fix: harden input validation on admin resolve endpoint

Address code review and security review findings:
- Validate attemptId as UUID before hitting DB
- Reject whitespace-only reason, enforce 1000-char limit
- Validate score values are finite numbers in 0-100 range
- Reject array scores
- Map TOCTOU race condition to 409 instead of 500
- Surface module/credential side-effect failures as warnings

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bokelley

server/src/routes/certification.ts

@@ -931,15 +931,23 @@ export function createCertificationRouters() {
   adminRouter.post('/attempts/:attemptId/resolve', async (req, res) => {
     try {
       const { attemptId } = req.params;
+      const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      if (!UUID_RE.test(attemptId)) {
+        return res.status(400).json({ error: 'Invalid attempt ID format' });
+      }
+
       const { action, scores, reason } = req.body as {
         action: 'cancel' | 'complete';
         scores?: Record<string, number>;
         reason: string;
       };
 
-      if (!reason || typeof reason !== 'string') {
+      if (!reason || typeof reason !== 'string' || reason.trim().length === 0) {
         return res.status(400).json({ error: 'reason is required' });
       }
+      if (reason.length > 1000) {
+        return res.status(400).json({ error: 'reason must be under 1000 characters' });
+      }
       if (action !== 'cancel' && action !== 'complete') {
         return res.status(400).json({ error: 'action must be "cancel" or "complete"' });
       }
@@ -954,36 +962,62 @@ export function createCertificationRouters() {
       }
 
       if (action === 'cancel') {
-        const updated = await certDb.cancelAttempt(attemptId, reason);
-        return res.json({ attempt: updated });
+        try {
+          const updated = await certDb.cancelAttempt(attemptId, reason.trim());
+          return res.json({ attempt: updated });
+        } catch (err) {
+          if (err instanceof Error && err.message.includes('not in_progress')) {
+            return res.status(409).json({ error: 'Attempt is no longer in_progress' });
+          }
+          throw err;
+        }
       }
 
       // action === 'complete'
-      if (!scores || typeof scores !== 'object' || Object.keys(scores).length === 0) {
-        return res.status(400).json({ error: 'scores are required for complete action' });
+      if (!scores || Array.isArray(scores) || typeof scores !== 'object' || Object.keys(scores).length === 0) {
+        return res.status(400).json({ error: 'scores must be a non-empty object' });
       }
+      const scoreValues = Object.values(scores);
+      if (!scoreValues.every(s => typeof s === 'number' && Number.isFinite(s))) {
+        return res.status(400).json({ error: 'All score values must be finite numbers' });
+      }
+      if (!scoreValues.every(s => s >= 0 && s <= 100)) {
+        return res.status(400).json({ error: 'Score values must be between 0 and 100' });
+      }
+
       const overallScore = Math.round(
-        Object.values(scores).reduce((sum, s) => sum + s, 0) / Object.values(scores).length
+        scoreValues.reduce((sum, s) => sum + s, 0) / scoreValues.length
       );
-      const passing = Object.values(scores).every(s => s >= 70) && overallScore >= 70;
-
-      const updated = await certDb.adminCompleteAttempt(attemptId, scores, overallScore, passing, reason);
+      const passing = scoreValues.every(s => s >= 70) && overallScore >= 70;
+
+      let updated;
+      try {
+        updated = await certDb.adminCompleteAttempt(attemptId, scores, overallScore, passing, reason.trim());
+      } catch (err) {
+        if (err instanceof Error && err.message.includes('not in_progress')) {
+          return res.status(409).json({ error: 'Attempt is no longer in_progress' });
+        }
+        throw err;
+      }
 
       // If passing, also mark the module as completed and check credentials
+      const warnings: string[] = [];
       if (passing && updated.module_id) {
         try {
           await certDb.completeModule(updated.workos_user_id, updated.module_id, scores);
         } catch (modError) {
+          warnings.push('Module completion failed — run backfill');
           logger.error({ error: modError, attemptId, moduleId: updated.module_id }, 'Failed to mark module complete after admin resolve');
         }
         try {
           await certDb.checkAndAwardCredentials(updated.workos_user_id);
         } catch (credError) {
+          warnings.push('Credential check failed — run backfill');
           logger.error({ error: credError, attemptId }, 'Failed to check credentials after admin resolve');
         }
       }
 
-      return res.json({ attempt: updated });
+      return res.json({ attempt: updated, ...(warnings.length > 0 && { warnings }) });
     } catch (error) {
       logger.error({ error, attemptId: req.params.attemptId }, 'Failed to resolve stuck attempt');
       res.status(500).json({ error: 'Internal server error' });