chore: 2.0.0-alpha.9 — security & correctness hardening (Void 3.0 quick wins)

- Q3: prod void DB role NOSUPERUSER (vector marked trusted; deploy/README documents it) - Q4: buildChildEnv allow-list for the claude subprocess (no OWNER_TOKEN/DATABASE_URL/secrets leak) - Q5: pending-change approve claims-before-applying + reopens on failure (no re-approvable dup) - Q6: /capture/upload validates space_id (UUID+existence); pg pool statement_timeout 30s - Q9: disabled failing syncoid-donatello timer on Z Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 07:54:57 +10:00
parent 1e1d0c539d
commit 925cb0d7d6
12 changed files with 150 additions and 11 deletions
--- a/tests/api/capture.test.js
+++ b/tests/api/capture.test.js
@@ -58,6 +58,20 @@ describe('capture api', () => {
    expect(rows[0].kind).toBe('file');
  });

+  it('POST /api/capture/upload rejects a non-UUID space_id (Q6)', async () => {
+    const res = await request(app).post('/api/capture/upload').set(ownerHeaders)
+      .field('space_id', 'not-a-uuid')
+      .attach('file', Buffer.from('hi'), { filename: 'a.txt', contentType: 'text/plain' });
+    expect(res.status).toBe(400);
+  });
+
+  it('POST /api/capture/upload rejects a non-existent space (Q6)', async () => {
+    const res = await request(app).post('/api/capture/upload').set(ownerHeaders)
+      .field('space_id', '00000000-0000-0000-0000-000000000000')
+      .attach('file', Buffer.from('hi'), { filename: 'a.txt', contentType: 'text/plain' });
+    expect(res.status).toBe(404);
+  });
+
  it('POST /api/capture rejects missing url', async () => {
    const res = await request(app).post('/api/capture').set(ownerHeaders)
      .send({ space_id: sp.id });
--- a/tests/api/pending_changes.test.js
+++ b/tests/api/pending_changes.test.js
@@ -5,6 +5,7 @@ import * as spacesRepo from '../../lib/db/repos/spaces.js';
 import * as projectsRepo from '../../lib/db/repos/projects.js';
 import * as pagesRepo from '../../lib/db/repos/pages.js';
 import * as agentsRepo from '../../lib/db/repos/agents.js';
+import * as pendingChanges from '../../lib/db/repos/pending_changes.js';

 let app, ownerHeaders, space, project, page;
 const owner = { kind: 'user', id: null };
@@ -144,6 +145,22 @@ describe('pending_changes routes', () => {
    expect(second.status).toBe(409);
  });

+  it('apply failure reopens the change to pending (Q5 — no claimed-but-unapplied)', async () => {
+    const { agent } = await mintSuggestAgent(`sug-fail-${Date.now()}`);
+    // A page-create whose apply will FK-fail: space_id points at no space.
+    const change = await pendingChanges.create({
+      agent_id: agent.id, entity_type: 'page', action: 'create',
+      payload: { space_id: '00000000-0000-0000-0000-000000000000', slug: 'x', title: 'X' },
+      reason: 'test'
+    });
+    const ap = await request(app)
+      .post(`/api/pending-changes/${change.id}/approve`).set(ownerHeaders);
+    expect(ap.status).toBe(500);                 // apply threw (FK violation)
+    const after = await pendingChanges.getById(change.id);
+    expect(after.status).toBe('pending');        // claimed-then-reopened, retryable
+    expect(after.resolved_at).toBeNull();
+  });
+
  it('reject-then-approve → 409', async () => {
    const { headers } = await mintSuggestAgent(`sug-ra-${Date.now()}`);
    const sug = await request(app).post(`/api/spaces/${space.id}/pages`).set(headers)