From cdc61706c62cb9aba58a8bfc6f357694a9811aac Mon Sep 17 00:00:00 2001
From: Matt Miller
Date: Tue, 19 May 2026 19:48:33 -0700
Subject: [PATCH] =?UTF-8?q?fix(assets):=20tighten=20job=5Fids=20=E2=80=94?= =?UTF-8?q?=20array=20schema,=20max=5Flength,=20narrow=20except?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From cursor-reviews on the parent commit:
- OpenAPI: declare job_ids as `type: array, items: string format: uuid` with `style: form, explode: true` so it matches the documented contract (and matches sibling include_tags/exclude_tags shape). Description now states both accepted shapes explicitly.
- Schema: cap `job_ids` at 500 entries (max_length on the Pydantic field) so a client can't splice an unbounded list into the IN clauses.
- Schema: drop `AttributeError` from the except — `raw` only contains `str` items by construction, so `uuid.UUID()` raises `ValueError` exclusively; the second clause was dead code.
---
 app/assets/api/schemas_in.py | 4 ++--
 openapi.yaml | 9 +++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/assets/api/schemas_in.py b/app/assets/api/schemas_in.py
index eed9fe4cd..c5a8ae75a 100644
--- a/app/assets/api/schemas_in.py
+++ b/app/assets/api/schemas_in.py
@@ -54,7 +54,7 @@ class ListAssetsQuery(BaseModel):
 include_tags: list[str] = Field(default_factory=list)
 exclude_tags: list[str] = Field(default_factory=list)
 name_contains: str | None = None
- job_ids: list[str] = Field(default_factory=list)
+ job_ids: list[str] = Field(default_factory=list, max_length=500)
 # Accept either a JSON string (query param) or a dict
 metadata_filter: dict[str, Any] | None = None
@@ -105,7 +105,7 @@ class ListAssetsQuery(BaseModel):
 for s in raw:
 try:
 canonical = str(uuid.UUID(s))
- except (ValueError, AttributeError) as e:
+ except ValueError as e:
 raise ValueError(f"job_ids must be UUIDs: {s!r}") from e
 if canonical not in seen:
 seen.add(canonical)
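Review bot: The `max_length=500` cap on `job_ids` only bounds the comma-separated form if the splitting validator runs before Pydantic applies the field constraint, and that ordering is not visible in this hunk. If the validator whose loop appears in the `@@ -105,7` hunk runs in after-mode, a single element holding many comma-separated IDs passes the length check as one item and is expanded afterwards, so the list reaching the IN clauses would again be unbounded. An explicit check before `for s in raw:` makes the limit independent of validator mode, for example `if len(raw) > 500: raise ValueError("job_ids accepts at most 500 entries")`. The diffstat lists no test file, so a test sending 501 IDs in each accepted shape would be worth adding.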
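Review bot: The narrowed `except ValueError` in the `@@ -105,7` hunk relies on `raw` holding only `str` items, but nothing in the visible lines states or enforces that invariant. A non-string item would make `uuid.UUID(s)` raise `AttributeError` or `TypeError`, which would escape as an unhandled error instead of a validation failure. A comment above the `try:` would keep the reasoning next to the code: `# raw holds only str here, so uuid.UUID() can raise only ValueError`. The construction of `raw` and the start of the validator are outside the hunk, so confirm the invariant for both the repeated-parameter and the comma-separated input.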
diff --git a/openapi.yaml b/openapi.yaml
index 94a05593b..148d4f3dd 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -1559,8 +1559,13 @@ paths:
 - name: job_ids
 in: query
 schema:
- type: string
- description: "Comma-separated UUIDs to filter assets by associated job."
+ type: array
+ items:
+ type: string
+ format: uuid
+ style: form
+ explode: true
+ description: "Filter assets by associated job UUIDs. Accepts repeated query params (e.g. `?job_ids=a&job_ids=b`) or a single comma-separated value (`?job_ids=a,b`)."
 - name: include_public
 in: query
 schema:
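Review bot: The new array schema for `job_ids` does not declare the 500-entry limit that this commit adds to the Pydantic field, so the published contract, and any gateway or client validation generated from it, still allows an unbounded list. Add `maxItems: 500` under `schema:` next to `items:`. Separately, with `explode: true` and `format: uuid` on the items, a validator that follows the schema strictly will likely read `?job_ids=a,b` as the single item `a,b` and reject it, which conflicts with the comma-separated shape the description promises. The description could say that the comma form is a server-side leniency outside the declared schema.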