
fix(admin): relax userId validation in gastown router for legacy oauth/* IDs #3497

Merged: jrf0110 merged 1 commit into main from gt/toast/6f7b350e on May 26, 2026

Conversation

jrf0110 (Contributor) commented May 26, 2026

Summary

Relax userId input validation in admin.gastown.getUserTowns and admin.gastown.getUserRigs from z.string().uuid() to z.string().min(1), allowing legacy oauth/... user IDs to pass validation. The downstream gastown service already accepts arbitrary string IDs — the Zod UUID constraint was the only thing rejecting them.

Verification

Loaded the admin Gas Town tab for a user with an oauth/google/... ID and confirmed it renders without a BAD_REQUEST error.

Visual Changes

N/A

Reviewer Notes

Single-file change, two identical validator relaxations. No other admin router constrains userId to UUID.

kilo-code-bot (Bot) commented May 26, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

Minimal, correct fix: relaxing userId validation from z.string().uuid() to z.string().min(1) in two admin-only gastown procedures to support legacy oauth/... user IDs, consistent with all other admin router procedures.

Files Reviewed (1 file)
  • apps/web/src/routers/admin/gastown-router.ts

Note: A theoretical path traversal concern exists because input.userId is interpolated directly into URL paths sent to the gastown service (e.g. /api/users/${input.userId}/towns). However, this is admin-only behind adminProcedure (requires is_admin: true), and the gastown service is an internal Cloudflare Worker protected by CF Access + short-lived admin JWTs — the exploitable surface is negligible. If future non-admin procedures adopt this pattern, consider URL-encoding the userId before interpolation.

Reviewed by claude-sonnet-4.6 · 394,098 tokens

Review guidance: REVIEW.md from base branch main
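The two validation rules and the path-interpolation point from the review above, worked through as an added TypeScript example (not code from this repository): the route shape `/api/users/${userId}/towns` comes from the review comment, while the function names, the extra `.`/`..` check and the sample IDs are assumed for illustration.

```typescript
// Constructed example: the strict and relaxed userId rules from this PR,
// without a zod dependency, beside a raw and an encoded path builder.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

/** Old rule (z.string().uuid()): rejects legacy oauth/... IDs. */
function isValidUserIdStrict(userId: string): boolean {
  return UUID_RE.test(userId);
}

/** New rule (z.string().min(1)): any non-empty string passes, slashes included. */
function isValidUserIdRelaxed(userId: string): boolean {
  return userId.length >= 1;
}

/** Raw interpolation: a slash-bearing ID becomes extra path segments. */
function userTownsPathRaw(userId: string): string {
  return `/api/users/${userId}/towns`;
}

/**
 * Encoded interpolation, as the review suggests for non-admin callers:
 * "/" becomes "%2F", so the ID stays one path segment and cannot change the
 * route. "." and ".." survive encodeURIComponent unchanged, so they are
 * refused explicitly (an extra check assumed here, not part of the PR).
 */
function userTownsPathEncoded(userId: string): string {
  if (!isValidUserIdRelaxed(userId) || userId === "." || userId === "..") {
    throw new Error("invalid userId");
  }
  return `/api/users/${encodeURIComponent(userId)}/towns`;
}

// Sample IDs (constructed): one legacy oauth ID, one UUID.
const legacyId = "oauth/google/123";
const uuidId = "123e4567-e89b-12d3-a456-426614174000";
console.log(isValidUserIdStrict(legacyId), isValidUserIdRelaxed(legacyId)); // false true
console.log(userTownsPathRaw(legacyId));     // /api/users/oauth/google/123/towns
console.log(userTownsPathEncoded(legacyId)); // /api/users/oauth%2Fgoogle%2F123/towns
console.log(userTownsPathEncoded(uuidId));   // UUID is unchanged by encoding
```

The encoded form assumes the gastown worker decodes the segment on its side; if it matches routes against the raw path, `%2F` must be handled there too.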

@jrf0110 jrf0110 merged commit df49ffc into main May 26, 2026
17 checks passed
@jrf0110 jrf0110 deleted the gt/toast/6f7b350e branch May 26, 2026 18:29