fix: reject negative replica counts in handleScaleHTTP

[clubanderson]

Closes #3831

Summary

• handleScaleHTTP checked for int32 overflow on the GET query-param path but allowed negative replica values through on both POST and GET paths
• Added validation after both parsing paths to return HTTP 400 with a clear error message when replicas < 0

Test plan

• Send POST /scale with {"replicas": -1} and verify 400 response
• Send GET /scale?replicas=-5&cluster=x&namespace=y&name=z and verify 400 response
• Send POST /scale with {"replicas": 0} (scale to zero) and verify it still works
• Send POST /scale with {"replicas": 3} and verify normal scaling works

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

[kubestellar-prow]

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

• 338c287 fix: reject negative replica counts in handleScaleHTTP (Negative replica counts pass through unvalidated #3831)

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[kubestellar-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign clubanderson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Deploy Preview for kubestellarconsole ready!

Name	Link
🔨 Latest commit	338c287
🔍 Latest deploy log	https://app.netlify.com/projects/kubestellarconsole/deploys/69c8bc870abbd70008ec2ea3
😎 Deploy Preview	https://deploy-preview-3840.console-deploy-preview.kubestellar.io
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[github-actions]

👋 Hey @clubanderson — thanks for opening this PR!

🤖 This project is developed exclusively using AI coding assistants.

Please do not attempt to code anything for this project manually.
All contributions should be authored using an AI coding tool such as:

• Claude Code (Opus 4.5 / 4.6) — recommended
• GitHub Copilot
• Cursor
• Other AI coding assistants

This ensures consistency in code style, architecture patterns, test coverage,
and commit quality across the entire codebase.

---

This is an automated message.

[github-actions]

Thank you for your contribution! Your PR has been merged.

Check out what's new:

• KubeStellar Console — Live multi-cluster dashboard
• Marketplace — Community extensions
• Knowledge Base — Troubleshooting and how-tos

Stay connected: Slack #kubestellar-dev | Multi-Cluster Survey

[Copilot]

Pull request overview

This PR hardens the agent’s /scale HTTP endpoint by ensuring negative replica counts are rejected early (instead of being forwarded to Kubernetes), aligning behavior with issue #3831.

Changes:

• Adds validation to reject replicas < 0 after parsing (covers both POST body and GET query-param flows).
• Returns an HTTP 400 with a clear JSON error payload when a negative replica value is provided.

[Copilot]

This new negative-replicas branch returns HTTP 400, but other client/input validation failures in handleScaleHTTP (invalid JSON body, invalid replicas query value, missing cluster/namespace/name) still return HTTP 200 with an error payload. Consider making the status-code behavior consistent across all validation errors (e.g., always StatusBadRequest for malformed input) so clients can reliably use res.ok/status checks.

[Copilot]

There are extensive HTTP handler tests in pkg/agent/server_test.go, but none appear to cover /scale. Since this change introduces new request validation behavior (negative replicas -> 400) for both POST and GET paths, add unit tests that assert status code + error payload for replicas < 0 and that replicas=0 remains allowed.

[clubanderson]

🔄 Auto-Applying Copilot Code Review

Copilot code review found 0 code suggestion(s) and 2 general comment(s).

Also address these general comments:

• pkg/agent/server.go (line 1564): This new negative-replicas branch returns HTTP 400, but other client/input validation failures in handleScaleHTTP (inval
• pkg/agent/server.go (line 1565): There are extensive HTTP handler tests in pkg/agent/server_test.go, but none appear to cover /scale. Since this change i

Push all fixes in a single commit. Run cd web && npm run build && npm run lint before committing.

---

Auto-generated by copilot-review-apply workflow.