fix: strengthen concurrency test assertions and fix thread-pool deadlock risk

- Replace Barrier.SignalAndWait (blocking) with SemaphoreSlim (async-safe)
  in WebhookDeliveryConcurrencyTests and BoardPresenceConcurrencyTests to
  prevent thread-pool starvation deadlocks under CI
- Fix cross-user isolation test race: separate board creation from
  verification so the check runs against the complete set of board IDs
- Assert 429 status code explicitly in ThrottledRequests test instead of
  silently passing when rate limiting is broken
- Strengthen ProcessNext_TwoWorkersTwoItems to assert at least one success
  and valid status codes (not just "no 500s")
- Assert exactly 1 card in DoubleExecute test (was 0-1, hiding data loss)
- Assert exactly 1 proposal per batch item (was <=1, hiding data loss)

Author: Chris0Jeky

backend/tests/Taskdeck.Api.Tests/Concurrency/BoardPresenceConcurrencyTests.cs

@@ -95,22 +95,23 @@ public async Task RapidJoinLeave_EventuallyConsistent()
         await SignalRTestHelper.WaitForEventsAsync(observerEvents, 1);
         observerEvents.Clear();
 
-        // All users join simultaneously via Barrier
+        // All users join simultaneously via SemaphoreSlim (async-safe,
+        // unlike Barrier.SignalAndWait which blocks thread-pool threads)
         var connections = new List<HubConnection>();
         try
         {
-            using var joinBarrier = new Barrier(connectionCount + 1);
+            using var joinBarrier = new SemaphoreSlim(0, connectionCount);
             var joinTasks = users.Select(async user =>
             {
                 var conn = SignalRTestHelper.CreateBoardsHubConnection(_factory, user.Token);
                 conn.On<BoardPresenceSnapshot>("boardPresence", _ => { });
                 await conn.StartAsync();
                 lock (connections) { connections.Add(conn); }
-                joinBarrier.SignalAndWait(TimeSpan.FromSeconds(10));
+                await joinBarrier.WaitAsync(TimeSpan.FromSeconds(10));
                 await conn.InvokeAsync("JoinBoard", board.Id);
             }).ToArray();
 
-            joinBarrier.SignalAndWait(TimeSpan.FromSeconds(10));
+            joinBarrier.Release(connectionCount);
             await Task.WhenAll(joinTasks);
 
             // Wait for all joins to settle
@@ -122,14 +123,14 @@ public async Task RapidJoinLeave_EventuallyConsistent()
             // First half leave rapidly
             observerEvents.Clear();
             var leavingCount = connectionCount / 2;
-            using var leaveBarrier = new Barrier(leavingCount + 1);
+            using var leaveBarrier = new SemaphoreSlim(0, leavingCount);
             var leaveTasks = connections.Take(leavingCount).Select(async conn =>
             {
-                leaveBarrier.SignalAndWait(TimeSpan.FromSeconds(10));
+                await leaveBarrier.WaitAsync(TimeSpan.FromSeconds(10));
                 await conn.InvokeAsync("LeaveBoard", board.Id);
             }).ToArray();
 
-            leaveBarrier.SignalAndWait(TimeSpan.FromSeconds(10));
+            leaveBarrier.Release(leavingCount);
             await Task.WhenAll(leaveTasks);
 
             // Wait for leaves to settle

backend/tests/Taskdeck.Api.Tests/Concurrency/CrossUserIsolationStressTests.cs

@@ -35,13 +35,14 @@ public CrossUserIsolationStressTests(TestWebApplicationFactory factory)
     public async Task ConcurrentBoardCreation_NoCrossUserContamination()
     {
         const int userCount = 5;
-        var userBoards = new ConcurrentDictionary<string, Guid>();
+        var userBoards = new ConcurrentDictionary<string, (Guid BoardId, HttpClient Client)>();
         var errors = new ConcurrentBag<string>();
 
+        // Phase 1: All users create boards concurrently
         using var barrier = new SemaphoreSlim(0, userCount);
         var tasks = Enumerable.Range(0, userCount).Select(async i =>
         {
-            using var client = _factory.CreateClient();
+            var client = _factory.CreateClient();
             var user = await ApiTestHarness.AuthenticateAsync(client, $"isolation-{i}");
             await barrier.WaitAsync();
 
@@ -53,29 +54,41 @@ public async Task ConcurrentBoardCreation_NoCrossUserContamination()
             if (resp.StatusCode != HttpStatusCode.Created)
             {
                 errors.Add($"User {i} got {resp.StatusCode}");
+                client.Dispose();
                 return;
             }
 
             var board = await resp.Content.ReadFromJsonAsync<BoardDto>();
-            userBoards[user.Username] = board!.Id;
-
-            // Verify user only sees their own board
-            var listResp = await client.GetAsync("/api/boards");
-            var boards = await listResp.Content.ReadFromJsonAsync<List<BoardDto>>();
-            var otherUserBoards = boards!.Where(b =>
-                userBoards.Any(kv => kv.Key != user.Username && kv.Value == b.Id));
-            if (otherUserBoards.Any())
-            {
-                errors.Add($"User {user.Username} can see another user's board");
-            }
+            userBoards[user.Username] = (board!.Id, client);
         }).ToArray();
 
         barrier.Release(userCount);
         await Task.WhenAll(tasks);
 
-        errors.Should().BeEmpty("no cross-user board contamination should occur");
-        userBoards.Should().HaveCount(userCount,
-            "all users should have created their boards successfully");
+        try
+        {
+            errors.Should().BeEmpty("all users should create boards successfully");
+            userBoards.Should().HaveCount(userCount,
+                "all users should have created their boards successfully");
+
+            // Phase 2: After all boards exist, verify isolation with the
+            // complete set of known board IDs (no race against concurrent inserts)
+            var allBoardIds = userBoards.Values.Select(v => v.BoardId).ToHashSet();
+            foreach (var (username, (boardId, client)) in userBoards)
+            {
+                var listResp = await client.GetAsync("/api/boards");
+                var boards = await listResp.Content.ReadFromJsonAsync<List<BoardDto>>();
+                var visibleOtherBoards = boards!.Where(b =>
+                    allBoardIds.Contains(b.Id) && b.Id != boardId).ToList();
+                visibleOtherBoards.Should().BeEmpty(
+                    $"user {username} should not see other users' boards");
+            }
+        }
+        finally
+        {
+            foreach (var (_, (_, client)) in userBoards)
+                client.Dispose();
+        }
     }
 
     /// <summary>

backend/tests/Taskdeck.Api.Tests/Concurrency/ProposalApprovalRaceTests.cs

@@ -322,12 +322,12 @@ public async Task DoubleExecute_NoDuplicateSideEffects()
         proposal!.Status.Should().Be(ProposalStatus.Applied,
             "proposal should be in Applied state after execution");
 
-        // Verify at most one card was created (not duplicated)
+        // Verify exactly one card was created (not duplicated, not lost)
         var cardsResp = await client.GetAsync($"/api/boards/{board.Id}/cards");
         cardsResp.StatusCode.Should().Be(HttpStatusCode.OK);
         var cards = await cardsResp.Content.ReadFromJsonAsync<List<CardDto>>();
         var matchingCards = cards!.Count(c => c.Title.Contains("Double execute item"));
-        matchingCards.Should().BeInRange(0, 1,
-            "double execute should not create duplicate cards");
+        matchingCards.Should().Be(1,
+            "double execute should create exactly one card (no duplicates, no data loss)");
     }
 }

backend/tests/Taskdeck.Api.Tests/Concurrency/QueueClaimRaceTests.cs

@@ -230,12 +230,12 @@ public async Task CaptureTriage_BatchConcurrentWorkers_NoItemProcessedTwice()
 
         proposals.Should().NotBeNull();
 
-        // Each capture item should have at most one proposal
+        // Each capture item should have exactly one proposal (no duplicates, no data loss)
         foreach (var captureId in captureIds)
         {
             var matching = proposals!.Count(p => p.SourceReferenceId == captureId.ToString());
-            matching.Should().BeLessOrEqualTo(1,
-                $"capture item {captureId} should have at most one proposal (no duplicate processing)");
+            matching.Should().Be(1,
+                $"capture item {captureId} should have exactly one proposal (no duplicate processing, no data loss)");
         }
     }
 
@@ -278,8 +278,21 @@ public async Task ProcessNext_TwoWorkersTwoItems_EachClaimsDifferentItem()
         barrier.Release(2);
         await Task.WhenAll(workerTasks);
 
+        var responses = responseData.ToList();
+
         // No 500 errors
-        responseData.Should().NotContain(r => r.Status == HttpStatusCode.InternalServerError,
+        responses.Should().NotContain(r => r.Status == HttpStatusCode.InternalServerError,
             "no internal server errors during concurrent processing");
+
+        // At least one worker should succeed (with 2 items, ideally both succeed)
+        var successResponses = responses.Where(r => r.Status == HttpStatusCode.OK).ToList();
+        successResponses.Should().NotBeEmpty(
+            "at least one worker should successfully claim an item");
+
+        // All responses should be well-formed (OK or 404, not unexpected errors)
+        responses.Should().OnlyContain(
+            r => r.Status == HttpStatusCode.OK || r.Status == HttpStatusCode.NotFound
+                 || r.Status == HttpStatusCode.BadRequest,
+            "workers should only get OK, 404, or 400 -- not unexpected errors");
     }
 }

backend/tests/Taskdeck.Api.Tests/Concurrency/RateLimitingConcurrencyTests.cs

@@ -145,11 +145,12 @@ public async Task ThrottledRequests_IncludeRetryAfterHeader()
             "/api/auth/login",
             new LoginDto("retry-header-user-2", "wrong-pass"));
 
-        if (second.StatusCode == (HttpStatusCode)429)
-        {
-            // Retry-After header should be present on 429 responses
-            second.Headers.Contains("Retry-After").Should().BeTrue(
-                "429 responses should include a Retry-After header");
-        }
+        // Assert the rate limiter actually kicks in before checking headers
+        second.StatusCode.Should().Be((HttpStatusCode)429,
+            "the second request should be throttled (permit limit is 1)");
+
+        // Retry-After header should be present on 429 responses
+        second.Headers.Contains("Retry-After").Should().BeTrue(
+            "429 responses should include a Retry-After header");
     }
 }

backend/tests/Taskdeck.Api.Tests/Concurrency/WebhookDeliveryConcurrencyTests.cs

@@ -65,23 +65,24 @@ public async Task ConcurrentBoardMutations_EachCreatesDeliveryRecord()
             .ReadFromJsonAsync<OutboundWebhookSubscriptionSecretDto>();
         webhookSub.Should().NotBeNull();
 
-        // Create multiple cards concurrently using Barrier
-        using var barrier = new Barrier(mutationCount + 1);
+        // Create multiple cards concurrently using SemaphoreSlim (async-safe,
+        // unlike Barrier.SignalAndWait which blocks thread-pool threads)
+        using var barrier = new SemaphoreSlim(0, mutationCount);
         var statusCodes = new ConcurrentBag<HttpStatusCode>();
 
         var mutationTasks = Enumerable.Range(0, mutationCount).Select(async i =>
         {
             using var raceClient = _factory.CreateClient();
             raceClient.DefaultRequestHeaders.Authorization =
                 client.DefaultRequestHeaders.Authorization;
-            barrier.SignalAndWait(TimeSpan.FromSeconds(10));
+            await barrier.WaitAsync();
             var resp = await raceClient.PostAsJsonAsync(
                 $"/api/boards/{board.Id}/cards",
                 new CreateCardDto(board.Id, col!.Id, $"Webhook card {i}", null, null, null));
             statusCodes.Add(resp.StatusCode);
         }).ToArray();
 
-        barrier.SignalAndWait(TimeSpan.FromSeconds(10));
+        barrier.Release(mutationCount);
         await Task.WhenAll(mutationTasks);
 
         // All card creations should succeed
@@ -135,15 +136,15 @@ public async Task ConcurrentSubscriptionCreation_AllSucceedWithDistinctIds()
         await ApiTestHarness.AuthenticateAsync(client, "webhook-concurrent-sub");
         var board = await ApiTestHarness.CreateBoardAsync(client, "webhook-sub-board");
 
-        using var barrier = new Barrier(subscriptionCount + 1);
+        using var barrier = new SemaphoreSlim(0, subscriptionCount);
         var results = new ConcurrentBag<(HttpStatusCode Status, OutboundWebhookSubscriptionSecretDto? Sub)>();
 
         var tasks = Enumerable.Range(0, subscriptionCount).Select(async i =>
         {
             using var raceClient = _factory.CreateClient();
             raceClient.DefaultRequestHeaders.Authorization =
                 client.DefaultRequestHeaders.Authorization;
-            barrier.SignalAndWait(TimeSpan.FromSeconds(10));
+            await barrier.WaitAsync();
             var resp = await raceClient.PostAsJsonAsync(
                 $"/api/boards/{board.Id}/webhooks",
                 new CreateOutboundWebhookSubscriptionDto(
@@ -155,7 +156,7 @@ public async Task ConcurrentSubscriptionCreation_AllSucceedWithDistinctIds()
             results.Add((resp.StatusCode, sub));
         }).ToArray();
 
-        barrier.SignalAndWait(TimeSpan.FromSeconds(10));
+        barrier.Release(subscriptionCount);
         await Task.WhenAll(tasks);
 
         // All should succeed