Skip to content

Fix 28 verified code-review bugs (for v1.0.2)#22

Merged
LXBStudioLLC merged 5 commits into
mainfrom
fix/audit-v1.0.2
Jul 5, 2026
Merged

Fix 28 verified code-review bugs (for v1.0.2)#22
LXBStudioLLC merged 5 commits into
mainfrom
fix/audit-v1.0.2

Conversation

@LXBStudioLLC

Copy link
Copy Markdown
Owner

Fixes the 28 real bugs from the code-review triage (23 confirmed + 5 partial). The 9 findings that turned out to be false positives were verified and left alone. Every change built clean and the full suite (135 tests, including container resolution) is green. These are headed into the held v1.0.2; the build itself is still on hold.

High-severity

  • Feat/ghost detection #8 Resume PDFs had no contact info. BuildHeader (name/email/phone) existed but was never attached to the page. Now rendered at the top.
  • feat(ghost): DuplicateJdSignal — lexical near-duplicate detection #9 Gemini model list was always empty. The filter checked the model name for "generateContent", which lives in supportedGenerationMethods. Filters on that array now.
  • signal: Repost Frequency #4 Captive DbContext. Singleton views held a root-scoped EnvoyDbContext for the app lifetime (unbounded change tracker, concurrent-access crash). Switched to AddDbContextFactory with a short-lived context per repository operation.

Also fixed

Verified NOT bugs (skipped)

#2 (overlapping receive loops), #5 (unsafe cast), #12 (repo null NRE), #15 (cancel token to CloseAsync), #19 (Tesseract command injection: it uses UseShellExecute=false, so no shell), #22 (startup DB init deadlock), #24 (MainWindow cast), #32 (location filter is intentional), #33 (duplicate ATS keys). Each was refuted with specific evidence.

The 67 LOW findings are not in this PR; they get a separate lighter pass.

🤖 Generated with Claude Code

LXBStudioLLC and others added 5 commits July 5, 2026 17:03
…ate crashes

- #8 ResumePdfGenerator: BuildHeader was never attached, so resumes had no
  name/email/phone. Render it once at the top of the content.
- #7 linkedin-easy-apply.json: key was "urlMatch"; the loader expects
  "url_match" (JsonPropertyName), so the template never matched a URL.
- #9 CloudLLMProvider: Gemini model listing filtered the model NAME for
  "generateContent" (which lives in supportedGenerationMethods), so it always
  returned zero models. Filter on that array instead.
- #10 SafetyService: normalize null Skills/Experience/Education/Bullets from LLM
  JSON before the checks (STJ can overwrite the = new() initializers with null).
- #11 SafetyService: guard .Max() over an experience entry with zero bullets.
- #13(cloud) CloudLLMProvider: dispose the 5 HttpResponseMessage in the
  availability/model-list probes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…s-save UX

- #1 CdpBrowserService.Dispose: run the async path via Task.Run so DisposeAsync
  continuations don't marshal back to a blocked WPF UI thread at shutdown.
- #3 CdpBrowserService: serialize concurrent SendAsync with a SemaphoreSlim
  (ClientWebSocket.SendAsync is not thread-safe; the singleton is shared by
  discovery and apply).
- #20 EnvoySettings.Encrypt: rethrow on DPAPI failure instead of returning null
  so a lost key surfaces as a failed save; FindJobsView guards the Brave-key set.
- #23 DashboardView: re-enable BtnLaunchChrome in the catch (was stuck disabled
  after a launch error).
- #25 LLMSettingsView: ActivateProvider and Model_Click now check Save() and warn
  when settings.json can't be written instead of reporting success.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ATS DI

- #14 OllamaProvider: reuse one OllamaApiClient (built in ctor) instead of a new
  client with its own HttpClient per completion.
- #13 OllamaProvider: dispose the /api/tags probe responses.
- #34 GreenhouseSource: use first_published for PostedAtUtc (fall back to
  updated_at) so posting-age and repost signals see the real age.
- #28 AtsCrossCheckSignal, #29/#30 JobDiscoveryService: honor caller cancellation
  (rethrow) instead of reporting it as "ATS unreachable"/board/search failure.
- #6 GhostDetection ServiceRegistration: constrain the AddHttpClient reflection to
  the single-generic-arg overload so MakeGenericMethod can't throw.
- #31 AtsCrossCheck HttpClient: send a User-Agent and Accept header.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ll fixes

- #18 New ResumeFilePath helper shared by ApplicationOrchestrator (writer) and
  TemplateEngine (upload reader) so the sanitized paths always match; closes the
  unsanitized/traversal read path and the silent upload-skip on a name mismatch.
- #16/#17 HardwareProfiler: dispose the WMI ManagementObject collection + each
  object, and the GPU-probe Process handles.
- #27 MainWindow.NavigateTo: drop rapid nav clicks during the fade to stop
  overlapping animations leaving a half-faded view.
- #26 ApplyView: friendly "select a profile first" message when none is chosen.
- #21 DomScorer: weight fields are static readonly (were mutable public static).
- #35 install.ps1: derive version from Directory.Build.props (was hardcoded).
- #36 FileLogger.Log: guard the formatter/write path so logging never throws.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Singleton views held repositories that captured a root-scoped EnvoyDbContext for
the app lifetime: the change tracker grew unbounded and a dashboard refresh
overlapping an apply run could throw "a second operation was started on this
context". Switch to AddDbContextFactory and have each repository, TailoringEngine,
and DatabaseInitializer create a short-lived context per operation. The repos now
hold only the (thread-safe) factory, so the captive-lifetime concern is gone with
no change to view lifetimes. 135/135 tests pass, including container resolution.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@LXBStudioLLC LXBStudioLLC merged commit 1c87298 into main Jul 5, 2026
2 checks passed
@LXBStudioLLC LXBStudioLLC deleted the fix/audit-v1.0.2 branch July 12, 2026 00:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant