Merged
maybe_reload returned False on FileNotFoundError, so a deleted cache.enc left the live serve process serving the entries it had loaded at startup. Forever. Clearing on vanish forces the next lookup through the provider, which is what the operator expects after wiping the cache.
….bak cache init went straight to atomic rename, so re-running it on a populated cache wiped every entry with no recovery path. Now it refuses if the file exists and only proceeds with --force, in which case the previous file is moved to <name>.bak-<UTC timestamp> before the new empty cache is written.
Adds OrphanedSecretsError and a check in run_setup that scans every shell-driver Podman secret for a backing mapping file in state_dir. Missing mapping means lookups return 404 and the consuming container fails to start; before this commit setup would happily complete without surfacing the condition. Drift detection still fires when relevant; orphan takes precedence since it produces hard failures rather than missing env vars.
Three discrete fixes, one PR — they all surfaced from a single recovery on a homelab where a stale-but-reachable in-memory cache, a clobbered cache file, and a quietly orphaned set of HSM-encrypted Podman secrets compounded into Infisical refusing to start.
1. cache: clear in-memory entries when backing file vanishes
   Cache.maybe_reload() swallowed FileNotFoundError and returned False, so once a cache.enc was deleted the running psi serve kept handing out the entries it had loaded at startup. Now a vanished file clears the in-memory dict, logs a warning, and the next lookup falls through to the provider.

2. cli: refuse to clobber existing cache.enc without --force, rotate to .bak
   psi cache init went straight to an atomic rename, so re-running it on a populated cache silently wiped every entry. The new behaviour:
   - If cache.enc exists, refuse unless --force is passed.
   - With --force, rename the existing file to <name>.bak-<UTC timestamp> first, then write fresh.

3. setup: surface orphaned podman secrets and exit non-zero
   _classify_secrets already detected Podman shell secrets without a mapping file — but only in --dry-run. Regular psi setup would happily report success while leaving the host in a state where the next container start fails. Adds OrphanedSecretsError, a _check_orphans pass after the workload loop, per-secret warnings, and a non-zero exit. Orphan takes precedence over drift since it produces hard container-start failures rather than missing env vars.

Test plan
- uv run pytest -q — 376 passed
- uv run ruff check psi/ tests/ — clean
- uv run ruff format --check psi/ tests/ — clean (one auto-format applied)
- uv run ty check — clean
- TestMaybeReload::test_clears_entries_when_file_vanishes_after_load, TestGuardExistingCache (3 cases), TestCheckOrphans (3 cases), TestRunSetupOrphanExit (3 cases)
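The three behaviours described in this PR, written out as an added stand-alone illustration. This is not psi's code: the cache file is plaintext JSON standing in for cache.enc, the mapping-file naming (<secret>.json in state_dir), the function names init_cache/check_orphans/run_demo and the timestamp format are all assumptions made so the example runs offline.

```python
"""Added example, not psi's own code: a file-backed cache that empties itself
when its file vanishes, an init that refuses to clobber without force and
rotates the old file to <name>.bak-<UTC timestamp>, and an orphan check for
secrets with no mapping file. File format and names are assumptions."""
from __future__ import annotations

import json
import logging
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable

log = logging.getLogger("psi.cache")


class CacheExistsError(FileExistsError):
    """init would overwrite a populated cache without --force."""


class Cache:
    """Entries reload when the file's mtime changes; a vanished file clears
    the in-memory dict instead of freezing it. Assumed format: plaintext JSON."""

    def __init__(self, path: Path) -> None:
        self.path = path
        self._entries: dict[str, str] = {}
        self._mtime: float | None = None
        self.maybe_reload()

    def maybe_reload(self) -> bool:
        """Reload from disk if needed; return True if in-memory state changed."""
        try:
            mtime = self.path.stat().st_mtime
        except FileNotFoundError:
            # The pre-fix behaviour was `return False` here, leaving stale
            # entries live indefinitely. Now: clear, warn, report the change.
            if self._mtime is None:
                return False
            log.warning("cache file %s vanished; clearing %d entries",
                        self.path, len(self._entries))
            self._entries, self._mtime = {}, None
            return True
        if mtime == self._mtime:
            return False
        self._entries = json.loads(self.path.read_text())
        self._mtime = mtime
        return True

    def get(self, key: str, provider: Callable[[str], str]) -> str:
        """Serve from the cache, else fall through to the provider."""
        self.maybe_reload()
        if key in self._entries:
            return self._entries[key]
        return provider(key)


def init_cache(path: Path, force: bool = False) -> Path | None:
    """Write an empty cache at `path`. Refuse if it exists unless `force`,
    in which case the old file is moved aside first. Returns the backup path."""
    backup = None
    if path.exists():
        if not force:
            raise CacheExistsError(f"{path} exists; pass --force to replace it")
        stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")  # assumed format
        backup = path.with_name(f"{path.name}.bak-{stamp}")
        os.replace(path, backup)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps({}))
    os.replace(tmp, path)  # atomic rename onto the final name, as before
    return backup


def check_orphans(secret_names: list[str], state_dir: Path) -> list[str]:
    """Secrets with no mapping file are orphans: lookups would 404 and the
    consuming container would fail to start. Assumes <name>.json mapping files."""
    orphans = [n for n in secret_names if not (state_dir / f"{n}.json").is_file()]
    for name in orphans:
        log.warning("podman secret %s has no mapping file in %s", name, state_dir)
    return orphans


def run_demo() -> dict[str, object]:
    """Exercise all three fixes in a temp dir (constructed data) and report."""
    seen: dict[str, object] = {}
    provider = lambda key: f"provider:{key}"  # stand-in for the real provider
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        path = root / "cache.enc"
        path.write_text(json.dumps({"DB_URL": "cached-value"}))
        cache = Cache(path)
        seen["before_delete"] = cache.get("DB_URL", provider)
        path.unlink()  # operator wipes the cache under the live process
        seen["after_delete"] = cache.get("DB_URL", provider)

        path.write_text(json.dumps({"DB_URL": "cached-value"}))
        try:
            init_cache(path)
            seen["refused"] = False
        except CacheExistsError:
            seen["refused"] = True
        backup = init_cache(path, force=True)
        seen["backup_name_ok"] = backup is not None and backup.name.startswith("cache.enc.bak-")
        seen["backup_kept_old"] = json.loads(backup.read_text()) == {"DB_URL": "cached-value"}
        seen["new_is_empty"] = json.loads(path.read_text()) == {}

        state = root / "state"
        state.mkdir()
        (state / "db_pass.json").write_text("{}")
        seen["orphans"] = check_orphans(["db_pass", "api_key"], state)
    return seen
```

run_demo() walks the same sequence the PR describes: a lookup served from the loaded entries, the file deleted, the next lookup falling through to the provider; then a refused re-init, a forced one that leaves the old contents in the .bak file, and finally an orphan scan that flags the secret without a mapping file.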