Found during Step 6 consolidation sweep after #53
These issues were found by auditing consumer repos after shipping ActorTypeResolver. Each repo is currently active — fix in a dedicated session when the in-progress work is complete.
claudony — ClaudonyLedgerEventCapture (HIGH)
Silent exception swallowing: catch (Exception e) only logs — DB failures or constraint violations return successfully from the CDI observer, invisible to callers. casehub-engine's equivalent propagates the exception. Fix: remove try/catch or rethrow.
nextSequenceNumber() race condition: MAX() query + result+1 is not safe under concurrent writes — two threads on the same caseId can both get sequence 1. casehub-engine uses a repository method that is safer.
casehub-work — LedgerEventCapture + TrustScoreComputerTest (MEDIUM)
JSON built with String.format() (no escaping): buildDecisionContext() interpolates field values directly into a JSON string. A quote or backslash in any field silently corrupts the JSON. Jackson is already on the classpath.
Missing null guard on eventSuffix() return: eventSuffix() can return null; downstream EVENT_META.get(null) returns null; subsequent array index throws NPE. No guard present.
Pre-existing test failures (8 tests): TrustScoreComputerTest in casehub-work expects score=1.0 for unattested decisions and score=0.0 for flagged — neither matches the Bayesian Beta model (correct result is 0.5 for no evidence). Tests have wrong expectations and are already failing before any of our changes.
Fix order
Fix claudony issues first (production code, silent failures). casehub-work JSON/null can follow. Test expectations need a decision on whether to align with the algorithm or change the algorithm.
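The String.format() JSON problem described above, as an added example that is not code from casehub-work: the class name, the field names `actor` and `reason`, and the sample values are assumptions constructed for illustration. It builds the same object both ways and checks whether the value survives a parse round trip.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

public class DecisionContextJsonDemo {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // "Before": the pattern the issue describes, values interpolated without escaping.
    static String buildWithFormat(String actor, String reason) {
        return String.format("{\"actor\":\"%s\",\"reason\":\"%s\"}", actor, reason);
    }

    // "After": Jackson escapes quotes, backslashes and control characters.
    static String buildWithJackson(String actor, String reason) throws Exception {
        ObjectNode node = MAPPER.createObjectNode();
        node.put("actor", actor);
        node.put("reason", reason);
        return MAPPER.writeValueAsString(node);
    }

    // Parse the JSON back and compare the stored value with what was written.
    static String roundTrip(String json, String expectedReason) {
        try {
            String actual = MAPPER.readTree(json).path("reason").asText();
            return actual.equals(expectedReason) ? "intact" : "parsed but value changed";
        } catch (Exception e) {
            return "unparseable (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values (hypothetical field contents).
        String[] reasons = {
            "approved",                 // nothing to escape
            "reviewer said \"ok\"",     // embedded quote ends the JSON string early
            "team\\north"               // backslash + 'n' is read back as a newline
        };
        for (String reason : reasons) {
            String unsafe = buildWithFormat("reviewer-1", reason);
            String safe = buildWithJackson("reviewer-1", reason);
            System.out.println("input:         " + reason);
            System.out.println("String.format: " + roundTrip(unsafe, reason));
            System.out.println("Jackson:       " + roundTrip(safe, reason));
        }
    }
}
```

The backslash case is the one to watch in a ledger: the document still parses, so nothing fails, but the recorded value no longer matches what was written.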