Improve Notification Center accessibility and UX

[daggerstuff]

I have implemented a micro-UX improvement for the Notification Center. This includes:

• Accessibility: Added mandatory aria-label attributes to the Bell toggle, Close, Mark as Read, and Dismiss buttons.
• Visual UX: Integrated Radix Tooltips for all icon-only buttons to provide visual clarity.
• Functionality: Replaced placeholder onMessage logic with a functional WebSocket parser that handles 'notification', 'unreadCount', and 'notifications' message types, enabling real-time UI updates.
• Testing Infrastructure: Fixed the broken vitest.config.ts (incorrect path aliases and missing setup file) and updated the NotificationCenter.test.tsx suite to use functional mocks and act() for simulating real-time events.
• Documentation: Recorded accessibility patterns in .jules/palette.md.

---

PR created automatically by Jules for task 6198441515359515660 started by @daggerstuff

Summary by Sourcery

Improve the Notification Center’s accessibility, UX, and real-time behavior while fixing its test configuration and coverage.

New Features:

• Add real-time WebSocket handling in NotificationCenter for notification, unreadCount, and notifications message types to keep the UI in sync with server updates.

Bug Fixes:

• Fix Vitest configuration by correcting path aliases and simplifying setup files so tests run against the proper sources and React modules.

Enhancements:

• Make icon-only controls in the Notification Center accessible by adding aria-labels and wrapping them in tooltips for clearer interaction.
• Adjust WebSocket outbound message expectations to reflect the structured payloads actually sent by the NotificationCenter component.

Documentation:

• Document icon-only button accessibility patterns in .jules/palette.md to guide future UI implementations.

Tests:

• Refactor NotificationCenter tests to drive behavior through the WebSocket onMessage callback and React act, and to assert against accessible button names.

Summary by CodeRabbit

Release Notes

• New Features

  • Added tooltips to notification center actions for clearer interaction guidance
  • Enhanced tooltip-based interactions across notification panel controls

• Documentation

  • Added accessibility guidelines for proper icon-only button labeling and screen reader support

• Bug Fixes

  • Improved WebSocket message parsing with error handling for more reliable notification updates
  • Enhanced state management for unread counts and notification lists

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pixelated	Error		Mar 7, 2026 1:02pm

[sourcery-ai]

Reviewer's Guide

Implements a fully functional, accessible Notification Center by wiring real-time WebSocket message handling into the component, adding ARIA labels and Radix tooltips to icon-only buttons, updating tests to use functional WebSocket mocks with act() for live updates, and fixing Vitest configuration and documentation to reflect the new accessibility pattern.

Sequence diagram for WebSocket-driven NotificationCenter updates

sequenceDiagram
  participant WebSocketServer
  participant useWebSocketHook
  participant NotificationCenter

  WebSocketServer->>useWebSocketHook: send message {content}
  useWebSocketHook->>NotificationCenter: onMessage(message)
  NotificationCenter->>NotificationCenter: JSON.parse(message.content)
  alt type notification
    NotificationCenter->>NotificationCenter: setNotifications([newNotification, ...prev])
    alt newNotification.status is PENDING
      NotificationCenter->>NotificationCenter: setUnreadCount(prev + 1)
    end
  else type unreadCount
    NotificationCenter->>NotificationCenter: setUnreadCount(payload.count)
  else type notifications
    NotificationCenter->>NotificationCenter: setNotifications(payload.data)
  else unknown type or parse error
    NotificationCenter->>NotificationCenter: console.error
  end

Loading

File-Level Changes

Change	Details	Files
Wire NotificationCenter to handle structured WebSocket messages and update UI state in real time.	Replace placeholder onMessage handler with JSON parsing of message.content and a type-discriminated switch over 'notification', 'unreadCount', and 'notifications'. Update notifications state when a single notification arrives and increment unreadCount when it is pending. Synchronize notifications list from bulk 'notifications' payloads and set unreadCount from 'unreadCount' messages, with basic error handling on parse failures. Wrap the NotificationCenter root in TooltipProvider to support added tooltips.	src/components/notification/NotificationCenter.tsx
Improve Notification Center accessibility and visual UX for icon-only buttons using ARIA labels and Radix Tooltips.	Wrap the bell toggle, header close button, and per-notification action buttons in Tooltip/TooltipTrigger/TooltipContent components for descriptive hover/focus text. Add aria-label attributes to the bell toggle ('Notifications'), close button ('Close notifications'), mark-as-read button ('Mark as read'), and dismiss button ('Dismiss notification'). Adjust button queries in tests to use accessible role+name (getByRole with name) aligned with the new aria-labels.	src/components/notification/NotificationCenter.tsx src/components/notification/__tests__/NotificationCenter.test.tsx
Refactor NotificationCenter tests to use functional WebSocket mocks and simulate real-time updates via captured onMessage callbacks.	Change useWebSocket mocks from static return values to mockImplementation capturing the onMessage callback for each test. Use capturedOnMessage plus act() to inject JSON-encoded WebSocket messages for 'unreadCount', 'notifications', and 'notification' types to drive UI state. Relax expectations for mark_read and dismiss actions to assert on JSON content within the WebSocket message payload rather than on plain objects. Update button selection in tests to rely on accessible names (e.g., 'Notifications', 'Close notifications', 'Mark as read', 'Dismiss notification').	src/components/notification/__tests__/NotificationCenter.test.tsx
Fix Vitest configuration so tests can resolve project paths and run with the correct setup.	Point '@' alias to '../src' instead of './src' to match the monorepo-style config directory layout. Update React and JSX runtime aliases to resolve from '../node_modules' rather than local './node_modules'. Simplify test.setupFiles to only include './src/test/setup.ts', removing the missing './vitest.setup.ts' entry.	config/vitest.config.ts
Document the accessibility pattern for icon-only buttons in the internal Jules palette.	Add guidance that icon-only buttons should always pair aria-label with a Tooltip for both screen-reader and visual clarity. Record this as a dated learning specifically referencing Bell, Check, and X icon buttons in React/Radix environments.	.jules/palette.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request enhances accessibility with tooltip documentation, adds tooltip-driven UX to the NotificationCenter component with improved WebSocket message handling, refactors CodeQL security configurations and queries to better detect EHR/FHIR security issues, and updates related test coverage and build configuration.

Changes

Cohort / File(s)	Summary
Accessibility & UI Enhancements .jules/palette.md, src/components/notification/NotificationCenter.tsx	Added accessibility guidelines for icon-only buttons recommending aria-label + Tooltip pairing; wrapped NotificationCenter with TooltipProvider and added per-action tooltips (mark as read, dismiss, close); refactored WebSocket handling to parse typed payloads and branch on message type ('notification', 'unreadCount', 'notifications').
Component Testing src/components/notification/__tests__/NotificationCenter.test.tsx	Replaced static mocks with dynamic vi.fn() implementations; added per-test onMessage capture to simulate WebSocket events; converted rerender-based updates to act()-wrapped onMessage invocations; updated selectors to use accessible names; expanded assertions to validate JSON payloads with specific type fields.
Configuration & Build Setup config/vitest.config.ts	Updated path alias '@' from ./src to ../src; simplified setupFiles from dual array to single file (../src/test/setup.ts).
CodeQL Manifest & Workflow .github/codeql/codeql-config.yml, .github/codeql/custom-queries/qlpack.yml, .github/workflows/codeql.yml	Removed CodeQL disable-default-queries, query-filters, paths, and paths-ignore sections; simplified qlpack.yml to single extractor declaration; extended workflow to conditionally add custom JavaScript queries.
CodeQL Security Queries (Refactored) .github/codeql/custom-queries/ehr-security.ql ❌ (removed), .github/codeql/custom-queries/fhir-security.ql ❌ (removed), .github/codeql/custom-queries/ehr-security-patterns.ql ✅ (new)	Consolidated EHR/FHIR security detection into unified pattern-based query; introduces EHRConfigTrackingConfig (detects sensitive token/key/secret/password reads flowing to logs or URL properties) and EHRAccessTrackingConfig (detects remote sources flowing to request/fetch/axios calls with EHR endpoint patterns).
CodeQL Security Queries (New Rules) .github/codeql/custom-queries/insecure-ehr-auth.ql, insecure-fhir-ops.ql, insecure-fhir-search.ql, missing-audit-log.ql, missing-fhir-version.ql, unencrypted-ehr-data.ql, unvalidated-fhir-access.ql	Added 7 new security queries detecting: weak EHR authentication without MFA, FHIR operations lacking authorization, FHIR searches without input sanitization, EHR operations missing audit logs, FHIR client initialization without version checks, unencrypted EHR data transmission, and unvalidated FHIR resource access.

Sequence Diagram

sequenceDiagram
    actor User
    participant NotificationCenter
    participant TooltipProvider
    participant WebSocket
    participant State

    User->>NotificationCenter: Open panel
    NotificationCenter->>TooltipProvider: Wrap component
    NotificationCenter->>WebSocket: Listen for messages
    
    WebSocket->>NotificationCenter: Emit payload (type: 'unreadCount')
    NotificationCenter->>State: Parse message, update unread badge
    NotificationCenter->>TooltipProvider: Re-render with new count
    
    User->>NotificationCenter: Hover mark-as-read button
    NotificationCenter->>TooltipProvider: Show tooltip
    
    User->>NotificationCenter: Click mark-as-read
    NotificationCenter->>WebSocket: Send {type: 'mark_read', notificationId}
    WebSocket->>State: Process action
    NotificationCenter->>TooltipProvider: Re-render updated state
    
    User->>NotificationCenter: Click close
    NotificationCenter->>TooltipProvider: Show tooltip, dismiss panel

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 With tooltips bright and WebSocket flow,
Security queries ebb and grow,
Each FHIR check, each EHR guard,
Makes accessibility less hard—
From icon hints to audit trails,
Our safety net now never fails! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Improve Notification Center accessibility and UX' directly reflects the main objectives of this PR, which focuses on adding accessibility features (aria-labels, tooltips) and improving the user experience of the Notification Center component.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch palette/notification-ux-a11y-6198441515359515660

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've left some high level feedback:

• The onMessage handler in NotificationCenter parses loosely typed JSON and relies on stringly-typed payload.type; consider defining a typed message payload union and switching on that type to get compile-time safety and clearer handling of unknown message types.
• The test suite repeats the capturedOnMessage + vi.mocked(useWebSocket).mockImplementation setup in multiple tests; extracting a small helper to create a mocked socket with a captured onMessage would reduce duplication and make the test intent clearer.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The onMessage handler in NotificationCenter parses loosely typed JSON and relies on stringly-typed `payload.type`; consider defining a typed message payload union and switching on that type to get compile-time safety and clearer handling of unknown message types.
- The test suite repeats the `capturedOnMessage` + `vi.mocked(useWebSocket).mockImplementation` setup in multiple tests; extracting a small helper to create a mocked socket with a captured `onMessage` would reduce duplication and make the test intent clearer.

Fix all in Cursor

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

src/components/notification/__tests__/NotificationCenter.test.tsx (2)

22-27: ⚠️ Potential issue | 🟡 Minor

Inconsistent button query may cause flaky tests.

This test uses screen.getByRole('button') without a name filter, while other tests (lines 56, 81, 119, etc.) correctly use { name: /notifications/i }. If additional buttons are added to the component, this query will fail with "multiple elements found."

🐛 Proposed fix

   it('renders notification button with no unread count', () => {
     render(<NotificationCenter />)
 
-    expect(screen.getByRole('button')).toBeInTheDocument()
+    expect(screen.getByRole('button', { name: /notifications/i })).toBeInTheDocument()
     expect(screen.queryByText(/\d+/)).not.toBeInTheDocument()
   })

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/__tests__/NotificationCenter.test.tsx` around
lines 22 - 27, The test in NotificationCenter.test.tsx uses an ambiguous query
screen.getByRole('button') which can become flaky if other buttons exist; update
this assertion to target the notification button by name like
screen.getByRole('button', { name: /notifications/i }) so it matches the same
semantic query used in other tests for the NotificationCenter component and
prevents "multiple elements found" errors.

---

60-65: ⚠️ Potential issue | 🟡 Minor

Same inconsistent query pattern.

Apply the same fix as above for consistency.

🐛 Proposed fix

   it('displays empty state when there are no notifications', () => {
     render(<NotificationCenter />)
 
-    fireEvent.click(screen.getByRole('button'))
+    fireEvent.click(screen.getByRole('button', { name: /notifications/i }))
     expect(screen.getByText('No notifications')).toBeInTheDocument()
   })

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/__tests__/NotificationCenter.test.tsx` around
lines 60 - 65, The test uses fireEvent.click which is inconsistent with the
other tests; update the 'displays empty state when there are no notifications'
test in NotificationCenter.test.tsx to use userEvent: import userEvent from
'@testing-library/user-event', make the test async, replace
fireEvent.click(screen.getByRole('button')) with await
userEvent.click(screen.getByRole('button')), and keep the existing assertion
expect(screen.getByText('No notifications')).toBeInTheDocument(); this aligns
with the other tests' interaction pattern.

src/components/notification/NotificationCenter.tsx (1)

100-118: ⚠️ Potential issue | 🟡 Minor

Stale closure risk when checking notification status.

notifications.find(...) on line 113 reads from the closure-captured state, which may be stale if a WebSocket message updates notifications concurrently. Move the status check before the setNotifications call to use consistent state.

🐛 Proposed fix

 const handleDismiss = async (notificationId: string) => {
   sendMessage({
     id: `dismiss-${notificationId}`,
     role: 'system',
     content: JSON.stringify({ type: 'dismiss', notificationId }),
   })

+  const wasPending =
+    notifications.find((n) => n.id === notificationId)?.status ===
+    NotificationStatus.PENDING
+
   setNotifications((prev: NotificationItem[]) =>
     prev.filter((n: NotificationItem) => n.id !== notificationId),
   )
-  if (
-    notifications.find((n: NotificationItem) => n.id === notificationId)
-      ?.status === NotificationStatus.PENDING
-  ) {
+  if (wasPending) {
     setUnreadCount((prev: number) => Math.max(0, prev - 1))
   }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/NotificationCenter.tsx` around lines 100 - 118,
The handleDismiss handler currently reads notifications from the outer closure
(notifications.find(...)) after calling setNotifications, risking a stale
closure; before calling setNotifications, compute whether the dismissed
notification was pending (e.g. check notifications.find(...) or derive from the
functional prev inside the update) and store that boolean, then call
setNotifications((prev)=>prev.filter(...)) and if it was pending call
setUnreadCount(...). Update the code paths in handleDismiss (referencing
sendMessage, setNotifications, notifications, setUnreadCount, and
NotificationStatus.PENDING) so the pending-status check happens before mutating
state to ensure consistent behavior.

🧹 Nitpick comments (2)

src/components/notification/__tests__/NotificationCenter.test.tsx (1)

29-40: Consider extracting the mock setup helper.

The capturedOnMessage pattern is repeated in 5 tests. A helper function could reduce duplication:

function setupWebSocketMock(sendMessage = vi.fn()) {
  let capturedOnMessage: (message: { content: string }) => void = () => {}
  vi.mocked(useWebSocket).mockImplementation(({ onMessage }) => {
    capturedOnMessage = onMessage as any
    return { isConnected: true, error: null, sendMessage, sendStatus: vi.fn() }
  })
  return { capturedOnMessage: () => capturedOnMessage, sendMessage }
}

This is optional since the current implementation is still readable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/__tests__/NotificationCenter.test.tsx` around
lines 29 - 40, Extract the repeated WebSocket mock pattern into a helper to
reduce duplication: create a setupWebSocketMock function that encapsulates the
capturedOnMessage closure and the vi.mocked(useWebSocket).mockImplementation
logic used in tests (the current capturedOnMessage variable assignment and
returned mock object with isConnected, error, sendMessage, sendStatus). Update
tests that currently declare capturedOnMessage and call
vi.mocked(useWebSocket).mockImplementation to use setupWebSocketMock, returning
accessors for the capturedOnMessage callback and the sendMessage mock so
existing test logic (invoking capturedOnMessage and asserting
sendMessage/notifications) remains unchanged.

src/components/notification/NotificationCenter.tsx (1)

37-44: Consider validating payload.data before casting to NotificationItem.

The unreadCount case validates with typeof payload.count === 'number' and notifications validates with Array.isArray(), but the notification case directly casts payload.data without validation. Malformed server data could introduce invalid objects into state.

♻️ Suggested validation

          case 'notification': {
-           const newNotification = payload.data as NotificationItem
+           const newNotification = payload.data
+           if (
+             newNotification &&
+             typeof newNotification.id === 'string' &&
+             typeof newNotification.title === 'string'
+           ) {
-           setNotifications((prev) => [newNotification, ...prev])
-           if (newNotification.status === NotificationStatus.PENDING) {
-             setUnreadCount((prev) => prev + 1)
-           }
+             setNotifications((prev) => [newNotification as NotificationItem, ...prev])
+             if (newNotification.status === NotificationStatus.PENDING) {
+               setUnreadCount((prev) => prev + 1)
+             }
+           }
            break
          }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/NotificationCenter.tsx` around lines 37 - 44, The
payload.data in the 'notification' case is cast directly to NotificationItem
which can let malformed server data into state; add validation before calling
setNotifications and setUnreadCount by implementing a type guard (e.g.,
isNotificationItem) or explicit checks that payload.data is an object and has
the required properties (id, message/text, status) and that status is one of
NotificationStatus values; only call
setNotifications((prev)=>[newNotification,...prev]) and increment unread via
setUnreadCount when the validation passes, otherwise skip adding (and optionally
log a warning).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/palette.md:
- Around line 1-3: Insert a blank line to surround the heading "## 2025-05-15 -
Icon-only Button Accessibility" so the heading is preceded and followed by an
empty line; if the heading is at the top of the file (no preceding content), add
a blank line immediately after that heading to satisfy markdownlint's
requirement that headings be surrounded by blank lines.

---

Outside diff comments:
In `@src/components/notification/__tests__/NotificationCenter.test.tsx`:
- Around line 22-27: The test in NotificationCenter.test.tsx uses an ambiguous
query screen.getByRole('button') which can become flaky if other buttons exist;
update this assertion to target the notification button by name like
screen.getByRole('button', { name: /notifications/i }) so it matches the same
semantic query used in other tests for the NotificationCenter component and
prevents "multiple elements found" errors.
- Around line 60-65: The test uses fireEvent.click which is inconsistent with
the other tests; update the 'displays empty state when there are no
notifications' test in NotificationCenter.test.tsx to use userEvent: import
userEvent from '@testing-library/user-event', make the test async, replace
fireEvent.click(screen.getByRole('button')) with await
userEvent.click(screen.getByRole('button')), and keep the existing assertion
expect(screen.getByText('No notifications')).toBeInTheDocument(); this aligns
with the other tests' interaction pattern.

In `@src/components/notification/NotificationCenter.tsx`:
- Around line 100-118: The handleDismiss handler currently reads notifications
from the outer closure (notifications.find(...)) after calling setNotifications,
risking a stale closure; before calling setNotifications, compute whether the
dismissed notification was pending (e.g. check notifications.find(...) or derive
from the functional prev inside the update) and store that boolean, then call
setNotifications((prev)=>prev.filter(...)) and if it was pending call
setUnreadCount(...). Update the code paths in handleDismiss (referencing
sendMessage, setNotifications, notifications, setUnreadCount, and
NotificationStatus.PENDING) so the pending-status check happens before mutating
state to ensure consistent behavior.

---

Nitpick comments:
In `@src/components/notification/__tests__/NotificationCenter.test.tsx`:
- Around line 29-40: Extract the repeated WebSocket mock pattern into a helper
to reduce duplication: create a setupWebSocketMock function that encapsulates
the capturedOnMessage closure and the vi.mocked(useWebSocket).mockImplementation
logic used in tests (the current capturedOnMessage variable assignment and
returned mock object with isConnected, error, sendMessage, sendStatus). Update
tests that currently declare capturedOnMessage and call
vi.mocked(useWebSocket).mockImplementation to use setupWebSocketMock, returning
accessors for the capturedOnMessage callback and the sendMessage mock so
existing test logic (invoking capturedOnMessage and asserting
sendMessage/notifications) remains unchanged.

In `@src/components/notification/NotificationCenter.tsx`:
- Around line 37-44: The payload.data in the 'notification' case is cast
directly to NotificationItem which can let malformed server data into state; add
validation before calling setNotifications and setUnreadCount by implementing a
type guard (e.g., isNotificationItem) or explicit checks that payload.data is an
object and has the required properties (id, message/text, status) and that
status is one of NotificationStatus values; only call
setNotifications((prev)=>[newNotification,...prev]) and increment unread via
setUnreadCount when the validation passes, otherwise skip adding (and optionally
log a warning).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dc7dbe85-3927-4f1b-9734-b94bcac49c2c

📥 Commits

Reviewing files that changed from the base of the PR and between a814054 and 6f71c08.

📒 Files selected for processing (4)

• .jules/palette.md
• config/vitest.config.ts
• src/components/notification/NotificationCenter.tsx
• src/components/notification/__tests__/NotificationCenter.test.tsx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add a blank line before the heading to satisfy markdown linting.

The markdownlint tool flags that headings should be surrounded by blank lines. Since this is the start of the file, add a blank line after the heading.

📝 Proposed fix

 ## 2025-05-15 - Icon-only Button Accessibility
+
 **Learning:** Icon-only buttons (like Bell, Check, X) are invisible to screen readers and confusing to users without explicit labels. In React/Radix environments, combining 'aria-label' for screen readers with 'Tooltip' for visual users provides a complete accessibility solution.

🧰 Tools

🪛 markdownlint-cli2 (0.21.0)

[warning] 1-1: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/palette.md around lines 1 - 3, Insert a blank line to surround the
heading "## 2025-05-15 - Icon-only Button Accessibility" so the heading is
preceded and followed by an empty line; if the heading is at the top of the file
(no preceding content), add a blank line immediately after that heading to
satisfy markdownlint's requirement that headings be surrounded by blank lines.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/components/notification/NotificationCenter.tsx (1)

102-110: ⚠️ Potential issue | 🟠 Major

Stale closure bug: notifications reference may be outdated.

The notifications.find() on line 106 reads from the outer scope, which captures the notifications state at the time the component last rendered. If state changes between render and execution (e.g., rapid dismissals, or a WebSocket message arriving), this check may reference stale data, causing incorrect unreadCount updates.

🐛 Proposed fix using filter result

  const handleDismiss = async (notificationId: string) => {
    sendMessage({
      id: `dismiss-${notificationId}`,
      role: 'system',
      content: JSON.stringify({ type: 'dismiss', notificationId }),
    })

-   setNotifications((prev: NotificationItem[]) =>
-     prev.filter((n: NotificationItem) => n.id !== notificationId),
-   )
-   if (
-     notifications.find((n: NotificationItem) => n.id === notificationId)
-       ?.status === NotificationStatus.PENDING
-   ) {
-     setUnreadCount((prev: number) => Math.max(0, prev - 1))
-   }
+   setNotifications((prev: NotificationItem[]) => {
+     const target = prev.find((n) => n.id === notificationId)
+     if (target?.status === NotificationStatus.PENDING) {
+       setUnreadCount((c) => Math.max(0, c - 1))
+     }
+     return prev.filter((n) => n.id !== notificationId)
+   })
  }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/NotificationCenter.tsx` around lines 102 - 110,
The check for pending status uses the stale outer notifications variable;
instead compute the removed item from the same filter/update and base the unread
decrement on that result. In the setNotifications call (and surrounding logic
handling notificationId), capture the removed notification(s) or the filtered
result and then, if the removed notification has status
NotificationStatus.PENDING, call setUnreadCount(prev => Math.max(0, prev - 1))
so you rely on the fresh data rather than notifications.find(...).

🧹 Nitpick comments (1)

src/components/notification/NotificationCenter.tsx (1)

31-35: Consider adding runtime validation for WebSocket payloads.

The type assertions (as { type: string; ... } and as NotificationItem) trust server data without validation. Malformed payloads could cause subtle runtime issues (e.g., missing status field on line 41).

A lightweight check before casting would improve robustness.

Also applies to: 39-39

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/NotificationCenter.tsx` around lines 31 - 35, The
code currently parses WebSocket message.content into payload and then casts to
NotificationItem without runtime checks; add lightweight validation in
NotificationCenter (around the payload const and the NotificationItem cast) to
verify required fields exist and have expected types (e.g., payload.type is
string, payload.data/count optional, and for NotificationItem check fields like
status, id, message, timestamp) before casting or pushing into state; if
validation fails, log a warning and ignore the message (or handle a safe
fallback) to avoid runtime errors when accessing properties such as
payload.data.status.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/components/notification/NotificationCenter.tsx`:
- Around line 52-57: When handling the 'notifications' message in
NotificationCenter, update the unreadCount state after calling setNotifications
so the badge reflects the true pending count; compute the count from the
incoming payload.data (e.g., count items where notification.read is falsy) and
call setUnreadCount(...) alongside setNotifications(payload.data) inside that
case block (referencing NotificationCenter, setNotifications, and
setUnreadCount).

---

Outside diff comments:
In `@src/components/notification/NotificationCenter.tsx`:
- Around line 102-110: The check for pending status uses the stale outer
notifications variable; instead compute the removed item from the same
filter/update and base the unread decrement on that result. In the
setNotifications call (and surrounding logic handling notificationId), capture
the removed notification(s) or the filtered result and then, if the removed
notification has status NotificationStatus.PENDING, call setUnreadCount(prev =>
Math.max(0, prev - 1)) so you rely on the fresh data rather than
notifications.find(...).

---

Nitpick comments:
In `@src/components/notification/NotificationCenter.tsx`:
- Around line 31-35: The code currently parses WebSocket message.content into
payload and then casts to NotificationItem without runtime checks; add
lightweight validation in NotificationCenter (around the payload const and the
NotificationItem cast) to verify required fields exist and have expected types
(e.g., payload.type is string, payload.data/count optional, and for
NotificationItem check fields like status, id, message, timestamp) before
casting or pushing into state; if validation fails, log a warning and ignore the
message (or handle a safe fallback) to avoid runtime errors when accessing
properties such as payload.data.status.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b8f6f238-ebd9-4ecd-957c-eee03fe031de

📥 Commits

Reviewing files that changed from the base of the PR and between 6f71c08 and 25f0f34.

📒 Files selected for processing (1)

• src/components/notification/NotificationCenter.tsx

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Sync unreadCount when full notifications list is received.

When the 'notifications' message type is received, the unreadCount state is not updated to reflect the actual number of pending notifications. This can cause the badge to display an incorrect count.

🐛 Proposed fix to sync unreadCount

          case 'notifications': {
            if (Array.isArray(payload.data)) {
              setNotifications(payload.data)
+             const pendingCount = payload.data.filter(
+               (n: NotificationItem) => n.status === NotificationStatus.PENDING
+             ).length
+             setUnreadCount(pendingCount)
            }
            break
          }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	case 'notifications': {
	if (Array.isArray(payload.data)) {
	setNotifications(payload.data)
	}
	break
	}
	case 'notifications': {
	if (Array.isArray(payload.data)) {
	setNotifications(payload.data)
	const pendingCount = payload.data.filter(
	(n: NotificationItem) => n.status === NotificationStatus.PENDING
	).length
	setUnreadCount(pendingCount)
	}
	break
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/NotificationCenter.tsx` around lines 52 - 57,
When handling the 'notifications' message in NotificationCenter, update the
unreadCount state after calling setNotifications so the badge reflects the true
pending count; compute the count from the incoming payload.data (e.g., count
items where notification.read is falsy) and call setUnreadCount(...) alongside
setNotifications(payload.data) inside that case block (referencing
NotificationCenter, setNotifications, and setUnreadCount).

[sentry]

Bug: The inline onMessage function in NotificationCenter is redefined on every render, causing the useWebSocket hook to trigger a constant WebSocket reconnection loop.
_{Severity: CRITICAL}

Suggested Fix

Wrap the onMessage function definition in NotificationCenter.tsx with a useCallback hook. This will memoize the function, ensuring its reference remains stable across re-renders and preventing the downstream dependency chain from triggering reconnections.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/components/notification/NotificationCenter.tsx#L29-L31

Potential issue: The `onMessage` handler in `NotificationCenter.tsx` is an inline
function, creating a new reference on each component render. This function is passed as
a prop to the `useWebSocket` hook, where it is a dependency of a `useCallback`-wrapped
`connect` function. Consequently, any re-render of `NotificationCenter` (e.g., from a
parent component update) causes the `connect` function to be recreated. This, in turn,
triggers a `useEffect` that closes the existing WebSocket connection and opens a new
one, resulting in a constant reconnection loop that prevents the notification feature
from functioning and generates excessive network traffic.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/hooks/useWebSocket.ts (1)

170-174: Consider consistent error handling with sendMessage.

sendRaw silently drops messages when the WebSocket isn't open, whereas sendMessage sets an error and calls onError. If callers (e.g., NotificationCenter) rely on knowing when sends fail, this inconsistency could cause silent data loss.

If silent failure is intentional for fire-and-forget use cases, document this behavior; otherwise, align with sendMessage:

♻️ Option: Report error when not connected

-  const sendRaw = useCallback((data: any) => {
+  const sendRaw = useCallback((data: unknown) => {
     if (wsRef.current?.readyState === WebSocket.OPEN) {
       wsRef.current.send(JSON.stringify(data))
+    } else {
+      const error = new Error('WebSocket is not connected')
+      setError(error)
+      if (onError) {
+        onError(error)
+      }
     }
-  }, [])
+  }, [onError])

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/hooks/useWebSocket.ts` around lines 170 - 174, The sendRaw function
currently drops messages silently when wsRef.current?.readyState !==
WebSocket.OPEN; update it to match sendMessage's error handling by reporting the
failure instead of swallowing it: when wsRef.current is not open, set the same
error state and invoke onError (or the same error callback used by sendMessage)
with a descriptive Error (e.g., "WebSocket not open") so callers like
NotificationCenter get notified of send failures; alternatively, if silent
fire-and-forget is intentional, add a clear comment/docstring above sendRaw
describing that behavior and why it differs from sendMessage.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/components/notification/NotificationCenter.tsx`:
- Around line 65-72: The initial get_notifications call in the useEffect can be
lost because sendRaw may run before the WebSocket is OPEN; modify the component
to only send when connected by checking the connection state (use the existing
isConnected flag) or queue the request and send it from the hook's onopen
handler (or retry once isConnected flips true). Concretely, update the useEffect
that calls sendRaw to either: 1) wrap the call in if (isConnected) {
sendRaw({...}) } and add a separate effect to send queued requests when
isConnected becomes true, or 2) move the initial get_notifications logic into
the WebSocket hook's onopen handler so the hook sends the request when the
socket opens; reference sendRaw, isConnected and the hook's onopen to locate
where to implement the guard/queueing or relocation.

---

Nitpick comments:
In `@src/hooks/useWebSocket.ts`:
- Around line 170-174: The sendRaw function currently drops messages silently
when wsRef.current?.readyState !== WebSocket.OPEN; update it to match
sendMessage's error handling by reporting the failure instead of swallowing it:
when wsRef.current is not open, set the same error state and invoke onError (or
the same error callback used by sendMessage) with a descriptive Error (e.g.,
"WebSocket not open") so callers like NotificationCenter get notified of send
failures; alternatively, if silent fire-and-forget is intentional, add a clear
comment/docstring above sendRaw describing that behavior and why it differs from
sendMessage.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8cd68ed9-4171-471e-b5fc-c509158bf4d3

📥 Commits

Reviewing files that changed from the base of the PR and between 25f0f34 and 7e2107b.

📒 Files selected for processing (3)

• src/components/notification/NotificationCenter.tsx
• src/components/notification/__tests__/NotificationCenter.test.tsx
• src/hooks/useWebSocket.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Potential race: initial fetch may fire before WebSocket connects.

sendRaw is called immediately on mount, but the WebSocket may not yet be in OPEN state. Since sendRaw silently drops messages when not connected, the initial get_notifications request could be lost.

Consider either:

1. Guarding the send with isConnected
2. Sending from the onopen handler in the hook
3. Retrying when connection is established

🛡️ Example fix using isConnected guard

+ const { sendRaw, isConnected } = useWebSocket({
    url: 'ws://localhost:8080',
    sessionId: 'placeholder-session',
    onMessage: (message) => {
      // ...
    },
  })

  useEffect(() => {
+   if (!isConnected) return
    sendRaw({
      type: 'get_notifications',
      limit: 20,
      offset: 0,
    })
- }, [sendRaw])
+ }, [sendRaw, isConnected])

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/NotificationCenter.tsx` around lines 65 - 72, The
initial get_notifications call in the useEffect can be lost because sendRaw may
run before the WebSocket is OPEN; modify the component to only send when
connected by checking the connection state (use the existing isConnected flag)
or queue the request and send it from the hook's onopen handler (or retry once
isConnected flips true). Concretely, update the useEffect that calls sendRaw to
either: 1) wrap the call in if (isConnected) { sendRaw({...}) } and add a
separate effect to send queued requests when isConnected becomes true, or 2)
move the initial get_notifications logic into the WebSocket hook's onopen
handler so the hook sends the request when the socket opens; reference sendRaw,
isConnected and the hook's onopen to locate where to implement the
guard/queueing or relocation.

[sentry]

Bug: The onMessage handler in NotificationCenter will never execute because the useWebSocket hook only forwards messages of type: 'message', not the notification types sent by the server.
_{Severity: CRITICAL}

Suggested Fix

Update the useWebSocket hook to process and forward WebSocket frames with types other than 'message'. The hook's ws.onmessage handler should be modified to parse all incoming message types and invoke the onMessage callback accordingly, allowing the NotificationCenter to receive and process notification, unread count, and other relevant updates from the server.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/components/notification/NotificationCenter.tsx#L29-L61

Potential issue: There is an architectural mismatch between the server's WebSocket
messages and the client-side `useWebSocket` hook. The server sends frames with `type:
'notification'`, `type: 'unreadCount'`, and `type: 'notifications'`. However, the
`useWebSocket` hook is implemented to only forward messages to its `onMessage` callback
if the frame's `type` is `'message'`. As a result, the `onMessage` handler in
`NotificationCenter`, which expects to process these notification-specific types, is
dead code and will never be executed. This makes the real-time notification feature
completely non-functional.

[coderabbitai]

Actionable comments posted: 13

♻️ Duplicate comments (2)

src/components/notification/NotificationCenter.tsx (2)

52-55: ⚠️ Potential issue | 🟠 Major

Sync the badge when replacing the full notification list.

Line 54 swaps in a fresh snapshot but leaves unreadCount unchanged, so the bell can keep showing stale unread state after a resync/full fetch. Recompute the pending count from payload.data in this branch and update setUnreadCount(...) alongside setNotifications(...).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/NotificationCenter.tsx` around lines 52 - 55,
When handling the 'notifications' branch where you replace the full list (case
'notifications'), recompute and update the unread badge by calculating the
unread count from payload.data before calling setNotifications; call
setUnreadCount(...) with the count of items in payload.data that are unread
(e.g., filter by .read or .isRead property) immediately alongside
setNotifications(payload.data) so the bell reflects the new snapshot instead of
retaining stale unreadCount.

---

65-76: ⚠️ Potential issue | 🟠 Major

Wait for the socket to open before sending the initial fetch.

This effect still sends get_notifications immediately on mount, but src/hooks/useWebSocket.ts only transmits when the socket is already OPEN; otherwise the message is dropped and an error is set. That makes the initial panel population nondeterministic on first load.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/NotificationCenter.tsx` around lines 65 - 76,
Effect sends get_notifications immediately on mount even if the WebSocket isn't
open, causing dropped initial requests; update the useEffect in
NotificationCenter (the effect that calls sendMessage) to wait for the socket to
be OPEN before sending by depending on the socket connection state provided by
useWebSocket (e.g., connectionStatus, isOpen, or onOpen callback) and only call
sendMessage when that state is open; if useWebSocket exposes an onOpen handler,
register a one-time onOpen to send the init-notifications payload, otherwise add
the connection status to the effect's dependency array and gate the sendMessage
call behind a check for OPEN.

🧹 Nitpick comments (1)

src/components/notification/__tests__/NotificationCenter.test.tsx (1)

30-40: Extract the repeated WebSocket test harness.

The same capturedOnMessage/mockImplementation setup is copied into five tests. A small helper that renders the component and returns capturedOnMessage would make these cases shorter and easier to update when the hook contract changes.

Also applies to: 70-78, 108-116, 152-160, 206-214

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/__tests__/NotificationCenter.test.tsx` around
lines 30 - 40, Extract the repeated WebSocket test harness by creating a small
helper (e.g., setupWebSocketMock or renderNotificationWithWebSocket) that
encapsulates the capturedOnMessage variable and the
vi.mocked(useWebSocket).mockImplementation(...) logic used in the tests; the
helper should set capturedOnMessage, mock useWebSocket to return
isConnected/error/sendMessage/sendStatus, render the NotificationCenter
component, and return the capturedOnMessage (and optionally the render result)
so each test can call the helper instead of duplicating the mock setup for
capturedOnMessage and useWebSocket.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/codeql/custom-queries/ehr-security-patterns.ql:
- Around line 43-66: The isSink predicate currently sets sink =
call.getAnArgument() without ensuring that the endpoint actually flows into that
same argument, causing false positives; modify the predicate to bind sink to the
specific call argument that the endpoint flows to (e.g., introduce a local
DataFlow::Node arg or similar, require endpoint.flowsTo(arg) and arg =
call.getAnArgument(), then set sink = arg) so that sink is guaranteed to be the
argument receiving the EHR URL; keep the existing checks on call.getCalleeName()
and the URL patterns unchanged.
- Around line 74-75: The select message is missing CodeQL $@ placeholders to
link descriptions to nodes; update the select so the human-readable string uses
`$@` placeholders (e.g., "Potential EHR security issue: $@ flows to $@.") and
pass the corresponding node descriptions (source.getNode(), "Sensitive data",
sink.getNode(), "dangerous sink") in the select call so the source and sink are
properly interpolated and tied to their AST nodes; keep the rest of the select
tuple (select sink.getNode(), source, sink, ...) intact.
- Line 14: Import and configuration usage are inconsistent: replace the generic
DataFlow::PathGraph import with module-specific imports (import
EHRConfigTracking::PathGraph; import EHRAccessTracking::PathGraph), change the
modules implementing DataFlow::ConfigSig to implement TaintTracking::ConfigSig
instead of instantiating TaintTracking::Global<>, and avoid combining two
TaintTracking::Global<> modules with `or` in a single path-problem query—either
split into two separate path-problem queries (one using EHRConfigTracking and
one using EHRAccessTracking) or create a unified tracking configuration so
PathNodes are compatible; finally fix the malformed select placeholder (the
`"flows to ."`/$@ interpolation) so the query outputs the correct `$@` value.

In @.github/codeql/custom-queries/insecure-ehr-auth.ql:
- Around line 27-31: The MFA existence check is currently global and can match
unrelated helpers; modify the mfaCall predicate so it is constrained to the same
enclosing function as authCall (e.g., add mfaCall.getEnclosingFunction() =
authCall.getEnclosingFunction() to the mfaCall conditions) so that only
MFA/verify calls in the same authentication path are considered; update the not
exists(...) clause that declares mfaCall to include this equality check using
the existing authCall symbol.

In @.github/codeql/custom-queries/insecure-fhir-ops.ql:
- Around line 26-31: The predicate hasSecurityContext(CallExpr call) currently
ignores its parameter and should be bound to the candidate FHIR operation;
update it so the found securityCall is in the same enclosing callable/scope as
the given call (e.g., require securityCall.getEnclosingCallable() =
call.getEnclosingCallable()); optionally further restrict to the same
control-flow region by checking that securityCall is reachable from or dominates
the call using CFG/ControlFlow predicates if you need stronger guarantees;
reference the existing symbols hasSecurityContext, CallExpr call, CallExpr
securityCall and the candidate fhirOp when making this change.

In @.github/codeql/custom-queries/insecure-fhir-search.ql:
- Around line 24-29: The predicate hasInputSanitization currently ignores its
parameter and just looks for any sanitize/escape/validate call globally; update
it so it checks sanitization specifically for the inputs of the CallExpr `call`
by examining `call`'s arguments and confirming that a sanitize/escape/validate
call is on the dataflow/AST path for those arguments. Constrain the
`sanitizeCall` to be related to `call`'s inputs (e.g., iterate
call.getArgument(...) or use dataflow helpers to require that the argument value
flows from/to the `sanitizeCall`) so the predicate returns true only when the
specific search call's inputs are actually sanitized.

In @.github/codeql/custom-queries/missing-audit-log.ql:
- Around line 25-29: The predicate hasLogging currently ignores its call
parameter so logCall is unconstrained; update hasLogging(CallExpr call) so that
logCall is tied to the same operation/function as call (e.g., require logCall to
be contained in or reachable from call) instead of any logging anywhere.
Constrain logCall by comparing its enclosing callable to call's enclosing
callable (or use a reachability predicate such as reachableBy) so that
hasLogging(call) only returns true if a "%log%" or "%audit%" call exists within
the same function/operation (used later as ehrOp).

In @.github/codeql/custom-queries/missing-fhir-version.ql:
- Around line 24-29: The predicate hasVersionCheck currently treats versionCall
as unconstrained and thus can match any version-related call anywhere; restrict
versionCall to be related to the input call by adding a scope constraint (e.g.,
require versionCall.getEnclosingFunction() = call.getEnclosingFunction() or
otherwise tie them to the same enclosing callable/control-flow scope) so the
predicate only returns true when a version check appears in the same
function/flow as the given CallExpr; update hasVersionCheck to reference call
alongside versionCall to enforce that relation.

In @.github/codeql/custom-queries/unencrypted-ehr-data.ql:
- Around line 38-45: The query currently treats CallExpr call and DataFlow::Node
data independently; add a dataflow constraint to ensure the EHR data actually
flows into the transmission call by requiring DataFlow::localFlow(data,
DataFlow::exprNode(call.getAnArgument())) (or equivalent) before checking for
encryption calls; keep the existing encryptCall check but nest it after this new
flow requirement so only transmissions that receive the EHR data (and lack an
encrypt* call on that argument) are reported.

In @.github/codeql/custom-queries/unvalidated-fhir-access.ql:
- Around line 28-38: The hasValidation predicate currently ignores its call
parameter and thus matches any validation anywhere; change it to actually relate
validateCall to the specific resource access (resourceCall) by using the
predicate parameter (hasValidation(CallExpr call)) and requiring the
validateCall to be in the same enclosing callable/scope as call (e.g. compare
validateCall.getEnclosingCallable() == call.getEnclosingCallable() or use
getEnclosingFunction()) and to occur before the resource access (use
location/start-line comparison or a comesBefore/CFG ordering predicate) so only
validations that precede the specific isFHIRResourceAccess(resourceCall) are
counted; also consider using a local/dataflow relation if you need to ensure the
validateCall validates the same object/variable rather than just any validation
in the same function.
- Line 7: The rule unvalidated-fhir-access is too broad because its callee-name
patterns use "%...%" wildcards and will match unrelated functions (e.g.,
readFile, getResourceFromCache); tighten the matcher by replacing wildcard
callee-name patterns with exact FHIR verb names (e.g., "read", "vread",
"search", "create", "update", "delete") and, where possible, require the call
receiver or module to be a known FHIR client type or namespace (e.g., check the
receiver's type or module qualifier) so the query only matches real FHIR client
calls; apply the same narrowing to the other similar patterns in the rule (lines
covering the other callee-name checks referenced in the file).

In @.github/workflows/codeql.yml:
- Line 43: The CodeQL workflow expression uses double-quoted string literals
inside the ${{ ... }} expression (the fragment containing matrix.language ==
"javascript" && ",./.github/codeql/custom-queries/..."), which breaks GitHub
Actions' expression syntax; change the double quotes to single quotes for the
language check and the appended query-list literal (i.e., replace
matrix.language == "javascript" with matrix.language == 'javascript' and the
long ",./.github/..." string with ',./.github/...') so the ternary/concatenation
expression is valid.

In `@src/components/notification/__tests__/NotificationCenter.test.tsx`:
- Around line 44-48: Add a missing import for act and re-run tests: import act
from an appropriate test-utils module (e.g., import { act } from
'react-dom/test-utils' or from '@testing-library/react' depending on the
project) so the calls like act(() => { capturedOnMessage(...) }) used in
NotificationCenter.test.tsx (the capturedOnMessage message-simulation blocks)
resolve; update the top of the test file to include this import to cover all
act(...) usages in the file.

---

Duplicate comments:
In `@src/components/notification/NotificationCenter.tsx`:
- Around line 52-55: When handling the 'notifications' branch where you replace
the full list (case 'notifications'), recompute and update the unread badge by
calculating the unread count from payload.data before calling setNotifications;
call setUnreadCount(...) with the count of items in payload.data that are unread
(e.g., filter by .read or .isRead property) immediately alongside
setNotifications(payload.data) so the bell reflects the new snapshot instead of
retaining stale unreadCount.
- Around line 65-76: Effect sends get_notifications immediately on mount even if
the WebSocket isn't open, causing dropped initial requests; update the useEffect
in NotificationCenter (the effect that calls sendMessage) to wait for the socket
to be OPEN before sending by depending on the socket connection state provided
by useWebSocket (e.g., connectionStatus, isOpen, or onOpen callback) and only
call sendMessage when that state is open; if useWebSocket exposes an onOpen
handler, register a one-time onOpen to send the init-notifications payload,
otherwise add the connection status to the effect's dependency array and gate
the sendMessage call behind a check for OPEN.

---

Nitpick comments:
In `@src/components/notification/__tests__/NotificationCenter.test.tsx`:
- Around line 30-40: Extract the repeated WebSocket test harness by creating a
small helper (e.g., setupWebSocketMock or renderNotificationWithWebSocket) that
encapsulates the capturedOnMessage variable and the
vi.mocked(useWebSocket).mockImplementation(...) logic used in the tests; the
helper should set capturedOnMessage, mock useWebSocket to return
isConnected/error/sendMessage/sendStatus, render the NotificationCenter
component, and return the capturedOnMessage (and optionally the render result)
so each test can call the helper instead of duplicating the mock setup for
capturedOnMessage and useWebSocket.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0d4ad82c-ef1f-4d69-aeca-7db0bce834d3

📥 Commits

Reviewing files that changed from the base of the PR and between 7e2107b and f94a76c.

📒 Files selected for processing (16)

• .github/codeql/codeql-config.yml
• .github/codeql/custom-queries/ehr-security-patterns.ql
• .github/codeql/custom-queries/ehr-security.ql
• .github/codeql/custom-queries/fhir-security.ql
• .github/codeql/custom-queries/insecure-ehr-auth.ql
• .github/codeql/custom-queries/insecure-fhir-ops.ql
• .github/codeql/custom-queries/insecure-fhir-search.ql
• .github/codeql/custom-queries/missing-audit-log.ql
• .github/codeql/custom-queries/missing-fhir-version.ql
• .github/codeql/custom-queries/qlpack.yml
• .github/codeql/custom-queries/unencrypted-ehr-data.ql
• .github/codeql/custom-queries/unvalidated-fhir-access.ql
• .github/workflows/codeql.yml
• config/vitest.config.ts
• src/components/notification/NotificationCenter.tsx
• src/components/notification/__tests__/NotificationCenter.test.tsx

💤 Files with no reviewable changes (3)

• .github/codeql/codeql-config.yml
• .github/codeql/custom-queries/ehr-security.ql
• .github/codeql/custom-queries/fhir-security.ql

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

CodeQL TaintTracking::Global PathGraph import path-problem query

💡 Result:

To make a taint-tracking path query you:

1. compute a global taint graph with TaintTracking::Global<...>
2. import Flow::PathGraph so the query provides the required edges result set for @kind path-problem queries. (codeql.github.com)

Minimal template (works for the languages that use the standard DataFlow/TaintTracking “Global + PathGraph” pattern):

/**
 * `@kind` path-problem
 */
import <language>
import <language-specific taint library>  // example: semmle.code.<lang>.dataflow.TaintTracking

module MyConfig implements TaintTracking::ConfigSig {
  predicate isSource(DataFlow::Node src) { /* ... */ }
  predicate isSink(DataFlow::Node snk)   { /* ... */ }

  // Optional, depending on your needs:
  // predicate isSanitizer(DataFlow::Node n) { ... }
  // predicate isAdditionalTaintStep(DataFlow::Node a, DataFlow::Node b) { ... }
}

module Flow = TaintTracking::Global<MyConfig>;
import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink, "Tainted flow from $@ to here.", source.getNode(), "source"

Notes:

• @kind path-problem + import Flow::PathGraph is the key combination for clickable path explanations. (codeql.github.com)
• If you accidentally omit the PathGraph import (or otherwise don’t provide edges), CodeQL will complain that the expected path-problem result patterns (including edges) are missing. (github.com)

Citations:

• 1: https://codeql.github.com/docs/writing-codeql-queries/creating-path-queries/?utm_source=openai
• 2: https://codeql.github.com/docs/writing-codeql-queries/creating-path-queries/?utm_source=openai
• 3: Path-problem result pattern github/codeql#15744

---

🏁 Script executed:

cat -n .github/codeql/custom-queries/ehr-security-patterns.ql

Repository: daggerstuff/pixelated

Length of output: 3031

---

Incompatible PathGraph import and unsupported module combination in path-problem query.

This query has multiple architectural issues:

1. PathGraph import mismatch: Line 14 imports generic DataFlow::PathGraph, but with TaintTracking::Global<> modules (lines 68-69), you must import PathGraph from each module: import EHRConfigTracking::PathGraph; import EHRAccessTracking::PathGraph;

2. ConfigSig mismatch: Both modules (lines 15, 39) implement DataFlow::ConfigSig, but are instantiated with TaintTracking::Global<>. Use TaintTracking::ConfigSig instead.

3. Unsupported module combination: Combining two separate TaintTracking::Global<> modules with or in a single path-problem query (lines 70-73) is not supported—each module generates module-specific PathNodes that cannot be mixed. Split into two separate queries or create a unified configuration.

4. Malformed select statement: Line 74 has incomplete placeholder syntax ("flows to .")—fix the $@ interpolation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/codeql/custom-queries/ehr-security-patterns.ql at line 14, Import
and configuration usage are inconsistent: replace the generic
DataFlow::PathGraph import with module-specific imports (import
EHRConfigTracking::PathGraph; import EHRAccessTracking::PathGraph), change the
modules implementing DataFlow::ConfigSig to implement TaintTracking::ConfigSig
instead of instantiating TaintTracking::Global<>, and avoid combining two
TaintTracking::Global<> modules with `or` in a single path-problem query—either
split into two separate path-problem queries (one using EHRConfigTracking and
one using EHRAccessTracking) or create a unified tracking configuration so
PathNodes are compatible; finally fix the malformed select placeholder (the
`"flows to ."`/$@ interpolation) so the query outputs the correct `$@` value.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Sink predicate logic may produce false positives.

The isSink predicate assigns sink = call.getAnArgument() independently from the endpoint.flowsTo(call.getAnArgument()) check. This means sink could be any argument to the call (e.g., options, headers), not necessarily the argument that the EHR endpoint URL flows to.

♻️ Proposed fix to tie sink to the actual endpoint argument

   predicate isSink(DataFlow::Node sink) {
     exists(DataFlow::CallNode call |
       (
         call.getCalleeName().matches("%request%") or
         call.getCalleeName().matches("%fetch%") or
         call.getCalleeName().matches("%axios%")
       ) and
-      sink = call.getAnArgument() and
       exists(DataFlow::Node endpoint |
         exists(string url |
           url = endpoint.getStringValue() and
           (
             url.matches("%/fhir/%") or
             url.matches("%/ehr/%") or
             url.matches("%/api/v%") or
             url.matches("%/epic/%") or
             url.matches("%/cerner/%") or
             url.matches("%/allscripts/%")
           )
         ) and
-        endpoint.flowsTo(call.getAnArgument())
+        endpoint.flowsTo(sink) and
+        sink = call.getAnArgument()
       )
     )
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/codeql/custom-queries/ehr-security-patterns.ql around lines 43 - 66,
The isSink predicate currently sets sink = call.getAnArgument() without ensuring
that the endpoint actually flows into that same argument, causing false
positives; modify the predicate to bind sink to the specific call argument that
the endpoint flows to (e.g., introduce a local DataFlow::Node arg or similar,
require endpoint.flowsTo(arg) and arg = call.getAnArgument(), then set sink =
arg) so that sink is guaranteed to be the argument receiving the EHR URL; keep
the existing checks on call.getCalleeName() and the URL patterns unchanged.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Malformed select statement placeholders.

The message "Potential EHR security issue: flows to ." appears to be missing $@ placeholders for interpolating the source and sink descriptions. CodeQL path-problem queries use $@ to link descriptive text to specific nodes.

♻️ Proposed fix for select statement

-select sink.getNode(), source, sink, "Potential EHR security issue:  flows to .",
-  source.getNode(), "Sensitive data", sink.getNode(), "dangerous sink"
+select sink.getNode(), source, sink, "Potential EHR security issue: $@ flows to $@.",
+  source.getNode(), "Sensitive data", sink.getNode(), "dangerous sink"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	select sink.getNode(), source, sink, "Potential EHR security issue: flows to .",
	source.getNode(), "Sensitive data", sink.getNode(), "dangerous sink"
	select sink.getNode(), source, sink, "Potential EHR security issue: $@ flows to $@.",
	source.getNode(), "Sensitive data", sink.getNode(), "dangerous sink"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/codeql/custom-queries/ehr-security-patterns.ql around lines 74 - 75,
The select message is missing CodeQL $@ placeholders to link descriptions to
nodes; update the select so the human-readable string uses `$@` placeholders
(e.g., "Potential EHR security issue: $@ flows to $@.") and pass the
corresponding node descriptions (source.getNode(), "Sensitive data",
sink.getNode(), "dangerous sink") in the select call so the source and sink are
properly interpolated and tied to their AST nodes; keep the rest of the select
tuple (select sink.getNode(), source, sink, ...) intact.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/codeql/custom-queries/insecure-ehr-auth.ql

Repository: daggerstuff/pixelated

Length of output: 1194

---

The MFA check is global, not tied to authCall.

The not exists(CallExpr mfaCall | ...) clause does not constrain mfaCall to the current authentication path. One unrelated MFA/verify helper anywhere can prevent this rule from ever firing. Scope the check to the same function or enclosing context as authCall, for example by adding .getEnclosingFunction() = authCall.getEnclosingFunction() to the mfaCall condition.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/codeql/custom-queries/insecure-ehr-auth.ql around lines 27 - 31, The
MFA existence check is currently global and can match unrelated helpers; modify
the mfaCall predicate so it is constrained to the same enclosing function as
authCall (e.g., add mfaCall.getEnclosingFunction() =
authCall.getEnclosingFunction() to the mfaCall conditions) so that only
MFA/verify calls in the same authentication path are considered; update the not
exists(...) clause that declares mfaCall to include this equality check using
the existing authCall symbol.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "insecure-fhir-ops.ql" -type f

Repository: daggerstuff/pixelated

Length of output: 117

---

🏁 Script executed:

cat -n .github/codeql/custom-queries/insecure-fhir-ops.ql

Repository: daggerstuff/pixelated

Length of output: 1364

---

🌐 Web query:

CodeQL exists predicate unbound variables semantics

💡 Result:

In CodeQL, exists(...) is existential quantification: it is true iff there is at least one way to extend the current tuple with values for the declared variables such that the (one or two) quantified formulas hold. Formally, exists(var_decls | F1 | F2) matches if some “quantifier extension” makes all provided quantified formulas match. [1]

However, CodeQL also enforces range restriction (to guarantee finiteness). A variable is unbound if it has no binding occurrence (no construct that restricts it to a finite set of values), and the compiler rejects predicates/queries with unbound variables (typical error: "<var>" is not bound to a value). [2]

How this interacts with exists

• Variables declared inside exists(...) are scoped to the quantifier (they’re “dummy/bound” in the logical sense), but they still must be range-restricted so evaluation stays finite. [2]
• Declaring a variable with an infinite primitive type (notably int, string, etc.) does not bind it by itself; you must add a binding occurrence (for example, a finite range, an equality from a bound value, a predicate call that binds it, a cast/type-check to a finite type, etc.). [2][3]
• Many occurrences are not binding, e.g. != and not (...) don’t bind a variable. [2]

Practical examples

// OK: `use` is a finite database type, so it's bound.
not exists(VarUse use | def = use.getADef())

(Real example from the docs.) [4]

// ERROR-prone: i is int (infinite) and appears only in a non-binding way.
exists(int i | i != 0)  // typically: "i is not bound to a value"

// OK: i is bound by a finite range.
exists(int i | i in [0 .. 10] | i != 0)

If you paste the exact exists(...) you’re unsure about, I can point out precisely which variable is unbound and what the minimal binding fix is.

Sources: QL language spec (quantified formulas). [1] CodeQL docs on evaluation/binding and unbound variables (range restriction, binding vs non-binding occurrences). [2] Predicate/binding-set discussion (infinite primitive types and how binding sets affect whether calls bind arguments). [3] Example use of not exists(...) in official guides. [4]

---

Bind the security check to the candidate FHIR operation.

The hasSecurityContext(call) predicate never references its parameter. It only checks if ANY authorize/checkPermission/verifyAccess call exists anywhere in the codebase. This causes Line 36 to suppress all findings if any security call exists globally, or flag all FHIR operations if none exist, regardless of whether each specific operation is actually secured. Connect the security check to call by filtering securityCall to the same scope, function, or control flow as the fhirOp.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/codeql/custom-queries/insecure-fhir-ops.ql around lines 26 - 31, The
predicate hasSecurityContext(CallExpr call) currently ignores its parameter and
should be bound to the candidate FHIR operation; update it so the found
securityCall is in the same enclosing callable/scope as the given call (e.g.,
require securityCall.getEnclosingCallable() = call.getEnclosingCallable());
optionally further restrict to the same control-flow region by checking that
securityCall is reachable from or dominates the call using CFG/ControlFlow
predicates if you need stronger guarantees; reference the existing symbols
hasSecurityContext, CallExpr call, CallExpr securityCall and the candidate
fhirOp when making this change.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/codeql/custom-queries/unencrypted-ehr-data.ql

Repository: daggerstuff/pixelated

Length of output: 1671

---

data is never connected to the transmission call.

The query evaluates isDataTransmissionCall(call) and isEHRData(data) as independent conditions on lines 40-41, with no requirement that data flows into any argument of call. The only dataflow check (lines 42-45) verifies whether data reaches encryption calls, not whether it reaches the transmission call. This allows the query to pair unrelated transmission calls with unrelated EHR data nodes throughout the codebase, producing false positives. Add an explicit dataflow constraint from data to call.getAnArgument() before the encryption check to ensure the query only flags transmission calls that actually receive EHR data without encryption.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/codeql/custom-queries/unencrypted-ehr-data.ql around lines 38 - 45,
The query currently treats CallExpr call and DataFlow::Node data independently;
add a dataflow constraint to ensure the EHR data actually flows into the
transmission call by requiring DataFlow::localFlow(data,
DataFlow::exprNode(call.getAnArgument())) (or equivalent) before checking for
encryption calls; keep the existing encryptCall check but nest it after this new
flow requirement so only transmissions that receive the EHR data (and lack an
encrypt* call on that argument) are reported.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
python - <<'PY'
import re

def ql_like(pattern: str, value: str) -> bool:
    regex = '^' + re.escape(pattern).replace('%', '.*').replace('_', '.') + '$'
    return bool(re.match(regex, value))

samples = [
    "read", "vread", "readFile",
    "search", "binarySearch", "searchParams",
    "getResource", "getResourceFromCache"
]

for sample in samples:
    print(
        f"{sample:24} "
        f"%read%={ql_like('%read%', sample)} "
        f"%search%={ql_like('%search%', sample)} "
        f"%getResource%={ql_like('%getResource%', sample)}"
    )
PY

Repository: daggerstuff/pixelated

Length of output: 641

---

🏁 Script executed:

cat -n .github/codeql/custom-queries/unvalidated-fhir-access.ql

Repository: daggerstuff/pixelated

Length of output: 1508

---

This matcher is too broad for @precision high.

The %...% callee-name checks will match unrelated calls like readFile and getResourceFromCache, so this error-level rule can emit non-FHIR findings. Narrow these to exact verb names and, ideally, a known FHIR client receiver/module before keeping @precision high.

Minimum narrowing

-      name.matches("%getResource%") or
-      name.matches("%searchResource%") or
-      name.matches("%createResource%") or
-      name.matches("%updateResource%") or
-      name.matches("%read%") or
-      name.matches("%vread%") or
-      name.matches("%search%")
+      name = "getResource" or
+      name = "searchResource" or
+      name = "createResource" or
+      name = "updateResource" or
+      name = "read" or
+      name = "vread" or
+      name = "search"

Also applies to: 14-27

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/codeql/custom-queries/unvalidated-fhir-access.ql at line 7, The rule
unvalidated-fhir-access is too broad because its callee-name patterns use
"%...%" wildcards and will match unrelated functions (e.g., readFile,
getResourceFromCache); tighten the matcher by replacing wildcard callee-name
patterns with exact FHIR verb names (e.g., "read", "vread", "search", "create",
"update", "delete") and, where possible, require the call receiver or module to
be a known FHIR client type or namespace (e.g., check the receiver's type or
module qualifier) so the query only matches real FHIR client calls; apply the
same narrowing to the other similar patterns in the rule (lines covering the
other callee-name checks referenced in the file).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
python - <<'PY'
from pathlib import Path
import re

path = Path(".github/codeql/custom-queries/unvalidated-fhir-access.ql")
text = path.read_text()

m = re.search(r'predicate hasValidation\(CallExpr call\) \{(.*?)\n\}', text, re.S)
body = m.group(1)

print("hasValidation body:\n")
print(body.strip())
print("\nStandalone references to `call` inside predicate body:",
      bool(re.search(r'(?<![A-Za-z0-9_])call(?![A-Za-z0-9_])', body)))
PY

Repository: daggerstuff/pixelated

Length of output: 348

---

hasValidation doesn't link validation to the resource access.

The call parameter is never used in the predicate body—only validateCall is checked. This means hasValidation(resourceCall) returns true if any validate/check/verify call exists anywhere in the program, not just for that specific resource access. A single unrelated validation call will suppress alerts for all resource accesses. The query also doesn't model temporal ordering, so validation after the access is treated as valid.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/codeql/custom-queries/unvalidated-fhir-access.ql around lines 28 -
38, The hasValidation predicate currently ignores its call parameter and thus
matches any validation anywhere; change it to actually relate validateCall to
the specific resource access (resourceCall) by using the predicate parameter
(hasValidation(CallExpr call)) and requiring the validateCall to be in the same
enclosing callable/scope as call (e.g. compare
validateCall.getEnclosingCallable() == call.getEnclosingCallable() or use
getEnclosingFunction()) and to occur before the resource access (use
location/start-line comparison or a comesBefore/CFG ordering predicate) so only
validations that precede the specific isFHIRResourceAccess(resourceCall) are
counted; also consider using a local/dataflow relation if you need to ensure the
validateCall validates the same object/variable rather than just any validation
in the same function.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GitHub Actions expressions string quotes syntax single double

💡 Result:

In GitHub Actions expressions (inside ${{ ... }}):

• String literals must use single quotes: ${{ 'hello' }}. [1]
• To include a literal single quote inside that string, double it: ${{ 'It''s open source!' }}. [1]
• Double quotes are not valid for expression string literals (they “will throw an error”). [1]
• Separate from expression rules: YAML itself may use single or double quotes around the whole value, but inside the expression you still need single-quoted strings. [1]

Source
[1] GitHub Docs — “Evaluate expressions in workflows and actions” https://docs.github.com/en/actions/reference/workflows-and-actions/expressions

---

🏁 Script executed:

# Check the actual codeql.yml file to see line 43
fd "codeql.yml" --type f

Repository: daggerstuff/pixelated

Length of output: 47

---

🏁 Script executed:

# List files in .github/workflows directory
ls -la .github/workflows/ 2>/dev/null || echo "Directory not found"

# Try broader search
find . -name "codeql.yml" -o -name "codeql*.yml" 2>/dev/null | head -20

Repository: daggerstuff/pixelated

Length of output: 1136

---

🏁 Script executed:

# Read line 43 and surrounding context from codeql.yml
sed -n '40,46p' .github/workflows/codeql.yml

Repository: daggerstuff/pixelated

Length of output: 862

---

Fix GitHub Actions expression syntax on line 43.

Line 43 uses double quotes inside ${{ ... }}, which violates GitHub Actions expression syntax rules. Expressions require single-quoted string literals; double quotes will cause a parse error and block the CodeQL workflow.

Suggested fix

-          queries: security-and-quality,security-extended${{ matrix.language == "javascript" && ",./.github/codeql/custom-queries/unvalidated-fhir-access.ql,./.github/codeql/custom-queries/insecure-fhir-ops.ql,./.github/codeql/custom-queries/missing-fhir-version.ql,./.github/codeql/custom-queries/insecure-fhir-search.ql,./.github/codeql/custom-queries/unencrypted-ehr-data.ql,./.github/codeql/custom-queries/insecure-ehr-auth.ql,./.github/codeql/custom-queries/missing-audit-log.ql,./.github/codeql/custom-queries/ehr-security-patterns.ql" || "" }}
+          queries: >-
+            security-and-quality,security-extended${{ matrix.language == 'javascript' && ',./.github/codeql/custom-queries/unvalidated-fhir-access.ql,./.github/codeql/custom-queries/insecure-fhir-ops.ql,./.github/codeql/custom-queries/missing-fhir-version.ql,./.github/codeql/custom-queries/insecure-fhir-search.ql,./.github/codeql/custom-queries/unencrypted-ehr-data.ql,./.github/codeql/custom-queries/insecure-ehr-auth.ql,./.github/codeql/custom-queries/missing-audit-log.ql,./.github/codeql/custom-queries/ehr-security-patterns.ql' || '' }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	queries: security-and-quality,security-extended${{ matrix.language == "javascript" && ",./.github/codeql/custom-queries/unvalidated-fhir-access.ql,./.github/codeql/custom-queries/insecure-fhir-ops.ql,./.github/codeql/custom-queries/missing-fhir-version.ql,./.github/codeql/custom-queries/insecure-fhir-search.ql,./.github/codeql/custom-queries/unencrypted-ehr-data.ql,./.github/codeql/custom-queries/insecure-ehr-auth.ql,./.github/codeql/custom-queries/missing-audit-log.ql,./.github/codeql/custom-queries/ehr-security-patterns.ql" || "" }}
	queries: >-
	security-and-quality,security-extended${{ matrix.language == 'javascript' && ',./.github/codeql/custom-queries/unvalidated-fhir-access.ql,./.github/codeql/custom-queries/insecure-fhir-ops.ql,./.github/codeql/custom-queries/missing-fhir-version.ql,./.github/codeql/custom-queries/insecure-fhir-search.ql,./.github/codeql/custom-queries/unencrypted-ehr-data.ql,./.github/codeql/custom-queries/insecure-ehr-auth.ql,./.github/codeql/custom-queries/missing-audit-log.ql,./.github/codeql/custom-queries/ehr-security-patterns.ql' || '' }}

🧰 Tools

🪛 actionlint (1.7.11)

[error] 43-43: got unexpected character '"' while lexing expression, expecting 'a'..'z', 'A'..'Z', '_', '0'..'9', ''', '}', '(', ')', '[', ']', '.', '!', '<', '>', '=', '&', '|', '*', ',', ' '. do you mean string literals? only single quotes are available for string delimiter

(expression)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql.yml at line 43, The CodeQL workflow expression uses
double-quoted string literals inside the ${{ ... }} expression (the fragment
containing matrix.language == "javascript" &&
",./.github/codeql/custom-queries/..."), which breaks GitHub Actions' expression
syntax; change the double quotes to single quotes for the language check and the
appended query-list literal (i.e., replace matrix.language == "javascript" with
matrix.language == 'javascript' and the long ",./.github/..." string with
',./.github/...') so the ternary/concatenation expression is valid.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, check if the file exists and read the import section and the flagged lines
head -n 10 src/components/notification/__tests__/NotificationCenter.test.tsx

Repository: daggerstuff/pixelated

Length of output: 402

---

🏁 Script executed:

# Read lines around the flagged sections to verify act usage
sed -n '1,50p' src/components/notification/__tests__/NotificationCenter.test.tsx

Repository: daggerstuff/pixelated

Length of output: 1495

---

🏁 Script executed:

# Check the other flagged lines for act usage
sed -n '83,98p;121,136p;165,180p;219,232p' src/components/notification/__tests__/NotificationCenter.test.tsx

Repository: daggerstuff/pixelated

Length of output: 1546

---

🏁 Script executed:

# Verify if act is imported anywhere in the file
grep -n "import.*act" src/components/notification/__tests__/NotificationCenter.test.tsx

Repository: daggerstuff/pixelated

Length of output: 133

---

Import act before using these message simulations.

These blocks call act(...), but the file never imports it, so the suite will fail with ReferenceError: act is not defined.

Proposed fix

-import { fireEvent, render, screen } from '@testing-library/react'
+import { act, fireEvent, render, screen } from '@testing-library/react'

Also applies to: 83-98, 121-136, 165-180, 219-232

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/notification/__tests__/NotificationCenter.test.tsx` around
lines 44 - 48, Add a missing import for act and re-run tests: import act from an
appropriate test-utils module (e.g., import { act } from 'react-dom/test-utils'
or from '@testing-library/react' depending on the project) so the calls like
act(() => { capturedOnMessage(...) }) used in NotificationCenter.test.tsx (the
capturedOnMessage message-simulation blocks) resolve; update the top of the test
file to include this import to cover all act(...) usages in the file.