fix: form-builder multistep data parsing

[olliethedev]

Summary

• fix form-builder multistep data parsing

Type of change

• Bug fix
• New plugin
• Feature / enhancement to an existing plugin
• Documentation
• Chore / refactor / tooling

Checklist

• pnpm build passes
• pnpm typecheck passes
• pnpm lint passes
• Tests added or updated (unit and/or E2E)
• Docs updated (docs/content/docs/) if consumer-facing types or behavior changed
• All three codegen-projects create successfully and pass E2E tests
• New plugin: submission checklist in CONTRIBUTING.md completed

Screenshots

---

Note

Medium Risk
Changes schema I/O behavior and public types for form-builder multi-step forms; incorrect mapping could misplace fields across steps, but scope is limited and covered by new unit tests.

Overview
Fixes multi-step form-builder schema parsing to support Zod-generated schemas that encode step placement via a root-level stepGroupMap, while keeping per-property stepGroup as the preferred source.

Updates JSONSchema typings to include stepGroupMap, threads it through jsonSchemaToFieldsAndSteps/propertiesToFields (including fallback fields), and adds a dedicated export (@workspace/ui/components/form-builder/schema-utils) plus comprehensive regression/round-trip tests. Also bumps @btst/stack version to 2.11.6.

^{Reviewed by Cursor Bugbot for commit 2b2432c. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
better-stack-docs	Ready	Preview, Comment	Apr 17, 2026 9:28pm
better-stack-playground	Ready	Preview, Comment	Apr 17, 2026 9:28pm

[cursor]

Security Review — No High-Confidence Vulnerabilities Found

This PR is a targeted bug fix for form-builder multi-step schema parsing. After reviewing the full diff against each threat category, no exploitable security vulnerabilities were identified.

Threat Evaluation

Area	Finding
Injection (SQL / command / path traversal)	No server-side execution, filesystem access, or DB queries. Values from stepGroupMap are integer step indices only.
Prototype pollution	Lookup is stepGroupMap?.[key] where key is always derived from iterating schema.properties. The map's own keys are never used to write to other objects.
Authn / authz	No permission checks added or removed.
Secrets / token leakage	No secrets or tokens involved.
Unsafe deserialization / XSS	stepGroupMap values feed into field.stepGroup (a tab-selection index), not into HTML rendering. No XSS surface.
Supply-chain / dependencies	No new dependencies introduced.

Notes

• The new stepGroupMap type is Record<string, number>. At runtime, a malformed schema could supply non-numeric values; however the impact is limited to incorrect step-tab assignment in the UI — no injection or escalation path exists.
• The new @workspace/ui/components/form-builder/schema-utils export path exposes an existing internal module publicly. The module contains no privileged logic or sensitive data.
• Test coverage for the new code path is comprehensive (both encoding paths, precedence, and round-trips).

No remediation required for this PR.

  

_{Sent by Cursor Automation: Find vulnerabilities}

[github-actions]

✅ Shadcn registry updated — registry JSON files were rebuilt and committed to this branch.