Add RFC 0001 for field-level environment aliases

[lodyai]

Summary

This branch adds the repository's first Request for Comments,
RFC 0001: Field-level environment aliases,
and indexes it from the documentation contents file. The RFC proposes that
ortho_config grow first-class, field-level environment projections: a
declarative env(...) field attribute binding a configuration field to one or
more environment-variable names, with deterministic intra-environment
precedence (the prefixed canonical name shadows aliases by default),
empty-value handling, and secret-redaction metadata. It is motivated by two
consumers — vk (a GITHUB_TOKEN fallback resolved today by bespoke code) and
podbot (a hand-written environment-to-config-path table) — and lets both
delete that hand-rolled machinery without the crate ever scanning the whole
process environment.

This is a documentation-only change carrying a proposal for review. The RFC
status is Proposed; no runtime, derive-macro, or IR code changes in this
branch. There is no associated roadmap task, issue, or execplan: the document
itself is the deliverable, and it is the artefact under review.

Review walkthrough

• Start with
  docs/rfcs/0001-field-level-environment-aliases.md
  — the proposal itself. Sections 1–4 establish the problem, the current
  single-environment-layer behaviour, and the goals and non-goals.
• The load-bearing decisions live in
  §5 Proposed design:
  the precedence model and the central invariant that aliases select a single
  value before the one environment layer and never concatenate (§5.4), the
  macro attribute grammar (§5.2), the internal resolver glue (§5.3), the
  Secret<T> plus secret-path-set redaction model (§5.5), and the
  backwards-compatible EnvMetadata IR extension with the honest
  ir_version bump (§5.6).
• Review
  §7 Compatibility and migration
  for the before/after vk and podbot migrations and the SemVer impact, and
  §9 Alternatives considered
  and §10 Prior art
  for the rejected options and the precedents they draw on.
• Finish with
  §13 Design-review findings folded in,
  which records the material findings from a multi-perspective review and where
  each was addressed.
• Then check
  docs/contents.md
  for the new "Requests for comments (RFCs)" section linking the document.

Scope notes

• The "environment-variable names as configuration values" primitive
  (podbot's env_allowlist, the proposed env_value_names/EnvPassthrough)
  is deliberately deferred to a planned companion, RFC 0002. The conceptual
  separation is settled in §5.7; the concrete design is out of scope here
  because it shares no mechanism with aliasing beyond the secret vocabulary.
• The document was drafted with assistance from a design-research team and
  prior-art research, then stress-tested through a multi-perspective design
  review before being revised; the panel's verdict was "revise", and the
  material findings are folded into the current draft (see §13).

Validation

• make markdownlint: 61 files linted, 0 errors.
• make nixie: all Mermaid diagrams validated successfully (including
  Figure 1 in the RFC).

References

• Lody session: https://lody.ai/leynos/sessions/0ca23bc1-2da9-4a57-9e65-871da79d3fb5

[sourcery-ai]

Sorry @LodyAI[bot], you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d7552d68-ef1d-4d4c-8ecd-df9accad034c

📥 Commits

Reviewing files that changed from the base of the PR and between 6bb29c1 and b752315.

📒 Files selected for processing (2)

• docs/contents.md
• docs/rfcs/0001-field-level-environment-aliases.md

👮 Files not reviewed due to content moderation or server errors (2)

• docs/contents.md
• docs/rfcs/0001-field-level-environment-aliases.md

---

RFC 0001: Field-level environment aliases

This pull request introduces RFC 0001, the repository's first Request for Comments document, proposing first-class support for field-level environment-variable aliases in the ortho_config crate.

Proposal

The RFC proposes a declarative #[ortho_config(env(...))] field attribute enabling configuration fields to bind to one or more environment-variable names with deterministic intra-environment precedence, empty-value handling, and secret-redaction metadata. The design supports both prefixed canonical names and unprefixed external variables (such as GITHUB_TOKEN), with explicit control over precedence ordering and secret masking.

The resolution model operates by selection rather than concatenation: only one value per field is chosen from the declared candidate variables in a fixed precedence order. The implementation extends the internal EnvMetadata IR structure with canonical, aliases (with priority and prefix metadata), and secret/empty handling flags, advancing the IR version from 1.1 to 1.2.

Motivation and Use Cases

The design addresses two concrete use cases documented in the proposal:

• vk: Currently requires bespoke code to resolve GITHUB_TOKEN fallbacks alongside the prefixed VK_GITHUB_TOKEN canonical name
• podbot: Maintains a hand-written environment-to-config-path mapping table

The proposal moves environment-variable binding logic from consumer code into the library's standard layering, documentation, and redaction machinery, ensuring that external names appear in generated help text, the documentation IR, agent-context output, and provenance records.

Scope and Compatibility

The change maintains backward compatibility and the orthodox precedence order (defaults < files < environment < CLI). Fields without the new attribute behave identically to the current implementation. The RFC is deliberately narrow: it does not add global "scan the whole environment" modes. Every external variable name must be declared explicitly, preventing unintended collisions and ambient secret leakage.

The proposal defers the distinct primitive for "list of environment-variable names" (used by podbot for the env_allowlist pattern) to a planned companion RFC 0002.

Documentation Changes

• docs/contents.md: Adds a new "Requests for comments (RFCs)" section with a link to RFC 0001
• docs/rfcs/0001-field-level-environment-aliases.md: The complete RFC document (1254 lines), including proposed grammar, runtime resolver semantics, Secret<T> masking, migration guidance for existing consumers, testing strategy, alternatives considered, prior art references (pydantic's AliasChoices, Viper's BindEnv, clap's environment handling, config-rs's ignore_empty, GitHub CLI precedent), and design-review findings

The RFC status is Proposed and the document itself is the deliverable under review. The proposal passes markdown linting and Mermaid diagram validation.

Walkthrough

Adds a new RFC document (docs/rfcs/0001-field-level-environment-aliases.md, 1 254 lines) proposing a first-class #[ortho_config(env(...))] attribute with deterministic candidate-selection precedence, empty-value policies, a Secret<T> redaction model, EnvMetadata IR extensions bumped to version 1.2, migration guidance for vk and podbot, and a testing strategy. Updates docs/contents.md to link to the RFC.

Changes

RFC 0001: Field-level environment aliases

Layer / File(s)	Summary
Problem framing, scope, and goals/non-goals docs/contents.md, docs/rfcs/0001-field-level-environment-aliases.md	Contents page gains an RFC section and link; RFC establishes motivation (unprefixed external variables, duplicated precedence logic, invisible bindings, missing secret rails), surveys the current model and consumer re-implementations in vk and podbot, and defines explicit goals and non-goals including refusal of whole-process environment scanning.
env(...) attribute grammar and precedence model docs/rfcs/0001-field-level-environment-aliases.md	Specifies primary/canonical/fallback candidate ordering, empty-value handling, the selection-not-concatenation invariant, and the full env(...) sub-grammar with compile-time validation rules covering group-vs-field scope, conflict detection, and prefixed = false.
Runtime projection table and merge semantics docs/rfcs/0001-field-level-environment-aliases.md	Details const projection table generation, injectable-source variable reading, CsvEnv typing, per-field error accumulation without aborting, and deep-merge onto a prefix-scoped substrate without altering the one-layer append/merge behaviour; includes a substrate-fidelity regression-test requirement.
Secret/redaction model docs/rfcs/0001-field-level-environment-aliases.md	Introduces Secret<T> as a masking newtype for value-copy surfaces and a layer-level secret-path set for structured renderers; defines guarantee scope and residual risk when a field is not typed as Secret<T>.
EnvMetadata IR extensions and documentation surface docs/rfcs/0001-field-level-environment-aliases.md	Renames var_name to canonical, adds ordered aliases with priority and prefixed, represents secret, empty, and canonical prefixed, bumps ir_version to 1.2, specifies generated help/ENVIRONMENT formatting, and adds an optional agent-context env block containing names and policy only.
Requirements, migration guidance, and testing strategy docs/rfcs/0001-field-level-environment-aliases.md	Lists functional, technical, and safety requirements; provides deprecated-shim migration plans for vk and podbot; and defines the testing strategy including precedence parametrised tests, a no-raw-scan negative test with serial guarding, collection merge-safety tests, and secret-redaction coverage.
Alternatives, prior art, open questions, and design-review findings docs/rfcs/0001-field-level-environment-aliases.md	Covers four alternatives with comparison criteria, presents prior art, states open questions, and summarises design-review findings integrated into the revision, plus footnotes/references.

🌿 A field speaks softly, "Just call me by name—
Or the alias I wear, they're all part of my game."
Secret<T> draws a veil, canonical takes the crown,
No scanning the whole env shall ever go down.
One layer, one merge, first-match wins the day—
RFC zero-zero-one has shown us the way! 🎉

🚥 Pre-merge checks | ✅ 19 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Testing (Property / Proof)	⚠️ Warning	RFC 0001 proposes invariants over orderings and state transitions (deterministic precedence, selection-not-concatenation, no whole-env scanning) but specifies only parametrised rstest cases, omitti...	Recommend property tests for precedence ordering, environment-scanning boundaries, and collection-merge invariants; document expected ranges and state transitions tested by generative properties.

✅ Passed checks (19 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title directly and clearly describes the main change: adding RFC 0001 for field-level environment aliases, which aligns perfectly with the changeset.
Description check	✅ Passed	The pull request description is comprehensive and thoroughly related to the changeset, detailing the RFC's objectives, scope, and validation results.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Testing (Overall)	✅ Passed	This PR is documentation-only (RFC 0001 with status "Proposed" + index update). No functionality or behavioural changes are introduced; the feature is unimplemented. Testing requirements apply only...
User-Facing Documentation	✅ Passed	RFC 0001 is a proposal document with status "Proposed" and contains no code changes. User-facing functionality documentation is only required for implemented features, not proposals under review.
Developer Documentation	✅ Passed	RFC 0001 with status "Proposed" is a documentation-only proposal; no code, APIs, or architectural changes implemented. Check triggers only for implemented changes requiring developer-guide document...
Module-Level Documentation	✅ Passed	The PR adds only documentation files (docs/contents.md and docs/rfcs/0001-field-level-environment-aliases.md); no code modules are added. Module-level docstring check does not apply to documentatio...
Testing (Unit And Behavioural)	✅ Passed	This PR is a documentation-only RFC proposal with no source code, runtime, or macro changes; the testing check does not apply to documentation proposals awaiting implementation.
Testing (Compile-Time / Ui)	✅ Passed	PR is documentation-only (RFC proposal, no code implementation). Custom check requires compile-time/snapshot tests, applicable only to code changes. No code changes present.
Unit Architecture	✅ Passed	This PR is purely documentation—it adds an RFC proposal and updates a table of contents. The Unit Architecture check applies to code structure and implementation patterns; this PR contains no code...
Domain Architecture	✅ Passed	RFC proposes injectable adapter pattern with internal infrastructure glue (#[doc(hidden)]), limiting public surface to domain concepts (Secret, EnvMetadata, precedence enums). Explicitly forbids...
Observability	✅ Passed	This PR is documentation-only (RFC 0001 proposal with status "Proposed"). No operational behaviour is introduced or altered, hence observability requirements do not apply; check is not applicable.
Security And Privacy	✅ Passed	RFC 0001 proposes field-level environment aliases with explicit per-field variable names, secret redaction (Secret + path-set), strict validation, and no whole-environment scanning; no secrets,...
Performance And Resource Use	✅ Passed	PR is documentation-only (markdown RFC and contents index), containing no executable code, data structures, or algorithms. Performance and resource use checks are not applicable.
Concurrency And State	✅ Passed	PR adds only documentation (RFC design proposal and index). No runtime code, concurrency primitives, shared state, locks, or async execution introduced; check not applicable to documentation-only c...
Architectural Complexity And Maintainability	✅ Passed	The RFC's architectural choices reduce net complexity: field-level aliases replace hand-rolled resolvers in vk and podbot. All new abstractions have explicit justification, clear reuse constraints...
Rust Compiler Lint Integrity	✅ Passed	This PR is documentation-only (1254 lines of RFC + 8 lines in contents.md); no Rust source files, Cargo files, or lint-suppression attributes were modified. The custom check applies only to Rust co...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch rfc-0001-env-field-aliases

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}