fix: apply code review security and robustness fixes

- Add require_engineer_or_admin to POST/PUT/DELETE in target_lists.py (blocks viewers from write ops)
- Add require_engineer_or_admin to POST/PATCH in maintenance_schedules.py (blocks viewers from write ops)
- Add team ownership guard in batch_launch_sessions after active/published checks (Fix 2)
- Wrap scheduler.remove_job in try/except for SchedulerNotRunningError and JobLookupError (Fix 3)
- Recompute next_run_at when is_active flips to True, capturing was_active before update (Fix 4)
- Add optional batch_id and target_label fields to Session type; remove unsafe cast in MaintenanceFlowDetailPage.tsx (Fix 5)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
chihlasm
2026-02-17 16:15:19 -05:00
parent a4717e9dd7
commit 6240d68d09
6 changed files with 24 additions and 7 deletions


@@ -69,7 +69,7 @@ export default function MaintenanceFlowDetailPage() {
// Group sessions by batch_id for run history
const batchMap = new Map<string, Session[]>()
for (const s of recentSessions) {
const key = (s as Session & { batch_id?: string }).batch_id ?? s.id
const key = s.batch_id ?? s.id
const existing = batchMap.get(key) ?? []
batchMap.set(key, [...existing, s])
}
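Review bot: The new `const key = s.batch_id ?? s.id` falls back only on `null`/`undefined`, so an empty-string `batch_id` from the API would collect every such session under a single `""` entry and present unrelated runs as one batch in the run history. Whether the backend can emit `""` is not visible in this hunk; if it can, normalise before grouping, e.g. `const key = s.batch_id || s.id`. The line also places batch ids and session ids in the same key space of `batchMap`, which is only safe if the two id formats cannot coincide, and a one-line comment stating that assumption would help. The grouping loop sits inside `MaintenanceFlowDetailPage`, whose body continues outside the hunk.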


@@ -60,6 +60,8 @@ export interface Session {
scratchpad: string
next_steps: string
session_variables: Record<string, string>
batch_id?: string
target_label?: string
}
export interface SessionCreate {
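Review bot: `batch_id?: string` and `target_label?: string` admit only absent-or-string, but a Python backend often serialises unset optional fields as `null`, which this declaration would hide from the type checker. The response schema is not shown here, so this needs checking against the server model. If `null` can arrive, declare `batch_id?: string | null` and `target_label?: string | null` so every consumer has to handle it explicitly rather than relying on a `??` at one call site. Both fields are also undocumented; a short TSDoc line on each saying which server operation sets it and when it is absent (for example `/** Set on sessions created by a batch launch; absent otherwise. */`, adjusted to the real semantics) would keep later callers from guessing.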