fix(webapp): validate buffered redirect snapshot with a Zod schema

Replaces the ad-hoc \`as Record<string, unknown>\` + \`typeof ===
"string"\` checks in \`findBufferedRunRedirectInfo\` with a Zod
\`safeParse\` against a schema for the subset of fields the redirect
needs (envSlug / projectSlug / orgSlug / optional spanId). Wrong-typed
or missing fields now collapse into a single parse-fail branch that
logs the structured issue list and returns null.

Adds a regression test for the structural-vs-typeof distinction:
\`environment.slug: 42\` (number) is now rejected, where the previous
\`typeof slug === "string"\` chain would silently accept any string-
typed value but had no defence against shape drift in other fields.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: d-cs

apps/webapp/app/v3/mollifier/syntheticRedirectInfo.server.ts

@@ -1,9 +1,25 @@
 import { deserialiseSnapshot, type MollifierBuffer } from "@trigger.dev/redis-worker";
 import type { PrismaClientOrTransaction } from "@trigger.dev/database";
+import { z } from "zod";
 import { prisma } from "~/db.server";
 import { logger } from "~/services/logger.server";
 import { getMollifierBuffer } from "./mollifierBuffer.server";
 
+// Validated subset of a mollifier snapshot — just the fields needed to
+// rebuild a canonical run-detail URL for a buffered run. Anything else
+// in the payload is ignored. `safeParse` against this schema replaces
+// the ad-hoc `as Record<string, unknown>` + `typeof === "string"` checks
+// that the redirect path used to do by hand; missing or wrong-typed
+// fields collapse into a single `parsed.success === false` branch.
+const BufferedSnapshotSchema = z.object({
+  spanId: z.string().optional(),
+  environment: z.object({
+    slug: z.string(),
+    project: z.object({ slug: z.string() }),
+    organization: z.object({ slug: z.string() }),
+  }),
+});
+
 export type BufferedRunRedirectInfo = {
   organizationSlug: string;
   projectSlug: string;
@@ -60,9 +76,9 @@ export async function findBufferedRunRedirectInfo(
     if (!member) return null;
   }
 
-  let snapshot: Record<string, unknown>;
+  let raw: unknown;
   try {
-    snapshot = deserialiseSnapshot(entry.payload) as Record<string, unknown>;
+    raw = deserialiseSnapshot(entry.payload);
   } catch (err) {
     logger.warn("buffered redirect: snapshot deserialise failed", {
       runFriendlyId: args.runFriendlyId,
@@ -71,22 +87,26 @@ export async function findBufferedRunRedirectInfo(
     return null;
   }
 
-  const environment = snapshot.environment as Record<string, unknown> | undefined;
-  if (!environment || typeof environment !== "object") return null;
-  const project = environment.project as Record<string, unknown> | undefined;
-  const organization = environment.organization as Record<string, unknown> | undefined;
-
-  const envSlug = environment.slug;
-  const projectSlug = project?.slug;
-  const orgSlug = organization?.slug;
-  if (typeof envSlug !== "string" || typeof projectSlug !== "string" || typeof orgSlug !== "string") {
+  const parsed = BufferedSnapshotSchema.safeParse(raw);
+  if (!parsed.success) {
+    // Either the snapshot is from a different writer that doesn't carry
+    // environment slugs (in which case we genuinely can't build a URL)
+    // or a buffer-format drift snuck through. Log at debug; the caller
+    // 404s and the user sees the standard not-found page, not a 500.
+    logger.debug("buffered redirect: snapshot shape mismatch", {
+      runFriendlyId: args.runFriendlyId,
+      issues: parsed.error.issues.map((issue) => ({
+        path: issue.path.join("."),
+        code: issue.code,
+      })),
+    });
     return null;
   }
 
   return {
-    organizationSlug: orgSlug,
-    projectSlug,
-    environmentSlug: envSlug,
-    spanId: typeof snapshot.spanId === "string" ? snapshot.spanId : undefined,
+    organizationSlug: parsed.data.environment.organization.slug,
+    projectSlug: parsed.data.environment.project.slug,
+    environmentSlug: parsed.data.environment.slug,
+    spanId: parsed.data.spanId,
   };
 }

apps/webapp/test/mollifierSyntheticRedirectInfo.test.ts

@@ -159,4 +159,39 @@ describe("findBufferedRunRedirectInfo (testcontainers)", () => {
       await buffer.close();
     }
   });
+
+  redisTest(
+    "rejects snapshots where a slug is the wrong type (Zod guard, not just typeof)",
+    async ({ redisOptions }) => {
+      // Regression for the pre-Zod implementation: the slug check was
+      // `typeof slug !== "string"` so any string passed, including ones
+      // that should've been rejected on shape grounds. The Zod schema
+      // gives us full structural validation — a `slug: 42` (number)
+      // collapses into the parse-fail branch like any other shape
+      // mismatch and we return null instead of leaking a half-built
+      // redirect URL.
+      const buffer = new MollifierBuffer({ redisOptions });
+      try {
+        await buffer.accept({
+          runId: "run_real_7",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: JSON.stringify({
+            environment: {
+              slug: 42,
+              project: { slug: "p" },
+              organization: { slug: "o" },
+            },
+          }),
+        });
+        const info = await findBufferedRunRedirectInfo(
+          { runFriendlyId: "run_real_7", userId: "user_1" },
+          { getBuffer: () => buffer, prismaClient: fakePrisma({ id: "member_1" }) },
+        );
+        expect(info).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
 });