Commit 112eb22
* feat(#3299): runtime configuration engine with Zod validation
Implements the runtime configuration engine for boost-backend:
- RuntimeConfigResolver: two-layer config resolution (DB override →
YAML baseline) with cacheService (30s TTL, immediate invalidation
on write). Single cache layer, no duplicate wrappers.
- AdminConfigService: DB-backed config overrides using the
boost_admin_config table. Validates all writes against Zod schemas
and enforces configScope (yaml-only fields rejected for DB writes).
- Zod schemas as single source of truth: all 15 admin-configurable
fields defined with schema, configScope annotation (yaml-only,
db-overridable, db-only), and descriptions. config.d.ts generated
from the same schema definitions.
- Credential encryption: AES-256-GCM encryption for sensitive
DB-stored values (e.g., DevSpaces credentials) with configurable
encryption secret.
- Schema version tracking: stores schema version alongside DB values.
On startup, re-validates all stored values against current schemas
and removes invalid overrides (restoring YAML baseline).
- Plugin wired with coreServices.cache and coreServices.database
dependencies, satisfying the cache-from-day-one architecture rule.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(boost): address security review findings for runtime config engine
- Add boost.admin permission check to /config/status endpoint
- Redact sensitive fields in /config/status response
- Return generic error message, log details server-side
- Exclude sensitive fields from effective-config cache
- Fetch sensitive fields fresh from DB on cache hit
- Replace SELECT-then-INSERT/UPDATE with atomic onConflict().merge()
- Return undefined + log warning when encryptionSecret missing on read
- Clear cached knexPromise on rejection for retry
- Add encryptionSecret to config.d.ts with @visibility secret
- Replace require('crypto') with ES import for createHash
- Fix misleading codegen comment in config.d.ts
- Add upsert-update test case
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: gabemontero <gmontero@redhat.com>
* fix(boost): regenerate API report for CI compatibility
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(boost): address round-3 security findings
- Guard isSensitiveField against unknown DB keys (nil-deref)
- Wrap JSON.parse in try/catch in getOverride/getAllOverrides
- Warn at startup when encrypted DB values exist without encryptionSecret
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(boost): tighten API surface and harden error paths
- Remove encryptValue/decryptValue from public exports (internal only)
- Mark encryptionSecret, set(), remove() as @internal
- Auto-delete corrupt JSON rows in getOverride
- Handle decryption failures from rotated secrets gracefully
- Use knex.fn.now() for DB timestamps instead of client-side Date
- Add tests for corrupt JSON and rotated-secret error paths
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: gabemontero <gmontero@redhat.com>
* fix(boost): prevent data loss on secret rotation and add auth policy
- validateStoredValues: separate decryption errors from validation errors.
Rows that fail decryption (rotated secret) are kept intact with a
warning instead of being deleted. Only rows that fail Zod schema
validation after successful decryption are removed.
- Add httpRouter.addAuthPolicy for /config/status endpoint to match
the pattern used by all other endpoints in the codebase.
- Add tests for both new behaviors (2 new test cases, 79 total).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: gabemontero <gmontero@redhat.com>
---------
Signed-off-by: gabemontero <gmontero@redhat.com>
Co-authored-by: fullsend-code <278716306+fullsend-ai-coder[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: gabemontero <gmontero@redhat.com>
1 parent 2985dab commit 112eb22
15 files changed
Lines changed: 2298 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
36 | 36 | | |
37 | 37 | | |
38 | 38 | | |
39 | | - | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
40 | 42 | | |
41 | 43 | | |
42 | 44 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| 9 | + | |
| 10 | + | |
9 | 11 | | |
10 | 12 | | |
11 | 13 | | |
12 | 14 | | |
13 | 15 | | |
14 | 16 | | |
| 17 | + | |
15 | 18 | | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
16 | 38 | | |
17 | 39 | | |
18 | 40 | | |
| |||
27 | 49 | | |
28 | 50 | | |
29 | 51 | | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
30 | 55 | | |
31 | 56 | | |
32 | 57 | | |
33 | 58 | | |
34 | 59 | | |
35 | 60 | | |
36 | 61 | | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
37 | 142 | | |
38 | 143 | | |
39 | 144 | | |
40 | 145 | | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
41 | 157 | | |
42 | 158 | | |
43 | 159 | | |
44 | 160 | | |
45 | 161 | | |
46 | 162 | | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
47 | 169 | | |
48 | 170 | | |
49 | 171 | | |
| |||
62 | 184 | | |
63 | 185 | | |
64 | 186 | | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
65 | 207 | | |
66 | 208 | | |
67 | 209 | | |
| 210 | + | |
| 211 | + | |
| 212 | + | |
| 213 | + | |
| 214 | + | |
| 215 | + | |
68 | 216 | | |
69 | 217 | | |
70 | 218 | | |
| |||
0 commit comments