fix(cli): validate VRL with --no-environment#25161
Open
pront wants to merge 9 commits into
Open
Conversation
github-actions
Bot
added
the
domain: transforms
This was referenced Apr 10, 2026
pront
force-pushed
the
codex/fix-validate-no-environment-vrl
branch
3 times, most recently
from
e9d4c36 to
fd1b169
Compare
github-actions
Bot
added
the
domain: topology
pront
force-pushed
the
codex/fix-validate-no-environment-vrl
branch
3 times, most recently
from
ed733f4 to
8b87dfe
Compare
pront
changed the title
pront
force-pushed
the
codex/fix-validate-no-environment-vrl
branch
2 times, most recently
from
187f6f2 to
33903f0
Compare
github-actions
Bot
removed
the
domain: topology
pront
force-pushed
the
codex/fix-validate-no-environment-vrl
branch
3 times, most recently
from
607ad63 to
5465781
Compare
github-actions
Bot
added
docs review on hold
pront
force-pushed
the
codex/fix-validate-no-environment-vrl
branch
from
5465781 to
2504092
Compare
github-actions
Bot
added
the
docs review on hold
pront
force-pushed
the
codex/fix-validate-no-environment-vrl
branch
2 times, most recently
from
fb35df8 to
54393be
Compare
github-actions
Bot
removed
the
domain: external docs
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 54393bea2d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
pront
force-pushed
the
codex/fix-validate-no-environment-vrl
branch
from
54393be to
24d9506
Compare
pront
force-pushed
the
codex/fix-validate-no-environment-vrl
branch
from
24d9506 to
b3e7b2a
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b3e7b2ac8b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
vector validate --no-environment now catches VRL compilation errors and invalid condition expressions in transforms before any environment resources are available. Design: - Add validate(&TransformContext) to TransformConfig; remap and filter implement it to compile VRL programs and conditions respectively - route, exclusive_route, and sample also validate their condition fields - Introduce validate_transforms(), called in both --no-environment and normal validate paths, which builds stub enrichment tables from the config so VRL can resolve table name references without loading data - Remove the validate() call from check_outputs: that function is for graph/wiring checks only; transform compilation belongs in validate_transforms() - Short-circuit environment checks when transform validation fails to avoid running health checks against external services for known-invalid configs - Add transforms-filter and transforms-aws_ec2_metadata to cli-tests feature set so the new integration tests compile correctly - Convert all CLI integration test configs to YAML; add create_yaml_file helper so test files carry the .yaml extension Vector uses for format detection Fixes #15037
pront
force-pushed
the
codex/fix-validate-no-environment-vrl
branch
from
b3e7b2a to
6077a2f
Compare
… cli-test features check_outputs checks output port names against reserved names using get_transform_output_ids, which includes auto-generated ports like the _unmatched output that route/exclusive_route emit by default. Checking _unmatched there falsely rejects all valid route configs. The reserved route name check belongs in route::validate (called via validate_transforms), not in the shared graph validation path. Also add transforms-filter and transforms-aws_ec2_metadata to the cli-tests feature set so the new integration tests compile in CI.
…t transform validation Clean separation between two distinct validation concerns: - validate(): structural config checks (reserved names, duplicate routes, invalid sample rates). Always safe to call, runs via check_outputs on every config load path including normal startup and reload. - validate_env(): environment-dependent checks (VRL compilation, condition building). Called only by validate_transforms() in vector validate with a real TransformContext that includes stub enrichment tables. remap and filter implement validate_env() for VRL/condition compilation. route, exclusive_route, and sample split their existing validate() into structural checks (validate) and condition compilation (validate_env). validate_transforms() calls both on each transform. Also adds a negative integration test asserting that an invalid filter condition is caught under --no-environment.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 973f13b5e5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…uce transforms These transforms compile AnyCondition fields only in build(), so invalid conditions were silently accepted under --no-environment. Now validate_env() covers: delay.condition, window.forward_when/flush_when, throttle.exclude, and reduce.ends_when/starts_when.
…to validate() Constraints that don't require environment resources were previously only checked inside build(), so they weren't caught by vector validate --no-environment or normal config compilation: - delay: zero delay duration - throttle: zero threshold or window_secs - reduce: mutually exclusive ends_when/starts_when
validate_merge_strategies() in transform.rs only ran during build(), so --no-environment silently accepted indexed paths like foo[0]. Move the check into ReduceConfig::validate() so it runs on all config load paths.
…s of transform errors Gating validate_environment on the transform pass result meant a VRL error would suppress environment/component errors, giving users an incomplete error picture. Both passes now run independently and their results are combined.
thomasqueirozb
approved these changes
Jun 25, 2026
github-actions
Bot
removed
the
docs review on hold
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
vector validate --no-environmentis meant for validating configs without access to environment resources (network, file system, external services). However, it silently skipped transform-level VRL and condition compilation, so errors like unhandled fallible function calls or type mismatches went unreported unless the full environment was available.This PR fixes that by unifying the validation path: transform compilation now runs in both
--no-environmentand normal mode, with the normal mode additionally running the full environment checks on top. Stub enrichment tables are registered from the config so VRL can validate enrichment table name references without loading actual data.As a cleanup, the
validate()call was also removed fromcheck_outputs— that function is for graph/wiring checks only and should not invoke environment-dependent logic.Vector configuration
Broken VRL — caught with
--no-environment:Broken condition — caught with
--no-environment:Valid config — passes:
How did you test this PR?
Also ran the CLI integration test suite:
cargo test --test integration --features cli-testsChange Type
Is this a breaking change?
Does this PR include user facing changes?
changelog.d/15037_validate_no_environment_vrl.fix.mdReferences