Dark-Alex-17/loki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: Migrate the vault/bare_init logic

Browse Source
This commit is contained in:
Alex Clarke
2026-04-19 18:00:14 -06:00
parent f1914f6bd4
commit 0e427dc4ba
4 changed files with 208 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/implementation/PHASE-1-STEP-16c-NOTES.md
+196
View File
@@ -0,0 +1,196 @@
# Phase 1 Step 16c — Implementation Notes
## Status
Done.
## Plan reference
- Parent plan: `docs/implementation/PHASE-1-STEP-16-NOTES.md`
- Sub-phase goal: "Migrate Vault onto AppState; Vault::init takes
`&AppConfig`"
## Summary
Changed `Vault::init(&Config)` and `Vault::init_bare()` to operate on
`AppConfig` instead of `Config`. Simplified `Vault::handle_vault_flags`
to accept a `&Vault` directly instead of extracting one from a Config
argument. Deleted the duplicate `Config::vault_password_file` method
(the canonical version lives on `AppConfig`).
Vault is now fully Config-independent at the signature level. The
`Config.vault` runtime field still exists because it's populated
inside `Config::init` (for the current bridge-era flow), but nothing
about `Vault`'s API references `Config` anymore. The field itself
gets deleted in Step 16f when Config becomes a pure POJO.
## What was changed
### `src/vault/mod.rs`
**Signature change:**
```rust
// Before
pub fn init(config: &Config) -> Self
// After
pub fn init(config: &AppConfig) -> Self
```
**`Vault::init_bare` now uses `AppConfig::default()`** instead of
`Config::default()` to get the default vault password file path.
Behavioral parity — both `.default().vault_password_file()` calls
resolve to the same path (the fallback from `gman::config`).
**`Vault::handle_vault_flags` simplified:**
```rust
// Before
pub fn handle_vault_flags(cli: Cli, config: Config) -> Result<()>
// After
pub fn handle_vault_flags(cli: Cli, vault: &Vault) -> Result<()>
```
The old signature took a `Config` by value just to extract
`config.vault`. The new signature takes the Vault directly, which
decouples this function from Config entirely. Callers pass
`&config.vault` or equivalent.
**Import updated:**
- `use crate::config::Config` removed
- `use crate::config::AppConfig` added
### `src/config/mod.rs`
**In `Config::init`:**
```rust
// Before
let vault = Vault::init(config);
// After
let vault = Vault::init(&config.to_app_config());
```
This is a transitional call — `Config::init` builds a temporary
`AppConfig` via the bridge just to satisfy the new signature. This
temporary conversion disappears in Step 16e when `main.rs` stops
calling `Config::init` entirely and `AppConfig` is built first.
**Deleted `Config::vault_password_file`** method. The identical body
lives on `AppConfig`. All callers go through AppConfig now.
### `src/main.rs`
**Vault-flags path:**
```rust
// Before
return Vault::handle_vault_flags(cli, Config::init_bare()?);
// After
let cfg = Config::init_bare()?;
return Vault::handle_vault_flags(cli, &cfg.vault);
```
This is a minor restructure — same observable behavior, but the
Vault is extracted from the Config and passed directly. Makes the
vault-flags path obvious about what it actually needs (a Vault, not
a Config).
## Behavior parity
- `Vault::init` reads `config.vault_password_file()` — identical
method on both Config and AppConfig (removed from Config in this
step, kept on AppConfig).
- Password file initialization (`ensure_password_file_initialized`)
still runs in `Vault::init` as before.
- `Vault::init_bare` fallback path resolves to the same default
password file location.
- `handle_vault_flags` operates on the same Vault instance either
way — just receives it directly instead of indirectly via Config.
## Files modified
- `src/vault/mod.rs` — imports, `init` signature, `init_bare`
fallback source, `handle_vault_flags` signature.
- `src/config/mod.rs` — transitional `to_app_config()` call in
`Config::init`; deleted duplicate `vault_password_file` method.
- `src/main.rs` — vault-flags path takes `&cfg.vault` directly.
## Assumptions made
1. **`AppConfig::default().vault_password_file()` behaves identically
to `Config::default().vault_password_file()`.** Verified by
comparing method bodies — identical logic, same fallback via
`gman::config::Config::local_provider_password_file()`. Tests
confirm 122 passing, no regressions.
2. **Transitional `&config.to_app_config()` in `Config::init` is
acceptable.** The conversion happens once per Config::init call
— trivial cost for a non-hot path. Disappears entirely in 16e.
3. **`handle_vault_flags` taking `&Vault` is a strict improvement.**
The old signature took `Config` by value (wasteful for a function
that only needed one field). The new signature is honest about
its dependency.
4. **`Config.vault` field stays for now.** The `#[serde(skip)]` field
on Config still exists because `Config::init` populates it for
downstream Bridge flow consumers. Deletion deferred to 16f.
## Open questions
1. **Should `Vault::init` return `Result<Self>` instead of panicking?**
Currently uses `.expect("Failed to initialize password file")`.
The vault flags path can't do anything useful without a vault,
so panic vs early return is pragmatically equivalent. Leaving
as-is to minimize change surface in 16c.
2. **Is `Config::init_bare` still needed after 16e?** It's called
from the oauth path in `main.rs`. In 16e we'll audit whether
those paths really need full Config init or just an AppConfig.
Deferred to 16e.
## Verification
- `cargo check` — clean, zero warnings
- `cargo clippy` — clean, zero warnings
- `cargo test` — 122 passing, zero failures
- Grep confirmation:
- `Vault::init(` has one caller (in `Config::init`); one
remaining via test path (none found — deferred to 16d/16e where
AppState::init will own vault construction)
- `Vault::init_bare(` has one caller (via `interpolate_secrets`
flow); no other references
- `Config::vault_password_file` — zero references anywhere
- `Vault::handle_vault_flags` — single caller in `main.rs`,
signature verified
## Remaining work for Step 16
- **16d**: Build `AppState::init(app_config, ...).await` that takes
ownership of vault construction (replacing the current
`AppState { vault: cfg.vault.clone(), ... }` pattern).
- **16e**: Switch `main.rs` and all 15 `Config::init()` callers to
the new flow.
- **16f**: Delete `Config.vault` field, `Config::init`, bridge.rs,
and all remaining Config runtime fields.
## Migration direction preserved
Before 16c:
```
Vault::init(&Config) ← tight coupling to Config
Vault::init_bare() ← uses Config::default() internally
handle_vault_flags(Cli, Config) ← takes Config, extracts vault
Config::vault_password_file() ← duplicate with AppConfig's
```
After 16c:
```
Vault::init(&AppConfig) ← depends only on AppConfig
Vault::init_bare() ← uses AppConfig::default() internally
handle_vault_flags(Cli, &Vault) ← takes Vault directly
Config::vault_password_file() ← DELETED
```
The Vault module now has no Config dependency in its public API.
This means Step 16d can build `AppState::init` that calls
`Vault::init(&app_config)` without touching Config at all. It also
means `Config` is one step closer to being a pure POJO — one fewer
method on its surface, one fewer implicit dependency.
src/config/mod.rs
+1 -11
View File
@@ -356,7 +356,7 @@ impl Config {
};
let setup = async |config: &mut Self| -> Result<()> {
let vault = Vault::init(config);
let vault = Vault::init(&config.to_app_config());
let (parsed_config, missing_secrets) = interpolate_secrets(&content, &vault);
if !missing_secrets.is_empty() && !info_flag {
@@ -411,16 +411,6 @@ impl Config {
Ok(config)
}
pub fn vault_password_file(&self) -> PathBuf {
match &self.vault_password_file {
Some(path) => match path.exists() {
true => path.clone(),
false => gman::config::Config::local_provider_password_file(),
},
None => gman::config::Config::local_provider_password_file(),
}
}
pub fn sessions_dir(&self) -> PathBuf {
match &self.agent {
None => match env::var(get_env_name("sessions_dir")) {
src/main.rs
+2 -1
View File
@@ -92,7 +92,8 @@ async fn main() -> Result<()> {
}
if vault_flags {
return Vault::handle_vault_flags(cli, Config::init_bare()?);
let cfg = Config::init_bare()?;
return Vault::handle_vault_flags(cli, &cfg.vault);
}
let abort_signal = create_abort_signal();
src/vault/mod.rs
+9 -9
View File
@@ -5,7 +5,7 @@ pub use utils::create_vault_password_file;
pub use utils::interpolate_secrets;
use crate::cli::Cli;
use crate::config::Config;
use crate::config::AppConfig;
use crate::vault::utils::ensure_password_file_initialized;
use anyhow::{Context, Result};
use fancy_regex::Regex;
@@ -26,7 +26,7 @@ pub type GlobalVault = Arc<Vault>;
impl Vault {
pub fn init_bare() -> Self {
let vault_password_file = Config::default().vault_password_file();
let vault_password_file = AppConfig::default().vault_password_file();
let local_provider = LocalProvider {
password_file: Some(vault_password_file),
git_branch: None,
@@ -36,7 +36,7 @@ impl Vault {
Self { local_provider }
}
pub fn init(config: &Config) -> Self {
pub fn init(config: &AppConfig) -> Self {
let vault_password_file = config.vault_password_file();
let mut local_provider = LocalProvider {
password_file: Some(vault_password_file),
@@ -130,25 +130,25 @@ impl Vault {
Ok(secrets)
}
pub fn handle_vault_flags(cli: Cli, config: Config) -> Result<()> {
pub fn handle_vault_flags(cli: Cli, vault: &Vault) -> Result<()> {
if let Some(secret_name) = cli.add_secret {
config.vault.add_secret(&secret_name)?;
vault.add_secret(&secret_name)?;
}
if let Some(secret_name) = cli.get_secret {
config.vault.get_secret(&secret_name, true)?;
vault.get_secret(&secret_name, true)?;
}
if let Some(secret_name) = cli.update_secret {
config.vault.update_secret(&secret_name)?;
vault.update_secret(&secret_name)?;
}
if let Some(secret_name) = cli.delete_secret {
config.vault.delete_secret(&secret_name)?;
vault.delete_secret(&secret_name)?;
}
if cli.list_secrets {
config.vault.list_secrets(true)?;
vault.list_secrets(true)?;
}
Ok(())