chore: 2.0.0-alpha.9 — security & correctness hardening (Void 3.0 quick wins)

- Q3: prod void DB role NOSUPERUSER (vector marked trusted; deploy/README documents it)
- Q4: buildChildEnv allow-list for the claude subprocess (no OWNER_TOKEN/DATABASE_URL/secrets leak)
- Q5: pending-change approve claims-before-applying + reopens on failure (no re-approvable dup)
- Q6: /capture/upload validates space_id (UUID+existence); pg pool statement_timeout 30s
- Q9: disabled failing syncoid-donatello timer on Z

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/ai/claude_cli_env.test.js

@@ -0,0 +1,36 @@
+import { describe, it, expect } from 'vitest';
+import { buildChildEnv } from '../../lib/ai/claude_cli.js';
+
+describe('buildChildEnv (Q4 — claude child env allow-list)', () => {
+  const parent = {
+    PATH: '/usr/bin', HOME: '/root', LANG: 'C.UTF-8', TERM: 'xterm',
+    CLAUDE_EXE: '/usr/bin/claude', CLAUDE_CONFIG_DIR: '/cfg',
+    OWNER_TOKEN: 'secret-owner', DATABASE_URL: 'postgres://void:pw@db/void',
+    KARAKEEP_API_TOKEN: 'kk', ANTHROPIC_API_KEY: 'sk-ant', ANTHROPIC_AUTH_TOKEN: 'tok',
+    VOID_TOOL_REGISTRY: 'security'
+  };
+
+  it('passes through benign system + CLAUDE_* vars', () => {
+    const env = buildChildEnv(parent);
+    expect(env.PATH).toBe('/usr/bin');
+    expect(env.LANG).toBe('C.UTF-8');
+    expect(env.TERM).toBe('xterm');
+    expect(env.CLAUDE_EXE).toBe('/usr/bin/claude');
+    expect(env.CLAUDE_CONFIG_DIR).toBe('/cfg');
+  });
+
+  it('NEVER leaks app secrets or API keys into the child', () => {
+    const env = buildChildEnv(parent);
+    expect(env.OWNER_TOKEN).toBeUndefined();
+    expect(env.DATABASE_URL).toBeUndefined();
+    expect(env.KARAKEEP_API_TOKEN).toBeUndefined();
+    expect(env.ANTHROPIC_API_KEY).toBeUndefined();
+    expect(env.ANTHROPIC_AUTH_TOKEN).toBeUndefined();
+    expect(env.VOID_TOOL_REGISTRY).toBeUndefined();
+  });
+
+  it('uses the home override for HOME when given', () => {
+    expect(buildChildEnv(parent, '/var/lib/void').HOME).toBe('/var/lib/void');
+    expect(buildChildEnv(parent).HOME).toBe('/root');
+  });
+});

tests/api/capture.test.js

@@ -58,6 +58,20 @@ describe('capture api', () => {
     expect(rows[0].kind).toBe('file');
   });
 
+  it('POST /api/capture/upload rejects a non-UUID space_id (Q6)', async () => {
+    const res = await request(app).post('/api/capture/upload').set(ownerHeaders)
+      .field('space_id', 'not-a-uuid')
+      .attach('file', Buffer.from('hi'), { filename: 'a.txt', contentType: 'text/plain' });
+    expect(res.status).toBe(400);
+  });
+
+  it('POST /api/capture/upload rejects a non-existent space (Q6)', async () => {
+    const res = await request(app).post('/api/capture/upload').set(ownerHeaders)
+      .field('space_id', '00000000-0000-0000-0000-000000000000')
+      .attach('file', Buffer.from('hi'), { filename: 'a.txt', contentType: 'text/plain' });
+    expect(res.status).toBe(404);
+  });
+
   it('POST /api/capture rejects missing url', async () => {
     const res = await request(app).post('/api/capture').set(ownerHeaders)
       .send({ space_id: sp.id });

tests/api/pending_changes.test.js

@@ -5,6 +5,7 @@ import * as spacesRepo from '../../lib/db/repos/spaces.js';
 import * as projectsRepo from '../../lib/db/repos/projects.js';
 import * as pagesRepo from '../../lib/db/repos/pages.js';
 import * as agentsRepo from '../../lib/db/repos/agents.js';
+import * as pendingChanges from '../../lib/db/repos/pending_changes.js';
 
 let app, ownerHeaders, space, project, page;
 const owner = { kind: 'user', id: null };
@@ -144,6 +145,22 @@ describe('pending_changes routes', () => {
     expect(second.status).toBe(409);
   });
 
+  it('apply failure reopens the change to pending (Q5 — no claimed-but-unapplied)', async () => {
+    const { agent } = await mintSuggestAgent(`sug-fail-${Date.now()}`);
+    // A page-create whose apply will FK-fail: space_id points at no space.
+    const change = await pendingChanges.create({
+      agent_id: agent.id, entity_type: 'page', action: 'create',
+      payload: { space_id: '00000000-0000-0000-0000-000000000000', slug: 'x', title: 'X' },
+      reason: 'test'
+    });
+    const ap = await request(app)
+      .post(`/api/pending-changes/${change.id}/approve`).set(ownerHeaders);
+    expect(ap.status).toBe(500);                 // apply threw (FK violation)
+    const after = await pendingChanges.getById(change.id);
+    expect(after.status).toBe('pending');        // claimed-then-reopened, retryable
+    expect(after.resolved_at).toBeNull();
+  });
+
   it('reject-then-approve → 409', async () => {
     const { headers } = await mintSuggestAgent(`sug-ra-${Date.now()}`);
     const sug = await request(app).post(`/api/spaces/${space.id}/pages`).set(headers)