Harden URL parseInt with isFinite guards

Adds parseFiniteInt() to webapp searchParams utils. parseInt() accepts
garbage-suffixed numbers and returns NaN for non-numeric input, both of
which silently nudge time-range and pagination semantics. Apply at the
agent, standard, and scheduled task landing-page loaders.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: samejr

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.agents.$agentParam/route.tsx

@@ -48,6 +48,7 @@ import {
   v3EnvironmentPath,
   v3PlaygroundAgentPath,
 } from "~/utils/pathBuilder";
+import { parseFiniteInt } from "~/utils/searchParams";
 
 export const meta: MetaFunction<typeof loader> = ({ data }) => {
   const slug = (data as { agent?: AgentDetail | null } | undefined)?.agent?.slug;
@@ -75,10 +76,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
 
   const url = new URL(request.url);
   const period = url.searchParams.get("period") ?? undefined;
-  const fromStr = url.searchParams.get("from");
-  const toStr = url.searchParams.get("to");
-  const from = fromStr ? parseInt(fromStr, 10) : undefined;
-  const to = toStr ? parseInt(toStr, 10) : undefined;
+  const from = parseFiniteInt(url.searchParams.get("from"));
+  const to = parseFiniteInt(url.searchParams.get("to"));
   const cursor = url.searchParams.get("cursor") ?? undefined;
   const directionRaw = url.searchParams.get("direction") ?? undefined;
   const direction = directionRaw ? DirectionSchema.parse(directionRaw) : undefined;

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.tasks.scheduled.$taskParam/route.tsx

@@ -83,6 +83,7 @@ import {
   v3SchedulesAddOnPath,
   v3TestTaskPath,
 } from "~/utils/pathBuilder";
+import { parseFiniteInt } from "~/utils/searchParams";
 
 export const meta: MetaFunction<typeof loader> = ({ data }) => {
   const slug = (data as { task?: TaskDetail | null } | undefined)?.task?.slug;
@@ -108,10 +109,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
 
   const url = new URL(request.url);
   const period = url.searchParams.get("period") ?? undefined;
-  const fromStr = url.searchParams.get("from");
-  const toStr = url.searchParams.get("to");
-  const from = fromStr ? parseInt(fromStr, 10) : undefined;
-  const to = toStr ? parseInt(toStr, 10) : undefined;
+  const from = parseFiniteInt(url.searchParams.get("from"));
+  const to = parseFiniteInt(url.searchParams.get("to"));
   const cursor = url.searchParams.get("cursor") ?? undefined;
   const directionRaw = url.searchParams.get("direction") ?? undefined;
   const direction = directionRaw ? DirectionSchema.parse(directionRaw) : undefined;
@@ -144,8 +143,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     })
     .catch(() => ({ data: [], statuses: [] } satisfies TaskActivity));
 
-  const pageRaw = parseInt(url.searchParams.get("page") ?? "1", 10);
-  const schedulesPage = Number.isFinite(pageRaw) && pageRaw > 0 ? pageRaw : 1;
+  const pageRaw = parseFiniteInt(url.searchParams.get("page"));
+  const schedulesPage = pageRaw !== undefined && pageRaw > 0 ? pageRaw : 1;
 
   // Resolved synchronously — the bottom usage bar reads `limits` and
   // `canPurchaseSchedules` directly from it, and the limit-exceeded

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.tasks.standard.$taskParam/route.tsx

@@ -47,6 +47,7 @@ import {
   v3QueuesPath,
   v3TestTaskPath,
 } from "~/utils/pathBuilder";
+import { parseFiniteInt } from "~/utils/searchParams";
 
 export const meta: MetaFunction<typeof loader> = ({ data }) => {
   const slug = (data as { task?: TaskDetail | null } | undefined)?.task?.slug;
@@ -70,10 +71,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
 
   const url = new URL(request.url);
   const period = url.searchParams.get("period") ?? undefined;
-  const fromStr = url.searchParams.get("from");
-  const toStr = url.searchParams.get("to");
-  const from = fromStr ? parseInt(fromStr, 10) : undefined;
-  const to = toStr ? parseInt(toStr, 10) : undefined;
+  const from = parseFiniteInt(url.searchParams.get("from"));
+  const to = parseFiniteInt(url.searchParams.get("to"));
   const cursor = url.searchParams.get("cursor") ?? undefined;
   const directionRaw = url.searchParams.get("direction") ?? undefined;
   const direction = directionRaw ? DirectionSchema.parse(directionRaw) : undefined;

apps/webapp/app/utils/searchParams.ts

@@ -18,6 +18,18 @@ export const runIdsQueryParam = z
     return [...new Set(ids)].slice(0, 100);
   });
 
+/**
+ * `parseInt` accepts garbage-suffixed numbers (`parseInt("123abc", 10) === 123`)
+ * and returns `NaN` for non-numeric input. Use this helper at loader boundaries
+ * for URL-supplied integer params so a malformed URL silently falls back to
+ * `undefined` rather than nudging downstream logic with a partial or NaN value.
+ */
+export function parseFiniteInt(value: string | null | undefined): number | undefined {
+  if (value == null || value === "") return undefined;
+  const n = Number.parseInt(value, 10);
+  return Number.isFinite(n) ? n : undefined;
+}
+
 export function objectToSearchParams(
   obj:
     | undefined