
Fix REST endpoint /set allowing clients to set serverOnlyFields#402

Merged
pubkey merged 2 commits into master from claude/fix-readonly-fields-bug-QsmlY
Apr 15, 2026

Conversation


@pubkey pubkey commented Apr 14, 2026

This PR contains:

  • A BUGFIX
  • IMPROVED TESTS

Describe the problem you have without this PR

The REST endpoint /set operation was allowing clients to populate serverOnlyFields when inserting NEW documents. While updates to existing documents already stripped client-supplied values for these fields, the insert path passed the client document directly to RxCollection.insert() without filtering. This allowed clients to persist arbitrary values into fields documented as server-only, violating the security contract.

Changes Made

  1. New helper function (stripServerOnlyFieldsMonad in src/plugins/server/helper.ts):
    • Creates a function that removes server-only fields from client documents
    • Unlike the existing removeServerOnlyFieldsMonad, it doesn't assign undefined to RxDB internal meta fields, making it safe for RxCollection.insert()
  2. Updated REST endpoint handler (src/plugins/server/endpoint-rest.ts):
    • Imports and uses the new stripServerOnlyFieldsMonad function
    • Strips server-only fields from client documents before inserting new documents via /set
    • Ensures consistent behavior between insert and update operations
  3. Added test coverage (test/unit/endpoint-rest.test.ts):
    • New test verifies that clients cannot set serverOnlyFields when creating new documents via /set
    • Uses humanDefault schema where lastName is optional to validate the security fix
  4. Updated CHANGELOG.md with bug fix description

Test Plan

The added unit test 'should not allow clients to set serverOnlyFields when inserting NEW documents via /set' covers this fix by:

  • Creating a document with a server-only field set to a client-provided value
  • Verifying the server-only field was not persisted with the client's value
  • Confirming the documented contract is enforced

https://claude.ai/code/session_017a16qgJ3hi4Zap9dJF46nx
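The insert-versus-update asymmetry described in this PR, shown as an added example that is not RxDB's own code: a /set-style upsert that applies the same stripping before both branches. The helper name, the Map standing in for the collection, the `id` primary key and the `lastName` server-only field (mirroring the PR's test) are assumptions for this illustration.

```typescript
// Added example, not RxDB's own code: a /set-style handler that strips
// server-only fields on BOTH the insert and the update path. The helper
// name, the Map standing in for the collection and the field names are
// assumptions made for this illustration.

type Doc = Record<string, unknown>;

// Returns a function that removes the given server-only keys from a
// client document. Keys are deleted rather than assigned undefined, so
// the result is safe to pass to an insert that rejects undefined values.
export function stripServerOnlyFieldsMonad(serverOnlyFields: string[]) {
  return (clientDoc: Doc): Doc => {
    const copy: Doc = { ...clientDoc };
    for (const field of serverOnlyFields) {
      delete copy[field];
    }
    return copy;
  };
}

// Upsert into `collection`, keyed by `primaryKey`. The same stripping
// runs before the insert branch and before the update branch, so a
// client can never persist a value into a server-only field either way.
export function handleSet(
  collection: Map<string, Doc>,
  primaryKey: string,
  serverOnlyFields: string[],
  clientDoc: Doc,
): Doc {
  const strip = stripServerOnlyFieldsMonad(serverOnlyFields);
  const stripped = strip(clientDoc);
  const id = String(clientDoc[primaryKey]);
  const existing = collection.get(id);

  if (existing === undefined) {
    // Insert of a NEW document. The bug fixed by this PR was that the
    // raw clientDoc was inserted here without stripping.
    collection.set(id, stripped);
    return stripped;
  }

  // Update: client fields overwrite, but the stored server-only values
  // survive because `stripped` never contains those keys.
  const merged: Doc = { ...existing, ...stripped };
  collection.set(id, merged);
  return merged;
}
```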

claude and others added 2 commits April 14, 2026 13:42
The REST /set handler stripped server-only field values from client
input only on UPDATES. When inserting a new document, the client doc
was passed straight to RxCollection.insert(), letting clients persist
arbitrary values into fields documented as server-only.

Add stripServerOnlyFieldsMonad and use it in the insert branch of
/set so the server-only contract holds for both inserts and updates.
@pubkey pubkey merged commit 4fd1d5e into master Apr 15, 2026
2 checks passed