mbproxy: remediate the 2026-05-16 code-review findings

Fixes every finding from the codereviews/2026-05-16 multi-agent review
(2 Critical, 20 Major, 38 Minor) and adds that review to the repo.

Highlights: dashboard XSS escape; response cache invalidated on the
write request (not just the response); ReloadValidator now runs at
startup so port collisions / duplicate names / malformed Resilience
profiles fail fast; AdminPort 0 genuinely disables the admin endpoint;
PlcListener accept-loop faults propagate to the supervisor's faulted
path; reconciler Restart builds before removing; Resilience pipelines
are restart-only from a frozen snapshot; multiplexer connect-race leak,
watchdog party-list snapshot, backend-response and FC16 framing
validation; frontend reconnect retry and util.js load guard; plus the
log-event/doc drift sweep and test-port hygiene.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Joseph Doherty
2026-05-16 18:08:06 -04:00
parent 0308490aef
commit b222362ce0
45 changed files with 1735 additions and 151 deletions
@@ -14,9 +14,16 @@ namespace Mbproxy.Tests.Admin;
[Trait("Category", "Unit")]
public sealed class DebugDtoSerializationTests
{
// The exact policy AdminEndpointHost configures on the hub's PayloadSerializerOptions.
private static readonly JsonSerializerOptions HubOptions =
new() { PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
// The exact configuration AdminEndpointHost applies to the hub's
// PayloadSerializerOptions — referenced, not copied, so the two cannot drift.
private static readonly JsonSerializerOptions HubOptions = BuildHubOptions();
private static JsonSerializerOptions BuildHubOptions()
{
var o = new JsonSerializerOptions();
AdminEndpointHost.ConfigureHubPayloadJson(o);
return o;
}
[Fact]
public void PlcDetailResponse_SerializesWithCamelCaseFieldNames()
@@ -39,6 +39,23 @@ public sealed class PlcSubscriptionTrackerTests
t.ActivePlcs().ShouldBeEmpty();
}
[Fact]
public void SameTab_TwoConnections_RemovedNewestFirst_StaysActiveUntilLast()
{
// Mirror of SameTab_TwoConnections_StaysActiveUntilLastConnectionGone: the
// reconnect's NEW connection is the one that drops first (the order is not
// guaranteed). The tab must still be alive on the surviving old connection.
var t = new PlcSubscriptionTracker();
t.SubscribePlc("c-old", "tab", "plc");
t.SubscribePlc("c-new", "tab", "plc");
t.RemoveConnection("c-new");
t.ActivePlcs().ShouldContain("plc", "the tab still holds the old connection");
t.RemoveConnection("c-old");
t.ActivePlcs().ShouldBeEmpty();
}
[Fact]
public void DistinctTabs_AreCountedSeparately()
{
@@ -24,11 +24,10 @@ internal sealed class FakeHubCallerContext : HubCallerContext
public override void Abort() { }
}
/// <summary>Records every group join/leave so tests can assert membership changes.</summary>
/// <summary>Records every group join so tests can assert membership changes.</summary>
internal sealed class FakeGroupManager : IGroupManager
{
public List<(string ConnectionId, string Group)> Added { get; } = [];
public List<(string ConnectionId, string Group)> Removed { get; } = [];
public Task AddToGroupAsync(string connectionId, string groupName, CancellationToken cancellationToken = default)
{
@@ -36,11 +35,10 @@ internal sealed class FakeGroupManager : IGroupManager
return Task.CompletedTask;
}
// StatusHub.OnDisconnectedAsync never calls RemoveFromGroupAsync — SignalR removes a
// disconnected connection from its groups implicitly. Nothing to record here.
public Task RemoveFromGroupAsync(string connectionId, string groupName, CancellationToken cancellationToken = default)
{
Removed.Add((connectionId, groupName));
return Task.CompletedTask;
}
=> Task.CompletedTask;
}
/// <summary>Records every push so <see cref="StatusBroadcaster"/> tests can assert routing.</summary>
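Review bot: The fake's `RemoveFromGroupAsync` now appears to be the bare `=> Task.CompletedTask;`, so the invariant in the new comment (StatusHub.OnDisconnectedAsync never calls it) is stated only in prose and nothing in the test double enforces it. Group membership decides which connections receive a PLC's pushes, so a later hub change that starts leaving groups explicitly, or a test that should have seen a leave, would pass unnoticed. A cheap tripwire keeps the claim checkable: either `=> throw new InvalidOperationException("StatusHub is not expected to call RemoveFromGroupAsync");` if no hub path should call it, or a counter property incremented in the method that tests can assert is zero. This also covers the `Removed` list dropped in the preceding hunk; whether any other hub method leaves a group is not visible from these hunks.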
@@ -183,9 +183,10 @@ public sealed class StatusBroadcasterTests
h.Sink.FleetPushes.Count.ShouldBeGreaterThanOrEqualTo(3,
"the background loop must push the fleet snapshot every interval");
// StopAsync awaits the loop task before returning, so the loop is guaranteed
// terminated here — no settling delay is needed for the assertion to be sound.
await h.Broadcaster.StopAsync();
int afterStop = h.Sink.FleetPushes.Count;
await Task.Delay(400, TestContext.Current.CancellationToken);
h.Sink.FleetPushes.Count.ShouldBe(afterStop, "no pushes may occur after StopAsync");
}
}
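Review bot: The final `ShouldBe(afterStop, "no pushes may occur after StopAsync")` can practically never fail now, assuming the `Task.Delay(400, …)` line is the one removed (the hunk counts imply a single deletion, and the new comment says no settling delay is needed). `afterStop` is read and compared to `h.Sink.FleetPushes.Count` back to back, so the test no longer observes whether pushes actually stop. A regression where StopAsync returns before the loop has exited would therefore pass. Either keep a short bounded wait before the comparison, such as the original `await Task.Delay(400, TestContext.Current.CancellationToken);`, or assert the loop's completion directly if the broadcaster exposes it. The test method begins above this hunk, so the interval and setup are not visible here.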
@@ -68,6 +68,28 @@ public sealed class StatusHubTests
tracker.ActivePlcs().ShouldBeEmpty("no viewer may be stranded after the tab closes");
}
[Fact]
public async Task Reconnect_SameTab_NewConnectionDisconnectsFirst_DoesNotLeakViewer()
{
// Mirror of the reconnect test above with the disconnect ordering reversed: the
// NEW connection's OnDisconnectedAsync arrives before the old one's. SignalR does
// not guarantee the order, so the tracker must be correct either way.
var tracker = new PlcSubscriptionTracker();
var first = MakeHub("conn-old", tracker, out _);
await first.SubscribePlc("plc-1", "tab-A");
var second = MakeHub("conn-new", tracker, out _);
await second.SubscribePlc("plc-1", "tab-A");
await second.OnDisconnectedAsync(null); // the new connection drops first
tracker.ActivePlcs().ShouldContain("plc-1",
"the tab is still open on the original connection");
await first.OnDisconnectedAsync(null);
tracker.ActivePlcs().ShouldBeEmpty("no viewer may be stranded after the tab closes");
}
[Fact]
public async Task TwoTabs_FirstCloseKeepsActive_LastCloseClears()
{