Skip to content

Round 6 security review fixes: DRY debugLog, gate debugPrint#65

Merged
sohamM97 merged 3 commits intomainfrom
sec-review
Mar 31, 2026
Merged

Round 6 security review fixes: DRY debugLog, gate debugPrint#65
sohamM97 merged 3 commits intomainfrom
sec-review

Conversation

@sohamM97
Copy link
Copy Markdown
Owner

@sohamM97 sohamM97 commented Mar 31, 2026

Summary

  • LOW-21/LOW-22 fix: Extract shared debugLog() helper in display_utils.dart that gates debugPrint behind kDebugMode, preventing error details from leaking to Android logcat in release builds
  • DRY refactor: Replace all 12 raw if (kDebugMode) debugPrint(...) call sites across auth_service.dart, auth_provider.dart, main.dart, and todays_five_screen.dart with debugLog()
  • LOW-15 deferred: Firestore security rules version-control deferred for proper Firebase CLI setup later
  • Regression test: Codebase scan test ensures no ungated debugPrint calls can be reintroduced

Test plan

  • flutter analyze — 0 issues
  • flutter test — 1275 tests pass (6 new tests added)
  • flutter build linux — builds successfully
  • Manual test: app startup, Today's 5 deadline suppression pin/unpin — all pass

🤖 Generated with Claude Code

Soham Marik and others added 2 commits March 31, 2026 15:29
@claude
Round 6 security review: verify Round 5 fixes, 4 ungated debugPrint f…
a89af40 
…indings

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude
Round 6 security fix: DRY debugLog helper, gate all debugPrint calls
2c70247 
Fix LOW-21 (main.dart) and LOW-22 (todays_five_screen.dart) ungated
debugPrint calls. Extract shared debugLog() helper in display_utils.dart
that gates behind kDebugMode, replacing all 12 raw debugPrint call sites
across auth_service, auth_provider, main, and todays_five_screen.
Adds regression test scanning lib/ for ungated debugPrint. LOW-15
(Firestore rules) deferred for proper Firebase CLI setup later.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@chatgpt-codex-connector
Copy link
Copy Markdown

chatgpt-codex-connector bot commented Mar 31, 2026

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@claude
Copy link
Copy Markdown

claude bot commented Mar 31, 2026

test comment check

@claude
Copy link
Copy Markdown

claude bot commented Mar 31, 2026

Code review

Issue 1 — Bug: "debugLog import present" test always passes vacuously

File: test/utils/display_utils_test.dart lines 815-818

The condition has two logical problems that make missingImports always empty — the test is a no-op and provides no regression protection:

  1. Branch 2 is impossible. content.contains('debugLog(') && !content.contains('debugLog') — any string containing debugLog( necessarily contains debugLog. Always false.
  2. Branch 1 checks the wrong thing. !content.contains("import") flags files with no import statements at all — that never happens in lib/. The intent was to check for the specific display_utils.dart import.

Suggested fix:

        if (content.contains('debugLog(') &&
            !content.contains('display_utils.dart')) {

Issue 2 — Stale line reference in docs (CLAUDE.md: verify before documenting)

File: docs/SECURITY_REVIEW.md line 1189 and line 1288

Both references claim launchSafeUrl() is at display_utils.dart:166-182, but this PR itself inserts the 8-line debugLog() function at the top of that file, pushing launchSafeUrl down to lines 174-190.

Per CLAUDE.md: "Verify before documenting. Before writing any factual claim in a doc, verify it exists in the codebase first... Do not rely on memory, TODO lists, or stale branch knowledge."

Fix: update both occurrences of display_utils.dart:166-182 to display_utils.dart:174-190.

@claude
Fix review comments: debugLog import test logic, stale line refs
5e9bc3a 
Fix no-op test condition in debugLog import check — was using
impossible logic that always passed. Now correctly verifies files
calling debugLog() import display_utils.dart. Update launchSafeUrl
line references in SECURITY_REVIEW.md (166→174 after debugLog insert).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sohamM97 sohamM97 merged commit 5f2071f into main Mar 31, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sohamM97