Skip to content

feat(app): integrate Vault config source into startup flow (#299)#311

Open
crrow wants to merge 2 commits intomainfrom
codex/vault-app-integration
Open

feat(app): integrate Vault config source into startup flow (#299)#311
crrow wants to merge 2 commits intomainfrom
codex/vault-app-integration

Conversation

@crrow
Copy link
Copy Markdown
Collaborator

@crrow crrow commented Mar 13, 2026

Summary

  • add optional Vault configuration to AppConfig and pull/merge Vault values before app infrastructure boot
  • seed settings from the bootstrapped config, push KV writebacks back to Vault, and keep settings updated with a background Vault watcher
  • add serde/bootstrap/watcher/config-sync coverage for vault-enabled and vault-disabled flows

Type of change

  • Bug fix
  • New feature
  • Breaking change
  • Refactor
  • CI / Infrastructure
  • Documentation

Closes

Closes #299

Test plan

  • 🧪 Running tests with nextest... passes
  • 🔍 Running clippy... passes
  • Tested locally

Validated with:

  • 🔧 Formatting protobuf files...
    🔧 Formatting Rust code...
    🔧 Formatting TOML files...
    🔧 Formatting YAML files...
    🔧 Formatting with hawkeye...
    2026-03-13T10:21:56.042412Z WARN hawkeye::cli: Processing unknown files: ["/Users/ryan/code/rararulab/rara/.worktrees/codex-vault-app-integration/crates/cmd/wix/main.wxs", "/Users/ryan/code/rararulab/rara/.worktrees/codex-vault-app-integration/crates/integrations/mcp/justfile", "/Users/ryan/code/rararulab/rara/.worktrees/codex-vault-app-integration/crates/common/yunara-store/justfile", "/Users/ryan/code/rararulab/rara/.worktrees/codex-vault-app-integration/justfile", "/Users/ryan/code/rararulab/rara/.worktrees/codex-vault-app-integration/env.local.example", "/Users/ryan/code/rararulab/rara/.worktrees/codex-vault-app-integration/.yamllint", "/Users/ryan/code/rararulab/rara/.worktrees/codex-vault-app-integration/execution/workers/rara-py-worker/justfile", "/Users/ryan/code/rararulab/rara/.worktrees/codex-vault-app-integration/execution/workers/rara-py-worker/.python-version"]
    ✅ All formatting complete!

running 18 tests
test tools::settings::tests::non_sensitive_keys_not_masked ... ok
test tools::mita_evolve_soul::tests::tool_has_required_params ... ok
test tools::settings::tests::mask_sensitive_keys ... ok
test vault_watcher::tests::versions_changed_detects_metadata_updates ... ok
test flatten::tests::unflatten_empty_map_returns_none ... ok
test vault_watcher::tests::build_settings_patches_updates_changed_values ... ok
test vault_bootstrap::tests::pull_and_merge_returns_false_when_no_vault_configured ... ok
test vault_bootstrap::tests::merge_vault_pairs_does_not_override_when_empty ... ok
test config_sync::tests::appconfig_without_vault_parses ... ok
test config_sync::tests::appconfig_with_vault_yaml_roundtrip ... ok
test vault_bootstrap::tests::merge_vault_pairs_overrides_llm ... ok
test flatten::tests::roundtrip_flatten_unflatten ... ok
test config_sync::tests::appconfig_yaml_roundtrip ... ok
test tests::app_config_loads_from_global_fallback_when_local_is_missing ... ok
test tests::app_config_prefers_local_override_over_global ... ok
test config_sync::tests::writeback_without_vault_still_works ... ok
test config_sync::tests::initial_sync_prefers_bootstrapped_config ... ok
test config_sync::tests::sync_from_file_populates_kv ... ok

test result: ok. 18 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.03s

running 1 test
test anchor_checkout_roundtrip ... ignored, uses the real LLM provider — run with: cargo test -p rara-app --test anchor_checkout_e2e -- --ignored --nocapture

test result: ok. 0 passed; 0 failed; 1 ignored; 0 measured; 0 filtered out; finished in 0.00s

running 1 test
test real_model_soak_test_survives_long_tape_pressure ... ignored, uses the real LLM provider configured in config.yaml and runs a long soak

test result: ok. 0 passed; 0 failed; 1 ignored; 0 measured; 0 filtered out; finished in 0.00s

running 0 tests

test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

  • 🔨 Running compilation check...

Notes:

  • is currently blocked by pre-existing warnings in , , and outside this app integration change.

crrow and others added 2 commits March 13, 2026 18:21
@crrow
feat(app): integrate vault config source into startup flow (#299)
3e391ab 
Integrate rara-vault into rara-app startup and config sync paths.

- add optional vault config to AppConfig and bootstrap merge logic\n- seed settings from bootstrapped config, plus add watcher and vault writeback\n- cover vault serde, merge, watcher, and config sync behavior with tests
@crrow @claude
fix(vault): address PR review issues for vault app integration (#299)
7892f07 
- Consolidate VaultClient creation: build once in start_with_options,
  share via Arc across bootstrap, config_sync, and watcher (was 3
  separate login calls)
- Prevent vault watcher ↔ config_sync echo loop: shared AtomicU64
  timestamp tracks last push, watcher skips apply within 5s grace window
- Fix config_path resolution: prefer local ./config.yaml if exists,
  fall back to rara_paths::config_file() (was hardcoded to cwd)
- Remove hardcoded defaults for VaultConfig.mount_path and
  fallback_to_local (must be explicit in YAML)
- Replace filter_map that never filters with map in flatten_value
- Refactor vault_bootstrap::pull_and_merge to accept &VaultClient
  instead of creating its own

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat(app): integrate Vault config source into AppConfig startup flow

1 participant

@crrow