fix: block direct progress updates on activity-derived goals

[Ridanshi]

Closes #1753

Problem

PATCH /api/goals/[id] accepted any client-supplied current value — including one equal to target — regardless of the goal's unit type. For goals whose progress is meant to come from verified GitHub activity (unit: "commits" or unit: "prs"), this allowed a user to mark a goal complete without a single real commit or pull request:

PATCH /api/goals/<id>
{ "current": 50 }   # target is 50, but user has 0 real commits
→ 200 OK

The sync endpoint (POST /api/goals/sync) queries the GitHub Search API and is the only trusted source for progress on activity-derived goals. Accepting client values in PATCH breaks that trust boundary.

Root cause

The PATCH handler performed only typeof current !== "number" || current < 0, which passes for any non-negative number including floats and values exceeding the goal target. No check existed for the goal's unit type.

Fix

src/app/api/goals/[id]/route.ts

• Introduces ACTIVITY_DERIVED_UNITS = new Set(["commits", "prs"]).
• After fetching the existing goal, returns 422 if existingGoal.unit is in that set. The error message directs callers to the sync endpoint.
• Tightens the input validation: current must now be a non-negative integer (rejects floats such as 5.5).
• Adds an upper-bound check so current cannot exceed the goal's target on manually tracked goals.

Manually tracked goals (any unit other than "commits" / "prs", e.g. "hours", "tasks", or custom strings) continue to accept client-supplied progress exactly as before.

The GitHub sync route is unaffected — it calls supabaseAdmin…update({ current }) directly and bypasses the PATCH handler entirely.

Tests

test/goals-patch-integrity.test.ts — 19 new tests:

Category	Cases
Authentication	unauthenticated session, unresolved user
Input validation	missing field, float, negative, string
Goal not found	ownership-scoped lookup returns null
Activity-derived guard	commits goal → 422, prs goal → 422, regression for #1753 (setting current = target on commits), partial update on prs
Upper-bound guard	current > target → 400
Legitimate manual updates	hours, custom unit, reset to 0, completing at target
Webhook dispatch	fires on first completion, silent when already complete, silent when not yet complete

All 19 pass; the single pre-existing failure in test/dateUtils.test.ts (timezone boundary, unrelated to goals) was already present on main before this branch.

[vercel]

@Ridanshi is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

• level:beginner — 20 pts
• level:intermediate — 35 pts
• level:advanced — 55 pts
• level:critical — 80 pts

Quality (optional):

• quality:clean — ×1.2 multiplier
• quality:exceptional — ×1.5 multiplier

Validation (required to score):

• gssoc:approved — counts for points
• gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

[github-actions]

Thanks for your first PR on DevTrack! 🎉

A maintainer will review it within 48 hours. While you wait:

• Make sure CI is passing (type-check + lint)
• Double-check the PR description is filled out and the issue is linked
• Feel free to ask questions in Discussions if you need help

If you find DevTrack useful, a ⭐ star on the repo is always appreciated — it helps the project grow and attract more contributors!

[github-actions]

🎉 Merged! Thanks for contributing to DevTrack.

If the project has been useful to you, a ⭐ star on the repo is the easiest way to support it — it helps DevTrack get discovered by more developers.

Keep an eye on open issues for your next contribution!