
fix(types): validate unsafe boundary casts#830

Open
open-inspect[bot] wants to merge 1 commit into
mainfrom
automation/unsafe-cast-sweep-20260626

Conversation

open-inspect[bot] (Contributor) commented Jun 26, 2026

This is an automated nightly unsafe-cast remediation. It replaces three high-risk TypeScript assertions at request/internal-session/API trust boundaries with Zod safeParse validation, following the TypeScript Coding Standards unsafe-cast / parse-don't-assert guidance and the Zod boundary-validation pattern established in PR #807.

| Finding | Risk | Cast removed | Fix |
|---|---|---|---|
| `packages/control-plane/src/routes/session-child-spawn.ts:36` | HIGH | `(await request.json()) as SpawnChildSessionRequest` for child session creation input | Added shared `spawnChildSessionRequestSchema` with `z.infer` as the type source and validated the request body with `safeParse`, preserving the existing 400 "title and prompt are required" path |
| `packages/control-plane/src/routes/session-child-spawn.ts:82` | HIGH | `(await spawnContextRes.json()) as SpawnContext` for parent session state used to initialize child sessions | Added shared `spawnContextSchema` with nullable fields modeled explicitly and validated the internal response with `safeParse`, preserving the existing 500 "Failed to get parent session context" path |
| `packages/github-bot/src/github-auth.ts:132` | HIGH | `(await response.json()) as { permission: string }` for the GitHub collaborator permission authorization response | Added a local Zod response schema and validated with `safeParse`, preserving `{ hasPermission: false, error: true }` on malformed API responses |

Verification:

| Command | Result |
|---|---|
| `npm test -w @open-inspect/shared -- src/types/boundary-schemas.test.ts` | Passed |
| `npm test -w @open-inspect/github-bot -- test/github-auth.test.ts` | Passed |
| `npm test -w @open-inspect/control-plane -- src/router.spawn-child.test.ts` | Passed after `@open-inspect/shared` rebuild refreshed the new exports |
| `npm run build -w @open-inspect/shared` | Passed |
| `npm run build -w @open-inspect/control-plane` | Passed |
| `npm run build -w @open-inspect/github-bot` | Passed |
| `npm test -w @open-inspect/shared` | Passed |
| `npm test -w @open-inspect/control-plane` | Passed |
| `npm test -w @open-inspect/github-bot` | Passed |
| `npm run typecheck` | Passed |
| `npm run lint` | Passed after temporarily moving the pre-existing untracked `.opencode/` tooling directory out of the workspace so the root lint command evaluated tracked repository files |
| `npm run format` | Passed |
| `git diff --check` | Passed |

References: TypeScript Coding Standards unsafe-cast / parse-don't-assert guidance; Zod boundary-validation pattern established in PR #807.


Created with Open-Inspect

@open-inspect open-inspect Bot added the automation:unsafe-cast Automated unsafe TypeScript cast remediation label Jun 26, 2026
@github-actions


Terraform Validation Results

Step Status
Format
Init
Validate

Note: Terraform plan was skipped because secrets are not configured. This is expected for external contributors. See docs/GETTING_STARTED.md for setup instructions.

Pushed by: @open-inspect[bot], Action: pull_request
