Severity: Low
Area: API — data types / correctness
Location
api/src/runs/handlers.rs:171-172; api/src/pricing.rs:82-84; api/src/runs/runner.rs:465-476
Problem
Token counts are stored as i32 and sourced from the subprocess JSON (PydanticUsage). Large or malformed counts can overflow the i32 columns, and cost is computed from these attacker-influenced values.
Why it matters
Low impact — cost is "approximate" and the values come from the run wrapper — but overflow/negatives produce silently wrong cost accounting.
Suggested fix
Widen token columns/fields to i64 and clamp negatives on deserialize.
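An added sketch of the suggested fix, not code from the project. It assumes the i32 overflow arises from a narrowing `as` cast on a count parsed from the subprocess JSON; the function names and the price constant are hypothetical.

```rust
// Added illustration; names and the price constant are hypothetical.

/// Constructed price: micro-dollars per 1,000 tokens.
const PRICE_MICROS_PER_1K: i64 = 3_000;

/// "Before" pattern: narrows a parsed count into i32.
/// `as` wraps silently, so large values turn negative or shrink.
fn narrow_unchecked(raw: i64) -> i32 {
    raw as i32
}

/// Hardened pattern: keep the count as i64 and clamp negatives to zero
/// at the point where the value enters the system.
fn clamp_count(raw: i64) -> i64 {
    raw.max(0)
}

/// Cost in micro-dollars from an i32 count (the "before" behaviour).
fn cost_i32(tokens: i32) -> i64 {
    i64::from(tokens) * PRICE_MICROS_PER_1K / 1_000
}

/// Cost in micro-dollars from a clamped i64 count; saturates instead of
/// wrapping if an absurd count would overflow the multiplication.
fn cost_i64(tokens: i64) -> i64 {
    clamp_count(tokens).saturating_mul(PRICE_MICROS_PER_1K) / 1_000
}

fn main() {
    // Constructed sample counts: normal, just past i32::MAX, negative, huge.
    for raw in [1_500_i64, 2_147_483_648, -42, i64::MAX] {
        println!(
            "raw={:>20}  i32 path: {:>12}  i64 path: {:>20}",
            raw,
            cost_i32(narrow_unchecked(raw)),
            cost_i64(raw)
        );
    }
}
```

The i32 path reports negative cost for any count past `i32::MAX` or below zero, while the i64 path never goes below zero and saturates at the top of the range.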