
Samples updates#1458

Merged
jshcodes merged 3 commits into CrowdStrike:samples from alhumaw:samples-updates, May 7, 2026
Conversation

@alhumaw
Contributor

@alhumaw alhumaw commented May 7, 2026

Sample Bug Fixes

alerts_triage.py

| Bug | Fix |
| --- | --- |
| `pyqtSignal(int, bool)` emitting a string. `meta.get("offset", "")` crashes at runtime | Changed default to `0` |
| No `closeEvent`. Segfault if user closes during a fetch | Added `closeEvent` that cancels and waits on workers |
| FQL time-filter detection used substring matching. `"last_"` in a hostname falsely suppressed the default time window | Changed to match `fieldname:` pattern instead |
| `Qt.CheckState.Checked.value` comparison is fragile across Qt versions | Changed to `Qt.CheckState(state) == Qt.CheckState.Checked` |

device_control_policy_manager.py

| Bug | Fix |
| --- | --- |
| No `closeEvent`. Workers never stopped on close | Added `closeEvent` that waits on `_active_workers` |
| `performDeviceControlPoliciesAction` raw operation ID used alongside Pythonic names | Renamed to `perform_action` (live-verified) |
| Two SDK instances with same credentials. Double OAuth2 token exchange | Second instance now uses `auth_object=sdk` (live-verified) |
| No validation on vendor/product ID fields despite label saying "4-digit hex" | Added hex range validation in `_on_accept` |
| `ExceptionDialog` had 9 `@property` methods, each a one-liner on a throwaway dialog | Removed all properties; call site reads widget values directly |

filevantage_monitor.py

| Bug | Fix |
| --- | --- |
| Debug `print()` statements fired on every auto-refresh | Removed |
| Demo fixtures used `file_path` but real API uses `entity_path`. Demo exercised the wrong code path | Updated demo fixtures to use `entity_path` |
| New SDK instance created inside `FetchChangesWorker.run()`. New OAuth2 token every 30s | SDK created once in `FileVantageWindow.__init__`, passed to workers |
| `import time` inside `SuppressWorker.run()` | Moved to top-level imports |
| `closeEvent` called `worker.wait()` with no timeout. App could hang up to 30s on close | Changed to `worker.wait(5000)` |

high_activity_hosts.py

| Bug | Fix |
| --- | --- |
| `Lock` imported but never used | Removed from import |
| `os._exit()` at end of `main` bypasses Python shutdown | Replaced with `sys.exit()` |
| `datetime.utcnow()` deprecated since Python 3.12. Live `DeprecationWarning` confirmed (5 call sites) | Changed to `datetime.now(timezone.utc)` |
| `max_workers` parameter in `count_alerts_by_host` documented as unused | Removed parameter and updated all call sites |
| Demo data missing the < 1 hour recency tier present in real scoring | Added all three tiers (<1h, <24h, <72h) |

ods_manager.py

| Bug | Fix |
| --- | --- |
| `_loading` flag written from background thread without lock. Race with 15s poll timer | Both read and write now protected by `self._lock` |
| `wx.MessageDialog` created inline with `.ShowModal()` but never `.Destroy()`. Native window handle leak | All dialogs now assigned to a variable and `Destroy()` called after `ShowModal()` |
| Two SDK instances with same credentials. Double OAuth2 token exchange | Second instance now uses `auth_object=sdk` (live-verified) |

rtr_replay.py

| Bug | Fix |
| --- | --- |
| `format_duration` annotated as `float` but checks for `None` | Changed annotation to `Optional[float]` |
| `consume_arguments` return type annotated as `object` | Changed to `-> Namespace` |
| Missing credentials silently fell back to demo mode. Typo in env var showed fake data with no warning | Demo mode now requires explicit `--demo` flag |
| `limit` cast to `str` in `call_audit_sessions`. FalconPy accepts `int` | Removed `str()` cast |
| Separator width inconsistency: `"=" * 70` in one function, `"-" * 68` in another | Standardised to 70 |

rtr_replay_gui.py

| Bug | Fix |
| --- | --- |
| `closeEvent` called `worker.terminate()`. Same file documents this corrupts Python's GIL in urllib3/SSL | Removed `terminate()` call; OS reclaims thread on exit |
| `PrefetchWorker` created a new SDK instance on every loop iteration. New OAuth2 token per page | SDK instantiated once before the loop |
| `SessionFilterProxy` was an empty subclass of `QSortFilterProxyModel` with no methods | Removed; replaced with `QSortFilterProxyModel` directly |
| Easter egg (`_ClickableLabel`, `_show_easter_egg`, `_PUNK_SPIDER_PATH`) in a production sample | Removed |
| `consume_arguments` return type annotated as `object` | Changed to `-> Namespace` |

spotlight_vuln_dashboard.py

| Bug | Fix |
| --- | --- |
| `_build_fql` function defined but never called | Removed |
| Double-click handler used visual row index into `_filtered_records`. Opens wrong CVE after sorting | Record now stored in `Qt.UserRole` at insert time; handler reads from there |
| URL construction for named regions was wrong. `"us1"` produced `https://api.us1.crowdstrike.com` | Pass region string directly to FalconPy; SDK handles resolution (live-verified) |
| `_after_token` assigned then immediately suppressed with `# noqa: F841` | Removed the unused variable |
| Two SDK instances with same credentials. Double OAuth2 token exchange | Second instance now uses `auth_object=sdk` (live-verified) |

tailored_intel_browser.py

| Bug | Fix |
| --- | --- |
| `_scrub_credentials_from_argv` mutated `sys.argv`, then `KIVY_NO_ARGS="1"` was set immediately after, making the mutation pointless | Removed scrub function; `KIVY_NO_ARGS` set before Kivy imports, standard `argparse` used in `main()` |
| 80-line Lua-table parser handling a format the API does not return | Replaced with a simple `json.loads` call |
| `datetime.utcfromtimestamp` deprecated since Python 3.12. Live `DeprecationWarning` confirmed | Changed to `datetime.fromtimestamp(ts, tz=timezone.utc)` |
| `import re` and `import sys` with no usage | Removed |
| `EventRecord._raw` stored a reference to the raw dict. Caller mutation changed stored data | Changed to `dict(raw)` copy |
| `TabButton` Python class had no methods or properties | Removed |

zta_score_viewer.py

| Bug | Fix |
| --- | --- |
| `fetch_bucket_counts` made 11 separate API calls; `_build_buckets` did the same client-side for free | Deleted `fetch_bucket_counts`; call sites now use `_build_buckets` |
| `_api_after_token` and `_has_more_api_data` written from background thread without lock | Writes moved inside `with self.state.lock` |
| `float(None)` crash when API returns `overall: null`. Confirmed live with `TypeError` | Changed to `float(assessment.get("overall") or raw.get("score") or 0)` |
| `fetch_audit` returned identical value for both success and failure. Caller could not distinguish | Changed return type to `tuple[bool, dict]`; success returns `(True, body)` |
| Two SDK instances with same credentials. Double OAuth2 token exchange | Second instance now uses `auth_object=sdk` (live-verified) |
| `_refresh_pending` accessed as protected member outside `AppState` | Renamed to `refresh_pending` (public) |
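The alerts_triage.py FQL time-filter fix described above, as an added example that is not the PR's or the FalconPy samples' code: the substring check the PR describes beside a field-position check, plus the default-window step it guards. The time-field names, the window clause and the sample filters are constructed assumptions.

```python
import re

# Assumption (not from the PR): FQL fields the triage tool treats as
# time filters. The real sample's field list is not shown in the PR.
TIME_FIELDS = frozenset(
    {"created_timestamp", "updated_timestamp", "last_updated_timestamp"}
)

# A field name sits at the start of the filter or right after an FQL
# operator ('+' is AND, ',' is OR) or an opening parenthesis, and ends at ':'.
_FIELD_RE = re.compile(r"(?:^|[+,(])\s*(?P<field>[A-Za-z_][A-Za-z0-9_.]*)\s*:")
_LITERAL_RE = re.compile(r"'[^']*'|\"[^\"]*\"")


def has_time_filter_substring(fql: str) -> bool:
    """Pre-fix logic as the PR describes it (reconstructed, not the
    sample's code): any substring hit counts as a time filter, so a
    hostname containing 'last_' suppresses the default window."""
    return "last_" in fql or any(name in fql for name in TIME_FIELDS)


def has_time_filter(fql: str) -> bool:
    """Post-fix logic: only a time field in field position counts.
    String literals are blanked first so a quoted value cannot forge
    a 'field:' position."""
    stripped = _LITERAL_RE.sub("''", fql)
    return any(m.group("field") in TIME_FIELDS for m in _FIELD_RE.finditer(stripped))


def apply_default_window(fql: str, window_clause: str) -> str:
    """AND the default time window onto the user filter unless the user
    already constrained time themselves."""
    if not fql.strip():
        return window_clause
    if has_time_filter(fql):
        return fql
    return f"{fql}+{window_clause}"


if __name__ == "__main__":
    # Constructed inputs; the hostname is the false-positive case from the PR.
    window = "created_timestamp:>'2026-04-30T00:00:00Z'"
    for fql in ("hostname:'last_backup_srv'",
                "status:'new'+updated_timestamp:<'2026-05-07T00:00:00Z'"):
        print(fql, "substring:", has_time_filter_substring(fql),
              "field:", has_time_filter(fql))
        print("  ->", apply_default_window(fql, window))
```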

@jshcodes jshcodes merged commit f771a12 into CrowdStrike:samples May 7, 2026
3 checks passed