fix: resolve critical and major issues from code review (#145)

* fix: resolve critical and major issues from code review

- Add dryRun support to bulkUpdateTasks (was silently mutating data)
- Separate deleted vs updated counts in bulk operation responses
- Fix fallback totalTasks using nullable instead of misleading pending counts
- Thread request Origin through auth middleware for correct CORS on errors
- Add environment parameter to CORS response helpers for dev-port support
- Optimize list-tasks cache to serve filtered queries from cached all-tasks
- Initialize encryption once per batch instead of per-task in decryption loop
- Fix import ordering in list-tasks.ts
- Bump version to 6.8.8

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address minor code review issues across frontend, MCP server, and worker

Frontend:
- Use structured logObject for all log levels (not just error) in logger.ts
- Add 'email' to sensitive-key sanitization list for PII protection
- Fix import ordering in oauth-handshake/subscriber.ts
- Wrap error string in Error object in oauth-callback-handler.tsx
- Fix misleading "localStorage" log message (writes to sessionStorage)
- Fix indentation in pwa-register.tsx
- Clean up controllerchange listener and fallback timer in pwa-update-toast.tsx

MCP Server:
- Gate debug logs behind LOG_LEVEL env var in MCP logger
- Fix help text: 18 → 20 total tools, add missing tool listings
- Remove unsafe type cast for statsReset; use properly typed result object
- Fix Math.max(...spread) stack overflow risk; use reduce for large arrays
- Downgrade config guidance strings from ERROR to INFO level
- Add error context to sync-status catch for better diagnostics

Worker:
- Replace positional ALLOWED_ORIGINS[0]/[1] with named constants
- Fix double encodeURIComponent in buildErrorRedirect
- Add runtime type coercion for D1 query results (fixes pre-existing TS error)
- Downgrade pull processing log from INFO to DEBUG, remove vector clock noise
- Clean up informal "FIX #N" and "BULLETPROOF FIX" comment labels

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: vscarpenter

components/oauth-callback-handler.tsx

@@ -175,9 +175,8 @@ export function OAuthCallbackHandler() {
       if (event.status === 'success') {
         await processAuthData(event.authData, event.state);
       } else {
-        logger.error('OAuth handshake error', undefined, {
+        logger.error('OAuth handshake error', new Error(event.error ?? 'Unknown OAuth error'), {
           state: event.state.substring(0, 8) + '...',
-          error: event.error,
         });
         toast.error(event.error || 'Sign in failed. Please try again.');
       }

components/pwa-register.tsx

@@ -44,7 +44,7 @@ export function PwaRegister() {
 							navigator.serviceWorker.controller
 						) {
 							// New service worker is ready
-									logger.info('New service worker available');
+							logger.info('New service worker available');
 
 							// Dispatch custom event to notify PwaUpdateToast
 							window.dispatchEvent(

components/pwa-update-toast.tsx

@@ -52,6 +52,8 @@ export function PwaUpdateToast() {
     // Listen for the service worker to actually take over
     // IMPORTANT: Attach listener BEFORE posting message to avoid race condition
     const controllerChangeHandler = () => {
+      clearTimeout(fallbackTimeout);
+      navigator.serviceWorker.removeEventListener("controllerchange", controllerChangeHandler);
       logger.info('Service worker controller changed');
       performReload();
     };
@@ -61,6 +63,7 @@ export function PwaUpdateToast() {
     // Fallback: If controllerchange doesn't fire within 2 seconds (iOS/Safari issue),
     // reload anyway to ensure the user gets the update
     const fallbackTimeout = setTimeout(() => {
+      navigator.serviceWorker.removeEventListener("controllerchange", controllerChangeHandler);
       logger.warn('Fallback reload triggered (controllerchange not fired)');
       performReload();
     }, 2000);
@@ -71,8 +74,9 @@ export function PwaUpdateToast() {
       waitingWorker.postMessage({ type: "SKIP_WAITING" });
     } catch (error) {
       logger.error('Failed to post SKIP_WAITING message', error instanceof Error ? error : new Error(String(error)));
-      // If posting the message fails, clear timeout and just reload
+      // If posting the message fails, clean up and just reload
       clearTimeout(fallbackTimeout);
+      navigator.serviceWorker.removeEventListener("controllerchange", controllerChangeHandler);
       performReload();
     }
   };

lib/logger.ts

@@ -100,7 +100,7 @@ function sanitizeMetadata(metadata?: LogMetadata): LogMetadata | undefined {
   }
 
   // Remove sensitive fields
-  const sensitiveKeys = ['token', 'password', 'secret', 'apiKey', 'authorization', 'passphrase'];
+  const sensitiveKeys = ['token', 'password', 'secret', 'apiKey', 'authorization', 'passphrase', 'email'];
   for (const key of sensitiveKeys) {
     if (key in sanitized) {
       sanitized[key] = '***';
@@ -130,16 +130,16 @@ function formatLog(
     ...(sanitized && Object.keys(sanitized).length > 0 ? { metadata: sanitized } : {}),
   };
 
-  // Use appropriate console method
+  // Use structured logObject for all levels for consistent output
   switch (level) {
     case 'debug':
-      console.debug(`[${context}]`, message, sanitized || '');
+      console.debug(`[${context}]`, logObject);
       break;
     case 'info':
-      console.log(`[${context}]`, message, sanitized || '');
+      console.log(`[${context}]`, logObject);
       break;
     case 'warn':
-      console.warn(`[${context}]`, message, sanitized || '');
+      console.warn(`[${context}]`, logObject);
       break;
     case 'error':
       console.error(`[${context}]`, logObject);

lib/sync/oauth-handshake/broadcaster.ts

@@ -108,6 +108,6 @@ function storePayload(payload: BroadcastPayload): void {
   try {
     storage?.setItem(STORAGE_KEY, JSON.stringify(payload));
   } catch (err) {
-    logger.warn('Failed to write localStorage payload', { error: String(err) });
+    logger.warn('Failed to write sessionStorage payload', { error: String(err) });
   }
 }

lib/sync/oauth-handshake/subscriber.ts

@@ -6,10 +6,10 @@ import { toast } from 'sonner';
 import type { OAuthHandshakeEvent } from './types';
 import { listeners, processedStates } from './state';
 import { ensureInitialized } from './initializer';
+import { initiateHandshakeFetch } from './fetcher';
 import { createLogger } from '@/lib/logger';
 
 const logger = createLogger('OAUTH');
-import { initiateHandshakeFetch } from './fetcher';
 
 /**
  * Subscribe to OAuth handshake events

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "gsd-taskmanager",
-	"version": "6.8.7",
+	"version": "6.8.8",
 	"private": true,
 	"scripts": {
 		"dev": "next dev",

packages/mcp-server/src/server/config.ts

@@ -29,8 +29,8 @@ export function loadConfig(): GsdConfig {
     });
   } catch (error) {
     logger.error('Configuration error', error instanceof Error ? error : new Error(String(error)));
-    logger.error('Required environment variables: GSD_API_URL, GSD_AUTH_TOKEN | Optional: GSD_ENCRYPTION_PASSPHRASE');
-    logger.error('Run setup wizard with: npx gsd-mcp-server --setup');
+    logger.info('Required environment variables: GSD_API_URL, GSD_AUTH_TOKEN | Optional: GSD_ENCRYPTION_PASSPHRASE');
+    logger.info('Run setup wizard with: npx gsd-mcp-server --setup');
     throw error;
   }
 }

packages/mcp-server/src/tools/handlers/system-handlers.ts

@@ -95,7 +95,7 @@ export async function handleValidateConfig(config: GsdConfig): Promise<McpToolRe
 function buildToolsHelpSection(): string {
   return `# GSD Task Manager MCP Server - Help
 
-## Available Tools (18 total)
+## Available Tools (20 total)
 
 ### Metadata & Status Tools
 - **get_sync_status** - Check sync health, device count, storage usage
@@ -121,9 +121,11 @@ function buildToolsHelpSection(): string {
 - **delete_task** - Permanently delete a task
 - **bulk_update_tasks** - Update multiple tasks at once (max 50)
 
-### Configuration Tools
+### Configuration & System Tools
 - **validate_config** - Diagnose configuration issues
 - **get_help** - This help message (supports topic filtering)
+- **get_cache_stats** - View cache performance statistics
+- **get_token_status** - Check auth token expiration status
 
 `;
 }
@@ -321,7 +323,13 @@ export async function handleGetCacheStats(args: { reset?: boolean }): Promise<Mc
   const cache = getTaskCache();
   const stats = cache.getStats();
 
-  const result = {
+  const result: {
+    performance: { hitRate: string; hits: number; misses: number };
+    taskListCache: { currentSize: number; maxEntries: number; ttlSeconds: number };
+    singleTaskCache: { currentSize: number; maxEntries: number; ttlSeconds: number };
+    notes: string[];
+    statsReset?: boolean;
+  } = {
     performance: {
       hitRate: `${(stats.hitRate * 100).toFixed(1)}%`,
       hits: stats.hits,
@@ -347,7 +355,7 @@ export async function handleGetCacheStats(args: { reset?: boolean }): Promise<Mc
   // Reset stats if requested
   if (args.reset) {
     cache.resetStats();
-    (result as { statsReset?: boolean }).statsReset = true;
+    result.statsReset = true;
   }
 
   return {

packages/mcp-server/src/tools/handlers/write-handlers.ts

@@ -159,12 +159,25 @@ export async function handleDeleteTask(config: GsdConfig, args: { id: string; dr
 
 export async function handleBulkUpdateTasks(
   config: GsdConfig,
-  args: { taskIds: string[]; operation: BulkOperation; maxTasks?: number }
+  args: { taskIds: string[]; operation: BulkOperation; maxTasks?: number; dryRun?: boolean }
 ): Promise<McpToolResponse> {
-  const result = await bulkUpdateTasks(config, args.taskIds, args.operation, { maxTasks: args.maxTasks });
+  const result = await bulkUpdateTasks(config, args.taskIds, args.operation, {
+    maxTasks: args.maxTasks,
+    dryRun: args.dryRun,
+  });
+
+  let message: string;
+  if (result.dryRun) {
+    message = `🔍 DRY RUN - Bulk operation would affect ${result.updated + result.deleted} task(s) (not saved):\n\n`;
+    if (result.updated > 0) message += `Would update: ${result.updated} task(s)\n`;
+    if (result.deleted > 0) message += `Would delete: ${result.deleted} task(s)\n`;
+    message += `\nTo apply changes, remove dryRun or set it to false.`;
+  } else {
+    message = `✅ Bulk operation completed!\n\n`;
+    if (result.updated > 0) message += `Updated: ${result.updated} task(s)\n`;
+    if (result.deleted > 0) message += `Deleted: ${result.deleted} task(s)\n`;
+  }
 
-  let message = `✅ Bulk operation completed!\n\n`;
-  message += `Updated: ${result.updated} task(s)\n`;
   if (result.errors.length > 0) {
     message += `\nErrors (${result.errors.length}):\n`;
     result.errors.forEach((err, idx) => {