Quality sweep + re-validation: SSRF guard, activity logging, handle_info catch-alls

[mdon]

Summary

End-to-end Phase 2 sweep on phoenix_kit_sync, then a 2026-04-26 re-validation pass that surfaced and fixed eight more deltas the original sweep predates.

PR follow-up(s)

• 14474cd — Fix PR Add PhoenixKitSync external module extracted from PhoenixKit #1 follow-up: SQL injection (parameterised identifiers + Plug.Crypto.secure_compare), timing-unsafe compares, mount guard, PID round-trip → UUIDv7 tokens.
• ccaf052 — Fix PR Add test suite, fix sync bugs, improve connection management and UI #2 follow-up: task supervision (Task.start_link vs TaskSupervisor.start_child), changed_fields atom-key normalisation, scoped decimal parsing.
• 42dce3a — Stub FOLLOW_UPs for PRs Fix hex dep, add CSS scanning, update to daisyUI 5 components #3 and Add routing anti-pattern pointer to AGENTS.md #4 (no findings).
• f227b94 — Clarify FOLLOW_UP Add PhoenixKitSync external module extracted from PhoenixKit #1 scope: security features (HMAC signing, rate limiting) are out-of-scope per quality-sweep policy, not deferred.

Quality sweep

Documentation

• AGENTS.md additive pass — added Activity Logging, Settings Keys, File Layout, Routing (single + multi-page), DB & Migrations, Testing, Version locations, Pre-commit, Two Module Types sections.
• README cleanup.

Error handling

• New PhoenixKitSync.Errors atom dispatcher with one literal gettext/1 clause per atom (38 atoms, all extractor-friendly).
• Audit of every {:error, _} site to return tagged tuples; binary errors only as documented passthrough from Postgres in DataImporter.
• Log truncation on raw response bodies.

Activity logging

• log_sync_activity/4 helper in Connections (guarded with Code.ensure_loaded? + rescue, PII-safe metadata: name/direction/status only — never site_url, tokens, or notes).
• Calls on created, approved, suspended, revoked, reactivated, deleted, token_regenerated, plus Transfers' created/completed/failed/approved/denied.
• actor_uuid threaded through every LiveView event handler.

Forms & UX

• phx-disable-with on every submit + destructive button + start_sync.
• validate event sets Map.put(changeset, :action, :validate) so <.input> renders inline errors.
• Self-connection rejection now sets :action = :insert and the error string is gettext-wrapped.
• Flashes go through gettext.

Code cleanup

• First-pass god-module decomposition: 4 sibling helper modules extracted (AsyncTasks, Web.Receiver.Helpers, Web.ConnectionsLive.Status, ConnectionNotifier.Prepare), 604 lines moved.
• DataImporter N+1 → ANY($1) batch.
• @spec on every public function in context modules + schemas; @type t on every Ecto schema.
• PubSub topic constant via Connections.pubsub_topic/0; no hardcoded topic strings.
• handle_info catch-all on Connections / Receiver / Sender LVs.
• DoS hardening on request:records (sync_channel + sync_websock) — match-and-validate replaces Map.fetch!.

Tests
The sweep brought the suite from 316 → 536 tests (10/10 stable). Delta-pinning highlights:

• errors_test.exs — 37 atom clauses tested by literal expectation (not is_binary).
• activity_log_assertions.ex helper + 14 per-action assertions across Connections + Transfers (every CRUD mutation, sync, toggle).
• log_redaction_test.exs — capture_log assertions that auth_token, auth_token_hash, and rejected passwords never appear in Logger output across 3 endpoints.
• DoS guards pinned at both the SyncChannel and SyncWebsock layers (4 tests each: missing/wrong-type/empty payload).
• Inline error rendering, phx-disable-with attr presence, flash text, status select binding all explicitly asserted in LV smoke tests.
• Test infra: full Test.Endpoint / Test.Router / Test.Layouts (with flash rendering) / LiveCase / ConnCase / ChannelCase, lazy_html test-only dep, test-only migrations matching the real phoenix_kit_settings column shape and including phoenix_kit_activities.

C12 fixes within the original sweep (00b26f8)

A second triage pass surfaced 8 small issues that slipped past the first round:

• Security: api_controller.ex:395 was logging the full auth_token_hash on the not-found branch (the line above already redacted it). Fixed to mirror the redacted shape.
• Activity logging: delete / reactivate / regenerate_token LV handlers weren't threading actor_uuid to the context. Activity rows were logging actor_uuid=nil. Fixed all three.
• Form UX: reject_self_connection returned a changeset with action=nil, so <.input> wouldn't render the inline error. Also a literal English error string. Fixed both.
• Translation gap: "DB Sync module is disabled." was not gettext-wrapped.
• Misc: start_sync button missing phx-disable-with; SessionStore.start_link/1 missing @spec.
• Test: :table_not_allowed atom (emitted by api_controller in 3 places) was missing from errors_test.exs.

Each fix has a pinning test added in the same commit.

Re-validation — Batch 2 (7949c22, 2026-04-26)

Second-pass triage against the post-Apr playbook. The original sweep predates several C12 prompt categories; this batch closes the in-scope structural deltas:

• enabled?/0 gained catch :exit, _ -> false for the sandbox-shutdown trap (previously had only rescue _ -> false, which the workspace AGENTS.md flaky-test note flags as a 1-in-10 unit-test flake).
• handle_info catch-alls — silent {:noreply, socket} on connections_live / sender / receiver upgraded to Logger.debug("[<LV>] unhandled message | msg=..."). Defensive catch-all clauses added to history.ex and index.ex, which had no handle_info/2 at all (a stray PubSub broadcast would have raised FunctionClauseError).
• phx-disable-with added to 7 destructive phx-click buttons missed in the original sweep: approve_connection (Approving…), reactivate_connection (Reactivating…), approve_transfer (Approving…), transfer_detail_table (Transferring…), start_transfer (Starting…), generate_code (Generating…), regenerate_code (Regenerating…). Stops double-clicks from issuing duplicate approvals / generates / transfers.
• 12 hardcoded English heex strings wrapped in gettext — badges (Enabled, Disabled), legend labels (Sender, Local, Record counts:, = differs), tooltip data-tip ("Used by selected tables — consider including"), loading states (Loading table schema…, Creating…), placeholders (From, To, Reason (optional)).
• 3 IO.puts calls inside @doc example blocks replaced with comments. Examples shouldn't show debug output.
• pgcrypto extension added to test/test_helper.exs next to uuid-ossp. uuid_generate_v7() depends on gen_random_bytes from pgcrypto; on a fresh createdb without it, every UUID-defaulted insert in tests would have failed (the existing test DB had it from a prior install, masking the trap).
• AGENTS.md "What This Module Does NOT Have" section added — seven deliberate non-features pinned (auto-sync scheduler, per-record encryption, webhook retry, snapshot system, diff/merge UI, default URL allowlist [superseded by Batch 3], bulk multi-connection ops).

+17 pinning tests landed in test/phoenix_kit_sync/batch_2_revalidation_test.exs. Phase 1 PR triage re-verified clean (PRs #1–#4 fixes still in place on 2026-04-26).

Re-validation — Batch 3 fix-everything pass (abd1a90, 2026-04-26)

Authorised after Batch 2 surfaced four deferrable items. Closes A (SSRF), B (activity-logging gaps), C (@spec backfill), and D (component refactor — reclassified as N/A, see below).

(A) SSRF guard on connection.site_url. Added validate_base_url/1 + internal_host?/1 + internal_ip?/1 to Connection.changeset/2. Rejects:

• non-http/https schemes (file://, gopher://, javascript:),
• empty / missing host,
• localhost literal, *.local mDNS hostnames,
• IPv4 in 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.168/16,
• IPv6 ::, ::1, fe80::/10, fc00::/7.

Opt-in bypass via config :phoenix_kit_sync, allow_internal_urls: true. Defaults false in production; test config flips it on so the existing localhost-targeted integration tests work. The dedicated SSRF suite explicitly toggles bypass back to false to verify rejections. DNS-rebinding (public host → internal IP at request time) is deliberately out of scope — the acute threat is the literal-IP form (cloud metadata is always 169.254.169.254).

Pinned by 20 tests in test/phoenix_kit_sync/connection_ssrf_test.exs.

(B) Activity-logging gaps. Two gaps:

1. update_connection/2 had zero activity logging on any branch — modifications to allowed_tables / max_downloads / download_password were never audited. Promoted signature to update_connection/3 with opts \\ [] (backward-compat). Both branches now log sync.connection.updated: :ok carries metadata.changed_fields = [...]; :error carries the same plus db_pending: true. ConnectionsLive.do_update_connection/2 now threads actor_uuid: socket.assigns.phoenix_kit_current_scope.user.uuid.
2. Five status-mutation :error branches were silent. Added log_sync_activity("<verb>", connection, opts, %{"db_pending" => true}) to the error path of delete_connection, approve_connection, suspend_connection, revoke_connection, reactivate_connection. Suspend/revoke also carry "reason" in the error metadata.

Pinned by 8 tests in test/phoenix_kit_sync/connections_activity_test.exs (runtime tests for update_connection/3 branches via forced validation failure; structural source pins for the 5 change/2-based mutation error paths, which are runtime-only — defensively logged).

(C) @spec backfill — added 14 specs across the two schema modules:

• lib/phoenix_kit_sync/connection.ex — 7 changeset specs + 9 helper specs (verify_auth_token, verify_download_password, generate_auth_token, active?, expired?, within_download_limits?, within_record_limits?, within_allowed_hours?, ip_allowed?/1 + ip_allowed?/2, requires_approval?, table_allowed?).
• lib/phoenix_kit_sync/transfer.ex — 16 specs covering all 11 changeset functions and 5 predicate / utility helpers.
• Widened Connections.get_connection/1 and Transfers.get_transfer/1 specs from String.t() to String.t() | any() so the catch-all def get_X(_), do: nil clauses type-check.

(D) Component refactor reclassified as N/A. The original C12 agent counted "4 raw <input> / <select> / <textarea> not yet swapped to core". Re-inspection shows all 4 <select> elements (connections_live.ex:2179, 2452, 2696, receiver.ex:1302) already use the daisyUI 5 <label class="select ..."> wrapper pattern; the 2 <input> elements are type="hidden" carrying static values where <.input> would add nothing. No diff needed. The agent's count was wrong; the FOLLOW_UP records the re-inspection.

Production behaviour change in Batch 3: the SSRF guard is on by default. Deployments using localhost / RFC1918 / .local URLs need config :phoenix_kit_sync, allow_internal_urls: true in their host app. Public-host deployments are unaffected. AGENTS.md "What This Module Does NOT Have" updated to describe the guard and the residual DNS-rebinding gap.

536 → 581 tests cumulative across both re-validation batches (+17 Batch 2, +28 Batch 3).

Verification

• mix precommit clean (compile + format + credo --strict + dialyzer; 9 pre-existing dialyzer skips, all justified).
• 581 tests, 0 failures, 10/10 stable consecutive runs.
• Stale-ref greps clean: no IO.inspect/puts/warn outside @doc, no # TODO/# FIXME/# HACK/# XXX, no String.capitalize, no raw Task.start (the lone async_tasks.ex:28 match is the documented :exit rescue fallback).
• Browser smoke: Sync overview / Connections / History admin pages render with identical structure to pre-batch baselines; sidebar + header + main panel intact; SSRF guard is invisible to admins using public hostnames.

Test plan

• 581 tests, 0 failures
• 10/10 stable runs
• mix format --check-formatted clean
• mix credo --strict clean
• mix dialyzer clean (9 pre-existing skips)
• Browser tour of admin pages clean
• SSRF rejection verified per range (RFC1918, loopback, link-local IPv4/IPv6, .local, non-http(s) schemes)
• allow_internal_urls: true bypass verified

Note on head ref: this PR is from mdon:quality-sweep rather than the usual mdon:main because of a session-level safety constraint that blocked pushing to main. Same content, same one-PR shape — just a different head ref.