Skip to content

Replace runtime Ajv with registry-derived Zod validation#53

Merged
Trailgenic merged 1 commit into
mainfrom
codex/replace-runtime-ajv-with-zod-validation
Jul 16, 2026
Merged

Replace runtime Ajv with registry-derived Zod validation#53
Trailgenic merged 1 commit into
mainfrom
codex/replace-runtime-ajv-with-zod-validation

Conversation

@Trailgenic

Copy link
Copy Markdown
Owner

Motivation

  • Remove runtime reliance on Ajv-generated validator functions (which use runtime codegen incompatible with Cloudflare Workers) and use the registry-derived Zod conversion as the single validation path.
  • Ensure the same schema object is used for both server.registerTool and the handler-boundary check so there is no divergence between declared and enforced schemas.
  • Make schema conversion fail loudly during build/test for unsupported JSON Schema keywords to avoid silent weakening of validation.

Description

  • Deleted the Ajv import and the module-scope Ajv instance and validators map, and replaced runtime validation with registry-derived Zod schemas stored in toolSchemas used by both server.registerTool(inputSchema) and handler validation. (file: lib/mcp-server.js)
  • Implemented zodObjectFromJsonSchema/zodForProperty conversions with support for enum, type variants (string, number, integer, boolean, object, array), numeric/string/array bounds (minimum/maximum/exclusiveMinimum/exclusiveMaximum, minLength/maxLength, pattern, minItems/maxItems), and additionalProperties:false -> .strict(). (file: lib/mcp-server.js)
  • Added assertSupportedSchema that throws on any unrecognized JSON Schema keyword so unsupported features fail loudly at build/test time. (file: lib/mcp-server.js)
  • At the handler boundary, arguments are validated with the generated Zod schema via safeParse, and on failure the existing errorResult shape is returned with the preserved message "Invalid tool arguments." plus readable Zod issue details. (file: lib/mcp-server.js)
  • Added a small shim server.validateToolInput = async (_tool, args) => args; so the SDK internal input-path does not preempt the handler-boundary corrective isError shape expected by tests and consumers. (file: lib/mcp-server.js)
  • Removed ajv from dependencies and regenerated the lockfile, and bumped package/BUILD patch version from 1.4.1 to 1.4.2. (files: package.json, package-lock.json, lib/registry.js)
  • Updated tests to assert fixture/tool parity and explicit Zod-path invalid argument behavior and to assert no Ajv import remains in Worker runtime code. (files: tests/worker.vitest.mjs, tests/registry.test.mjs)
  • Single commit created with the required commit message: Replace runtime Ajv with registry-derived Zod validation affecting lib/mcp-server.js, lib/registry.js, package.json, package-lock.json, tests/worker.vitest.mjs, and tests/registry.test.mjs.

Testing

  • Ran npm ci and npm run lint and both completed successfully; lint checks on the modified files passed.
  • Ran npm test (node test suite) and npm run test:workers (Vitest workerd suite) and all tests passed locally after the change.
  • Ran npm run validate:json, npm run validate:registry, and npm run wrangler:dry-run and each command succeeded locally.
  • Note: pushing this branch to the remote failed from this environment because no origin remote is configured (fatal: 'origin' does not appear to be a git repository), so GitHub Actions CI could not be polled from this checkout and external push/CI verification remains required.

Codex Task

@vercel

vercel Bot commented Jul 16, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
workers Building Building Preview Jul 16, 2026 1:20am

Request Review

@Trailgenic
Trailgenic merged commit 0b6abc9 into main Jul 16, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant