
fix: validate dateTo/dateFrom are parseable dates before reaching AppleScript

Adds .refine() to DATE_FILTER_SCHEMA that rejects strings like "31" or "abc"
that pass the regex but crash AppleScript's date coercion.
Robert Sweet il y a 2 mois
Parent
commit
206ae0673e
2 fichiers modifiés avec 12 ajouts et 0 suppressions
  1. 3 0
      src/index.ts
  2. 9 0
      src/security.test.ts

+ 3 - 0
src/index.ts

@@ -48,6 +48,9 @@ const DATE_FILTER_SCHEMA = z
     /^[a-zA-Z0-9 ,/\-:]+$/,
     "Date must contain only alphanumeric characters, spaces, commas, slashes, hyphens, and colons"
   )
+  .refine((val) => !isNaN(new Date(val).getTime()), {
+    message: "Date string must be a valid date (e.g., 'January 1, 2026' or '2026-03-15')",
+  })
   .optional();
 
 // Read version from package.json to keep it in sync
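Review bot: The `.refine()` added to `DATE_FILTER_SCHEMA` tests whether JavaScript can parse the string, which is not the same as whether AppleScript's date coercion will accept it. `new Date()` parsing of anything other than the ISO format is implementation-defined, and Node's fallback parser is lenient (a bare `12` is, as far as I know, accepted), while AppleScript's coercion presumably follows the system's locale settings, so a value can pass here and still fail later. Since the raw string is still what goes on to AppleScript, consider parsing once here and handing the script numeric year, month and day values instead; that would also stop the script relying on the character allowlist alone. At minimum add a comment such as `// Sanity check only: JS parseability does not guarantee AppleScript accepts the string`. The schema definition starts above the hunk, and how the value is embedded in the script is not visible here.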

+ 9 - 0
src/security.test.ts

@@ -22,6 +22,9 @@ const DATE_FILTER_SCHEMA = z
     /^[a-zA-Z0-9 ,/\-:]+$/,
     "Date must contain only alphanumeric characters, spaces, commas, slashes, hyphens, and colons"
   )
+  .refine((val) => !isNaN(new Date(val).getTime()), {
+    message: "Date string must be a valid date (e.g., 'January 1, 2026' or '2026-03-15')",
+  })
   .optional();
 
 describe("MESSAGE_ID_SCHEMA", () => {
@@ -96,6 +99,12 @@ describe("DATE_FILTER_SCHEMA", () => {
   it("rejects strings with parentheses", () => {
     expect(() => DATE_FILTER_SCHEMA.parse("date(2026)")).toThrow();
   });
+
+  it("rejects non-parseable date strings", () => {
+    expect(() => DATE_FILTER_SCHEMA.parse("31")).toThrow();
+    expect(() => DATE_FILTER_SCHEMA.parse("abc")).toThrow();
+    expect(() => DATE_FILTER_SCHEMA.parse("1234567890")).toThrow();
+  });
 });
 
 describe("saveAttachment input validation", () => {
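Review bot: `src/security.test.ts` declares its own `DATE_FILTER_SCHEMA` (first hunk) and the commit adds the same `.refine()` to that copy, so these security tests exercise a duplicate rather than the schema in `src/index.ts`. If the two drift, the suite keeps passing while the production validation weakens; exporting the schema from a shared module and importing it here would close that gap. The new case in the second hunk checks only rejections; it would be worth adding `expect(DATE_FILTER_SCHEMA.parse("2026-03-15")).toBe("2026-03-15");` and the same for `January 1, 2026`, the two formats the error message promises, unless the part of the describe block outside the hunk already covers them.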