fix: resolve critical concurrency deadlocks and main-thread blocking

- SSH-1 (critical): replace DispatchSemaphore.wait() with withCheckedContinuation in HostKeyVerifier
- SVC-3 (high): remove DispatchQueue.main.sync from SQLFormatterService, pass dialect as parameter
- DB-3/PLG-1 (high): remove synchronous loadPendingPlugins() fallback, throw error instead
- PLG-2 (medium): move SecStaticCodeCheckValidity to background path
- SVC-1 (high): move SyncCoordinator storage I/O to Task.detached
- APP-3.5 (high): protect waitForConnection continuation with OSAllocatedUnfairLock
- APP-4.1 (high): consolidate AppState sync into single syncAppStateWithCurrentSession()

Author: datlechin

TablePro/AppDelegate+ConnectionHandler.swift

@@ -329,13 +329,17 @@ extension AppDelegate {
     }
 
     private func waitForConnection(timeout: Duration) async {
+        let didResume = OSAllocatedUnfairLock(initialState: false)
         await withCheckedContinuation { (continuation: CheckedContinuation<Void, Never>) in
-            var didResume = false
             var observer: NSObjectProtocol?
 
             func resumeOnce() {
-                guard !didResume else { return }
-                didResume = true
+                let shouldResume = didResume.withLock { alreadyResumed -> Bool in
+                    if alreadyResumed { return false }
+                    alreadyResumed = true
+                    return true
+                }
+                guard shouldResume else { return }
                 if let obs = observer {
                     NotificationCenter.default.removeObserver(obs)
                 }

TablePro/ContentView.swift

@@ -92,12 +92,6 @@ struct ContentView: View {
                                 payload: payload
                             )
                         }
-                        AppState.shared.isConnected = true
-                        AppState.shared.safeModeLevel = session.connection.safeModeLevel
-                        AppState.shared.editorLanguage = PluginManager.shared.editorLanguage(for: session.connection.type)
-                        AppState.shared.currentDatabaseType = session.connection.type
-                        AppState.shared.supportsDatabaseSwitching = PluginManager.shared.supportsDatabaseSwitching(
-                            for: session.connection.type)
                     }
                 } else {
                     currentSession = nil
@@ -130,20 +124,7 @@ struct ContentView: View {
                     }()
                 guard isOurWindow else { return }
 
-                if let session = DatabaseManager.shared.activeSessions[connectionId] {
-                    AppState.shared.isConnected = true
-                    AppState.shared.safeModeLevel = session.connection.safeModeLevel
-                    AppState.shared.editorLanguage = PluginManager.shared.editorLanguage(for: session.connection.type)
-                    AppState.shared.currentDatabaseType = session.connection.type
-                    AppState.shared.supportsDatabaseSwitching = PluginManager.shared.supportsDatabaseSwitching(
-                        for: session.connection.type)
-                } else {
-                    AppState.shared.isConnected = false
-                    AppState.shared.safeModeLevel = .silent
-                    AppState.shared.editorLanguage = .sql
-                    AppState.shared.currentDatabaseType = nil
-                    AppState.shared.supportsDatabaseSwitching = true
-                }
+                syncAppStateWithCurrentSession()
             }
             .onChange(of: sessionState?.toolbarState.safeModeLevel) { _, newLevel in
                 if let level = newLevel {
@@ -349,11 +330,7 @@ struct ContentView: View {
                 sessionState = nil
                 currentSession = nil
                 columnVisibility = .detailOnly
-                AppState.shared.isConnected = false
-                AppState.shared.safeModeLevel = .silent
-                AppState.shared.editorLanguage = .sql
-                AppState.shared.currentDatabaseType = nil
-                AppState.shared.supportsDatabaseSwitching = true
+                syncAppStateWithCurrentSession()
 
                 let tabbingId = "com.TablePro.main.\(sid.uuidString)"
                 DispatchQueue.main.async {
@@ -379,12 +356,27 @@ struct ContentView: View {
                 payload: payload
             )
         }
-        AppState.shared.isConnected = true
-        AppState.shared.safeModeLevel = newSession.connection.safeModeLevel
-        AppState.shared.editorLanguage = PluginManager.shared.editorLanguage(for: newSession.connection.type)
-        AppState.shared.currentDatabaseType = newSession.connection.type
-        AppState.shared.supportsDatabaseSwitching = PluginManager.shared.supportsDatabaseSwitching(
-            for: newSession.connection.type)
+    }
+
+    /// Single authoritative source for syncing AppState fields with the current session.
+    /// Called from `windowDidBecomeKey` (the correct trigger for per-window AppState)
+    /// and from `handleConnectionStatusChange` on disconnect cleanup.
+    private func syncAppStateWithCurrentSession() {
+        let connectionId = payload?.connectionId ?? currentSession?.id
+        if let connectionId, let session = DatabaseManager.shared.activeSessions[connectionId] {
+            AppState.shared.isConnected = true
+            AppState.shared.safeModeLevel = session.connection.safeModeLevel
+            AppState.shared.editorLanguage = PluginManager.shared.editorLanguage(for: session.connection.type)
+            AppState.shared.currentDatabaseType = session.connection.type
+            AppState.shared.supportsDatabaseSwitching = PluginManager.shared.supportsDatabaseSwitching(
+                for: session.connection.type)
+        } else {
+            AppState.shared.isConnected = false
+            AppState.shared.safeModeLevel = .silent
+            AppState.shared.editorLanguage = .sql
+            AppState.shared.currentDatabaseType = nil
+            AppState.shared.supportsDatabaseSwitching = true
+        }
     }
 
     // MARK: - Actions

TablePro/Core/Database/DatabaseDriver.swift

@@ -317,13 +317,12 @@ extension DatabaseDriver {
 enum DatabaseDriverFactory {
     static func createDriver(for connection: DatabaseConnection) throws -> DatabaseDriver {
         let pluginId = connection.type.pluginTypeId
-        // If the plugin isn't registered yet and background loading hasn't finished,
-        // fall back to synchronous loading for this critical code path.
-        if PluginManager.shared.driverPlugins[pluginId] == nil,
-           !PluginManager.shared.hasFinishedInitialLoad {
-            PluginManager.shared.loadPendingPlugins()
-        }
         guard let plugin = PluginManager.shared.driverPlugins[pluginId] else {
+            // If background loading hasn't finished yet, throw a specific error
+            // instead of blocking the main thread with synchronous plugin loading.
+            if !PluginManager.shared.hasFinishedInitialLoad {
+                throw PluginError.pluginNotLoaded(pluginId)
+            }
             if connection.type.isDownloadablePlugin {
                 throw PluginError.pluginNotInstalled(connection.type.rawValue)
             }

TablePro/Core/Plugins/PluginError.swift

@@ -20,6 +20,7 @@ enum PluginError: LocalizedError {
     case pluginNotInstalled(String)
     case incompatibleWithCurrentApp(minimumRequired: String)
     case invalidDescriptor(pluginId: String, reason: String)
+    case pluginNotLoaded(String)
 
     var errorDescription: String? {
         switch self {
@@ -51,6 +52,8 @@ enum PluginError: LocalizedError {
             return String(localized: "This plugin requires TablePro \(minimumRequired) or later")
         case .invalidDescriptor(let pluginId, let reason):
             return String(localized: "Plugin '\(pluginId)' has an invalid descriptor: \(reason)")
+        case .pluginNotLoaded(let databaseType):
+            return String(localized: "The \(databaseType) driver plugin is still loading. Please try again in a moment.")
         }
     }
 }

TablePro/Core/Plugins/PluginManager.swift

@@ -142,6 +142,14 @@ final class PluginManager {
                     logger.error("User plugin \(entry.url.lastPathComponent) has outdated PluginKit v\(pluginKitVersion)")
                     continue
                 }
+
+                // Verify code signature off the main thread (disk I/O in SecStaticCodeCheckValidity)
+                do {
+                    try verifyCodeSignatureStatic(bundle: bundle)
+                } catch {
+                    logger.error("Code signature verification failed for \(entry.url.lastPathComponent): \(error.localizedDescription)")
+                    continue
+                }
             }
 
             // Heavy I/O: dynamic linker resolution, C bridge library initialization
@@ -308,7 +316,8 @@ final class PluginManager {
                     current: pluginKitVersion
                 )
             }
-            try verifyCodeSignature(bundle: bundle)
+            // Code signature verification is deferred to loadBundlesOffMain()
+            // to avoid blocking the main thread with SecStaticCodeCheckValidity disk I/O.
         }
 
         pendingPluginURLs.append((url: url, source: source))
@@ -1048,13 +1057,21 @@ final class PluginManager {
     private static let signingTeamId = "D7HJ5TFYCU"
 
     private func createSigningRequirement() -> SecRequirement? {
+        Self.createSigningRequirementStatic()
+    }
+
+    nonisolated private static func createSigningRequirementStatic() -> SecRequirement? {
         var requirement: SecRequirement?
-        let requirementString = "anchor apple generic and certificate leaf[subject.OU] = \"\(Self.signingTeamId)\"" as CFString
+        let requirementString = "anchor apple generic and certificate leaf[subject.OU] = \"\(signingTeamId)\"" as CFString
         SecRequirementCreateWithString(requirementString, SecCSFlags(), &requirement)
         return requirement
     }
 
     private func verifyCodeSignature(bundle: Bundle) throws {
+        try Self.verifyCodeSignatureStatic(bundle: bundle)
+    }
+
+    nonisolated private static func verifyCodeSignatureStatic(bundle: Bundle) throws {
         var staticCode: SecStaticCode?
         let createStatus = SecStaticCodeCreateWithPath(
             bundle.bundleURL as CFURL,
@@ -1064,11 +1081,11 @@ final class PluginManager {
 
         guard createStatus == errSecSuccess, let code = staticCode else {
             throw PluginError.signatureInvalid(
-                detail: Self.describeOSStatus(createStatus)
+                detail: describeOSStatus(createStatus)
             )
         }
 
-        let requirement = createSigningRequirement()
+        let requirement = createSigningRequirementStatic()
 
         let checkStatus = SecStaticCodeCheckValidity(
             code,
@@ -1078,12 +1095,12 @@ final class PluginManager {
 
         guard checkStatus == errSecSuccess else {
             throw PluginError.signatureInvalid(
-                detail: Self.describeOSStatus(checkStatus)
+                detail: describeOSStatus(checkStatus)
             )
         }
     }
 
-    private static func describeOSStatus(_ status: OSStatus) -> String {
+    nonisolated private static func describeOSStatus(_ status: OSStatus) -> String {
         switch status {
         case -67_062: return "bundle is not signed"
         case -67_061: return "code signature is invalid"

TablePro/Core/SSH/HostKeyVerifier.swift

@@ -15,8 +15,7 @@ internal enum HostKeyVerifier {
     private static let logger = Logger(subsystem: "com.TablePro", category: "HostKeyVerifier")
 
     /// Verify the host key, prompting the user if needed.
-    /// This method blocks the calling thread while showing UI prompts.
-    /// Must be called from a background thread.
+    /// Uses `withCheckedContinuation` to await UI prompts without blocking the cooperative thread pool.
     /// - Parameters:
     ///   - keyData: The raw host key bytes from the SSH session
     ///   - keyType: The key type string (e.g. "ssh-rsa", "ssh-ed25519")
@@ -28,7 +27,7 @@ internal enum HostKeyVerifier {
         keyType: String,
         hostname: String,
         port: Int
-    ) throws {
+    ) async throws {
         let result = HostKeyStore.shared.verify(
             keyData: keyData,
             keyType: keyType,
@@ -43,7 +42,7 @@ internal enum HostKeyVerifier {
 
         case .unknown(let fingerprint, let keyType):
             logger.info("Unknown host key for [\(hostname)]:\(port), prompting user")
-            let accepted = promptUnknownHost(
+            let accepted = await promptUnknownHost(
                 hostname: hostname,
                 port: port,
                 fingerprint: fingerprint,
@@ -62,7 +61,7 @@ internal enum HostKeyVerifier {
 
         case .mismatch(let expected, let actual):
             logger.warning("Host key mismatch for [\(hostname)]:\(port)")
-            let accepted = promptHostKeyMismatch(
+            let accepted = await promptHostKeyMismatch(
                 hostname: hostname,
                 port: port,
                 expected: expected,
@@ -83,17 +82,14 @@ internal enum HostKeyVerifier {
 
     // MARK: - UI Prompts
 
-    /// Show a dialog asking the user whether to trust an unknown host
-    /// Blocks the calling thread until the user responds.
+    /// Show a dialog asking the user whether to trust an unknown host.
+    /// Suspends until the user responds, without blocking any thread.
     private static func promptUnknownHost(
         hostname: String,
         port: Int,
         fingerprint: String,
         keyType: String
-    ) -> Bool {
-        let semaphore = DispatchSemaphore(value: 0)
-        var accepted = false
-
+    ) async -> Bool {
         let hostDisplay = "[\(hostname)]:\(port)"
         let title = String(localized: "Unknown SSH Host")
         let message = String(localized: """
@@ -105,34 +101,29 @@ internal enum HostKeyVerifier {
             Are you sure you want to continue connecting?
             """)
 
-        DispatchQueue.main.async {
-            let alert = NSAlert()
-            alert.messageText = title
-            alert.informativeText = message
-            alert.alertStyle = .informational
-            alert.addButton(withTitle: String(localized: "Trust"))
-            alert.addButton(withTitle: String(localized: "Cancel"))
-
-            let response = alert.runModal()
-            accepted = (response == .alertFirstButtonReturn)
-            semaphore.signal()
+        return await withCheckedContinuation { continuation in
+            DispatchQueue.main.async {
+                let alert = NSAlert()
+                alert.messageText = title
+                alert.informativeText = message
+                alert.alertStyle = .informational
+                alert.addButton(withTitle: String(localized: "Trust"))
+                alert.addButton(withTitle: String(localized: "Cancel"))
+
+                let response = alert.runModal()
+                continuation.resume(returning: response == .alertFirstButtonReturn)
+            }
         }
-
-        semaphore.wait()
-        return accepted
     }
 
-    /// Show a warning dialog about a changed host key (potential MITM attack)
-    /// Blocks the calling thread until the user responds.
+    /// Show a warning dialog about a changed host key (potential MITM attack).
+    /// Suspends until the user responds, without blocking any thread.
     private static func promptHostKeyMismatch(
         hostname: String,
         port: Int,
         expected: String,
         actual: String
-    ) -> Bool {
-        let semaphore = DispatchSemaphore(value: 0)
-        var accepted = false
-
+    ) async -> Bool {
         let hostDisplay = "[\(hostname)]:\(port)"
         let title = String(localized: "SSH Host Key Changed")
         let message = String(localized: """
@@ -144,24 +135,22 @@ internal enum HostKeyVerifier {
             Current fingerprint: \(actual)
             """)
 
-        DispatchQueue.main.async {
-            let alert = NSAlert()
-            alert.messageText = title
-            alert.informativeText = message
-            alert.alertStyle = .critical
-            alert.addButton(withTitle: String(localized: "Connect Anyway"))
-            alert.addButton(withTitle: String(localized: "Disconnect"))
-
-            // Make "Disconnect" the default button (Return key) instead of "Connect Anyway"
-            alert.buttons[1].keyEquivalent = "\r"
-            alert.buttons[0].keyEquivalent = ""
-
-            let response = alert.runModal()
-            accepted = (response == .alertFirstButtonReturn)
-            semaphore.signal()
+        return await withCheckedContinuation { continuation in
+            DispatchQueue.main.async {
+                let alert = NSAlert()
+                alert.messageText = title
+                alert.informativeText = message
+                alert.alertStyle = .critical
+                alert.addButton(withTitle: String(localized: "Connect Anyway"))
+                alert.addButton(withTitle: String(localized: "Disconnect"))
+
+                // Make "Disconnect" the default button (Return key) instead of "Connect Anyway"
+                alert.buttons[1].keyEquivalent = "\r"
+                alert.buttons[0].keyEquivalent = ""
+
+                let response = alert.runModal()
+                continuation.resume(returning: response == .alertFirstButtonReturn)
+            }
         }
-
-        semaphore.wait()
-        return accepted
     }
 }