fix: enforce hasPassword to be a boolean

packages/api/src/dto/resume.test.ts

@@ -0,0 +1,35 @@
+import { describe, expect, it } from "vitest";
+import { defaultResumeData } from "@reactive-resume/schema/resume/default";
+import { redactResumeForViewer } from "../helpers/resume-access-policy";
+import { resumeDto } from "./resume";
+
+describe("resume DTO output validation", () => {
+	it("accepts public resume responses after owner-only fields are redacted", () => {
+		const dbResume = {
+			id: "019e128d-0598-75d2-ae6a-771e2eb84614",
+			userId: "019bef93-a165-72cb-9c0e-d96e00000000",
+			name: "Armed Amaranth Catshark",
+			slug: "armed-amaranth-catshark",
+			tags: [],
+			data: {
+				...defaultResumeData,
+				metadata: {
+					...defaultResumeData.metadata,
+					notes: "owner-only notes",
+				},
+			},
+			isPublic: true,
+			isLocked: false,
+			hasPassword: false,
+		};
+
+		const publicResume = {
+			...redactResumeForViewer(dbResume, false),
+			hasPassword: dbResume.hasPassword,
+		};
+
+		expect(publicResume.name).toBe("");
+		expect(publicResume.data.metadata.notes).toBe("");
+		expect(resumeDto.getBySlug.output.safeParse(publicResume).success).toBe(true);
+	});
+});

packages/api/src/services/resume.ts

@@ -127,7 +127,7 @@ const analysis = {
 	},
 };
 
-function toSharedResumeResponse<TPassword extends boolean>(
+function toSharedResumeResponse(
 	resume: {
 		id: string;
 		name: string;
@@ -137,7 +137,7 @@ function toSharedResumeResponse<TPassword extends boolean>(
 		isPublic: boolean;
 		isLocked: boolean;
 	},
-	hasPassword: TPassword,
+	hasPassword: boolean,
 ) {
 	return {
 		id: resume.id,