fix(store): derive comment sessionId from its surface#94
Closed
benvinegar wants to merge 1 commit into
Closed
Conversation
createComment stored the caller's sessionId verbatim instead of deriving it from the surface the comment attaches to. A comment could land in a session that doesn't own its surface, breaking listComments joins and the unread/aggregation logic. The HTTP/MCP flow happened to pass surface.sessionId, so it was safe today; any future caller of the Store interface could split them. Both JsonFileStore and SqlStore now resolve the surface first and derive sessionId from it, falling back to input.sessionId only when no surface (or an unknown one) is provided.
Member
Author
|
Closing for now. Verified the change is correct, but it's defensive hardening of an unreachable path rather than a live bug: the only caller of |
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
createCommentstored the caller'ssessionIdverbatim instead of deriving it from the surface the comment attaches to. A comment could land in a session that doesn't own its surface, breakinglistCommentsjoins and the unread/aggregation logic.The HTTP/MCP flow happened to pass
surface.sessionId, so it was safe today; any future caller of theStoreinterface could split them.Fix
Both
JsonFileStoreandSqlStorenow resolve the surface first and derivesessionIdfrom it, falling back toinput.sessionIdonly when no surface (or an unknown one) is provided.Test
Added a store contract test (
a comment's session follows its surface, not the caller's sessionId) that creates a surface in session A, then posts a comment with session B's id and the surface's id. Asserts the comment is filed under A, not B. Fails on both stores before the fix; passes after.Validation
npm test— 184 passnpm run typecheck— cleannpm run lint— clean