From 9955a2f10c034dac60bc17cde6b80b432e21d9d3 Mon Sep 17 00:00:00 2001
From: Claudomator <claudomator@claudomator>
Date: Sun, 8 Mar 2026 07:47:17 +0000
Subject: security(cli): validate --parallel flag is positive in run command

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 internal/cli/run.go      |  4 ++++
 internal/cli/run_test.go | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 internal/cli/run_test.go

(limited to 'internal/cli')

diff --git a/internal/cli/run.go b/internal/cli/run.go
index c666406..ed831f5 100644
--- a/internal/cli/run.go
+++ b/internal/cli/run.go
@@ -36,6 +36,10 @@ func newRunCmd() *cobra.Command {
 }
 
 func runTasks(file string, parallel int, dryRun bool) error {
+	if parallel < 1 {
+		return fmt.Errorf("--parallel must be at least 1, got %d", parallel)
+	}
+
 	tasks, err := task.ParseFile(file)
 	if err != nil {
 		return fmt.Errorf("parsing: %w", err)
diff --git a/internal/cli/run_test.go b/internal/cli/run_test.go
new file mode 100644
index 0000000..705fe29
--- /dev/null
+++ b/internal/cli/run_test.go
@@ -0,0 +1,18 @@
+package cli
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestRunTasks_InvalidParallel(t *testing.T) {
+	for _, parallel := range []int{0, -1, -100} {
+		err := runTasks("ignored.yaml", parallel, false)
+		if err == nil {
+			t.Fatalf("parallel=%d: expected error, got nil", parallel)
+		}
+		if !strings.Contains(err.Error(), "--parallel") {
+			t.Errorf("parallel=%d: error should mention --parallel flag, got: %v", parallel, err)
+		}
+	}
+}
-- 
cgit v1.2.3