max / makenotwork
```sql
-- Reject negative `duration_seconds` at the DB level. A negative duration cast
-- to u64 in `routes/storage/downloads.rs::stream_url` becomes ~u64::MAX,
-- producing a presigned URL with a multi-decade expiry — effectively a
-- permanent credential leak for the underlying object. The route now clamps
-- defensively, but pinning the invariant in the schema means no future
-- writer (admin tool, bulk import, manual SQL) can reintroduce it.
ALTER TABLE items
    ADD CONSTRAINT items_duration_seconds_nonnegative
    CHECK (duration_seconds IS NULL OR duration_seconds >= 0);

ALTER TABLE items
    ADD CONSTRAINT items_video_duration_seconds_nonnegative
    CHECK (video_duration_seconds IS NULL OR video_duration_seconds >= 0);
```
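The cast behaviour the migration comment refers to, and the route-side clamp it mentions, shown as an added Rust example (not code from the makenotwork repository; the function names, the `Option<i64>` input shape and the 7-day cap are assumptions):

```rust
// Added example, not the repository's code. Demonstrates why a negative
// duration must be rejected before it reaches a presigned-URL expiry and
// shows a defensive conversion. Names and the cap are assumptions.

/// Unchecked conversion, as described in the migration comment: `as u64`
/// reinterprets the two's-complement bits, so -1 becomes u64::MAX and
/// -2 becomes u64::MAX - 1. Any negative duration yields a near-permanent
/// expiry.
pub fn expiry_unchecked(duration_seconds: i64) -> u64 {
    duration_seconds as u64
}

/// Policy cap on presigned-URL lifetime (constructed value: 7 days).
pub const MAX_EXPIRY_SECONDS: u64 = 7 * 24 * 60 * 60;

/// Defensive conversion: a missing value is an error, a negative value is
/// rejected by `try_from` instead of wrapping, and the result is clamped
/// to the policy cap so even a huge positive value cannot exceed it.
pub fn expiry_checked(duration_seconds: Option<i64>) -> Result<u64, String> {
    let secs = duration_seconds.ok_or_else(|| "missing duration".to_string())?;
    let secs = u64::try_from(secs)
        .map_err(|_| format!("negative duration {secs} rejected"))?;
    Ok(secs.min(MAX_EXPIRY_SECONDS))
}

fn main() {
    // Same input, two outcomes: the wrap versus the rejection.
    println!("unchecked(-1) = {}", expiry_unchecked(-1));
    println!("checked(-1)   = {:?}", expiry_checked(Some(-1)));
    println!("checked(60)   = {:?}", expiry_checked(Some(60)));
}
```

The DB CHECK constraint and this conversion guard the same invariant from two sides; the constraint stops bad rows from being written, the conversion stops a bad row that slipped in from becoming a long-lived URL.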