Skip to content

DRAFT: fix(types): validate unsafe response casts#839

Open
open-inspect[bot] wants to merge 1 commit into
mainfrom
automation/unsafe-cast-sweep-20260627
Open

DRAFT: fix(types): validate unsafe response casts#839
open-inspect[bot] wants to merge 1 commit into
mainfrom
automation/unsafe-cast-sweep-20260627

Conversation

@open-inspect

@open-inspect open-inspect Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

This is an automated nightly unsafe-cast remediation sweep. It replaces selected high-risk response-boundary assertions with Zod validation following the TypeScript Coding Standards unsafe-cast / parse-don't-assert guidance and the Zod boundary-validation pattern established in PR #807. This PR is marked DRAFT in the title/body because two exact verification gates are blocked in this workspace, as detailed below.

Requested label: automation:unsafe-cast

Findings Fixed

file:line risk cast removed how it was fixed
packages/web/src/lib/auth.ts:77 HIGH (await response.json()) as GithubEmail[] from GitHub's /user/emails API, feeding auth allowlist email resolution Package-local Zod schema in github-email-schema.ts; validates consumed fields and accepts visibility: null; malformed responses fail closed with []
packages/github-bot/src/handlers.ts:69 HIGH (await response.json()) as { sessionId: string }, feeding GitHub bot session state Package-local Zod schema in control-plane-responses.ts; invalid success responses throw through the existing session creation error path
packages/github-bot/src/handlers.ts:91 HIGH (await response.json()) as { messageId: string }, feeding GitHub bot message state Package-local Zod schema in control-plane-responses.ts; invalid success responses throw through the existing prompt delivery error path

Verification

command result
npm run build -w @open-inspect/shared PASS
npm run build -w @open-inspect/github-bot PASS
npm run build -w @open-inspect/web FAIL: TypeScript passes, then prerender of /automations/new fails with TypeError: Cannot read properties of null (reading 'useContext'); this page was not touched by this change
npm run typecheck PASS
npm run lint FAIL: root lint scans pre-existing untracked .opencode/ tooling files and reports globals such as process, fetch, Headers; committed files are clean
npm run lint -- --ignore-pattern '.opencode/**' PASS
npm run lint -w @open-inspect/shared PASS
npm run lint -w @open-inspect/github-bot PASS
npm run lint -w @open-inspect/web PASS
npm test -w @open-inspect/shared PASS
npm test -w @open-inspect/github-bot PASS
npm test -w @open-inspect/web PASS

Dependency Check

Added zod@^4.4.3 to @open-inspect/web for a genuinely package-local auth boundary. package-lock.json changed only to add the corresponding packages/web dependency entry; no unrelated lockfile churn remains.


Created with Open-Inspect

@github-actions

Copy link
Copy Markdown

Terraform Validation Results

Step Status
Format
Init
Validate

Note: Terraform plan was skipped because secrets are not configured. This is expected for external contributors. See docs/GETTING_STARTED.md for setup instructions.

Pushed by: @open-inspect[bot], Action: pull_request

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants