fix(backup): harden tenant restore preview and lookup handling #920
Merged: viettranx merged 11 commits into nextlevelbuilder:dev (Apr 16, 2026)
fix(security): cross-group session leak + auto-inject scoping + vault graph + UI fixes
Release: vault enrich filter, stop bug, graph, tests, security fixes
…SSRF flag
- Replace mode no longer deletes the tenants row (FK safe vs excluded diagnostic tables: traces, activity_logs, usage_snapshots, spans, embedding_cache, pairing_requests, paired_devices, channel_pending_messages, cron_run_logs). Metadata is preserved in place.
- shouldRestoreTable now excludes tenants for both new and replace modes.
- CLI: add validateTenantRestoreFlags guardrail. mode=new requires --new-tenant-slug and rejects --tenant/--tenant-id; upsert/replace warn on stray --new-tenant-slug; invalid --mode values rejected. TAB in help text fixed; flag descriptions clarified.
- HTTP: resolveRestoreTarget rejects tenant_id for mode=new regardless of tenant_slug (matches CLI contract). New i18n key MsgRestoreNewModeRejectsTenantID (en/vi/zh).
- security/ssrf: allowLoopbackForTest switched to atomic.Bool so concurrent reads from outbound dialers are race-safe.
- Polish: vi backup.json key order matches en/zh; TenantRestoreOptions.Mode doc comment documents upsert/replace/new semantics including clone behavior for new.
- Tests: unit coverage for validator (12 cases), HTTP guardrails (3 cases), shouldRestoreTable replace branch. Integration test tests/integration/tenant_restore_replace_test.go regression-guards the FK fix using activity_logs seed + DeleteTenantDataForTest helper.

# Conflicts:
# internal/store/pg/hooks.go
# internal/store/pg/hooks_test.go
# internal/store/sqlitestore/hooks.go
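The restore-target contract described in the commit above (mode=new needs --new-tenant-slug and rejects --tenant/--tenant-id, upsert/replace only warn on a stray --new-tenant-slug, unknown modes are rejected outright) as an added Go example; this is not the project's code, and RestoreTarget, ValidateRestoreTarget and ErrInvalidMode are hypothetical names. One function is used so the CLI flags and the HTTP resolveRestoreTarget check cannot drift apart.

```go
package main

import (
	"errors"
	"fmt"
)

// RestoreTarget holds the caller-supplied selectors, whether they arrived as CLI
// flags (--mode, --tenant, --tenant-id, --new-tenant-slug) or HTTP request fields.
type RestoreTarget struct {
	Mode          string
	TenantID      string
	TenantSlug    string
	NewTenantSlug string
}

// ErrInvalidMode is returned for any mode other than upsert, replace or new.
var ErrInvalidMode = errors.New("restore: invalid --mode")

// ValidateRestoreTarget enforces the contract shared by the CLI and HTTP paths:
// mode=new clones into a fresh tenant named by NewTenantSlug and must not also
// point at an existing tenant (TenantID is rejected even when a slug is given);
// upsert/replace act on an existing tenant, so a stray NewTenantSlug is only
// warned about. Warnings are returned alongside a nil error.
func ValidateRestoreTarget(t RestoreTarget) (warnings []string, err error) {
	switch t.Mode {
	case "new":
		if t.NewTenantSlug == "" {
			return nil, errors.New("restore: --mode=new requires --new-tenant-slug")
		}
		if t.TenantID != "" || t.TenantSlug != "" {
			return nil, errors.New("restore: --mode=new rejects --tenant and --tenant-id")
		}
		return nil, nil
	case "upsert", "replace":
		if t.NewTenantSlug != "" {
			warnings = append(warnings, "--new-tenant-slug is ignored for --mode="+t.Mode)
		}
		return warnings, nil
	default:
		return nil, fmt.Errorf("%w: %q (want upsert, replace or new)", ErrInvalidMode, t.Mode)
	}
}

func main() {
	// Constructed input: the rejected combination the guardrail exists for.
	_, err := ValidateRestoreTarget(RestoreTarget{Mode: "new", TenantID: "t-123", NewTenantSlug: "acme-copy"})
	fmt.Println(err)
}
```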
Summary
This PR hardens the tenant backup and restore flow end to end. It fixes the original tenant backup scope bug by making the backup registry scope-aware, including root-table handling for tenants and coverage for tenant_users, then rebuilds tenant restore mode new so it creates a fresh tenant from archive metadata instead of replaying the archived tenant row.

The restore flow now validates the target slug up front, including in dry-run mode, so preview runs catch slug collisions before any real work starts. The HTTP restore auth path also now distinguishes a missing tenant from a real store or database failure, returning 404 only when the tenant truly does not exist and logging unexpected lookup failures as server errors.

On top of the backend changes, the CLI restore path, web restore form, request builder, and localized restore copy were updated to match the new mode=new contract. Focused regression tests were added for tenant restore helper behavior, tenant table scoping, and tenant lookup error handling.

The branch also picked up follow-up hardening from CI: hook-store GetByID now respects tenant scope in both PostgreSQL and SQLite, hook integration tests explicitly opt into the loopback bypass used by SSRF-safe HTTP handlers, and the affected hook tests were tightened so they match the current uniqueness and dispatcher behavior instead of relying on brittle assumptions. That keeps the integration suite aligned with the actual store contract and the test-only security bypass the HTTP hook handler expects.

Type
main)

Target Branch
dev

Checklist
- go build ./... passes
- go build -tags sqliteonly ./... passes (if Go changes)
- go vet ./... passes
- go test -race ./...
- cd ui/web && pnpm build (if UI changes)
- $1, $2 (no string concat)
- internal/upgrade/version.go (if new migration)

Test Plan
- go test ./internal/backup -run 'TestLoadTenantRestoreRow|TestShouldRestoreTable|TestEnsureTenantSlugAvailable'
- go test ./internal/http -run 'TestResolveTenant|TestResolveRestoreTargetNewModeUsesSlug'
- go test ./cmd -run '^$'
- cd ui/web && pnpm build
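The lookup-error distinction from the Summary (404 only when the tenant truly does not exist, unexpected store failures logged and reported as server errors) as an added Go example; this is not the project's code, and ErrTenantNotFound, TenantStore, ResolveTenant and memStore are hypothetical names. The in-memory store and its outage field are constructed so both failure branches can be exercised offline.

```go
package main

import (
	"context"
	"errors"
	"log"
	"net/http"
)

// ErrTenantNotFound is the sentinel a store returns when no row matches the slug.
var ErrTenantNotFound = errors.New("tenant not found")

type Tenant struct{ ID, Slug string }

// TenantStore is the lookup the restore auth path depends on.
type TenantStore interface {
	GetBySlug(ctx context.Context, slug string) (*Tenant, error)
}

// ResolveTenant maps store outcomes to an HTTP status: only a genuine miss is 404;
// any other failure (connection refused, timeout, bad query) is logged and becomes
// 500, so a store outage never masquerades as "no such tenant".
func ResolveTenant(ctx context.Context, store TenantStore, slug string) (*Tenant, int, error) {
	tenant, err := store.GetBySlug(ctx, slug)
	switch {
	case err == nil:
		return tenant, http.StatusOK, nil
	case errors.Is(err, ErrTenantNotFound):
		return nil, http.StatusNotFound, err
	default:
		log.Printf("tenant lookup failed for slug %q: %v", slug, err)
		return nil, http.StatusInternalServerError, err
	}
}

// memStore is a constructed in-memory store; a non-nil outage fails every lookup.
type memStore struct {
	rows   map[string]*Tenant
	outage error
}

func (m *memStore) GetBySlug(_ context.Context, slug string) (*Tenant, error) {
	if m.outage != nil {
		return nil, m.outage
	}
	if t, ok := m.rows[slug]; ok {
		return t, nil
	}
	return nil, ErrTenantNotFound
}
```

Collapsing every error into 404 is the shape of the bug being fixed: a database outage would be reported to the client as a nonexistent tenant and leave no server-side trace of the failure.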