fix(git-sync): address PR #119 review #2 — throttle /git Basic auth, fix mcp schema drift + warnings/tests
Must-fix:
- Throttle the raw /git HTTP-Basic path: it bypasses Nest/ThrottlerGuard, so
verifyUserCredentials (bcrypt) ran unthrottled. Wrap it in the SAME
FailedLoginLimiter the /mcp path uses (5/60s; per-IP, per-IP+email, global
per-email keys; atomic tryReserve BEFORE bcrypt; success resets, non-credential
errors release). The (threshold+1)-th attempt now gets 429 pre-bcrypt. Sweep
timer + onModuleDestroy mirror McpService.
- Fix the mcp schema mirror drift: packages/mcp details `open` attr now reads via
hasAttribute (matches editor-ext canon + git-sync copy); getAttribute dropped a
bare `<details open>` state. (build/ is gitignored — rebuilt locally.)
Tests added:
- /git brute-force throttle: pre-bcrypt 429 on the 6th failure; success resets;
non-credential error releases the budget.
- git-http-backend lost-lock AbortSignal: already-aborted -> no spawn + 500;
live abort mid-request -> SIGTERM + response closed.
- orchestrator divergentDocmost -> WARN + flag surfaced in status (+ clean case).
- pollTick re-entrancy guard skips an overlapping tick.
- datasource NotFound early-throws (getPageJson/move/rename) + updatedAt:undefined
stale-read branch (importPageMarkdown/createPage).
Suggestions:
- space.repo updateGitSyncSettings: parameterize the jsonb key (`${prefKey}::text`)
instead of sql.raw (latent-injection footgun); value stays sql.lit. Spec updated.
- pollTick re-entrancy guard (private `polling` flag).
- page-change.listener docstring: honest about the move/rename/delete over-skip
(loop-guard keys only on lastUpdatedSource) -> ~poll-interval latency, not loss.
- AGENTS.md: document the root /git smart-HTTP route + GitSyncModule.
- Remove redundant redteam-provenance.spec.ts (covered e2e in
persistence.extension.spec.ts:145).
- Extract the duplicated SIGTERM->SIGKILL+finish block (watchdog + abort) into
terminateChild; centralize watchdog-timer teardown in done().
Architecture (deferred, documented): mcp schema header now carries the three-copy
keep-in-sync + schema-core note; the editor-ext contract test documents that the
mcp copy and attribute-behaviour drift (details `open`) are not mechanically
covered yet.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -314,6 +314,40 @@ describe('GitSyncOrchestrator', () => {
|
||||
expect(deps.settings.autoMergeConflicts).toBe(false);
|
||||
});
|
||||
|
||||
it("escalates a divergent-`docmost` push refusal to WARN and surfaces the flag in the status", async () => {
|
||||
const built = build();
|
||||
const warnSpy = jest
|
||||
.spyOn(Logger.prototype, 'warn')
|
||||
.mockImplementation(() => undefined);
|
||||
// The engine refused to fast-forward a divergent `docmost` mirror (§5).
|
||||
runCycleMock.mockResolvedValue({ ...OK_CYCLE, divergentDocmost: true });
|
||||
|
||||
const res = await built.orchestrator.runOnce('space-1', 'ws-1');
|
||||
|
||||
// The flag is surfaced in the returned status (consumable by /status).
|
||||
expect(res.divergentDocmost).toBe(true);
|
||||
// And escalated from the engine's info `log` to a WARN naming the space.
|
||||
expect(warnSpy).toHaveBeenCalledWith(
|
||||
expect.stringContaining('DIVERGENT'),
|
||||
);
|
||||
expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('space-1'));
|
||||
});
|
||||
|
||||
it("does NOT warn when the cycle is clean (divergentDocmost falsy)", async () => {
|
||||
const built = build();
|
||||
const warnSpy = jest
|
||||
.spyOn(Logger.prototype, 'warn')
|
||||
.mockImplementation(() => undefined);
|
||||
runCycleMock.mockResolvedValue(OK_CYCLE);
|
||||
|
||||
const res = await built.orchestrator.runOnce('space-1', 'ws-1');
|
||||
|
||||
expect(res.divergentDocmost).toBeUndefined();
|
||||
expect(warnSpy).not.toHaveBeenCalledWith(
|
||||
expect.stringContaining('DIVERGENT'),
|
||||
);
|
||||
});
|
||||
|
||||
it("surfaces the engine's skipped status (e.g. merge-in-progress) verbatim", async () => {
|
||||
const built = build();
|
||||
runCycleMock.mockResolvedValue({ ran: false, skipped: 'merge-in-progress' });
|
||||
@@ -461,6 +495,40 @@ describe('GitSyncOrchestrator', () => {
|
||||
expect(runOnce).toHaveBeenNthCalledWith(2, 'space-2', 'ws-2');
|
||||
});
|
||||
|
||||
it('skips an overlapping tick while a previous pass is still in flight (re-entrancy guard)', async () => {
|
||||
const built = build();
|
||||
let release!: () => void;
|
||||
const gate = new Promise<void>((resolve) => {
|
||||
release = resolve;
|
||||
});
|
||||
// Stall the first pass inside enabledSpaces so a second tick fires while it
|
||||
// is still running.
|
||||
const enabledSpy = jest
|
||||
.spyOn(built.orchestrator as any, 'enabledSpaces')
|
||||
.mockImplementation(async () => {
|
||||
await gate;
|
||||
return [{ spaceId: 'space-1', workspaceId: 'ws-1' }];
|
||||
});
|
||||
const runOnce = jest
|
||||
.spyOn(built.orchestrator, 'runOnce')
|
||||
.mockResolvedValue({ spaceId: 'space-1', ran: true });
|
||||
|
||||
const first = (built.orchestrator as any).pollTick();
|
||||
await Promise.resolve(); // let the first pass set polling=true + await gate
|
||||
|
||||
// A second tick during the first must be skipped: it never even enumerates.
|
||||
await (built.orchestrator as any).pollTick();
|
||||
expect(enabledSpy).toHaveBeenCalledTimes(1);
|
||||
|
||||
release();
|
||||
await first;
|
||||
expect(runOnce).toHaveBeenCalledTimes(1);
|
||||
|
||||
// After the first pass cleared the flag, a fresh tick runs normally.
|
||||
await (built.orchestrator as any).pollTick();
|
||||
expect(enabledSpy).toHaveBeenCalledTimes(2);
|
||||
});
|
||||
|
||||
it('does NOT throw and runs nothing when the enabled-spaces query throws (try/catch backstop)', async () => {
|
||||
jest.spyOn(Logger.prototype, 'error').mockImplementation(() => undefined);
|
||||
const built = build();
|
||||
|
||||
@@ -384,28 +384,45 @@ export class GitSyncOrchestrator implements OnModuleInit, OnModuleDestroy {
|
||||
}
|
||||
}
|
||||
|
||||
/** True while a pollTick pass is in flight (re-entrancy guard). */
|
||||
private polling = false;
|
||||
|
||||
/**
|
||||
* One poll tick: catches events missed by the listener and reconciles after
|
||||
* downtime. Gated on GIT_SYNC_ENABLED (defensive — the interval is only
|
||||
* registered when enabled). Each enabled space runs under its own lock
|
||||
* (overlaps skipped). Never throws (runOnce swallows per-space errors).
|
||||
*
|
||||
* Re-entrancy guard: a batch of cycles can take LONGER than the poll interval
|
||||
* (many spaces, slow pushes), so the next interval tick could fire while this
|
||||
* pass is still running. The per-space lock already prevents overlapping cycles
|
||||
* for one space, but an overlapping tick still re-runs enabledSpaces() and
|
||||
* redundant per-space lock attempts for every space. The `polling` flag skips a
|
||||
* tick while one is already in flight; it is in-process only (each replica
|
||||
* guards its own ticks — cross-replica overlap is handled by the Redis lock).
|
||||
*/
|
||||
private async pollTick(): Promise<void> {
|
||||
if (!this.environmentService.isGitSyncEnabled()) return;
|
||||
let spaces: EnabledSpace[];
|
||||
if (this.polling) return;
|
||||
this.polling = true;
|
||||
try {
|
||||
spaces = await this.enabledSpaces();
|
||||
} catch (err) {
|
||||
this.logger.error(
|
||||
`git-sync: failed to enumerate enabled spaces: ${
|
||||
err instanceof Error ? err.message : String(err)
|
||||
}`,
|
||||
);
|
||||
return;
|
||||
}
|
||||
for (const { spaceId, workspaceId } of spaces) {
|
||||
// runOnce never throws; a per-space error is logged and returned in status.
|
||||
await this.runOnce(spaceId, workspaceId);
|
||||
let spaces: EnabledSpace[];
|
||||
try {
|
||||
spaces = await this.enabledSpaces();
|
||||
} catch (err) {
|
||||
this.logger.error(
|
||||
`git-sync: failed to enumerate enabled spaces: ${
|
||||
err instanceof Error ? err.message : String(err)
|
||||
}`,
|
||||
);
|
||||
return;
|
||||
}
|
||||
for (const { spaceId, workspaceId } of spaces) {
|
||||
// runOnce never throws; a per-space error is logged and returned in status.
|
||||
await this.runOnce(spaceId, workspaceId);
|
||||
}
|
||||
} finally {
|
||||
this.polling = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -205,6 +205,14 @@ describe('GitmostDataSourceService', () => {
|
||||
content: { type: 'doc', content: [] },
|
||||
});
|
||||
});
|
||||
|
||||
it('throws NotFound when the page does not exist', async () => {
|
||||
const { service, mocks } = build();
|
||||
mocks.pageRepo.findById.mockResolvedValue(undefined);
|
||||
await expect(service.bind(CTX).getPageJson('gone')).rejects.toThrow(
|
||||
/not found/i,
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
describe('importPageMarkdown', () => {
|
||||
@@ -236,6 +244,20 @@ describe('GitmostDataSourceService', () => {
|
||||
expect(res.updatedAt).toBe('2026-06-20T11:00:00.000Z');
|
||||
});
|
||||
|
||||
it('returns updatedAt:undefined when the page row is gone after the write (stale-read branch)', async () => {
|
||||
// writeBody succeeds, but the post-write findById returns nothing (e.g. the
|
||||
// page was concurrently hard-deleted) -> the optional updatedAt is omitted.
|
||||
const { service, mocks } = build();
|
||||
mocks.pageRepo.findById.mockResolvedValue(undefined);
|
||||
|
||||
const res = await service
|
||||
.bind(CTX)
|
||||
.importPageMarkdown('p1', '# Hello\n\nworld');
|
||||
|
||||
expect(mocks.collabGateway.writePageBody).toHaveBeenCalledTimes(1);
|
||||
expect(res.updatedAt).toBeUndefined();
|
||||
});
|
||||
|
||||
// The 2-way path (no base) is covered above; this exercises the THREE-WAY
|
||||
// branch that only fires when a `baseMarkdown` is supplied (review #5). The
|
||||
// merge dispatch itself now lives in the collab handler (gitSyncWriteBody);
|
||||
@@ -295,6 +317,20 @@ describe('GitmostDataSourceService', () => {
|
||||
updatedAt: '2026-06-20T12:00:00.000Z',
|
||||
});
|
||||
});
|
||||
|
||||
it('returns updatedAt:undefined when the fresh page row is missing after create', async () => {
|
||||
const { service, mocks } = build();
|
||||
mocks.pageService.create.mockResolvedValue({ id: 'new-id' });
|
||||
// The post-create findById returns nothing -> the optional updatedAt is
|
||||
// omitted (the id is still returned from create()).
|
||||
mocks.pageRepo.findById.mockResolvedValue(undefined);
|
||||
|
||||
const res = await service
|
||||
.bind(CTX)
|
||||
.createPage('Title', 'body md', 'space-1');
|
||||
|
||||
expect(res).toEqual({ data: { id: 'new-id' }, updatedAt: undefined });
|
||||
});
|
||||
});
|
||||
|
||||
describe('deletePage', () => {
|
||||
@@ -348,6 +384,15 @@ describe('GitmostDataSourceService', () => {
|
||||
// db not consulted for a supplied position.
|
||||
expect(mocks.db.selectFrom).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('throws NotFound and moves nothing when the page does not exist', async () => {
|
||||
const { service, mocks } = build();
|
||||
mocks.pageRepo.findById.mockResolvedValue(undefined);
|
||||
await expect(
|
||||
service.bind(CTX).movePage('gone', 'parent-1'),
|
||||
).rejects.toThrow(/not found/i);
|
||||
expect(mocks.pageService.movePage).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
describe('renamePage', () => {
|
||||
@@ -364,6 +409,15 @@ describe('GitmostDataSourceService', () => {
|
||||
expect(user).toEqual({ id: 'svc-user' });
|
||||
expect(provenance).toEqual({ actor: 'git-sync', aiChatId: null });
|
||||
});
|
||||
|
||||
it('throws NotFound and renames nothing when the page does not exist', async () => {
|
||||
const { service, mocks } = build();
|
||||
mocks.pageRepo.findById.mockResolvedValue(undefined);
|
||||
await expect(
|
||||
service.bind(CTX).renamePage('gone', 'whatever'),
|
||||
).rejects.toThrow(/not found/i);
|
||||
expect(mocks.pageService.update).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
describe('restorePage', () => {
|
||||
|
||||
Reference in New Issue
Block a user