Add defensive input validation and non-string input test for generateViolationId

Agent-Logs-Url: https://github.com/mgifford/daily-dap/sessions/9f0ef740-63b7-4d90-a93d-228cb1518e0b

Co-authored-by: mgifford <116832+mgifford@users.noreply.github.com>

Author: Copilot

src/publish/render-pages.js

@@ -36,11 +36,14 @@ function formatCompact(n) {
  * @returns {string} A short stable identifier, e.g. "DAP-a1b2c3d4"
  */
 export function generateViolationId(pageUrl, ruleId, selector = '') {
-  const normalizedUrl = pageUrl
+  const safeUrl = typeof pageUrl === 'string' ? pageUrl : '';
+  const safeRuleId = typeof ruleId === 'string' ? ruleId : '';
+  const safeSelector = typeof selector === 'string' ? selector : '';
+  const normalizedUrl = safeUrl
     .replace(/^https?:\/\//i, '')
     .replace(/\/+$/, '')
     .toLowerCase();
-  const seed = `${normalizedUrl}|${ruleId}|${selector}`;
+  const seed = `${normalizedUrl}|${safeRuleId}|${safeSelector}`;
   const hash = createHash('sha256').update(seed).digest('hex').slice(0, 8);
   return `DAP-${hash}`;
 }
@@ -1835,7 +1838,9 @@ function renderAxeFindingItems(items = [], pageUrl = '', ruleId = '') {
   return items
     .map(
       (item, index) => {
-        const elementId = pageUrl && ruleId ? generateViolationId(pageUrl, ruleId, item.selector ?? '') : '';
+        const elementId = typeof pageUrl === 'string' && pageUrl.length > 0 && typeof ruleId === 'string' && ruleId.length > 0
+          ? generateViolationId(pageUrl, ruleId, item.selector ?? '')
+          : '';
         return `
       <div class="axe-item">
         <p><strong>Element ${index + 1}</strong>${elementId ? ` <code class="violation-id" title="Stable identifier for this accessibility violation">${escapeHtml(elementId)}</code>` : ''}</p>

tests/unit/render-pages.test.js

@@ -777,6 +777,12 @@ test('generateViolationId produces finding-level ID when selector is empty', ()
   assert.match(id, /^DAP-[0-9a-f]{8}$/, 'Should be DAP- followed by 8 hex characters');
 });
 
+test('generateViolationId handles non-string inputs gracefully', () => {
+  const id = generateViolationId(null, undefined, 42);
+  assert.ok(id.startsWith('DAP-'), 'Should still return a DAP-prefixed ID with non-string inputs');
+  assert.match(id, /^DAP-[0-9a-f]{8}$/, 'Should be DAP- followed by 8 hex characters');
+});
+
 test('buildFindingCopyText includes page URL and finding details', () => {
   const pageUrl = 'https://informeddelivery.usps.com';
   const finding = {