fix: harden settings backup and env warnings

Author: ndycode

lib/config.ts

@@ -645,7 +645,7 @@ function resolveBooleanSetting(
 		envValue === undefined
 	) {
 		logConfigWarnOnce(
-			`Ignoring invalid boolean env ${envName}=${JSON.stringify(rawEnvValue)}. Expected 0/1, true/false, or yes/no.`,
+			`Ignoring invalid boolean env ${envName}. Expected 0/1, true/false, or yes/no.`,
 		);
 	}
 	if (envValue !== undefined) return envValue;
@@ -677,7 +677,7 @@ function resolveNumberSetting(
 		envValue === undefined
 	) {
 		logConfigWarnOnce(
-			`Ignoring invalid numeric env ${envName}=${JSON.stringify(rawEnvValue)}. Expected a finite number.`,
+			`Ignoring invalid numeric env ${envName}. Expected a finite number.`,
 		);
 	}
 	const candidate = envValue ?? configValue ?? defaultValue;

lib/unified-settings.ts

@@ -21,7 +21,11 @@ const UNIFIED_SETTINGS_BACKUP_PATH = `${UNIFIED_SETTINGS_PATH}.bak`;
 const RETRYABLE_FS_CODES = new Set(["EBUSY", "EPERM"]);
 const TRANSIENT_READ_FS_CODES = new Set(["EBUSY", "EAGAIN"]);
 let settingsWriteQueue: Promise<void> = Promise.resolve();
-let backupDerivedReadPending = false;
+
+type SettingsReadResult = {
+	record: JsonRecord | null;
+	usedBackup: boolean;
+};
 
 function isRetryableFsError(error: unknown): boolean {
 	const code = (error as NodeJS.ErrnoException | undefined)?.code;
@@ -137,8 +141,10 @@ function shouldFallbackToSettingsBackup(
  * When the current in-memory state was recovered from backup, snapshotting is
  * skipped so a corrupt primary cannot overwrite the only known-good backup.
  */
-function trySnapshotUnifiedSettingsBackupSync(): void {
-	if (backupDerivedReadPending) {
+function trySnapshotUnifiedSettingsBackupSync(options?: {
+	skipBecauseBackupRead?: boolean;
+}): void {
+	if (options?.skipBecauseBackupRead) {
 		return;
 	}
 	if (!existsSync(UNIFIED_SETTINGS_PATH)) {
@@ -160,8 +166,10 @@ function trySnapshotUnifiedSettingsBackupSync(): void {
 /**
  * Async variant of `trySnapshotUnifiedSettingsBackupSync`.
  */
-async function trySnapshotUnifiedSettingsBackupAsync(): Promise<void> {
-	if (backupDerivedReadPending) {
+async function trySnapshotUnifiedSettingsBackupAsync(options?: {
+	skipBecauseBackupRead?: boolean;
+}): Promise<void> {
+	if (options?.skipBecauseBackupRead) {
 		return;
 	}
 	if (!existsSync(UNIFIED_SETTINGS_PATH)) {
@@ -190,26 +198,29 @@ async function trySnapshotUnifiedSettingsBackupAsync(): Promise<void> {
  * - Windows: file locking on Windows may cause reads to fail; in those cases this function returns `null`.
  * - Sensitive data: this function performs no token or secret redaction; any sensitive values present in the file are returned as-is and callers are responsible for redaction before logging or external exposure.
  */
-function readSettingsRecordSync(): JsonRecord | null {
+function readSettingsRecordSyncInternal(): SettingsReadResult {
 	const primaryExists = existsSync(UNIFIED_SETTINGS_PATH);
 	try {
 		const primaryRecord = readSettingsRecordSyncFromPath(UNIFIED_SETTINGS_PATH);
 		if (primaryRecord) {
-			return primaryRecord;
+			return { record: primaryRecord, usedBackup: false };
 		}
 	} catch (error) {
 		if (!shouldFallbackToSettingsBackup(primaryExists, error)) {
 			throw error;
 		}
 		const backupRecord = readSettingsBackupSync();
 		if (backupRecord) {
-			backupDerivedReadPending = true;
-			return backupRecord;
+			return { record: backupRecord, usedBackup: true };
 		}
 		throw error;
 	}
 
-	return null;
+	return { record: null, usedBackup: false };
+}
+
+function readSettingsRecordSync(): JsonRecord | null {
+	return readSettingsRecordSyncInternal().record;
 }
 
 /**
@@ -219,28 +230,31 @@ function readSettingsRecordSync(): JsonRecord | null {
  *
  * @returns The parsed settings record as an object clone, or `null` if unavailable or invalid.
  */
-async function readSettingsRecordAsync(): Promise<JsonRecord | null> {
+async function readSettingsRecordAsyncInternal(): Promise<SettingsReadResult> {
 	const primaryExists = existsSync(UNIFIED_SETTINGS_PATH);
 	try {
 		const primaryRecord = await readSettingsRecordAsyncFromPath(
 			UNIFIED_SETTINGS_PATH,
 		);
 		if (primaryRecord) {
-			return primaryRecord;
+			return { record: primaryRecord, usedBackup: false };
 		}
 	} catch (error) {
 		if (!shouldFallbackToSettingsBackup(primaryExists, error)) {
 			throw error;
 		}
 		const backupRecord = await readSettingsBackupAsync();
 		if (backupRecord) {
-			backupDerivedReadPending = true;
-			return backupRecord;
+			return { record: backupRecord, usedBackup: true };
 		}
 		throw error;
 	}
 
-	return null;
+	return { record: null, usedBackup: false };
+}
+
+async function readSettingsRecordAsync(): Promise<JsonRecord | null> {
+	return (await readSettingsRecordAsyncInternal()).record;
 }
 
 /**
@@ -275,20 +289,24 @@ function normalizeForWrite(record: JsonRecord): JsonRecord {
  *
  * @param record - The settings object to persist; it will be normalized to include the unified settings version.
  */
-function writeSettingsRecordSync(record: JsonRecord): void {
+function writeSettingsRecordSync(
+	record: JsonRecord,
+	options?: { skipBackupSnapshot?: boolean },
+): void {
 	mkdirSync(getCodexMultiAuthDir(), { recursive: true });
 	const payload = normalizeForWrite(record);
 	const data = `${JSON.stringify(payload, null, 2)}\n`;
 	const tempPath = `${UNIFIED_SETTINGS_PATH}.${process.pid}.${Date.now()}.tmp`;
-	trySnapshotUnifiedSettingsBackupSync();
+	trySnapshotUnifiedSettingsBackupSync({
+		skipBecauseBackupRead: options?.skipBackupSnapshot,
+	});
 	writeFileSync(tempPath, data, "utf8");
 	let moved = false;
 	try {
 		for (let attempt = 0; attempt < 5; attempt += 1) {
 			try {
 				renameSync(tempPath, UNIFIED_SETTINGS_PATH);
 				moved = true;
-				backupDerivedReadPending = false;
 				return;
 			} catch (error) {
 				if (!isRetryableFsError(error) || attempt >= 4) {
@@ -328,20 +346,24 @@ function writeSettingsRecordSync(record: JsonRecord): void {
  *
  * @param record - The settings object to persist; it will be normalized (version set)
  */
-async function writeSettingsRecordAsync(record: JsonRecord): Promise<void> {
+async function writeSettingsRecordAsync(
+	record: JsonRecord,
+	options?: { skipBackupSnapshot?: boolean },
+): Promise<void> {
 	await fs.mkdir(getCodexMultiAuthDir(), { recursive: true });
 	const payload = normalizeForWrite(record);
 	const data = `${JSON.stringify(payload, null, 2)}\n`;
 	const tempPath = `${UNIFIED_SETTINGS_PATH}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 8)}.tmp`;
-	await trySnapshotUnifiedSettingsBackupAsync();
+	await trySnapshotUnifiedSettingsBackupAsync({
+		skipBecauseBackupRead: options?.skipBackupSnapshot,
+	});
 	await fs.writeFile(tempPath, data, "utf8");
 	let moved = false;
 	try {
 		for (let attempt = 0; attempt < 5; attempt += 1) {
 			try {
 				await fs.rename(tempPath, UNIFIED_SETTINGS_PATH);
 				moved = true;
-				backupDerivedReadPending = false;
 				return;
 			} catch (error) {
 				if (!isRetryableFsError(error) || attempt >= 4) {
@@ -413,9 +435,12 @@ export function loadUnifiedPluginConfigSync(): JsonRecord | null {
  * @param pluginConfig - Key/value map representing plugin configuration to persist
  */
 export function saveUnifiedPluginConfigSync(pluginConfig: JsonRecord): void {
-	const record = readSettingsRecordSync() ?? {};
-	record.pluginConfig = { ...pluginConfig };
-	writeSettingsRecordSync(record);
+	const { record, usedBackup } = readSettingsRecordSyncInternal();
+	const nextRecord = record ?? {};
+	nextRecord.pluginConfig = { ...pluginConfig };
+	writeSettingsRecordSync(nextRecord, {
+		skipBackupSnapshot: usedBackup,
+	});
 }
 
 /**
@@ -430,9 +455,12 @@ export function saveUnifiedPluginConfigSync(pluginConfig: JsonRecord): void {
  */
 export async function saveUnifiedPluginConfig(pluginConfig: JsonRecord): Promise<void> {
 	await enqueueSettingsWrite(async () => {
-		const record = await readSettingsRecordAsync() ?? {};
-		record.pluginConfig = { ...pluginConfig };
-		await writeSettingsRecordAsync(record);
+		const { record, usedBackup } = await readSettingsRecordAsyncInternal();
+		const nextRecord = record ?? {};
+		nextRecord.pluginConfig = { ...pluginConfig };
+		await writeSettingsRecordAsync(nextRecord, {
+			skipBackupSnapshot: usedBackup,
+		});
 	});
 }
 
@@ -473,8 +501,11 @@ export async function saveUnifiedDashboardSettings(
 	dashboardDisplaySettings: JsonRecord,
 ): Promise<void> {
 	await enqueueSettingsWrite(async () => {
-		const record = await readSettingsRecordAsync() ?? {};
-		record.dashboardDisplaySettings = { ...dashboardDisplaySettings };
-		await writeSettingsRecordAsync(record);
+		const { record, usedBackup } = await readSettingsRecordAsyncInternal();
+		const nextRecord = record ?? {};
+		nextRecord.dashboardDisplaySettings = { ...dashboardDisplaySettings };
+		await writeSettingsRecordAsync(nextRecord, {
+			skipBackupSnapshot: usedBackup,
+		});
 	});
 }

test/config-save.test.ts

@@ -190,6 +190,42 @@ describe("plugin config save paths", () => {
     }
   });
 
+  it("redacts raw values from invalid numeric env override warnings", async () => {
+    process.env.CODEX_AUTH_PARALLEL_PROBING_MAX_CONCURRENCY = "secret-value";
+    vi.resetModules();
+    const logWarnMock = vi.fn();
+
+    vi.doMock("../lib/logger.js", async () => {
+      const actual =
+        await vi.importActual<typeof import("../lib/logger.js")>(
+          "../lib/logger.js",
+        );
+      return {
+        ...actual,
+        logWarn: logWarnMock,
+      };
+    });
+
+    try {
+      const { getParallelProbingMaxConcurrency } = await import(
+        "../lib/config.js"
+      );
+      expect(
+        getParallelProbingMaxConcurrency({ parallelProbingMaxConcurrency: 4 }),
+      ).toBe(4);
+      expect(logWarnMock).toHaveBeenCalledWith(
+        expect.stringContaining(
+          "Ignoring invalid numeric env CODEX_AUTH_PARALLEL_PROBING_MAX_CONCURRENCY.",
+        ),
+      );
+      expect(logWarnMock).not.toHaveBeenCalledWith(
+        expect.stringContaining("secret-value"),
+      );
+    } finally {
+      vi.doUnmock("../lib/logger.js");
+    }
+  });
+
   it("normalizes fallback chain and drops invalid entries", async () => {
     const { getUnsupportedCodexFallbackChain } =
       await import("../lib/config.js");