AntFleet

Receipt · d9ae4fa5-1

Budget config and record/restore accept invalid values leading to NaN/Infinity and inconsistent state

api-contract · medium
repo 56f59a0d · PR #3 · reviewed 4 days ago

The finding

  • src/budget.ts:58-68
  • src/budget.ts:90-95
  • src/budget.ts:70-75
  • src/budget.ts:77-82
  • src/budget.ts:131-144

No validation prevents zero, negative, or NaN values for maxTokens, maxTurns, or costs. Division by zero yields Infinity; NaN inputs propagate through percentages and costs; negative tokens or costs produce nonsensical snapshots. record/restore also accept negative or NaN values, which allows inconsistent internal state.

Fix

Validate and clamp config: require maxTokens/maxTurns > 0; clamp warnAtPercent to [0,100]; require costs >= 0. In record/restore, coerce inputs to non-negative finite numbers and reject/throw on invalid values.
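
One way the fix above could look, as an added example that is not the code in src/budget.ts. Only maxTokens, maxTurns and warnAtPercent are named in the finding; costPerToken, the Budget class shape and every function name here are assumptions.

```typescript
// Added example. costPerToken and all function/class names are hypothetical;
// maxTokens, maxTurns and warnAtPercent come from the finding.
interface BudgetConfig {
  maxTokens: number;
  maxTurns: number;
  warnAtPercent: number;
  costPerToken: number; // hypothetical cost field
}

// Rejects NaN, +/-Infinity and non-numbers, then enforces the lower bound.
function finiteAtLeast(name: string, value: unknown, min: number, strict = false): number {
  if (typeof value !== "number" || !Number.isFinite(value)) {
    throw new RangeError(`${name} must be a finite number`);
  }
  if (strict ? value <= min : value < min) {
    throw new RangeError(`${name} must be ${strict ? ">" : ">="} ${min}`);
  }
  return value;
}

function validateConfig(cfg: BudgetConfig): BudgetConfig {
  // Finite check first: Math.min/Math.max would pass NaN straight through.
  const warn = finiteAtLeast("warnAtPercent", cfg.warnAtPercent, -Number.MAX_VALUE);
  return {
    maxTokens: finiteAtLeast("maxTokens", cfg.maxTokens, 0, true),
    maxTurns: finiteAtLeast("maxTurns", cfg.maxTurns, 0, true),
    warnAtPercent: Math.min(100, Math.max(0, warn)), // clamp to [0, 100]
    costPerToken: finiteAtLeast("costPerToken", cfg.costPerToken, 0),
  };
}

// The bare calculation: Infinity for x/0, NaN for 0/0 when inputs are unchecked.
function uncheckedPercent(usedTokens: number, maxTokens: number): number {
  return (usedTokens / maxTokens) * 100;
}

class Budget {
  private readonly cfg: BudgetConfig;
  private usedTokens = 0;
  constructor(cfg: BudgetConfig) { this.cfg = validateConfig(cfg); }
  // Validation throws before the assignment, so a rejected call leaves state unchanged.
  record(tokens: number): void { this.usedTokens += finiteAtLeast("tokens", tokens, 0); }
  restore(usedTokens: number): void { this.usedTokens = finiteAtLeast("usedTokens", usedTokens, 0); }
  snapshot() {
    const percent = uncheckedPercent(this.usedTokens, this.cfg.maxTokens); // safe: maxTokens > 0
    return { usedTokens: this.usedTokens, percent, cost: this.usedTokens * this.cfg.costPerToken, warn: percent >= this.cfg.warnAtPercent };
  }
}
```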

Agent attribution

The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.

anthropic

gpt-5

108.7s · error

openai

claude-opus-4-7

132.8s · error

Total

wall-clock review time · est. inference cost

132.8s · $0.40

Sweeper

closed at SHA

still open

internal review id · d9ae4fa5

Third-party witnesses

Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.