chore: security, performance, and dependency sweep#411
Merged
Conversation
Migrate all 9 packages from Zod 3.22.x to Zod 4.3.6. This is a
breaking change for downstream TypeScript consumers who compile
against exported @peac/schema types (z.infer<> types are not
assignment-compatible across Zod majors).
Schema changes:
- z.record() single-arg form removed in Zod 4: add explicit
z.string() key schema in 5 locations (schema, control, mcp-server)
- .default({}) on object schemas requires output-type-compatible
values in Zod 4: use .prefault({}) for input-type defaults (policy.ts)
- ZodError.errors alias removed: use .issues in test assertions
- issue.path typed as PropertyKey[] (was (string | number)[]): add
casts at 2 call sites (protocol/issue.ts, cli/validators.ts)
No behavioral changes to schema validation, receipt issuance, or
verification. All 4138 tests pass across 167 test files.
Workspace enforcement:
- pnpm.overrides forces zod@^4.3.6 across all workspace packages
- Prevents mixed Zod 3/4 which causes runtime TypeError
- Update performance baselines with Zod 4 benchmarks (measured) - Create OWASP Top 10 for Agentic Applications alignment mapping (ASI-01 through ASI-10) - Verify audit-gate allowlist freshness (3 active entries, all within 30-day ceiling) - All 10 OWASP ASI risks mapped to specific PEAC mitigations with test file citations
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
tests/perf/baseline-results.jsonwith measured Zod 4 benchmarks (parseReceiptClaims commerce ~388K ops/sec, attestation ~792K ops/sec)docs/security/OWASP-ASI-MAPPING.mdmapping all 10 OWASP Top 10 for Agentic Applications risks (ASI-01 through ASI-10) to specific PEAC mitigations with test file citationsOWASP ASI Coverage
All 10 risks mapped to specific mitigations and test files:
Performance Baselines (Zod 4)
Test plan
pnpm auditpasses (zero high/critical unallowlisted)