fix(builder): sanitize standalone payload against schema fields

Author: EvanSchleret

.github/workflows/release.yml .github/workflows/publish.yml.github/workflows/release.yml renamed to .github/workflows/publish.yml

@@ -1,16 +1,16 @@
-name: Release
+name: Publish
 
 on:
-  release:
-    types:
-      - published
+  push:
+    tags:
+      - "v*"
 
 permissions:
   contents: read
   id-token: write
 
 concurrency:
-  group: release-${{ github.workflow }}-${{ github.ref }}
+  group: publish-${{ github.ref }}
   cancel-in-progress: false
 
 jobs:
@@ -46,9 +46,6 @@ jobs:
     name: Publish to npm
     runs-on: ubuntu-latest
     needs: quality
-    permissions:
-      contents: read
-      id-token: write
 
     steps:
       - name: Checkout
@@ -62,27 +59,36 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v6
         with:
-          node-version: "22"
+          node-version: "22.14.0"
+          check-latest: true
           registry-url: "https://registry.npmjs.org"
 
+      - name: Update npm
+        run: npm install -g npm@^11.5.1
+
+      - name: Show versions
+        run: |
+          node --version
+          npm --version
+          echo "GITHUB_REF=${GITHUB_REF}"
+          echo "GITHUB_REF_NAME=${GITHUB_REF_NAME}"
+
       - name: Install dependencies
         run: bun install --frozen-lockfile
 
-      - name: Sync version from release tag
+      - name: Verify tag matches package.json
         run: |
-          TAG="${{ github.event.release.tag_name }}"
+          TAG="${GITHUB_REF_NAME}"
           VERSION="${TAG#v}"
+          PACKAGE_VERSION="$(node -p "require('./package.json').version")"
 
-          if ! echo "$VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.]+)?(\+[0-9A-Za-z.-]+)?$'; then
-            echo "Invalid release tag: $TAG"
-            echo "Expected semver tag like v1.2.3 or 1.2.3"
+          if [ "$VERSION" != "$PACKAGE_VERSION" ]; then
+            echo "Tag version ($VERSION) does not match package.json version ($PACKAGE_VERSION)"
             exit 1
           fi
 
-          npm version "$VERSION" --no-git-tag-version --allow-same-version
-
       - name: Build package
         run: bun run build
 
       - name: Publish package
-        run: npm publish --access public
+        run: npm publish --provenance

.github/workflows/version.yml

@@ -0,0 +1,59 @@
+name: Version
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_type:
+        description: Release type
+        required: true
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+permissions:
+  contents: write
+
+concurrency:
+  group: version-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  version:
+    name: Bump version and create tag
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22.14.0"
+          check-latest: true
+
+      - name: Update npm
+        run: npm install -g npm@^11.5.1
+
+      - name: Show versions
+        run: |
+          node --version
+          npm --version
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Bump version
+        run: |
+          npm version ${{ inputs.release_type }} -m "chore(release): %s"
+
+      - name: Push commit and tag
+        run: |
+          git push origin HEAD
+          git push origin --tags

src/runtime/renderers/default/FormForgeRenderer.vue

@@ -278,6 +278,53 @@ function getResolvedZodSchema(): object | undefined {
   return internalForm.zodSchema.value as object | undefined
 }
 
+function resolveSchemaFieldNames(schema: FormForgeFormSchema): Set<string> {
+  const names = new Set<string>()
+
+  if (Array.isArray(schema.fields)) {
+    for (const field of schema.fields) {
+      if (typeof field.name === 'string' && field.name !== '') {
+        names.add(field.name)
+      }
+    }
+  }
+
+  if (Array.isArray(schema.pages)) {
+    for (const page of schema.pages) {
+      if (!Array.isArray(page.fields)) {
+        continue
+      }
+
+      for (const field of page.fields) {
+        if (typeof field.name === 'string' && field.name !== '') {
+          names.add(field.name)
+        }
+      }
+    }
+  }
+
+  return names
+}
+
+function sanitizePayloadWithSchema(value: FormForgeSubmissionPayload, schema: FormForgeFormSchema): FormForgeSubmissionPayload {
+  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
+    return {}
+  }
+
+  const allowedFieldNames = resolveSchemaFieldNames(schema)
+  const sanitizedPayload: FormForgeSubmissionPayload = {}
+
+  for (const [key, entryValue] of Object.entries(value)) {
+    if (!allowedFieldNames.has(key)) {
+      continue
+    }
+
+    sanitizedPayload[key] = entryValue
+  }
+
+  return sanitizedPayload
+}
+
 const formState = computed<FormForgeSubmissionPayload>({
   get: () => {
     const value = usesExternalModel.value
@@ -288,6 +335,13 @@ const formState = computed<FormForgeSubmissionPayload>({
       return {}
     }
 
+    if (usesExternalModel.value) {
+      const schema = getResolvedSchema()
+      if (schema !== null) {
+        return sanitizePayloadWithSchema(value, schema)
+      }
+    }
+
     return value
   },
   set: (value: FormForgeSubmissionPayload): void => {
@@ -300,6 +354,26 @@ const formState = computed<FormForgeSubmissionPayload>({
   }
 })
 
+watch(
+  () => [usesExternalModel.value, getResolvedSchema(), unwrapModelValueProp(props.modelValue)] as const,
+  ([externalModel, schema, modelValue]) => {
+    if (!externalModel || schema === null) {
+      return
+    }
+
+    const sanitizedValue = sanitizePayloadWithSchema(modelValue, schema)
+    if (areValuesEqual(modelValue, sanitizedValue)) {
+      return
+    }
+
+    emit('update:modelValue', sanitizedValue)
+  },
+  {
+    immediate: true,
+    deep: true
+  }
+)
+
 const displayPages = computed<FormForgePageSchema[]>(() => {
   const schema = getResolvedSchema()
   if (schema === null) {
@@ -1234,6 +1308,24 @@ function getFieldMetaUi(field: FormForgeFieldSchema): { formField?: FormForgeDyn
   }
 }
 
+function mergeUiClass(defaultClass: string, value: unknown): string {
+  if (typeof value !== 'string' || value.trim() === '') {
+    return defaultClass
+  }
+
+  return `${defaultClass} ${value}`
+}
+
+function getResolvedFormFieldUi(field: FormForgeFieldSchema): FormForgeDynamicObject {
+  const metaUi = getFieldMetaUi(field).formField
+
+  return {
+    ...metaUi,
+    label: mergeUiClass('text-default', metaUi?.label),
+    help: mergeUiClass('text-muted', metaUi?.help)
+  }
+}
+
 function getFieldValue(field: FormForgeFieldSchema): FormForgeSubmissionPayload[string] {
   return formState.value[field.name]
 }
@@ -1514,7 +1606,7 @@ async function onSubmit(): Promise<void> {
         >
           <h3
             v-if="page.title !== ''"
-            class="text-base font-semibold"
+            class="text-base font-semibold text-default"
           >
             {{ page.title }}
           </h3>
@@ -1535,7 +1627,7 @@ async function onSubmit(): Promise<void> {
             :label="field.label"
             :help="field.help_text"
             :required="isFieldRequired(field)"
-            :ui="getFieldMetaUi(field).formField"
+            :ui="getResolvedFormFieldUi(field)"
             @focusout="() => onFieldBlur(field.name)"
           >
             <UInput