feat(billingtype): reject non-finite btHourlyRate at the schema layer#206
Merged
CryptoJones merged 1 commit intoMay 19, 2026
Merged
Conversation
`btHourlyRate` was typed `z.coerce.number().nonnegative()`. `.nonnegative()` correctly blocks negative rates (a -\$50/hr rate is operator error), but it does NOT block `Infinity` — `Infinity >= 0` is `true` so the refinement lets it through. The coerce path also turns the string `"Infinity"` into the float, so a client without an Infinity literal in JSON can still land `inf` in the underlying DOUBLE column. An `inf` in `btHourlyRate` silently contaminates every downstream total: invoice line totals, time-entry rate math, billing reports, anything that multiplies hours by this rate. The arithmetic doesn't fail — it just yields `inf` (or `NaN` from `0 * inf`) in the result. Fix: chain `.finite()` ahead of `.nonnegative()` in a shared `btHourlyRateField` validator. Mirrors `cpayAmountField` (#172), `injbAmountField` (#180), `polPriceField` (#194). Zero remains a valid rate (pro-bono engagements, internal-only billing entries). Pinned in `tests/api/billingtype.test.js` with 4 new tests: - POST non-finite → 400 - POST negative → 400 (existing nonnegative gate, pinned so a refactor can't accidentally relax it) - POST zero → not 400 (preserves pro-bono use case) - PATCH non-finite → 400 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2 tasks
CryptoJones
added a commit
that referenced
this pull request
May 19, 2026
…212) `invitQty` was typed `z.coerce.number()`, which accepts the infinities and the coerce path turns the string `"Infinity"` into the float. An `inf` qty in the DOUBLE column silently corrupts every downstream consumer that does arithmetic against it — PO line receiving, inventory-transaction net-position rollups, valuation reports. Pin `.finite()` at the boundary via a shared `invitQtyField`. Zero and negatives remain valid: a 0 on-hand qty for an out-of-stock item is legitimate, and negative qtys cover backorders and historical reconciliation entries that some accounting flows allow. Mirrors polQtyField / polPriceField (#194) and btHourlyRateField (#206). Pinned in `tests/api/inventoryitem.test.js` with 4 new tests: non-finite rejection (POST + PATCH), zero accepted, negative accepted. Co-authored-by: Aaron K. Clark <akclark@thenetwerk.net> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #205.
Summary
btHourlyRatewasz.coerce.number().nonnegative()..nonnegative()blocks negative rates but notInfinity(Infinity >= 0 is true)."Infinity"from JSON coerces past the gate, landsinfin the DOUBLE column, contaminates downstream totals.Chain
.finite()ahead of.nonnegative()in a sharedbtHourlyRateField. MirrorscpayAmountField(#172),injbAmountField(#180),polPriceField(#194). Zero still valid (pro-bono engagements).Test plan
npm run lintcleannpm test— 652 → 656 (+4 tests covering finite/negative/zero/PATCH)Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/