c591b2aed1
The pending_changes.action CHECK only permitted create/update/delete, so a suggest-tier agent hitting POST /api/refs/upsert (or the resource dependency routes) 500'd on the INSERT (docs/security-followups.md HIGH finding). - migration 009: widen CHECK to include 'upsert' - applyPendingChange: dispatch 'upsert' -> refsRepo.upsertByExternal on approve - resources.js: add_dependency/remove_dependency are now owner-only (requireOwner), infra wiring is never diverted to pending_changes - tests/api/pending_extended_actions.test.js: regression coverage Full suite green (278 pass / 1 skip). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
10 lines
600 B
SQL
10 lines
600 B
SQL
-- Allow the legitimate suggestion action 'upsert' on pending_changes.
|
|
-- A suggest-tier agent hitting POST /api/refs/upsert previously 500'd because
|
|
-- the inline CHECK only permitted create/update/delete (docs/security-followups.md).
|
|
-- 'add_dependency' / 'remove_dependency' are intentionally NOT added here:
|
|
-- those routes become owner-only and never divert to pending_changes.
|
|
ALTER TABLE pending_changes DROP CONSTRAINT IF EXISTS pending_changes_action_check;
|
|
ALTER TABLE pending_changes
|
|
ADD CONSTRAINT pending_changes_action_check
|
|
CHECK (action IN ('create','update','delete','upsert'));
|