Skip to content

fix(deploy): distrust secret hash state without matching updateTime#1809

Draft
dqn wants to merge 2 commits into
fix/secrets-state-deploy-lockfrom
fix/secret-state-update-time-evidence
Draft

fix(deploy): distrust secret hash state without matching updateTime#1809
dqn wants to merge 2 commits into
fix/secrets-state-deploy-lockfrom
fix/secret-state-update-time-evidence

Conversation

@dqn

@dqn dqn commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

A secret changed outside the current checkout (a deploy from another machine,
or a console-side edit) could be silently skipped by the next deploy whose
desired value matched the locally stored hash; the hash state now also records
the platform's updateTime for each secret and distrusts the hash when the
remote timestamp no longer matches.

Behavior

  • A planned secret update is skipped only when the stored hash AND the stored
    updateTime both match the value listed from the platform at plan time.
  • The stored updateTime comes from this deploy's own create/update response —
    never from a post-apply re-list, which could pair our hash with another
    writer's timestamp.
  • Missing evidence always falls back to updating, never to skipping: a state
    file from an older SDK (schema v1), a retried create whose response was
    synthesized empty, or a platform response without updateTime.
  • After upgrading, the first deploy re-pushes managed secrets once to seed the
    new state format (same values; no user action needed).

Verified against the platform

Create/update responses and list responses populate updateTime and agree
exactly (scratch workspace, deleted after). One caveat: the timestamp has
second granularity, so two writers hitting the same secret within the same
second remain indistinguishable — a platform-side generation counter or etag
would close that last window.

Notes

dqn added 2 commits July 17, 2026 21:50
…eTime

The local hash state could suppress a needed secret update after the remote
value changed out of band (a deploy from another checkout, or a console-side
edit): the stored hash still matched the desired value, so the deploy skipped
the update while the platform held something else.

Secrets state now stores the updateTime returned by this deploy's own create
and update responses alongside each hash (schema version 2), and a planned
update is skipped only when both the hash and the remote updateTime match.
Missing evidence — a v1 state file, an empty retried create response, or a
platform that omits updateTime — always falls back to updating, never to
skipping.
@changeset-bot

changeset-bot Bot commented Jul 17, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: d8700fd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
@tailor-platform/sdk Patch
@tailor-platform/create-sdk Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new

pkg-pr-new Bot commented Jul 17, 2026

Copy link
Copy Markdown

Open in StackBlitz

pnpm add https://pkg.pr.new/@tailor-platform/create-sdk@d8700fd
pnpm add https://pkg.pr.new/@tailor-platform/sdk@d8700fd

commit: d8700fd

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant