fix: address PR review feedback

- Log warning when config file exists but CONFIG_PASSPHRASE is unset
- Rescue ArgumentError in decrypt for corrupted/non-Base64 data
- Add blob length validation before attempting decryption
- Enforce unique slack_team_id in add_project and validate on update
- Require non-empty passphrases in TUI prompts
- Replace send() with explicit lambda dispatch table in menu loop
- Add required: true to team_id field in edit flow
- Show restart reminder when exiting TUI with configured projects

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: markhallen

app.rb

@@ -50,11 +50,17 @@
   config_path = File.join(settings.root, '.config', 'projects.enc')
   config_passphrase = ENV.fetch('CONFIG_PASSPHRASE', nil)
 
-  if File.exist?(config_path) && config_passphrase
-    project_config = Config::ProjectConfig.new(config_path: config_path)
-    project_config.load!(config_passphrase)
-    set :project_config, project_config
-    settings.logger.info "Loaded #{project_config.projects.length} project(s) from encrypted config"
+  if File.exist?(config_path)
+    if config_passphrase
+      project_config = Config::ProjectConfig.new(config_path: config_path)
+      project_config.load!(config_passphrase)
+      set :project_config, project_config
+      settings.logger.info "Loaded #{project_config.projects.length} project(s) from encrypted config"
+    else
+      set :project_config, nil
+      settings.logger.warn 'Encrypted project config found but CONFIG_PASSPHRASE is not set; ' \
+                           'falling back to environment variable credentials'
+    end
   else
     set :project_config, nil
   end

lib/cli/tui.rb

@@ -18,6 +18,7 @@ def run
       @passphrase = prompt_passphrase
       @config.load!(@passphrase)
       main_menu_loop
+      @prompt.warn('Restart the running app for config changes to take effect.') unless @config.empty?
     rescue Config::Encryption::DecryptionError
       @prompt.error('Wrong passphrase. Unable to decrypt config file.')
       exit 1
@@ -27,11 +28,11 @@ def run
 
     def prompt_passphrase
       if File.exist?(@config_path)
-        @prompt.mask('Enter config passphrase:')
+        @prompt.mask('Enter config passphrase:', required: true)
       else
         @prompt.ok('No config file found. Creating a new one.')
-        passphrase = @prompt.mask('Choose a passphrase for encrypting your config:')
-        confirm = @prompt.mask('Confirm passphrase:')
+        passphrase = @prompt.mask('Choose a passphrase for encrypting your config:', required: true)
+        confirm = @prompt.mask('Confirm passphrase:', required: true)
         unless passphrase == confirm
           @prompt.error('Passphrases do not match.')
           exit 1
@@ -41,12 +42,19 @@ def prompt_passphrase
     end
 
     def main_menu_loop
+      handlers = {
+        add_project: -> { add_project },
+        edit_project: -> { edit_project },
+        remove_project: -> { remove_project },
+        list_projects: -> { list_projects },
+      }
+
       loop do
         choices = build_menu_choices
         action = @prompt.select('What would you like to do?', choices)
         break if action == :exit
 
-        send(action)
+        handlers[action]&.call
       end
     end
 
@@ -94,8 +102,8 @@ def edit_project
       project = @config.find_by_name(name)
       updates = {}
 
-      updates[:name] = @prompt.ask('Project name:', default: project[:name])
-      updates[:slack_team_id] = @prompt.ask('Slack team ID:', default: project[:slack_team_id])
+      updates[:name] = @prompt.ask('Project name:', default: project[:name], required: true)
+      updates[:slack_team_id] = @prompt.ask('Slack team ID:', default: project[:slack_team_id], required: true)
       updates[:slack_bot_token] = prompt_optional_mask('Slack bot token:', project[:slack_bot_token])
       updates[:github_token] = prompt_optional_mask('GitHub token:', project[:github_token])
       updates[:default_github_org] = @prompt.ask('Default GitHub org:', default: project[:default_github_org])

lib/config/encryption.rb

@@ -31,8 +31,11 @@ def self.encrypt(plaintext, passphrase)
       Base64.strict_encode64(blob)
     end
 
+    MIN_BLOB_LENGTH = SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH
+
     def self.decrypt(encoded_blob, passphrase)
       blob = Base64.strict_decode64(encoded_blob)
+      raise DecryptionError, 'Data too short — file may be corrupted' if blob.bytesize < MIN_BLOB_LENGTH
 
       salt = blob[0, SALT_LENGTH]
       iv = blob[SALT_LENGTH, IV_LENGTH]
@@ -48,7 +51,7 @@ def self.decrypt(encoded_blob, passphrase)
       cipher.auth_tag = auth_tag
 
       cipher.update(ciphertext) + cipher.final
-    rescue OpenSSL::Cipher::CipherError
+    rescue OpenSSL::Cipher::CipherError, ArgumentError
       raise DecryptionError, 'Decryption failed — wrong passphrase or corrupted data'
     end
 

lib/config/project_config.rb

@@ -46,6 +46,9 @@ def add_project(attrs)
       raise ArgumentError, 'Project name is required' if project[:name].to_s.strip.empty?
       raise ArgumentError, 'Slack team ID is required' if project[:slack_team_id].to_s.strip.empty?
       raise ArgumentError, "Project '#{project[:name]}' already exists" if find_by_name(project[:name])
+      if find_by_team_id(project[:slack_team_id])
+        raise ArgumentError, "Team ID '#{project[:slack_team_id]}' already in use"
+      end
 
       @projects << project
       project
@@ -59,6 +62,8 @@ def update_project(name, attrs)
         sym_key = key.to_sym
         project[sym_key] = value if project.key?(sym_key)
       end
+
+      validate_project!(project)
       project
     end
 
@@ -80,6 +85,14 @@ def empty?
 
     private
 
+    def validate_project!(project)
+      raise ArgumentError, 'Project name is required' if project[:name].to_s.strip.empty?
+      raise ArgumentError, 'Slack team ID is required' if project[:slack_team_id].to_s.strip.empty?
+
+      duplicate = @projects.find { |p| p[:slack_team_id] == project[:slack_team_id] && p != project }
+      raise ArgumentError, "Team ID '#{project[:slack_team_id]}' already in use" if duplicate
+    end
+
     def normalize_project(attrs)
       {
         name: attrs[:name] || attrs['name'],