@kaavee315draftchecks…fix/mcp-json-actions-validation → master2 files · +231 −3updated 6d agoIn apps/apollo/src/lib/mcp/core/validateRequest.ts (lines 180-184), the Prisma Json columns actions and authConfigs on McpServer were cast directly to string[] with as string[] and no runtime validation. If the database ever stores a non-array value (null, object, number, etc.) these casts would silently produce wrong types, causing downstream panics or incorrect behavior (e.g., allowed_tools becoming an object instead of an array).
The fix parses each column with z.array(z.string()).safeParse() -- the same defensive pattern already used for ProjectConfigSchema.safeParse a few lines above -- and falls back to serverResult.val.allowedTools (for actions) or [] (for authConfigs) when parsing fails. This is a non-breaking, purely defensive guard.
ProjectConfigSchema.safeParse pattern in the same function to ensure consistency.allowed_tools fallback path (serverResult.val.allowedTools) was already in the original code; the new code preserves that exact fallback, so behaviour for the happy path (valid string[]) is unchanged.🤖 Generated with Claude Code