chore(config): service.json becomes factory-image only (SVC-4, #753) #792

Merged

dev merged 3 commits from dev/753 into main

2026-05-03 17:17:08 +00:00

dev commented

2026-05-03 16:41:54 +00:00

Collaborator

Closes #753

Summary

loadWebhookConfig no longer reads service.json at runtime; all service-infra fields now come from getServiceConfig() (DB) — the DB row is seeded at boot by syncServiceConfigBuiltin
Webhook secret resolution order: WEBHOOK_SECRET env var → svcDb.webhook_secret_ref secret table entry (via decryptSync)
syncBuiltinsFromRepo() moved to run before loadWebhookConfig() in main.ts so the service_config builtin row exists when the loader calls getServiceConfig()
Deprecation warnings for legacy agents.json service-infra fields now point to /api/service-config instead of service.json
service-config-schema.ts fields annotated with boot-time only comments
builtin-sync.ts: emits a warning when service.json changes, directing to the dashboard
Docs updated: docs/configuration.md and docs/modules.md

Test plan

bun test apps/server/src/shared/config/webhook-config.test.ts — all tests pass
bun test apps/server/src/http/webhook.test.ts — all 42 tests pass
bun test apps/server/src/ — 3241 pass, 0 fail
just qa (typecheck + lint + format) — clean

🤖 Generated with Claude Code

Closes #753 ## Summary - `loadWebhookConfig` no longer reads `service.json` at runtime; all service-infra fields now come from `getServiceConfig()` (DB) — the DB row is seeded at boot by `syncServiceConfigBuiltin` - Webhook secret resolution order: `WEBHOOK_SECRET` env var → `svcDb.webhook_secret_ref` secret table entry (via `decryptSync`) - `syncBuiltinsFromRepo()` moved to run **before** `loadWebhookConfig()` in `main.ts` so the `service_config` builtin row exists when the loader calls `getServiceConfig()` - Deprecation warnings for legacy `agents.json` service-infra fields now point to `/api/service-config` instead of `service.json` - `service-config-schema.ts` fields annotated with boot-time only comments - `builtin-sync.ts`: emits a warning when `service.json` changes, directing to the dashboard - Docs updated: `docs/configuration.md` and `docs/modules.md` ## Test plan - [x] `bun test apps/server/src/shared/config/webhook-config.test.ts` — all tests pass - [x] `bun test apps/server/src/http/webhook.test.ts` — all 42 tests pass - [x] `bun test apps/server/src/` — 3241 pass, 0 fail - [x] `just qa` (typecheck + lint + format) — clean 🤖 Generated with [Claude Code](https://claude.com/claude-code)

dev added 2 commits

2026-05-03 16:41:54 +00:00

chore(config): service.json becomes factory-image only (SVC-4, #753 ) 613810b7b7

- loadWebhookConfig no longer reads service.json at runtime; fields come
  from getServiceConfig() (builtin/global DB row) instead.
- syncBuiltinsFromRepo is now called before loadWebhookConfig in main.ts
  so the service_config builtin row exists when the loader runs.
- syncServiceConfigBuiltin emits a deprecation warning when service.json
  changes post-deploy, pointing operators to /api/service-config.
- LEGACY_SERVICE_FIELDS warning in loadWebhookConfig updated to point to
  the dashboard endpoint.
- Webhook secret read via the secret table (webhook_secret_ref) instead
  of a file path in serviceRaw.
- service-config-schema.ts fields annotated as boot-time builtin sync only.
- docs/configuration.md and docs/modules.md reflect new boot flow.
- Tests updated: writeSplitConfig seeds the DB via syncServiceConfigBuiltin;
  pipeline defaults verified; env-var-only paths simplified.

Closes #753

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix(tests): update webhook.test.ts for SVC-4 — set WEBHOOK_SECRET env var in beforeAll

qa / dockerfile (pull_request) Successful in 6s

Details

qa / qa-1 (pull_request) Successful in 1m50s

Details

qa / qa (pull_request) Successful in 0s

Details

c7e4ea8190

After SVC-4 (#753), loadWebhookConfig no longer reads webhook_secret_file
from agents.json at runtime. The shared secret now comes from the
WEBHOOK_SECRET env var (or the DB secret table via webhook_secret_ref).

Set WEBHOOK_SECRET=FAKE_SECRET temporarily in beforeAll and in the
"fails closed" test's finally/restore block so config.secret is
populated correctly for fallback-secret tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

dev requested review from reviewer

2026-05-03 16:43:49 +00:00

reviewer approved these changes

2026-05-03 16:46:18 +00:00

reviewer left a comment

All AC met. syncBuiltinsFromRepo correctly moved before loadWebhookConfig; webhook-config.ts reads from getServiceConfig() not file; secret resolution chain (env → DB ref) is sound; schema comments match spec wording.

Nit: per-field inline comments in service-config-schema.ts are identical repetitions of the class-level jsdoc — harmless.

All AC met. `syncBuiltinsFromRepo` correctly moved before `loadWebhookConfig`; `webhook-config.ts` reads from `getServiceConfig()` not file; secret resolution chain (env → DB ref) is sound; schema comments match spec wording. Nit: per-field inline comments in `service-config-schema.ts` are identical repetitions of the class-level jsdoc — harmless.

reviewer commented

2026-05-03 16:46:32 +00:00

Collaborator

PR has conflicts — please rebase on main before merging.