fix: transaction safety, parsePeriodToMs consistency, SQL injection prevention

Author: ericallam

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug/route.tsx

@@ -336,19 +336,19 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
 // ─── Helpers ─────────────────────────────────────────────
 
 function parsePeriodToMs(period: string): number {
-  const match = period.match(/^(\d+)([hdwm])$/);
+  const match = period.match(/^(\d+)([mhdw])$/);
   if (!match) return 7 * 24 * 60 * 60 * 1000; // default 7d
   const [, numStr, unit] = match;
   const num = parseInt(numStr, 10);
   switch (unit) {
+    case "m":
+      return num * 60 * 1000;
     case "h":
       return num * 60 * 60 * 1000;
     case "d":
       return num * 24 * 60 * 60 * 1000;
     case "w":
       return num * 7 * 24 * 60 * 60 * 1000;
-    case "m":
-      return num * 30 * 24 * 60 * 60 * 1000;
     default:
       return 7 * 24 * 60 * 60 * 1000;
   }
@@ -1523,7 +1523,9 @@ function MetricsTab({
   to: string | null;
 }) {
   const { values: filterValues } = useSearchParams();
-  const versionFilters = filterValues("versions").filter((v) => v !== "");
+  const versionFilters = filterValues("versions")
+    .map(Number)
+    .filter((n) => Number.isInteger(n) && n > 0);
   const models = filterValues("models").filter((v) => v !== "");
   const operations = filterValues("operations").filter((v) => v !== "");
   const providers = filterValues("providers").filter((v) => v !== "");
@@ -1641,7 +1643,9 @@ function VersionPerformanceSection({
   to: string | null;
 }) {
   const { values: filterValues } = useSearchParams();
-  const versionFilters = filterValues("versions").filter((v) => v !== "");
+  const versionFilters = filterValues("versions")
+    .map(Number)
+    .filter((n) => Number.isInteger(n) && n > 0);
   const models = filterValues("models").filter((v) => v !== "");
   const operations = filterValues("operations").filter((v) => v !== "");
   const providers = filterValues("providers").filter((v) => v !== "");

apps/webapp/app/v3/services/promptService.server.ts

@@ -48,10 +48,14 @@ export class PromptService extends BaseService {
     }
   ) {
     const contentHash = createHash("sha256").update(data.textContent).digest("hex").slice(0, 16);
-    const nextVersion = await this.#getNextVersionNumber(promptId);
 
-    // Remove any existing override, then create new — wraps in transaction
-    await prisma.$transaction(async (tx) => {
+    const result = await prisma.$transaction(async (tx) => {
+      const latest = await tx.promptVersion.findFirst({
+        where: { promptId },
+        orderBy: { version: "desc" },
+      });
+      const nextVersion = (latest?.version ?? 0) + 1;
+
       await tx.$executeRaw`
         UPDATE "prompt_versions"
         SET "labels" = array_remove("labels", 'override')
@@ -71,9 +75,11 @@ export class PromptService extends BaseService {
           createdBy: data.createdBy,
         },
       });
+
+      return { version: nextVersion };
     });
 
-    return { version: nextVersion };
+    return result;
   }
 
   async updateOverride(
@@ -127,8 +133,18 @@ export class PromptService extends BaseService {
       );
     }
 
-    await this.#removeLabel(promptId, "override");
-    await this.#addLabel(versionId, "override");
+    await prisma.$transaction(async (tx) => {
+      await tx.$executeRaw`
+        UPDATE "prompt_versions"
+        SET "labels" = array_remove("labels", 'override')
+        WHERE "promptId" = ${promptId} AND 'override' = ANY("labels")
+      `;
+      await tx.$executeRaw`
+        UPDATE "prompt_versions"
+        SET "labels" = array_append("labels", 'override')
+        WHERE "id" = ${versionId} AND NOT ('override' = ANY("labels"))
+      `;
+    });
   }
 
   async #removeLabel(promptId: string, label: string) {