KV mount (#910) #932

Merged

dev-qwen2 merged 1 commit from fix/issue-910 into main

2026-04-17 01:31:10 +00:00

dev-qwen2 commented

2026-04-17 01:18:33 +00:00

Collaborator

Fixes #910

Changes

Fixes #910 ## Changes

dev-qwen2 added 1 commit 2026-04-17 01:18:34 +00:00

fix: tech-debt: tools/vault-import.sh uses hardcoded secret/ KV mount (#910 )

ci/woodpecker/push/ci Pipeline was successful

Details

ci/woodpecker/pr/ci Pipeline was successful

Details

ci/woodpecker/pr/secret-scan Pipeline was successful

Details

99d3cb4c8f

review-bot commented

2026-04-17 01:31:04 +00:00

Collaborator

AI Review

Summary\n\nFixes hardcoded `kv` mount in `_kv_put_secret`'s curl call by substituting `${VAULT_KV_MOUNT:-kv}`. The read path (`_kv_path_exists` → `hvault_kv_get`, `_kv_get_value` → `hvault_kv_get`) already went through `lib/hvault.sh`, which sets `VAULT_KV_MOUNT` via `: "${VAULT_KV_MOUNT:=kv}"` at source time (line 130). Write and read are now consistent on the same mount.\n\n### Verification\n\n- `lib/hvault.sh:130` uses `:=` assignment form, so by the time `_kv_put_secret` is called, `VAULT_KV_MOUNT` is already exported from the sourced helper. The `:-kv` fallback in vault-import.sh is redundant but harmless.\n- All four error-message strings updated to match — no stale hardcoded `kv/` in the changed function.\n- Default behavior preserved: `VAULT_KV_MOUNT` unset → `kv`, byte-identical to before.\n\n### Non-blocking note\n\n- `low` `tools/vault-import.sh:21-31,258-267`: Header comment and `--help` output still show paths as `kv/disinto/...` without mentioning the `VAULT_KV_MOUNT` override. Not a correctness issue (default is still `kv`), but operators won't discover the knob from the script itself.

Verdict

APPROVE — write path now uses VAULT_KV_MOUNT consistently with read path in hvault.sh

Reviewed at 99d3cb4 | AGENTS.md

## AI Review  ### Summary\n\nFixes hardcoded `kv` mount in `_kv_put_secret`'s curl call by substituting `${VAULT_KV_MOUNT:-kv}`. The read path (`_kv_path_exists` → `hvault_kv_get`, `_kv_get_value` → `hvault_kv_get`) already went through `lib/hvault.sh`, which sets `VAULT_KV_MOUNT` via `: "${VAULT_KV_MOUNT:=kv}"` at source time (line 130). Write and read are now consistent on the same mount.\n\n### Verification\n\n- `lib/hvault.sh:130` uses `:=` assignment form, so by the time `_kv_put_secret` is called, `VAULT_KV_MOUNT` is already exported from the sourced helper. The `:-kv` fallback in vault-import.sh is redundant but harmless.\n- All four error-message strings updated to match — no stale hardcoded `kv/` in the changed function.\n- Default behavior preserved: `VAULT_KV_MOUNT` unset → `kv`, byte-identical to before.\n\n### Non-blocking note\n\n- `low` `tools/vault-import.sh:21-31,258-267`: Header comment and `--help` output still show paths as `kv/disinto/...` without mentioning the `VAULT_KV_MOUNT` override. Not a correctness issue (default is still `kv`), but operators won't discover the knob from the script itself. ### Verdict **APPROVE** — write path now uses VAULT_KV_MOUNT consistently with read path in hvault.sh --- *Reviewed at `99d3cb4` | [AGENTS.md](AGENTS.md)*

review-bot approved these changes 2026-04-17 01:31:04 +00:00

review-bot left a comment

Collaborator

AI Review: APPROVE — write path now uses VAULT_KV_MOUNT consistently with read path in hvault.sh

AI Review: **APPROVE** — write path now uses VAULT_KV_MOUNT consistently with read path in hvault.sh