fix: address pre-release review findings (2026-06-23)

Hardening from the pre-release review of the 06-19/06-23 roadmap batches:
solar timezone crash, webhook header CRLF, MQTT topic-prefix injection,
get_stats thread-safe copy, MQTT discovery lock, reactive_mode Literal,
and calibration modal accessibility. Adds regression coverage in
test_release_review_2026_06_23.py.

server/src/ledgrab/api/routes/automations.py

@@ -134,13 +134,18 @@ def _action_from_schema(s: ActionSchema) -> Action:
     fire_on = s.fire_on or "activate"
     if fire_on not in ("activate", "deactivate", "both"):
         raise ValueError(f"Invalid fire_on: {fire_on}. Must be activate, deactivate or both.")
+    # content_type is emitted verbatim as the outbound Content-Type header — reject
+    # control chars (CR/LF) so it can't be used to inject additional HTTP headers.
+    content_type = (s.content_type or "application/json").strip()
+    if len(content_type) > 128 or any(ord(c) < 0x20 or ord(c) > 0x7E for c in content_type):
+        raise ValueError("Invalid content_type: control or non-ASCII characters are not allowed.")
     # Raises HTTPException(400) on a blocked/loopback/metadata target.
     validate_polling_url(url)
     return WebhookAction(
         webhook_url=url,
         method=method,
         body_template=s.body_template or "",
-        content_type=s.content_type or "application/json",
+        content_type=content_type,
         fire_on=fire_on,
     )
 
@@ -487,5 +492,9 @@ async def trigger_automation(
     except ValueError as e:
         raise HTTPException(status_code=404, detail=str(e))
 
+    try:
         status, errors = await engine.fire_manual_trigger(automation)
+    except Exception as e:  # noqa: BLE001 — surface a structured error, never a bare 500
+        logger.error("Manual trigger failed for automation %s: %s", automation_id, e)
+        return AutomationTriggerResponse(status="error", errors=[str(e)])
     return AutomationTriggerResponse(status=status, errors=errors)

server/src/ledgrab/api/schemas/automations.py

@@ -111,12 +111,16 @@ ConditionSchema = RuleSchema
 class ActionSchema(BaseModel):
     """A single outbound action fired alongside scene activation/deactivation."""
 
-    action_type: str = Field(description="Action type discriminator (e.g. 'webhook')")
+    action_type: str = Field(
+        max_length=32, description="Action type discriminator (e.g. 'webhook')"
+    )
     # Webhook action fields
     webhook_url: str | None = Field(
         None, max_length=2048, description="Target URL for the webhook action"
     )
-    method: str | None = Field(None, description="'POST', 'PUT', or 'GET' (for webhook action)")
+    method: str | None = Field(
+        None, max_length=8, description="'POST', 'PUT', or 'GET' (for webhook action)"
+    )
     body_template: str | None = Field(
         None,
         max_length=8192,
@@ -126,10 +130,12 @@ class ActionSchema(BaseModel):
         ),
     )
     content_type: str | None = Field(
-        None, description="Content-Type header for the webhook body (default application/json)"
+        None,
+        max_length=128,
+        description="Content-Type header for the webhook body (default application/json)",
     )
     fire_on: str | None = Field(
-        None, description="'activate', 'deactivate', or 'both' (for webhook action)"
+        None, max_length=16, description="'activate', 'deactivate', or 'both' (for webhook action)"
     )
 
 

server/src/ledgrab/api/schemas/color_strip_sources.py

@@ -338,7 +338,9 @@ class EffectCSSCreate(_CSSCreateBase):
     custom_palette: List[List[float]] | None = Field(None, description="Custom palette stops")
     audio_reactive: bool | None = Field(None, description="Modulate output by live audio loudness")
     reactive_audio_source_id: str | None = Field(None, description="AudioSource id for reactivity")
-    reactive_mode: str | None = Field(None, description="brightness | saturation | both")
+    reactive_mode: Literal["brightness", "saturation", "both"] | None = Field(
+        None, description="brightness | saturation | both"
+    )
     reactive_intensity: Any = Field(default=None, description="Reactive modulation strength (0-1)")
 
 
@@ -542,7 +544,9 @@ class EffectCSSUpdate(_CSSUpdateBase):
     custom_palette: List[List[float]] | None = Field(None, description="Custom palette stops")
     audio_reactive: bool | None = Field(None, description="Modulate output by live audio loudness")
     reactive_audio_source_id: str | None = Field(None, description="AudioSource id for reactivity")
-    reactive_mode: str | None = Field(None, description="brightness | saturation | both")
+    reactive_mode: Literal["brightness", "saturation", "both"] | None = Field(
+        None, description="brightness | saturation | both"
+    )
     reactive_intensity: Any = Field(default=None, description="Reactive modulation strength (0-1)")
 
 

server/src/ledgrab/api/schemas/mqtt.py

@@ -20,7 +20,10 @@ class MQTTSourceCreate(BaseModel):
         default=False, description="Publish Home Assistant MQTT auto-discovery configs"
     )
     discovery_prefix: str = Field(
-        default="homeassistant", description="HA MQTT discovery prefix (default 'homeassistant')"
+        default="homeassistant",
+        max_length=64,
+        pattern=r"^[A-Za-z0-9_\-/]+$",
+        description="HA MQTT discovery prefix (default 'homeassistant')",
     )
     description: str | None = Field(None, description="Optional description", max_length=500)
     tags: List[str] = Field(default_factory=list, description="User-defined tags")
@@ -49,7 +52,12 @@ class MQTTSourceUpdate(BaseModel):
     publish_ha_discovery: bool | None = Field(
         None, description="Publish Home Assistant MQTT auto-discovery configs"
     )
-    discovery_prefix: str | None = Field(None, description="HA MQTT discovery prefix")
+    discovery_prefix: str | None = Field(
+        None,
+        max_length=64,
+        pattern=r"^[A-Za-z0-9_\-/]+$",
+        description="HA MQTT discovery prefix",
+    )
     description: str | None = Field(None, description="Optional description", max_length=500)
     tags: List[str] | None = None
     icon: str | None = Field(

server/src/ledgrab/core/devices/lifx_client.py

@@ -396,7 +396,7 @@ class LIFXClient(LEDClient):
         self._protocol.received.clear()
         self._send(MSG_GET_DEVICE_CHAIN, b"")
         self._send(MSG_GET_COLOR_ZONES, _build_get_color_zones_payload())
-        loop = asyncio.get_event_loop()
+        loop = asyncio.get_running_loop()
         deadline = loop.time() + 0.6
         while loop.time() < deadline:
             await asyncio.sleep(0.05)

server/src/ledgrab/core/devices/nanoleaf_client.py

@@ -326,7 +326,7 @@ class NanoleafClient(LEDClient):
         """Stream per-panel (extControl) when enabled, else average to one HSB state."""
         if not self.is_connected:
             raise RuntimeError("NanoleafClient not connected")
-        loop_now = asyncio.get_event_loop().time()
+        loop_now = asyncio.get_running_loop().time()
         if loop_now < self._next_tx_at:
             return True
 

server/src/ledgrab/core/game_integration/runtime_state.py

@@ -61,12 +61,22 @@ def record_events(integration_id: str, events: list[GameEvent]) -> None:
 
 
 def get_stats(integration_id: str) -> dict[str, Any]:
-    """Get runtime stats for an integration."""
+    """Get a snapshot of runtime stats for an integration.
+
+    Returns a fresh copy (incl. a copied ``event_counts_by_type``) so the caller
+    can read/iterate it on the event loop while the poll thread keeps mutating
+    the live dict under the lock — otherwise a concurrent insert raises
+    ``RuntimeError: dictionary changed size during iteration``.
+    """
     with _state_lock:
-        return _integration_stats.get(
-            integration_id,
-            {"event_count": 0, "event_counts_by_type": {}, "last_event_time": None},
-        )
+        stats = _integration_stats.get(integration_id)
+        if stats is None:
+            return {"event_count": 0, "event_counts_by_type": {}, "last_event_time": None}
+        return {
+            "event_count": stats["event_count"],
+            "event_counts_by_type": dict(stats["event_counts_by_type"]),
+            "last_event_time": stats["last_event_time"],
+        }
 
 
 def cleanup_state(integration_id: str) -> None:

server/src/ledgrab/core/mqtt/mqtt_manager.py

@@ -37,6 +37,12 @@ class MQTTManager:
         # Sources for which we hold a discovery acquire() reference.
         self._discovery_sources: set[str] = set()
         self._lock = asyncio.Lock()
+        # Serializes the discovery reconcile (ensure/disable) check-then-acquire so
+        # two concurrent sync_discovery() calls for the same source can't both see
+        # "first time" and double-acquire (ref-count leak). Separate from _lock
+        # because ensure/disable call acquire()/release() which take _lock, and
+        # asyncio.Lock is not re-entrant.
+        self._discovery_lock = asyncio.Lock()
 
     async def acquire(self, source_id: str) -> MQTTRuntime:
         """Get or create a runtime for the given MQTT source. Increments ref count."""
@@ -142,6 +148,7 @@ class MQTTManager:
             return
         if not getattr(source, "publish_ha_discovery", False):
             return
+        async with self._discovery_lock:
             first_time = source_id not in self._discovery_sources
             if first_time:
                 runtime = await self.acquire(source_id)
@@ -154,8 +161,10 @@ class MQTTManager:
 
     async def disable_discovery(self, source_id: str) -> None:
         """Clear a source's discovery configs and drop our runtime reference."""
+        async with self._discovery_lock:
             if source_id not in self._discovery_sources:
                 return
+            self._discovery_sources.discard(source_id)
             runtime = self.get_runtime(source_id)
             if runtime is not None:
                 try:
@@ -163,7 +172,6 @@ class MQTTManager:
                     await self._make_publisher(runtime, source).remove_all()
                 except Exception as exc:  # noqa: BLE001 — best-effort cleanup
                     logger.warning("HA discovery cleanup failed for %s: %s", source_id, exc)
-        self._discovery_sources.discard(source_id)
             await self.release(source_id)
 
     async def sync_discovery(self, source_id: str) -> None:

server/src/ledgrab/core/processing/effect_stream.py

@@ -456,10 +456,10 @@ class EffectColorStripStream(ColorStripStream):
         Quiet audio dims/desaturates toward ``1 - intensity``; loud audio drives
         full brightness (and a saturation boost up to ``1 + intensity``).
         """
-        e = self._audio_tap.energy()
         k = max(0.0, min(1.0, self.resolve("reactive_intensity", self._reactive_intensity)))
         if k <= 0.0:
             return
+        e = self._audio_tap.energy()
         f = buf.astype(np.float32)
         if self._reactive_mode in ("brightness", "both"):
             f *= (1.0 - k) + k * e

server/src/ledgrab/static/css/modal.css

@@ -3277,6 +3277,14 @@
     background: none;
     cursor: pointer;
     flex-shrink: 0;
+    transition: box-shadow var(--duration-fast, 120ms) ease,
+                border-color var(--duration-fast, 120ms) ease;
+}
+.gradient-harmony-row input[type="color"]:hover,
+.gradient-harmony-row input[type="color"]:focus-visible {
+    outline: none;
+    border-color: var(--primary-color, var(--border-color));
+    box-shadow: 0 0 0 3px color-mix(in srgb, var(--primary-color, #4c8dff) 28%, transparent);
 }
 .gradient-harmony-types {
     display: flex;
@@ -3284,7 +3292,7 @@
     gap: 6px;
 }
 .gradient-harmony-btn {
-    padding: 4px 10px;
+    /* padding inherited from .btn-sm; only the slightly smaller harmony size differs */
     font-size: 0.75rem;
 }
 
@@ -3296,6 +3304,12 @@
     gap: 8px;
     margin-top: 10px;
 }
+/* The toggle's text label — neutralize the global `label` bottom margin so it
+   stays vertically centered against the switch in this flex row. */
+.calibration-linear-row label[for] {
+    margin: 0;
+    cursor: pointer;
+}
 .calibration-linear-row .input-hint {
     flex-basis: 100%;
     margin: 0;

server/src/ledgrab/static/js/global.d.ts

@@ -213,6 +213,7 @@ interface Window {
     cloneAutomation: (...args: any[]) => any;
     deleteAutomation: (...args: any[]) => any;
     copyWebhookUrl: (...args: any[]) => any;
+    triggerAutomationNow: (...args: any[]) => any;
 
     // ─── Scene Presets ───
     openScenePresetCapture: (...args: any[]) => any;
@@ -275,6 +276,7 @@ startTargetOverlay: (...args: any[]) => any;
     deleteColorStrip: (...args: any[]) => any;
     onCSSTypeChange: (...args: any[]) => any;
     onEffectTypeChange: (...args: any[]) => any;
+    onEffectReactiveToggle: (...args: any[]) => any;
     onCSSClockChange: (...args: any[]) => any;
     onAnimationTypeChange: (...args: any[]) => any;
     onDaylightRealTimeChange: (...args: any[]) => any;

server/src/ledgrab/templates/modals/calibration.html

@@ -199,7 +199,7 @@
                                 <input type="checkbox" id="cal-linear-blend">
                                 <span class="settings-toggle-slider"></span>
                             </label>
-                            <span data-i18n="calibration.linear_blend">Linear-light blending</span>
+                            <label for="cal-linear-blend" data-i18n="calibration.linear_blend">Linear-light blending</label>
                             <small class="input-hint" data-i18n="calibration.linear_blend.hint">Average border pixels in linear light for perceptually correct, brighter colour mixing.</small>
                         </div>
                         <div class="calibration-linear-row">
@@ -207,7 +207,7 @@
                                 <input type="checkbox" id="cal-dither">
                                 <span class="settings-toggle-slider"></span>
                             </label>
-                            <span data-i18n="calibration.dither">Dithering</span>
+                            <label for="cal-dither" data-i18n="calibration.dither">Dithering</label>
                             <small class="input-hint" data-i18n="calibration.dither.hint">Spatio-temporal dithering reduces visible banding on smooth gradients.</small>
                         </div>
                     </div>

server/src/ledgrab/utils/solar.py

@@ -89,7 +89,11 @@ def utc_offset_hours_for(tz_name: str, when: datetime.datetime | None = None) ->
             offset = when.replace(tzinfo=None).astimezone(ZoneInfo(tz_name)).utcoffset()
             if offset is not None:
                 return offset.total_seconds() / 3600.0
-        except ZoneInfoNotFoundError:
+        # ZoneInfo() also raises ValueError (path-traversal / null-byte names) and
+        # OSError (over-long names) for malformed input, not just
+        # ZoneInfoNotFoundError. Catch all three so one bad SolarRule.timezone
+        # can't crash the whole automation evaluation tick.
+        except (ZoneInfoNotFoundError, ValueError, OSError):
             pass
     local_offset = when.astimezone().utcoffset()
     return local_offset.total_seconds() / 3600.0 if local_offset else 0.0

server/tests/core/test_automation_rule_handlers.py

@@ -19,6 +19,7 @@ from ledgrab.storage.automation import (
     DisplayStateRule,
     HomeAssistantRule,
     HTTPPollRule,
+    ManualTriggerRule,
     MQTTRule,
     Rule,
     SolarRule,
@@ -30,6 +31,7 @@ from ledgrab.storage.automation import (
 
 EXPECTED_RULE_TYPES = {
     StartupRule,
+    ManualTriggerRule,
     ApplicationRule,
     TimeOfDayRule,
     SolarRule,

server/tests/test_release_review_2026_06_23.py

@@ -0,0 +1,149 @@
+"""Regression tests for the 2026-06-23 pre-release review fixes.
+
+Covers the roadmap-batch (per-pixel smart-lights + integrations) findings fixed
+before release:
+
+* solar timezone offset must not crash on a malformed ``timezone`` string
+  (DoS of the automation evaluation tick / 500 on manual trigger);
+* the webhook action's ``content_type`` must reject CRLF / control chars
+  (outbound HTTP header injection);
+* the MQTT ``discovery_prefix`` must reject wildcard / control chars
+  (HA-discovery topic injection);
+* the effect ``reactive_mode`` must reject unknown values (silent no-op);
+* game-integration ``get_stats`` must return an independent copy
+  (cross-thread ``dict changed size during iteration``).
+"""
+
+import datetime
+import types
+
+import pytest
+from pydantic import ValidationError
+
+from ledgrab.api.routes.automations import _action_from_schema
+from ledgrab.api.schemas.automations import ActionSchema
+from ledgrab.api.schemas.color_strip_sources import EffectCSSCreate
+from ledgrab.api.schemas.mqtt import MQTTSourceCreate
+from ledgrab.core.game_integration import runtime_state
+from ledgrab.utils.solar import utc_offset_hours_for
+
+
+# ── solar timezone offset hardening ──────────────────────────────────────────
+
+
+@pytest.mark.parametrize(
+    "bad_tz",
+    [
+        "../../../etc/passwd",  # path traversal -> ValueError
+        "foo\x00bar",  # embedded null -> ValueError
+        "x" * 5000,  # over-long -> OSError on some platforms
+        "Not/A/Real/Zone",  # plausible-but-unknown -> ZoneInfoNotFoundError
+    ],
+)
+def test_solar_offset_does_not_raise_on_malformed_timezone(bad_tz):
+    """A crafted SolarRule.timezone must fall back, never crash the eval tick."""
+    when = datetime.datetime(2026, 1, 15, 12, 0, 0)
+    offset = utc_offset_hours_for(bad_tz, when)
+    assert isinstance(offset, float)
+
+
+def test_solar_offset_valid_timezone_still_resolves():
+    when = datetime.datetime(2026, 1, 15, 12, 0, 0)  # winter -> EST = -5
+    assert utc_offset_hours_for("America/New_York", when) == pytest.approx(-5.0)
+
+
+# ── webhook action Content-Type header injection ─────────────────────────────
+
+
+@pytest.mark.parametrize(
+    "bad_ct",
+    [
+        "application/json\r\nX-Injected: evil",
+        "text/plain\nX-Injected: evil",
+        "application/json\x00",
+        "application/jsön",  # non-ASCII
+    ],
+)
+def test_webhook_action_rejects_unsafe_content_type(bad_ct):
+    schema = ActionSchema(
+        action_type="webhook",
+        webhook_url="http://10.0.0.5/hook",
+        method="POST",
+        content_type=bad_ct,
+        fire_on="activate",
+    )
+    with pytest.raises(ValueError, match="content_type"):
+        _action_from_schema(schema)
+
+
+def test_webhook_action_accepts_normal_content_type():
+    schema = ActionSchema(
+        action_type="webhook",
+        webhook_url="http://10.0.0.5/hook",  # LAN IP is allowed by SSRF policy
+        method="POST",
+        content_type="application/json; charset=utf-8",
+        fire_on="activate",
+    )
+    action = _action_from_schema(schema)
+    assert action.content_type == "application/json; charset=utf-8"
+
+
+# ── MQTT HA-discovery topic injection ────────────────────────────────────────
+
+
+@pytest.mark.parametrize(
+    "bad_prefix",
+    [
+        "homeassistant/+/evil",  # MQTT wildcard
+        "homeassistant/#",  # MQTT wildcard
+        "home\nassistant",  # control char
+        "x" * 65,  # over max_length
+    ],
+)
+def test_mqtt_discovery_prefix_rejects_unsafe_value(bad_prefix):
+    with pytest.raises(ValidationError):
+        MQTTSourceCreate(name="src", broker_host="broker.local", discovery_prefix=bad_prefix)
+
+
+def test_mqtt_discovery_prefix_defaults_to_homeassistant():
+    src = MQTTSourceCreate(name="src", broker_host="broker.local")
+    assert src.discovery_prefix == "homeassistant"
+
+
+# ── effect reactive_mode validation ──────────────────────────────────────────
+
+
+def test_reactive_mode_rejects_unknown_value():
+    with pytest.raises(ValidationError):
+        EffectCSSCreate(name="fx", reactive_mode="invalid")
+
+
+@pytest.mark.parametrize("mode", ["brightness", "saturation", "both"])
+def test_reactive_mode_accepts_known_values(mode):
+    src = EffectCSSCreate(name="fx", reactive_mode=mode)
+    assert src.reactive_mode == mode
+
+
+# ── game-integration get_stats returns an independent snapshot ───────────────
+
+
+def test_get_stats_returns_independent_copy():
+    integration_id = "test-int-copy"
+    runtime_state.cleanup_state(integration_id)
+    try:
+        event = types.SimpleNamespace(event_type="kill", timestamp="2026-06-23T00:00:00Z")
+        runtime_state.record_events(integration_id, [event])
+
+        snapshot = runtime_state.get_stats(integration_id)
+        assert snapshot["event_count"] == 1
+        assert snapshot["event_counts_by_type"] == {"kill": 1}
+
+        # Mutating the returned snapshot must not corrupt the live state.
+        snapshot["event_counts_by_type"]["kill"] = 999
+        snapshot["event_counts_by_type"]["injected"] = 1
+
+        fresh = runtime_state.get_stats(integration_id)
+        assert fresh["event_counts_by_type"] == {"kill": 1}
+        assert "injected" not in fresh["event_counts_by_type"]
+    finally:
+        runtime_state.cleanup_state(integration_id)