From 00d5a8cd58263f309ef9b400a2c75db4622ebc10 Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Mon, 6 Apr 2026 17:51:07 -0700
Subject: [PATCH] fix(spa): replace double JSON.parse with valibot validation in helpers.ts (#3210)

Fixes #3203

Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5
---
 .claude/skills/setup-spa/helpers.ts | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/.claude/skills/setup-spa/helpers.ts b/.claude/skills/setup-spa/helpers.ts
index a2cf6fae..b577c4c0 100644
--- a/.claude/skills/setup-spa/helpers.ts
+++ b/.claude/skills/setup-spa/helpers.ts
@@ -54,6 +54,20 @@ interface RawThread {
 pr_urls: string | null;
 }
 
+const PrUrlsSchema = v.array(v.string());
+
+function parsePrUrls(raw: string | null): string[] | undefined {
+ if (!raw) return undefined;
+ let parsed: unknown;
+ try {
+ parsed = JSON.parse(raw);
+ } catch {
+ return undefined;
+ }
+ const result = v.safeParse(PrUrlsSchema, parsed);
+ return result.success ? result.output : undefined;
+}
+
 function rowToThread(r: RawThread): ThreadRow {
 return {
 channel: r.channel,
@@ -62,11 +76,7 @@ function rowToThread(r: RawThread): ThreadRow {
 createdAt: r.created_at,
 userId: r.user_id ?? undefined,
 lastActivityAt: r.last_activity_at ?? undefined,
- prUrls: r.pr_urls
- ? Array.isArray(JSON.parse(r.pr_urls))
- ? JSON.parse(r.pr_urls).filter(isString)
- : undefined
- : undefined,
+ prUrls: parsePrUrls(r.pr_urls),
 };
 }
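Review bot: `PrUrlsSchema` only checks that the column holds an array of strings, so any string stored in `pr_urls`, not just a pull-request URL, passes validation and reaches `ThreadRow.prUrls`. If those values are later rendered as links or fetched (not visible in this hunk), constrain each element in the schema, for example `v.array(v.pipe(v.string(), v.url(), v.startsWith("https://")))`, assuming the installed valibot version provides `v.pipe`. `parsePrUrls` also returns `undefined` for a NULL column, malformed JSON and a schema failure alike, without logging, so a corrupted row cannot be told apart from an empty one. A doc comment such as `/** Parses the pr_urls JSON column; returns undefined when it is NULL, not valid JSON, or not an array of strings. */` would make that contract explicit.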
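Review bot: Switching the `prUrls` field to `parsePrUrls(r.pr_urls)` changes how a mixed array is handled, and the commit message does not mention it. The removed code kept the string elements through `.filter(isString)`, whereas `v.array(v.string())` fails the whole array, so one non-string entry now leaves `prUrls` as `undefined` for that thread. If dropping the entire list is intended, record it at the call site, e.g. `// parsePrUrls rejects the whole list if any element is not a string`; otherwise validate with `v.array(v.unknown())` and filter the strings afterwards. It is also worth checking whether `isString` is still used elsewhere in helpers.ts, since its definition or import lies outside this hunk. `rowToThread` begins in the previous hunk and two of its lines are not shown.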