---
name: type-hardening
description: Eliminate `any` types, tighten Zod schemas, and enforce strict TypeScript across the monorepo
triggers:
  - "harden types"
  - "fix any types"
  - "type safety"
  - "strict typescript"
---

# Type Hardening Skill

Systematically eliminate unsafe types and strengthen schema validation across
the Entitlement OS monorepo.

## Workflow

1. **Scan** — Find all `any` types and weak typing:
   ```
   rg '\bany\b' --type ts --glob '!node_modules' --glob '!*.d.ts' -c
   rg 'as any' --type ts --glob '!node_modules' -l
   rg '@ts-ignore' --type ts --glob '!node_modules' -l
   rg '@ts-expect-error' --type ts --glob '!node_modules' -l
   ```

2. **Prioritize** — Fix in order of blast radius:
   - `packages/shared/` (Zod schemas used everywhere)
   - `packages/openai/` (API response types)
   - `packages/db/` (Prisma types, usually already strong)
   - `packages/evidence/` (hash/extract types)
   - `apps/web/` API routes (request/response types)
   - `apps/web/` components (props types)
   - `apps/worker/` (workflow input/output types)

3. **For each `any` found:**
   - Determine the actual type from usage context
   - Replace `any` with the concrete type or a Zod-inferred type
   - If the type is truly unknown, use `unknown` with a type guard
   - Never use `as any` — use proper type narrowing instead
   - Add Zod `.parse()` at system boundaries

4. **Zod schema tightening:**
   - Ensure all API route handlers validate input with `.parse()`
   - Ensure all OpenAI response schemas use `.strict()`
   - Add `.brand()` for nominal types where confusion is possible
   - Verify no `.passthrough()` on security-sensitive schemas

5. **Verify** — After each file:
   ```
   pnpm typecheck
   pnpm test
   ```

## Rules

- Never introduce `@ts-ignore` or `@ts-expect-error`
- Never weaken existing Zod schemas
- Prefer Zod `.infer<>` over manual type declarations
- Keep changes minimal — one type fix per commit is fine
- If a type requires a new shared type, add it to `packages/shared/`