mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-05 21:39:54 +02:00
* refactor(server): make ParseUUID error-returning to prevent silent data loss (MUL-1410) util.ParseUUID previously swallowed errors and returned a zero pgtype.UUID on invalid input. When this zero UUID reached a write query (DELETE/UPDATE), the SQL matched zero rows and the handler returned 2xx success — producing silent data corruption. #1661 (DeleteIssue with identifier-style ID) was the visible symptom; PR #1680 patched that one site, this commit closes the class of bug. Changes: - util.ParseUUID now returns (pgtype.UUID, error). Add util.MustParseUUID for trusted round-trips that should panic on invalid input. - handler/handler.go: parseUUID wrapper now calls MustParseUUID — any unguarded user-input string reaching it surfaces as a recovered panic (chi middleware.Recoverer → 500) instead of silently corrupting data. Add parseUUIDOrBadRequest(w, s, fieldName) for handler entry points. - Convert every Queries.Delete*/Update* call site reachable from raw user input (autopilot, comment, project, skill, skill_file, label, pin, attachment, feedback, issue assignee, daemon runtime, workspace) to validate UUIDs explicitly with parseUUIDOrBadRequest, returning 400 on invalid input. Where a resolved entity.ID is already in scope, write queries now use it directly instead of re-parsing the URL string. - Update getWorkspaceMember + loadIssueForUser to handle invalid UUIDs gracefully (404/400 instead of panic). - Update util/middleware/cmd-level callers (subscriber_listeners, notification_listeners, activity_listeners, scope_authorizer, middleware/workspace) to use the error-returning API. - Add server/internal/util/pgx_test.go covering valid/invalid input and the MustParseUUID panic contract. - Add TestDeleteIssueByIdentifier + TestDeleteIssueRejectsInvalidUUID regression tests in handler_test.go (the original #1661 bug + the invalid-input case). - Document the handler UUID parsing convention in CLAUDE.md so the rule is enforceable in future PR review. * fix(server): address GPT-Boy review of #1748 P1 fixes from PR #1748 review: 1. Migrate remaining request-boundary UUIDs to parseUUIDOrBadRequest so malformed input returns 400 instead of panic/500. Was missing on: - issue.go: workspace_id in CreateIssue/ChildIssueProgress/ListIssues/ SearchIssues/BatchUpdateIssues/BatchDeleteIssues; project_id / parent_issue_id / lead_id / assignee_id / assignee_ids / creator_id filters; batch issue_ids and assignee/parent/project fields in BatchUpdateIssues (skip on bad input via util.ParseUUID, matching the existing per-row continue semantics). - project.go: project id + workspace_id in GetProject/UpdateProject/ DeleteProject; lead_id in CreateProject/UpdateProject; workspace_id in ListProjects + SearchProjects. - handler.go: resolveActor now uses util.ParseUUID for X-Agent-ID / X-Task-ID headers; invalid UUID falls back to "member" (matches pre-existing semantics) instead of panicking. - issue.go: validateAssigneePair returns 400 on invalid workspace_id instead of panicking. 2. Fix issue:deleted WS event payloads to emit uuidToString(issue.ID) instead of the raw URL string. After an identifier-path delete ("MUL-7"), the previous payload would have leaked the identifier to subscribers, leaving stale entries in frontend caches that key by UUID. Updated DeleteIssue (issue.go:1341) and BatchDeleteIssues (issue.go:1641). The slog "issue deleted" log line also now records the resolved UUID so logs match the WS payload. 3. Extend TestDeleteIssueByIdentifier to subscribe to the bus and assert issue:deleted.payload.issue_id is the resolved UUID, not the identifier. * fix(server): validate remaining reviewed UUID inputs * fix(server): validate remaining handler UUID inputs * fix(server): finish request boundary UUID audit * fix(server): validate remaining request body UUIDs * fix(server): validate runtime path UUIDs * fix(server): validate remaining audit UUID inputs --------- Co-authored-by: Eve <eve@multica.ai>
176 lines
5.7 KiB
Go
176 lines
5.7 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestRuntimeHandlersRejectMalformedRuntimeID(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
method string
|
|
path string
|
|
handle func(http.ResponseWriter, *http.Request)
|
|
}{
|
|
{
|
|
name: "usage",
|
|
method: "GET",
|
|
path: "/api/runtimes/not-a-uuid/usage",
|
|
handle: testHandler.GetRuntimeUsage,
|
|
},
|
|
{
|
|
name: "task activity",
|
|
method: "GET",
|
|
path: "/api/runtimes/not-a-uuid/task-activity",
|
|
handle: testHandler.GetRuntimeTaskActivity,
|
|
},
|
|
{
|
|
name: "delete",
|
|
method: "DELETE",
|
|
path: "/api/runtimes/not-a-uuid",
|
|
handle: testHandler.DeleteAgentRuntime,
|
|
},
|
|
{
|
|
name: "models",
|
|
method: "POST",
|
|
path: "/api/runtimes/not-a-uuid/models",
|
|
handle: testHandler.InitiateListModels,
|
|
},
|
|
{
|
|
name: "update",
|
|
method: "POST",
|
|
path: "/api/runtimes/not-a-uuid/update",
|
|
handle: testHandler.InitiateUpdate,
|
|
},
|
|
{
|
|
name: "local skills",
|
|
method: "POST",
|
|
path: "/api/runtimes/not-a-uuid/local-skills",
|
|
handle: testHandler.InitiateListLocalSkills,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
w := httptest.NewRecorder()
|
|
req := newRequest(tt.method, tt.path, nil)
|
|
req = withURLParam(req, "runtimeId", "not-a-uuid")
|
|
tt.handle(w, req)
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("%s: expected 400 for malformed runtimeId, got %d: %s", tt.name, w.Code, w.Body.String())
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestGetRuntimeUsage_BucketsByUsageTime ensures a task that was enqueued on
|
|
// one calendar day but whose tokens were reported the next day (e.g. execution
|
|
// crossed midnight, or the task sat in the queue) is attributed to the day
|
|
// tokens were actually produced, not the enqueue day. It also verifies the
|
|
// ?days=N cutoff covers the full earliest calendar day, not just "now minus N
|
|
// days" which would clip the morning of that day.
|
|
func TestGetRuntimeUsage_BucketsByUsageTime(t *testing.T) {
|
|
if testHandler == nil {
|
|
t.Skip("database not available")
|
|
}
|
|
ctx := context.Background()
|
|
|
|
// Pick a runtime bound to the fixture workspace.
|
|
var runtimeID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
SELECT id FROM agent_runtime WHERE workspace_id = $1 LIMIT 1
|
|
`, testWorkspaceID).Scan(&runtimeID); err != nil {
|
|
t.Fatalf("fetch runtime: %v", err)
|
|
}
|
|
var agentID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
SELECT id FROM agent WHERE workspace_id = $1 LIMIT 1
|
|
`, testWorkspaceID).Scan(&agentID); err != nil {
|
|
t.Fatalf("fetch agent: %v", err)
|
|
}
|
|
|
|
// Create an issue for the tasks to reference.
|
|
var issueID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO issue (workspace_id, title, creator_id, creator_type)
|
|
VALUES ($1, 'runtime usage test', $2, 'member')
|
|
RETURNING id
|
|
`, testWorkspaceID, testUserID).Scan(&issueID); err != nil {
|
|
t.Fatalf("create issue: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
testPool.Exec(ctx, `DELETE FROM issue WHERE id = $1`, issueID)
|
|
})
|
|
|
|
// enqueued yesterday 23:58 UTC, finished today 00:05 UTC — tokens belong to today.
|
|
now := time.Now().UTC()
|
|
today := time.Date(now.Year(), now.Month(), now.Day(), 0, 0, 0, 0, time.UTC)
|
|
yesterdayLate := today.Add(-2 * time.Minute)
|
|
todayEarly := today.Add(5 * time.Minute)
|
|
// Task that ran entirely yesterday around 05:00 — used to verify the
|
|
// ?days cutoff isn't clipping yesterday's morning.
|
|
yesterdayMorning := today.Add(-19 * time.Hour)
|
|
|
|
insertTaskWithUsage := func(enqueueAt, usageAt time.Time, inputTokens int64) string {
|
|
var taskID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO agent_task_queue (agent_id, issue_id, runtime_id, status, created_at)
|
|
VALUES ($1, $2, $3, 'completed', $4)
|
|
RETURNING id
|
|
`, agentID, issueID, runtimeID, enqueueAt).Scan(&taskID); err != nil {
|
|
t.Fatalf("insert task: %v", err)
|
|
}
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO task_usage (task_id, provider, model, input_tokens, output_tokens, created_at)
|
|
VALUES ($1, 'claude', 'claude-3-5-sonnet', $2, 0, $3)
|
|
`, taskID, inputTokens, usageAt); err != nil {
|
|
t.Fatalf("insert task_usage: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
testPool.Exec(ctx, `DELETE FROM agent_task_queue WHERE id = $1`, taskID)
|
|
})
|
|
return taskID
|
|
}
|
|
|
|
insertTaskWithUsage(yesterdayLate, todayEarly, 1000) // cross-midnight
|
|
insertTaskWithUsage(yesterdayMorning, yesterdayMorning, 2000) // full-day yesterday
|
|
|
|
// Call the handler with ?days=1 at whatever "now" is. That should include
|
|
// both today and yesterday in full.
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("GET", "/api/runtimes/"+runtimeID+"/usage?days=1", nil)
|
|
req = withURLParam(req, "runtimeId", runtimeID)
|
|
testHandler.GetRuntimeUsage(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("GetRuntimeUsage: expected 200, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
var resp []RuntimeUsageResponse
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
|
|
byDate := make(map[string]int64)
|
|
for _, r := range resp {
|
|
byDate[r.Date] += r.InputTokens
|
|
}
|
|
|
|
todayKey := today.Format("2006-01-02")
|
|
yesterdayKey := today.Add(-24 * time.Hour).Format("2006-01-02")
|
|
|
|
// Cross-midnight task must attribute to today (tu.created_at), not yesterday
|
|
// (atq.created_at). Before the fix this was 0 on today / 1000 on yesterday.
|
|
if byDate[todayKey] != 1000 {
|
|
t.Errorf("cross-midnight task: today bucket expected 1000 input tokens, got %d (full map: %v)", byDate[todayKey], byDate)
|
|
}
|
|
// Yesterday's morning task must still be included — this is what breaks
|
|
// when ?days=N is interpreted as a rolling window instead of calendar days.
|
|
if byDate[yesterdayKey] != 2000 {
|
|
t.Errorf("yesterday morning task: yesterday bucket expected 2000 input tokens, got %d (full map: %v)", byDate[yesterdayKey], byDate)
|
|
}
|
|
}
|