fix: use zod for safety check result validation (#15026)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-03-10 22:21:22 -07:00 · 2025-12-14 19:54:28 -08:00
parent 57c7b9ccce
commit fc2a5a42ce
1 changed files with 19 additions and 11 deletions
--- a/packages/core/src/safety/checker-runner.ts
+++ b/packages/core/src/safety/checker-runner.ts
@@ -15,6 +15,23 @@ import type { SafetyCheckInput, SafetyCheckResult } from './protocol.js';
 import { SafetyCheckDecision } from './protocol.js';
 import type { CheckerRegistry } from './registry.js';
 import type { ContextBuilder } from './context-builder.js';
+import { z } from 'zod';
+
+const SafetyCheckResultSchema: z.ZodType<SafetyCheckResult> =
+  z.discriminatedUnion('decision', [
+    z.object({
+      decision: z.literal(SafetyCheckDecision.ALLOW),
+      reason: z.string().optional(),
+    }),
+    z.object({
+      decision: z.literal(SafetyCheckDecision.DENY),
+      reason: z.string().min(1),
+    }),
+    z.object({
+      decision: z.literal(SafetyCheckDecision.ASK_USER),
+      reason: z.string().min(1),
+    }),
+  ]);

 /**
 * Configuration for the checker runner.
@@ -212,17 +229,8 @@ export class CheckerRunner {

        // Try to parse the output
        try {
-          const result: SafetyCheckResult = JSON.parse(stdout);
-
-          // Validate the result structure
-          if (
-            !result.decision ||
-            !Object.values(SafetyCheckDecision).includes(result.decision)
-          ) {
-            throw new Error(
-              'Invalid result: missing or invalid "decision" field',
-            );
-          }
+          const rawResult = JSON.parse(stdout);
+          const result = SafetyCheckResultSchema.parse(rawResult);

          resolve(result);
        } catch (parseError) {