- Extract duplicated admin/owner check from race.py into shared._is_admin_or_owner()
- Add try/except around JSON.loads in room_store.load_rooms for corrupted data resilience
- Use .get() for safer dict access in room deserialization
Phase 1 - Plugin code review (14/14 plugins):
- Security: 3x token leak in print→logger.debug, Bearer prefix handling
- Bug: bare except→specific exceptions, HorseState type safety, sync→async
- Critical: response_model undefined, route dead code, sync blocking event loop
- Quality: 11x print()→logger, variable name shadowing, consistent logging
Phase 2 - Deep analysis:
- Fix: payout int truncation→max(1, round(amount*odds))
- Fix: room_store get_lock race condition→dict.setdefault()
- Verify: data_manager f-string SQL is safe (uses ? placeholders)
Infrastructure: review reports generated for all plugins.
Extract shared.py from commands/__init__.py to break circular dependency:
- shared.py: shared variables/services/helper functions
- access.py: get_scope/check_access/get_event_id (canonical source)
- __init__.py: re-exports from shared.py for backward compat
- register/bet/race/help: import from .shared instead of package