort"] = proxyPort.ToString(),
             [$"Mbproxy:Plcs:0:Host"]       = _sim.Host,
@@ -239,7 +241,9 @@ public sealed class ProxyForwardingTests
 
         var config = new Dictionary<string, string?>
         {
-            ["Mbproxy:AdminPort"] = "8080",
+            // 0 disables the admin endpoint — this test does not exercise it, and a
+            // fixed port would collide under parallel test execution.
+            ["Mbproxy:AdminPort"] = "0",
             [$"Mbproxy:Plcs:0:Name"]       = "BadPLC",
             [$"Mbproxy:Plcs:0:ListenPort"] = proxyPort.ToString(),
             [$"Mbproxy:Plcs:0:Host"]       = "127.0.0.1",
@@ -307,7 +311,9 @@ public sealed class ProxyForwardingTests
 
         var config = new Dictionary<string, string?>
         {
-            ["Mbproxy:AdminPort"] = "8080",
+            // 0 disables the admin endpoint — this test does not exercise it, and a
+            // fixed port would collide under parallel test execution.
+            ["Mbproxy:AdminPort"] = "0",
             [$"Mbproxy:Plcs:0:Name"]       = "TestPLC",
             [$"Mbproxy:Plcs:0:ListenPort"] = proxyPort.ToString(),
             [$"Mbproxy:Plcs:0:Host"]       = _sim.Host,

mbproxy/tests/Mbproxy.Tests/Proxy/RewriterE2ETests.cs

@@ -385,7 +385,9 @@ public sealed class RewriterE2ETests
 
         var config = new Dictionary<string, string?>
         {
-            ["Mbproxy:AdminPort"] = "8080",
+            // 0 disables the admin endpoint — this test does not exercise it, and a
+            // fixed port would collide under parallel test execution.
+            ["Mbproxy:AdminPort"] = "0",
             ["Mbproxy:Plcs:0:Name"]       = "TestPLC",
             ["Mbproxy:Plcs:0:ListenPort"] = proxyPort.ToString(),
             ["Mbproxy:Plcs:0:Host"]       = _sim.Host,

mbproxy/tests/Mbproxy.Tests/Sim/DL205SimulatorFixture.cs

@@ -118,9 +118,12 @@ public sealed class DL205SimulatorFixture : IAsyncLifetime
         _process.BeginErrorReadLine();
 
         // ── 5. Poll for TCP readiness (up to ReadinessTimeout) ───────────────
+        // Link the readiness deadline against the test-runner's cancellation token so a
+        // CI job timeout / keyboard interrupt aborts the poll promptly instead of running
+        // the full 120 s and leaving the spawned Python process orphaned (review M3).
         using var deadline = new CancellationTokenSource(ReadinessTimeout);
         using var linked   = CancellationTokenSource.CreateLinkedTokenSource(
-            deadline.Token, CancellationToken.None);
+            deadline.Token, TestContext.Current.CancellationToken);
 
         bool ready = false;
         while (!linked.Token.IsCancellationRequested)