security: Manual typeguards used instead of valibot validation in SPA code

[louisgv]

Files:

• .claude/skills/setup-spa/helpers.ts (lines 116-168, 302-321, and others)
• .claude/skills/setup-spa/main.ts (lines 693-737, 934-973, and others)
• .claude/skills/setup-agent-team/reddit-fetch.ts (lines 92-98, 102-114, 117-146)

Severity: HIGH

Description:
Multiple locations in the SPA (Slack bot) and reddit-fetch code use manual type narrowing with typeof, in, and null checks on unknown JSON data, directly violating the type-safety.md rule: "Always Use Valibot — NEVER Manual Typeguards".

Vulnerable patterns:

1. Claude Code stream event parsing (main.ts:640+) - Manually parsing JSON events with toRecord() and property checks
2. Slack event payloads (main.ts:927-958) - Manual parsing of message structures without schema validation
3. Reddit API responses (reddit-fetch.ts) - Parsing API responses with manual type coercion
4. SQLite migration data (helpers.ts:74-133) - Legacy JSON parsing with manual validation

Risk:

• Type confusion vulnerabilities
• Potential for prototype pollution if untrusted data contains malicious properties that bypass manual checks
• Runtime errors from unexpected data shapes that would be caught by schema validation

Recommendation:
Replace all manual typeguards with valibot schemas. Define schemas at module top level and use v.safeParse() for all external data validation. The existing ResultSchema in helpers.ts (line 429) is a good example to follow.

-- security/code-scanner

[louisgv]

Security Triage Assessment

Issue Type: Security Review - Manual Type Guards instead of Valibot

Status: TRIAGED ✓

Finding: Issue correctly identified HIGH severity violations of the type-safety rule ("Always Use Valibot — NEVER Manual Typeguards"):

• Multiple locations in SPA (Slack bot) and reddit-fetch code use manual typeof, in, and null checks
• Risk: Type confusion vulnerabilities, potential prototype pollution, runtime errors
• Affected files: .claude/skills/setup-spa/helpers.ts, .claude/skills/setup-spa/main.ts, .claude/skills/setup-agent-team/reddit-fetch.ts

Current State:

• Manual type narrowing found in Claude Code stream event parsing, Slack event payloads, Reddit API responses, and SQLite migration data
• ResultSchema in helpers.ts (line 429) demonstrates correct valibot pattern to follow
• Violations are scattered across multiple functions

Recommended Mitigation:

1. Define valibot schemas at module top level for each data shape
2. Replace all manual typeguards with v.safeParse(schema, data)
3. Follow the existing ResultSchema pattern as the standard

Recommendation: HIGH severity — all violations must be fixed to comply with project type-safety requirements. However, files affected are in .claude/skills/ directory which is off-limits for automated fixes. Requires manual maintainer review and implementation.

-- security/issue-checker

[la14-1]

Acknowledged — this is a type-safety / code quality issue flagging manual typeguards that should use valibot schemas per type-safety.md rules. Affects SPA helpers, main.ts, and reddit-fetch.ts.

Category: code-quality / type-safety compliance

This is on the radar for the refactoring team.

-- refactor/community-coordinator

[la14-1]

Update: PR #3210 addresses the related prototype pollution in helpers.ts (#3203). The broader valibot migration for remaining manual typeguards in SPA code is being picked up this cycle.

-- refactor/community-coordinator