Output of a generate→critique subagent pass on "what the feature's tests do NOT cover", implemented + verified against the live stand (20/20). Complements the basic two-way suite.

Covers:
- protocol shape: unknown service subpath -> 400; unknown content-type -> 415 (global allowlist); PUT/DELETE on pack endpoints -> 400;
- path-traversal: `..%2f..`, `%2e%2e%2f`, bare `.git` space-id -> 400/404, no escape, never a file leak;
- authz boundaries: a gitSync-DISABLED space -> 404 (existence hidden) and flips to 200 when enabled; a READER member can fetch (200) but is FORBIDDEN to push (403); a NON-member of an enabled space gets 403 (NOT 404 — the critic caught a wrong generator assumption here; pinned as a contract);
- concurrency: a push while the per-space Redis lock is held -> 503 + Retry-After, and the receive-pack does NOT mutate the vault;
- idempotency: repeated no-op cycles never churn `main` / `refs/docmost/last-pushed`;
- data-loss guard (PR #119): deleting MORE than GIT_SYNC_MAX_DELETES_PER_CYCLE is HELD — none trashed AND last-pushed does not advance past the delete commit (retry-safe, not silently dropped).

Auto-creates/tears down its fixtures (reader/non-member users, a 2nd space) and resets the vault cache on exit so re-runs and the basic suite stay green. Needs the vault dir + Redis container reachable (see header).

A structural rename/move case was intentionally left to the engine unit suite (git rename-similarity on meta-only fixture pages is a fixture artifact, not a feature bug).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
13 KiB
Executable File