feat(api): load runtime config from yaml
alice.dev · codex/pr243-api → main · 9 files +537 -11
Migrates the api service's runtime config out of env vars and into a shared YAML loader with env-over-file precedence and a blocked-fields policy for secrets.
Correctness
Conventions
Performance
Tests
Security
Key findings
- cors_origins changed from list[str] to str without callout in PR body — undocumented public-shape change.
- Settings instantiated twice during load_settings() just to read the default config_path.
- Blocked-fields policy correctly blocks database_url, rabbitmq_url, frame_ingest_token.
Solid refactor, only nits remain.
fix(consumer): harden placement guard
bob.dev · fix/placement-guard → main · 5 files +128 -21
Rejects candidates more than 15m from a trusted anchor and falls back to the anchor itself. Includes a regression test for the 100m drift scenario.
Correctness
Conventions
Performance
Tests
Security
Tight, focused fix with a clear test.
chore(ci): standardize compose env policy
alice.dev · chore/compose-policy → main · 22 files +311 -44
Adds a compose env policy gate to pre-commit + CI. Disallows hardcoded credentials and runtime knobs in any docker-compose file.
Correctness
Conventions
Performance
Tests
Security
A durable guardrail — clean addition.
feat(experimental): rollup of feature branches
charlie.dev · experimental → main · 189 files +12,215 -1,354
A long-lived umbrella branch combining 7 separate feature PRs. Most have already been merged independently — this branch duplicates merged work.
Correctness
Conventions
Performance
Tests
Security
Rebase or close in favor of the constituent merged PRs.