From 3361236d3f487ef184fdb3636dbbea519ecec337 Mon Sep 17 00:00:00 2001
From: Marko Djordjevic <marko.homoludens@gmail.com>
Date: Wed, 18 Feb 2026 11:11:58 +0100
Subject: [PATCH] feat: add Zod schema validation to predict API route

- Add CandleSchema validating time, open, high, low, close (number) and optional volume
- Add PredictRequestSchema validating pair (non-empty string), timeframe (non-empty string), candles array
- Use safeParse() and return HTTP 400 with error details on invalid input
- Forward only validated data to the inference service
- Mark task 4.1 as done in tasks.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 openspec/changes/code-review-fix/tasks.md |  2 +-
 src/app/api/predict/route.ts              | 28 ++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/openspec/changes/code-review-fix/tasks.md b/openspec/changes/code-review-fix/tasks.md
index 86e43c4..c4b26e0 100644
--- a/openspec/changes/code-review-fix/tasks.md
+++ b/openspec/changes/code-review-fix/tasks.md
@@ -26,7 +26,7 @@
 
 ## 4. API Route Hardening (Next.js)
 
-- [ ] 4.1 `[sonnet]` Add Zod schema validation to `src/app/api/predict/route.ts` (validate pair, timeframe, candles array)
+- [x] 4.1 `[sonnet]` Add Zod schema validation to `src/app/api/predict/route.ts` (validate pair, timeframe, candles array)
 - [ ] 4.2 `[sonnet]` Add Zod schema validation to `src/app/api/predict/batch/route.ts` (validate pair, timeframe, start_date, end_date)
 - [ ] 4.3 `[sonnet]` Add Zod schema validation to `src/app/api/model/load/route.ts` (validate run_id)
 - [ ] 4.4 `[sonnet]` Add Zod schema validation to `src/app/api/training/start/route.ts` (validate model_type)
diff --git a/src/app/api/predict/route.ts b/src/app/api/predict/route.ts
index ef00249..b66be5b 100644
--- a/src/app/api/predict/route.ts
+++ b/src/app/api/predict/route.ts
@@ -1,12 +1,38 @@
 import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
 
 const INFERENCE_API_URL = process.env.INFERENCE_API_URL || 'http://localhost:8001';
 const INFERENCE_API_TIMEOUT = parseInt(process.env.INFERENCE_API_TIMEOUT || '30000', 10);
 
+const CandleSchema = z.object({
+  time: z.number(),
+  open: z.number(),
+  high: z.number(),
+  low: z.number(),
+  close: z.number(),
+  volume: z.number().optional(),
+});
+
+const PredictRequestSchema = z.object({
+  pair: z.string().min(1),
+  timeframe: z.string().min(1),
+  candles: z.array(CandleSchema),
+});
+
 export async function POST(request: NextRequest) {
   try {
     const body = await request.json();
 
+    const result = PredictRequestSchema.safeParse(body);
+    if (!result.success) {
+      return NextResponse.json(
+        { error: 'Invalid request', details: result.error.flatten() },
+        { status: 400 }
+      );
+    }
+
+    const validatedBody = result.data;
+
     // Forward request to Python inference service
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), INFERENCE_API_TIMEOUT);
@@ -18,7 +44,7 @@ export async function POST(request: NextRequest) {
           'Content-Type': 'application/json',
           'X-API-Key': process.env.API_KEY || '',
         },
-        body: JSON.stringify(body),
+        body: JSON.stringify(validatedBody),
         signal: controller.signal,
       });