Actions: make shuttle/review accessors total against malformed inline shapes

The inline-fiber resolve clause validated only `is_map(fiber)`, never the
shape of fiber["shuttle"] or fiber["shuttle"]["review"]. So:

  • a non-map shuttle (string / list / number) — `shuttle/1` returned it
    as-is, then enabled?/standing? called Map.get on it → BadMapError;
  • a scalar/list review on a standing fiber — review_state/1's
    get_in(shuttle, ["review", "state"]) walked into a non-Access value →
    FunctionClauseError.

Either raised through to a bare Phoenix 500 where the controller already
produces a graceful 4xx (unknown_target → 400) for other bad input. The
current Portolan client always builds well-formed shapes, so this is
public-contract robustness for any other/future caller.

`shuttle/1` now coerces a non-map to %{} and `review_state/1` guards the
review subtree, degrading a malformed shape to the default resolution
path. Both accessors back action_for_target, so this hardens BOTH the
inline-resolve path and the felt-derived actions_for path (malformed
frontmatter). Well-formed input is unchanged.

Test: POST malformed inline fibers (shuttle as string/list/number;
standing fiber with review as string/list/number) → graceful 200, never
500; two controls pin that a non-standing string review still resolves
dispatch-ad-hoc and a well-formed awaiting standing role still resolves
accept-run.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: cailmdaley

lib/shuttle/actions.ex

@@ -196,8 +196,25 @@ defmodule Shuttle.Actions do
   defp normalize_target("active"), do: "inFlight"
   defp normalize_target(target), do: target
 
-  defp shuttle(fiber), do: Map.get(fiber, "shuttle", %{}) || %{}
+  # Total accessors: a malformed inline fiber (shuttle/review as a scalar or
+  # list rather than a map) must degrade to the default path, not crash the
+  # resolver with BadMapError / ArgumentError → a bare Phoenix 500. The current
+  # client always builds well-formed shapes, so this is public-contract
+  # robustness for any other caller. (overnight-audit C10 / finding 3.)
+  defp shuttle(fiber) do
+    case Map.get(fiber, "shuttle", %{}) do
+      m when is_map(m) -> m
+      _ -> %{}
+    end
+  end
+
   defp enabled?(shuttle), do: Map.get(shuttle, "enabled") == true
   defp standing?(shuttle), do: Map.get(shuttle, "kind", Map.get(shuttle, "mode")) == "standing"
-  defp review_state(shuttle), do: get_in(shuttle, ["review", "state"]) || "scheduled"
+
+  defp review_state(shuttle) do
+    case Map.get(shuttle, "review") do
+      review when is_map(review) -> Map.get(review, "state") || "scheduled"
+      _ -> "scheduled"
+    end
+  end
 end

test/shuttle_web/controllers/api_controller_test.exs

@@ -498,6 +498,93 @@ defmodule ShuttleWeb.APIControllerTest do
            end)
   end
 
+  # overnight-audit C10 / finding 3: the inline-fiber resolve clause validated
+  # only `is_map(fiber)`, never the shape of fiber["shuttle"] / ["review"]. A
+  # non-map shuttle raised BadMapError; a scalar/list review raised
+  # FunctionClauseError — both bubbling to a bare Phoenix 500 where a graceful
+  # response is the documented contract. The accessors are now total.
+  @tag :capture_log
+  test "actions resolve degrades a malformed shuttle/review shape instead of 500ing" do
+    malformed = [
+      %{"id" => "x", "status" => "open", "shuttle" => "enabled"},
+      %{"id" => "x", "status" => "open", "shuttle" => [1, 2]},
+      %{"id" => "x", "status" => "open", "shuttle" => 7},
+      %{
+        "id" => "x",
+        "status" => "open",
+        "shuttle" => %{"enabled" => true, "kind" => "standing", "review" => "awaiting"}
+      },
+      %{
+        "id" => "x",
+        "status" => "open",
+        "shuttle" => %{"enabled" => true, "kind" => "standing", "review" => ["awaiting"]}
+      },
+      %{
+        "id" => "x",
+        "status" => "open",
+        "shuttle" => %{"enabled" => true, "kind" => "standing", "review" => 3}
+      }
+    ]
+
+    for fiber <- malformed do
+      conn =
+        post(
+          api_conn(),
+          "/api/v1/actions/resolve",
+          Jason.encode!(%{fiber: fiber, target: "tempered"})
+        )
+
+      # Graceful: a resolved action (degraded to the default path), never a 500.
+      assert conn.status == 200, "expected graceful 200 for #{inspect(fiber)}, got #{conn.status}"
+      assert Jason.decode!(conn.resp_body)["action"]["id"] != nil
+    end
+  end
+
+  # Controls: well-formed shapes still resolve correctly after the hardening.
+  @tag :capture_log
+  test "actions resolve controls: well-formed shapes still resolve correctly" do
+    # A non-standing fiber's review key is irrelevant — even a string review
+    # must not change the resolution (it degrades to the default path).
+    nonstanding =
+      post(
+        api_conn(),
+        "/api/v1/actions/resolve",
+        Jason.encode!(%{
+          fiber: %{
+            "id" => "x",
+            "status" => "open",
+            "shuttle" => %{"enabled" => true, "kind" => "oneshot", "review" => "awaiting"}
+          },
+          target: "inFlight"
+        })
+      )
+
+    assert nonstanding.status == 200
+    assert Jason.decode!(nonstanding.resp_body)["action"]["id"] == "dispatch-ad-hoc"
+
+    # A well-formed awaiting standing role still resolves accept-run.
+    standing =
+      post(
+        api_conn(),
+        "/api/v1/actions/resolve",
+        Jason.encode!(%{
+          fiber: %{
+            "id" => "x",
+            "status" => "active",
+            "shuttle" => %{
+              "enabled" => true,
+              "kind" => "standing",
+              "review" => %{"state" => "awaiting"}
+            }
+          },
+          target: "tempered"
+        })
+      )
+
+    assert standing.status == 200
+    assert Jason.decode!(standing.resp_body)["action"]["id"] == "accept-run"
+  end
+
   # Single-source invariant (C1/C2 dual-source fix). The by-fiber-id resolve
   # (`Poller.resolve_action`) and the by-fiber-id availability
   # (`Poller.actions_for`, which `validate_available` gates on) BOTH derive