NationTech/harmony
3
0
Fork 2
Code Issues 38 Pull Requests 29 Actions Packages Projects Releases 1 Wiki Activity

feat(harmony_config): unified config layer (ADR-020) — ConfigClient, ConfigClass, masking #304

Merged
johnride merged 4 commits from pr/harmony-config-layer into master 2026-05-29 16:15:56 +00:00
Conversation 0 Commits 4 Files Changed 14 +954 -296
stremblay commented 2026-05-28 18:13:27 +00:00
Owner
Copy Link

Summary

Implements the ADR-020 unified config+secret layer: one ConfigClient
resolution chain (env → OpenBao → prompt) where the Rust struct is the schema,
with first-class secret handling. Compiles against current master's
harmony_secret.

Changes

  • ConfigClass (Standard/Secret) + #[config(secret)] derive; class plumbed
    through the ConfigSource trait.
  • ConfigManagerConfigClient rename; for_namespace() constructor +
    opt-out Builder.
  • Per-class secret masking: password prompts echo *, formatted output renders
    ****.
  • get_or_prompt persists prompted values to every writable source (was
    stopping at the first, so OpenBao never saw team-scale values).
  • SQLite dropped from the canonical chain (cleartext-at-rest) and namespaced
    per-binary when explicitly opted in.
  • Prompt banner identifies which struct is being filled; serde-rename caveat
    documented; swallowed StoreSource errors now logged.
  • Docs: ADR-020-1 documents the actual OPENBAO_URL/VAULT_ADDR var; ROADMAP/01
    and a firewall_pair comment updated to ConfigClient.

Consumer fix

The rename updates its one in-tree consumer — a 2-line call-site change in
example-harmony-sso — so master stays green. The example's full ADR-020
rework lands in the example PR.

Context

PR 2 of 4 splitting feat/unified-config-and-secrets. Independent — merge in
any order.

Verification

cargo check --workspace --all-targets --all-features, cargo fmt --check,
cargo test -p harmony_config (45 passing), clippy clean.

## Summary Implements the ADR-020 unified config+secret layer: one `ConfigClient` resolution chain (env → OpenBao → prompt) where the Rust struct is the schema, with first-class secret handling. Compiles against current `master`'s `harmony_secret`. ## Changes - `ConfigClass` (Standard/Secret) + `#[config(secret)]` derive; class plumbed through the `ConfigSource` trait. - `ConfigManager` → `ConfigClient` rename; `for_namespace()` constructor + opt-out `Builder`. - Per-class secret masking: password prompts echo `*`, formatted output renders `****`. - `get_or_prompt` persists prompted values to every writable source (was stopping at the first, so OpenBao never saw team-scale values). - SQLite dropped from the canonical chain (cleartext-at-rest) and namespaced per-binary when explicitly opted in. - Prompt banner identifies which struct is being filled; serde-rename caveat documented; swallowed `StoreSource` errors now logged. - Docs: ADR-020-1 documents the actual `OPENBAO_URL`/`VAULT_ADDR` var; `ROADMAP/01` and a `firewall_pair` comment updated to `ConfigClient`. ## Consumer fix The rename updates its one in-tree consumer — a 2-line call-site change in `example-harmony-sso` — so `master` stays green. The example's full ADR-020 rework lands in the example PR. ## Context PR 2 of 4 splitting `feat/unified-config-and-secrets`. Independent — merge in any order. ## Verification `cargo check --workspace --all-targets --all-features`, `cargo fmt --check`, `cargo test -p harmony_config` (45 passing), clippy clean.
stremblay added 2 commits 2026-05-28 18:13:27 +00:00
feat(harmony_config): unified config layer — ConfigClient, ConfigClass, masking 08b55ee36d 
Net-diff PR (2 of 4) splitting feat/unified-config-and-secrets.
harmony_config + harmony_config_derive; compiles against master's harmony_secret.

- ConfigClass + #[config(secret)] derive; class plumbed through ConfigSource
- ConfigManager -> ConfigClient rename + for_namespace + Builder
- per-class secret masking: input echoes '*', output renders '****'
- get_or_prompt persists to every writable source
- SQLite dropped from the canonical chain (cleartext-at-rest) + namespaced
- prompt banner; serde-rename caveat docs; store-error logging
- docs: ADR-020-1 names OPENBAO_URL/VAULT_ADDR; ROADMAP/01 + firewall_pair rename

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(harmony_config): migrate example-harmony-sso call site to ConfigClient
All checks were successful
Run Check Script / check (pull_request) Successful in 2m52s
Details
aa709aa68b 
The ConfigManager->ConfigClient rename in this PR updates its in-tree
consumer so master stays green. Minimal 2-line call-site fix; the
example's full ADR-020 rework lands in the example PR.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
johnride added 2 commits 2026-05-29 16:12:46 +00:00
Merge branch 'master' into pr/harmony-config-layer d0f9ba8d0f
feat: harmony_config densification of code and comments, remove much bloat
All checks were successful
Run Check Script / check (pull_request) Successful in 2m21s
Details
f37ab6aba1
johnride merged commit 1643b10139 into master 2026-05-29 16:15:56 +00:00
johnride deleted branch pr/harmony-config-layer 2026-05-29 16:15:57 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
Architecture Decision Record
Good first issue
RFC
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
johnride jvtrudel reda stremblay
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: NationTech/harmony#304
No description provided.
Delete Branch "pr/harmony-config-layer"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?