fix(git-sync): address PR #119 review #2 — throttle /git Basic auth, fix mcp schema drift + warnings/tests

Must-fix:
- Throttle the raw /git HTTP-Basic path: it bypasses Nest/ThrottlerGuard, so
  verifyUserCredentials (bcrypt) ran unthrottled. Wrap it in the SAME
  FailedLoginLimiter the /mcp path uses (5/60s; per-IP, per-IP+email, global
  per-email keys; atomic tryReserve BEFORE bcrypt; success resets, non-credential
  errors release). The (threshold+1)-th attempt now gets 429 pre-bcrypt. Sweep
  timer + onModuleDestroy mirror McpService.
- Fix the mcp schema mirror drift: packages/mcp details `open` attr now reads via
  hasAttribute (matches editor-ext canon + git-sync copy); getAttribute dropped a
  bare `<details open>` state. (build/ is gitignored — rebuilt locally.)

Tests added:
- /git brute-force throttle: pre-bcrypt 429 on the 6th failure; success resets;
  non-credential error releases the budget.
- git-http-backend lost-lock AbortSignal: already-aborted -> no spawn + 500;
  live abort mid-request -> SIGTERM + response closed.
- orchestrator divergentDocmost -> WARN + flag surfaced in status (+ clean case).
- pollTick re-entrancy guard skips an overlapping tick.
- datasource NotFound early-throws (getPageJson/move/rename) + updatedAt:undefined
  stale-read branch (importPageMarkdown/createPage).

Suggestions:
- space.repo updateGitSyncSettings: parameterize the jsonb key (`${prefKey}::text`)
  instead of sql.raw (latent-injection footgun); value stays sql.lit. Spec updated.
- pollTick re-entrancy guard (private `polling` flag).
- page-change.listener docstring: honest about the move/rename/delete over-skip
  (loop-guard keys only on lastUpdatedSource) -> ~poll-interval latency, not loss.
- AGENTS.md: document the root /git smart-HTTP route + GitSyncModule.
- Remove redundant redteam-provenance.spec.ts (covered e2e in
  persistence.extension.spec.ts:145).
- Extract the duplicated SIGTERM->SIGKILL+finish block (watchdog + abort) into
  terminateChild; centralize watchdog-timer teardown in done().

Architecture (deferred, documented): mcp schema header now carries the three-copy
keep-in-sync + schema-core note; the editor-ext contract test documents that the
mcp copy and attribute-behaviour drift (details `open`) are not mechanically
covered yet.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
a
2026-06-27 23:49:36 +03:00
committed by claude code agent 227
parent 7179f8a5b2
commit 22e3fcdeba
14 changed files with 544 additions and 115 deletions
@@ -205,6 +205,14 @@ describe('GitmostDataSourceService', () => {
content: { type: 'doc', content: [] },
});
});
it('throws NotFound when the page does not exist', async () => {
const { service, mocks } = build();
mocks.pageRepo.findById.mockResolvedValue(undefined);
await expect(service.bind(CTX).getPageJson('gone')).rejects.toThrow(
/not found/i,
);
});
});
describe('importPageMarkdown', () => {
@@ -236,6 +244,20 @@ describe('GitmostDataSourceService', () => {
expect(res.updatedAt).toBe('2026-06-20T11:00:00.000Z');
});
it('returns updatedAt:undefined when the page row is gone after the write (stale-read branch)', async () => {
// writeBody succeeds, but the post-write findById returns nothing (e.g. the
// page was concurrently hard-deleted) -> the optional updatedAt is omitted.
const { service, mocks } = build();
mocks.pageRepo.findById.mockResolvedValue(undefined);
const res = await service
.bind(CTX)
.importPageMarkdown('p1', '# Hello\n\nworld');
expect(mocks.collabGateway.writePageBody).toHaveBeenCalledTimes(1);
expect(res.updatedAt).toBeUndefined();
});
// The 2-way path (no base) is covered above; this exercises the THREE-WAY
// branch that only fires when a `baseMarkdown` is supplied (review #5). The
// merge dispatch itself now lives in the collab handler (gitSyncWriteBody);
@@ -295,6 +317,20 @@ describe('GitmostDataSourceService', () => {
updatedAt: '2026-06-20T12:00:00.000Z',
});
});
it('returns updatedAt:undefined when the fresh page row is missing after create', async () => {
const { service, mocks } = build();
mocks.pageService.create.mockResolvedValue({ id: 'new-id' });
// The post-create findById returns nothing -> the optional updatedAt is
// omitted (the id is still returned from create()).
mocks.pageRepo.findById.mockResolvedValue(undefined);
const res = await service
.bind(CTX)
.createPage('Title', 'body md', 'space-1');
expect(res).toEqual({ data: { id: 'new-id' }, updatedAt: undefined });
});
});
describe('deletePage', () => {
@@ -348,6 +384,15 @@ describe('GitmostDataSourceService', () => {
// db not consulted for a supplied position.
expect(mocks.db.selectFrom).not.toHaveBeenCalled();
});
it('throws NotFound and moves nothing when the page does not exist', async () => {
const { service, mocks } = build();
mocks.pageRepo.findById.mockResolvedValue(undefined);
await expect(
service.bind(CTX).movePage('gone', 'parent-1'),
).rejects.toThrow(/not found/i);
expect(mocks.pageService.movePage).not.toHaveBeenCalled();
});
});
describe('renamePage', () => {
@@ -364,6 +409,15 @@ describe('GitmostDataSourceService', () => {
expect(user).toEqual({ id: 'svc-user' });
expect(provenance).toEqual({ actor: 'git-sync', aiChatId: null });
});
it('throws NotFound and renames nothing when the page does not exist', async () => {
const { service, mocks } = build();
mocks.pageRepo.findById.mockResolvedValue(undefined);
await expect(
service.bind(CTX).renamePage('gone', 'whatever'),
).rejects.toThrow(/not found/i);
expect(mocks.pageService.update).not.toHaveBeenCalled();
});
});
describe('restorePage', () => {