
fix(engine): use saturating casts for token counts in streaming#40

Closed
echobt wants to merge 3 commits into main from fix/streaming-token-overflow

Conversation


@echobt echobt commented Feb 4, 2026

Summary

Fixes #5188 - streaming.rs uses unchecked narrowing casts.

Problem

Token count conversions can silently truncate on very large values.

Solution

Used saturating conversion to cap at u32::MAX instead of truncating.
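The conversion this PR describes, as an added example that is not the PR's own code: the old unchecked `as` cast beside a saturating `saturating_i64_to_u32`, applied to the `TokenUsage` (i64) to `StreamTokenUsage` (u32) step from the review bot's diagram. The `to_stream_usage` function and the `total_tokens` field are assumptions made here for illustration.

```rust
/// What the old unchecked cast did: `as` keeps only the low 32 bits, so an
/// out-of-range count wraps and a negative count becomes a huge positive one.
fn truncating_i64_to_u32(value: i64) -> u32 {
    value as u32
}

/// Saturating replacement: negatives clamp to 0, anything above u32::MAX
/// clamps to u32::MAX, in-range values pass through unchanged.
fn saturating_i64_to_u32(value: i64) -> u32 {
    match u32::try_from(value) {
        Ok(v) => v,
        Err(_) if value < 0 => 0,
        Err(_) => u32::MAX,
    }
}

/// Provider-side usage as delivered to the client (i64 fields, as on the page).
struct TokenUsage {
    input_tokens: i64,
    output_tokens: i64,
}

/// Stream-side usage with u32 fields; `total_tokens` is an assumed extra field
/// added here to show that the sum must saturate as well.
struct StreamTokenUsage {
    input_tokens: u32,
    output_tokens: u32,
    total_tokens: u32,
}

/// Assumed conversion point; the real module's signature may differ.
fn to_stream_usage(usage: &TokenUsage) -> StreamTokenUsage {
    let input_tokens = saturating_i64_to_u32(usage.input_tokens);
    let output_tokens = saturating_i64_to_u32(usage.output_tokens);
    StreamTokenUsage {
        input_tokens,
        output_tokens,
        // saturating_add: two near-u32::MAX counts must not wrap back to zero.
        total_tokens: input_tokens.saturating_add(output_tokens),
    }
}

fn main() {
    // Constructed inputs: a count just past u32::MAX, a negative one, a normal one.
    for value in [(1i64 << 32) + 5, -1, 42] {
        let (old, new) = (truncating_i64_to_u32(value), saturating_i64_to_u32(value));
        println!("{value}: as u32 = {old}, saturating = {new}");
    }
}
```

With the plain `as` cast a provider reporting -1 would be recorded as 4294967295 tokens, which is the kind of value that quota, billing or context-window logic downstream cannot be trusted to handle.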


greptile-apps bot commented Feb 4, 2026

Greptile Overview

Greptile Summary

This PR fixes integer overflow and truncation issues across three critical modules by implementing safe type conversions with saturation semantics.

Key Changes:

  • streaming.rs: Introduced saturating_i64_to_u32 helper to safely convert token counts from i64 to u32, clamping negative values to 0 and values exceeding u32::MAX to u32::MAX instead of silently truncating
  • mention.rs: Added UTF-8 boundary-safe slicing functions (safe_slice_up_to, safe_slice_from) to prevent panic when slicing strings at invalid character boundaries in multi-byte Unicode text
  • renderer.rs: Used u16::try_from().unwrap_or(u16::MAX) with saturating addition to prevent usize to u16 overflow when calculating widget heights

Impact:
All changes prevent potential runtime panics and data corruption from unchecked casts. The comprehensive test coverage added for UTF-8 boundary cases demonstrates thorough consideration of edge cases. The saturation approach ensures graceful degradation rather than silent truncation or panic.

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • All changes implement defensive programming best practices using saturating conversions instead of unchecked casts. The fixes are well-tested (especially the UTF-8 boundary tests), clearly documented, and address real overflow/truncation vulnerabilities
  • No files require special attention

Important Files Changed

Filename Overview
src/cortex-engine/src/streaming.rs Added saturating_i64_to_u32 function to safely convert token counts from i64 to u32, preventing silent truncation on large values
src/cortex-agents/src/mention.rs Added UTF-8 boundary-safe slicing helpers (safe_slice_up_to, safe_slice_from) to prevent panics when slicing multi-byte characters
src/cortex-tui/src/interactive/renderer.rs Used try_from with saturation to prevent usize to u16 overflow when calculating widget height

Sequence Diagram

sequenceDiagram
    participant LLM as LLM Provider
    participant Client as Client (TokenUsage)
    participant Stream as Streaming Module
    participant TUI as TUI Renderer
    participant Agent as Agent Mention Parser
    
    Note over LLM,Client: Token Count Conversion Flow
    LLM->>Client: Returns token counts (i64)
    Client->>Stream: TokenUsage {input_tokens: i64, output_tokens: i64}
    Stream->>Stream: saturating_i64_to_u32(value)
    Note right of Stream: Clamps negative to 0<br/>Clamps > u32::MAX to u32::MAX
    Stream->>Stream: StreamTokenUsage {u32 fields}
    
    Note over TUI: Height Calculation Flow
    TUI->>TUI: Calculate items_count (usize)
    TUI->>TUI: u16::try_from(items_count)
    alt items_count > u16::MAX
        TUI->>TUI: Returns u16::MAX
    else items_count <= u16::MAX
        TUI->>TUI: Returns items_count as u16
    end
    TUI->>TUI: saturating_add for total height
    
    Note over Agent: UTF-8 Safe Slicing Flow
    Agent->>Agent: Detect mention position (byte index)
    Agent->>Agent: safe_slice_up_to(text, pos)
    alt pos is not char boundary
        Agent->>Agent: Search backwards for valid boundary
    end
    Agent->>Agent: safe_slice_from(text, pos)
    alt pos is not char boundary
        Agent->>Agent: Search forwards for valid boundary
    end
    Agent->>Agent: Return sliced strings safely
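The UTF-8 boundary-safe slicing the summary attributes to mention.rs, as an added example rather than the project's own code: `safe_slice_up_to` searches backwards and `safe_slice_from` searches forwards for a char boundary, as in the diagram above. The `floor_char_boundary`, `ceil_char_boundary` and `plain_slice_is_valid` helpers are assumptions made here.

```rust
/// Largest char boundary at or below `pos` (clamped to the string length).
/// Assumed implementation of the "search backwards" step in the PR summary.
fn floor_char_boundary(s: &str, pos: usize) -> usize {
    let mut i = pos.min(s.len());
    // Index 0 is always a boundary, so this loop terminates.
    while !s.is_char_boundary(i) {
        i -= 1;
    }
    i
}

/// Smallest char boundary at or above `pos` (clamped to the string length).
/// Assumed implementation of the "search forwards" step in the PR summary.
fn ceil_char_boundary(s: &str, pos: usize) -> usize {
    let mut i = pos.min(s.len());
    // s.len() is always a boundary, so this loop terminates.
    while !s.is_char_boundary(i) {
        i += 1;
    }
    i
}

/// Prefix of `s` ending at `pos`, never splitting a multi-byte character.
fn safe_slice_up_to(s: &str, pos: usize) -> &str {
    &s[..floor_char_boundary(s, pos)]
}

/// Suffix of `s` starting at `pos`, never splitting a multi-byte character.
fn safe_slice_from(s: &str, pos: usize) -> &str {
    &s[ceil_char_boundary(s, pos)..]
}

/// True when a plain `&s[..pos]` would be accepted; `str::get` returns None
/// (instead of panicking) for an index inside a multi-byte character.
fn plain_slice_is_valid(s: &str, pos: usize) -> bool {
    s.get(..pos).is_some()
}

fn main() {
    // Constructed input: 'é' occupies bytes 1..3, so byte index 2 is mid-character.
    let text = "héllo @user";
    let pos = 2;
    println!("plain slice at {pos} valid: {}", plain_slice_is_valid(text, pos));
    println!("up_to: {:?}", safe_slice_up_to(text, pos));
    println!("from:  {:?}", safe_slice_from(text, pos));
}
```

A byte index computed from a character count (or from a user-supplied cursor position) is exactly the kind of value that lands mid-character, so the clamp to `s.len()` matters as much as the boundary search.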

@greptile-apps greptile-apps bot left a comment

3 files reviewed, no comments

echobt added a commit that referenced this pull request Feb 4, 2026
…ng operations

This PR consolidates the following numeric safety fixes:
- #39: Use saturating casts in git_info to prevent overflow
- #40: Use saturating casts for token counts in streaming
- #41: Use saturating subtraction to prevent underflow in compaction

All changes use saturating arithmetic operations:
- Replaced direct casts with saturating_sub and try_into
- Prevents panic on numeric overflow/underflow conditions
echobt commented Feb 4, 2026

Consolidated into #71 - fix: consolidated numeric overflow/underflow prevention with saturating operations

@echobt echobt closed this Feb 4, 2026