dohertj2/chat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: drawer delete_turn guards event_id <= 0 (T110.1)

Browse Source 
A stale tab or hand-crafted request posting event_id=0 to the surgical
delete route would compute after_event_id=-1 and silently truncate the
entire log. Now rejected with 400.

SQLite assigns event_log ids starting at 1, so any legitimate id is
always >= 1 — non-positive values can only indicate a client bug.

Test: tests/test_drawer_phase4.py::test_delete_turn_with_event_id_zero_returns_400.
This commit is contained in:
Joseph Doherty
2026-04-27 05:11:39 -04:00
parent 2afbb9fefc
commit f3827706df
2 changed files with 35 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
chat/web/drawer.py
+12
View File
@@ -1278,7 +1278,19 @@ async def delete_turn(
A snapshot is taken before truncation (inside ``execute_rewind``)
so the user can recover via the snapshot index.
T110.1 guards ``event_id <= 0``: a stale tab or hand-crafted request
posting ``event_id=0`` would otherwise compute ``after_event_id=-1``
and silently truncate the entire log. ``id`` is auto-assigned by
SQLite starting at 1 so any caller's "real" id is always >= 1; a
zero or negative value can only mean a client bug, surfaced as 400.
"""
if int(event_id) <= 0:
raise HTTPException(
status_code=400,
detail=f"event_id must be a positive integer, got {event_id}",
)
chat = get_chat(conn, chat_id)
if chat is None:
raise HTTPException(status_code=404, detail=f"chat not found: {chat_id}")