External data is not cast directly into trusted types
typescript-arch-001
Intent
TypeScript types disappear at runtime, so external data must be validated before it is treated as trusted.
Applicability
Applies when the diff accepts HTTP bodies, queue payloads, environment config, or JSON from external systems.
What to inspect
Look for "as SomeType" assertions, angle-bracket casts, and non-null assertions on external values, and check whether runtime validation is visible.
Pass criteria
External data is validated at runtime before being treated as a trusted type.
Fail criteria
The diff casts request, message, or config data directly into trusted types with no visible runtime validation.
Do not flag
Values already validated earlier in the same visible flow, and narrow test fixtures.
Confidence guidance
HIGH when the unvalidated cast is direct. MEDIUM when validation may happen out of scope. LOW when data provenance is unclear.
Remediation
Validate first, then convert the validated payload into the trusted type.
Pass example
const parsed = OrderSchema.parse(req.body);
Fail example
const parsed = req.body as Order;
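Added example (not part of the rule's own examples): a hand-written validator, standing in for a schema library, that shows the fail and pass patterns side by side on constructed request bodies. The Order fields, the function names and the sample payloads are assumptions made for illustration.

```typescript
// Trusted domain type; it exists only at compile time.
interface Order {
  id: string;
  quantity: number;
}

// Fail pattern: the assertion compiles but checks nothing at runtime.
function castOrder(body: unknown): Order {
  return body as Order;
}

// Pass pattern: check each field, then build the trusted value from the
// checked fields only, so unexpected properties are dropped.
function parseOrder(body: unknown): Order {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    throw new TypeError("order must be a JSON object");
  }
  // Field values stay `unknown` until each one is checked below.
  const { id, quantity } = body as Record<string, unknown>;
  if (typeof id !== "string" || id.length === 0) {
    throw new TypeError("order.id must be a non-empty string");
  }
  if (typeof quantity !== "number" || !isFinite(quantity) ||
      Math.floor(quantity) !== quantity || quantity < 1) {
    throw new TypeError("order.quantity must be a positive integer");
  }
  return { id, quantity };
}

// Constructed sample bodies, as they would look after JSON decoding.
const goodBody: unknown = JSON.parse('{"id":"A-100","quantity":2,"isAdmin":true}');
const badBody: unknown = JSON.parse('{"id":"A-101","quantity":"2"}');

// Code downstream of the boundary relies on the declared types.
function nextQuantity(order: Order): number {
  return order.quantity + 1;
}

// Returns the validation error message, or null when the body is accepted.
function rejection(body: unknown): string | null {
  try {
    parseOrder(body);
    return null;
  } catch (err) {
    return err instanceof Error ? err.message : String(err);
  }
}
```

With the constructed badBody, nextQuantity(castOrder(badBody)) evaluates to the string "21" despite its number return type, while parseOrder(badBody) throws before the value reaches any trusted code.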