From d30a092df552698e0cc86c5fe8b37c5dfd13af26 Mon Sep 17 00:00:00 2001
From: Jared Miller <jared@smell.flowers>
Date: Wed, 28 Jan 2026 13:59:38 -0500
Subject: [PATCH] Validate state values in WebSocket message handler

---
 src/server.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/server.ts b/src/server.ts
index 1337d51..dcfe9f2 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -447,8 +447,9 @@ const server = Bun.serve<SessionData>({
         // Handle state message
         if (msg.type === "state") {
           const sessionState = sessionStates.get(ws.data.sessionId);
-          if (sessionState && msg.state) {
-            sessionState.state = msg.state;
+          const validStates = ["ready", "thinking", "permission", "question", "complete", "interrupted"];
+          if (sessionState && msg.state && validStates.includes(msg.state)) {
+            sessionState.state = msg.state as SessionState["state"];
             sessionState.dirty = true;
             // Broadcast SSE state event
             broadcastSSE({