
[Security][Critical] Unknown model names tracked at zero cost, bypassing budget enforcement entirely #77

Description

@anshul23102

Summary

src/core/costEngine.ts catches errors from getPricing() and returns { totalCost: 0 } for any unrecognized model. The budget manager receives zero cost and never increments totalSpent.

Affected File

src/core/costEngine.ts

try {
  pricing = pricingRegistry.getPricing(model);
} catch {
  return { inputCost: 0, outputCost: 0, totalCost: 0 }; // budget bypass
}

Impact

An attacker who discovers any unlisted model name makes unlimited LLM calls without consuming any declared budget, completely defeating the cost enforcement the library promises.

Suggested Fix

Treat unknown models as a hard error at track() time:

if (!pricing) throw new Error(`Unknown model: ${model}. Add it to the pricing registry.`);

Severity

Critical
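Added example, not part of the original issue or the project's code: a fail-open cost function like the one quoted above next to a fail-closed one, each plugged into a minimal budget tracker. `Budget`, `costFailOpen`, `costFailClosed`, `PRICES` and the `model-a` prices are constructed for illustration.

```typescript
// Constructed example: all names here are hypothetical, not the project's API.
interface Pricing { inputPer1k: number; outputPer1k: number }
interface Cost { inputCost: number; outputCost: number; totalCost: number }
type CostFn = (model: string, inTok: number, outTok: number) => Cost;

// Constructed price table (USD per 1,000 tokens); values are illustrative.
const PRICES: Record<string, Pricing> = {
  "model-a": { inputPer1k: 0.5, outputPer1k: 1.5 },
};

function getPricing(model: string): Pricing {
  // Own-property check so names like "constructor" do not resolve via the prototype.
  if (!Object.prototype.hasOwnProperty.call(PRICES, model)) {
    throw new Error(`Unknown model: ${model}. Add it to the pricing registry.`);
  }
  return PRICES[model] as Pricing;
}

function price(p: Pricing, inTok: number, outTok: number): Cost {
  const inputCost = (inTok / 1000) * p.inputPer1k;
  const outputCost = (outTok / 1000) * p.outputPer1k;
  return { inputCost, outputCost, totalCost: inputCost + outputCost };
}

// Fail-open, the pattern reported in the issue: unknown model => zero cost.
const costFailOpen: CostFn = (model, inTok, outTok) => {
  try {
    return price(getPricing(model), inTok, outTok);
  } catch {
    return { inputCost: 0, outputCost: 0, totalCost: 0 };
  }
};

// Fail-closed: the lookup error propagates, so the call is never tracked as free.
const costFailClosed: CostFn = (model, inTok, outTok) =>
  price(getPricing(model), inTok, outTok);

// Minimal budget tracker: rejects a call that would push spend past the limit.
class Budget {
  totalSpent = 0;
  private limit: number;
  private cost: CostFn;
  constructor(limit: number, cost: CostFn) { this.limit = limit; this.cost = cost; }
  track(model: string, inTok: number, outTok: number): void {
    const c = this.cost(model, inTok, outTok); // throws for unknown models when fail-closed
    if (this.totalSpent + c.totalCost > this.limit) throw new Error("Budget exceeded");
    this.totalSpent += c.totalCost;
  }
}
```

With the fail-open function, `totalSpent` stays at 0 no matter how many calls name an unlisted model; with the fail-closed one, `track()` throws before anything is recorded.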
