Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1df0a905a254bf9c32f08591ab12881ed137f710
Void-Homelab/lib/api/routes/resources.js
root c591b2aed1 fix(pending): allow suggest-tier 'upsert' drafts; make dependency wiring owner-only 
The pending_changes.action CHECK only permitted create/update/delete, so a
suggest-tier agent hitting POST /api/refs/upsert (or the resource dependency
routes) 500'd on the INSERT (docs/security-followups.md HIGH finding).

- migration 009: widen CHECK to include 'upsert'
- applyPendingChange: dispatch 'upsert' -> refsRepo.upsertByExternal on approve
- resources.js: add_dependency/remove_dependency are now owner-only (requireOwner),
  infra wiring is never diverted to pending_changes
- tests/api/pending_extended_actions.test.js: regression coverage

Full suite green (278 pass / 1 skip).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-01 23:19:44 +10:00

155 lines
5.1 KiB
JavaScript
Raw Blame History

import { Router } from 'express';
import { z } from 'zod';
import * as repo from '../../db/repos/resources.js';
import * as sourceDocs from '../../db/repos/source_docs.js';
import * as audit from '../../db/repos/audit.js';
import { validate } from '../validate.js';
import { NotFoundError, ValidationError, ConflictError, asyncWrap } from '../errors.js';
import { requireWrite, requireOwner, divertToPending } from '../cap.js';
const RUNTIME = ['lxc', 'vm', 'docker', 'bare-metal'];
const STATUSES = ['running', 'stopped', 'down', 'unknown'];
const baseFields = {
slug: z.string().min(1).max(64).regex(/^[a-z0-9-]+$/),
name: z.string().min(1).max(200),
runtime_type: z.enum(RUNTIME),
host: z.string().nullable().optional(),
url: z.string().nullable().optional(),
version: z.string().nullable().optional(),
status: z.enum(STATUSES).optional(),
monitoring: z.record(z.string(), z.any()).nullable().optional(),
metadata: z.record(z.string(), z.any()).nullable().optional(),
last_check: z.string().datetime().nullable().optional(),
maintenance_until: z.string().datetime().nullable().optional()
};
const createSchema = z.object(baseFields);
const patchSchema = z.object(Object.fromEntries(
Object.entries(baseFields).map(([k, v]) => [k, v.optional()])
));
const idParams = z.object({ id: z.string().uuid() });
const spaceParams = z.object({ space_id: z.string().uuid() });
const depParams = z.object({ id: z.string().uuid(), dep_id: z.string().uuid() });
const depBody = z.object({
depends_on: z.string().uuid(),
kind: z.string().nullable().optional()
});
export const router = Router();
export const spacesScopedRouter = Router({ mergeParams: true });
spacesScopedRouter.get('/',
validate({ params: spaceParams }),
asyncWrap(async (req, res) => { res.json(await repo.listBySpace(req.params.space_id)); })
);
spacesScopedRouter.post('/',
requireWrite('resource'),
validate({ params: spaceParams, body: createSchema }),
asyncWrap(async (req, res) => {
const payload = { ...req.body, space_id: req.params.space_id };
if (req.capTier === 'suggest') {
return divertToPending(req, res, { entity_type: 'resource', action: 'create', payload });
}
try {
const row = await repo.create(payload, req.actor);
res.status(201).json(row);
} catch (e) {
if (e.code === '23503') throw new ValidationError('invalid space', { space_id: req.params.space_id });
throw e;
}
})
);
router.get('/:id',
validate({ params: idParams }),
asyncWrap(async (req, res) => {
const row = await repo.getById(req.params.id);
if (!row) throw new NotFoundError('resource not found');
res.json(row);
})
);
router.patch('/:id',
requireWrite('resource'),
validate({ params: idParams, body: patchSchema }),
asyncWrap(async (req, res) => {
const existing = await repo.getById(req.params.id);
if (!existing) throw new NotFoundError('resource not found');
if (req.capTier === 'suggest') {
return divertToPending(req, res, {
entity_type: 'resource', entity_id: req.params.id, action: 'update', payload: req.body
});
}
res.json(await repo.update(req.params.id, req.body, req.actor));
})
);
router.delete('/:id',
requireWrite('resource'),
validate({ params: idParams }),
asyncWrap(async (req, res) => {
const existing = await repo.getById(req.params.id);
if (!existing) throw new NotFoundError('resource not found');
if (req.capTier === 'suggest') {
return divertToPending(req, res, {
entity_type: 'resource', entity_id: req.params.id, action: 'delete', payload: {}
});
}
await repo.del(req.params.id, req.actor);
res.status(204).end();
})
);
// Dependency wiring is infra-level: owner-only, never diverted to pending_changes.
router.post('/:id/dependencies',
requireOwner,
validate({ params: idParams, body: depBody }),
asyncWrap(async (req, res) => {
if (req.params.id === req.body.depends_on) {
throw new ValidationError('resource cannot depend on itself');
}
try {
await repo.addDependency(req.params.id, req.body.depends_on, req.body.kind);
res.status(201).json({ resource_id: req.params.id, depends_on: req.body.depends_on });
} catch (e) {
if (e.code === '23503') throw new ConflictError('cross-space or unknown resource', {
resource_id: req.params.id, depends_on: req.body.depends_on, hint: 'dependencies must share a space_id'
});
throw e;
}
})
);
router.get('/:id/dependencies',
validate({ params: idParams }),
asyncWrap(async (req, res) => {
res.json(await repo.listDependencies(req.params.id));
})
);
router.delete('/:id/dependencies/:dep_id',
requireOwner,
validate({ params: depParams }),
asyncWrap(async (req, res) => {
await repo.removeDependency(req.params.id, req.params.dep_id);
res.status(204).end();
})
);
router.get('/:id/source-docs',
validate({ params: idParams }),
asyncWrap(async (req, res) => {
res.json(await sourceDocs.listByResource(req.params.id));
})
);
router.get('/:id/changes',
validate({ params: idParams }),
asyncWrap(async (req, res) => {
res.json(await audit.listForEntity('resource', req.params.id));
})
);
Reference in New Issue View Git Blame Copy Permalink