fix(frontend): use parsed Zod output and pin id/chainId in customEvmNetworksStore

Two defense-in-depth changes on the store's write paths:

- add and update now build the stored entry from parsed.data rather than
  the raw input/merged object. Zod strips unknown keys by default, so
  parsed.data is the canonical schema shape; the prior code left any
  caller-supplied extra properties in the in-memory state.
- update explicitly pins id and chainId to the existing entry's values
  before validation. TypeScript already excludes these from
  CustomEvmNetworkPatch, but an `as any` caller could previously sneak
  them in; the schema would not catch an id that no longer corresponds
  to its chainId.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: sbpublic

src/frontend/src/eth/stores/custom-evm-networks.store.ts

@@ -109,7 +109,7 @@ export const initCustomEvmNetworksStore = (): CustomEvmNetworksStore => {
 				if (!parsed.success) {
 					throw new Error(`Invalid custom EVM network: ${parsed.error.message}`);
 				}
-				const entry: CustomEvmNetwork = { ...input, id: toNetworkId(input.chainId) };
+				const entry: CustomEvmNetwork = { ...parsed.data, id: toNetworkId(parsed.data.chainId) };
 				const next: CustomEvmNetwork[] = [...current, entry];
 				persist(next);
 				return next;
@@ -121,13 +121,19 @@ export const initCustomEvmNetworksStore = (): CustomEvmNetworksStore => {
 				if (index === -1) {
 					throw new Error(`No custom EVM network with chainId ${chainId} exists; cannot update.`);
 				}
-				const merged: CustomEvmNetwork = { ...current[index], ...patch };
+				const existing = current[index];
+				const merged: CustomEvmNetwork = {
+					...existing,
+					...patch,
+					id: existing.id,
+					chainId: existing.chainId
+				};
 				const parsed = CustomEvmNetworkSchema.safeParse(merged);
 				if (!parsed.success) {
 					throw new Error(`Invalid custom EVM network update: ${parsed.error.message}`);
 				}
 				const next = [...current];
-				next[index] = merged;
+				next[index] = parsed.data;
 				persist(next);
 				return next;
 			});

src/frontend/src/tests/eth/stores/custom-evm-networks.store.spec.ts

@@ -190,6 +190,14 @@ describe('custom-evm-networks.store', () => {
 			expect(get(store)).toEqual([]);
 		});
 
+		it('strips unknown caller-supplied properties', () => {
+			const store = initCustomEvmNetworksStore();
+
+			store.add({ ...optimism, junk: 'ignored' } as CustomEvmNetworkInput);
+
+			expect(get(store)[0]).not.toHaveProperty('junk');
+		});
+
 		it('supports multiple distinct chains', () => {
 			const store = initCustomEvmNetworksStore();
 
@@ -224,6 +232,23 @@ describe('custom-evm-networks.store', () => {
 
 			expect(() => store.update({ chainId: 999n, patch: { name: 'x' } })).toThrow(/cannot update/);
 		});
+
+		it('preserves id and chainId even if a caller tries to override them', () => {
+			const store = initCustomEvmNetworksStore();
+			store.add(optimism);
+			const originalId = get(store)[0].id;
+
+			store.update({
+				chainId: 10n,
+				patch: { id: Symbol('hacked'), chainId: 99n, name: 'renamed' } as never
+			});
+
+			const [network] = get(store);
+
+			expect(network.id).toBe(originalId);
+			expect(network.chainId).toBe(10n);
+			expect(network.name).toBe('renamed');
+		});
 	});
 
 	describe('remove', () => {