Skip to content

config tiers: input-validation + cache-invalidation gaps (NaN pass-through, parse-failure caching) — from #368 split #501

Description

@griffinwork40

Input-validation and cache-invalidation gaps surfaced (report-only, not fixed) during the #368 config.ts tier split (PR #493). All predate the split — verbatim. Part of #360.

  1. NaN pass-through (config/env-tier.ts:186,190): AFK_MAX_TOKENS=abc / AFK_TEMPERATURE=abc yield NaN via parseInt/parseFloat with no validation; NaN flows into CliConfig.maxTokens/temperature and wins the merge over defaults.
  2. loadJsonConfig parse-failure fall-through caches the wrong tier permanently (config/json-tier.ts:273-279): a malformed cwd afk.config.json falls through to the user-global file and memoizes THAT — a later fix to the cwd file is invisible until _resetConfigCache()/process restart.
  3. json.systemPrompt truthiness check (config/json-tier.ts:102): uses if (json.systemPrompt) not a typeof guard like its siblings, so a non-string truthy value ({"systemPrompt": 5}) is assigned unvalidated.
  4. _resetConfigCache clears envConfigCache but not the dotenv-loaded flag (facade config.ts:67): after reset, loadEnvConfig re-reads process.env but never re-reads .env files — tests writing new .env fixtures between cases can be silently ignored. (Intentional per comment, but a footgun.)
  5. importFrom cwd-exclusion compares by exact string path (config/json-tier.ts:217): a symlinked/case-variant cwd defeats the project-local exclusion. Defense-in-depth only (real gate is loadImportFromConfig).

Source: PR #493 "Suspected findings."

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions