feat(cli): implement nested object value manipulation functions

Added `setNestedValue` and `getNestedValue` functions to safely set and retrieve values in nested objects using dot notation, while preventing prototype pollution. Updated imports in relevant files to utilize these new utility functions, removing redundant implementations.

Author: sroussey

examples/cli/src/input/prompt.ts

@@ -4,7 +4,8 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import type { DataPortSchemaObject, DataPortSchemaNonBoolean } from "@workglow/util";
+import type { DataPortSchemaNonBoolean, DataPortSchemaObject } from "@workglow/util";
+import { getNestedValue } from "../util";
 import { deepMerge } from "./resolve-input";
 
 export interface PromptFieldDescriptor {
@@ -79,11 +80,7 @@ function evaluateConditionalRequired(
         break;
       }
 
-      if (
-        typeof constraint === "object" &&
-        constraint !== null &&
-        "const" in constraint
-      ) {
+      if (typeof constraint === "object" && constraint !== null && "const" in constraint) {
         if (inputValue !== (constraint as { const: unknown }).const) {
           matches = false;
           break;
@@ -184,18 +181,6 @@ function collectMissingFields(
   }
 }
 
-function getNestedValue(obj: Record<string, unknown>, key: string): unknown {
-  const parts = key.split(".");
-  let current: unknown = obj;
-  for (const part of parts) {
-    if (current === null || current === undefined || typeof current !== "object") {
-      return undefined;
-    }
-    current = (current as Record<string, unknown>)[part];
-  }
-  return current;
-}
-
 function formatKeyAsLabel(key: string): string {
   return key
     .replace(/_/g, " ")

examples/cli/src/input/schema-flags.ts

@@ -4,7 +4,8 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import type { DataPortSchemaObject, DataPortSchemaNonBoolean } from "@workglow/util";
+import type { DataPortSchemaNonBoolean, DataPortSchemaObject } from "@workglow/util";
+import { setNestedValue } from "../util";
 
 type SchemaProperty = DataPortSchemaNonBoolean;
 
@@ -104,20 +105,6 @@ function coerceValue(
   }
 }
 
-function setNestedValue(obj: Record<string, unknown>, key: string, value: unknown): void {
-  const parts = key.split(".");
-  let current: Record<string, unknown> = obj;
-
-  for (let i = 0; i < parts.length - 1; i++) {
-    if (!(parts[i] in current) || typeof current[parts[i]] !== "object") {
-      current[parts[i]] = {};
-    }
-    current = current[parts[i]] as Record<string, unknown>;
-  }
-
-  current[parts[parts.length - 1]] = value;
-}
-
 /**
  * Parse config flags from argv based on a config schema.
  *

examples/cli/src/ui/SchemaPromptApp.tsx

@@ -4,31 +4,18 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import React, { useState, useCallback, useRef } from "react";
+import { ConfirmInput, Select, TextInput } from "@inkjs/ui";
 import { Box, Text, useInput } from "ink";
-import { TextInput, Select, ConfirmInput } from "@inkjs/ui";
+import React, { useCallback, useRef, useState } from "react";
 import type { PromptFieldDescriptor } from "../input/prompt";
+import { setNestedValue } from "../util";
 
 interface SchemaPromptAppProps {
   readonly fields: readonly PromptFieldDescriptor[];
   readonly onComplete: (values: Record<string, unknown>) => void;
   readonly onCancel: () => void;
 }
 
-function setNestedValue(obj: Record<string, unknown>, key: string, value: unknown): void {
-  const parts = key.split(".");
-  let current: Record<string, unknown> = obj;
-
-  for (let i = 0; i < parts.length - 1; i++) {
-    if (!(parts[i] in current) || typeof current[parts[i]] !== "object") {
-      current[parts[i]] = {};
-    }
-    current = current[parts[i]] as Record<string, unknown>;
-  }
-
-  current[parts[parts.length - 1]] = value;
-}
-
 function coercePromptValue(raw: string, field: PromptFieldDescriptor): unknown {
   switch (field.type) {
     case "number":
@@ -110,7 +97,11 @@ function isTextField(field: PromptFieldDescriptor): boolean {
   return field.type !== "enum" && field.type !== "boolean";
 }
 
-export function SchemaPromptApp({ fields, onComplete, onCancel }: SchemaPromptAppProps): React.ReactElement {
+export function SchemaPromptApp({
+  fields,
+  onComplete,
+  onCancel,
+}: SchemaPromptAppProps): React.ReactElement {
   const [focusedIndex, setFocusedIndex] = useState(0);
   const valuesRef = useRef<Record<string, unknown>>({});
   const rawValuesRef = useRef<Record<string, string>>({});
@@ -290,7 +281,11 @@ function FieldWidget({
   if (field.type === "enum" && field.enumValues) {
     const options = field.enumValues.map((v) => ({ label: v, value: v }));
     return (
-      <Select options={options} defaultValue={previousValue} onChange={(value) => onSubmit(value)} />
+      <Select
+        options={options}
+        defaultValue={previousValue}
+        onChange={(value) => onSubmit(value)}
+      />
     );
   }
 

examples/cli/src/util.ts

@@ -6,6 +6,48 @@
 
 import { writeFile } from "fs/promises";
 
+const PROTOTYPE_POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);
+
+/**
+ * Set a value on an object using dot-notation key (e.g. "a.b.c").
+ * Creates intermediate objects as needed. Skips keys that could cause prototype pollution.
+ */
+export function setNestedValue(obj: Record<string, unknown>, key: string, value: unknown): void {
+  const parts = key.split(".");
+  for (const part of parts) {
+    if (PROTOTYPE_POLLUTION_KEYS.has(part)) return;
+  }
+  let current: Record<string, unknown> = obj;
+
+  for (let i = 0; i < parts.length - 1; i++) {
+    if (!(parts[i] in current) || typeof current[parts[i]] !== "object") {
+      current[parts[i]] = {};
+    }
+    current = current[parts[i]] as Record<string, unknown>;
+  }
+
+  current[parts[parts.length - 1]] = value;
+}
+
+/**
+ * Get a value from an object using dot-notation key (e.g. "a.b.c").
+ * Returns undefined if any segment is missing or if the key would touch prototype-pollution-sensitive properties.
+ */
+export function getNestedValue(obj: Record<string, unknown>, key: string): unknown {
+  const parts = key.split(".");
+  for (const part of parts) {
+    if (PROTOTYPE_POLLUTION_KEYS.has(part)) return undefined;
+  }
+  let current: unknown = obj;
+  for (const part of parts) {
+    if (current === null || current === undefined || typeof current !== "object") {
+      return undefined;
+    }
+    current = (current as Record<string, unknown>)[part];
+  }
+  return current;
+}
+
 /**
  * Read all of stdin as a string.
  */

packages/storage/src/vector/PostgresVectorStorage.ts

@@ -4,13 +4,13 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+import { cosineSimilarity } from "@workglow/util";
 import type {
   DataPortSchemaObject,
   FromSchema,
   TypedArray,
   TypedArraySchemaOptions,
 } from "@workglow/util";
-import { cosineSimilarity } from "@workglow/util";
 import type { Pool } from "pg";
 import { PostgresTabularStorage } from "../tabular/PostgresTabularStorage";
 import {