fix(api): guard stale latest version outputs

Author: vyctorbrzezowski

convex/lib/skillFileAccess.ts

@@ -25,7 +25,8 @@ export function getPublicSkillFileAccessBlock(
   if (moderationInfo?.isPendingScan) {
     return {
       status: 423,
-      message: "This skill is pending a ClawScan security review. Please try again in a few minutes.",
+      message:
+        "This skill is pending a ClawScan security review. Please try again in a few minutes.",
     };
   }
   if (moderationInfo?.isRemoved) {

convex/skills.public.test.ts

@@ -17,6 +17,7 @@ const { getSkillBadgeMap } = await import("./lib/badges");
 const {
   getBySlug,
   listSkillReportsInternal,
+  resolveVersionByHash,
   resolveSkillAppealForUserInternal,
   submitSkillAppealForUserInternal,
   triageSkillReportForUserInternal,
@@ -75,6 +76,19 @@ const getBySlugHandler = (
   >
 )._handler;
 
+const resolveVersionByHashHandler = (
+  resolveVersionByHash as unknown as WrappedHandler<
+    {
+      slug: string;
+      hash: string;
+    },
+    {
+      match: { version: string } | null;
+      latestVersion: { version: string } | null;
+    } | null
+  >
+)._handler;
+
 const submitSkillAppealForUserInternalHandler = (
   submitSkillAppealForUserInternal as unknown as WrappedHandler<
     {
@@ -215,6 +229,39 @@ function makeSkill(overrides: Record<string, unknown> = {}) {
   };
 }
 
+function makeResolveCtx(args: {
+  skill: Record<string, unknown>;
+  latestVersion?: Record<string, unknown> | null;
+  matchVersion?: Record<string, unknown> | null;
+  fingerprintMatches?: Array<Record<string, unknown>>;
+}) {
+  const fingerprintMatches = args.fingerprintMatches ?? [
+    { versionId: "skillVersions:match", createdAt: 10 },
+  ];
+  const query = vi.fn((table: string) => {
+    if (table === "skills") {
+      return { withIndex: vi.fn(() => ({ unique: vi.fn().mockResolvedValue(args.skill) })) };
+    }
+    if (table === "skillVersionFingerprints") {
+      return { withIndex: vi.fn(() => ({ take: vi.fn().mockResolvedValue(fingerprintMatches) })) };
+    }
+    if (table === "skillVersions") {
+      return {
+        withIndex: vi.fn(() => ({
+          order: vi.fn(() => ({ take: vi.fn().mockResolvedValue([]) })),
+        })),
+      };
+    }
+    throw new Error(`Unexpected query table: ${table}`);
+  });
+  const get = vi.fn(async (id: string) => {
+    if (id === args.skill.latestVersionId) return args.latestVersion ?? null;
+    if (id === "skillVersions:match") return args.matchVersion ?? null;
+    return null;
+  });
+  return { db: { query, get } } as never;
+}
+
 describe("skills.getBySlug", () => {
   beforeEach(() => {
     vi.mocked(getAuthUserId).mockReset();
@@ -527,6 +574,77 @@ describe("skills.getBySlug", () => {
     expect(result?.skill).toMatchObject({ latestVersionId: "skillVersions:other" });
     expect(result?.latestVersion).toBeNull();
   });
+
+  it("does not expose a soft-deleted latest version", async () => {
+    const ctx = makeCtx({
+      skill: makeSkill({ latestVersionId: "skillVersions:deleted" }),
+      owner: makeOwner("users:1", "demo-owner"),
+      latestVersion: {
+        _id: "skillVersions:deleted",
+        _creationTime: 2,
+        skillId: "skills:1",
+        version: "2.0.0",
+        fingerprint: "abc",
+        changelog: "",
+        changelogSource: "user",
+        files: [],
+        createdBy: "users:1",
+        createdAt: 2,
+        softDeletedAt: 3,
+      },
+    });
+
+    const result = await getBySlugHandler(ctx, { slug: "demo" } as never);
+
+    expect(result?.latestVersion).toBeNull();
+  });
+});
+
+describe("skills.resolveVersionByHash", () => {
+  const hash = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+
+  it("does not expose a soft-deleted latest version", async () => {
+    const ctx = makeResolveCtx({
+      skill: makeSkill({ latestVersionId: "skillVersions:deleted" }),
+      latestVersion: {
+        _id: "skillVersions:deleted",
+        skillId: "skills:1",
+        version: "2.0.0",
+        softDeletedAt: 3,
+      },
+      matchVersion: {
+        _id: "skillVersions:match",
+        skillId: "skills:1",
+        version: "1.0.0",
+        files: [],
+      },
+    });
+
+    const result = await resolveVersionByHashHandler(ctx, { slug: "demo", hash });
+
+    expect(result).toMatchObject({ match: { version: "1.0.0" }, latestVersion: null });
+  });
+
+  it("does not expose a latest version that belongs to another skill", async () => {
+    const ctx = makeResolveCtx({
+      skill: makeSkill({ latestVersionId: "skillVersions:other" }),
+      latestVersion: {
+        _id: "skillVersions:other",
+        skillId: "skills:other",
+        version: "9.9.9",
+      },
+      matchVersion: {
+        _id: "skillVersions:match",
+        skillId: "skills:1",
+        version: "1.0.0",
+        files: [],
+      },
+    });
+
+    const result = await resolveVersionByHashHandler(ctx, { slug: "demo", hash });
+
+    expect(result).toMatchObject({ match: { version: "1.0.0" }, latestVersion: null });
+  });
 });
 
 describe("skill artifact moderation", () => {

convex/skills.ts

@@ -99,10 +99,7 @@ import {
 } from "./lib/reservedSlugs";
 import { matchesAllTokens, matchesExploratoryTokenPrefixes, tokenize } from "./lib/searchText";
 import { SKILL_CAPABILITY_TAGS } from "./lib/skillCapabilityTags";
-import {
-  isPublicSkillVersionAvailableForSkill,
-  isSkillVersionForSkill,
-} from "./lib/skillFileAccess";
+import { isPublicSkillVersionAvailableForSkill } from "./lib/skillFileAccess";
 import { normalizeSkillIconValue } from "./lib/skillIcon";
 import {
   fetchText,
@@ -1997,7 +1994,7 @@ export const getBySlug = query({
 
     const latestVersionDoc = skill.latestVersionId ? await ctx.db.get(skill.latestVersionId) : null;
     const latestVersion = toPublicSkillVersion(
-      isSkillVersionForSkill(latestVersionDoc, skill._id) ? latestVersionDoc : null,
+      isPublicSkillVersionAvailableForSkill(latestVersionDoc, skill._id) ? latestVersionDoc : null,
     );
     const owner = toPublicPublisher(ownerPublisher);
     if (!owner) return null;
@@ -7395,7 +7392,10 @@ export const resolveVersionByHash = query({
     const skill = resolved.skill;
     if (!skill) return null;
 
-    const latestVersion = skill.latestVersionId ? await ctx.db.get(skill.latestVersionId) : null;
+    const latestVersionDoc = skill.latestVersionId ? await ctx.db.get(skill.latestVersionId) : null;
+    const latestVersion = isPublicSkillVersionAvailableForSkill(latestVersionDoc, skill._id)
+      ? latestVersionDoc
+      : null;
 
     const fingerprintMatches = await ctx.db
       .query("skillVersionFingerprints")