fix(git-sync): address PR #119 review #2 — throttle /git Basic auth, fix mcp schema drift + warnings/tests

Must-fix:
- Throttle the raw /git HTTP-Basic path: it bypasses Nest/ThrottlerGuard, so
  verifyUserCredentials (bcrypt) ran unthrottled. Wrap it in the SAME
  FailedLoginLimiter the /mcp path uses (5/60s; per-IP, per-IP+email, global
  per-email keys; atomic tryReserve BEFORE bcrypt; success resets, non-credential
  errors release). The (threshold+1)-th attempt now gets 429 pre-bcrypt. Sweep
  timer + onModuleDestroy mirror McpService.
- Fix the mcp schema mirror drift: packages/mcp details `open` attr now reads via
  hasAttribute (matches editor-ext canon + git-sync copy); getAttribute dropped a
  bare `<details open>` state. (build/ is gitignored — rebuilt locally.)

Tests added:
- /git brute-force throttle: pre-bcrypt 429 on the 6th failure; success resets;
  non-credential error releases the budget.
- git-http-backend lost-lock AbortSignal: already-aborted -> no spawn + 500;
  live abort mid-request -> SIGTERM + response closed.
- orchestrator divergentDocmost -> WARN + flag surfaced in status (+ clean case).
- pollTick re-entrancy guard skips an overlapping tick.
- datasource NotFound early-throws (getPageJson/move/rename) + updatedAt:undefined
  stale-read branch (importPageMarkdown/createPage).

Suggestions:
- space.repo updateGitSyncSettings: parameterize the jsonb key (`${prefKey}::text`)
  instead of sql.raw (latent-injection footgun); value stays sql.lit. Spec updated.
- pollTick re-entrancy guard (private `polling` flag).
- page-change.listener docstring: honest about the move/rename/delete over-skip
  (loop-guard keys only on lastUpdatedSource) -> ~poll-interval latency, not loss.
- AGENTS.md: document the root /git smart-HTTP route + GitSyncModule.
- Remove redundant redteam-provenance.spec.ts (covered e2e in
  persistence.extension.spec.ts:145).
- Extract the duplicated SIGTERM->SIGKILL+finish block (watchdog + abort) into
  terminateChild; centralize watchdog-timer teardown in done().

Architecture (deferred, documented): mcp schema header now carries the three-copy
keep-in-sync + schema-core note; the editor-ext contract test documents that the
mcp copy and attribute-behaviour drift (details `open`) are not mechanically
covered yet.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
a
2026-06-27 23:49:36 +03:00
committed by claude code agent 227
parent 7179f8a5b2
commit 22e3fcdeba
14 changed files with 544 additions and 115 deletions
@@ -111,8 +111,9 @@ describe('SpaceRepo.updateGitSyncSettings — jsonb merge SQL', () => {
expect(sql).toContain(
`jsonb_build_object('gitSync', COALESCE(settings->'gitSync', '{}'::jsonb) ||`,
);
// The pref key is set via jsonb_build_object on the inner object.
expect(sql).toContain(`jsonb_build_object('enabled',`);
// The pref key is set via jsonb_build_object on the inner object, with the
// key as a BOUND, ::text-cast PARAMETER (not sql.raw) — security fix #5.
expect(sql).toMatch(/jsonb_build_object\(\$\d+::text,/);
// Scoped to the row + workspace.
expect(sql).toContain(`where "id" =`);
expect(sql).toContain(`and "workspaceId" =`);
@@ -121,21 +122,25 @@ describe('SpaceRepo.updateGitSyncSettings — jsonb merge SQL', () => {
// `set "settings" = jsonb_build_object(` without the COALESCE/merge).
expect(sql).not.toContain(`set "settings" = jsonb_build_object(`);
// The pref VALUE is inlined via sql.lit (matches the repo's sql.lit usage);
// updatedAt + id + workspaceId are the only bound parameters (the jsonb
// merge text is all literal). updatedAt is a Date, so assert id/workspaceId.
// The pref VALUE stays inlined via sql.lit, but the KEY is now a bound
// parameter, so id + workspaceId + the key are all bound (updatedAt is a Date).
expect(compiled!.parameters).toContain('space-1');
expect(compiled!.parameters).toContain('ws-1');
expect(compiled!.parameters).toContain('enabled');
});
it('inlines the prefKey/prefValue literally (sql.raw key, sql.lit value)', async () => {
it('binds the prefKey as a ::text parameter (no sql.raw splice) and inlines prefValue via sql.lit', async () => {
const { repo, getCaptured } = makeRepoCapturingSql();
await repo.updateGitSyncSettings('space-1', 'ws-1', 'enabled', false);
const sql = getCaptured()!.sql.replace(/\s+/g, ' ');
// key via sql.raw + value via sql.lit -> both appear literally in the
// inner build object (no bound parameter for either).
expect(sql).toContain(`jsonb_build_object('enabled', false)`);
const compiled = getCaptured()!;
const sql = compiled.sql.replace(/\s+/g, ' ');
// The key is a bound `$N::text` parameter; the value is the sql.lit literal.
expect(sql).toMatch(/jsonb_build_object\(\$\d+::text, false\)/);
// The literal key must NOT be spliced into the statement text (the footgun).
expect(sql).not.toContain(`'enabled'`);
// The key rides as a bound parameter instead.
expect(compiled.parameters).toContain('enabled');
});
});
@@ -122,9 +122,15 @@ export class SpaceRepo {
return db
.updateTable('spaces')
.set({
// The jsonb key is a BOUND PARAMETER (`${prefKey}::text`), not
// `sql.raw(prefKey)`. The callers here only ever pass the literals
// 'enabled' / 'autoMergeConflicts', but sql.raw would splice the string
// straight into the statement — a latent SQL-injection footgun the moment
// a future caller passes a request-derived key. Parameterizing closes it
// with no behaviour change for the current literal callers.
settings: sql`COALESCE(settings, '{}'::jsonb)
|| jsonb_build_object('gitSync', COALESCE(settings->'gitSync', '{}'::jsonb)
|| jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
|| jsonb_build_object(${prefKey}::text, ${sql.lit(prefValue)}))`,
updatedAt: new Date(),
})
.where('id', '=', spaceId)