feat: Add config validation and ConfigWatcher tests

- Add config validation for unknown keys (shows warning in menu bar)
- Add ConfigWatcher test coverage (7 new tests)
- Show config warnings/errors in status bar menu
- Update config-examples.yml with security best practices
- Document allowed_schemes behavior (replaces defaults, not additive)
- Use private servers for all script-based examples

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: laurentftech

README.md

@@ -25,6 +25,7 @@ Receive push notifications on your Mac from any source — servers, IoT devices,
 - **Priority Mapping**: Maps ntfy priority levels to macOS interruption levels (critical, time-sensitive)
 - **Menu Bar App**: Runs in the menu bar with quick access to config and reload
 - **Live Config Reload**: Configuration changes are detected and applied automatically
+- **Config Validation**: Warns about unknown keys and typos in the menu bar
 - **Click to Open**: Click notifications to open in browser (configurable per topic)
 - **Automatic Permission Request**: Prompts for notification permission on first launch
 
@@ -117,6 +118,8 @@ ntfy-macos serve
 On first launch, the app will automatically request notification permission.
 
 The app runs in the menu bar with options to:
+- **Server Status**: Shows connection state for each server (green=connected, red=disconnected, orange flashing=connecting)
+- **Config Warning**: Displays warnings for unknown keys or typos (orange indicator)
 - **Edit Config**: Open config file in your default editor
 - **Show Config in Finder**: Reveal config directory
 - **Reload Config**: Apply configuration changes
@@ -171,8 +174,8 @@ servers:
 - `url` (required): Server URL (e.g., `https://ntfy.sh`)
 - `token` (optional): Authentication token (can also be stored in Keychain)
 - `topics` (required): List of topics to subscribe to
-- `allowed_schemes` (optional): List of URL schemes allowed for click/action URLs (default: `["http", "https"]`)
-- `allowed_domains` (optional): List of domains allowed for click/action URLs (supports wildcards like `*.example.com`)
+- `allowed_schemes` (optional): List of URL schemes allowed for click/action URLs (default: `["http", "https"]`). **Replaces defaults** — setting `[https, myapp]` blocks http; setting `[myapp]` blocks both http and https
+- `allowed_domains` (optional): List of domains allowed for click/action URLs (supports wildcards like `*.example.com`). Not set = all domains allowed
 
 #### Topic Fields
 
@@ -302,7 +305,10 @@ servers:
       - name: alerts
 ```
 
-**Note**: The config file is validated at startup — world-writable config files are rejected for security.
+**Config Validation**: The configuration is validated at startup and on reload:
+- World-writable config files are rejected for security
+- Unknown keys (typos, misplaced options) trigger a warning in the menu bar
+- Invalid YAML or missing required fields prevent the app from starting
 
 ## Priority Mapping
 

Sources/Config.swift

@@ -125,11 +125,27 @@ struct AppConfig: Codable {
     }
 }
 
-enum ConfigError: Error {
+enum ConfigError: Error, LocalizedError {
     case fileNotFound
     case invalidYAML(Error)
     case decodingError(Error)
     case insecureFilePermissions(String)
+    case unknownKeys(String)
+
+    var errorDescription: String? {
+        switch self {
+        case .fileNotFound:
+            return "Configuration file not found"
+        case .invalidYAML(let error):
+            return "Invalid YAML: \(error.localizedDescription)"
+        case .decodingError(let error):
+            return "Configuration error: \(error.localizedDescription)"
+        case .insecureFilePermissions(let message):
+            return message
+        case .unknownKeys(let details):
+            return "Unknown configuration keys:\n\(details)"
+        }
+    }
 }
 
 final class ConfigManager: @unchecked Sendable {
@@ -170,17 +186,93 @@ final class ConfigManager: @unchecked Sendable {
             throw ConfigError.fileNotFound
         }
 
+        // Validate for unknown keys before decoding (warnings only, doesn't block loading)
+        let unknownKeysWarning = checkForUnknownKeys(in: yamlString)
+
         let decoder = YAMLDecoder()
         do {
             let decodedConfig = try decoder.decode(AppConfig.self, from: yamlString)
             lock.lock()
             defer { lock.unlock() }
             self._config = decodedConfig
+            self._configWarning = unknownKeysWarning
         } catch {
             throw ConfigError.decodingError(error)
         }
     }
 
+    /// Warning message for unknown keys (doesn't prevent loading)
+    private var _configWarning: String?
+    var configWarning: String? {
+        lock.lock()
+        defer { lock.unlock() }
+        return _configWarning
+    }
+
+    /// Known keys at each level of the config
+    private static let knownRootKeys: Set<String> = ["servers"]
+    private static let knownServerKeys: Set<String> = ["url", "token", "topics", "allowed_schemes", "allowed_domains"]
+    private static let knownTopicKeys: Set<String> = ["name", "icon_path", "icon_symbol", "auto_run_script", "silent", "click_url", "actions"]
+    private static let knownActionKeys: Set<String> = ["title", "type", "path", "url"]
+
+    /// Checks YAML for unknown keys that would be silently ignored
+    /// Returns warning message if unknown keys found, nil otherwise
+    private func checkForUnknownKeys(in yamlString: String) -> String? {
+        guard let yaml = try? Yams.load(yaml: yamlString) as? [String: Any] else {
+            return nil  // Let the decoder handle invalid YAML
+        }
+
+        var warnings: [String] = []
+
+        // Check root level
+        for key in yaml.keys {
+            if !Self.knownRootKeys.contains(key) {
+                warnings.append("Unknown key '\(key)' at root level")
+            }
+        }
+
+        // Check servers
+        if let servers = yaml["servers"] as? [[String: Any]] {
+            for (serverIndex, server) in servers.enumerated() {
+                let serverUrl = server["url"] as? String ?? "server[\(serverIndex)]"
+                for key in server.keys {
+                    if !Self.knownServerKeys.contains(key) {
+                        warnings.append("Unknown key '\(key)' in server '\(serverUrl)'")
+                    }
+                }
+
+                // Check topics
+                if let topics = server["topics"] as? [[String: Any]] {
+                    for (topicIndex, topic) in topics.enumerated() {
+                        let topicName = topic["name"] as? String ?? "topic[\(topicIndex)]"
+                        for key in topic.keys {
+                            if !Self.knownTopicKeys.contains(key) {
+                                warnings.append("Unknown key '\(key)' in topic '\(topicName)' (server: \(serverUrl))")
+                            }
+                        }
+
+                        // Check actions
+                        if let actions = topic["actions"] as? [[String: Any]] {
+                            for (actionIndex, action) in actions.enumerated() {
+                                let actionTitle = action["title"] as? String ?? "action[\(actionIndex)]"
+                                for key in action.keys {
+                                    if !Self.knownActionKeys.contains(key) {
+                                        warnings.append("Unknown key '\(key)' in action '\(actionTitle)' (topic: \(topicName))")
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        if warnings.isEmpty {
+            return nil
+        }
+        return warnings.joined(separator: "\n")
+    }
+
     /// Validates that the config file has secure permissions (not world-writable)
     private func validateFilePermissions(at path: String) throws {
         let fileManager = FileManager.default

Sources/StatusBarController.swift

@@ -6,12 +6,14 @@ class StatusBarController: NSObject {
     private var menu: NSMenu?
     private var statusMenuItem: NSMenuItem?
     private var serversSubmenu: NSMenu?
+    private var errorMenuItem: NSMenuItem?
     var onReloadConfig: (() -> Void)?
 
     // Connection tracking
     private var serverStatuses: [String: ServerConnectionStatus] = [:]
     private var connectingAnimationTimer: Timer?
     private var connectingAnimationVisible: Bool = true
+    private var currentConfigError: String?
 
     enum ConnectionState {
         case connecting    // Never connected yet (orange, flashing)
@@ -65,6 +67,12 @@ class StatusBarController: NSObject {
         statusMenuItem?.isEnabled = false
         menu?.addItem(statusMenuItem!)
 
+        // Error menu item (hidden by default)
+        errorMenuItem = NSMenuItem(title: "", action: nil, keyEquivalent: "")
+        errorMenuItem?.isEnabled = false
+        errorMenuItem?.isHidden = true
+        menu?.addItem(errorMenuItem!)
+
         // Servers submenu showing individual server statuses
         let serversItem = NSMenuItem(title: "Servers", action: nil, keyEquivalent: "")
         serversSubmenu = NSMenu()
@@ -221,6 +229,44 @@ class StatusBarController: NSObject {
         statusMenuItem?.title = status
     }
 
+    /// Shows a configuration error in the menu (in red)
+    func showConfigError(_ error: String) {
+        currentConfigError = error
+        errorMenuItem?.isHidden = false
+
+        // Create attributed string with red color
+        let attributes: [NSAttributedString.Key: Any] = [
+            .foregroundColor: NSColor.systemRed,
+            .font: NSFont.systemFont(ofSize: 13)
+        ]
+        let attributedTitle = NSAttributedString(string: "⚠️ Config Error", attributes: attributes)
+        errorMenuItem?.attributedTitle = attributedTitle
+        errorMenuItem?.toolTip = error
+    }
+
+    /// Shows a configuration warning in the menu (in orange)
+    func showConfigWarning(_ warning: String) {
+        currentConfigError = warning
+        errorMenuItem?.isHidden = false
+
+        // Create attributed string with orange color
+        let attributes: [NSAttributedString.Key: Any] = [
+            .foregroundColor: NSColor.systemOrange,
+            .font: NSFont.systemFont(ofSize: 13)
+        ]
+        let attributedTitle = NSAttributedString(string: "⚠️ Config Warning", attributes: attributes)
+        errorMenuItem?.attributedTitle = attributedTitle
+        errorMenuItem?.toolTip = warning
+    }
+
+    /// Clears any config error/warning from the menu
+    func clearConfigError() {
+        currentConfigError = nil
+        errorMenuItem?.isHidden = true
+        errorMenuItem?.attributedTitle = nil
+        errorMenuItem?.toolTip = nil
+    }
+
     /// Initialize server tracking from config
     func initializeServers(servers: [(url: String, topics: [String])]) {
         stopConnectingAnimation()

Sources/main.swift

@@ -173,8 +173,21 @@ final class NtfyMacOS: NtfyClientDelegate, @unchecked Sendable {
         // Reload config file
         do {
             try ConfigManager.shared.loadConfig(from: nil)
+            DispatchQueue.main.async {
+                // Check for config warnings (unknown keys, etc.)
+                if let warning = ConfigManager.shared.configWarning {
+                    Log.info("Configuration warning: \(warning)")
+                    StatusBarController.shared.showConfigWarning(warning)
+                } else {
+                    StatusBarController.shared.clearConfigError()
+                }
+            }
         } catch {
             Log.error("Failed to reload configuration: \(error)")
+            let errorMessage = (error as? LocalizedError)?.errorDescription ?? "\(error)"
+            DispatchQueue.main.async {
+                StatusBarController.shared.showConfigError(errorMessage)
+            }
             return
         }
 
@@ -546,6 +559,12 @@ DispatchQueue.main.async {
         StatusBarController.shared.onReloadConfig = {
             CLI.ntfyAppInstance?.reloadConfig()
         }
+
+        // Show any initial config warnings
+        if let warning = ConfigManager.shared.configWarning {
+            Log.info("Configuration warning: \(warning)")
+            StatusBarController.shared.showConfigWarning(warning)
+        }
     }
 }