
fix: resolve 16 confirmed bugs from the 2026-06-12 code audit (B1–B16)#61

Merged
lesnik512 merged 2 commits into
mainfrom
worktree-fix-audit-bugs-b1-b16
Jun 12, 2026

Conversation

@lesnik512

Member

Summary

Fixes all 16 confirmed bugs from the 2026-06-12 code audit (planning/active/2026-06-12-code-audit-findings.md). Each fix ships a regression test that fails on the pre-fix code. Suspected findings, test-holes, and improvements (P1–P35) are intentionally out of scope for this PR.

Data integrity / delivery

  • B5/B6/B7 — the reject-fallback trap. AckPolicy.MANUAL + a handler exception, raise NackMessage(delay=…) kwargs, and retry-strategy errors no longer silently DELETE a row. assert_state_set now nacks (honoring the retry strategy) when an exception is present; ack/nack/reject accept-and-ignore **options; a raising strategy degrades to retry_terminal; ExponentialRetry clamps the exponent to avoid OverflowError.
  • B8 — publish_batch no longer drops a leading/sole None body (OutboxPublishCommand overrides batch_bodies to keep every positional body).
  • B10 — the DLQ CTE and validate_schema are schema-aware (format_table / MetaData(schema=...)); MetaData(schema="app") deployments no longer hit UndefinedTable on every terminal failure.

Liveness / health

  • B1/B2/B3/B4 — fetch loop halts on drain (no connection-churn storm / test-broker livelock), start() resets _stopping, backoff resets after sustained uptime, and the LISTEN connection is closed when add_listener fails or is cancelled.
  • B11/B12 — ping() walks the subscribers property (so router-registered subscribers are checked) and honors its timeout via anyio.move_on_after.

Metrics / packaging

  • B9 — the Prometheus in-process gauge no longer goes negative (the .dec() is gated on duration_seconds, absent on the max_deliveries terminal).
  • B13 — the friendly missing-extra ImportErrors are now reachable (probe-guarded container import in metrics/prometheus.py; import-time friendly errors on the native middleware).

Test broker

  • B14/B15/B16 — loop-mode spawns each loop once (not twice), loop tasks are cancelled+cleared on context exit, and the fake fetch_unprocessed accepts limit=.

Test Plan

  • Full dockerized suite (Postgres 17): 423 passed (401 baseline + 22 new), 100% coverage gate met
  • ruff format + ruff check + ty check clean
  • Each bug's regression test verified red on the pre-fix code (where mechanically feasible)

🤖 Generated with Claude Code

Data integrity / delivery:
- B5/B6/B7: reject-fallback trap — MANUAL+exception, NackMessage(delay=)
  kwargs, and retry-strategy errors no longer DELETE a row. assert_state_set
  nacks (honors retry) when an exception is present; ack/nack/reject accept
  and ignore **options; a raising strategy degrades to retry_terminal;
  ExponentialRetry clamps the exponent to avoid OverflowError.
- B8: publish_batch no longer drops a leading/sole None body (OutboxPublishCommand
  overrides batch_bodies to keep every positional body).
- B10: DLQ CTE and validate_schema are schema-aware (format_table /
  MetaData(schema=...)) — schema-qualified deployments no longer hit UndefinedTable.

Liveness / health:
- B1/B2/B3/B4: fetch loop halts on drain (no churn/livelock), start() resets
  _stopping, backoff resets after sustained uptime, LISTEN connection closed
  on add_listener failure/cancel.
- B11/B12: ping() walks the subscribers property (router subs) and honors its
  timeout via anyio.move_on_after.

Metrics / packaging:
- B9: Prometheus in-process gauge no longer goes negative (dec gated on
  duration_seconds).
- B13: missing-extra ImportErrors are reachable (guarded container import /
  import-time friendly errors).

Test broker:
- B14/B15/B16: loops spawn once, loop tasks are cancelled on context exit,
  fake fetch_unprocessed accepts limit=.

Each fix ships a regression test. Full dockerized suite: 423 passed, 100%
coverage; ruff + ty clean.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@lesnik512 lesnik512 self-assigned this Jun 12, 2026
The friendly "requires the X extra" install hint was duplicated in each
middleware module — once in the import-time guard, once in the __init__
probe guard. Centralize the template in missing_extra_message() so the two
guards can't drift. Imported as a function (not a module constant) to keep
the guarded upstream import first without tripping E402.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@lesnik512 lesnik512 merged commit 8d27e63 into main Jun 12, 2026
3 checks passed
@lesnik512 lesnik512 deleted the worktree-fix-audit-bugs-b1-b16 branch June 12, 2026 11:04
