Operational: Config YAML loader has no validation of critical fields #91

New issue

Open

opened 2026-05-11 13:48:53 +00:00 by thabeta · 0 comments

thabeta commented

2026-05-11 13:48:53 +00:00

Owner

Severity: Medium

Location

crates/hero_aibroker_lib/src/registry/loader.rs and registry/types.rs

Finding

The config loader deserializes YAML directly into structs with no validation:

let config: ModelsConfig = serde_yaml::from_str(&content)?;

No validation that provider names match registered providers
No validation that model aliases are unique
No validation of priority values
No validation of endpoint URLs
Invalid configs load silently and fail at runtime

Recommendation

Add a validate() method on all config types
Check provider references at load time
Validate URL formats
Return structured validation errors with field paths

## Severity: Medium ## Location `crates/hero_aibroker_lib/src/registry/loader.rs` and `registry/types.rs` ## Finding The config loader deserializes YAML directly into structs with no validation: ```rust let config: ModelsConfig = serde_yaml::from_str(&content)?; ``` - No validation that provider names match registered providers - No validation that model aliases are unique - No validation of priority values - No validation of endpoint URLs - Invalid configs load silently and fail at runtime ## Recommendation - Add a `validate()` method on all config types - Check provider references at load time - Validate URL formats - Return structured validation errors with field paths