Summary
rsvps.setStatus persists arbitrary RSVP status strings. Live QA submitted status: "not-a-real-rsvp-status"; the capability returned success and stored that value.
Expected
RSVP status should be limited to the supported values: going, maybe, and cancelled. Invalid values should return a validation error and leave the current RSVP unchanged.
Evidence
- Live target:
https://eagles.kychon.com
- Temporary QA data was cleaned up after the repro.
- Spec:
openspec/specs/events/spec.md:23 defines the allowed RSVP statuses.
- Handler area:
functions/kychon-api.js:1092 and functions/kychon-api.js:1115 write input.status || "going" without enum validation.
Suggested Test
Add tests for create and update paths that reject unknown RSVP statuses, empty strings that should not silently coerce, and casing variants such as Going.
Summary
rsvps.setStatuspersists arbitrary RSVP status strings. Live QA submittedstatus: "not-a-real-rsvp-status"; the capability returned success and stored that value.Expected
RSVP status should be limited to the supported values:
going,maybe, andcancelled. Invalid values should return a validation error and leave the current RSVP unchanged.Evidence
https://eagles.kychon.comopenspec/specs/events/spec.md:23defines the allowed RSVP statuses.functions/kychon-api.js:1092andfunctions/kychon-api.js:1115writeinput.status || "going"without enum validation.Suggested Test
Add tests for create and update paths that reject unknown RSVP statuses, empty strings that should not silently coerce, and casing variants such as
Going.