fix: reset RegisterUpdateDialog state on close and block metadata shadowing

- useEffect resets id/name/automated/metadata/error when dialog closes,
  so reopening starts clean instead of showing stale inputs or errors.
- Strip id/update_name/automated from the JSON metadata object and
  spread extras before the UI-controlled fields so user metadata
  cannot override validated top-level values.
- Add regression test covering the reserved-key stripping.

Author: bburda

src/components/RegisterUpdateDialog.test.tsx

@@ -29,6 +29,23 @@ describe('RegisterUpdateDialog', () => {
         expect(onSubmit).not.toHaveBeenCalled();
     });
 
+    it('strips reserved keys from metadata so UI-validated fields win', async () => {
+        const onSubmit = vi.fn().mockResolvedValue(undefined);
+        render(<RegisterUpdateDialog open onClose={() => {}} onSubmit={onSubmit} />);
+        fireEvent.change(screen.getByLabelText(/^id$/i), { target: { value: 'ui-id' } });
+        fireEvent.change(screen.getByLabelText(/additional metadata/i), {
+            target: { value: '{"id":"evil","update_name":"evil","automated":true,"extra":1}' },
+        });
+        fireEvent.click(screen.getByRole('button', { name: /^register$/i }));
+        await waitFor(() =>
+            expect(onSubmit).toHaveBeenCalledWith({
+                id: 'ui-id',
+                update_name: 'ui-id',
+                extra: 1,
+            })
+        );
+    });
+
     it('submits merged body on valid input', async () => {
         const onSubmit = vi.fn().mockResolvedValue(undefined);
         render(<RegisterUpdateDialog open onClose={() => {}} onSubmit={onSubmit} />);

src/components/RegisterUpdateDialog.tsx

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { useState } from 'react';
+import { useEffect, useState } from 'react';
 import { Button } from '@/components/ui/button';
 import { Input } from '@/components/ui/input';
 import { Label } from '@/components/ui/label';
@@ -41,6 +41,17 @@ export function RegisterUpdateDialog({ open, onClose, onSubmit }: Props) {
     const [error, setError] = useState<string | null>(null);
     const [submitting, setSubmitting] = useState(false);
 
+    useEffect(() => {
+        if (!open) {
+            setId('');
+            setName('');
+            setAutomated(false);
+            setMetadata('{}');
+            setError(null);
+            setSubmitting(false);
+        }
+    }, [open]);
+
     const handleSubmit = async () => {
         setError(null);
         if (!id.trim()) {
@@ -54,22 +65,25 @@ export function RegisterUpdateDialog({ open, onClose, onSubmit }: Props) {
                 if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
                     throw new Error('not an object');
                 }
-                extras = parsed as Record<string, unknown>;
+                const { id: _i, update_name: _n, automated: _a, ...safe } = parsed as Record<string, unknown>;
+                void _i;
+                void _n;
+                void _a;
+                extras = safe;
             } catch {
                 setError('invalid JSON in additional metadata');
                 return;
             }
         }
-        const body: RegisterUpdateBody = { id: id.trim(), ...extras };
-        body.update_name = name.trim() || id.trim();
+        const body: RegisterUpdateBody = {
+            ...extras,
+            id: id.trim(),
+            update_name: name.trim() || id.trim(),
+        };
         if (automated) body.automated = true;
         setSubmitting(true);
         try {
             await onSubmit(body);
-            setId('');
-            setName('');
-            setAutomated(false);
-            setMetadata('{}');
             onClose();
         } catch (e) {
             setError(e instanceof Error ? e.message : String(e));