fix(cache-middleware): align config schema, reject bool/non-finite thresholds

Per CodeRabbit on NVIDIA#1879:

1. cache_middleware_config.py was out of sync with the new constructor
   semantics — schema allowed similarity_threshold in [0, 1] and had no
   max_entries field at all, so config-driven instantiation could pass
   values the constructor now rejects. Re-export
   _MIN_FUZZY_THRESHOLD and _DEFAULT_MAX_CACHE_ENTRIES from the module
   and wire both constants into the schema:
     similarity_threshold: ge=_MIN_FUZZY_THRESHOLD, le=1.0
     max_entries: ge=1, default=_DEFAULT_MAX_CACHE_ENTRIES
   Docstrings mirror the constructor's rationale (cache-poisoning for
   threshold, DoS for max_entries).

2. Constructor validation did not reject `bool` (since isinstance(True, int)
   is True in Python) or non-finite floats (NaN / +inf / -inf). Both are
   classic config-bug foot-guns: a boolean silently becoming 0 or 1.0,
   or a parser that hands back NaN from an upstream source, would slip
   past the range comparison. Add explicit:
     - bool rejection on similarity_threshold (before the number check)
     - math.isfinite() check on similarity_threshold
     - bool rejection on max_entries

New tests:
  - test_threshold_bool_is_rejected (parametrized True / False)
  - test_threshold_non_finite_is_rejected (parametrized NaN / +inf / -inf)
  - test_bool_max_entries_is_rejected (parametrized True / False)

Signed-off-by: ColinM-sys <cmcdonough@50words.com>

Author: ColinM-sys

packages/nvidia_nat_core/src/nat/middleware/cache/cache_middleware.py

@@ -30,6 +30,7 @@
 
 import json
 import logging
+import math
 from collections import OrderedDict
 from collections.abc import AsyncIterator
 from typing import Any
@@ -108,17 +109,28 @@ def __init__(
             ValueError: If similarity_threshold is outside [_MIN_FUZZY_THRESHOLD, 1.0]
                 or max_entries is not a positive integer.
         """
+        # Reject bool explicitly — `isinstance(True, int)` is True in Python,
+        # and `True`/`False` silently sneaking through as numeric is a classic
+        # config bug (user passes the wrong key, gets no error). Check bool
+        # FIRST so the "must be a number" message doesn't lie.
+        if isinstance(similarity_threshold, bool):
+            raise ValueError(
+                f"similarity_threshold must be a number, got bool ({similarity_threshold!r})")
         if not isinstance(similarity_threshold, (int, float)):
             raise ValueError(
                 f"similarity_threshold must be a number, got {type(similarity_threshold).__name__}")
+        if not math.isfinite(similarity_threshold):
+            raise ValueError(
+                f"similarity_threshold must be finite, got {similarity_threshold!r}")
         if similarity_threshold < _MIN_FUZZY_THRESHOLD or similarity_threshold > 1.0:
             raise ValueError(
                 f"similarity_threshold={similarity_threshold} is outside the safe range "
                 f"[{_MIN_FUZZY_THRESHOLD}, 1.0]. Lower values make cache-poisoning trivial — "
                 "a crafted input can collide with a legitimate user's cached key. Use 1.0 "
                 "for exact matching (recommended), or a value >= "
                 f"{_MIN_FUZZY_THRESHOLD} for fuzzy matching.")
-        if not isinstance(max_entries, int) or max_entries < 1:
+        # Same bool-as-int foot-gun applies to max_entries.
+        if isinstance(max_entries, bool) or not isinstance(max_entries, int) or max_entries < 1:
             raise ValueError(f"max_entries must be a positive integer, got {max_entries!r}")
 
         super().__init__(is_final=True)

packages/nvidia_nat_core/src/nat/middleware/cache/cache_middleware_config.py

@@ -19,6 +19,8 @@
 from pydantic import Field
 
 from nat.data_models.middleware import FunctionMiddlewareBaseConfig
+from nat.middleware.cache.cache_middleware import _DEFAULT_MAX_CACHE_ENTRIES
+from nat.middleware.cache.cache_middleware import _MIN_FUZZY_THRESHOLD
 
 
 class CacheMiddlewareConfig(FunctionMiddlewareBaseConfig, name="cache"):
@@ -31,14 +33,33 @@ class CacheMiddlewareConfig(FunctionMiddlewareBaseConfig, name="cache"):
         enabled_mode: Controls when caching is active:
             - "always": Cache is always enabled
             - "eval": Cache only active when Context.is_evaluating is True
-        similarity_threshold: Float between 0 and 1 for input matching:
-            - 1.0: Exact string matching (fastest)
-            - < 1.0: Fuzzy matching using difflib similarity
+        similarity_threshold: Float in [_MIN_FUZZY_THRESHOLD, 1.0] for input
+            matching:
+            - 1.0: Exact string matching (fastest, recommended)
+            - >= _MIN_FUZZY_THRESHOLD: Fuzzy matching via difflib. Values
+              below this bound are rejected as a cache-poisoning risk —
+              crafted inputs at lower thresholds can collide with a
+              legitimate user's cached key.
+        max_entries: Upper bound on cached entries. When exceeded, the
+            least-recently-used entry is evicted. Must be a positive int;
+            defaults to _DEFAULT_MAX_CACHE_ENTRIES.
     """
 
     enabled_mode: Literal["always", "eval"] = Field(
         default="eval", description="When caching is enabled: 'always' or 'eval' (only during evaluation)")
-    similarity_threshold: float = Field(default=1.0,
-                                        ge=0.0,
-                                        le=1.0,
-                                        description="Similarity threshold between 0 and 1. Use 1.0 for exact matching")
+    similarity_threshold: float = Field(
+        default=1.0,
+        ge=_MIN_FUZZY_THRESHOLD,
+        le=1.0,
+        description=(
+            f"Similarity threshold in [{_MIN_FUZZY_THRESHOLD}, 1.0]. Use 1.0 for exact matching "
+            "(recommended). Lower values enable fuzzy matching but are bounded below to prevent "
+            "cache-poisoning collisions with legitimate cached keys."),
+    )
+    max_entries: int = Field(
+        default=_DEFAULT_MAX_CACHE_ENTRIES,
+        ge=1,
+        description=("Maximum number of cache entries before LRU eviction. Must be >= 1. "
+                     "Prevents memory-exhaustion DoS from unbounded cache growth under "
+                     "sustained unique inputs."),
+    )

packages/nvidia_nat_core/tests/nat/middleware/test_cache_middleware.py

@@ -346,6 +346,19 @@ def test_threshold_non_numeric_is_rejected(self):
         with pytest.raises(ValueError, match="must be a number"):
             CacheMiddleware(enabled_mode="always", similarity_threshold="high")  # type: ignore[arg-type]
 
+    @pytest.mark.parametrize("bad_bool", [True, False])
+    def test_threshold_bool_is_rejected(self, bad_bool):
+        """`isinstance(True, int)` is True in Python — reject bools explicitly
+        so a config with the wrong key type doesn't silently become 1.0 or 0.0."""
+        with pytest.raises(ValueError, match="got bool"):
+            CacheMiddleware(enabled_mode="always", similarity_threshold=bad_bool)  # type: ignore[arg-type]
+
+    @pytest.mark.parametrize("bad_value", [float("nan"), float("inf"), float("-inf")])
+    def test_threshold_non_finite_is_rejected(self, bad_value):
+        """NaN, +inf, -inf must be rejected before the range comparison."""
+        with pytest.raises(ValueError, match="must be finite"):
+            CacheMiddleware(enabled_mode="always", similarity_threshold=bad_value)
+
 
 class TestMaxEntriesLruEviction:
     """The cache must bound its size to prevent memory-exhaustion DoS.
@@ -367,6 +380,16 @@ def test_negative_max_entries_is_rejected(self):
         with pytest.raises(ValueError, match="positive integer"):
             CacheMiddleware(enabled_mode="always", similarity_threshold=1.0, max_entries=-5)
 
+    @pytest.mark.parametrize("bad_bool", [True, False])
+    def test_bool_max_entries_is_rejected(self, bad_bool):
+        """Same bool-as-int foot-gun protection as similarity_threshold."""
+        with pytest.raises(ValueError, match="positive integer"):
+            CacheMiddleware(
+                enabled_mode="always",
+                similarity_threshold=1.0,
+                max_entries=bad_bool,  # type: ignore[arg-type]
+            )
+
     async def test_cache_evicts_oldest_when_exceeding_max_entries(self, middleware_context):
         """Insert more unique entries than max_entries; verify size stays bounded."""
         mw = CacheMiddleware(