fix: address PR #68 review — silent failures, path traversal, dead code

[chitcommit]

Summary

Addresses 10 findings from comprehensive PR review of #68 (8 outcome-driven UI flows):

Critical (4):

• encodeURIComponent on user-supplied caseId in evidence API URLs — prevents path traversal
• Surface contradiction fetch failures in Evidence page (was silently returning empty array)
• Show error state on transaction fetch failure in Accounts (was showing "No recent transactions")
• Show dispute load error in LitigationAssistant picker (was completely empty .catch(() => {}))

Important (6):

• Remove dead actionIcon/Icon code + unused RefreshCw import
• Guard useEffect pre-population to run once only (prevents overwriting user edits on re-render)
• Restore console.error logging in Recommendations act/dismiss
• Clear stale data when loading new case in Evidence (prevents showing case A data after case B fails)
• Surface timeline.partial warning banner in Evidence page
• Show retry button on history load failure in ActionQueue
• Clear error state on reload in Legal page

Test plan

• Evidence: load a case, then load a non-existent case — stale data should clear, error shown
• Evidence: verify contradictions failure shows warning banner
• Accounts: expand account with broken API — should show error, not "No recent transactions"
• LitigationAssistant: open with bad ?dispute=ID — should show toast error
• LitigationAssistant: verify picker shows "Failed to load disputes" on API error
• Recommendations: verify no unused Icon variable (tsc --noEmit passes)
• ActionQueue: history tab failure shows retry button
• tsc --noEmit + vite build pass

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Improved error handling and user-facing messages for transaction loading, decision history, evidence contradictions, and dispute linking.
  • Added retry functionality for failed operations.
  • Enhanced error state management to provide clearer feedback across features.

• Style

  • Cleaned up unused visual elements from recommendations interface.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[github-actions]

1. @coderabbitai review
2. @copilot review
3. @codex review
4. @claude review
   Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR introduces consistent error state tracking across multiple page components for API failures (transactions, decision history, contradictions, disputes). Additionally, the API layer now URL-encodes caseId parameters in Evidence Timeline endpoints, and unused imports are cleaned up from the Recommendations page with improved error logging.

Changes

Cohort / File(s)	Summary
API Layer ui/src/lib/api.ts	URL-encode caseId parameter in getCaseTimeline, getCaseFacts, getCaseContradictions, and getPendingFacts endpoint paths using encodeURIComponent().
Error State Management ui/src/pages/Accounts.tsx, ui/src/pages/ActionQueue.tsx, ui/src/pages/Evidence.tsx, ui/src/pages/Legal.tsx, ui/src/pages/LitigationAssistant.tsx	Added dedicated error states to track specific API failures; updated catch blocks to extract error messages; modified UI to conditionally display error messages and retry buttons, replacing silent error suppression.
Code Cleanup & Logging ui/src/pages/Recommendations.tsx	Removed unused lucide-react icon imports and helper function; added contextual error logging with console.error in action handlers.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: 8 outcome-driven UI flows #68: Directly modifies the same API endpoints (getCaseTimeline, getCaseFacts, getCaseContradictions, getPendingFacts) to URL-encode caseId, aligning with this PR's API layer changes.

Poem

🐰 When API calls go hop-by-hop,
We catch the errors, never stop!
Each state now tracks what went awry,
With messages that users spy—
Clean feedback hops from bug to fix! 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: fixing silent failures, path traversal vulnerabilities, and removing dead code across multiple UI components.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/pr68-review-remediation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

To use Codex here, create a Codex account and connect to github.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ui/src/pages/LitigationAssistant.tsx`:
- Around line 67-76: The code sets selectedDisputeId before verifying the
dispute exists, which can leave an invalid ID in state; update the logic in the
block that reads disputeId/disputes so you first find the dispute via
disputes.find(dd => dd.id === disputeId) and only then call
setSelectedDisputeId(disputeId) and mark prePopulated.current = true; if the
dispute is found, also setRecipient(d.counterparty) and setRawNotes(...) as you
already do, otherwise leave selectedDisputeId unchanged and show the toast.error
(toast.error(...) remains in the else branch); ensure prePopulated.current is
only set when the dispute exists to avoid signaling a successful pre-population
for an invalid ID.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c310ab0e-4695-440a-95a8-0e86cf8534c4

📥 Commits

Reviewing files that changed from the base of the PR and between 7e88831 and 29da8b5.

📒 Files selected for processing (7)

• ui/src/lib/api.ts
• ui/src/pages/Accounts.tsx
• ui/src/pages/ActionQueue.tsx
• ui/src/pages/Evidence.tsx
• ui/src/pages/Legal.tsx
• ui/src/pages/LitigationAssistant.tsx
• ui/src/pages/Recommendations.tsx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Avoid preselecting an invalid dispute ID from URL.

selectedDisputeId is set before confirming the dispute exists. That can leave an invalid ID in state and allow follow-up actions to target a nonexistent dispute.

💡 Suggested fix

-    if (disputeId && disputes.length > 0) {
+    if (disputeId && disputes.length > 0) {
       prePopulated.current = true;
-      setSelectedDisputeId(disputeId);
       const d = disputes.find(dd => dd.id === disputeId);
       if (d) {
+        setSelectedDisputeId(disputeId);
         if (d.counterparty) setRecipient(d.counterparty);
         if (d.description) setRawNotes(prev => prev || d.description || '');
       } else {
+        setSelectedDisputeId('');
         toast.error('Dispute not found', `Linked dispute ${disputeId.slice(0, 8)}... was not found`);
       }
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/pages/LitigationAssistant.tsx` around lines 67 - 76, The code sets
selectedDisputeId before verifying the dispute exists, which can leave an
invalid ID in state; update the logic in the block that reads disputeId/disputes
so you first find the dispute via disputes.find(dd => dd.id === disputeId) and
only then call setSelectedDisputeId(disputeId) and mark prePopulated.current =
true; if the dispute is found, also setRecipient(d.counterparty) and
setRawNotes(...) as you already do, otherwise leave selectedDisputeId unchanged
and show the toast.error (toast.error(...) remains in the else branch); ensure
prePopulated.current is only set when the dispute exists to avoid signaling a
successful pre-population for an invalid ID.