From cdf395cc019c5252b0bcd8cd9c583489e0e62e18 Mon Sep 17 00:00:00 2001
From: Shaheer Sarfaraz <53654735+DaKheera47@users.noreply.github.com>
Date: Mon, 19 Jan 2026 19:44:53 +0000
Subject: [PATCH 1/3] ensure links are urls
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 orchestrator/src/server/api/routes.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/orchestrator/src/server/api/routes.ts b/orchestrator/src/server/api/routes.ts
index e1107ef..fb4dad0 100644
--- a/orchestrator/src/server/api/routes.ts
+++ b/orchestrator/src/server/api/routes.ts
@@ -761,8 +761,8 @@ const manualJobImportSchema = z.object({
 job: z.object({
 title: z.string().trim().min(1).max(500),
 employer: z.string().trim().min(1).max(500),
- jobUrl: z.string().trim().max(2000).optional(),
- applicationLink: z.string().trim().max(2000).optional(),
+ jobUrl: z.string().trim().url().max(2000).optional(),
+ applicationLink: z.string().trim().url().max(2000).optional(),
 location: z.string().trim().max(200).optional(),
 salary: z.string().trim().max(200).optional(),
 deadline: z.string().trim().max(100).optional(),
From 5bd57c1b9ff82b09c9b6bcd75b34df6a79940c7f Mon Sep 17 00:00:00 2001
From: Shaheer Sarfaraz <53654735+DaKheera47@users.noreply.github.com>
Date: Mon, 19 Jan 2026 19:45:15 +0000
Subject: [PATCH 2/3] better runtime assertion
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 orchestrator/src/server/api/routes.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/orchestrator/src/server/api/routes.ts b/orchestrator/src/server/api/routes.ts
index fb4dad0..d7de180 100644
--- a/orchestrator/src/server/api/routes.ts
+++ b/orchestrator/src/server/api/routes.ts
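Review bot: In the `manualJobImportSchema` hunk of PATCH 1/3, `.url()` on `jobUrl` and `applicationLink` only checks that the string parses as a URL, so values with schemes such as `javascript:`, `data:` or `file:` still pass validation. If these fields are later rendered as link targets or fetched by the server (neither is visible in this hunk), the scheme should be pinned in the schema as well, e.g. `z.string().trim().url().regex(/^https?:\/\//i, 'must be an http(s) URL').max(2000).optional()` on both fields. Separately, an empty string, which the old schema accepted after `.trim()`, is now rejected, so a client that sends `''` for an absent link will start failing validation; a short comment on the two fields saying that absent links must be omitted rather than sent empty would make that intentional.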
@@ -842,7 +842,11 @@ apiRouter.post('/manual-jobs/import', async (req: Request, res: Response) => {
 // Score asynchronously so the import returns immediately.
 (async () => {
 try {
- const profile = (await loadResumeProfile()) as Record;
+ const rawProfile = await loadResumeProfile();
+ if (!rawProfile || typeof rawProfile !== 'object' || Array.isArray(rawProfile)) {
+ throw new Error('Invalid resume profile format');
+ }
+ const profile = rawProfile as Record;
 const { score, reason } = await scoreJobSuitability(createdJob, profile);
 await jobsRepo.updateJob(createdJob.id, {
 suitabilityScore: score,
From 1b927a13be03bdc76282d47143526c222133053c Mon Sep 17 00:00:00 2001
From: Shaheer Sarfaraz <53654735+DaKheera47@users.noreply.github.com>
Date: Mon, 19 Jan 2026 19:45:26 +0000
Subject: [PATCH 3/3] safer runtime assertion
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 orchestrator/src/server/api/routes.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/orchestrator/src/server/api/routes.ts b/orchestrator/src/server/api/routes.ts
index d7de180..57cf0b5 100644
--- a/orchestrator/src/server/api/routes.ts
+++ b/orchestrator/src/server/api/routes.ts
@@ -470,7 +470,13 @@ apiRouter.patch('/settings', async (req: Request, res: Response) => {
 if (resumeProjects === null) {
 await settingsRepo.setSetting('resumeProjects', null);
 } else {
- const profile = (await loadResumeProfile()) as Record;
+ const rawProfile = await loadResumeProfile();
+
+ if (rawProfile === null || typeof rawProfile !== 'object' || Array.isArray(rawProfile)) {
+ throw new Error('Invalid resume profile format: expected a non-null object');
+ }
+
+ const profile = rawProfile as Record;
 const { catalog } = extractProjectsFromProfile(profile);
 const allowed = new Set(catalog.map((p) => p.id));
 const normalized = normalizeResumeProjectsSettings(resumeProjects, allowed);
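Review bot: The guard added in the `/manual-jobs/import` hunk of PATCH 2/3 and the one added in the `/settings` hunk of PATCH 3/3 are the same check written two ways (`!rawProfile` here, `rawProfile === null` there) and they throw two different messages. Both reject the same values, because the `typeof rawProfile !== 'object'` test already excludes `undefined` and every primitive, so one spelling and one message should be used at both sites, e.g. `if (rawProfile === null || typeof rawProfile !== 'object' || Array.isArray(rawProfile))`. Hoisting the check into a single helper beside `loadResumeProfile` would keep the two call sites from drifting and would let the trailing `as` cast be dropped in favour of a narrowed type. The `try` that this throw sits in closes outside the hunk, so how the failure is reported for the background scoring task is not visible here.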
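Review bot: The new `throw new Error('Invalid resume profile format: expected a non-null object')` in the `/settings` hunk of PATCH 3/3 runs on the request path of an `async` handler, and no `try`/`catch` is visible around it in this hunk; the handler starts and ends outside the hunk. If there is no enclosing catch, the rejection may never be turned into an HTTP response (presumably this is an Express router, where older versions do not forward rejections from async handlers), leaving the PATCH request without a reply. A malformed stored profile is a server-side condition rather than bad client input, so it should end in an explicit 5xx in whatever error shape the route already uses, with the detailed message going to the server log rather than the response body. A one-line comment above the guard, such as `// loadResumeProfile() returns unvalidated data; reject anything that is not a plain object before use`, would also record why the check exists.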