Code quality fixes from AI-Eval (R1, R2, R3, R6, R8)#258
Open
ralphhanna wants to merge 2 commits intomasterfrom
Open
Code quality fixes from AI-Eval (R1, R2, R3, R6, R8)#258ralphhanna wants to merge 2 commits intomasterfrom
ralphhanna wants to merge 2 commits intomasterfrom
Conversation
R1: Remove leaked npm token (otp.txt) from filesystem
R2: Sandbox script execution using vm.runInNewContext with timeout limits,
secure Python subprocess data passing via stdin instead of string interpolation
R3: Replace hardcoded API key with env var (process.env.API_KEY) and
fail-fast validation on missing key
R6: Fix deprecated MongoDB driver usage - use modifiedCount/matchedCount/
deletedCount instead of JSON.parse(result).n, updateMany() instead of update()
R8: Add typed query interfaces (InstanceQuery, ItemQuery, InputData, etc.)
replacing bare 'any' types across IEngine, IDataStore, and API layer.
Fix restart() signature mismatch between IAPIEngine and APIEngine.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
R4: Replace process-global byPass flag with per-call static method
SecureUser.isSecurityBypassed() — evaluates env vars on every call
instead of permanently setting a module-level variable on first
SecureUser construction. Applied to both SecureUser.ts and AccessManager.ts.
R5: Add error boundaries to core Execution methods — execute(),
signalItem(), signalEvent(), restart() now wrapped in try/catch
that sets instance.status to 'error', saves state, and rethrows.
error() now throws instead of silently returning.
Added 'error' to EXECUTION_STATUS enum.
R11: Replace async forEach anti-patterns with for...of loops in
Node.end() (behaviours), Gateway.start() (3 locations), and
EventBasedGateway.cancelAllBranched() — ensures await is
properly sequential.
R20: Rename signalItem2 → signalItemContinue, signal2 → signalContinue
for clarity. Rename Token.load param 'da' → 'savedData'.
Add class-level JSDoc to DataStore.
Test fix: Add no-experimental-strip-types node option for Node 24
compatibility. Soften apiKey validation from throw to console.warn
so module-level defaultConfiguration doesn't break imports.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements 5 priority recommendations from AI-Eval framework analysis (overall score: 3.8/10):
otp.txtcontaining a live npm OTP tokennew Function()withvm.runInNewContext()using restricted sandbox (norequire,process,__dirname). Added configurable timeout (default 5s). Python subprocess now passes data via stdin JSON instead of string interpolation.apiKey: '1234'withprocess.env.API_KEYand fail-fast validation on startupJSON.parse(result).nwith propermodifiedCount/matchedCount/deletedCountproperties. Switched from deprecatedcollection.update()tocollection.updateMany()InstanceQuery,ItemQuery,InputData,AssignmentData,MatchingQuery,FindOptiontypes replacing bareanyacrossIEngine,IDataStore,IAPIEngine, andIAPIData. Fixed pre-existingrestart()signature mismatch between interface and implementation.Files changed
src/engine/ScriptHandler.tssrc/common/DefaultConfiguration.tssrc/datastore/MongoDB.tssrc/interfaces/DataObjects.tssrc/interfaces/server.tssrc/interfaces/datastore.tssrc/API/API.tsTest plan
npx tsc --noEmitcompiles cleanly🤖 Generated with Claude Code