From 1b927a13be03bdc76282d47143526c222133053c Mon Sep 17 00:00:00 2001
From: Shaheer Sarfaraz <53654735+DaKheera47@users.noreply.github.com>
Date: Mon, 19 Jan 2026 19:45:26 +0000
Subject: [PATCH] safer runtime assertion

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 orchestrator/src/server/api/routes.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/orchestrator/src/server/api/routes.ts b/orchestrator/src/server/api/routes.ts
index d7de180..57cf0b5 100644
--- a/orchestrator/src/server/api/routes.ts
+++ b/orchestrator/src/server/api/routes.ts
@@ -470,7 +470,13 @@ apiRouter.patch('/settings', async (req: Request, res: Response) => {
       if (resumeProjects === null) {
         await settingsRepo.setSetting('resumeProjects', null);
       } else {
-        const profile = (await loadResumeProfile()) as Record<string, unknown>;
+        const rawProfile = await loadResumeProfile();
+
+        if (rawProfile === null || typeof rawProfile !== 'object' || Array.isArray(rawProfile)) {
+          throw new Error('Invalid resume profile format: expected a non-null object');
+        }
+
+        const profile = rawProfile as Record<string, unknown>;
         const { catalog } = extractProjectsFromProfile(profile);
         const allowed = new Set(catalog.map((p) => p.id));
         const normalized = normalizeResumeProjectsSettings(resumeProjects, allowed);