From 61e6e778e0a9d16c91717253fc68d8d9d124ff5c Mon Sep 17 00:00:00 2001
From: Arthur Belleville
Date: Fri, 15 May 2026 10:19:48 +0200
Subject: [PATCH] fix(04-WR-04): guard against int32 overflow in TaskCreateHandler position arithmetic

maxPos + 100 could silently overflow to a negative value when maxPos approached MaxInt32. Added a maxAllowedPosition guard that returns a validation error before the InsertTask call if the column position space is exhausted.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 backend/internal/web/handlers_tasks.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/backend/internal/web/handlers_tasks.go b/backend/internal/web/handlers_tasks.go
index 0a201c2..74d7287 100644
--- a/backend/internal/web/handlers_tasks.go
+++ b/backend/internal/web/handlers_tasks.go
@@ -190,6 +190,27 @@ func TaskCreateHandler(deps TasksDeps) http.HandlerFunc {
 return
 }
 
+ const maxAllowedPosition = int32(2_000_000_000)
+ if maxPos > maxAllowedPosition-100 {
+ errs.General = "Column has too many tasks."
+ w.Header().Set("Content-Type", "text/html; charset=utf-8")
+ if r.Header.Get("HX-Request") == "true" {
+ w.Header().Set("HX-Retarget", "#add-task-slot-"+statusStr)
+ w.Header().Set("HX-Reswap", "innerHTML")
+ w.WriteHeader(http.StatusUnprocessableEntity)
+ _ = templates.TaskCreateFormFragment(
+ tablo.ID,
+ status,
+ templates.TaskCreateForm{Title: title, Status: statusStr},
+ errs,
+ csrf.Token(r),
+ ).Render(ctx, w)
+ return
+ }
+ http.Redirect(w, r, "/tablos/"+tablo.ID.String(), http.StatusSeeOther)
+ return
+ }
+
 task, err := deps.Queries.InsertTask(ctx, sqlc.InsertTaskParams{
 TabloID: tablo.ID,
 Title: title,
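Review bot: The non-HTMX branch of the new guard drops the error: `errs.General` is set and a `text/html` Content-Type header is written, but the handler then calls `http.Redirect(..., http.StatusSeeOther)` to the tablo page, so the user is never told the task was rejected. Either render the form with the error on that path as well or carry the message across the redirect, in line with however the handler's other validation failures treat non-HTMX requests (those are outside this hunk). The `100` in `maxAllowedPosition-100` presumably mirrors the step in the `maxPos + 100` expression the commit message mentions; sharing one named constant, e.g. `const positionStep int32 = 100`, and writing the check as `if maxPos > maxAllowedPosition-positionStep {` would keep the guard tied to the arithmetic it protects. Once a column crosses the bound, creation stays blocked until positions are renumbered, so any other handler that writes positions from client input (none visible here) should enforce the same bound. TaskCreateHandler starts and ends outside the hunk.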