Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: 2.0.0-alpha.9 — security & correctness hardening (Void 3.0 quick wins)

Browse Source 
- Q3: prod void DB role NOSUPERUSER (vector marked trusted; deploy/README documents it)
- Q4: buildChildEnv allow-list for the claude subprocess (no OWNER_TOKEN/DATABASE_URL/secrets leak)
- Q5: pending-change approve claims-before-applying + reopens on failure (no re-approvable dup)
- Q6: /capture/upload validates space_id (UUID+existence); pg pool statement_timeout 30s
- Q9: disabled failing syncoid-donatello timer on Z

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
root
2026-06-03 07:54:57 +10:00
parent 1e1d0c539d
commit 925cb0d7d6
12 changed files with 150 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/db/repos/pending_changes.js
View File

@@ -30,3 +30,12 @@ export async function resolve(id, status, resolved_by) {
);
return r;
}
// Compensating action: return a claimed change to 'pending' if applying it
// failed, so the owner can retry (prevents a claimed-but-unapplied dead change).
export async function reopen(id) {
await pool.query(
`UPDATE pending_changes SET status='pending', resolved_at=NULL, resolved_by=NULL WHERE id=$1`,
[id]
);
}