mirror of
https://github.com/wshobson/agents.git
synced 2026-03-18 09:37:15 +00:00
d2f3886ae1
Repository Restructure: - Move all 83 agent .md files to agents/ subdirectory - Add 15 workflow orchestrators from commands repo to workflows/ - Add 42 development tools from commands repo to tools/ - Update README for unified repository structure The commands repository functionality is now fully integrated, providing complete workflow orchestration and development tooling alongside agents. Directory Structure: - agents/ - 83 specialized AI agents - workflows/ - 15 multi-agent orchestration commands - tools/ - 42 focused development utilities No breaking changes to agent functionality - all agents remain accessible with same names and behavior. Adds workflow and tool commands for enhanced multi-agent coordination capabilities.
49 KiB
49 KiB
model
| model |
|---|
| claude-sonnet-4-0 |
Configuration Validation
You are a configuration management expert specializing in validating, testing, and ensuring the correctness of application configurations. Create comprehensive validation schemas, implement configuration testing strategies, and ensure configurations are secure, consistent, and error-free across all environments.
Context
The user needs to validate configuration files, implement configuration schemas, ensure consistency across environments, and prevent configuration-related errors. Focus on creating robust validation rules, type safety, security checks, and automated validation processes.
Requirements
$ARGUMENTS
Instructions
1. Configuration Analysis
Analyze existing configuration structure and identify validation needs:
Configuration Scanner
import os
import yaml
import json
import toml
import configparser
from pathlib import Path
from typing import Dict, List, Any, Set
class ConfigurationAnalyzer:
def analyze_project(self, project_path: str) -> Dict[str, Any]:
"""
Analyze project configuration files and patterns
"""
analysis = {
'config_files': self._find_config_files(project_path),
'config_patterns': self._identify_patterns(project_path),
'security_issues': self._check_security_issues(project_path),
'consistency_issues': self._check_consistency(project_path),
'validation_coverage': self._assess_validation(project_path),
'recommendations': []
}
self._generate_recommendations(analysis)
return analysis
def _find_config_files(self, project_path: str) -> List[Dict]:
"""Find all configuration files in project"""
config_patterns = [
'**/*.json', '**/*.yaml', '**/*.yml', '**/*.toml',
'**/*.ini', '**/*.conf', '**/*.config', '**/*.env*',
'**/*.properties', '**/config.js', '**/config.ts'
]
config_files = []
for pattern in config_patterns:
for file_path in Path(project_path).glob(pattern):
if not self._should_ignore(file_path):
config_files.append({
'path': str(file_path),
'type': self._detect_config_type(file_path),
'size': file_path.stat().st_size,
'environment': self._detect_environment(file_path)
})
return config_files
def _check_security_issues(self, project_path: str) -> List[Dict]:
"""Check for security issues in configurations"""
issues = []
# Patterns that might indicate secrets
secret_patterns = [
r'(api[_-]?key|apikey)',
r'(secret|password|passwd|pwd)',
r'(token|auth)',
r'(private[_-]?key)',
r'(aws[_-]?access|aws[_-]?secret)',
r'(database[_-]?url|db[_-]?connection)'
]
for config_file in self._find_config_files(project_path):
content = Path(config_file['path']).read_text()
for pattern in secret_patterns:
if re.search(pattern, content, re.IGNORECASE):
# Check if it's a placeholder or actual secret
if self._looks_like_real_secret(content, pattern):
issues.append({
'file': config_file['path'],
'type': 'potential_secret',
'pattern': pattern,
'severity': 'high'
})
return issues
def _check_consistency(self, project_path: str) -> List[Dict]:
"""Check configuration consistency across environments"""
inconsistencies = []
# Group configs by base name
config_groups = defaultdict(list)
for config in self._find_config_files(project_path):
base_name = self._get_base_config_name(config['path'])
config_groups[base_name].append(config)
# Check each group for inconsistencies
for base_name, configs in config_groups.items():
if len(configs) > 1:
keys_by_env = {}
for config in configs:
env = config.get('environment', 'default')
keys = self._extract_config_keys(config['path'])
keys_by_env[env] = keys
# Find missing keys
all_keys = set()
for keys in keys_by_env.values():
all_keys.update(keys)
for env, keys in keys_by_env.items():
missing = all_keys - keys
if missing:
inconsistencies.append({
'config_group': base_name,
'environment': env,
'missing_keys': list(missing),
'severity': 'medium'
})
return inconsistencies
2. Schema Definition and Validation
Implement configuration schema validation:
JSON Schema Validator
// config-validator.ts
import Ajv from 'ajv';
import ajvFormats from 'ajv-formats';
import ajvKeywords from 'ajv-keywords';
import { JSONSchema7 } from 'json-schema';
interface ValidationResult {
valid: boolean;
errors?: Array<{
path: string;
message: string;
keyword: string;
params: any;
}>;
}
export class ConfigValidator {
private ajv: Ajv;
private schemas: Map<string, JSONSchema7> = new Map();
constructor() {
this.ajv = new Ajv({
allErrors: true,
verbose: true,
strict: false,
coerceTypes: true
});
// Add formats support
ajvFormats(this.ajv);
ajvKeywords(this.ajv);
// Add custom formats
this.addCustomFormats();
}
private addCustomFormats() {
// URL format with protocol validation
this.ajv.addFormat('url-https', {
type: 'string',
validate: (data: string) => {
try {
const url = new URL(data);
return url.protocol === 'https:';
} catch {
return false;
}
}
});
// Environment variable reference
this.ajv.addFormat('env-var', {
type: 'string',
validate: /^\$\{[A-Z_][A-Z0-9_]*\}$/
});
// Semantic version
this.ajv.addFormat('semver', {
type: 'string',
validate: /^\d+\.\d+\.\d+(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$/
});
// Port number
this.ajv.addFormat('port', {
type: 'number',
validate: (data: number) => data >= 1 && data <= 65535
});
// Duration format (e.g., "5m", "1h", "30s")
this.ajv.addFormat('duration', {
type: 'string',
validate: /^\d+[smhd]$/
});
}
registerSchema(name: string, schema: JSONSchema7): void {
this.schemas.set(name, schema);
this.ajv.addSchema(schema, name);
}
validate(configData: any, schemaName: string): ValidationResult {
const validate = this.ajv.getSchema(schemaName);
if (!validate) {
throw new Error(`Schema '${schemaName}' not found`);
}
const valid = validate(configData);
if (!valid && validate.errors) {
return {
valid: false,
errors: validate.errors.map(error => ({
path: error.instancePath || '/',
message: error.message || 'Validation error',
keyword: error.keyword,
params: error.params
}))
};
}
return { valid: true };
}
generateSchema(sampleConfig: any): JSONSchema7 {
// Auto-generate schema from sample configuration
const schema: JSONSchema7 = {
type: 'object',
properties: {},
required: []
};
for (const [key, value] of Object.entries(sampleConfig)) {
schema.properties![key] = this.inferSchema(value);
// Make all top-level properties required by default
if (schema.required && !key.startsWith('optional_')) {
schema.required.push(key);
}
}
return schema;
}
private inferSchema(value: any): JSONSchema7 {
if (value === null) {
return { type: 'null' };
}
if (Array.isArray(value)) {
return {
type: 'array',
items: value.length > 0 ? this.inferSchema(value[0]) : {}
};
}
if (typeof value === 'object') {
const properties: Record<string, JSONSchema7> = {};
const required: string[] = [];
for (const [k, v] of Object.entries(value)) {
properties[k] = this.inferSchema(v);
if (v !== null && v !== undefined) {
required.push(k);
}
}
return {
type: 'object',
properties,
required
};
}
// Infer format from value patterns
if (typeof value === 'string') {
if (value.match(/^https?:\/\//)) {
return { type: 'string', format: 'uri' };
}
if (value.match(/^\d{4}-\d{2}-\d{2}$/)) {
return { type: 'string', format: 'date' };
}
if (value.match(/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i)) {
return { type: 'string', format: 'uuid' };
}
}
return { type: typeof value as JSONSchema7['type'] };
}
}
// Example schemas
export const schemas = {
database: {
type: 'object',
properties: {
host: { type: 'string', format: 'hostname' },
port: { type: 'integer', format: 'port' },
database: { type: 'string', minLength: 1 },
user: { type: 'string', minLength: 1 },
password: { type: 'string', minLength: 8 },
ssl: {
type: 'object',
properties: {
enabled: { type: 'boolean' },
ca: { type: 'string' },
cert: { type: 'string' },
key: { type: 'string' }
},
required: ['enabled']
},
pool: {
type: 'object',
properties: {
min: { type: 'integer', minimum: 0 },
max: { type: 'integer', minimum: 1 },
idleTimeout: { type: 'string', format: 'duration' }
}
}
},
required: ['host', 'port', 'database', 'user', 'password'],
additionalProperties: false
},
api: {
type: 'object',
properties: {
server: {
type: 'object',
properties: {
host: { type: 'string', default: '0.0.0.0' },
port: { type: 'integer', format: 'port', default: 3000 },
cors: {
type: 'object',
properties: {
enabled: { type: 'boolean' },
origins: {
type: 'array',
items: { type: 'string', format: 'uri' }
},
credentials: { type: 'boolean' }
}
}
},
required: ['port']
},
auth: {
type: 'object',
properties: {
jwt: {
type: 'object',
properties: {
secret: { type: 'string', minLength: 32 },
expiresIn: { type: 'string', format: 'duration' },
algorithm: {
type: 'string',
enum: ['HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512']
}
},
required: ['secret', 'expiresIn']
}
}
},
rateLimit: {
type: 'object',
properties: {
windowMs: { type: 'integer', minimum: 1000 },
max: { type: 'integer', minimum: 1 },
message: { type: 'string' }
}
}
},
required: ['server', 'auth']
}
};
3. Environment-Specific Validation
Validate configurations across environments:
Environment Validator
# environment_validator.py
from typing import Dict, List, Set, Any
import os
import re
class EnvironmentValidator:
def __init__(self):
self.environments = ['development', 'staging', 'production']
self.environment_rules = self._define_environment_rules()
def _define_environment_rules(self) -> Dict[str, Dict]:
"""Define environment-specific validation rules"""
return {
'development': {
'allow_debug': True,
'require_https': False,
'allow_wildcards': True,
'min_password_length': 8,
'allowed_log_levels': ['debug', 'info', 'warn', 'error']
},
'staging': {
'allow_debug': True,
'require_https': True,
'allow_wildcards': False,
'min_password_length': 12,
'allowed_log_levels': ['info', 'warn', 'error']
},
'production': {
'allow_debug': False,
'require_https': True,
'allow_wildcards': False,
'min_password_length': 16,
'allowed_log_levels': ['warn', 'error'],
'require_encryption': True,
'require_backup': True
}
}
def validate_config(self, config: Dict, environment: str) -> List[Dict]:
"""Validate configuration for specific environment"""
if environment not in self.environment_rules:
raise ValueError(f"Unknown environment: {environment}")
rules = self.environment_rules[environment]
violations = []
# Check debug settings
if not rules['allow_debug'] and config.get('debug', False):
violations.append({
'rule': 'no_debug_in_production',
'message': 'Debug mode is not allowed in production',
'severity': 'critical',
'path': 'debug'
})
# Check HTTPS requirements
if rules['require_https']:
urls = self._extract_urls(config)
for url_path, url in urls:
if url.startswith('http://') and 'localhost' not in url:
violations.append({
'rule': 'require_https',
'message': f'HTTPS required for {url_path}',
'severity': 'high',
'path': url_path,
'value': url
})
# Check log levels
log_level = config.get('logging', {}).get('level')
if log_level and log_level not in rules['allowed_log_levels']:
violations.append({
'rule': 'invalid_log_level',
'message': f"Log level '{log_level}' not allowed in {environment}",
'severity': 'medium',
'path': 'logging.level',
'allowed': rules['allowed_log_levels']
})
# Check production-specific requirements
if environment == 'production':
violations.extend(self._validate_production_requirements(config))
return violations
def _validate_production_requirements(self, config: Dict) -> List[Dict]:
"""Additional validation for production environment"""
violations = []
# Check encryption settings
if not config.get('security', {}).get('encryption', {}).get('enabled'):
violations.append({
'rule': 'encryption_required',
'message': 'Encryption must be enabled in production',
'severity': 'critical',
'path': 'security.encryption.enabled'
})
# Check backup configuration
if not config.get('backup', {}).get('enabled'):
violations.append({
'rule': 'backup_required',
'message': 'Backup must be configured for production',
'severity': 'high',
'path': 'backup.enabled'
})
# Check monitoring
if not config.get('monitoring', {}).get('enabled'):
violations.append({
'rule': 'monitoring_required',
'message': 'Monitoring must be enabled in production',
'severity': 'high',
'path': 'monitoring.enabled'
})
return violations
def _extract_urls(self, obj: Any, path: str = '') -> List[tuple]:
"""Recursively extract URLs from configuration"""
urls = []
if isinstance(obj, dict):
for key, value in obj.items():
new_path = f"{path}.{key}" if path else key
urls.extend(self._extract_urls(value, new_path))
elif isinstance(obj, list):
for i, item in enumerate(obj):
new_path = f"{path}[{i}]"
urls.extend(self._extract_urls(item, new_path))
elif isinstance(obj, str) and re.match(r'^https?://', obj):
urls.append((path, obj))
return urls
# Cross-environment consistency checker
class ConsistencyChecker:
def check_consistency(self, configs: Dict[str, Dict]) -> List[Dict]:
"""Check configuration consistency across environments"""
issues = []
# Get all unique keys across environments
all_keys = set()
env_keys = {}
for env, config in configs.items():
keys = self._flatten_keys(config)
env_keys[env] = keys
all_keys.update(keys)
# Check for missing keys
for env, keys in env_keys.items():
missing_keys = all_keys - keys
if missing_keys:
issues.append({
'type': 'missing_keys',
'environment': env,
'keys': list(missing_keys),
'severity': 'medium'
})
# Check for type inconsistencies
for key in all_keys:
types_by_env = {}
for env, config in configs.items():
value = self._get_nested_value(config, key)
if value is not None:
types_by_env[env] = type(value).__name__
unique_types = set(types_by_env.values())
if len(unique_types) > 1:
issues.append({
'type': 'type_mismatch',
'key': key,
'types': types_by_env,
'severity': 'high'
})
return issues
4. Configuration Testing Framework
Implement configuration testing:
Config Test Suite
// config-test.ts
import { describe, it, expect, beforeEach } from '@jest/globals';
import { ConfigValidator } from './config-validator';
import { loadConfig } from './config-loader';
interface ConfigTestCase {
name: string;
config: any;
environment: string;
expectedValid: boolean;
expectedErrors?: string[];
}
export class ConfigTestSuite {
private validator: ConfigValidator;
constructor() {
this.validator = new ConfigValidator();
}
async runTests(testCases: ConfigTestCase[]): Promise<TestResults> {
const results: TestResults = {
passed: 0,
failed: 0,
errors: []
};
for (const testCase of testCases) {
try {
const result = await this.runTestCase(testCase);
if (result.passed) {
results.passed++;
} else {
results.failed++;
results.errors.push({
testName: testCase.name,
errors: result.errors
});
}
} catch (error) {
results.failed++;
results.errors.push({
testName: testCase.name,
errors: [error.message]
});
}
}
return results;
}
private async runTestCase(testCase: ConfigTestCase): Promise<TestResult> {
// Load and validate config
const validationResult = this.validator.validate(
testCase.config,
testCase.environment
);
const result: TestResult = {
passed: validationResult.valid === testCase.expectedValid,
errors: []
};
// Check expected errors
if (testCase.expectedErrors && validationResult.errors) {
for (const expectedError of testCase.expectedErrors) {
const found = validationResult.errors.some(
error => error.message.includes(expectedError)
);
if (!found) {
result.passed = false;
result.errors.push(`Expected error not found: ${expectedError}`);
}
}
}
return result;
}
}
// Jest test examples
describe('Configuration Validation', () => {
let validator: ConfigValidator;
beforeEach(() => {
validator = new ConfigValidator();
});
describe('Database Configuration', () => {
it('should validate valid database config', () => {
const config = {
host: 'localhost',
port: 5432,
database: 'myapp',
user: 'dbuser',
password: 'securepassword123'
};
const result = validator.validate(config, 'database');
expect(result.valid).toBe(true);
});
it('should reject invalid port number', () => {
const config = {
host: 'localhost',
port: 70000, // Invalid port
database: 'myapp',
user: 'dbuser',
password: 'securepassword123'
};
const result = validator.validate(config, 'database');
expect(result.valid).toBe(false);
expect(result.errors?.[0].path).toBe('/port');
});
it('should require SSL in production', () => {
const config = {
host: 'prod-db.example.com',
port: 5432,
database: 'myapp',
user: 'dbuser',
password: 'securepassword123',
ssl: { enabled: false }
};
const envValidator = new EnvironmentValidator();
const violations = envValidator.validate_config(config, 'production');
expect(violations).toContainEqual(
expect.objectContaining({
rule: 'ssl_required_in_production'
})
);
});
});
describe('API Configuration', () => {
it('should validate CORS settings', () => {
const config = {
server: {
port: 3000,
cors: {
enabled: true,
origins: ['https://example.com', 'https://app.example.com'],
credentials: true
}
},
auth: {
jwt: {
secret: 'a'.repeat(32),
expiresIn: '1h',
algorithm: 'HS256'
}
}
};
const result = validator.validate(config, 'api');
expect(result.valid).toBe(true);
});
it('should reject short JWT secrets', () => {
const config = {
server: { port: 3000 },
auth: {
jwt: {
secret: 'tooshort',
expiresIn: '1h'
}
}
};
const result = validator.validate(config, 'api');
expect(result.valid).toBe(false);
expect(result.errors?.[0].path).toBe('/auth/jwt/secret');
});
});
});
5. Runtime Configuration Validation
Implement runtime validation and hot-reloading:
Runtime Config Validator
// runtime-validator.ts
import { EventEmitter } from 'events';
import * as chokidar from 'chokidar';
import { ConfigValidator } from './config-validator';
export class RuntimeConfigValidator extends EventEmitter {
private validator: ConfigValidator;
private currentConfig: any;
private watchers: Map<string, chokidar.FSWatcher> = new Map();
private validationCache: Map<string, ValidationResult> = new Map();
constructor() {
super();
this.validator = new ConfigValidator();
}
async initialize(configPath: string): Promise<void> {
// Load initial config
this.currentConfig = await this.loadAndValidate(configPath);
// Setup file watcher for hot-reloading
this.watchConfig(configPath);
}
private async loadAndValidate(configPath: string): Promise<any> {
try {
// Load config
const config = await this.loadConfig(configPath);
// Validate config
const validationResult = this.validator.validate(
config,
this.detectEnvironment()
);
if (!validationResult.valid) {
this.emit('validation:error', {
path: configPath,
errors: validationResult.errors
});
// In development, log errors but continue
if (this.isDevelopment()) {
console.error('Configuration validation errors:', validationResult.errors);
return config;
}
// In production, throw error
throw new ConfigValidationError(
'Configuration validation failed',
validationResult.errors
);
}
this.emit('validation:success', { path: configPath });
return config;
} catch (error) {
this.emit('validation:error', { path: configPath, error });
throw error;
}
}
private watchConfig(configPath: string): void {
const watcher = chokidar.watch(configPath, {
persistent: true,
ignoreInitial: true
});
watcher.on('change', async () => {
console.log(`Configuration file changed: ${configPath}`);
try {
const newConfig = await this.loadAndValidate(configPath);
// Check if config actually changed
if (JSON.stringify(newConfig) !== JSON.stringify(this.currentConfig)) {
const oldConfig = this.currentConfig;
this.currentConfig = newConfig;
this.emit('config:changed', {
oldConfig,
newConfig,
changedKeys: this.findChangedKeys(oldConfig, newConfig)
});
}
} catch (error) {
this.emit('config:error', { error });
}
});
this.watchers.set(configPath, watcher);
}
private findChangedKeys(oldConfig: any, newConfig: any): string[] {
const changed: string[] = [];
const findDiff = (old: any, new_: any, path: string = '') => {
// Check all keys in old config
for (const key in old) {
const currentPath = path ? `${path}.${key}` : key;
if (!(key in new_)) {
changed.push(`${currentPath} (removed)`);
} else if (typeof old[key] === 'object' && typeof new_[key] === 'object') {
findDiff(old[key], new_[key], currentPath);
} else if (old[key] !== new_[key]) {
changed.push(currentPath);
}
}
// Check for new keys
for (const key in new_) {
if (!(key in old)) {
const currentPath = path ? `${path}.${key}` : key;
changed.push(`${currentPath} (added)`);
}
}
};
findDiff(oldConfig, newConfig);
return changed;
}
validateValue(path: string, value: any): ValidationResult {
// Use cached schema for performance
const cacheKey = `${path}:${JSON.stringify(value)}`;
if (this.validationCache.has(cacheKey)) {
return this.validationCache.get(cacheKey)!;
}
// Extract schema for specific path
const schema = this.getSchemaForPath(path);
if (!schema) {
return { valid: true }; // No schema defined for this path
}
const result = this.validator.validateValue(value, schema);
this.validationCache.set(cacheKey, result);
return result;
}
async shutdown(): Promise<void> {
// Close all watchers
for (const watcher of this.watchers.values()) {
await watcher.close();
}
this.watchers.clear();
this.validationCache.clear();
}
}
// Type-safe configuration access
export class TypedConfig<T> {
constructor(
private config: T,
private validator: RuntimeConfigValidator
) {}
get<K extends keyof T>(key: K): T[K] {
const value = this.config[key];
// Validate on access in development
if (process.env.NODE_ENV === 'development') {
const result = this.validator.validateValue(String(key), value);
if (!result.valid) {
console.warn(`Invalid config value for ${String(key)}:`, result.errors);
}
}
return value;
}
getOrDefault<K extends keyof T>(key: K, defaultValue: T[K]): T[K] {
return this.config[key] ?? defaultValue;
}
require<K extends keyof T>(key: K): NonNullable<T[K]> {
const value = this.config[key];
if (value === null || value === undefined) {
throw new Error(`Required configuration '${String(key)}' is missing`);
}
return value as NonNullable<T[K]>;
}
}
6. Configuration Migration
Implement configuration migration and versioning:
Config Migration System
# config_migration.py
from typing import Dict, List, Callable, Any
from abc import ABC, abstractmethod
import semver
class ConfigMigration(ABC):
"""Base class for configuration migrations"""
@property
@abstractmethod
def version(self) -> str:
"""Target version for this migration"""
pass
@property
@abstractmethod
def description(self) -> str:
"""Description of what this migration does"""
pass
@abstractmethod
def up(self, config: Dict) -> Dict:
"""Apply migration to config"""
pass
@abstractmethod
def down(self, config: Dict) -> Dict:
"""Revert migration from config"""
pass
def validate(self, config: Dict) -> bool:
"""Validate config after migration"""
return True
class ConfigMigrator:
def __init__(self):
self.migrations: List[ConfigMigration] = []
def register_migration(self, migration: ConfigMigration):
"""Register a migration"""
self.migrations.append(migration)
# Sort by version
self.migrations.sort(key=lambda m: semver.VersionInfo.parse(m.version))
def migrate(self, config: Dict, target_version: str) -> Dict:
"""Migrate config to target version"""
current_version = config.get('_version', '0.0.0')
if semver.compare(current_version, target_version) == 0:
return config # Already at target version
if semver.compare(current_version, target_version) > 0:
# Downgrade
return self._downgrade(config, current_version, target_version)
else:
# Upgrade
return self._upgrade(config, current_version, target_version)
def _upgrade(self, config: Dict, from_version: str, to_version: str) -> Dict:
"""Upgrade config from one version to another"""
result = config.copy()
for migration in self.migrations:
if (semver.compare(migration.version, from_version) > 0 and
semver.compare(migration.version, to_version) <= 0):
print(f"Applying migration to v{migration.version}: {migration.description}")
result = migration.up(result)
if not migration.validate(result):
raise ValueError(f"Migration to v{migration.version} failed validation")
result['_version'] = migration.version
return result
def _downgrade(self, config: Dict, from_version: str, to_version: str) -> Dict:
"""Downgrade config from one version to another"""
result = config.copy()
# Apply migrations in reverse order
for migration in reversed(self.migrations):
if (semver.compare(migration.version, to_version) > 0 and
semver.compare(migration.version, from_version) <= 0):
print(f"Reverting migration from v{migration.version}: {migration.description}")
result = migration.down(result)
# Update version to previous migration's version
prev_version = self._get_previous_version(migration.version)
result['_version'] = prev_version
return result
def _get_previous_version(self, version: str) -> str:
"""Get the version before the given version"""
for i, migration in enumerate(self.migrations):
if migration.version == version:
return self.migrations[i-1].version if i > 0 else '0.0.0'
return '0.0.0'
# Example migrations
class MigrationV1_0_0(ConfigMigration):
@property
def version(self) -> str:
return '1.0.0'
@property
def description(self) -> str:
return 'Initial configuration structure'
def up(self, config: Dict) -> Dict:
# Add default structure
return {
'_version': '1.0.0',
'app': config.get('app', {}),
'database': config.get('database', {}),
'logging': config.get('logging', {'level': 'info'})
}
def down(self, config: Dict) -> Dict:
# Remove version info
result = config.copy()
result.pop('_version', None)
return result
class MigrationV1_1_0(ConfigMigration):
@property
def version(self) -> str:
return '1.1.0'
@property
def description(self) -> str:
return 'Split database config into read/write connections'
def up(self, config: Dict) -> Dict:
result = config.copy()
# Transform single database config to read/write split
if 'database' in result and not isinstance(result['database'], dict):
old_db = result['database']
result['database'] = {
'write': old_db,
'read': old_db.copy() # Same as write initially
}
return result
def down(self, config: Dict) -> Dict:
result = config.copy()
# Revert to single database config
if 'database' in result and 'write' in result['database']:
result['database'] = result['database']['write']
return result
class MigrationV2_0_0(ConfigMigration):
@property
def version(self) -> str:
return '2.0.0'
@property
def description(self) -> str:
return 'Add security configuration section'
def up(self, config: Dict) -> Dict:
result = config.copy()
# Add security section with defaults
if 'security' not in result:
result['security'] = {
'encryption': {
'enabled': True,
'algorithm': 'AES-256-GCM'
},
'tls': {
'minVersion': '1.2',
'ciphers': ['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256']
}
}
return result
def down(self, config: Dict) -> Dict:
result = config.copy()
result.pop('security', None)
return result
7. Configuration Security
Implement secure configuration handling:
Secure Config Manager
// secure-config.ts
import * as crypto from 'crypto';
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';
import { KeyVaultSecret, SecretClient } from '@azure/keyvault-secrets';
interface EncryptedValue {
encrypted: true;
value: string;
algorithm: string;
iv: string;
authTag?: string;
}
export class SecureConfigManager {
private secretsCache: Map<string, any> = new Map();
private encryptionKey: Buffer;
constructor(private options: SecureConfigOptions) {
this.encryptionKey = this.deriveKey(options.masterKey);
}
private deriveKey(masterKey: string): Buffer {
return crypto.pbkdf2Sync(masterKey, 'config-salt', 100000, 32, 'sha256');
}
encrypt(value: any): EncryptedValue {
const algorithm = 'aes-256-gcm';
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv(algorithm, this.encryptionKey, iv);
const stringValue = JSON.stringify(value);
let encrypted = cipher.update(stringValue, 'utf8', 'hex');
encrypted += cipher.final('hex');
const authTag = cipher.getAuthTag();
return {
encrypted: true,
value: encrypted,
algorithm,
iv: iv.toString('hex'),
authTag: authTag.toString('hex')
};
}
decrypt(encryptedValue: EncryptedValue): any {
const decipher = crypto.createDecipheriv(
encryptedValue.algorithm,
this.encryptionKey,
Buffer.from(encryptedValue.iv, 'hex')
);
if (encryptedValue.authTag) {
decipher.setAuthTag(Buffer.from(encryptedValue.authTag, 'hex'));
}
let decrypted = decipher.update(encryptedValue.value, 'hex', 'utf8');
decrypted += decipher.final('utf8');
return JSON.parse(decrypted);
}
async processConfig(config: any): Promise<any> {
const processed = {};
for (const [key, value] of Object.entries(config)) {
if (this.isEncryptedValue(value)) {
// Decrypt encrypted values
processed[key] = this.decrypt(value as EncryptedValue);
} else if (this.isSecretReference(value)) {
// Fetch from secret manager
processed[key] = await this.fetchSecret(value as string);
} else if (typeof value === 'object' && value !== null) {
// Recursively process nested objects
processed[key] = await this.processConfig(value);
} else {
processed[key] = value;
}
}
return processed;
}
private isEncryptedValue(value: any): boolean {
return typeof value === 'object' &&
value !== null &&
value.encrypted === true;
}
private isSecretReference(value: any): boolean {
return typeof value === 'string' &&
(value.startsWith('secret://') ||
value.startsWith('vault://') ||
value.startsWith('aws-secret://'));
}
private async fetchSecret(reference: string): Promise<any> {
// Check cache first
if (this.secretsCache.has(reference)) {
return this.secretsCache.get(reference);
}
let secretValue: any;
if (reference.startsWith('secret://')) {
// Google Secret Manager
secretValue = await this.fetchGoogleSecret(reference);
} else if (reference.startsWith('vault://')) {
// Azure Key Vault
secretValue = await this.fetchAzureSecret(reference);
} else if (reference.startsWith('aws-secret://')) {
// AWS Secrets Manager
secretValue = await this.fetchAWSSecret(reference);
}
// Cache the secret
this.secretsCache.set(reference, secretValue);
return secretValue;
}
private async fetchGoogleSecret(reference: string): Promise<any> {
const secretName = reference.replace('secret://', '');
const client = new SecretManagerServiceClient();
const [version] = await client.accessSecretVersion({
name: `projects/${this.options.gcpProject}/secrets/${secretName}/versions/latest`
});
const payload = version.payload?.data;
if (!payload) {
throw new Error(`Secret ${secretName} has no payload`);
}
return JSON.parse(payload.toString());
}
validateSecureConfig(config: any): ValidationResult {
const errors: string[] = [];
const checkSecrets = (obj: any, path: string = '') => {
for (const [key, value] of Object.entries(obj)) {
const currentPath = path ? `${path}.${key}` : key;
// Check for plaintext secrets
if (this.looksLikeSecret(key) && typeof value === 'string') {
if (!this.isEncryptedValue(value) && !this.isSecretReference(value)) {
errors.push(`Potential plaintext secret at ${currentPath}`);
}
}
// Recursively check nested objects
if (typeof value === 'object' && value !== null && !this.isEncryptedValue(value)) {
checkSecrets(value, currentPath);
}
}
};
checkSecrets(config);
return {
valid: errors.length === 0,
errors: errors.map(message => ({
path: '',
message,
keyword: 'security',
params: {}
}))
};
}
private looksLikeSecret(key: string): boolean {
const secretPatterns = [
'password', 'secret', 'key', 'token', 'credential',
'api_key', 'apikey', 'private_key', 'auth'
];
const lowerKey = key.toLowerCase();
return secretPatterns.some(pattern => lowerKey.includes(pattern));
}
}
8. Configuration Documentation
Generate configuration documentation:
Config Documentation Generator
# config_docs_generator.py
from typing import Dict, List, Any
import json
import yaml
class ConfigDocGenerator:
def generate_docs(self, schema: Dict, examples: Dict) -> str:
"""Generate comprehensive configuration documentation"""
docs = ["# Configuration Reference\n"]
# Add overview
docs.append("## Overview\n")
docs.append("This document describes all available configuration options.\n")
# Add table of contents
docs.append("## Table of Contents\n")
toc = self._generate_toc(schema.get('properties', {}))
docs.extend(toc)
# Add configuration sections
docs.append("\n## Configuration Options\n")
sections = self._generate_sections(schema.get('properties', {}), examples)
docs.extend(sections)
# Add examples
docs.append("\n## Complete Examples\n")
docs.extend(self._generate_examples(examples))
# Add validation rules
docs.append("\n## Validation Rules\n")
docs.extend(self._generate_validation_rules(schema))
return '\n'.join(docs)
def _generate_sections(self, properties: Dict, examples: Dict, level: int = 3) -> List[str]:
"""Generate documentation for each configuration section"""
sections = []
for prop_name, prop_schema in properties.items():
# Section header
sections.append(f"{'#' * level} {prop_name}\n")
# Description
if 'description' in prop_schema:
sections.append(f"{prop_schema['description']}\n")
# Type information
sections.append(f"**Type:** `{prop_schema.get('type', 'any')}`\n")
# Required
if prop_name in prop_schema.get('required', []):
sections.append("**Required:** Yes\n")
# Default value
if 'default' in prop_schema:
sections.append(f"**Default:** `{json.dumps(prop_schema['default'])}`\n")
# Validation constraints
constraints = self._extract_constraints(prop_schema)
if constraints:
sections.append("**Constraints:**")
for constraint in constraints:
sections.append(f"- {constraint}")
sections.append("")
# Example
if prop_name in examples:
sections.append("**Example:**")
sections.append("```yaml")
sections.append(yaml.dump({prop_name: examples[prop_name]}, default_flow_style=False))
sections.append("```\n")
# Nested properties
if prop_schema.get('type') == 'object' and 'properties' in prop_schema:
nested = self._generate_sections(
prop_schema['properties'],
examples.get(prop_name, {}),
level + 1
)
sections.extend(nested)
return sections
def _extract_constraints(self, schema: Dict) -> List[str]:
"""Extract validation constraints from schema"""
constraints = []
if 'enum' in schema:
constraints.append(f"Must be one of: {', '.join(map(str, schema['enum']))}")
if 'minimum' in schema:
constraints.append(f"Minimum value: {schema['minimum']}")
if 'maximum' in schema:
constraints.append(f"Maximum value: {schema['maximum']}")
if 'minLength' in schema:
constraints.append(f"Minimum length: {schema['minLength']}")
if 'maxLength' in schema:
constraints.append(f"Maximum length: {schema['maxLength']}")
if 'pattern' in schema:
constraints.append(f"Must match pattern: `{schema['pattern']}`")
if 'format' in schema:
constraints.append(f"Format: {schema['format']}")
return constraints
# Generate interactive config builder
class InteractiveConfigBuilder:
def generate_html_builder(self, schema: Dict) -> str:
"""Generate interactive HTML configuration builder"""
html = """
<!DOCTYPE html>
<html>
<head>
<title>Configuration Builder</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.config-section { margin: 20px 0; padding: 20px; border: 1px solid #ddd; }
.config-field { margin: 10px 0; }
label { display: inline-block; width: 200px; font-weight: bold; }
input, select { width: 300px; padding: 5px; }
.error { color: red; font-size: 12px; }
.preview { background: #f5f5f5; padding: 20px; margin-top: 20px; }
pre { background: white; padding: 10px; overflow-x: auto; }
</style>
</head>
<body>
<h1>Configuration Builder</h1>
<div id="config-form"></div>
<button onclick="validateConfig()">Validate</button>
<button onclick="exportConfig()">Export</button>
<div class="preview">
<h2>Preview</h2>
<pre id="config-preview"></pre>
</div>
<script>
const schema = """ + json.dumps(schema) + """;
function buildForm() {
const container = document.getElementById('config-form');
container.innerHTML = renderSchema(schema.properties);
}
function renderSchema(properties, prefix = '') {
let html = '';
for (const [key, prop] of Object.entries(properties)) {
const fieldId = prefix ? `${prefix}.${key}` : key;
html += '<div class="config-field">';
html += `<label for="${fieldId}">${key}:</label>`;
if (prop.enum) {
html += `<select id="${fieldId}" onchange="updatePreview()">`;
for (const option of prop.enum) {
html += `<option value="${option}">${option}</option>`;
}
html += '</select>';
} else if (prop.type === 'boolean') {
html += `<input type="checkbox" id="${fieldId}" onchange="updatePreview()">`;
} else if (prop.type === 'number' || prop.type === 'integer') {
html += `<input type="number" id="${fieldId}" onchange="updatePreview()">`;
} else {
html += `<input type="text" id="${fieldId}" onchange="updatePreview()">`;
}
html += `<div class="error" id="${fieldId}-error"></div>`;
html += '</div>';
if (prop.type === 'object' && prop.properties) {
html += '<div class="config-section">';
html += renderSchema(prop.properties, fieldId);
html += '</div>';
}
}
return html;
}
function updatePreview() {
const config = buildConfig();
document.getElementById('config-preview').textContent =
JSON.stringify(config, null, 2);
}
function buildConfig() {
// Build configuration from form values
const config = {};
// Implementation here
return config;
}
function validateConfig() {
// Validate against schema
const config = buildConfig();
// Implementation here
}
function exportConfig() {
const config = buildConfig();
const blob = new Blob([JSON.stringify(config, null, 2)],
{type: 'application/json'});
const url = URL.createObjectURL(blob);
const a = document.createElement('a');
a.href = url;
a.download = 'config.json';
a.click();
}
// Initialize
buildForm();
updatePreview();
</script>
</body>
</html>
"""
return html
Output Format
- Configuration Analysis: Current configuration assessment
- Validation Schemas: JSON Schema definitions for all configs
- Environment Rules: Environment-specific validation rules
- Test Suite: Comprehensive configuration tests
- Migration Scripts: Version migration implementations
- Security Report: Security issues and recommendations
- Documentation: Auto-generated configuration reference
- Validation Pipeline: CI/CD integration for config validation
- Interactive Tools: Configuration builders and validators
Focus on preventing configuration errors, ensuring consistency across environments, and maintaining security best practices.