fix(config): reject empty roots and invalid ports

Author: PatrickSys

src/server/config.ts

@@ -55,7 +55,11 @@ export async function loadServerConfig(): Promise<ServerConfig | null> {
     result.projects = (config.projects as unknown[])
       .filter((p): p is Record<string, unknown> => typeof p === 'object' && p !== null)
       .map((p) => {
-        const rawRoot = typeof p.root === 'string' ? p.root : '';
+        const rawRoot = typeof p.root === 'string' ? p.root.trim() : '';
+        if (!rawRoot) {
+          console.error('[config] Skipping project entry with missing or empty root');
+          return null;
+        }
         const resolvedRoot = path.resolve(expandTilde(rawRoot));
         const proj: ProjectConfig = { root: resolvedRoot };
         if (Array.isArray(p.excludePatterns)) {
@@ -64,7 +68,8 @@ export async function loadServerConfig(): Promise<ServerConfig | null> {
           );
         }
         return proj;
-      });
+      })
+      .filter((project): project is ProjectConfig => project !== null);
   }
 
   // Resolve server options
@@ -79,7 +84,7 @@ export async function loadServerConfig(): Promise<ServerConfig | null> {
     if (srv.port !== undefined) {
       const portValue = srv.port;
       const portNum = typeof portValue === 'number' ? portValue : Number(portValue);
-      if (Number.isInteger(portNum) && portNum > 0) {
+      if (Number.isInteger(portNum) && portNum > 0 && portNum <= 65535) {
         result.server.port = portNum;
       } else {
         console.error(`[config] Ignoring invalid server.port: ${portValue}`);

tests/server-config.test.ts

@@ -86,6 +86,28 @@ describe('loadServerConfig', () => {
     });
   });
 
+  it('skips project entries with missing or empty roots instead of resolving cwd', async () => {
+    const errorSpy = vi.spyOn(console, 'error');
+    const config = JSON.stringify({
+      projects: [{}, { root: '   ' }, { root: 'valid-root' }]
+    });
+
+    await withTempConfig(config, async (filePath) => {
+      process.env.CODEBASE_CONTEXT_CONFIG_PATH = filePath;
+      const result = await loadServerConfig();
+
+      expect(result).not.toBeNull();
+      expect(result!.projects).toEqual([{ root: path.resolve('valid-root') }]);
+      expect(errorSpy).toHaveBeenCalledTimes(2);
+      expect(errorSpy.mock.calls[0][0]).toMatch(
+        /\[config\] Skipping project entry with missing or empty root/
+      );
+      expect(errorSpy.mock.calls[1][0]).toMatch(
+        /\[config\] Skipping project entry with missing or empty root/
+      );
+    });
+  });
+
   it('returns valid config for well-formed input with projects and server.port', async () => {
     // Use absolute paths that are valid on all platforms
     const projA = path.join(os.tmpdir(), 'ccc-test-proj-a');
@@ -147,6 +169,18 @@ describe('loadServerConfig', () => {
     });
   });
 
+  it('drops server.port with a warning when value exceeds 65535', async () => {
+    const errorSpy = vi.spyOn(console, 'error');
+    const config = JSON.stringify({ server: { port: 65536 } });
+    await withTempConfig(config, async (filePath) => {
+      process.env.CODEBASE_CONTEXT_CONFIG_PATH = filePath;
+      const result = await loadServerConfig();
+      expect(result!.server?.port).toBeUndefined();
+      expect(errorSpy).toHaveBeenCalledOnce();
+      expect(errorSpy.mock.calls[0][0]).toMatch(/\[config\] Ignoring invalid server\.port: 65536/);
+    });
+  });
+
   it('respects CODEBASE_CONTEXT_CONFIG_PATH env var', async () => {
     const config = JSON.stringify({ server: { port: 4242 } });
     await withTempConfig(config, async (filePath) => {