fix(cli): reject loose numeric options

steipete · steipete · commit c95d348bb5ef · 2026-05-27T03:52:40.000-04:00
diff --git a/src/cli/capability-cli.test.ts b/src/cli/capability-cli.test.ts
@@ -1896,6 +1896,28 @@ describe("capability cli", () => {
     expectRuntimeErrorContains("Video asset at index 0 has neither buffer nor url");
   });
 
+  it("rejects partial image generate count before provider dispatch", async () => {
+    await expect(
+      runRegisteredCli({
+        register: registerCapabilityCli as (program: Command) => void,
+        argv: ["capability", "image", "generate", "--prompt", "portrait", "--count", "2x"],
+      }),
+    ).rejects.toThrow("exit 1");
+    expectRuntimeErrorContains("--count must be a positive integer");
+    expect(mocks.generateImage).not.toHaveBeenCalled();
+  });
+
+  it("rejects partial image generate timeout before provider dispatch", async () => {
+    await expect(
+      runRegisteredCli({
+        register: registerCapabilityCli as (program: Command) => void,
+        argv: ["capability", "image", "generate", "--prompt", "portrait", "--timeout-ms", "1000ms"],
+      }),
+    ).rejects.toThrow("exit 1");
+    expectRuntimeErrorContains("--timeout-ms must be a finite number");
+    expect(mocks.generateImage).not.toHaveBeenCalled();
+  });
+
   it("routes audio transcribe through transcription, not realtime", async () => {
     await runRegisteredCli({
       register: registerCapabilityCli as (program: Command) => void,
@@ -2475,6 +2497,19 @@ describe("capability cli", () => {
     );
   });
 
+  it("rejects partial web search limit before provider dispatch", async () => {
+    const webSearchRuntime = await import("../web-search/runtime.js");
+    vi.mocked(webSearchRuntime.runWebSearch).mockClear();
+    await expect(
+      runRegisteredCli({
+        register: registerCapabilityCli as (program: Command) => void,
+        argv: ["capability", "web", "search", "--query", "ping", "--limit", "3x"],
+      }),
+    ).rejects.toThrow("exit 1");
+    expectRuntimeErrorContains("--limit must be a positive integer");
+    expect(webSearchRuntime.runWebSearch).not.toHaveBeenCalled();
+  });
+
   it("uses the infer web search provider override when resolving SecretRefs", async () => {
     const unresolvedConfig = {
       tools: { web: { search: { provider: "exa", enabled: true } } },
diff --git a/src/cli/capability-cli.ts b/src/cli/capability-cli.ts
@@ -38,6 +38,10 @@ import type {
   ImageGenerationBackground,
   ImageGenerationOutputFormat,
 } from "../image-generation/types.js";
+import {
+  parseStrictFiniteNumber,
+  parseStrictPositiveInteger,
+} from "../infra/parse-finite-number.js";
 import { buildMediaUnderstandingRegistry } from "../media-understanding/provider-registry.js";
 import type { RunMediaUnderstandingFileResult } from "../media-understanding/runtime-types.js";
 import {
@@ -1156,13 +1160,24 @@ function parseOptionalFiniteNumber(
   if (raw === undefined || (typeof raw === "string" && raw.trim() === "")) {
     return undefined;
   }
-  const value = Number(raw);
-  if (!Number.isFinite(value)) {
+  const value = parseStrictFiniteNumber(raw);
+  if (value === undefined) {
     throw new Error(`${label} must be a finite number`);
   }
   return value;
 }
 
+function parseOptionalPositiveInteger(raw: unknown, label: string): number | undefined {
+  if (raw === undefined || (typeof raw === "string" && raw.trim() === "")) {
+    return undefined;
+  }
+  const value = parseStrictPositiveInteger(raw);
+  if (value === undefined) {
+    throw new Error(`${label} must be a positive integer`);
+  }
+  return value;
+}
+
 function normalizeImageOutputFormat(
   raw: string | undefined,
 ): ImageGenerationOutputFormat | undefined {
@@ -1933,7 +1948,7 @@ export function registerCapabilityCli(program: Command) {
           capability: "image.generate",
           prompt: String(opts.prompt),
           model: opts.model as string | undefined,
-          count: opts.count ? Number.parseInt(String(opts.count), 10) : undefined,
+          count: parseOptionalPositiveInteger(opts.count, "--count"),
           size: opts.size as string | undefined,
           aspectRatio: opts.aspectRatio as string | undefined,
           resolution: opts.resolution as "1K" | "2K" | "4K" | undefined,
@@ -2410,7 +2425,7 @@ export function registerCapabilityCli(program: Command) {
         const result = await runWebSearchCommand({
           query: String(opts.query),
           provider: opts.provider as string | undefined,
-          limit: opts.limit ? Number.parseInt(String(opts.limit), 10) : undefined,
+          limit: parseOptionalPositiveInteger(opts.limit, "--limit"),
         });
         emitJsonOrText(defaultRuntime, Boolean(opts.json), result, formatEnvelopeForText);
       });
diff --git a/src/cli/cron-cli.test.ts b/src/cli/cron-cli.test.ts
@@ -594,6 +594,16 @@ describe("cron cli", () => {
     expect(stdoutText()).toContain('"id": "job-1"');
   });
 
+  it("rejects partial cron runs limit", async () => {
+    await expectCronCommandExit(["cron", "runs", "--id", "job-1", "--limit", "10x"]);
+    expectRuntimeErrorContaining("Invalid --limit");
+    expect(callGatewayFromCli).not.toHaveBeenCalledWith(
+      "cron.runs",
+      expect.anything(),
+      expect.anything(),
+    );
+  });
+
   it("paginates cron show lookups", async () => {
     resetGatewayMock();
     callGatewayFromCli.mockImplementation(
@@ -1352,6 +1362,16 @@ describe("cron cli", () => {
     expect(patch?.patch?.failureAlert?.to).toBe("19098680");
   });
 
+  it("rejects partial failure alert threshold on cron edit", async () => {
+    await expectCronCommandExit(["cron", "edit", "job-1", "--failure-alert-after", "3x"]);
+    expectRuntimeErrorContaining("Invalid --failure-alert-after");
+    expect(callGatewayFromCli).not.toHaveBeenCalledWith(
+      "cron.update",
+      expect.anything(),
+      expect.anything(),
+    );
+  });
+
   it("supports --no-failure-alert on cron edit", async () => {
     callGatewayFromCli.mockClear();
 
diff --git a/src/cli/cron-cli/register.cron-edit.ts b/src/cli/cron-cli/register.cron-edit.ts
@@ -1,6 +1,7 @@
 import type { Command } from "commander";
 import type { CronJob } from "../../cron/types.js";
 import { danger } from "../../globals.js";
+import { parseStrictPositiveInteger } from "../../infra/parse-finite-number.js";
 import { sanitizeAgentId } from "../../routing/session-key.js";
 import { defaultRuntime } from "../../runtime.js";
 import {
@@ -363,8 +364,8 @@ export function registerCronEditCommand(cron: Command) {
           } else if (failureAlertFlag === true || hasFailureAlertFields) {
             const failureAlert: Record<string, unknown> = {};
             if (hasFailureAlertAfter) {
-              const after = Number.parseInt(String(opts.failureAlertAfter), 10);
-              if (!Number.isFinite(after) || after <= 0) {
+              const after = parseStrictPositiveInteger(opts.failureAlertAfter);
+              if (after === undefined) {
                 throw new Error("Invalid --failure-alert-after (must be a positive integer).");
               }
               failureAlert.after = after;
diff --git a/src/cli/cron-cli/register.cron-simple.ts b/src/cli/cron-cli/register.cron-simple.ts
@@ -1,5 +1,6 @@
 import type { Command } from "commander";
 import type { CronDeliveryPreview, CronJob } from "../../cron/types.js";
+import { parseStrictPositiveInteger } from "../../infra/parse-finite-number.js";
 import { defaultRuntime } from "../../runtime.js";
 import { normalizeLowercaseStringOrEmpty } from "../../shared/string-coerce.js";
 import type { GatewayRpcOpts } from "../gateway-rpc.js";
@@ -225,8 +226,10 @@ export function registerCronSimpleCommands(cron: Command) {
       .option("--limit <n>", "Max entries (default 50)", "50")
       .action(async (opts) => {
         try {
-          const limitRaw = Number.parseInt(String(opts.limit ?? "50"), 10);
-          const limit = Number.isFinite(limitRaw) && limitRaw > 0 ? limitRaw : 50;
+          const limit = parseStrictPositiveInteger(opts.limit ?? "50");
+          if (limit === undefined) {
+            throw new Error("Invalid --limit (must be a positive integer).");
+          }
           const id = String(opts.id);
           const res = await callGatewayFromCli("cron.runs", opts, {
             id,
diff --git a/src/cli/nodes-cli.coverage.test.ts b/src/cli/nodes-cli.coverage.test.ts
@@ -212,6 +212,14 @@ describe("nodes-cli coverage", () => {
       args: ["nodes", "camera", "snap", "--node", "mac-1", "--invoke-timeout", "20s"],
       flag: "--invoke-timeout",
     },
+    {
+      args: ["nodes", "camera", "snap", "--node", "mac-1", "--quality", "0.8jpg"],
+      flag: "--quality",
+    },
+    {
+      args: ["nodes", "camera", "snap", "--node", "mac-1", "--quality", "1.1"],
+      flag: "--quality",
+    },
     {
       args: ["nodes", "camera", "clip", "--node", "mac-1", "--invoke-timeout", "90s"],
       flag: "--invoke-timeout",
@@ -224,6 +232,14 @@ describe("nodes-cli coverage", () => {
       args: ["nodes", "screen", "record", "--node", "mac-1", "--invoke-timeout", "120s"],
       flag: "--invoke-timeout",
     },
+    {
+      args: ["nodes", "screen", "record", "--node", "mac-1", "--fps", "10fps"],
+      flag: "--fps",
+    },
+    {
+      args: ["nodes", "screen", "record", "--node", "mac-1", "--fps", "0"],
+      flag: "--fps",
+    },
     {
       args: ["nodes", "notify", "--node", "mac-1", "--title", "Ping", "--invoke-timeout", "15s"],
       flag: "--invoke-timeout",
diff --git a/src/cli/nodes-cli/register.camera.ts b/src/cli/nodes-cli/register.camera.ts
@@ -20,6 +20,7 @@ import {
   buildNodeInvokeParams,
   callGatewayCli,
   nodesCallOpts,
+  parseOptionalNodeFiniteNumber,
   parseOptionalNodeNonNegativeInteger,
   parseOptionalNodePositiveInteger,
   resolveNode,
@@ -134,7 +135,10 @@ export function registerNodesCameraCommands(nodes: Command) {
                   })();
 
           const maxWidth = parseOptionalNodePositiveInteger(opts.maxWidth, "--max-width");
-          const quality = opts.quality ? Number.parseFloat(opts.quality) : undefined;
+          const quality = parseOptionalNodeFiniteNumber(opts.quality, "--quality", {
+            minInclusive: 0,
+            maxInclusive: 1,
+          });
           const delayMs = parseOptionalNodeNonNegativeInteger(opts.delayMs, "--delay-ms");
           const deviceId = normalizeOptionalString(opts.deviceId);
           if (deviceId && facings.length > 1) {
diff --git a/src/cli/nodes-cli/register.screen.ts b/src/cli/nodes-cli/register.screen.ts
@@ -12,6 +12,7 @@ import {
   buildNodeInvokeParams,
   callGatewayCli,
   nodesCallOpts,
+  parseOptionalNodeFiniteNumber,
   parseOptionalNodeNonNegativeInteger,
   parseOptionalNodePositiveInteger,
   resolveNodeId,
@@ -39,7 +40,9 @@ export function registerNodesScreenCommands(nodes: Command) {
           const nodeId = await resolveNodeId(opts, opts.node ?? "");
           const durationMs = parseDurationMs(opts.duration ?? "");
           const screenIndex = parseOptionalNodeNonNegativeInteger(opts.screen ?? "0", "--screen");
-          const fps = Number.parseFloat(opts.fps ?? "10");
+          const fps = parseOptionalNodeFiniteNumber(opts.fps ?? "10", "--fps", {
+            minExclusive: 0,
+          });
           const timeoutMs = parseOptionalNodePositiveInteger(
             opts.invokeTimeout,
             "--invoke-timeout",
diff --git a/src/cli/nodes-cli/rpc.ts b/src/cli/nodes-cli/rpc.ts
@@ -2,6 +2,7 @@ import { randomUUID } from "node:crypto";
 import type { Command } from "commander";
 import type { OperatorScope } from "../../gateway/method-scopes.js";
 import {
+  parseStrictFiniteNumber,
   parseStrictNonNegativeInteger,
   parseStrictPositiveInteger,
 } from "../../infra/parse-finite-number.js";
@@ -96,6 +97,34 @@ export function parseOptionalNodeNonNegativeInteger(
   return parsed;
 }
 
+export function parseOptionalNodeFiniteNumber(
+  value: unknown,
+  flag: string,
+  bounds?: {
+    minExclusive?: number;
+    minInclusive?: number;
+    maxInclusive?: number;
+  },
+): number | undefined {
+  if (!hasOptionalValue(value)) {
+    return undefined;
+  }
+  const parsed = parseStrictFiniteNumber(value);
+  if (parsed === undefined) {
+    throw new Error(`${flag} must be a finite number.`);
+  }
+  if (bounds?.minExclusive !== undefined && parsed <= bounds.minExclusive) {
+    throw new Error(`${flag} must be greater than ${bounds.minExclusive}.`);
+  }
+  if (bounds?.minInclusive !== undefined && parsed < bounds.minInclusive) {
+    throw new Error(`${flag} must be at least ${bounds.minInclusive}.`);
+  }
+  if (bounds?.maxInclusive !== undefined && parsed > bounds.maxInclusive) {
+    throw new Error(`${flag} must be at most ${bounds.maxInclusive}.`);
+  }
+  return parsed;
+}
+
 export function unauthorizedHintForMessage(message: string): string | null {
   const haystack = normalizeLowercaseStringOrEmpty(message);
   if (
diff --git a/src/cli/program.smoke.test.ts b/src/cli/program.smoke.test.ts
@@ -87,6 +87,14 @@ describe("cli program (smoke)", () => {
     expect(options?.timeoutMs).toBeUndefined();
   });
 
+  it("rejects partial tui history limits", async () => {
+    await expect(runProgram(["tui", "--history-limit", "10x"])).rejects.toThrow("exit");
+    expect(runtime.error).toHaveBeenCalledWith(
+      "Error: --history-limit must be a positive integer.",
+    );
+    expect(runTui).not.toHaveBeenCalled();
+  });
+
   it("runs setup wizard when wizard flags are present", async () => {
     await runProgram(["setup", "--remote-url", "ws://example"]);
 
diff --git a/src/cli/tui-cli.ts b/src/cli/tui-cli.ts
@@ -1,4 +1,5 @@
 import type { Command } from "commander";
+import { parseStrictPositiveInteger } from "../infra/parse-finite-number.js";
 import { defaultRuntime } from "../runtime.js";
 import { formatDocsLink } from "../terminal/links.js";
 import { theme } from "../terminal/theme.js";
@@ -41,7 +42,10 @@ export function registerTuiCli(program: Command) {
             `warning: invalid --timeout-ms "${String(opts.timeoutMs)}"; ignoring`,
           );
         }
-        const historyLimit = Number.parseInt(String(opts.historyLimit ?? "200"), 10);
+        const historyLimit = parseStrictPositiveInteger(opts.historyLimit ?? "200");
+        if (historyLimit === undefined) {
+          throw new Error("--history-limit must be a positive integer.");
+        }
         const { runTui } = await import("../tui/tui.js");
         await runTui({
           local: isLocal,
@@ -53,7 +57,7 @@ export function registerTuiCli(program: Command) {
           thinking: opts.thinking as string | undefined,
           message: opts.message as string | undefined,
           timeoutMs,
-          historyLimit: Number.isNaN(historyLimit) ? undefined : historyLimit,
+          historyLimit,
           forceProcessExitOnReturn: true,
         });
       } catch (err) {
diff --git a/src/commands/agent-via-gateway.test.ts b/src/commands/agent-via-gateway.test.ts
@@ -215,6 +215,15 @@ describe("agentCliCommand", () => {
     });
   });
 
+  it("rejects partial gateway timeout values", async () => {
+    await withTempStore(async () => {
+      await expect(
+        agentCliCommand({ message: "hi", to: "+1555", timeout: "10s" }, runtime),
+      ).rejects.toThrow("Invalid --timeout");
+      expect(callGateway).not.toHaveBeenCalled();
+    });
+  });
+
   it("uses gateway by default", async () => {
     await withTempStore(async () => {
       mockGatewaySuccessReply();
diff --git a/src/commands/agent-via-gateway.ts b/src/commands/agent-via-gateway.ts
@@ -14,6 +14,7 @@ import {
 } from "../gateway/call.js";
 import { ADMIN_SCOPE } from "../gateway/operator-scopes.js";
 import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../gateway/protocol/client-info.js";
+import { parseStrictNonNegativeInteger } from "../infra/parse-finite-number.js";
 import { routeLogsToStderr } from "../logging/console.js";
 import {
   classifySessionKeyShape,
@@ -107,9 +108,9 @@ function protectJsonStdout(opts: Pick<AgentCliOpts, "json">): void {
 function parseTimeoutSeconds(opts: { cfg: OpenClawConfig; timeout?: string }) {
   const raw =
     opts.timeout !== undefined
-      ? Number.parseInt(opts.timeout, 10)
+      ? parseStrictNonNegativeInteger(opts.timeout)
       : (opts.cfg.agents?.defaults?.timeoutSeconds ?? 600);
-  if (Number.isNaN(raw) || raw < 0) {
+  if (raw === undefined) {
     throw new Error(
       `Invalid --timeout. Use seconds as a non-negative integer, for example --timeout 600. Use --timeout 0 to disable the timeout.`,
     );
diff --git a/src/infra/parse-finite-number.test.ts b/src/infra/parse-finite-number.test.ts
@@ -1,6 +1,7 @@
 import { describe, expect, it } from "vitest";
 import {
   parseFiniteNumber,
+  parseStrictFiniteNumber,
   parseStrictInteger,
   parseStrictNonNegativeInteger,
   parseStrictPositiveInteger,
@@ -50,6 +51,22 @@ describe("parseStrictInteger", () => {
   });
 });
 
+describe("parseStrictFiniteNumber", () => {
+  it("parses full finite numbers and rejects partial tokens", () => {
+    expectParserCases(parseStrictFiniteNumber, [
+      { value: "42", expected: 42 },
+      { value: "3.14", expected: 3.14 },
+      { value: ".5", expected: 0.5 },
+      { value: "1e3", expected: 1000 },
+      { value: "3.14ms", expected: undefined },
+      { value: "0abc", expected: undefined },
+      { value: "0x10", expected: undefined },
+      { value: " ", expected: undefined },
+      { value: Number.POSITIVE_INFINITY, expected: undefined },
+    ]);
+  });
+});
+
 describe("parseStrictPositiveInteger", () => {
   it("enforces positive integers", () => {
     expectParserCases(parseStrictPositiveInteger, [
diff --git a/src/infra/parse-finite-number.ts b/src/infra/parse-finite-number.ts
