-- Allow the legitimate suggestion action 'upsert' on pending_changes.
-- A suggest-tier agent hitting POST /api/refs/upsert previously 500'd because
-- the inline CHECK only permitted create/update/delete (docs/security-followups.md).
-- 'add_dependency' / 'remove_dependency' are intentionally NOT added here:
-- those routes become owner-only and never divert to pending_changes.
ALTER TABLE pending_changes DROP CONSTRAINT IF EXISTS pending_changes_action_check;
ALTER TABLE pending_changes
  ADD CONSTRAINT pending_changes_action_check
  CHECK (action IN ('create','update','delete','upsert'));