fix(core): typesVersions entry for v3/chat-client + inline CodeQL guards

ericallam · ericallam · commit b8b1b8aaa257 · 2026-04-30T21:34:51.000+01:00
- typesVersions: add `v3/chat-client` mapping. The export was declared in
  `tshy.exports` and the conditional export block but missing from
  `typesVersions` — `attw --pack` flagged "@trigger.dev/core/v3/chat-client"
  as `node10: 💀 Resolution failed`.
- chat.store JSON Patch: add an `assertSafeKey` guard at the assignment
  sites in `removeAt` / `insertAt`. parseJsonPointer already rejects
  `__proto__` / `constructor` / `prototype`, but CodeQL's prototype-pollution
  analysis doesn't trace through the parser boundary — the local check at
  the assignment keeps the static analysis happy and is also a real
  defense-in-depth backstop against any future caller that bypasses
  parseJsonPointer.
diff --git a/packages/core/package.json b/packages/core/package.json
@@ -89,6 +89,9 @@
       "v3/errors": [
         "dist/commonjs/v3/errors.d.ts"
       ],
+      "v3/chat-client": [
+        "dist/commonjs/v3/chat-client.d.ts"
+      ],
       "v3/logger-api": [
         "dist/commonjs/v3/logger-api.d.ts"
       ],
diff --git a/packages/core/src/v3/chat-client.ts b/packages/core/src/v3/chat-client.ts
@@ -113,10 +113,21 @@ function readPointer(doc: unknown, tokens: string[]): unknown {
   return cursor;
 }
 
+// Defense-in-depth: parseJsonPointer already rejects these segments, but
+// CodeQL's prototype-pollution analysis doesn't trace through that boundary.
+// The local check at the assignment site keeps the static analysis happy and
+// guards against any future caller that bypasses parseJsonPointer.
+function assertSafeKey(token: string): void {
+  if (FORBIDDEN_POINTER_SEGMENTS.has(token)) {
+    throw new Error(`Refusing to mutate forbidden key "${token}"`);
+  }
+}
+
 function removeAt(parent: any, lastToken: string): void {
   if (Array.isArray(parent)) {
     parent.splice(Number(lastToken), 1);
   } else if (parent && typeof parent === "object") {
+    assertSafeKey(lastToken);
     delete parent[lastToken];
   } else {
     throw new Error("Cannot remove: parent is not a container");
@@ -129,6 +140,7 @@ function insertAt(parent: any, lastToken: string, value: unknown, op: "add" | "r
     if (op === "add") parent.splice(idx, 0, value);
     else parent[idx] = value;
   } else if (parent && typeof parent === "object") {
+    assertSafeKey(lastToken);
     parent[lastToken] = value;
   } else {
     throw new Error("Cannot insert: parent is not a container");
