apollo_node_config,apollo_node,deployment: source private_parameters from secrets schema, drop value config schema #14648

Open

nimrod-starkware wants to merge 1 commit into nimrod/jsonnet/retire-replacer-generation from nimrod/jsonnet/source-private-params-from-secrets-schema

@nimrod-starkware

Contributor

private_parameters() now reads the committed config_secrets_schema.json (a BTreeSet of
ParamPath) instead of deriving from config_schema.json + CONFIG_POINTERS at runtime,
removing the runtime dependency on both. Delete the value config_schema.json (4147 lines)
and the CONFIG_SCHEMA_PATH const (the native loader never read it; the per-param CLI
parser that did is gone), and remove its now-broken COPY from the sequencer Dockerfile.
Repurpose update_apollo_node_config_schema to regenerate ONLY the secrets schema, and
split the up-to-date guard to assert only the secrets schema. A transient equivalence test
(private_parameters_matches_config_dump_derivation) proves the file-sourced set equals the
old dump()+CONFIG_POINTERS derivation (no drift); it is marked for removal with the later
SerializeConfig/CONFIG_POINTERS teardown.

config_secrets_schema.json regenerates byte-identical; apollo_node_config 30/30 and
apollo_deployments 9/9 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
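
The drift guard described in this PR, as an added example that is not the project's code: it compares a committed secrets list with a freshly derived set and reports each direction of mismatch separately, since a path missing from the committed file would no longer be treated as private by a loader that reads only that file. The file shape (a JSON array of plain strings), the `example.*` paths and all function names are assumptions.

```rust
use std::collections::BTreeSet;

/// Parse a JSON array of plain strings (no escape sequences) into a sorted set.
/// Assumed file shape; the real file is written by the project's own serializer.
fn parse_paths(json: &str) -> Result<BTreeSet<String>, String> {
    let inner = json.trim().strip_prefix('[').and_then(|s| s.strip_suffix(']'))
        .ok_or("expected a JSON array")?;
    let mut paths = BTreeSet::new();
    for item in inner.split(',').map(str::trim).filter(|s| !s.is_empty()) {
        let path = item.strip_prefix('"').and_then(|s| s.strip_suffix('"'))
            .filter(|p| !p.contains('"') && !p.contains('\\'))
            .ok_or_else(|| format!("not a plain string: {item}"))?;
        if !paths.insert(path.to_string()) {
            return Err(format!("duplicate path: {path}"));
        }
    }
    Ok(paths)
}

/// Canonical form for a byte-for-byte check: sorted (BTreeSet order), one path per line.
fn serialize(paths: &BTreeSet<String>) -> String {
    let body: Vec<String> = paths.iter().map(|p| format!("  \"{p}\"")).collect();
    format!("[\n{}\n]\n", body.join(",\n"))
}

/// Mismatches between the committed list and the derived set, by direction.
struct Drift {
    unprotected: Vec<String>, // derived as private, absent from the committed file
    stale: Vec<String>,       // listed in the committed file, no longer derived
}

fn drift(committed: &BTreeSet<String>, derived: &BTreeSet<String>) -> Drift {
    Drift {
        unprotected: derived.difference(committed).cloned().collect(),
        stale: committed.difference(derived).cloned().collect(),
    }
}

fn main() {
    // Constructed sample data; these paths are not taken from the project.
    let committed_file = "[\n  \"example.api_key\",\n  \"example.signing_key\"\n]\n";
    let derived: BTreeSet<String> = ["example.api_key", "example.db_password"]
        .iter().map(|s| s.to_string()).collect();
    let committed = parse_paths(committed_file).expect("valid secrets file");
    let d = drift(&committed, &derived);
    println!("not listed as private: {:?}", d.unprotected);
    println!("stale entries: {:?}", d.stale);
    println!("byte-identical: {}", serialize(&derived) == committed_file);
}
```

A guard built this way should fail on a non-empty `unprotected` list even when `stale` entries alone are tolerated, because only the first direction changes what gets handled as a secret.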

nimrod-starkware commented Jun 28, 2026

Contributor Author

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@nimrod-starkware nimrod-starkware force-pushed the nimrod/jsonnet/retire-replacer-generation branch from 89ab258 to c0351e0 Compare June 28, 2026 10:14
@nimrod-starkware nimrod-starkware force-pushed the nimrod/jsonnet/source-private-params-from-secrets-schema branch from 84755fc to 3c4b392 Compare June 28, 2026 10:14
@nimrod-starkware nimrod-starkware force-pushed the nimrod/jsonnet/source-private-params-from-secrets-schema branch from 3c4b392 to dbff560 Compare June 28, 2026 10:30
@nimrod-starkware nimrod-starkware force-pushed the nimrod/jsonnet/retire-replacer-generation branch from 4f5f772 to ece79f9 Compare June 28, 2026 14:04
@nimrod-starkware nimrod-starkware force-pushed the nimrod/jsonnet/source-private-params-from-secrets-schema branch from dbff560 to 16c545d Compare June 28, 2026 14:04
@nimrod-starkware nimrod-starkware self-assigned this Jun 29, 2026
@nimrod-starkware nimrod-starkware marked this pull request as ready for review June 29, 2026 11:24
@cursor

cursor Bot commented Jun 29, 2026

PR Summary

Medium Risk
Touches how private/secret config keys are resolved at runtime and deployment packaging; behavior is guarded by equivalence and up-to-date tests, but operators or tools that still expected config_schema.json would break.

Overview
private_parameters() now loads the committed config_secrets_schema.json (a serialized BTreeSet of param paths) instead of scanning the old full value schema and applying CONFIG_POINTERS at runtime.

The large config_schema.json artifact and CONFIG_SCHEMA_PATH are removed; the sequencer Dockerfile no longer copies that file. update_apollo_node_config_schema only regenerates the secrets schema from a config dump + pointers, and default_config_file_is_up_to_date checks that file alone. A transient test asserts file-sourced private params still match the historical dump derivation.

Reviewed by Cursor Bugbot for commit 06d2a21.

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 16c545d.

Comment thread crates/apollo_node_config/src/config_test.rs
@nimrod-starkware nimrod-starkware force-pushed the nimrod/jsonnet/retire-replacer-generation branch from ece79f9 to 3be73e0 Compare July 1, 2026 08:25
@nimrod-starkware nimrod-starkware force-pushed the nimrod/jsonnet/source-private-params-from-secrets-schema branch from 16c545d to 6bc770e Compare July 1, 2026 08:25