fix(pending): allow suggest-tier 'upsert' drafts; make dependency wiring owner-only

The pending_changes.action CHECK only permitted create/update/delete, so a
suggest-tier agent hitting POST /api/refs/upsert (or the resource dependency
routes) 500'd on the INSERT (docs/security-followups.md HIGH finding).

- migration 009: widen CHECK to include 'upsert'
- applyPendingChange: dispatch 'upsert' -> refsRepo.upsertByExternal on approve
- resources.js: add_dependency/remove_dependency are now owner-only (requireOwner),
  infra wiring is never diverted to pending_changes
- tests/api/pending_extended_actions.test.js: regression coverage

Full suite green (278 pass / 1 skip).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

lib/api/routes/pending_changes.js

@@ -22,10 +22,10 @@ const REPOS = {
   source_doc: sourceDocsRepo
 };
 
-// Action dispatch only supports the three CHECK-allowed actions on
-// pending_changes. Extended actions like 'upsert' / 'add_dependency' /
-// 'remove_dependency' are surfaced from a few routes but are blocked at
-// the DB level today — see docs/security-followups.md.
+// Action dispatch for approving a pending_change. 'create'/'update'/'delete'
+// plus 'upsert' (the suggestion path from POST /api/refs/upsert). Dependency
+// mutations are owner-only and never reach pending_changes — see
+// docs/security-followups.md.
 export async function applyPendingChange(row, actor) {
   const repo = REPOS[row.entity_type];
   if (!repo) throw new ValidationError(`unsupported entity_type for approval: ${row.entity_type}`);
@@ -34,6 +34,10 @@ export async function applyPendingChange(row, actor) {
       const created = await repo.create(row.payload, actor);
       return created.id;
     }
+    case 'upsert': {
+      const row_ = await repo.upsertByExternal(row.payload, actor);
+      return row_.id;
+    }
     case 'update': {
       await repo.update(row.entity_id, row.payload, actor);
       return row.entity_id;