
fix(config): gate project-context preservation on codeMieUrl equality #400

Merged: 8nevil8 merged 5 commits into main from fix/cross-env-project-fields-leak on Jul 1, 2026

@8nevil8 8nevil8 commented Jun 29, 2026

Collaborator

Summary

Fixes a cross-environment profile leak in `ConfigLoader`. When `--profile <global>` is used from a repo whose local `.codemie/codemie-cli.config.json` declares a different `activeProfile` with a different `codeMieUrl`, `ConfigLoader` preserved `codeMieProject`, `codeMieIntegration`, and `codeMieUrl` from the local team profile via `filterProjectFields()` / `PROJECT_FIELDS`. The intent of `PROJECT_FIELDS` (introduced in c35b54a) is "personal provider on top of team's project context" — a same-env composition. When URLs differ, all three preserved values reference the wrong environment.

The loud failure surfaced while validating EPMCDME-13167 (managed-MCP catalog provisioning into Claude Desktop): `proxy connect desktop --profile preview` from this repo spawned the proxy daemon with `targetUrl=preview` but `syncCodeMieUrl=prod`. The catalog fetch hit prod, oauth2-proxy returned a Keycloak HTML login page, and `JSON.parse` threw on `<!-- Keycl…`. Silent paths corrupted by the same leak include SSO credential lookup, skills sync, analytics push, statusline installer, and agent API routing (`baseUrl` is derived from `codeMieUrl` in `AgentCLI`).

Changes

  • `src/utils/config.ts`: add private `shouldPreserveProjectContext(localUrl, globalUrl)` helper with inline URL normalization (trailing-slash strip + lowercase). Wire the gate into both `ConfigLoader.load()` and `ConfigLoader.loadWithSources()` (the latter required hoisting `loadGlobalConfigProfile` before the filter decision). `PROJECT_FIELDS` and `filterProjectFields` are unchanged; the gate is applied at the call site.
  • `src/utils/tests/config-project-override.test.ts`: +13 tests — 9 helper unit tests (equal, trailing-slash, case, host differ, either-side-missing, both-missing, empty-string), 3 `load()` integration tests (cross-env drop / same-env preserve / local-URL-missing), 1 `loadWithSources` source-attribution test.
  • `.ai-run/guides/usage/project-config.md`: one-paragraph blockquote noting the URL-equality precondition under "Team profile with personal provider".
  • `.ai-run/guides/project.md`: fix the `## MR Adapter` section to use the `gh` shorthand (the previous `codemie-pr` skill reference does not resolve in this environment).
  • `docs/superpowers/tasks/2026-06-29-cross-env-project-fields-leak/`: SDLC Factory artifacts (plan, qa-report, technical-analysis, decisions/events ledgers) for traceability.

Impact

Before: `--profile ` from a repo with a different local active profile silently routed every `codeMieUrl`-keyed operation (SSO creds, catalog fetch, analytics, agent API) to the local team's environment instead of the selected profile's.

After: cross-env switches honor the selected profile's `codeMieUrl`. Same-env compositions ("personal provider + team's project context") continue to work unchanged. Edge cases handled: missing URL on either side is NOT a conflict (preserves the common case where the local team profile only sets `codeMieProject`).

Unblocks EPMCDME-13167 manual verification — `codemie proxy connect desktop --profile preview` from this repo now stamps all 18 entries (7 bundled defaults + 11 EPAM) into Claude Desktop's managed-MCP config. Verified live post-build.

Checklist

  • Self-reviewed (HITL code-review approved through sdlc-light)
  • Manual testing performed (live: `syncCodeMieUrl` matches `targetUrl`; 18 entries stamped)
  • Documentation updated (`project-config.md` URL precondition, `project.md` adapter fix)
  • No breaking changes (same-env composition unchanged; only cross-env behavior altered)
  • All quality gates pass: license-check, lint (zero warnings), typecheck, build, unit (2162/2163), integration (220/221), commitlint (all branch commits Conventional)

Ticket

None at PR creation time — `codemie-jira-assistant` was unresponsive after 5 retries (3 min). Per `.ai-run/guides/standards/git-workflow.md`, type-scoped branches (`fix/`) are allowed without a ticket prefix. A bug ticket will be filed under epic EPMCDME-4878 (MCP integration) as a sibling to EPMCDME-13167 once Jira is reachable, then linked here.

@8nevil8 8nevil8 force-pushed the fix/cross-env-project-fields-leak branch from 2a74d69 to 897e4b4 Compare June 30, 2026 05:19
@8nevil8 8nevil8 merged commit fd112c7 into main Jul 1, 2026
5 checks passed
@8nevil8 8nevil8 deleted the fix/cross-env-project-fields-leak branch July 1, 2026 10:50
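
The URL-equality gate described in the PR summary, as an added TypeScript sketch that is not the project's `src/utils/config.ts` code. The names `shouldPreserveProjectContext`, `filterProjectFields` and `PROJECT_FIELDS` come from the description; `Profile`, `normalizeUrl`, `resolveProfile`, the merge order, treating an empty string as missing, and the sample URLs are assumptions.

```typescript
// Added sketch, not the project's implementation. Field names come from the PR
// description; the profile shape and merge order are assumptions.
type Profile = {
  provider?: string;
  codeMieUrl?: string;
  codeMieProject?: string;
  codeMieIntegration?: string;
};

const PROJECT_FIELDS = ["codeMieUrl", "codeMieProject", "codeMieIntegration"] as const;

// Normalization as described in the PR: strip trailing slashes, lowercase.
function normalizeUrl(url: string): string {
  return url.replace(/\/+$/, "").toLowerCase();
}

// A missing URL on either side is not a conflict (empty string = missing: assumption).
function shouldPreserveProjectContext(localUrl?: string, globalUrl?: string): boolean {
  if (!localUrl || !globalUrl) return true;
  return normalizeUrl(localUrl) === normalizeUrl(globalUrl);
}

// Keep only the project-context fields of the repo-local (team) profile.
function filterProjectFields(local: Profile): Profile {
  const out: Profile = {};
  for (const key of PROJECT_FIELDS) {
    const value = local[key];
    if (value !== undefined) out[key] = value;
  }
  return out;
}

// Resolve the profile chosen with --profile against the repo-local profile.
function resolveProfile(selected: Profile, local: Profile): Profile {
  if (!shouldPreserveProjectContext(local.codeMieUrl, selected.codeMieUrl)) {
    return { ...selected }; // cross-env: drop all local project context
  }
  return { ...selected, ...filterProjectFields(local) }; // same-env composition
}

// Constructed sample profiles (hypothetical hosts and names).
const teamLocal: Profile = { codeMieUrl: "https://codemie.prod.example",
  codeMieProject: "team-project", codeMieIntegration: "team-int" };
const preview: Profile = { provider: "sso", codeMieUrl: "https://codemie.preview.example" };
const personal: Profile = { provider: "personal", codeMieUrl: "HTTPS://Codemie.Prod.Example/" };

console.log(resolveProfile(preview, teamLocal));  // cross-env: preview URL only
console.log(resolveProfile(personal, teamLocal)); // same-env: team context kept
```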