fix: test-login hardening and agent CLI access for harness-config

[ptone]

Summary

• test-login handler hardening (pkg/hub/handlers_test_login.go):
  • M1: Distinguish store.ErrNotFound from transient DB errors in GetUserByEmail — return 500 for unexpected failures instead of silently creating duplicate user records
  • L1: Add http.MaxBytesReader(4096) body size limit before JSON decoding
  • L2: Validate email contains @ before processing
  • L3: Track whether displayName was explicitly provided so the default (email) doesn't overwrite an existing user's display name
• Agent CLI access (cmd/cli_mode.go): Add all harness-config subcommands to agentAllowed so agents can manage harness configs via the CLI
• Tests added for email validation (400) and DB error handling (500)

Fixes 3 (file-browser badge) and 4 (page title) from the brief were already resolved in the codebase.

Refs GoogleCloudPlatform#396

Test plan

• go test ./pkg/hub/ -run TestHandleTestLogin — all tests pass
• go build ./cmd/ — compiles cleanly

[gemini-code-assist]

Code Review

This pull request introduces several harness-config commands to the allowed agent CLI modes, adds request body size limits, basic email validation, and improved database error handling to the test login handler, along with corresponding unit tests. The review feedback suggests aligning the newly added CLI mode map values for consistency and using net/mail.ParseAddress for more robust email validation.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

For better readability and consistency with the existing code in this file, please align the true values for the newly added harness-config commands.

Suggested change

	"harness-config": true,
	"harness-config.list": true,
	"harness-config.show": true,
	"harness-config.install": true,
	"harness-config.sync": true,
	"harness-config.push": true,
	"harness-config.pull": true,
	"harness-config.delete": true,
	"harness-config.reset": true,
	"harness-config.upgrade": true,
	"harness-config": true,
	"harness-config.list": true,
	"harness-config.show": true,
	"harness-config.install": true,
	"harness-config.sync": true,
	"harness-config.push": true,
	"harness-config.pull": true,
	"harness-config.delete": true,
	"harness-config.reset": true,
	"harness-config.upgrade": true,

[gemini-code-assist]

The current email validation is very basic and can be easily bypassed (e.g., with inputs like "@"). For more robust validation, I recommend using net/mail.ParseAddress from the standard library.

To use this, you'll need to add "net/mail" to your imports.

Suggested change

	if !strings.Contains(req.Email, "@") {
	http.Error(w, "email must contain @", http.StatusBadRequest)
	return
	}
	if _, err := mail.ParseAddress(req.Email); err != nil {
	http.Error(w, "invalid email address", http.StatusBadRequest)
	return
	}