test(server): batch 5 authorization, transclusion, search & comment coverage

Test-only. Fills the authorization / data-integrity gaps from the strategy
report. Full server suite: 100 suites / 1031 passed + 1 todo, green.

Authorization (privilege-escalation catches):
- workspace/space ability factories: exact can/cannot per (action,subject) —
  admin cannot Manage Audit, writer/reader cannot Manage Settings/Member, etc.
- findHighestUserSpaceRole, isAdminActingOnOwner.
- WorkspaceService role guards: last-owner lockout, admin-over-owner, self-target.
- SpaceMemberService.validateLastAdmin: never orphan a space without an admin.
- GroupService: default-group immutability, name uniqueness.

Access / data integrity:
- PageAccessService: restriction-vs-space-ability branches for view/edit/comment.
- TransclusionService.unsyncReference: cross-workspace/NotFound boundary asserts
  NO attachment write or ref-row delete on rejection; lookupWithAccessSet
  positional status mapping; listReferences drops private/cross-ws/deleted refs;
  syncPageTransclusions/References diff (no-op on unchanged content).
- SearchService.searchPage: query-mode scoping; leakage modes return empty
  before executing the query.
- CommentService: reply-to-reply guard, agent provenance, self-mention filter,
  no double-notify.

Pure helpers:
- prosemirror extractors (mention dedup-key id-vs-entityId, attachment UUID
  validation, removeMarkTypeFromDoc), collaboration.util (getPageId,
  isEmptyParagraphDoc, stripUnknownNodes unwrap, prosemirrorNodeToYElement).

Reviewed (APPROVE WITH SUGGESTIONS): mutation-resistant, not vacuous.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>