fix: narrow valid package types and harden snapshot upload

- Remove mas, pip, gem, cargo, go from validTypes — only formula, cask,
  tap, npm are supported by both CLI and dashboard
- Add Content-Length pre-check (413) before parsing snapshot body
- Keep post-parse fallback check for spoofed Content-Length
- Add regression test asserting removed types are rejected
- Update JSDoc to match new allowlist

Author: fullstackjam

src/lib/server/validation.test.ts

@@ -292,9 +292,8 @@ describe('validatePackages', () => {
 		expect(result.valid).toBe(true);
 	});
 
-	it('should accept packages with slashes (go modules, npm scopes)', () => {
+	it('should accept packages with slashes (npm scopes)', () => {
 		const packages = [
-			{ name: 'github.com/user/repo', type: 'go' },
 			{ name: '@org/package', type: 'npm' }
 		];
 		const result = validatePackages(packages);
@@ -417,7 +416,7 @@ describe('validatePackages', () => {
 	});
 
 	it('should accept all valid package types', () => {
-		const types = ['formula', 'cask', 'tap', 'mas', 'npm', 'pip', 'gem', 'cargo', 'go'];
+		const types = ['formula', 'cask', 'tap', 'npm'];
 		for (const type of types) {
 			const packages = [{ name: 'valid-package', type }];
 			const result = validatePackages(packages);
@@ -426,6 +425,14 @@ describe('validatePackages', () => {
 		}
 	});
 
+	it('should reject previously-allowed types that are no longer valid', () => {
+		for (const type of ['pip', 'gem', 'cargo', 'mas', 'go']) {
+			const result = validatePackages([{ name: 'pkg', type }]);
+			expect(result.valid).toBe(false);
+			expect(result.error).toContain('Invalid package type');
+		}
+	});
+
 	it('should reject description longer than 500 characters', () => {
 		const packages = [
 			{

src/lib/server/validation.ts

@@ -140,7 +140,7 @@ interface Package {
 
 /** Validates packages array: prevents shell injection in package names.
  *  Package names must match standard package manager formats (alphanumeric, hyphens, underscores, dots, slashes for scoped packages).
- *  Types must be: formula, cask, tap, mas, npm, pip, gem, cargo, go.
+ *  Types must be: formula, cask, tap, npm.
  *  Maximum 500 packages per config. */
 export function validatePackages(packages: unknown): ValidationResult {
 	if (!packages) {
@@ -155,7 +155,7 @@ export function validatePackages(packages: unknown): ValidationResult {
 		return { valid: false, error: 'Maximum 500 packages allowed' };
 	}
 
-	const validTypes = ['formula', 'cask', 'tap', 'mas', 'npm', 'pip', 'gem', 'cargo', 'go'];
+	const validTypes = ['formula', 'cask', 'tap', 'npm'];
 
 	for (let i = 0; i < packages.length; i++) {
 		const pkg = packages[i];

src/routes/api/configs/from-snapshot/+server.ts

@@ -16,6 +16,11 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 		return json({ error: 'Rate limit exceeded' }, { status: 429, headers: { 'Retry-After': String(Math.ceil(rl.retryAfter! / 1000)) } });
 	}
 
+	const contentLength = parseInt(request.headers.get('content-length') ?? '0', 10);
+	if (contentLength > 1_048_576) {
+		return json({ error: 'Snapshot payload too large (max 1MB)' }, { status: 413 });
+	}
+
 	let body;
 	try {
 		body = await request.json();
@@ -33,9 +38,10 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 	const validVisibilities = ['public', 'unlisted', 'private'];
 	const validVisibility = validVisibilities.includes(visibility) ? visibility : 'unlisted';
 
+	// Post-parse size check as a fallback (Content-Length can be spoofed or absent).
 	const snapshotSize = JSON.stringify(snapshot).length;
-	if (snapshotSize > 100000) {
-		return json({ error: 'Snapshot payload too large (max 100KB)' }, { status: 400 });
+	if (snapshotSize > 1_048_576) {
+		return json({ error: 'Snapshot payload too large (max 1MB)' }, { status: 413 });
 	}
 
 	const base_preset = snapshot.matched_preset || 'developer';