Skip to content

fix(scratchnode): require verified host for FAQ-promote + wiki-publish (scratchnode/002)#500

Merged
HomenShum merged 3 commits into
mainfrom
fix/scratchnode-host-public-write
Jun 3, 2026
Merged

fix(scratchnode): require verified host for FAQ-promote + wiki-publish (scratchnode/002)#500
HomenShum merged 3 commits into
mainfrom
fix/scratchnode-host-public-write

Conversation

@HomenShum
Copy link
Copy Markdown
Owner

@HomenShum HomenShum commented Jun 3, 2026

What

snPromoteFaq and snPublishWiki were the last two host-only PUBLIC-write actions in home-v5.html still reading the host key via the weak _snReadHostOwnerKey() (which falls back through localStorage to a bare sessionId). Every other host action already used the strict _snRequireVerifiedHostOwnerKey().

Why it matters (P1, not P0)

The backend requireHost in convex/events.ts always rejected a bare sessionId (no hk1: token / no liveEventHosts row), so this was never an exploit. But the frontend would still attempt the mutation and surface a confusing raw-backend-error toast to a non-host. This is a frontend permission-consistency / UX-honesty fix.

The fix

Both actions now call _snRequireVerifiedHostOwnerKey('sn-manage-event-output') and early-return with a clear Host verification required toast when the session is not a verified host — the failure mode is made impossible, not hidden.

CI-locked by tests

3 new honesty tests in scratchnode-live-route-honesty.spec.ts:

  • guest cannot trigger promoteFaq/publishWiki (mutations never called + correct toast)
  • SN-LIVE-007/008: private send stays private, never creates a public message, IS captured privately
  • public-send boundary control

The existing publish-wiki recap test now establishes the realistic verified-host precondition (it was implicitly relying on the weak fallback).

Verification

  • home-v5-output-contract: green (17 invariants)
  • scratchnode-live-route-honesty: 27/27 green
  • Permission-consistency only — send/render path and the public/private boundary untouched.

Supersedes the DIRTY #469 (rebuilt fresh on current main; original branch went stale while the loop shipped). Goal Card: goals/scratchnode/002-host-public-write-verification.md.

🤖 Generated with Claude Code

@HShuM @claude
fix(scratchnode): require verified host for FAQ-promote + wiki-publis…
b66d7a6 
…h (scratchnode/002)

snPromoteFaq + snPublishWiki were the last host-only PUBLIC-write actions still using the weak _snReadHostOwnerKey() (falls back to a bare sessionId). Backend requireHost already rejected a bare sessionId so this was never an exploit, but the frontend would attempt the mutation and show a confusing raw-error toast to a non-host. Both now use _snRequireVerifiedHostOwnerKey('sn-manage-event-output') + early-return with a clear 'Host verification required' toast.

CI-locked by 3 honesty tests (guest-cannot-write, SN-LIVE-007/008 private-stays-private, public-send control). The existing publish-wiki recap test now establishes the realistic verified-host precondition. e2e: output-contract green; honesty 27/27.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@vercel
Copy link
Copy Markdown

vercel Bot commented Jun 3, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
nodebench-ai Ignored Ignored Preview Jun 3, 2026 9:38pm

Request Review

@HomenShum HomenShum enabled auto-merge (squash) June 3, 2026 21:22
@HomenShum HomenShum mentioned this pull request Jun 3, 2026
Closed
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jun 3, 2026
edited
Loading

✅ Dogfood Visual QA Gate: PASSED

Check Status
Screenshots 23 captured (pass)
Walkthrough 9 chapters (pass)
Key Frames 9 extracted (pass)
Scribe Steps 8 how-to steps (pass)
Build success
Artifacts

Download the dogfood-evidence-41cb4ee artifact from the Actions tab for full screenshots, frames, and walkthrough video.

Generated by Dogfood QA Gate

@HomenShum HomenShum mentioned this pull request Jun 3, 2026
Merged
HomenShum added a commit that referenced this pull request Jun 3, 2026
@HomenShum @HShuM @claude
docs(governance): record DIRTY-drift lesson + mark scratchnode/002 sh…
45f24d3 
…ipping (#501)

Operational lesson from today's loop run: reviewable PRs left open against hot files (home-v5.html, events.ts, honesty spec) go DIRTY as the daily loop squash-merges past them. #469 had to be rebuilt fresh as #500. Rule: land or rebase hot-file PRs within one working day; serialize >=2 PRs on the same hot file (strict:true makes the 'behind main' ping-pong explicit).

Co-authored-by: hshum <hshum@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@HomenShum HomenShum merged commit 48057d7 into main Jun 3, 2026
14 checks passed
@HomenShum HomenShum deleted the fix/scratchnode-host-public-write branch June 3, 2026 21:50
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jun 3, 2026

Demo: walkthrough of the surfaces this PR changed is available as a workflow artifact (pr-demo-500) at https://github.com/HomenShum/nodebench-ai/actions/runs/26915190860

This was referenced Jun 3, 2026
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@HomenShum @HShuM