
Project improvements: security, reliability, tests, docs#115

Draft
nvdweem wants to merge 5 commits into main from project-improvements

Conversation

@nvdweem nvdweem commented Jul 2, 2026

Owner

Implements a prioritized set of improvements from an in-depth project analysis (backend reliability, security hardening, test coverage, docs). All 510 JVM tests pass; the tree compiles in JVM mode.

What landed

Security

  • OSC listener binds 127.0.0.1 instead of all interfaces (it was the app's only network-facing socket); autocomplete address set capped at 500 entries.
  • Home Assistant servers on plain http to a non-local host now surface a token-exposure warning. Local http installs (the norm) are never flagged.
  • Corrected the stale Id.CLASS doc comment to the actual Id.NAME allowlist mechanism.

Reliability / threading

  • Device-connected observer no longer persists synchronously; the identity-backfill save is debounced off the provider thread so SaveEvent observers can't run re-entrantly and deadlock it.
  • Shutdown lifecycle consolidated onto Quarkus @PreDestroy (with documented raw JVM hooks kept only for the flag-only / pre-CDI cases); MqttService now publishes its offline availability payload before disconnecting.
  • New AppThreads factory (named, daemon, uncaught-exception handler) adopted across HID/tray threads.
  • Fixed a lost-wakeup race in CommandDispatcher's handler; the rolling-average worker parks while idle instead of spinning at 10 ms; MQTT message handling catches per-message so one malformed payload can't kill delivery.

Tests

  • New unit tests for the OBS/OSC/MQTT/program/output/profile command families, CommandDispatcher routing/coalescing, the Home Assistant client value mapping, and a REST DTO serialization smoke test over every DTO endpoint.
  • Debouncer clock made injectable so the throttle test is deterministic (no sleeps); smoke-test.sh broadened to all list-returning endpoints.

Docs / templates

  • Extracted ARCHITECTURE.md from CLAUDE.md (fixing several stale claims); added SECURITY.md, a PR template with the AI-disclosure line, and modern GitHub Issue Forms.

Dependencies

  • Added .github/dependabot.yml (maven, npm/webui, github-actions; weekly, grouped).

Not in this branch / follow-ups

  • CI workflow changes (new pr-ci.yml + action SHA-pinning + appimagetool checksum) could not be pushed — the automation credential lacks the GitHub workflow scope. They are preserved as .github/pending-ci-workflows.patch; see .github/PENDING-CI-WORKFLOWS.md to apply them with a scoped token.
  • Frontend phase deferred: the ESLint/typing/a11y/settings-split work was only partially started and reverted to avoid shipping a broken npm run lint.
  • Integration status-events + websocket-RPC dedup and a few empty-catch trace logs were not reached before the run ended.
  • docs/events.md drift and docs/README.md/integrations.md remain as noted follow-ups.

This pull request was made by an AI without any human intervention

Niels and others added 5 commits July 2, 2026 16:56
…-HTTP HA

The OSC input socket now binds 127.0.0.1 instead of all interfaces (it is
the app's only network-facing socket) and the autocomplete address set is
capped at 500 entries so a hostile sender cannot grow it unboundedly.

Home Assistant servers configured with plain http to a non-local host now
surface a warning (token sent unencrypted); local http installs, which are
the norm, are never flagged. Also corrects a stale Id.CLASS doc comment to
the actual Id.NAME allowlist mechanism.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
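The three hardening points in this commit, worked through as an added example that is not code from this project: a loopback-only OSC bind (a bare `new DatagramSocket(port)` binds every interface), an autocomplete address set that stops growing at its cap, and a LocalHttpGuard-style check that flags plain http only when the host is not local. The class and method names are hypothetical, and the definition of "local" used here (localhost, a `.local` mDNS name, or an IP literal that is loopback, link-local, RFC 1918 or IPv6 ULA, with no DNS lookup ever consulted) is an assumption about where the project draws that line.

```java
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.LinkedHashSet;
import java.util.Set;

/** Added example, not the project's code. Names and the "local" definition are assumptions. */
public final class NetworkExposureExample {

    /** Bind the OSC input socket to loopback only. A bare new DatagramSocket(port) binds 0.0.0.0. */
    public static DatagramSocket bindOscSocket(int port) throws SocketException {
        return new DatagramSocket(new InetSocketAddress(InetAddress.getLoopbackAddress(), port));
    }

    /** Insertion-ordered set that stops growing at a cap, so a sender cannot exhaust memory. */
    public static final class BoundedAddressSet {
        private final int cap;
        private final Set<String> addresses = new LinkedHashSet<>();

        public BoundedAddressSet(int cap) { this.cap = cap; }

        /** True if the address is now in the set, false if it was dropped because the cap is reached. */
        public synchronized boolean record(String address) {
            if (addresses.contains(address)) return true;
            if (addresses.size() >= cap) return false;
            addresses.add(address);
            return true;
        }

        public synchronized int size() { return addresses.size(); }
    }

    /**
     * "Local" = localhost, a .local name, or an IP literal that is loopback, link-local,
     * RFC 1918 or IPv6 ULA (assumed definition). Any other host name counts as remote:
     * DNS is never resolved here, otherwise a DNS answer would decide whether we warn.
     */
    public static boolean isLocalHost(String host) {
        if (host == null) return false;
        String h = host.toLowerCase();
        if (h.startsWith("[") && h.endsWith("]")) h = h.substring(1, h.length() - 1); // URI keeps IPv6 brackets
        if (h.equals("localhost") || h.endsWith(".local")) return true;
        boolean ipv4Literal = h.matches("\\d{1,3}(\\.\\d{1,3}){3}");
        boolean ipv6Literal = h.contains(":") && h.matches("[0-9a-f:.]+");
        if (!ipv4Literal && !ipv6Literal) return false;
        try {
            InetAddress addr = InetAddress.getByName(h); // a literal: no lookup is performed
            byte[] raw = addr.getAddress();
            boolean ipv6Ula = raw.length == 16 && (raw[0] & 0xfe) == 0xfc; // fc00::/7
            return addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                    || addr.isSiteLocalAddress() || ipv6Ula;
        } catch (UnknownHostException e) {
            return false; // e.g. 999.1.1.1 passed the regex but is not an address
        }
    }

    /** Returns a warning to surface in the UI, or null when the configured base URL is acceptable. */
    public static String tokenExposureWarning(String baseUrl) {
        URI uri;
        try {
            uri = new URI(baseUrl);
        } catch (URISyntaxException e) {
            return "Home Assistant URL is not valid: " + baseUrl;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return "Home Assistant URL needs a scheme and a host: " + baseUrl;
        if (scheme.equalsIgnoreCase("https")) return null;
        if (!scheme.equalsIgnoreCase("http")) return "Unsupported Home Assistant URL scheme: " + scheme;
        if (isLocalHost(host)) return null; // plain http to a local install is the norm, never flagged
        return "Home Assistant at " + host + " is reached over plain http, so the long-lived access token"
                + " travels unencrypted. Use https or point at a local address.";
    }

    public static void main(String[] args) throws Exception {
        try (DatagramSocket osc = bindOscSocket(0)) { // port 0: let the OS pick, just to show the bind
            System.out.println("OSC bound to " + osc.getLocalAddress() + ":" + osc.getLocalPort());
        }
        BoundedAddressSet seen = new BoundedAddressSet(500);
        for (int i = 0; i < 600; i++) seen.record("/synth/" + i + "/gain"); // 600 unique, 500 kept
        System.out.println("autocomplete entries kept: " + seen.size());
        for (String url : new String[] {
                "http://homeassistant.local:8123", "http://192.168.1.20:8123", "http://[::1]:8123",
                "https://ha.example.com", "http://ha.example.com", "http://203.0.113.7:8123"}) {
            System.out.println(url + " -> " + (tokenExposureWarning(url) == null ? "ok" : "WARN"));
        }
    }
}
```

Run with `javac NetworkExposureExample.java && java NetworkExposureExample`. To confirm the bind on a running instance, `ss -ulnp` (Linux) or `netstat -an` should show the OSC port on 127.0.0.1, not 0.0.0.0 or `*`. A loopback bind keeps the socket off the LAN; it does not protect against other processes or users on the same machine, which is why the autocomplete cap still matters.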
…n, tame threads

- DeviceHolder no longer persists synchronously inside the device-connected
  observer; the identity-backfill save is debounced off the provider thread so
  SaveEvent observers cannot run re-entrantly and deadlock it.
- Shutdown lifecycle moves onto Quarkus @PreDestroy where a bean can observe it
  (CommandDispatcher); AppShutdownState and FileChecker keep documented raw JVM
  hooks for the flag-only / pre-CDI cases. MqttService gains a @PreDestroy that
  publishes the offline availability payload before disconnecting.
- New AppThreads factory gives every ad-hoc thread a name, daemon flag and an
  uncaught-exception handler; adopted across the HID and tray threads.
- CommandDispatcher's handler re-checks the queue under the lock before waiting,
  closing a lost-wakeup race; the rolling-average worker parks while idle instead
  of spinning at 10 ms. MQTT message handling catches per-message so one malformed
  payload cannot kill delivery for every subscription.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
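The threading points in this commit as one runnable illustration, added here as an example and not the project's CommandDispatcher, AppThreads or MqttService code: a thread factory that names every thread, marks it daemon and installs an uncaught-exception handler; a worker that re-checks its queue under the lock in a `while` before waiting, which is what closes the lost-wakeup race; a wait that parks instead of polling; and a per-message catch so one bad payload is dropped rather than killing delivery. All class and method names are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Consumer;

/** Added example, not the project's code. Names are hypothetical. */
public final class DispatcherExample {

    /** Every thread gets a descriptive name, the daemon flag (never blocks JVM exit) and a handler. */
    public static ThreadFactory appThreads(String prefix) {
        AtomicInteger n = new AtomicInteger();
        return r -> {
            Thread t = new Thread(r, prefix + "-" + n.incrementAndGet());
            t.setDaemon(true);
            t.setUncaughtExceptionHandler((thread, ex) ->
                    System.err.println("[" + thread.getName() + "] died: " + ex));
            return t;
        };
    }

    public static final class Dispatcher implements AutoCloseable {
        private final ReentrantLock lock = new ReentrantLock();
        private final Condition nonEmpty = lock.newCondition();
        private final Deque<String> queue = new ArrayDeque<>();
        private final Consumer<String> handler;
        private final Thread worker;
        private boolean closed; // only touched under lock

        public Dispatcher(Consumer<String> handler) {
            this.handler = handler;
            this.worker = appThreads("dispatcher").newThread(this::run);
            worker.start();
        }

        public void submit(String message) {
            lock.lock();
            try {
                queue.addLast(message);
                nonEmpty.signal();
            } finally {
                lock.unlock();
            }
        }

        private void run() {
            while (true) {
                String next;
                lock.lock();
                try {
                    // The race this closes: checking isEmpty() outside the lock and then waiting lets a
                    // submit() slip between the check and the await(), whose signal then reaches nobody,
                    // and the worker sleeps with work queued. Re-checking under the lock in a loop fixes
                    // that and also covers spurious wakeups.
                    while (queue.isEmpty() && !closed) {
                        nonEmpty.await(); // parks; no 10 ms polling loop
                    }
                    if (queue.isEmpty()) return; // closed and fully drained
                    next = queue.pollFirst();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    return;
                } finally {
                    lock.unlock();
                }
                try {
                    handler.accept(next);
                } catch (RuntimeException e) {
                    // Per-message catch: a malformed payload is logged and dropped, delivery continues.
                    System.err.println("dropping message '" + next + "': " + e);
                }
            }
        }

        /** Drains what is queued, then lets the worker exit; safe to call from a shutdown hook. */
        @Override public void close() throws InterruptedException {
            lock.lock();
            try {
                closed = true;
                nonEmpty.signalAll();
            } finally {
                lock.unlock();
            }
            worker.join();
        }
    }

    public static void main(String[] args) throws Exception {
        try (Dispatcher d = new Dispatcher(msg -> {
            if (msg.startsWith("{")) throw new IllegalArgumentException("malformed payload");
            System.out.println("handled " + msg);
        })) {
            d.submit("volume/set 0.5");
            d.submit("{not json");    // rejected by the handler; the worker survives it
            d.submit("mute/toggle");  // still delivered after the bad one
        }
    }
}
```

The `while` around `await()` is the whole fix; an `if` there, or an `isEmpty()` check performed before taking the lock, reintroduces the lost wakeup. Note that `close()` drains the queue before returning, which is the ordering an offline-availability publish on shutdown relies on.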
…zation

Adds unit tests for the OBS/OSC/MQTT/program/output/profile command families
(JSON round-trip through the polymorphic mapper plus pure value logic), the
central CommandDispatcher routing/coalescing, the Home Assistant client value
mapping, and a REST DTO serialization smoke test that round-trips every
DTO-returning endpoint's payload through an app-like ObjectMapper without
booting the container. Broadens packaging/smoke-test.sh to exercise all
list-returning endpoints. Makes Debouncer's clock injectable so the
throttle-leading test is deterministic instead of sleep-based. A small
CommandMapperTestFactory lets out-of-package command tests build the mapper.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
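An illustration of the injectable-clock idea behind the deterministic throttle test, added here as an example and not the project's Debouncer: a leading-edge throttle takes its clock as a `LongSupplier`, so the test advances a fake clock by exact millisecond amounts and checks the fire/suppress sequence with no `Thread.sleep`. The class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.LongSupplier;

/** Added example, not the project's Debouncer. Names are hypothetical. */
public final class ThrottleExample {

    public static final class Throttle {
        private final LongSupplier clockMillis;
        private final long windowMillis;
        private long lastFiredAt = Long.MIN_VALUE; // sentinel: never fired

        public Throttle(LongSupplier clockMillis, long windowMillis) {
            this.clockMillis = clockMillis;
            this.windowMillis = windowMillis;
        }

        /** Production wiring uses the wall clock; tests inject their own. */
        public static Throttle system(long windowMillis) {
            return new Throttle(System::currentTimeMillis, windowMillis);
        }

        /** Leading edge: fires on the first call, then suppresses calls until the window has elapsed. */
        public synchronized boolean tryFire() {
            long now = clockMillis.getAsLong();
            if (lastFiredAt != Long.MIN_VALUE && now - lastFiredAt < windowMillis) return false;
            lastFiredAt = now;
            return true;
        }
    }

    /** Clock the test controls; time only moves when advance() is called. */
    public static final class FakeClock implements LongSupplier {
        private long now;
        public void advance(long millis) { now += millis; }
        @Override public long getAsLong() { return now; }
    }

    public static void main(String[] args) {
        FakeClock clock = new FakeClock();
        Throttle t = new Throttle(clock, 100);
        List<Boolean> fired = new ArrayList<>();
        fired.add(t.tryFire());   // first call, leading edge
        clock.advance(40);
        fired.add(t.tryFire());   // inside the window
        clock.advance(59);
        fired.add(t.tryFire());   // one millisecond short of the window
        clock.advance(1);
        fired.add(t.tryFire());   // window elapsed exactly
        clock.advance(100_000);
        fired.add(t.tryFire());   // long after
        List<Boolean> expected = List.of(true, false, false, true, true);
        if (!fired.equals(expected)) throw new AssertionError("got " + fired);
        System.out.println("throttle sequence " + fired + " verified without sleeping");
    }
}
```

The boundary case (exactly `windowMillis` after the last fire) is the one a sleep-based test can only approximate; with the clock injected it is a single exact step.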
…issue forms

Moves the human-facing architecture/build/native-image/C++ reference out of
CLAUDE.md into ARCHITECTURE.md (CLAUDE.md keeps agent workflow rules and now
points at it; CONTRIBUTING links it too), fixing several stale claims along the
way (Id.NAME not Id.CLASS, the native-config-gen profile, the committed-DLL/CMake
SndCtrl reality, Windows CI running verify, the full TS classPattern list, the
MCP /mcp transport). Adds a terse SECURITY.md describing the loopback/LocalHttpGuard
threat model, a PULL_REQUEST_TEMPLATE embedding the required AI-disclosure line,
and converts the issue templates to GitHub Issue Forms with a required version field.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
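The Id.NAME-versus-Id.CLASS point this commit corrects in the docs is worth seeing in code, so here is an added example that is not the project's command model: a polymorphic `Command` interface deserialized with `JsonTypeInfo.Id.NAME` and an explicit `@JsonSubTypes` allowlist, which rejects any type id outside that list, alongside the `Id.CLASS` form that must not be used because the wire payload then names an arbitrary class on the classpath, the mechanism behind the well-known Jackson deserialization gadget chains. It needs jackson-databind on the classpath; the command names and classes are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

/** Added example, not the project's code. Requires jackson-databind. Names are hypothetical. */
public final class PolymorphicAllowlistExample {

    // Safe: the "type" value is looked up only in this allowlist; anything else fails to resolve.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
            @JsonSubTypes.Type(value = SetVolume.class, name = "setVolume"),
            @JsonSubTypes.Type(value = ToggleMute.class, name = "toggleMute")
    })
    public interface Command {}

    public static final class SetVolume implements Command {
        public double level;
    }

    public static final class ToggleMute implements Command {}

    // Unsafe counterpart, shown only to contrast: with Id.CLASS the payload's "@class" value
    // names any class Jackson can load, so untrusted input chooses what gets instantiated.
    // @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    // public interface UnsafeCommand {}

    public static Command parse(ObjectMapper mapper, String json) throws Exception {
        return mapper.readValue(json, Command.class);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        Command ok = parse(mapper, "{\"type\":\"setVolume\",\"level\":0.5}");
        System.out.println("parsed " + ok.getClass().getSimpleName());
        try {
            // A class name where a type id is expected: not in the allowlist, so it is rejected.
            parse(mapper, "{\"type\":\"java.lang.ProcessBuilder\"}");
            System.out.println("unexpected: unknown type id accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

The review check for any polymorphic DTO in the code base is therefore: `@JsonTypeInfo` uses `Id.NAME` (or `Id.MINIMAL_CLASS` is avoided too), every subtype is listed in `@JsonSubTypes`, and no `ObjectMapper` anywhere calls `activateDefaultTyping`/`enableDefaultTyping`.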
Dependabot (maven, npm/webui, github-actions; weekly, grouped) pushes normally.
The PR-CI workflow and the action SHA-pinning could not be pushed by the
automation (the credential lacks the GitHub 'workflow' scope), so they are
preserved as .github/pending-ci-workflows.patch with apply instructions in
.github/PENDING-CI-WORKFLOWS.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>