🔴 parallel_queries executes @query in false @if/@else branches — control-flow bypass

[tcconnally]

Severity: Critical (control-flow bypass; undermines @if/@else security model)

Discovered by

Codex code review (2026-06-03)

Location

src/perseus/renderer.py:761 — parallel_queries pre-execution

Problem

parallel_queries pre-executes top-level @query directives in a thread pool BEFORE the renderer evaluates @if/@else/@endif and tier gates. A query that lives inside a false conditional still runs.

@if production
@query "aws s3 ls s3://prod-data-bucket"
@endif

In dev, the user expects the @query to be skipped. With parallel_queries: true, the query runs anyway in the pre-execution pass.

Impact

• Sensitive queries guarded by @if (env gates, dry-run gates, debug gates) execute regardless
• Breaks the documented @if/@else security contract
• Silent — no error, no warning, no audit signal

Fix

Either:

1. Make parallel_queries control-flow aware (parse @if/@else tree first; skip queries in inactive branches)
2. Recommended: disable parallel_queries by default until the scheduling is control-flow aware

Acceptance criteria

• Test: @if false + @query "echo SHOULD_NOT_RUN >/tmp/marker" + @endif with parallel_queries: true → assert marker NOT created
• Test: @if true + @query "echo OK" + @endif → assert query runs

Refs

• Codex review §2 finding ordering bug; §9 Critical

[tcconnally]

Fixed in PR #179 (integration branch targeting main).