fix(monday): deduplicate numeric ID validation, sanitize limit/page params

- Refactor sanitizeNumericId to delegate to validateMondayNumericId
  from input-validation.ts, eliminating duplicated regex logic
- Add sanitizeLimit helper for safe integer coercion with bounds
- Apply sanitizeLimit to limit/page params in list_boards, get_items,
  and search_items for consistent validation across all GraphQL params

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/tools/monday/get_items.ts

@@ -3,6 +3,7 @@ import {
   extractMondayError,
   MONDAY_API_URL,
   mondayHeaders,
+  sanitizeLimit,
   sanitizeNumericId,
 } from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
@@ -85,7 +86,7 @@ export const mondayGetItemsTool: ToolConfig<MondayGetItemsParams, MondayGetItems
     method: 'POST',
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => {
-      const limit = params.limit ?? 25
+      const limit = sanitizeLimit(params.limit, 25, 500)
       const boardId = sanitizeNumericId(params.boardId, 'boardId')
       if (params.groupId) {
         return {

apps/sim/tools/monday/list_boards.ts

@@ -1,5 +1,10 @@
 import type { MondayListBoardsParams, MondayListBoardsResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeLimit,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayListBoardsTool: ToolConfig<MondayListBoardsParams, MondayListBoardsResponse> = {
@@ -39,8 +44,8 @@ export const mondayListBoardsTool: ToolConfig<MondayListBoardsParams, MondayList
     method: 'POST',
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => {
-      const limit = params.limit ?? 25
-      const page = params.page ?? 1
+      const limit = sanitizeLimit(params.limit, 25, 500)
+      const page = sanitizeLimit(params.page, 1, 10000)
       return {
         query: `query { boards(limit: ${limit}, page: ${page}, state: active) { id name description state board_kind items_count url updated_at } }`,
       }

apps/sim/tools/monday/search_items.ts

@@ -3,6 +3,7 @@ import {
   extractMondayError,
   MONDAY_API_URL,
   mondayHeaders,
+  sanitizeLimit,
   sanitizeNumericId,
 } from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
@@ -58,7 +59,7 @@ export const mondaySearchItemsTool: ToolConfig<MondaySearchItemsParams, MondaySe
       method: 'POST',
       headers: (params) => mondayHeaders(params.accessToken),
       body: (params) => {
-        const limit = params.limit ?? 25
+        const limit = sanitizeLimit(params.limit, 25, 500)
         if (params.cursor) {
           return {
             query: `query { next_items_page(limit: ${limit}, cursor: ${JSON.stringify(params.cursor)}) { cursor items { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } } }`,

apps/sim/tools/monday/utils.ts

@@ -1,3 +1,5 @@
+import { validateMondayNumericId } from '@/lib/core/security/input-validation'
+
 export const MONDAY_API_URL = 'https://api.monday.com/v2'
 
 export function mondayHeaders(accessToken: string): Record<string, string> {
@@ -9,15 +11,24 @@ export function mondayHeaders(accessToken: string): Record<string, string> {
 }
 
 /**
- * Validates that a Monday.com numeric ID (boardId, itemId, etc.) contains only digits.
- * Throws with a user-friendly message if invalid, preventing GraphQL injection.
+ * Validates a Monday.com numeric ID and returns the sanitized string.
+ * Delegates to validateMondayNumericId; throws on invalid input.
  */
 export function sanitizeNumericId(value: string | number, paramName: string): string {
-  const str = String(value).trim()
-  if (!/^\d+$/.test(str)) {
-    throw new Error(`${paramName} must be a numeric integer`)
+  const result = validateMondayNumericId(value, paramName)
+  if (!result.isValid) {
+    throw new Error(result.error!)
   }
-  return str
+  return result.sanitized!
+}
+
+/**
+ * Coerces a limit/page param to a safe integer within bounds.
+ */
+export function sanitizeLimit(value: number | undefined, defaultVal: number, max: number): number {
+  const n = Number(value ?? defaultVal)
+  if (!Number.isFinite(n) || n < 1) return defaultVal
+  return Math.min(n, max)
 }
 
 export function extractMondayError(data: Record<string, unknown>): string | null {