Surfaced during the PR #20 review (timeout/reconcile analysis).
Problem
reconcile_node_added matches a late-joining node to a timed-out job purely by recency — the docstring acknowledges it (commission_jobs.py:236-240: "matched by recency … the most recent one wins (a single rehearsal/retry flow never has two)"), and the claim is candidates[-1] at commission_jobs.py:260.
Two consequences:
- Two jobs time out inside RECONCILE_WINDOW (commission_jobs.py:63, 5 min): when node X joins it is claimed by the most recent job regardless of which device it actually is — the wrong suggestedName/suggestedRoom get applied and the wrong jobId reports success.
- Any unrelated node_added within the window (e.g. a node added from the matter-server dashboard or another controller) flips a timed-out job to success with the wrong nodeId in its result.
There is no identity check (discriminator, vendor/product from the node payload) tying the node to the job.
Status
Acceptable for v1: Domio commissions strictly one device at a time, so two in-window timeouts don't occur in practice. Revisit if Domio ever parallelizes commissioning — candidate fix is matching on the job's stored discriminator (already on the Job dataclass) against the joining node's descriptor data.
Origin: analysis in #20
🤖 Generated with Claude Code
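
Added example, not the project's code: a sketch of the recency match described above next to an identity-gated match that fails closed. The Job fields other than discriminator, the function names, and the assumption that the joining node's payload yields a discriminator are hypothetical; the sample jobs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

RECONCILE_WINDOW = timedelta(minutes=5)  # window length as stated in the issue


@dataclass
class Job:  # hypothetical stand-in for the project's Job dataclass
    job_id: str
    discriminator: int
    timed_out_at: datetime
    status: str = "timeout"


def candidates_in_window(jobs: List[Job], now: datetime) -> List[Job]:
    """Timed-out jobs still inside the reconcile window, oldest first."""
    live = [j for j in jobs
            if j.status == "timeout" and now - j.timed_out_at <= RECONCILE_WINDOW]
    return sorted(live, key=lambda j: j.timed_out_at)


def match_by_recency(jobs: List[Job], now: datetime) -> Optional[Job]:
    """Behaviour described in the issue: the most recent candidate wins."""
    cands = candidates_in_window(jobs, now)
    return cands[-1] if cands else None


def match_by_identity(jobs: List[Job], now: datetime,
                      node_discriminator: Optional[int]) -> Optional[Job]:
    """Claim a job only when exactly one in-window job carries the node's
    discriminator; missing or ambiguous identity leaves every job timed out."""
    if node_discriminator is None:
        return None
    hits = [j for j in candidates_in_window(jobs, now)
            if j.discriminator == node_discriminator]
    return hits[0] if len(hits) == 1 else None


# Constructed sample: two jobs time out inside the window, one outside it.
NOW = datetime(2024, 1, 1, 12, 0, 0)
JOBS = [
    Job("job-a", 1111, NOW - timedelta(minutes=4)),
    Job("job-b", 2222, NOW - timedelta(minutes=1)),
    Job("job-c", 3333, NOW - timedelta(minutes=10)),
]

if __name__ == "__main__":
    # Device A (1111) joins late: recency credits job-b, identity credits job-a.
    print(match_by_recency(JOBS, NOW).job_id)
    print(match_by_identity(JOBS, NOW, 1111).job_id)
    # Node added by another controller (9999): identity match claims nothing.
    print(match_by_identity(JOBS, NOW, 9999))
```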