Fix dependency audit findings, lint errors, and contact move authorization

.agents/skills/testing-bonds-runtime/SKILL.md

@@ -0,0 +1,53 @@
+---
+name: testing-bonds-runtime
+description: Test the Bonds app end-to-end locally through the browser. Use when verifying dependency changes or full-stack runtime behavior across registration, vaults, and contacts.
+---
+
+# Bonds Runtime Testing
+
+## Devin Secrets Needed
+
+None for the local self-registration smoke flow. The default local seed enables registration and disables required email verification when SMTP is not configured.
+
+## Verified local setup
+
+From the repo root, run the backend and frontend in separate shells:
+
+```bash
+cd server
+GOPROXY=https://goproxy.cn,direct \
+SERVER_PORT=8080 \
+SERVER_HOST=0.0.0.0 \
+DB_DRIVER=sqlite \
+DB_DSN=/absolute/path/to/repo/.devin-test/bonds-e2e.db \
+STORAGE_UPLOAD_DIR=/absolute/path/to/repo/.devin-test/uploads \
+BLEVE_INDEX_PATH=/absolute/path/to/repo/.devin-test/bleve \
+BACKUP_DIR=/absolute/path/to/repo/.devin-test/backups \
+JWT_SECRET=devin-local-e2e-secret \
+APP_URL=http://localhost:5173 \
+go run cmd/server/main.go
+```
+
+```bash
+cd web
+PLAYWRIGHT_SERVER_PORT=8080 bun dev --host 0.0.0.0
+```
+
+Vite serves the app at `http://localhost:5173` and proxies `/api` to the Go backend on port 8080.
+
+## Browser smoke flow
+
+1. Open `http://localhost:5173/register`.
+2. Assert the page renders `Create an account` and the `Create account` button.
+3. Register a unique local user using a unique `@example.com` email and a password such as `Password123!`.
+4. Assert the app redirects to `/vaults` and shows the authenticated `Vaults` page.
+5. Create a vault with a recognizable name.
+6. Assert the vault dashboard loads and shows `Add contact`.
+7. Create a contact with first name, last name, and nickname.
+8. Assert the contact detail page shows the expected name, nickname, first/last fields, and `Active` status.
+
+## Notes and caveats
+
+- If backend startup logs that Bleve search could not initialize, search may be disabled; this does not block the registration/vault/contact smoke flow, but do not claim search was tested.
+- Ant Design deprecation warnings might appear in the browser console; record them as DX warnings unless they block runtime behavior.
+- Use screen recording with annotations for UI testing evidence.

server/go.mod

@@ -1,6 +1,6 @@
 module github.com/naiba/bonds
 
-go 1.25.2
+go 1.25.10
 
 require (
 	github.com/6tail/lunar-go v1.4.6
@@ -20,7 +20,8 @@ require (
 	github.com/pquerna/otp v1.5.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/swaggo/echo-swagger v1.4.1
-	golang.org/x/crypto v0.48.0
+	github.com/swaggo/swag v1.16.6
+	golang.org/x/crypto v0.50.0
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/driver/sqlite v1.6.0
 	gorm.io/gorm v1.31.1
@@ -81,20 +82,19 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/swaggo/files/v2 v2.0.0 // indirect
-	github.com/swaggo/swag v1.16.6 // indirect
 	github.com/teambition/rrule-go v1.8.2 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.etcd.io/bbolt v1.4.0 // indirect
-	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/mod v0.34.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
 	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
-	golang.org/x/tools v0.41.0 // indirect
+	golang.org/x/tools v0.43.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

server/go.sum

@@ -212,26 +212,26 @@ go.etcd.io/bbolt v1.4.0 h1:TU77id3TnN/zKr7CO/uk+fBCwF2jGcMuw2B/FMAzYIk=
 go.etcd.io/bbolt v1.4.0/go.mod h1:AsD+OCi/qPN1giOX1aiLAha3o1U8rAz65bvN4j0sRuk=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
 golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

server/internal/handlers/handlers_test.go

@@ -69,10 +69,11 @@ type userData struct {
 }
 
 type vaultData struct {
-	ID          string `json:"id"`
-	AccountID   string `json:"account_id"`
-	Name        string `json:"name"`
-	Description string `json:"description"`
+	ID            string `json:"id"`
+	AccountID     string `json:"account_id"`
+	Name          string `json:"name"`
+	Description   string `json:"description"`
+	UserContactID string `json:"user_contact_id"`
 }
 
 type contactData struct {

server/internal/handlers/permission_test.go

@@ -493,6 +493,63 @@ func TestCrossVaultToggleFavoriteBlocked(t *testing.T) {
 	}
 }
 
+func TestCrossAccountContactMoveBlocked(t *testing.T) {
+	ts := setupTestServer(t)
+	token1, _ := ts.registerTestUser(t, "cross-account-move-owner@example.com")
+	vault1 := ts.createTestVault(t, token1, "Move Owner Vault")
+	contact1 := ts.createTestContact(t, token1, vault1.ID, "MoveContact")
+
+	token2, _ := ts.registerTestUser(t, "cross-account-move-intruder@example.com")
+	vault2 := ts.createTestVault(t, token2, "Move Intruder Vault")
+
+	path := fmt.Sprintf("/api/vaults/%s/contacts/%s/move", vault1.ID, contact1.ID)
+	body := fmt.Sprintf(`{"target_vault_id":"%s"}`, vault2.ID)
+	rec := ts.doRequest(http.MethodPost, path, body, token1)
+	if rec.Code != http.StatusNotFound {
+		t.Errorf("expected 404 for cross-account contact move, got %d: %s", rec.Code, rec.Body.String())
+	}
+}
+
+func TestCrossAccountContactMoveWithSharedUserBlocked(t *testing.T) {
+	ts := setupTestServer(t)
+	token1, auth1 := ts.registerTestUser(t, "shared-cross-account-owner@example.com")
+	vault1 := ts.createTestVault(t, token1, "Shared Move Owner Vault")
+	contact1 := ts.createTestContact(t, token1, vault1.ID, "SharedMoveContact")
+
+	token2, _ := ts.registerTestUser(t, "shared-cross-account-other@example.com")
+	vault2 := ts.createTestVault(t, token2, "Shared Move Other Vault")
+	addUserToVault(t, ts, auth1.User.ID, vault2.ID, models.PermissionEditor)
+
+	path := fmt.Sprintf("/api/vaults/%s/contacts/%s/move", vault1.ID, contact1.ID)
+	body := fmt.Sprintf(`{"target_vault_id":"%s"}`, vault2.ID)
+	rec := ts.doRequest(http.MethodPost, path, body, token1)
+	if rec.Code != http.StatusNotFound {
+		t.Errorf("expected 404 for cross-account shared-user contact move, got %d: %s", rec.Code, rec.Body.String())
+	}
+}
+
+func TestShadowContactMoveBlocked(t *testing.T) {
+	ts := setupTestServer(t)
+	token, _ := ts.registerTestUser(t, "shadow-move-owner@example.com")
+	sourceVault := ts.createTestVault(t, token, "Shadow Source Vault")
+	targetVault := ts.createTestVault(t, token, "Shadow Target Vault")
+
+	path := fmt.Sprintf("/api/vaults/%s/contacts/%s/move", sourceVault.ID, sourceVault.UserContactID)
+	body := fmt.Sprintf(`{"target_vault_id":"%s"}`, targetVault.ID)
+	rec := ts.doRequest(http.MethodPost, path, body, token)
+	if rec.Code != http.StatusNotFound {
+		t.Errorf("expected 404 for shadow contact move, got %d: %s", rec.Code, rec.Body.String())
+	}
+
+	var contact models.Contact
+	if err := ts.db.First(&contact, "id = ?", sourceVault.UserContactID).Error; err != nil {
+		t.Fatalf("failed to load shadow contact: %v", err)
+	}
+	if contact.VaultID != sourceVault.ID {
+		t.Errorf("expected shadow contact to remain in source vault %s, got %s", sourceVault.ID, contact.VaultID)
+	}
+}
+
 // ==================== C. Viewer Permission Enforcement ====================
 
 func setupViewerTest(t *testing.T) (ts *testServer, adminToken string, viewerToken string, vaultID string, contactID string) {

server/internal/services/contact_move.go

@@ -20,26 +20,26 @@ func NewContactMoveService(db *gorm.DB) *ContactMoveService {
 
 func (s *ContactMoveService) Move(contactID, currentVaultID, targetVaultID, userID string) (*dto.ContactResponse, error) {
 	var contact models.Contact
-	if err := s.db.Where("id = ? AND vault_id = ?", contactID, currentVaultID).First(&contact).Error; err != nil {
+	if err := s.db.Joins("Vault").Where("contacts.id = ? AND contacts.vault_id = ? AND contacts.can_be_deleted = ?", contactID, currentVaultID, true).First(&contact).Error; err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, ErrContactNotFound
 		}
 		return nil, err
 	}
 
-	var targetVault models.Vault
-	if err := s.db.Where("id = ?", targetVaultID).First(&targetVault).Error; err != nil {
+	var targetUserVault models.UserVault
+	if err := s.db.Joins("JOIN vaults ON vaults.id = user_vault.vault_id").Where("user_vault.user_id = ? AND user_vault.vault_id = ? AND user_vault.permission <= ? AND vaults.account_id = ?", userID, targetVaultID, models.PermissionEditor, contact.Vault.AccountID).First(&targetUserVault).Error; err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, ErrTargetVaultNotFound
 		}
 		return nil, err
 	}
 
-	contact.VaultID = targetVaultID
-	if err := s.db.Save(&contact).Error; err != nil {
+	if err := s.db.Model(&models.Contact{}).Where("id = ?", contact.ID).Update("vault_id", targetVaultID).Error; err != nil {
 		return nil, err
 	}
 
+	contact.VaultID = targetVaultID
 	resp := toContactResponse(&contact, false)
 	return &resp, nil
 }

server/internal/services/contact_move_test.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/naiba/bonds/internal/dto"
+	"github.com/naiba/bonds/internal/models"
 	"github.com/naiba/bonds/internal/testutil"
 )
 
@@ -53,6 +54,37 @@ func TestMoveContact(t *testing.T) {
 	if resp.VaultID != vault2ID {
 		t.Errorf("Expected vault_id '%s', got '%s'", vault2ID, resp.VaultID)
 	}
+
+	var contact models.Contact
+	if err := svc.db.First(&contact, "id = ?", contactID).Error; err != nil {
+		t.Fatalf("Load moved contact failed: %v", err)
+	}
+	if contact.VaultID != vault2ID {
+		t.Errorf("Expected persisted vault_id '%s', got '%s'", vault2ID, contact.VaultID)
+	}
+}
+
+func TestMoveContactTargetVaultViewerBlocked(t *testing.T) {
+	svc, contactID, vault1ID, vault2ID, userID := setupContactMoveTest(t)
+
+	if err := svc.db.Model(&models.UserVault{}).
+		Where("user_id = ? AND vault_id = ?", userID, vault2ID).
+		Update("permission", models.PermissionViewer).Error; err != nil {
+		t.Fatalf("Update target vault permission failed: %v", err)
+	}
+
+	_, err := svc.Move(contactID, vault1ID, vault2ID, userID)
+	if err != ErrTargetVaultNotFound {
+		t.Errorf("Expected ErrTargetVaultNotFound, got %v", err)
+	}
+
+	var contact models.Contact
+	if err := svc.db.First(&contact, "id = ?", contactID).Error; err != nil {
+		t.Fatalf("Load contact failed: %v", err)
+	}
+	if contact.VaultID != vault1ID {
+		t.Errorf("Expected contact to remain in vault '%s', got '%s'", vault1ID, contact.VaultID)
+	}
 }
 
 func TestMoveContactNotFound(t *testing.T) {