fix(server): guard traverseContractProcedures against null/undefined exports

jameskranz · claude · jameskranz · commit bd87f7ed517c · 2026-04-08T09:54:55.000-07:00
getHiddenRouterContract reads a symbol property and throws on null or
undefined. Recursing into a child export of `null` (e.g.
`export const X = null`) crashed before any guard ran. Move the
typeof/null guard above the hidden-contract lookup, and update the test
to use a fixture containing null/undefined so the crash path is covered.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/server/src/router-utils.test.ts b/packages/server/src/router-utils.test.ts
@@ -290,18 +290,11 @@ describe('router modules that export primitives alongside procedures', () => {
   })
 
   describe('traverseContractProcedures', () => {
-    it('traverses procedures and skips primitive exports', () => {
-      // null/undefined are excluded here because getHiddenRouterContract
-      // is called before the type guard and does not handle null
-      const moduleWithStringExports = {
-        getUser: pong,
-        listUsers: pong,
-        API_VERSION: 'v2',
-        MAX_PAGE_SIZE: 100,
-        ENABLE_CACHE: true,
-      } as any
+    it('traverses procedures and skips primitive, null, and undefined exports', () => {
       const callback = vi.fn()
-      traverseContractProcedures({ router: moduleWithStringExports, path: [] }, callback)
+      expect(() =>
+        traverseContractProcedures({ router: moduleWithPrimitives, path: [] }, callback),
+      ).not.toThrow()
       expect(callback).toHaveBeenCalledTimes(2)
       expect(callback).toHaveBeenCalledWith({ contract: pong, path: ['getUser'] })
       expect(callback).toHaveBeenCalledWith({ contract: pong, path: ['listUsers'] })
diff --git a/packages/server/src/router-utils.ts b/packages/server/src/router-utils.ts
@@ -192,6 +192,13 @@ export function traverseContractProcedures(
   callback: (options: TraverseContractProcedureCallbackOptions) => void,
   lazyOptions: LazyTraverseContractProceduresOptions[] = [],
 ): LazyTraverseContractProceduresOptions[] {
+  // Guard before reading the hidden-contract symbol so that null/undefined
+  // child exports don't crash in `getHiddenRouterContract`. Primitives like
+  // strings autobox safely; only null/undefined throw on symbol access.
+  if (typeof options.router !== 'object' || options.router === null) {
+    return lazyOptions
+  }
+
   let currentRouter: AnyContractRouter | Lazyable<AnyRouter> = options.router
 
   const hiddenContract = getHiddenRouterContract(options.router)
