[BUG] Goal progress can be arbitrarily modified through the PATCH endpoint without verification against actual GitHub activity #1753

@Ridanshi

Description

Bug Summary

The goal update endpoint allows clients to directly modify goal progress values.

Progress updates are accepted without validating that the reported activity actually occurred on GitHub.

Describe the bug

The PATCH endpoint accepts a client-supplied current value and stores it after basic validation.

The endpoint verifies:

  • value type
  • non-negative values
  • current <= target

However, it does not verify whether the submitted progress corresponds to actual GitHub activity.

Users can therefore mark goals as completed without performing the underlying work.

To Reproduce

  1. Create a goal with a target value.
  2. Submit a PATCH request containing:

     {
       "current": target
     }

  3. Observe that the goal becomes complete.
  4. Verify that no GitHub activity was required.

Expected behavior

Goal progress should be derived from verified activity sources.

Client requests should not be able to arbitrarily mark goals as completed.

Actual behavior

Progress values are accepted directly from the client.

Additional context

Affected file:

src/app/api/goals/[id]/route.ts

Potential impact:

  • inaccurate achievement tracking
  • misleading progress reporting
  • inconsistent goal completion state
  • reduced trust in activity metrics

This issue primarily affects goal integrity rather than GitHub contribution statistics themselves.
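The following is an added illustration, not code from the report or from the project's route.ts: it places the client-trusted update pattern the report describes next to a variant that derives progress from a server-side activity source. The Goal shape, the ActivitySource interface and the sample data are assumptions made for the example.

```typescript
// Added example (assumed shapes, not the project's own code).
export interface Goal { id: string; target: number; current: number; completed: boolean }

// Assumed server-side source of verified activity counts, e.g. a sync job that
// has already pulled the user's GitHub events. Here it is an in-memory stub.
export interface ActivitySource { countFor(goalId: string): number }

// The pattern described in the report: type, sign and bound checks on the
// client-supplied value, then store it. Nothing ties `current` to real activity.
export function applyClientProgress(goal: Goal, body: unknown): Goal {
  const current = (body as { current?: unknown } | null)?.current;
  if (
    typeof current !== "number" ||
    !Number.isFinite(current) ||
    current < 0 ||
    current > goal.target
  ) {
    throw new Error("invalid current");
  }
  return { ...goal, current, completed: current >= goal.target };
}

// Hardened variant: the request is only a trigger to refresh the goal. The stored
// value is recomputed from the server-side source and clamped to [0, target], so
// a client cannot set it directly.
export function applyVerifiedProgress(goal: Goal, source: ActivitySource): Goal {
  const verified = Math.min(Math.max(0, source.countFor(goal.id)), goal.target);
  return { ...goal, current: verified, completed: verified >= goal.target };
}

// Constructed sample data: a goal of 10 units with 3 verified units of activity.
export const sampleGoal: Goal = { id: "g1", target: 10, current: 0, completed: false };
export const sampleSource: ActivitySource = { countFor: (id) => (id === "g1" ? 3 : 0) };
```

With the sample data, the client-trusted path marks the goal complete when the body carries `current: 10`, while the verified path stores 3 and leaves it incomplete.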
