fix: exhaustive nanoflow denylist test, error handling coverage comment, and trailing-dot numeric literal

Author: retran

mdl/executor/cmd_microflows_format_action.go

@@ -1159,7 +1159,7 @@ func isNumericLiteral(s string) bool {
 			return false
 		}
 	}
-	return hasDigit
+	return hasDigit && !(dotSeen && s[len(s)-1] == '.')
 }
 
 // formatImportXmlAction formats an import mapping action as MDL.

mdl/executor/cmd_microflows_format_action_test.go

@@ -742,6 +742,11 @@ func TestIsNumericLiteral(t *testing.T) {
 		{"$42", false},
 		{"1.2.3", false},
 		{"42abc", false},
+		{".", false},
+		{"-.", false},
+		{"5.", false},
+		{".5", true},
+		{"-.5", true},
 	}
 	for _, tt := range tests {
 		got := isNumericLiteral(tt.input)

mdl/executor/cmd_nanoflows_mock_test.go

@@ -303,6 +303,9 @@ func TestShowAccessOnNanoflow_Mock_NotFound(t *testing.T) {
 // --- NANOFLOW VALIDATION ---
 
 func TestValidateNanoflowBody_DisallowedActions(t *testing.T) {
+	// EXHAUSTIVE: every type in checkDisallowedNanoflowAction must appear here.
+	// If a new server-side action is added to the AST but not to the denylist,
+	// add it here so the test fails visibly.
 	tests := []struct {
 		name string
 		stmt ast.MicroflowStatement
@@ -311,9 +314,24 @@ func TestValidateNanoflowBody_DisallowedActions(t *testing.T) {
 		{"RaiseError", &ast.RaiseErrorStmt{}, "ErrorEvent"},
 		{"JavaAction", &ast.CallJavaActionStmt{}, "Java"},
 		{"DatabaseQuery", &ast.ExecuteDatabaseQueryStmt{}, "database"},
+		{"CallExternalAction", &ast.CallExternalActionStmt{}, "external action"},
 		{"ShowHomePage", &ast.ShowHomePageStmt{}, "SHOW HOME PAGE"},
 		{"RestCall", &ast.RestCallStmt{}, "REST"},
+		{"SendRestRequest", &ast.SendRestRequestStmt{}, "REST"},
+		{"ImportFromMapping", &ast.ImportFromMappingStmt{}, "import mapping"},
+		{"ExportToMapping", &ast.ExportToMappingStmt{}, "export mapping"},
+		{"TransformJson", &ast.TransformJsonStmt{}, "JSON transformation"},
 		{"CallWorkflow", &ast.CallWorkflowStmt{}, "workflow"},
+		{"GetWorkflowData", &ast.GetWorkflowDataStmt{}, "workflow"},
+		{"GetWorkflows", &ast.GetWorkflowsStmt{}, "workflow"},
+		{"GetWorkflowActivityRecords", &ast.GetWorkflowActivityRecordsStmt{}, "workflow"},
+		{"WorkflowOperation", &ast.WorkflowOperationStmt{}, "workflow"},
+		{"SetTaskOutcome", &ast.SetTaskOutcomeStmt{}, "workflow"},
+		{"OpenUserTask", &ast.OpenUserTaskStmt{}, "workflow"},
+		{"NotifyWorkflow", &ast.NotifyWorkflowStmt{}, "workflow"},
+		{"OpenWorkflow", &ast.OpenWorkflowStmt{}, "workflow"},
+		{"LockWorkflow", &ast.LockWorkflowStmt{}, "workflow"},
+		{"UnlockWorkflow", &ast.UnlockWorkflowStmt{}, "workflow"},
 	}
 
 	for _, tt := range tests {
@@ -338,6 +356,7 @@ func TestValidateNanoflowBody_AllowedActions(t *testing.T) {
 		{"ShowPage", &ast.ShowPageStmt{}},
 		{"CallMicroflow", &ast.CallMicroflowStmt{}},
 		{"CallNanoflow", &ast.CallNanoflowStmt{}},
+		{"CallJavaScriptAction", &ast.CallJavaScriptActionStmt{}},
 		{"CreateVariable", &ast.DeclareStmt{}},
 		{"ChangeVariable", &ast.MfSetStmt{}},
 	}

mdl/executor/nanoflow_validation.go

@@ -97,6 +97,12 @@ func checkDisallowedNanoflowAction(stmt ast.MicroflowStatement) string {
 }
 
 // getErrorHandling extracts the ErrorHandlingClause from statements that have one.
+//
+// NOTE: This function does not cover all statement types that carry an ErrorHandling
+// field (e.g., CallWorkflowStmt, ShowHomePageStmt, workflow action stmts). That is
+// safe because validateNanoflowStatements checks the denylist FIRST and skips
+// recursion (via continue) for disallowed actions. If the denylist ordering changes,
+// add error handling extraction for those types here.
 func getErrorHandling(stmt ast.MicroflowStatement) *ast.ErrorHandlingClause {
 	switch s := stmt.(type) {
 	case *ast.CreateObjectStmt: