From 5c0c4b8488780831dd1bc881728566ca0a49b85d Mon Sep 17 00:00:00 2001
From: clarboncy <84044806+clarboncy@users.noreply.github.com>
Date: Sat, 27 Jun 2026 09:13:58 -0400
Subject: [PATCH 1/2] fix: prevent client-controlled field injection in sendMessage (#9034)
---
 apps/api/src/services/messageService.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/api/src/services/messageService.js b/apps/api/src/services/messageService.js
index ef13fe6940..f1c788fd7d 100644
--- a/apps/api/src/services/messageService.js
+++ b/apps/api/src/services/messageService.js
@@ -5,7 +5,7 @@ export async function listMessages() {
 }
 export async function sendMessage(payload) {
- const message = { id: `msg_${Date.now()}`, ...payload, sentAt: new Date().toISOString() };
+ const message = { ...payload, id: `msg_${Date.now()}`, sentAt: new Date().toISOString() };
 messages.push(message);
 return message;
 }
From 43a4609b1f631d94fbf80191d140e97ae33db5df Mon Sep 17 00:00:00 2001
From: clarboncy <84044806+clarboncy@users.noreply.github.com>
Date: Sat, 27 Jun 2026 09:14:02 -0400
Subject: [PATCH 2/2] fix: prevent client-controlled field injection in createJob (#9034)
---
 apps/api/src/services/jobService.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/api/src/services/jobService.js b/apps/api/src/services/jobService.js
index b677c13eca..3c64ddbc03 100644
--- a/apps/api/src/services/jobService.js
+++ b/apps/api/src/services/jobService.js
@@ -5,7 +5,7 @@ export async function listJobs() {
 }
 export async function createJob(payload) {
- const job = { id: `job_${Date.now()}`, status: "open", ...payload };
+ const job = { ...payload, id: `job_${Date.now()}`, status: "open" };
 jobs.push(job);
 return job;
 }
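Review bot: Moving `...payload` to the front of the `message` literal in `sendMessage` only stops the caller from overriding `id` and `sentAt`; every other key in `payload` is still copied into the stored record, so any server-owned field not listed after the spread stays caller-controlled. The same holds for `createJob` in jobService.js, where only `id` and `status` are protected. Assuming `payload` comes from the request body, as the commit subject implies, an explicit allowlist is more durable than spread order: `const fields = Object.fromEntries(ALLOWED_MESSAGE_FIELDS.filter((k) => Object.hasOwn(payload, k)).map((k) => [k, payload[k]]));` followed by `{ ...fields, id, sentAt }`, where `ALLOWED_MESSAGE_FIELDS` is a placeholder for the real schema keys. If the spread is kept, a comment above the literal such as `// server-owned fields must follow the spread so payload cannot override them` would stop a later reorder from silently undoing the fix.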
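Review bot: With `createJob` now always assigning the id itself, ``job_${Date.now()}`` is the only source of job ids, and two calls in the same millisecond produce the same id; the `msg_` ids in messageService.js share the pattern. A random identifier removes both the collision and the guessable sequence, for example ``id: `job_${randomUUID()}` `` with `import { randomUUID } from "node:crypto";` at the top of the file. Separately, forcing `status: "open"` changes behavior for any internal caller that passed a different initial status, which cannot be checked from this hunk. Neither patch adds a regression test asserting that a payload carrying `id`, `status` or `sentAt` is ignored.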