fix: reject configured ambiguous repo actions

Resolve issue state changes from the query platform_host used by generated clients, while preserving the legacy body fallback. Reject unqualified repo lookups when configured tracked repositories are ambiguous even if SQLite currently has only one matching row, preventing maintainer mutations from guessing a host.\n\nVerified with:\n- go test ./internal/server -run 'TestAPISetIssueStateUsesPlatformHostBody|TestAPISetIssueStateUsesPlatformHostQuery|TestAPIApprovePRRejectsAmbiguousRepoBeforeMutation|TestAPIApprovePRRejectsAmbiguousTrackedRepoBeforeMutation' -shuffle=on\n- go test ./internal/server -shuffle=on\n- git diff --check\n\n🤖 Generated with [OpenAI Codex](https://openai.com/codex)\nCo-authored-by: OpenAI Codex <noreply@openai.com>

Author: mariusvniekerk

internal/server/api_test.go

@@ -4881,6 +4881,121 @@ func TestAPISetIssueStateUsesPlatformHostBody(t *testing.T) {
 	assert.Equal("closed", ghesIssue.State)
 }
 
+func TestAPISetIssueStateUsesPlatformHostQuery(t *testing.T) {
+	require := require.New(t)
+	assert := Assert.New(t)
+	ctx := context.Background()
+
+	database, err := db.Open(
+		filepath.Join(t.TempDir(), "test.db"),
+	)
+	require.NoError(err)
+	t.Cleanup(func() { database.Close() })
+
+	seedIssueOnHost(
+		t, database,
+		"github.com", "acme", "widget", 7,
+		"open", "GitHub issue",
+	)
+	seedIssueOnHost(
+		t, database,
+		"ghe.example.com", "acme", "widget", 7,
+		"open", "GHES issue",
+	)
+
+	var githubEditCalls int
+	var ghesEditCalls int
+	githubClient := &mockGH{
+		editIssueFn: func(_ context.Context, _, _ string, _ int, _ string) (*gh.Issue, error) {
+			githubEditCalls++
+			return nil, errors.New("github.com client should not edit issue")
+		},
+	}
+	ghesClient := &mockGH{
+		editIssueFn: func(_ context.Context, _, _ string, number int, state string) (*gh.Issue, error) {
+			ghesEditCalls++
+			url := fmt.Sprintf("https://ghe.example.com/acme/widget/issues/%d", number)
+			createdAt := gh.Timestamp{Time: time.Now().UTC()}
+			updatedAt := gh.Timestamp{Time: time.Now().UTC()}
+			title := "GHES issue"
+			return &gh.Issue{
+				Number:    &number,
+				Title:     &title,
+				State:     &state,
+				HTMLURL:   &url,
+				CreatedAt: &createdAt,
+				UpdatedAt: &updatedAt,
+				User:      &gh.User{Login: new("ghes-user")},
+			}, nil
+		},
+	}
+
+	syncer := ghclient.NewSyncer(
+		map[string]ghclient.Client{
+			"github.com":      githubClient,
+			"ghe.example.com": ghesClient,
+		},
+		database,
+		nil,
+		[]ghclient.RepoRef{
+			{Owner: "acme", Name: "widget", PlatformHost: "github.com"},
+			{Owner: "acme", Name: "widget", PlatformHost: "ghe.example.com"},
+		},
+		time.Minute,
+		nil,
+		nil,
+	)
+	t.Cleanup(syncer.Stop)
+
+	srv := New(
+		database, syncer, nil, "/", nil, ServerOptions{},
+	)
+	t.Cleanup(func() {
+		shutdownCtx, cancel := context.WithTimeout(
+			context.Background(), 5*time.Second,
+		)
+		defer cancel()
+		_ = srv.Shutdown(shutdownCtx)
+	})
+
+	req := httptest.NewRequest(
+		http.MethodPost,
+		"/api/v1/repos/acme/widget/issues/7/github-state?platform_host=ghe.example.com",
+		strings.NewReader(`{"state":"closed"}`),
+	).WithContext(ctx)
+	req.Header.Set("Content-Type", "application/json")
+	rr := httptest.NewRecorder()
+	srv.ServeHTTP(rr, req)
+
+	require.Equal(http.StatusOK, rr.Code, rr.Body.String())
+	assert.Zero(githubEditCalls)
+	assert.Equal(1, ghesEditCalls)
+
+	githubRepo, err := database.GetRepoByHostOwnerName(
+		ctx, "github.com", "acme", "widget",
+	)
+	require.NoError(err)
+	require.NotNil(githubRepo)
+	githubIssue, err := database.GetIssueByRepoIDAndNumber(
+		ctx, githubRepo.ID, 7,
+	)
+	require.NoError(err)
+	require.NotNil(githubIssue)
+	assert.Equal("open", githubIssue.State)
+
+	ghesRepo, err := database.GetRepoByHostOwnerName(
+		ctx, "ghe.example.com", "acme", "widget",
+	)
+	require.NoError(err)
+	require.NotNil(ghesRepo)
+	ghesIssue, err := database.GetIssueByRepoIDAndNumber(
+		ctx, ghesRepo.ID, 7,
+	)
+	require.NoError(err)
+	require.NotNil(ghesIssue)
+	assert.Equal("closed", ghesIssue.State)
+}
+
 // TestAPIIssueDataFromGraphQLSync verifies the API correctly serves
 // issue data that was persisted by the GraphQL sync path. The sync
 // path itself (GraphQL fetch → normalize → DB upsert) is tested in
@@ -6936,6 +7051,43 @@ func TestAPIApprovePRRejectsAmbiguousRepoBeforeMutation(t *testing.T) {
 	assert.Zero(reviewCalls)
 }
 
+func TestAPIApprovePRRejectsAmbiguousTrackedRepoBeforeMutation(t *testing.T) {
+	assert := Assert.New(t)
+	require := require.New(t)
+	var reviewCalls int
+	mock := &mockGH{
+		createReviewFn: func(_ context.Context, _, _ string, _ int, _, body string) (*gh.PullRequestReview, error) {
+			reviewCalls++
+			id := int64(42)
+			state := "APPROVED"
+			submittedAt := gh.Timestamp{Time: time.Now().UTC()}
+			return &gh.PullRequestReview{
+				ID:          &id,
+				State:       &state,
+				Body:        &body,
+				SubmittedAt: &submittedAt,
+				User:        &gh.User{Login: new("reviewer")},
+			}, nil
+		},
+	}
+	srv, database := setupTestServerWithRepos(t, mock, []ghclient.RepoRef{
+		{Owner: "acme", Name: "widget", PlatformHost: "github.com"},
+		{Owner: "acme", Name: "widget", PlatformHost: "ghe.example.com"},
+	})
+	seedPROnHost(t, database, "github.com", "acme", "widget", 1)
+
+	rr := doJSON(
+		t,
+		srv,
+		http.MethodPost,
+		"/api/v1/repos/acme/widget/pulls/1/approve",
+		map[string]string{"body": "ship it"},
+	)
+
+	require.Equal(http.StatusBadRequest, rr.Code)
+	assert.Zero(reviewCalls)
+}
+
 func TestAPISetPRGitHubStateRejectsAmbiguousRepoBeforeMutation(t *testing.T) {
 	assert := Assert.New(t)
 	require := require.New(t)

internal/server/helpers.go

@@ -67,13 +67,35 @@ func (s *Server) lookupRepo(
 	ctx context.Context,
 	owner, name, platformHost string,
 ) (*db.Repo, error) {
+	if err := s.requireTrackedRepoUnambiguous(owner, name, platformHost); err != nil {
+		return nil, err
+	}
 	return s.repoIdentity().LookupRepo(ctx, repoIdentityRef{
 		owner:        owner,
 		name:         name,
 		platformHost: platformHost,
 	})
 }
 
+func (s *Server) requireTrackedRepoUnambiguous(
+	owner, name, platformHost string,
+) error {
+	if strings.TrimSpace(platformHost) == "" &&
+		s.syncer.IsTrackedRepoAmbiguous(owner, name) {
+		return errRepoAmbiguous
+	}
+	return nil
+}
+
+func firstNonEmpty(values ...string) string {
+	for _, value := range values {
+		if trimmed := strings.TrimSpace(value); trimmed != "" {
+			return trimmed
+		}
+	}
+	return ""
+}
+
 func (s *Server) filterConfiguredRepoSummaries(
 	summaries []db.RepoSummary,
 ) []db.RepoSummary {
@@ -89,18 +111,33 @@ func (s *Server) filterConfiguredRepoSummaries(
 
 // lookupMRID resolves the internal MR id from the common route tuple.
 func (s *Server) lookupMRID(ctx context.Context, ref repoNumberPathRef) (int64, error) {
+	if err := s.requireTrackedRepoUnambiguous(
+		ref.owner, ref.name, ref.platformHost,
+	); err != nil {
+		return 0, err
+	}
 	return s.repoIdentity().LookupMRID(ctx, ref)
 }
 
 // lookupIssueID resolves the internal issue id from the common route tuple.
 func (s *Server) lookupIssueID(ctx context.Context, ref repoNumberPathRef) (int64, error) {
+	if err := s.requireTrackedRepoUnambiguous(
+		ref.owner, ref.name, ref.platformHost,
+	); err != nil {
+		return 0, err
+	}
 	return s.repoIdentity().LookupIssueID(ctx, ref)
 }
 
 func (s *Server) lookupIssue(
 	ctx context.Context,
 	ref repoNumberPathRef,
 ) (*db.Repo, *db.Issue, error) {
+	if err := s.requireTrackedRepoUnambiguous(
+		ref.owner, ref.name, ref.platformHost,
+	); err != nil {
+		return nil, nil, err
+	}
 	return s.repoIdentity().LookupIssue(ctx, ref)
 }
 

internal/server/huma_routes.go

@@ -1899,7 +1899,7 @@ func (s *Server) setIssueGitHubState(
 		owner:        input.Owner,
 		name:         input.Name,
 		number:       input.Number,
-		platformHost: input.Body.PlatformHost,
+		platformHost: firstNonEmpty(input.PlatformHost, input.Body.PlatformHost),
 	})
 	if err != nil {
 		if errors.Is(err, errRepoAmbiguous) {