fix(marketplace): clamp listing page queries #321

Merged
ralyodio merged 2 commits into profullstack:master from Jorel97:codex/fix-marketplace-page-clamp-320
May 29, 2026

Conversation

@Jorel97 Jorel97 commented May 29, 2026

Summary

  • normalize MCP and skills listing page query values to finite integer pages >= 1
  • prevent negative Supabase ranges from invalid page inputs
  • add regression coverage for negative and fractional page values

Fixes #320.

Testing

  • Not run locally: this workspace has Node but no npm/pnpm/npx/corepack available to install or invoke Vitest.

greptile-apps Bot commented May 29, 2026

Greptile Summary

This PR fixes a bug where invalid page query parameters (negative, fractional, or astronomically large values like 1e308) could produce negative or Infinity Supabase range offsets, causing 500 errors. A parsePage helper with a MAX_PAGE = 100_000 ceiling, Math.trunc, and Number.isFinite guard is added to both mcp/route.ts and skills/route.ts.

  • parsePage logic: Handles all edge cases correctly — negative → clamped to 1, fractions → truncated, NaN/Infinity strings → default 1, huge finites like 1e308 → capped at 100,000 before the offset multiplication.
  • Regression tests: Three new tests per route verify the negative, fractional, and overflow cases with exact range() call assertions; mock chains correctly mirror the no-filter query path.

Confidence Score: 5/5

Safe to merge — the fix correctly bounds page inputs in both routes, and the regression tests verify the exact Supabase range arguments for all problematic input classes.

The parsePage guard handles every problematic input class (negative, zero, fractional, non-numeric, non-finite, and overflow-magnitude values) and the arithmetic for each case has been verified against the test expectations. No new code paths are left unguarded.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/app/api/mcp/route.ts | Introduces parsePage with MAX_PAGE = 100_000 cap, Math.trunc, and Number.isFinite guard — correctly prevents the Infinity-offset overflow on inputs like 1e308. |
| src/app/api/skills/route.ts | Identical parsePage / MAX_PAGE fix applied; logic is correct and symmetric with mcp/route.ts. |
| src/app/api/mcp/route.test.ts | Three regression tests added: negative page clamped to 1, fractional page truncated, and huge (1e308) page capped at MAX_PAGE. Mock chain matches the no-filter query path in the route. |
| src/app/api/skills/route.test.ts | Parallel regression tests for skills route; same three cases, all assertions and expected range offsets are mathematically correct. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["GET /api/mcp or /api/skills\n?page=value"] --> B["parsePage(value)"]
    B --> C{"value null/empty?"}
    C -- yes --> D["use '1'"]
    C -- no --> E["Number(value)"]
    D --> E
    E --> F{"Number.isFinite?"}
    F -- no --> G["return 1"]
    F -- yes --> H["Math.trunc(parsed)"]
    H --> I["Math.max(1, truncated)"]
    I --> J["Math.min(result, 100_000)"]
    J --> K["page ∈ [1, 100_000]"]
    K --> L["offset = (page - 1) × 20"]
    L --> M["supabase.range(offset, offset + 19)"]
    M --> N["200 OK"]

Reviews (2): Last reviewed commit: "fix(marketplace): cap listing page bound..." | Re-trigger Greptile
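
An added sketch, not the repository's code: it rebuilds the guard from the flowchart above and sets it beside a hypothetical unguarded parse, so the negative and Infinity offsets described in the summary can be reproduced. `naivePage`, `toRange`, `isSafeRange`, `compare` and the sample inputs are constructed for illustration; the merged `route.ts` source is not shown on this page.

```typescript
const MAX_PAGE = 100_000; // ceiling named in the review summary
const PAGE_SIZE = 20;     // flowchart: offset = (page - 1) × 20

// Guard rebuilt from the flowchart (a reconstruction, not the merged source).
function parsePage(value: string | null): number {
  const parsed = Number(value || "1");    // null or empty falls back to "1"
  if (!Number.isFinite(parsed)) return 1; // "abc", "NaN", "Infinity", "1e999"
  return Math.min(Math.max(1, Math.trunc(parsed)), MAX_PAGE);
}

// Hypothetical unguarded parse, constructed here only for contrast.
function naivePage(value: string | null): number {
  return Number(value || "1");
}

// Inclusive [from, to] pair in the shape passed to supabase.range().
function toRange(page: number): [number, number] {
  const offset = (page - 1) * PAGE_SIZE;
  return [offset, offset + PAGE_SIZE - 1];
}

// Defence in depth: accept only two ordered, non-negative safe integers.
function isSafeRange([from, to]: [number, number]): boolean {
  return Number.isSafeInteger(from) && Number.isSafeInteger(to) && from >= 0 && to >= from;
}

// Constructed sample inputs covering the input classes named in the review.
const SAMPLES: (string | null)[] = ["-1", "2.5", "1e308", "abc", "", null];

function compare(value: string | null) {
  const naive = toRange(naivePage(value));
  const guarded = toRange(parsePage(value));
  return { value, naive, naiveSafe: isSafeRange(naive), guarded, guardedSafe: isSafeRange(guarded) };
}

for (const s of SAMPLES) console.log(compare(s));
```

The naive range for `"2.5"` is `[30, 49]`, which passes the integer check but straddles two pages; only truncating before the offset multiplication keeps ranges page-aligned.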

Comment thread src/app/api/mcp/route.ts
Comment thread src/app/api/skills/route.ts
Comment thread src/app/api/mcp/route.ts
@ralyodio ralyodio merged commit 2e8fac7 into profullstack:master May 29, 2026
4 checks passed
Development

Successfully merging this pull request may close these issues.

Bug: MCP and skills listings accept invalid page ranges

2 participants