fix(api): block uploads to ready bundle paths

[riderx]

Summary (AI generated)

• Block resumable attachment uploads when the requested file path already belongs to a ready bundle.
• Return bundle_already_ready for ready bundle path upload attempts.
• Add a regression test covering the ready bundle upload path guard.

Motivation (AI generated)

Ready bundles should be immutable after upload completes. The database trigger protects bundle row fields, but the file upload API also needs to reject attempts to overwrite the stored bundle object path.

Business Impact (AI generated)

This prevents users or API keys from replacing finalized bundle contents without creating a new bundle version, protecting update integrity and auditability.

Test Plan (AI generated)

• bunx eslint supabase/functions/_backend/files/files.ts tests/files-security.test.ts
• bun run lint:backend
• bun run supabase:with-env -- bunx vitest run tests/files-security.test.ts
• bun run cli:check
• Pre-commit: bun run cli:build && vue-tsc --noEmit

Generated with AI

Summary by CodeRabbit

• Bug Fixes

  • Added validation to prevent uploading or modifying finalized application bundles. The system now returns an error when attempting to overwrite a bundle that is already marked as ready.

• Tests

  • Added test coverage for finalized bundle protection, verifying that finalized bundles cannot be overwritten.

[coderabbitai]

Warning

Rate limit exceeded

@riderx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 38 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 14240717-f850-45be-89a8-a91b14560475

📥 Commits

Reviewing files that changed from the base of the PR and between 39cd822 and c2f53c4.

📒 Files selected for processing (2)

• supabase/functions/_backend/files/files.ts
• tests/files-security.test.ts

📝 Walkthrough

Walkthrough

The PR adds a guard in the checkWriteAppAccess function to detect and block writes to ready bundle paths that already exist in the app_versions table. If a matching record is found (same owner_org, app_id, r2_path with storage_provider not equal to 'r2-direct'), the mutation is blocked with a 409 error; otherwise, existing access checks proceed.

Changes

Ready Bundle Upload Immutability

Layer / File(s)	Summary
Core Implementation supabase/functions/_backend/files/files.ts	Added guard in checkWriteAppAccess that queries app_versions for an existing ready bundle matching the target r2_path, owner_org, and app_id (excluding 'r2-direct' storage). If found, throws 409 with bundle_already_ready error and details; otherwise continues with existing access checks.
Test Support tests/files-security.test.ts	New helper function seedReadyBundle creates a ready bundle entry in app_versions table with matching app_id, org, checksum, and r2_path, returning the file path and upload metadata for test scenarios.
Tests tests/files-security.test.ts	New test case verifies that attempting to start a resumable upload for an already-ready bundle path returns 409 with bundle_already_ready error.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~13 minutes

Possibly related PRs

• Cap-go/capgo#2015: Adds DB trigger enforcement for encrypted-bundle invariants on app_versions INSERT/UPDATE to complement this application-level guard for bundle immutability.

Poem

🐰 A bundle once finalized must rest,
No re-uploads put it to the test,
With 409, we guard it well,
Ready paths have stories to tell! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: blocking uploads to ready bundle paths, which matches the core functionality added in the changeset.
Description check	✅ Passed	The description covers Summary, Motivation, Business Impact, and Test Plan sections with clear details; however, it is AI-generated and lacks the Checklist section specified in the template.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/block-ready-bundle-upload-path

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing codex/block-ready-bundle-upload-path (c2f53c4) with main (5b76c59)}

[coderabbitai]

🧹 Nitpick comments (1)

tests/files-security.test.ts (1)

177-192: 💤 Low value

Use it.concurrent() for parallel test execution.

Per coding guidelines, tests should use it.concurrent() instead of it() to maximize parallelism within test files.

♻️ Suggested change

-  it('blocks resumable upload creation for an already ready bundle path', async () => {
+  it.concurrent('blocks resumable upload creation for an already ready bundle path', async () => {

As per coding guidelines: "use it.concurrent() instead of it() to maximize parallelism within test files".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/files-security.test.ts` around lines 177 - 192, Replace the synchronous
test definition with a concurrent one by changing the test invocation for the
case named 'blocks resumable upload creation for an already ready bundle path'
from it(...) to it.concurrent(...); locate the it call in
tests/files-security.test.ts (the test that posts to '/files/upload/attachments'
and asserts a 409 and error 'bundle_already_ready') and simply swap the function
name to it.concurrent so the test runs in parallel with other tests.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@tests/files-security.test.ts`:
- Around line 177-192: Replace the synchronous test definition with a concurrent
one by changing the test invocation for the case named 'blocks resumable upload
creation for an already ready bundle path' from it(...) to it.concurrent(...);
locate the it call in tests/files-security.test.ts (the test that posts to
'/files/upload/attachments' and asserts a 409 and error 'bundle_already_ready')
and simply swap the function name to it.concurrent so the test runs in parallel
with other tests.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 25d2d672-59f4-4ebd-812b-1788d8080189

📥 Commits

Reviewing files that changed from the base of the PR and between 5b76c59 and 39cd822.

📒 Files selected for processing (2)

• supabase/functions/_backend/files/files.ts
• tests/files-security.test.ts

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud