From 2e02d155afd4ca971b1dae005a7df578e5317703 Mon Sep 17 00:00:00 2001
From: Marko Djordjevic <marko.homoludens@gmail.com>
Date: Wed, 18 Feb 2026 11:14:00 +0100
Subject: [PATCH] feat: add Zod schema validation to training/start route (task
 4.4)

Validates model_type as a non-empty string using .safeParse(); returns
HTTP 400 with error details on invalid input. Marks task 4.4 as done.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 openspec/changes/code-review-fix/tasks.md |  2 +-
 src/app/api/training/start/route.ts       | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/openspec/changes/code-review-fix/tasks.md b/openspec/changes/code-review-fix/tasks.md
index 93505e4..86644a9 100644
--- a/openspec/changes/code-review-fix/tasks.md
+++ b/openspec/changes/code-review-fix/tasks.md
@@ -29,7 +29,7 @@
 - [x] 4.1 `[sonnet]` Add Zod schema validation to `src/app/api/predict/route.ts` (validate pair, timeframe, candles array)
 - [x] 4.2 `[sonnet]` Add Zod schema validation to `src/app/api/predict/batch/route.ts` (validate pair, timeframe, start_date, end_date)
 - [x] 4.3 `[sonnet]` Add Zod schema validation to `src/app/api/model/load/route.ts` (validate run_id)
-- [ ] 4.4 `[sonnet]` Add Zod schema validation to `src/app/api/training/start/route.ts` (validate model_type)
+- [x] 4.4 `[sonnet]` Add Zod schema validation to `src/app/api/training/start/route.ts` (validate model_type)
 - [ ] 4.5 `[sonnet]` Add Zod schema validation to `src/app/api/patterns/detect/route.ts` (validate candles, patterns array)
 - [ ] 4.6 `[sonnet]` Replace `error.message` with generic `"Internal server error"` in all catch blocks across 7+ route files: `health/route.ts`, `candles/route.ts`, `annotations/route.ts`, `annotations/[id]/route.ts`, `upload/route.ts`, `export/route.ts`, `span-annotations/export/route.ts`
 - [ ] 4.7 `[sonnet]` Require `chartId` for bulk delete in `src/app/api/annotations/route.ts` — reject `?all=true` without chartId with HTTP 400
diff --git a/src/app/api/training/start/route.ts b/src/app/api/training/start/route.ts
index 0ed45f4..5e73b65 100644
--- a/src/app/api/training/start/route.ts
+++ b/src/app/api/training/start/route.ts
@@ -1,8 +1,13 @@
 import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
 
 const INFERENCE_API_URL = process.env.INFERENCE_API_URL || 'http://localhost:8001';
 const INFERENCE_API_TIMEOUT = parseInt(process.env.INFERENCE_API_TIMEOUT || '10000', 10);
 
+const TrainingStartRequestSchema = z.object({
+  model_type: z.string().min(1, 'model_type must be a non-empty string'),
+});
+
 export async function POST(request: NextRequest) {
   const controller = new AbortController();
   const timeoutId = setTimeout(() => controller.abort(), INFERENCE_API_TIMEOUT);
@@ -10,10 +15,21 @@ export async function POST(request: NextRequest) {
   try {
     const body = await request.json();
 
+    const result = TrainingStartRequestSchema.safeParse(body);
+    if (!result.success) {
+      clearTimeout(timeoutId);
+      return NextResponse.json(
+        { error: 'Invalid request', details: result.error.flatten() },
+        { status: 400 }
+      );
+    }
+
+    const validatedBody = result.data;
+
     const response = await fetch(`${INFERENCE_API_URL}/training/start`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json', 'X-API-Key': process.env.API_KEY || '' },
-      body: JSON.stringify(body),
+      body: JSON.stringify(validatedBody),
       signal: controller.signal,
     });
     clearTimeout(timeoutId);