fix: harden config validation and settings recovery

Author: ndycode

lib/config.ts

@@ -199,6 +199,11 @@ export const DEFAULT_PLUGIN_CONFIG: PluginConfig = {
 	preemptiveQuotaMaxDeferralMs: 2 * 60 * 60_000,
 };
 
+const PLUGIN_CONFIG_FIELD_SCHEMAS = PluginConfigSchema.shape;
+const PLUGIN_CONFIG_KEYS = Object.keys(DEFAULT_PLUGIN_CONFIG) as Array<
+	keyof PluginConfig
+>;
+
 /**
  * Return a shallow copy of the default plugin configuration.
  *
@@ -238,6 +243,10 @@ export function loadPluginConfig(): PluginConfig {
 			sourceKind = "file";
 		}
 
+		const normalizedUserConfig = sanitizePluginConfigRecord(userConfig, {
+			warnOnInvalid: true,
+		});
+
 		const hasFallbackEnvOverride =
 			process.env.CODEX_AUTH_FALLBACK_UNSUPPORTED_MODEL !== undefined ||
 			process.env.CODEX_AUTH_FALLBACK_GPT53_TO_GPT52 !== undefined;
@@ -255,16 +264,9 @@ export function loadPluginConfig(): PluginConfig {
 			}
 		}
 
-		const schemaErrors = getValidationErrors(PluginConfigSchema, userConfig);
-		if (schemaErrors.length > 0) {
-			logConfigWarnOnce(
-				`Plugin config validation warnings: ${schemaErrors.slice(0, 3).join(", ")}`,
-			);
-		}
-
 		if (
 			sourceKind === "file" &&
-			isRecord(userConfig) &&
+			normalizedUserConfig !== null &&
 			(process.env.CODEX_MULTI_AUTH_CONFIG_PATH ?? "").trim().length === 0
 		) {
 			logConfigWarnOnce(
@@ -274,7 +276,7 @@ export function loadPluginConfig(): PluginConfig {
 
 		return {
 			...DEFAULT_PLUGIN_CONFIG,
-			...(userConfig as Partial<PluginConfig>),
+			...(normalizedUserConfig ?? {}),
 		};
 	} catch (error) {
 		const configPath = resolvePluginConfigPath() ?? CONFIG_PATH;
@@ -285,6 +287,62 @@ export function loadPluginConfig(): PluginConfig {
 	}
 }
 
+function sanitizePluginConfigRecord(
+	data: unknown,
+	options?: { warnOnInvalid?: boolean },
+): Partial<PluginConfig> | null {
+	if (!isRecord(data)) {
+		return null;
+	}
+
+	if (options?.warnOnInvalid) {
+		const schemaErrors = getValidationErrors(PluginConfigSchema, data);
+		if (schemaErrors.length > 0) {
+			logConfigWarnOnce(
+				`Plugin config validation warnings: ${schemaErrors.slice(0, 3).join(", ")}`,
+			);
+		}
+	}
+
+	const sanitized: Record<string, unknown> = {};
+	for (const key of PLUGIN_CONFIG_KEYS) {
+		const value = data[key];
+		if (value === undefined) {
+			continue;
+		}
+		const schema = PLUGIN_CONFIG_FIELD_SCHEMAS[key];
+		const result = schema.safeParse(value);
+		if (result.success) {
+			sanitized[String(key)] = result.data;
+		}
+	}
+
+	return sanitized as Partial<PluginConfig>;
+}
+
+function sanitizeStoredPluginConfigRecord(
+	data: unknown,
+): Record<string, unknown> {
+	if (!isRecord(data)) {
+		return {};
+	}
+
+	const sanitized: Record<string, unknown> = {};
+	for (const [key, value] of Object.entries(data)) {
+		if (!PLUGIN_CONFIG_KEYS.includes(key as keyof PluginConfig)) {
+			sanitized[key] = value;
+			continue;
+		}
+		const schema = PLUGIN_CONFIG_FIELD_SCHEMAS[key as keyof PluginConfig];
+		const result = schema.safeParse(value);
+		if (result.success) {
+			sanitized[key] = result.data;
+		}
+	}
+
+	return sanitized;
+}
+
 /**
  * Remove a leading UTF‑8 byte order mark (BOM) from the given string if present.
  *
@@ -443,7 +501,8 @@ function resolveStoredPluginConfigRecord(): {
 function sanitizePluginConfigForSave(
 	config: Partial<PluginConfig>,
 ): Record<string, unknown> {
-	const entries = Object.entries(config as Record<string, unknown>);
+	const normalized = sanitizePluginConfigRecord(config as Record<string, unknown>);
+	const entries = Object.entries((normalized ?? {}) as Record<string, unknown>);
 	const sanitized: Record<string, unknown> = {};
 	for (const [key, value] of entries) {
 		if (value === undefined) continue;
@@ -478,8 +537,11 @@ export async function savePluginConfig(
 
 	if (envPath.length > 0) {
 		await withConfigSaveLock(envPath, async () => {
+			const existingConfig = sanitizeStoredPluginConfigRecord(
+				readConfigRecordFromPath(envPath),
+			);
 			const merged = {
-				...(readConfigRecordFromPath(envPath) ?? {}),
+				...(existingConfig ?? {}),
 				...sanitizedPatch,
 			};
 			await writeJsonFileAtomicWithRetry(envPath, merged);
@@ -489,11 +551,16 @@ export async function savePluginConfig(
 
 	const unifiedPath = getUnifiedSettingsPath();
 	await withConfigSaveLock(unifiedPath, async () => {
-		const unifiedConfig = loadUnifiedPluginConfigSync();
+		const unifiedConfig = sanitizeStoredPluginConfigRecord(
+			loadUnifiedPluginConfigSync(),
+		);
 		const legacyPath = unifiedConfig ? null : resolvePluginConfigPath();
+		const legacyConfig = legacyPath
+			? sanitizeStoredPluginConfigRecord(readConfigRecordFromPath(legacyPath))
+			: null;
 		const merged = {
 			...(unifiedConfig ??
-				(legacyPath ? readConfigRecordFromPath(legacyPath) : null) ??
+				legacyConfig ??
 				{}),
 			...sanitizedPatch,
 		};
@@ -510,12 +577,30 @@ export async function savePluginConfig(
  */
 function parseBooleanEnv(value: string | undefined): boolean | undefined {
 	if (value === undefined) return undefined;
-	return value === "1";
+	const normalized = value.trim().toLowerCase();
+	if (normalized.length === 0) return undefined;
+	if (
+		normalized === "1" ||
+		normalized === "true" ||
+		normalized === "yes"
+	) {
+		return true;
+	}
+	if (
+		normalized === "0" ||
+		normalized === "false" ||
+		normalized === "no"
+	) {
+		return false;
+	}
+	return undefined;
 }
 
 function parseNumberEnv(value: string | undefined): number | undefined {
 	if (value === undefined) return undefined;
-	const parsed = Number(value);
+	const trimmed = value.trim();
+	if (trimmed.length === 0) return undefined;
+	const parsed = Number(trimmed);
 	if (!Number.isFinite(parsed)) return undefined;
 	return parsed;
 }
@@ -544,7 +629,13 @@ function resolveBooleanSetting(
 	configValue: boolean | undefined,
 	defaultValue: boolean,
 ): boolean {
-	const envValue = parseBooleanEnv(process.env[envName]);
+	const rawEnvValue = process.env[envName];
+	const envValue = parseBooleanEnv(rawEnvValue);
+	if (rawEnvValue !== undefined && envValue === undefined) {
+		logConfigWarnOnce(
+			`Ignoring invalid boolean env ${envName}=${JSON.stringify(rawEnvValue)}. Expected 0/1, true/false, or yes/no.`,
+		);
+	}
 	if (envValue !== undefined) return envValue;
 	return configValue ?? defaultValue;
 }
@@ -566,7 +657,13 @@ function resolveNumberSetting(
 	defaultValue: number,
 	options?: { min?: number; max?: number },
 ): number {
-	const envValue = parseNumberEnv(process.env[envName]);
+	const rawEnvValue = process.env[envName];
+	const envValue = parseNumberEnv(rawEnvValue);
+	if (rawEnvValue !== undefined && envValue === undefined) {
+		logConfigWarnOnce(
+			`Ignoring invalid numeric env ${envName}=${JSON.stringify(rawEnvValue)}. Expected a finite number.`,
+		);
+	}
 	const candidate = envValue ?? configValue ?? defaultValue;
 	const min = options?.min ?? Number.NEGATIVE_INFINITY;
 	const max = options?.max ?? Number.POSITIVE_INFINITY;

lib/unified-settings.ts

@@ -1,4 +1,5 @@
 import {
+	copyFileSync,
 	existsSync,
 	mkdirSync,
 	renameSync,
@@ -16,6 +17,7 @@ type JsonRecord = Record<string, unknown>;
 export const UNIFIED_SETTINGS_VERSION = 1 as const;
 
 const UNIFIED_SETTINGS_PATH = join(getCodexMultiAuthDir(), "settings.json");
+const UNIFIED_SETTINGS_BACKUP_PATH = `${UNIFIED_SETTINGS_PATH}.bak`;
 const RETRYABLE_FS_CODES = new Set(["EBUSY", "EPERM"]);
 let settingsWriteQueue: Promise<void> = Promise.resolve();
 
@@ -45,6 +47,64 @@ function cloneRecord(value: unknown): JsonRecord | null {
 	return { ...value };
 }
 
+function parseSettingsRecord(content: string): JsonRecord {
+	const parsed = cloneRecord(JSON.parse(content));
+	if (!parsed) {
+		throw new Error("Unified settings must contain a JSON object at the root.");
+	}
+	return parsed;
+}
+
+function readSettingsRecordSyncFromPath(filePath: string): JsonRecord | null {
+	if (!existsSync(filePath)) {
+		return null;
+	}
+	return parseSettingsRecord(readFileSync(filePath, "utf8"));
+}
+
+async function readSettingsRecordAsyncFromPath(
+	filePath: string,
+): Promise<JsonRecord | null> {
+	if (!existsSync(filePath)) {
+		return null;
+	}
+	return parseSettingsRecord(await fs.readFile(filePath, "utf8"));
+}
+
+function trySnapshotUnifiedSettingsBackupSync(): void {
+	if (!existsSync(UNIFIED_SETTINGS_PATH)) {
+		return;
+	}
+	for (let attempt = 0; attempt < 5; attempt += 1) {
+		try {
+			copyFileSync(UNIFIED_SETTINGS_PATH, UNIFIED_SETTINGS_BACKUP_PATH);
+			return;
+		} catch (error) {
+			if (!isRetryableFsError(error) || attempt >= 4) {
+				return;
+			}
+			Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, 10 * 2 ** attempt);
+		}
+	}
+}
+
+async function trySnapshotUnifiedSettingsBackupAsync(): Promise<void> {
+	if (!existsSync(UNIFIED_SETTINGS_PATH)) {
+		return;
+	}
+	for (let attempt = 0; attempt < 5; attempt += 1) {
+		try {
+			await fs.copyFile(UNIFIED_SETTINGS_PATH, UNIFIED_SETTINGS_BACKUP_PATH);
+			return;
+		} catch (error) {
+			if (!isRetryableFsError(error) || attempt >= 4) {
+				return;
+			}
+			await sleep(10 * 2 ** attempt);
+		}
+	}
+}
+
 /**
  * Reads and parses the unified settings JSON file from disk.
  *
@@ -56,16 +116,22 @@ function cloneRecord(value: unknown): JsonRecord | null {
  * - Sensitive data: this function performs no token or secret redaction; any sensitive values present in the file are returned as-is and callers are responsible for redaction before logging or external exposure.
  */
 function readSettingsRecordSync(): JsonRecord | null {
-	if (!existsSync(UNIFIED_SETTINGS_PATH)) {
-		return null;
+	try {
+		const primaryRecord = readSettingsRecordSyncFromPath(UNIFIED_SETTINGS_PATH);
+		if (primaryRecord) {
+			return primaryRecord;
+		}
+	} catch (error) {
+		const backupRecord = readSettingsRecordSyncFromPath(
+			UNIFIED_SETTINGS_BACKUP_PATH,
+		);
+		if (backupRecord) {
+			return backupRecord;
+		}
+		throw error;
 	}
 
-	const raw = readFileSync(UNIFIED_SETTINGS_PATH, "utf8");
-	const parsed = cloneRecord(JSON.parse(raw));
-	if (!parsed) {
-		throw new Error("Unified settings must contain a JSON object at the root.");
-	}
-	return parsed;
+	return readSettingsRecordSyncFromPath(UNIFIED_SETTINGS_BACKUP_PATH);
 }
 
 /**
@@ -76,16 +142,24 @@ function readSettingsRecordSync(): JsonRecord | null {
  * @returns The parsed settings record as an object clone, or `null` if unavailable or invalid.
  */
 async function readSettingsRecordAsync(): Promise<JsonRecord | null> {
-	if (!existsSync(UNIFIED_SETTINGS_PATH)) {
-		return null;
+	try {
+		const primaryRecord = await readSettingsRecordAsyncFromPath(
+			UNIFIED_SETTINGS_PATH,
+		);
+		if (primaryRecord) {
+			return primaryRecord;
+		}
+	} catch (error) {
+		const backupRecord = await readSettingsRecordAsyncFromPath(
+			UNIFIED_SETTINGS_BACKUP_PATH,
+		);
+		if (backupRecord) {
+			return backupRecord;
+		}
+		throw error;
 	}
 
-	const raw = await fs.readFile(UNIFIED_SETTINGS_PATH, "utf8");
-	const parsed = cloneRecord(JSON.parse(raw));
-	if (!parsed) {
-		throw new Error("Unified settings must contain a JSON object at the root.");
-	}
-	return parsed;
+	return readSettingsRecordAsyncFromPath(UNIFIED_SETTINGS_BACKUP_PATH);
 }
 
 /**
@@ -125,6 +199,7 @@ function writeSettingsRecordSync(record: JsonRecord): void {
 	const payload = normalizeForWrite(record);
 	const data = `${JSON.stringify(payload, null, 2)}\n`;
 	const tempPath = `${UNIFIED_SETTINGS_PATH}.${process.pid}.${Date.now()}.tmp`;
+	trySnapshotUnifiedSettingsBackupSync();
 	writeFileSync(tempPath, data, "utf8");
 	let moved = false;
 	try {
@@ -176,6 +251,7 @@ async function writeSettingsRecordAsync(record: JsonRecord): Promise<void> {
 	const payload = normalizeForWrite(record);
 	const data = `${JSON.stringify(payload, null, 2)}\n`;
 	const tempPath = `${UNIFIED_SETTINGS_PATH}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 8)}.tmp`;
+	await trySnapshotUnifiedSettingsBackupAsync();
 	await fs.writeFile(tempPath, data, "utf8");
 	let moved = false;
 	try {

test/config-save.test.ts

@@ -135,11 +135,11 @@ describe("plugin config save paths", () => {
       parallelProbingMaxConcurrency: 7,
     });
 
-    const loaded = loadPluginConfig();
-    expect(loaded.codexMode).toBe(false);
-    expect(loaded.parallelProbing).toBe(true);
-    expect(loaded.parallelProbingMaxConcurrency).toBe(7);
-  });
+		const loaded = loadPluginConfig();
+		expect(loaded.codexMode).toBe(false);
+		expect(loaded.parallelProbing).toBe(true);
+		expect(loaded.parallelProbingMaxConcurrency).toBe(2);
+	});
 
   it("resolves parallel probing settings and clamps concurrency", async () => {
     const { getParallelProbing, getParallelProbingMaxConcurrency } =