Address second round of review feedback

- capi: unknown endpoint fallback now type-checks response before
  iterating, avoids AttributeError on dict responses without data key
- render_utils: flush_async_output is a no-op when no buffer exists,
  prevents masking the real error when an async agent fails early
- session: list_sessions sorts by file mtime instead of filename so
  most-recent-first ordering is actually correct
- runner: replace confusing issubset(set()) idiom with straightforward
  set difference check for unknown model settings keys
- runner: catch JSONDecodeError on outer tool result parse separately
  from the inner text parse so malformed results get a clear error
- tests: suppress S105 false positive on test token assertion

Author: anticomputer

src/seclab_taskflow_agent/capi.py

@@ -99,9 +99,14 @@ def list_capi_models(token: str) -> dict[str, dict]:
             case AI_API_ENDPOINT_ENUM.AI_API_OPENAI:
                 models_list = r.json().get("data", [])
             case _:
-                # Unknown endpoint — try OpenAI-style {"data": [...]}
+                # Unknown endpoint — try common response shapes
                 body = r.json()
-                models_list = body.get("data", body) if isinstance(body, dict) else body
+                if isinstance(body, dict):
+                    models_list = body.get("data", [])
+                elif isinstance(body, list):
+                    models_list = body
+                else:
+                    models_list = []
         for model in models_list:
             models[model.get("id")] = dict(model)
     except httpx.RequestError:

src/seclab_taskflow_agent/render_utils.py

@@ -24,9 +24,9 @@ async def flush_async_output(task_id: str) -> None:
     """Flush buffered async output for *task_id* to the console."""
     async with async_output_lock:
         if task_id not in async_output:
-            raise ValueError(f"No async output for task: {task_id}")
-        data = async_output[task_id]
-        del async_output[task_id]
+            # No buffered output (agent may have failed before producing any).
+            return
+        data = async_output.pop(task_id)
     await render_model_output(f"** 🤖✏️ Output for async task: {task_id}\n\n")
     await render_model_output(data)
 

src/seclab_taskflow_agent/runner.py

@@ -80,9 +80,10 @@ def _resolve_model_config(
     models_params: dict[str, dict[str, Any]] = m_config.model_settings or {}
     if models_params and not isinstance(models_params, dict):
         raise ValueError(f"Settings section of model_config file {model_config_ref} must be a dictionary")
-    if not set(models_params.keys()).difference(model_keys).issubset(set()):
+    unknown = set(models_params) - set(model_keys)
+    if unknown:
         raise ValueError(
-            f"Settings section of model_config file {model_config_ref} contains models not in the model section"
+            f"Settings section of model_config file {model_config_ref} contains models not in the model section: {unknown}"
         )
     for k, v in models_params.items():
         if not isinstance(v, dict):
@@ -199,20 +200,24 @@ async def _build_prompts_to_run(
             logging.warning("repeat_prompt enabled but no {{ result }} in prompt")
         try:
             last_result = json.loads(last_mcp_tool_results[-1])
-            text = last_result.get("text", "")
-            try:
-                iterable_result = json.loads(text)
-            except json.JSONDecodeError as exc:
-                logging.critical(f"Could not parse result text: {text}")
-                raise ValueError("Result text is not valid JSON") from exc
-            try:
-                iter(iterable_result)
-            except TypeError:
-                logging.critical("Last MCP tool result is not iterable")
-                raise
         except IndexError:
             logging.critical("No last MCP tool result available")
             raise
+        except json.JSONDecodeError as exc:
+            logging.critical(f"Could not parse tool result as JSON: {last_mcp_tool_results[-1][:200]}")
+            raise ValueError("Tool result is not valid JSON") from exc
+
+        text = last_result.get("text", "")
+        try:
+            iterable_result = json.loads(text)
+        except json.JSONDecodeError as exc:
+            logging.critical(f"Could not parse result text: {text}")
+            raise ValueError("Result text is not valid JSON") from exc
+        try:
+            iter(iterable_result)
+        except TypeError:
+            logging.critical("Last MCP tool result is not iterable")
+            raise
 
         if not iterable_result:
             await render_model_output("** 🤖❗MCP tool result iterable is empty!\n")

src/seclab_taskflow_agent/session.py

@@ -128,7 +128,7 @@ def load(cls, session_id: str) -> TaskflowSession:
     def list_sessions(cls) -> list[TaskflowSession]:
         """List all saved sessions, most recent first."""
         sessions: list[TaskflowSession] = []
-        for f in sorted(session_dir().glob("*.json"), reverse=True):
+        for f in sorted(session_dir().glob("*.json"), key=lambda p: p.stat().st_mtime, reverse=True):
             try:
                 sessions.append(cls.model_validate_json(f.read_text()))
             except Exception:

tests/test_runner.py

@@ -237,7 +237,7 @@ def test_engine_keys_extracted(self):
         )
         assert api_type == "responses"
         assert endpoint == "https://custom.api"
-        assert token == "secret"
+        assert token == "secret"  # noqa: S105
         assert "api_type" not in settings
         assert "endpoint" not in settings
         assert "token" not in settings