Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(pending): allow suggest-tier 'upsert' drafts; make dependency wiring owner-only

Browse Source 
The pending_changes.action CHECK only permitted create/update/delete, so a
suggest-tier agent hitting POST /api/refs/upsert (or the resource dependency
routes) 500'd on the INSERT (docs/security-followups.md HIGH finding).

- migration 009: widen CHECK to include 'upsert'
- applyPendingChange: dispatch 'upsert' -> refsRepo.upsertByExternal on approve
- resources.js: add_dependency/remove_dependency are now owner-only (requireOwner),
  infra wiring is never diverted to pending_changes
- tests/api/pending_extended_actions.test.js: regression coverage

Full suite green (278 pass / 1 skip).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
root
2026-06-01 23:19:44 +10:00
parent 8ce97bbacc
commit c591b2aed1
5 changed files with 133 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
lib/api/routes/resources.js
View File

@@ -5,7 +5,7 @@ import * as sourceDocs from '../../db/repos/source_docs.js';
import * as audit from '../../db/repos/audit.js';
import { validate } from '../validate.js';
import { NotFoundError, ValidationError, ConflictError, asyncWrap } from '../errors.js';
import { requireWrite, divertToPending } from '../cap.js';
import { requireWrite, requireOwner, divertToPending } from '../cap.js';
const RUNTIME = ['lxc', 'vm', 'docker', 'bare-metal'];
const STATUSES = ['running', 'stopped', 'down', 'unknown'];
@@ -103,18 +103,14 @@ router.delete('/:id',
})
);
// Dependency wiring is infra-level: owner-only, never diverted to pending_changes.
router.post('/:id/dependencies',
requireWrite('resource'),
requireOwner,
validate({ params: idParams, body: depBody }),
asyncWrap(async (req, res) => {
if (req.params.id === req.body.depends_on) {
throw new ValidationError('resource cannot depend on itself');
}
if (req.capTier === 'suggest') {
return divertToPending(req, res, {
entity_type: 'resource', entity_id: req.params.id, action: 'add_dependency', payload: req.body
});
}
try {
await repo.addDependency(req.params.id, req.body.depends_on, req.body.kind);
res.status(201).json({ resource_id: req.params.id, depends_on: req.body.depends_on });
@@ -135,15 +131,9 @@ router.get('/:id/dependencies',
);
router.delete('/:id/dependencies/:dep_id',
requireWrite('resource'),
requireOwner,
validate({ params: depParams }),
asyncWrap(async (req, res) => {
if (req.capTier === 'suggest') {
return divertToPending(req, res, {
entity_type: 'resource', entity_id: req.params.id, action: 'remove_dependency',
payload: { depends_on: req.params.dep_id }
});
}
await repo.removeDependency(req.params.id, req.params.dep_id);
res.status(204).end();
})