refactor(x402): drive verifier deployment from helmfile, not Go-side kubectl apply#520
Closed
bussyjd wants to merge 1 commit into
Closed
refactor(x402): drive verifier deployment from helmfile, not Go-side kubectl apply#520bussyjd wants to merge 1 commit into
bussyjd wants to merge 1 commit into
Conversation
…kubectl apply Kills CLAUDE.md pitfall #9 forever. The previous code path had two problems that compounded: 1. EnsureVerifier did kubectl apply of embed.FS x402.yaml directly, overwriting whatever helmfile had installed. Under OBOL_DEVELOPMENT=true, this stripped local-build image pins back to registry-pinned digests — silently bypassing every dev edit to the verifier. 2. To work around (1), setup.go carried a DUPLICATE copy of the image-pin rewrite regex from internal/defaults/defaults.go (with a code comment confessing "duplicated here to avoid an import cycle"). Every fix to the regex (e.g. pitfall #12's alternation- order fix) had to be applied in two places — which is exactly the kind of footgun that produces silent bypasses. Now EnsureVerifier shells out to helmfile --selector name=base sync against the helmfile state already used by obol stack up. Since helmfile reads the manifests from \$OBOL_CONFIG_DIR/defaults/ — which is populated by defaults.CopyInfrastructure with the canonical regex already applied — the dev-rewrite happens exactly once, in exactly one place. - Deletes the duplicate devLocallyBuiltImageBases + regex from internal/x402/setup.go. - EnsureVerifier now: RefreshInfrastructureIfChanged(); helmfile sync --selector name=base. - Deletes internal/x402/manifest_devmode_test.go — the canonical regression test is internal/defaults/defaults_test.go:: TestCopyInfrastructure_DevModeRewritesDigestPins which still guards the rewrite at its single source. - Adds a structural test (setup_structure_test.go) asserting setup.go does not import the regexp package, making re-introduction of the duplicate fail at test time. The duplicate-regex footgun is now structurally impossible to re-introduce.
6 tasks
Collaborator
Author
|
Superseded by bundle PR #536 — closing in favor of the consolidated merge target. Original branch and history preserved. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
CLAUDE.md pitfall #9 documented a real production bug class:
EnsureVerifier'skubectl applyofx402.yamloverwrites whatever helmfile installed. The fix at the time (commit5a10fb8) was to rewrite image pins in-memory before applying. But that meant the dev-pin rewrite regex now lives in two places —internal/defaults/defaults.go:124(canonical) andinternal/x402/setup.go:74(duplicate, with a code-comment apology about an import cycle).Pitfall #12 then fixed a regex-alternation bug — in both files. Every future fix to the rewrite needs to be applied in both places. That's a footgun.
Before
After
What changed
internal/x402/setup.go- deleted ~60 lines of duplicate regex + image-base list.EnsureVerifiernow invokes helmfile against thebaserelease (matching the existing release ininternal/embed/infrastructure/helmfile.yamlwhosechart: ./baserenders the x402 manifests).internal/x402/manifest_devmode_test.go- deleted. Canonical regression test lives ininternal/defaults/defaults_test.go::TestCopyInfrastructure_DevModeRewritesDigestPins.internal/x402/setup_structure_test.go- structural test assertinginternal/x402/setup.godoes not import theregexppackage (string check + AST check). Re-introducing the duplicate fails at test time.Call sites of
EnsureVerifierreviewedOnly one caller in the codebase:
x402.Setup(same file), which is invoked fromcmd/obol/sell.go:2615andcmd/obol/sell.go:2631(theobol sell pricingcommand).obol stack updoes not callEnsureVerifierdirectly — it usesinternal/stack.syncDefaults(helmfile) which already deploys x402.yaml via thebaserelease. After this PR, both code paths reconcile the verifier through the same helmfile invocation pattern.Other duplicate-regex copies in the codebase
Searched the tree for
devLocallyBuiltImageBases,rewriteDevDigestPins, andrewriteDevImagePinsInManifest. After this PR, the only remaining references are ininternal/defaults/defaults.go(canonical implementation) andinternal/defaults/defaults_test.go(canonical regression test). No other duplicates exist.Test plan
go build ./...cleango test ./internal/x402/...green (24 packages, structural test passes)go test ./internal/defaults/...greenTestCopyInfrastructure_DevModeRewritesDigestPins(canonical regression test) still passesTestEnsureVerifier_NoInlineRegex(new structural test) passes; would fail ifregexpis re-imported into setup.goOBOL_DEVELOPMENT=true obol sell pricing --wallet 0x... --chain base-sepolia- confirm the verifier Deployment ends up with:latestimages (dev rewrite applied via helmfile path)Closes
CLAUDE.md pitfall #9 (
EnsureVerifieroverwrites helmfile's image pin underOBOL_DEVELOPMENT=true) - structurally now impossible.