[H-6 / Phase 3] [MEDIUM] Zod-parse checkpoint and intake-context deserialization #11

@matthewod11-stack

Full spec: docs/hardening-roadmap-2026-04-16.md#h-6

Description

Two places cast JSON directly to typed objects after minimal validation: intake-context.ts:110 casts after only checking conversationHistory is an array; checkpoint.ts likely similar. A corrupted or version-drifted file passes the check then fails cryptically deeper in a phase.

Current State

  • packages/intake/src/intake-context.ts:110 uses return parsed as unknown as IntakeContext.
  • packages/core/src/checkpoint.ts — needs audit.

Suggested Fix

  • Define IntakeContextSchema in packages/intake/src/schemas.ts.
  • Replace deserializeContext body with IntakeContextSchema.parse(JSON.parse(json)).
  • Define CheckpointSchema in @sourcerer/core; use it in loadCheckpoint.
  • Add version: 1 field to checkpoint file; reject mismatched versions with clear upgrade message.

Verification

  • pnpm build passes
  • pnpm test passes
  • pnpm typecheck clean
  • Loading malformed checkpoint → specific path error (not "cannot read property X of undefined")
  • Loading v0 checkpoint → clear "incompatible checkpoint version" error

Automation Hints

scope: packages/intake/src, packages/core/src/checkpoint.ts
do-not-touch: adapters, output
approach: add-validation
risk: low
max-files-changed: 5
blocked-by: #9
bail-if: intake tests fail

Priority

Medium
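
A sketch of the behaviour the Suggested Fix and Verification lists ask for, added here as an example and not taken from the project's code: the version gate runs before shape validation, and every failure names the JSON path. It uses a dependency-free validator as a stand-in for the proposed Zod schemas so it runs on its own; the `phase`, `role` and `content` fields and the `context` nesting are hypothetical, since the issue names only `version` and `conversationHistory`.

```typescript
// Added example: dependency-free stand-in for the proposed Zod schemas.
// `phase`, `role`, `content` and the `context` nesting are hypothetical.
const CHECKPOINT_VERSION = 1;

interface Turn { role: string; content: string }
interface Checkpoint {
  version: 1;
  phase: string;
  context: { conversationHistory: Turn[] };
}

// Build an error that names the JSON path that failed validation.
function shapeError(path: string, expected: string, got: unknown): Error {
  const actual = got === null ? "null" : Array.isArray(got) ? "array" : typeof got;
  return new Error(`invalid checkpoint at ${path}: expected ${expected}, got ${actual}`);
}

function asObject(v: unknown, path: string): Record<string, unknown> {
  if (typeof v !== "object" || v === null || Array.isArray(v)) throw shapeError(path, "object", v);
  return v as Record<string, unknown>;
}

function asString(v: unknown, path: string): string {
  if (typeof v !== "string") throw shapeError(path, "string", v);
  return v;
}

function loadCheckpoint(json: string): Checkpoint {
  let raw: unknown;
  try {
    raw = JSON.parse(json);
  } catch (e) {
    throw new Error(`checkpoint is not valid JSON: ${(e as Error).message}`);
  }
  const root = asObject(raw, "$");
  // Version gate runs before shape checks, so an old file gets an upgrade
  // message instead of a field error. Assumption: v0 files have no `version`.
  if (root.version !== CHECKPOINT_VERSION) {
    const found = root.version === undefined ? "none (v0)" : JSON.stringify(root.version);
    throw new Error(`incompatible checkpoint version: found ${found}, expected ${CHECKPOINT_VERSION}`);
  }
  const ctx = asObject(root.context, "$.context");
  const historyPath = "$.context.conversationHistory";
  const history = ctx.conversationHistory;
  if (!Array.isArray(history)) throw shapeError(historyPath, "array", history);
  const conversationHistory = history.map((turn: unknown, i: number): Turn => {
    const t = asObject(turn, `${historyPath}[${i}]`);
    return { role: asString(t.role, `${historyPath}[${i}].role`), content: asString(t.content, `${historyPath}[${i}].content`) };
  });
  return { version: 1, phase: asString(root.phase, "$.phase"), context: { conversationHistory } };
}
```

With Zod, the same ordering can be kept by checking `version` on the parsed JSON before calling the schema's `parse`, so a version-drifted file is reported as such and not as a list of shape issues.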
