fix(pending): allow suggest-tier 'upsert' drafts; make dependency wiring owner-only

The pending_changes.action CHECK only permitted create/update/delete, so a
suggest-tier agent hitting POST /api/refs/upsert (or the resource dependency
routes) 500'd on the INSERT (docs/security-followups.md HIGH finding).

- migration 009: widen CHECK to include 'upsert'
- applyPendingChange: dispatch 'upsert' -> refsRepo.upsertByExternal on approve
- resources.js: add_dependency/remove_dependency are now owner-only (requireOwner),
  infra wiring is never diverted to pending_changes
- tests/api/pending_extended_actions.test.js: regression coverage

Full suite green (278 pass / 1 skip).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

docs/security-followups.md

@@ -39,6 +39,13 @@ defensible for the alpha. (a) is the right long-term answer.
 
 ## Migration 006 (audit + pending_changes) — Plan 2 finding
 
+> **✅ RESOLVED 2026-06-01** (migration `009_pending_upsert_action.sql`). Applied the
+> recommended fix: (1) `upsert` is now a valid `pending_changes.action` with an
+> approval dispatch arm (`applyPendingChange` → `refsRepo.upsertByExternal`); (3)
+> `add_dependency` / `remove_dependency` routes are now **owner-only** (`requireOwner`)
+> and never divert to `pending_changes`. Regression coverage in
+> `tests/api/pending_extended_actions.test.js`. Original finding kept below for context.
+
 **[HIGH] `pending_changes.action` CHECK constraint blocks extended actions emitted
 by some routes.** The table's CHECK accepts only `('create','update','delete')`,
 but the following routes call `divertToPending` with actions outside that set: