fix(integrations): accept serializer nulls for optional vanta params #5015

Closed
waleedlatif1 wants to merge 1 commit into staging from worktree-vanta-validation

@waleedlatif1

Collaborator

Summary

  • Fixes "Invalid input: expected string, received null" when running Vanta operations with empty optional fields (e.g., List Vulnerabilities with no filters)
  • Root cause: the workflow serializer emits null for untouched subblock values (serializer/index.ts ?? null), but the Vanta query contract validated optional fields with .optional(), which accepts omission/undefined and rejects null. Operations whose optional fields are remapped in the block params fn (e.g., List Frameworks) were unaffected; operations with same-named pass-through fields (List Vulnerabilities, List Tests, List Risk Scenarios, etc.) failed
  • Fix: all optional body fields in the Vanta contract now use .nullish(), matching the existing Daytona contract convention; the routes already skip null values when building Vanta API URLs (buildVantaUrl/splitVantaCommaList), and region handling in tools/vanta/utils.ts now tolerates null
  • Required identifiers (frameworkId, documentId, …) intentionally stay strict
  • Adds a contract regression test covering serializer-null payloads for the affected operations, null-rejection on required IDs, and enum validation

Note: the CrowdStrike query contract has the same latent .optional() pattern for its filter params — flagged for a separate follow-up since it predates this PR.

Type of Change

  • Bug fix

Testing

  • New vanta.test.ts contract tests (6) pass; existing registry suites pass
  • Typecheck, biome, and check:api-validation:strict all clean

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel Bot commented Jun 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Skipped | Skipped | Jun 12, 2026 11:57pm |

@cursor

cursor Bot commented Jun 12, 2026

PR Summary

Low Risk
Contract-only validation widening for optional fields; downstream URL building already ignores nulls, with no change to required credentials or IDs.

Overview
Fixes Vanta tool runs failing validation when optional workflow fields are left empty, because the serializer sends null while the query/upload contracts only allowed omission via .optional().

Optional body fields across vantaQueryBodySchema (filters, pagination, region, etc.) and related upload optional fields are switched to .nullish(), aligned with other tool contracts. Required IDs stay strict. getVantaBaseUrl and token region typing now accept null (still defaulting to us).

Adds vanta.test.ts regression tests for serializer-null payloads, required-ID rejection, and enum validation.

Reviewed by Cursor Bugbot for commit 735815f. Configure here.

@greptile-apps

greptile-apps Bot commented Jun 12, 2026

Contributor

Greptile Summary

Fixes a validation error thrown when the workflow serializer emits null for untouched optional Vanta block fields. All optional fields in the Vanta query, upload, and download contracts are migrated from .optional() to .nullish(), and getVantaBaseUrl/VantaTokenParams are updated to accept null for region. The existing buildVantaUrl and splitVantaCommaList helpers already skipped null values when constructing API URLs, so no route-handler changes were needed.

  • ~40 optional Zod fields across list/filter schemas migrated from .optional() to .nullish(); required identifiers (frameworkId, documentId, etc.) intentionally remain strict.
  • getVantaBaseUrl signature and VantaTokenParams.region widened to VantaRegion | null | undefined; the ?? 'us' fallback handles null transparently.
  • New vanta.test.ts adds 6 contract regression tests covering serializer-null payloads, null-rejection on required IDs, and enum validation.

Confidence Score: 5/5

The change is safe to merge: it widens validation to accept null on optional fields that were already being skipped at the URL-building layer, and all required identifiers remain strict.

The fix is targeted and well-scoped — ~40 .optional() calls become .nullish() to match what the serializer already emits. The downstream buildVantaUrl/splitVantaCommaList helpers have always skipped null values, so runtime behavior for non-null inputs is unchanged. New contract tests confirm both null acceptance and continued rejection of nulls on required fields. No route logic or output schemas were altered.

No files require special attention. The PR description correctly notes that the CrowdStrike contract has the same latent pattern, but that is out of scope here.

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/lib/api/contracts/tools/vanta.ts | All optional schema fields migrated from .optional() to .nullish() to accept serializer-emitted nulls; required identifiers remain strict. |
| apps/sim/tools/vanta/utils.ts | Updated getVantaBaseUrl signature and VantaTokenParams.region to accept null; existing ?? 'us' fallback already handles null correctly. |
| apps/sim/lib/api/contracts/tools/vanta.test.ts | New test file covering serializer-null payloads for affected operations, null-rejection on required IDs, and enum validation. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Workflow Serializer] -->|emits null for empty subblock| B[POST /api/tools/vanta/query]
    B --> C{Contract Validation}
    C -->|optional fields use .nullish| D[Parsed body with null fields]
    C -->|required IDs use .string.min1| E[Reject null - 400]
    D --> F[buildVantaApiRequest]
    F --> G[buildVantaUrl]
    G -->|null values skipped| H[Vanta API URL]
    H --> I[fetchVantaWithAuth]
    I --> J[Vanta REST API]
    K[region is null] --> L[getVantaBaseUrl - defaults to us]
    L --> J

Reviews (1): Last reviewed commit: "fix(integrations): accept serializer nul..." | Re-trigger Greptile

@waleedlatif1

Collaborator Author

Closing — this per-contract approach fixes symptoms file-by-file. The root cause (workflow serializer emits null for empty optional inputs) should be fixed once at the tool-execution boundary instead. Follow-up coming.
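
Added example, not code from this PR or the project: a stand-alone TypeScript model (not Zod itself) of the three field behaviours discussed in this thread, contrasting the per-contract widening with dropping nulls once at the execution boundary, as the closing comment proposes. The contract shape, the function names and the severity field are hypothetical.

```typescript
// Added illustration, not code from the PR. All names are hypothetical; this
// is a small stand-alone model of the three field behaviours, not Zod itself.
type Mode = 'required' | 'optional' | 'nullish'
type Contract = Record<string, Mode>
type Payload = Record<string, unknown>

// required: non-empty string only
// optional: string, or absent/undefined (null is rejected)
// nullish:  string, absent/undefined, or null
function validate(contract: Contract, body: Payload): string[] {
  const errors: string[] = []
  for (const key of Object.keys(contract)) {
    const mode = contract[key]
    const value = body[key]
    if (typeof value === 'string') {
      if (mode === 'required' && value.length === 0) errors.push(`${key}: empty string`)
      continue
    }
    if (value === undefined && mode !== 'required') continue
    if (value === null && mode === 'nullish') continue
    const received = value === null ? 'null' : typeof value
    errors.push(`${key}: expected string, received ${received}`)
  }
  return errors
}

// Boundary normalisation: drop a null only when the contract does not mark the
// field as required, so a null required ID still reaches validation and fails.
function dropOptionalNulls(contract: Contract, body: Payload): Payload {
  const out: Payload = {}
  for (const key of Object.keys(body)) {
    if (body[key] === null && contract[key] !== 'required') continue
    out[key] = body[key]
  }
  return out
}

// Constructed sample: frameworkId and region appear in the PR text;
// severity is a made-up filter name standing in for any optional filter.
const strictContract: Contract = { frameworkId: 'required', region: 'optional', severity: 'optional' }
const widenedContract: Contract = { frameworkId: 'required', region: 'nullish', severity: 'nullish' }
const serializerPayload: Payload = { frameworkId: 'fw-example', region: null, severity: null }

console.log(validate(strictContract, serializerPayload)) // the reported failure
console.log(validate(widenedContract, serializerPayload)) // per-contract fix
console.log(validate(strictContract, dropOptionalNulls(strictContract, serializerPayload)))
console.log(validate(widenedContract, { frameworkId: null, region: null })) // still rejected
```

Either route accepts the serializer payload; in both, a null required identifier is still rejected, which is the property the PR's regression tests check.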
