root c591b2aed1 fix(pending): allow suggest-tier 'upsert' drafts; make dependency wiring owner-only ...

The pending_changes.action CHECK only permitted create/update/delete, so a
suggest-tier agent hitting POST /api/refs/upsert (or the resource dependency
routes) 500'd on the INSERT (docs/security-followups.md HIGH finding).

- migration 009: widen CHECK to include 'upsert'
- applyPendingChange: dispatch 'upsert' -> refsRepo.upsertByExternal on approve
- resources.js: add_dependency/remove_dependency are now owner-only (requireOwner),
  infra wiring is never diverted to pending_changes
- tests/api/pending_extended_actions.test.js: regression coverage

Full suite green (278 pass / 1 skip).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-01 23:19:44 +10:00

..

superpowers

chore: version 2.0.0-alpha.6 — companion on Claude CLI subprocess (Max subscription)

2026-06-01 22:22:53 +10:00

plan-1-complete.md

docs: Plan 1 completion summary

2026-05-31 15:32:38 +10:00

plan-2-complete.md

docs: Plan 2 completion summary

2026-06-01 02:27:58 +10:00

plan-3-complete.md

docs: Plan 3 completion summary

2026-06-01 04:01:12 +10:00

plan-4-complete.md

chore: version 2.0.0-alpha.4 + changelog + plan-4 completion doc

2026-06-01 10:25:31 +10:00

plan-5-complete.md

chore: version 2.0.0-alpha.5 + plan-5 completion doc

2026-06-01 19:41:46 +10:00

security-followups.md

fix(pending): allow suggest-tier 'upsert' drafts; make dependency wiring owner-only

2026-06-01 23:19:44 +10:00

testing.md

test: isolate tests on void_test DB (stop resetDb wiping prod void)

2026-06-01 22:45:17 +10:00

VERSION_HISTORY.md

chore: initial repo scaffolding

2026-05-31 01:22:10 +10:00