Skip to content

fix(spreadsheet): reject out-of-union operation at the writer (audit P1-2 / row_delta recurrence guard)#506

Merged
HomenShum merged 1 commit into
mainfrom
fix/spreadsheet-operation-validate
Jun 4, 2026
Merged

fix(spreadsheet): reject out-of-union operation at the writer (audit P1-2 / row_delta recurrence guard)#506
HomenShum merged 1 commit into
mainfrom
fix/spreadsheet-operation-validate

Conversation

@HomenShum
Copy link
Copy Markdown
Owner

@HomenShum HomenShum commented Jun 4, 2026

Closes the seam that the P0 (#505) only papered over

#505 made the stray row_delta doc valid so prod could deploy again. This stops the class from recurring.

storeSpreadsheetEvent derived operationType = firstOp?.type || "unknown" and inserted via eventData: any. "unknown" is not in spreadsheetEvents.operation — so any op missing a .type would write a document that fails convex deploy schema validation and aborts every prod deploy (the exact failure mode of the 6h outage).

Fix

  • New single source of truth convex/tools/spreadsheetOperationTypes.ts (SPREADSHEET_OPERATION_TYPES + isSpreadsheetOperationType).
  • The writer now rejects any operation not in the schema union instead of silently inserting a deploy-breaker (drops the || "unknown" fallback).
  • Self-contained guard test (4/4) locks the literal set and proves "unknown"/undefined/etc. are rejected. No _generated/codegen dependency.

Why reject, not clamp

Legit callers pass Zod-validated ops, so the reject only fires on a genuine upstream bug — surfacing it loudly instead of poisoning prod. Make the failure mode impossible, not hidden.

Follow-ups (audit, separate)

  • CI convex deploy --dry-run schema-vs-data gate (catch the next drift on a PR, not in prod).
  • Optional: derive the schema v.union from the shared const for a structural single source of truth.

🤖 Generated with Claude Code

@HomenShum @claude
fix(spreadsheet): reject out-of-union operation at the writer (audit …
4569863 
…P1-2 / row_delta recurrence guard)

storeSpreadsheetEvent derived operationType as firstOp?.type || 'unknown' and inserted via eventData:any — so any op missing a .type wrote operation:'unknown', a value NOT in spreadsheetEvents.operation, which fails convex deploy schema validation and aborts ALL prod deploys (the row_delta P0 class). New single-source-of-truth SPREADSHEET_OPERATION_TYPES + isSpreadsheetOperationType; the writer now REJECTS any operation not in the schema union instead of silently inserting a deploy-breaker. Self-contained guard test (4/4) locks the set + rejects 'unknown'/undefined/etc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@HomenShum HomenShum enabled auto-merge (squash) June 4, 2026 05:18
@vercel
Copy link
Copy Markdown

vercel Bot commented Jun 4, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
nodebench-ai Ready Ready Preview, Comment Jun 4, 2026 5:19am

Request Review

@HomenShum HomenShum merged commit 9d6bf19 into main Jun 4, 2026
16 checks passed
@HomenShum HomenShum deleted the fix/spreadsheet-operation-validate branch June 4, 2026 05:30
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jun 4, 2026

Demo: walkthrough of the surfaces this PR changed is available as a workflow artifact (pr-demo-506) at https://github.com/HomenShum/nodebench-ai/actions/runs/26932857901

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@HomenShum