Summary
runCartsDepAdd in cmd/ox/carts.go (~line 429-430) reads the --type flag and passes it directly to store.AddDep() without validating against carts.DependencyType.IsValid(). Invalid dependency types are stored in the database unchecked.
Suggested fix
depType, _ := cmd.Flags().GetString("type")
depTypeEnum := carts.DependencyType(depType)
if !depTypeEnum.IsValid() {
	return fmt.Errorf("invalid dependency type: %s", depType)
}
if err := store.AddDep(cmd.Context(), args[0], args[1], depTypeEnum); err != nil {
	return err
}
Context
Originally flagged by CodeRabbit as a 🟠 Major finding on #500. That PR is a team-timezone revert and does not touch cmd/ox/carts.go — CodeRabbit surfaced the issue via the regenerated docs/reference/carts/dep/add.mdx in the diff. Filing here so the carts validation fix can land in its own PR with proper test coverage.
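A self-contained sketch of the validate-before-store behaviour and the kind of check a test for it would make. This is an added example, not code from the ox repository: the `DependencyType` values, `memStore`, `addDep` and `ErrInvalidDepType` are hypothetical stand-ins for the real `carts` types and store.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DependencyType stands in for carts.DependencyType; the values are constructed for this example.
type DependencyType string

const (
	DepBlocks  DependencyType = "blocks"
	DepRelated DependencyType = "related"
)

// ErrInvalidDepType lets callers and tests match the rejection with errors.Is.
var ErrInvalidDepType = errors.New("invalid dependency type")

// IsValid accepts only the declared constants (exact, case-sensitive match).
func (t DependencyType) IsValid() bool {
	switch t {
	case DepBlocks, DepRelated:
		return true
	}
	return false
}

// memStore is a hypothetical in-memory store that records every row it persists.
type memStore struct{ rows []string }

func (s *memStore) AddDep(from, to string, t DependencyType) error {
	s.rows = append(s.rows, from+"->"+to+":"+string(t))
	return nil
}

// addDep validates the raw flag value first and persists only a valid type.
// %q quotes the rejected input so empty or odd values are visible in the error.
func addDep(s *memStore, from, to, rawType string) error {
	t := DependencyType(rawType)
	if !t.IsValid() {
		return fmt.Errorf("%w: %q", ErrInvalidDepType, rawType)
	}
	return s.AddDep(from, to, t)
}

func main() {
	s := &memStore{}
	for _, raw := range []string{"blocks", "Blocks", "", "bogus"} { // constructed inputs
		fmt.Printf("%q -> err=%v\n", raw, addDep(s, "a", "b", raw))
	}
	fmt.Println("stored:", strings.Join(s.rows, ", "))
}
```

Only the first input reaches the store; the other three are rejected before `AddDep` is called.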