F-2025-0005·input-validation

Unvalidated profile fields written to DB (shape and size constraints missing)

Fixed · pentest · typescript · backend
TL;DR

User profile fields were written to MongoDB without shape or size constraints, allowing oversized strings, unexpected types, or injected structures to land in the database.

Severity
MEDIUM
Impact
MEDIUM
Likelihood
MEDIUM
Method
Manual review
Complexity
LOW
Exploitability
MEDIUM

Description

The profile update path persisted incoming fields to MongoDB without enforcing shape (allowed keys, types) or size constraints (maximum string length, max document size). Adversarial inputs could grow document size, inject unexpected fields, or set values that broke downstream consumers.


Impact

  • Storage and bandwidth amplification: oversized fields inflate document size and downstream egress.
  • Downstream consumer failures: code that assumes a particular field type or length crashes on adversarial data.
  • Increased risk of injection-style issues at consumer points that do not re-validate.

Recommendation

Add schema-level validation on the profile model (mongoose schema, zod, or equivalent). Enforce a closed list of allowed keys, type constraints, and per-field length caps. Reject unknown keys at the API layer before writing to the database.

Ipal Network: Confirmed. Zealynx: Fixed.

Status
Fixed