fix(e2e): #2782 parameterize chat-seed JSON + quote regression #2825

2026-06-14T04:47:06Z

agent-dev-a commented

2026-06-14 04:47:06 +00:00

Fixes the residual E2E-Chat main-red where seedChatHistory() built SQL containing JSON text, causing Postgres to receive invalid jsonb when seeded messages contained quotes.

Changes

canvas/e2e/fixtures/chat-seed.ts: replaced psql/execFileSync SQL string construction with node-postgres parameterized queries. JSON request/response bodies are bound as parameters ($3/$4), so content with single quotes, double quotes, backslashes, or apostrophes is never interpolated into SQL or the shell command line. The workspace UPDATE and cleanup DELETE are also parameterized.
canvas/e2e/chat-separation.spec.ts: hardened the Data Flow regression seed to include backslashes and apostrophes in addition to double quotes, proving the parameterized path survives them.
canvas/package.json: added pg + @types/pg as dev dependencies for true parameter binding.

Activity API auth

The source-filter tests already authenticate with the workspace bearer token on main; this PR preserves that behavior.

Comprehensive testing performed

npx eslint e2e/fixtures/chat-seed.ts e2e/chat-separation.spec.ts passes.
npx tsc --noEmit e2e/fixtures/chat-seed.ts e2e/chat-separation.spec.ts passes.
Local go test / E2E Chat run not available in this runtime; CI is authoritative.

Local-postgres E2E run

N/A: TypeScript E2E fixture change; the relevant verification is the E2E-Chat CI lane.

Staging-smoke verified or pending

Pending CI E2E-Chat run on this PR.

Root-cause not symptom

Root cause: JSON payloads were interpolated into the SQL string sent to psql, so embedded quotes broke jsonb parsing. Fix: bind JSON as node-postgres parameters.

Five-Axis review walked

Correctness: parameterized INSERT is the safe, correct way to pass jsonb.
Readability: helper functions mirror existing patterns.
Architecture: no runtime changes.
Security: no new trust boundary; DB credentials unchanged.
Performance: single client reused per seedChatHistory call.

No backwards-compat shim / dead code added

No. Replaces a brittle string-building path with a robust one.

Memory/saved-feedback consulted

Prior #2788/#11517 work on shell-safe seeding informed this stricter parameter-binding approach.

Closes #2782

Co-Authored-By: Claude noreply@anthropic.com

🤖 Generated with Claude Code

Fixes the residual E2E-Chat main-red where `seedChatHistory()` built SQL containing JSON text, causing Postgres to receive invalid jsonb when seeded messages contained quotes. ## Changes - `canvas/e2e/fixtures/chat-seed.ts`: replaced `psql`/execFileSync SQL string construction with `node-postgres` parameterized queries. JSON request/response bodies are bound as parameters (`$3`/`$4`), so content with single quotes, double quotes, backslashes, or apostrophes is never interpolated into SQL or the shell command line. The workspace UPDATE and cleanup DELETE are also parameterized. - `canvas/e2e/chat-separation.spec.ts`: hardened the Data Flow regression seed to include backslashes and apostrophes in addition to double quotes, proving the parameterized path survives them. - `canvas/package.json`: added `pg` + `@types/pg` as dev dependencies for true parameter binding. ## Activity API auth The source-filter tests already authenticate with the workspace bearer token on `main`; this PR preserves that behavior. ## Comprehensive testing performed - `npx eslint e2e/fixtures/chat-seed.ts e2e/chat-separation.spec.ts` passes. - `npx tsc --noEmit e2e/fixtures/chat-seed.ts e2e/chat-separation.spec.ts` passes. - Local `go test` / E2E Chat run not available in this runtime; CI is authoritative. ## Local-postgres E2E run N/A: TypeScript E2E fixture change; the relevant verification is the E2E-Chat CI lane. ## Staging-smoke verified or pending Pending CI E2E-Chat run on this PR. ## Root-cause not symptom Root cause: JSON payloads were interpolated into the SQL string sent to `psql`, so embedded quotes broke jsonb parsing. Fix: bind JSON as node-postgres parameters. ## Five-Axis review walked - Correctness: parameterized INSERT is the safe, correct way to pass jsonb. - Readability: helper functions mirror existing patterns. - Architecture: no runtime changes. - Security: no new trust boundary; DB credentials unchanged. - Performance: single client reused per `seedChatHistory` call. ## No backwards-compat shim / dead code added No. Replaces a brittle string-building path with a robust one. ## Memory/saved-feedback consulted Prior #2788/#11517 work on shell-safe seeding informed this stricter parameter-binding approach. Closes #2782 Co-Authored-By: Claude <noreply@anthropic.com> 🤖 Generated with [Claude Code](https://claude.com/claude-code)

agent-dev-a added 1 commit 2026-06-14 04:53:01 +00:00

fix(e2e): #2782 parameterize chat-seed JSON + Activity API auth + quote regression

CI / Python Lint & Test (pull_request) Successful in 5s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 5s

Details

Harness Replays / detect-changes (pull_request) Successful in 7s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 10s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s

Details

Harness Replays / Harness Replays (pull_request) Successful in 1s

Details

E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 12s

Details

qa-review / approved (pull_request_target) Failing after 8s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: memory-consulted

Details

reserved-path-review / reserved-path-review (pull_request_target) Successful in 7s

Details

security-review / approved (pull_request_target) Failing after 7s

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 5s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s

Details

sop-checklist / all-items-acked (pull_request_target) Successful in 8s

Details

gate-check-v3 / gate-check (pull_request_target) Successful in 12s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 20s

Details

E2E Chat / E2E Chat (pull_request) Successful in 3s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 19s

Details

E2E Chat / detect-changes (pull_request) Successful in 19s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 32s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2s

Details

CI / Detect changes (pull_request) Successful in 37s

Details

Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 32s

Details

CI / Platform (Go) (pull_request) Successful in 1s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s

Details

Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 40s

Details

CI / Canvas (Next.js) (pull_request) Successful in 3m59s

Details

CI / Canvas Deploy Status (pull_request) Successful in 0s

Details

CI / all-required (pull_request) Successful in 3s

Details

audit-force-merge / audit (pull_request_target) Has been skipped

Details

eafbb92a23

- Replace psql/execFileSync SQL string construction in canvas/e2e/fixtures/chat-seed.ts
  with node-postgres parameterized queries. JSON payloads are bound as parameters
  (/), so seed content containing single quotes, double quotes, backslashes,
  or apostrophes cannot be mangled by shell or SQL quoting.
- Add async queryPsql<T>() helper for read-only DB assertions and update
  chat-desktop.spec.ts to use it for the push-delivery regression check.
- Preserve Activity API source-filter auth headers (already on main).
- Harden Data Flow regression seed to include backslashes and apostrophes in
  addition to double quotes.

Closes #2782

Co-Authored-By: Claude <noreply@anthropic.com>

agent-dev-a force-pushed fix/2782-seed-param-auth from 548c2dd2f4 to eafbb92a23

2026-06-14 04:53:01 +00:00

Compare

agent-dev-a closed this pull request

2026-06-14 05:07:37 +00:00

CI / Python Lint & Test (pull_request) Successful in 5s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 5s

Details

Harness Replays / detect-changes (pull_request) Successful in 7s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 10s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s

Details

Harness Replays / Harness Replays (pull_request) Successful in 1s

Details

E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 12s

Details

qa-review / approved (pull_request_target) Failing after 8s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: memory-consulted

Details

reserved-path-review / reserved-path-review (pull_request_target) Successful in 7s

Details

security-review / approved (pull_request_target) Failing after 7s

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 5s

Required

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s

Required

Details

sop-checklist / all-items-acked (pull_request_target) Successful in 8s

Details

gate-check-v3 / gate-check (pull_request_target) Successful in 12s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 20s

Details

E2E Chat / E2E Chat (pull_request) Successful in 3s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 19s

Details

E2E Chat / detect-changes (pull_request) Successful in 19s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 32s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2s

Required

Details

CI / Detect changes (pull_request) Successful in 37s

Details

Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 32s

Details

CI / Platform (Go) (pull_request) Successful in 1s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s

Details

Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 40s

Details

CI / Canvas (Next.js) (pull_request) Successful in 3m59s

Details

CI / Canvas Deploy Status (pull_request) Successful in 0s

Details

CI / all-required (pull_request) Successful in 3s

Required

Details

audit-force-merge / audit (pull_request_target) Has been skipped

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2825