fix(dashboard): close 2 strong slop-scan findings + adversarial-review hardening #38

Merged: kaicianflone merged 1 commit into main from fix/dashboard-slopscan-cleanup on May 6, 2026

@kaicianflone
Collaborator

Summary

Slop-scan rerun on apps/dashboard (post the 3-PR zod trust-boundary refactor) flagged 2 strong findings. This PR closes both, plus a third issue Codex adversarial caught at the handler we were touching.

Changes

apps/dashboard/src/components/agents/AgentsPanel.tsx

Closes structure.pass-through-wrappers at line 57. parseMetadata was a literal forward to parseAgentMetadata introduced in PR #37 (T05) for testability. Drop the wrapper, inline parseAgentMetadata at the 3 call sites. Required a typeof === 'string' type guard at line 498 because parseAgentMetadata returns the typed schema output (passthrough fields are unknown) where the old wrapper returned Record<string, any>.

apps/dashboard/src/pages/WorkflowsDashboard.tsx

Closes defensive.error-swallowing at line 346 (handleLoadTemplate). The handler caught and only console.error'd. Now mirrors the sibling executeWorkflow pattern (setApiError(null) at start, setApiError(...) in the catch).

Plus: empty-payload 200 case (Codex adversarial finding). The original try/catch only handled non-OK HTTP. A 200 OK with {} or {template: null} would silently clear errors and do nothing. Added an else branch that surfaces "server returned no template payload" so backend regressions / proxy mangling don't get swallowed.

Adversarial review (max)

User invoked /review max adversarial. Three passes ran:

| Pass | Result |
| --- | --- |
| Claude adversarial subagent | Ship as-is. Verified semantic equivalence (wrapper was a literal forward; inlining is identity). Module-private ParticipantCard confirmed safe for prop removal. |
| Codex adversarial challenge | 2 findings: (1) race-condition class in handleLoadTemplate — no abort/versioning, overlapping clicks can clobber error state; (2) silent failure on empty 200. |
| Codex structured review | CLEAN — no [P1], GATE: PASS. "Small, coherent refactors and error-handling improvements without observable logic regressions." |

Codex finding #2 (silent empty 200): FIXED in this PR with the else branch.

Codex finding #1 (race condition): DEFERRED to P2 follow-up. It's a pre-existing structural issue across multiple handlers in this file (the explicit comment at refreshList:108 calls out the same class). Fix needs AbortController + request versioning across the file — too broad for a 6-line slop-cleanup PR.

Verification

  • pnpm --filter @consensus-tools/dashboard test — 79/79 pass
  • pnpm --filter @consensus-tools/dashboard typecheck — clean
  • pnpm --filter @consensus-tools/dashboard build — passes
  • npx slop-scan@latest scan apps/dashboard --lint: 5 → 3 findings (both strong items closed; 3 remaining are medium structure.directory-fanout-hotspot which are React app shape, not slop)

Test plan

  • All dashboard tests pass under jsdom env (79/79)
  • Typecheck + build clean
  • slop-scan rerun confirms both strong findings closed
  • P2 follow-up: file an issue/branch for AbortController + request versioning across WorkflowsDashboard handlers (Codex finding #1)

🤖 Generated with Claude Code

Slop-scan rerun on apps/dashboard after the 3-PR zod trust-boundary refactor
flagged two strong findings that survived. Both are 1-line classes that the
manual subagent audit also caught:

1. defensive.error-swallowing at WorkflowsDashboard.tsx:346
   handleLoadTemplate caught and only console.error'd. User-clicked
   template loads now surface the failure via setApiError, mirroring
   executeWorkflow's pattern at the same file.

2. structure.pass-through-wrappers at AgentsPanel.tsx:57
   parseMetadata was a literal forward to parseAgentMetadata introduced
   in PR #37 (T05) for testability. Drop the wrapper and call
   parseAgentMetadata at the 3 sites directly. Required a type guard at
   line 498 because parseAgentMetadata returns the typed schema output
   (where passthrough fields are 'unknown') instead of Record<string, any>.

Verification:
- pnpm --filter @consensus-tools/dashboard test  79/79 pass
- pnpm --filter @consensus-tools/dashboard typecheck  clean
- pnpm --filter @consensus-tools/dashboard build  passes
- npx slop-scan@latest scan apps/dashboard --lint  3 findings (was 5)
  Both 'strong' findings closed; remaining 3 are 'medium' directory
  fan-out hotspots that are React app shape, not slop.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@kaicianflone kaicianflone merged commit 24b78e4 into main May 6, 2026
3 checks passed
@kaicianflone kaicianflone deleted the fix/dashboard-slopscan-cleanup branch May 6, 2026 22:30
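
An added example, not part of this pull request or the project's code: it shows the handler pattern the description discusses (clear the error at the start, surface non-OK and empty-200 responses) together with the deferred AbortController plus request-versioning guard against overlapping clicks. The names interpretTemplateResponse, createLatestOnly, loadTemplate, the state object and the /api/templates/ URL are hypothetical.

```javascript
// Added example: all names and the URL below are hypothetical, not the dashboard's code.

// Map an HTTP result to either a template or a user-visible error message.
function interpretTemplateResponse(ok, status, body) {
  if (!ok) return { error: `template load failed (HTTP ${status})` };
  const template = body && typeof body === 'object' ? body.template : undefined;
  if (template === null || template === undefined) {
    // 200 OK with {} or {template: null}: surface it instead of doing nothing.
    return { error: 'server returned no template payload' };
  }
  return { template };
}

// Request versioning: only the most recently started request may write state.
function createLatestOnly() {
  let current = 0;
  let controller = null;
  return {
    begin() {
      if (controller) controller.abort(); // cancel the superseded request
      controller = new AbortController();
      current += 1;
      return { id: current, signal: controller.signal };
    },
    isCurrent(id) { return id === current; },
  };
}

// Handler shape: clear the error first, set it on every failure path,
// and drop results that belong to a superseded request.
async function loadTemplate(id, { fetchImpl, gate, state }) {
  const req = gate.begin();
  state.apiError = null;
  try {
    const res = await fetchImpl(`/api/templates/${id}`, { signal: req.signal });
    const body = await res.json().catch(() => null); // unparsable body counts as empty
    if (!gate.isCurrent(req.id)) return; // stale: a newer click owns the state
    const result = interpretTemplateResponse(res.ok, res.status, body);
    if (result.error) state.apiError = result.error;
    else state.template = result.template;
  } catch (err) {
    // An aborted or superseded request must not overwrite the newer one's error state.
    if (!gate.isCurrent(req.id) || err.name === 'AbortError') return;
    state.apiError = `template load failed: ${err.message}`;
  }
}
```
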