chore: change from nomad to k8s

[coodos]

Description of change

Switch from consul & nomad to Kubernetes.

Reason: Nomad was being annoying with CNI unless you use their shitty hosted version which was annoying to deal with anyways.

Issue Number

Type of change

• Breaking (any change that would cause existing functionality to not work as expected)

How the change has been tested

By provisioning evaults

Change checklist

• I have ensured that the CI Checks pass locally
• I have removed any unnecessary logic
• My code is well documented
• I have signed my commits
• My code follows the pattern of the application
• I have self reviewed my code

Summary by CodeRabbit

• New Features

  • The app layout now dynamically adjusts to device safe areas, improving display on devices with notches or special screen insets.
  • Added support for momentum scrolling on iOS and consistent scrollbar hiding across browsers for a smoother user experience.
  • Introduced database-backed vault registration and resolution with secure token-based access.
  • Added PostgreSQL support with TypeORM integration for managing vault data.

• Refactor

  • eVault provisioning now uses Kubernetes instead of Nomad, streamlining the deployment process and improving reliability.
  • Provisioning logic is consolidated for simplicity and maintainability.
  • Replaced service discovery via Consul with database queries for vault resolution.

• Chores

  • Added new dependencies for Kubernetes client, SHA-256 hashing, PostgreSQL, TypeORM, and related tools.

• Style

  • Improved code formatting and consistency in the eVault core module.
  • Enhanced type safety by refining type annotations in web3 adapter and tests.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

The changes migrate the eVault provisioning system from Nomad to Kubernetes, replacing the job generation and submission logic with direct Kubernetes resource creation. The provisionEVault function now handles all provisioning steps, including namespace, storage, deployment, and service creation. Additional updates include dependency additions, layout adjustments for safe area insets, code formatting improvements, and the introduction of a database-backed vault registry replacing Consul.

Changes

File(s)	Change Summary
infrastructure/eid-wallet/src/routes/+layout.svelte	Refactored layout to dynamically compute and apply top safe area inset, updated container heights, and global styles.
infrastructure/evault-core/src/evault.ts	Reformatted code for consistent style and indentation; no logic changes.
infrastructure/evault-provisioner/package.json	Added @kubernetes/client-node and sha256 as dependencies.
infrastructure/evault-provisioner/src/index.ts	Simplified provisioning flow by replacing Nomad job logic with a single provisionEVault call; updated env loading and port.
infrastructure/evault-provisioner/src/templates/evault.nomad.ts	Removed Nomad job generation; added provisionEVault for direct Kubernetes provisioning and resource management.
infrastructure/evault-provisioner/src/listeners/alloc.ts	Deleted event emitter-based allocation status polling for Nomad allocations.
infrastructure/web3-adapter/src/tests/evault.test.ts	Updated type annotation from any to unknown for GraphQL query variables parameter.
infrastructure/web3-adapter/src/adapter.ts	Updated type signatures from any to unknown for transform functions and data parameters in Web3Adapter.
platforms/registry/package.json	Added TypeORM, PostgreSQL client, and related scripts for database migrations.
platforms/registry/src/config/database.ts	Added TypeORM DataSource configuration for PostgreSQL with entities and migrations.
platforms/registry/src/consul.ts	Removed service resolution via Consul.
platforms/registry/src/entities/Vault.ts	Added new Vault entity class for database persistence.
platforms/registry/src/index.ts	Replaced Consul service resolution with database-backed VaultService; added /register endpoint with auth; DB init.
platforms/registry/src/migrations/1748865359304-migration.ts	Added migration to create vault table with columns id, ename, uri, and evault.
platforms/registry/src/migrations/README.md	Added documentation for migration management and best practices.
platforms/registry/src/services/VaultService.ts	Added VaultService class for CRUD operations on Vault entities using TypeORM repository.
platforms/registry/tsconfig.json	Enabled experimental decorators and metadata emission; updated lib and exclude settings.

Sequence Diagram(s)

sequenceDiagram
    participant API as Provisioner API (index.ts)
    participant K8S as Kubernetes Cluster
    participant PVC as PersistentVolumeClaims
    participant NS as Namespace
    participant DEP as Deployment
    participant SVC as Service

    API->>API: Receive provision request (w3id, eVaultId)
    API->>API: Call provisionEVault(w3id, eVaultId)
    API->>K8S: Create Namespace (w3id)
    API->>K8S: Create PVC for Neo4j data
    API->>K8S: Create PVC for eVault storage
    API->>K8S: Create PVC for eVault secrets
    API->>K8S: Create Deployment (Neo4j + eVault containers)
    API->>K8S: Create Service (LoadBalancer for eVault)
    API->>K8S: Fetch and determine service URL
    API-->>API: Return service URI
    API->>Registry: Register URI via authenticated POST
    API-->>Client: Respond with URI

Loading

Possibly related PRs

• fix: layouts #119: Modifies layout-related files in the eid-wallet routes, adjusting height and scrolling behavior using dynamic viewport units and safe area insets, directly related to layout improvements in this PR.
• chore: change from nomad to k8s #179: Implements the migration of eVault provisioning from Nomad to Kubernetes and updates layout handling for safe area insets, closely related to this PR’s core changes.
• Feat/registry and evault provisioning #106: Implements registry and eVault provisioning features using Nomad and Consul, related to this PR which replaces Nomad with Kubernetes provisioning and adds database-backed registry.

Poem

A hop, a leap, from Nomad we depart,
Kubernetes now cradles eVault’s beating heart.
With namespaces, PVCs, and services spun,
The cluster awakens—provisioning begun!
Safe areas respected, layouts anew,
Rabbits rejoice in the clouds’ gentle dew.
🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c817701 and 518d2ef.

📒 Files selected for processing (2)

• infrastructure/eid-wallet/src/routes/+layout.svelte (2 hunks)
• infrastructure/evault-provisioner/src/templates/evault.nomad.ts (2 hunks)

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (2)

infrastructure/eid-wallet/src/routes/+layout.svelte (1)

56-60: Consider removing debug logging and adding error handling.

The safe area implementation looks good, but there are a couple of improvements to consider:

1. The debug logging on line 59 should be removed before production
2. The parseFloat operation could benefit from more robust error handling

-const safeAreaTop = $derived.by(() => parseFloat(getComputedStyle(document.documentElement).getPropertyValue('--safe-top')) || 0);
-
-
-$effect(() => console.log("top",  safeAreaTop))
+const safeAreaTop = $derived.by(() => {
+  const value = getComputedStyle(document.documentElement).getPropertyValue('--safe-top');
+  const parsed = parseFloat(value);
+  return !isNaN(parsed) ? parsed : 0;
+});

infrastructure/evault-provisioner/src/templates/evault.nomad.ts (1)

108-109: Improve logging to avoid exposing sensitive data.

Logging the entire service response object could expose sensitive Kubernetes metadata.

Log only the necessary information:

-    const res = await coreApi.readNamespacedService({ name: 'evault-service', namespace: namespaceName });
-    console.log(JSON.stringify(res))
+    const res = await coreApi.readNamespacedService({ name: 'evault-service', namespace: namespaceName });
+    const nodePort = res.body.spec?.ports?.[0]?.nodePort;
+    console.log(`eVault service created successfully. NodePort: ${nodePort}, Namespace: ${namespaceName}`);

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f446256 and d3276cb.

⛔ Files ignored due to path filters (2)

• infrastructure/eid-wallet/src-tauri/gen/apple/eid-wallet.xcodeproj/project.pbxproj is excluded by !**/gen/**
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

• infrastructure/eid-wallet/src/routes/+layout.svelte (2 hunks)
• infrastructure/evault-core/src/evault.ts (2 hunks)
• infrastructure/evault-provisioner/package.json (1 hunks)
• infrastructure/evault-provisioner/src/index.ts (2 hunks)
• infrastructure/evault-provisioner/src/templates/evault.nomad.ts (2 hunks)

🧰 Additional context used

🪛 GitHub Actions: Check Code

infrastructure/eid-wallet/src/routes/+layout.svelte

[warning] 112-112: Unused CSS selector "body" (svelte)

---

[warning] 119-119: Unused CSS selector "body::-webkit-scrollbar" (svelte)

🪛 Biome (1.9.4)

infrastructure/evault-provisioner/src/templates/evault.nomad.ts

[error] 22-22: Reassigning a function parameter is confusing.

The parameter is declared here:

Use a local variable instead.

(lint/style/noParameterAssign)

🔇 Additional comments (5)

infrastructure/eid-wallet/src/routes/+layout.svelte (1)

96-104: LGTM: Dynamic safe area implementation is well-structured.

The dynamic height calculations using safe area insets are implemented correctly. The use of Tailwind's calc() function with the computed safe area value ensures proper UI adaptation across different devices.

infrastructure/evault-provisioner/package.json (1)

14-14:

❓ Verification inconclusive

Verify dependency versions for security and compatibility.

The new dependencies support the Kubernetes migration well:

• @kubernetes/client-node for Kubernetes API interaction
• sha256 for password hashing (likely for Neo4j)

Please verify that these dependency versions are secure and up-to-date:

Also applies to: 19-19

---

🏁 Script executed:

#!/bin/bash
# Check for security advisories and latest versions
echo "Checking @kubernetes/client-node..."
npm view @kubernetes/client-node versions --json | jq '.[-5:]'

echo "Checking sha256..."
npm view sha256 versions --json | jq '.[-5:]'

# Check for known vulnerabilities
npm audit --audit-level moderate

Length of output: 718

---

Dependency versions are up-to-date; please run a security audit

• infrastructure/evault-provisioner/package.json
  • @kubernetes/client-node@^1.3.0 → latest published is 1.3.0
  • sha256@^0.2.0 → latest published is 0.2.0

The npm audit step failed due to a missing lockfile. Please generate one (npm i --package-lock-only) and then rerun:

npm audit --audit-level moderate

to confirm there are no known vulnerabilities.

infrastructure/evault-core/src/evault.ts (2)

6-9: LGTM: Improved import formatting.

The import statement formatting is more consistent and readable.

🧰 Tools

🪛 Biome (1.9.4)

[error] 5-9: Some named imports are only used as types.

This import is only used as a type.

This import is only used as a type.

This import is only used as a type.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Add inline type keywords.

(lint/style/useImportType)

---

20-102: LGTM: Consistent code formatting throughout the class.

The reformatting improves code readability and maintains consistent indentation throughout the EVault class. No functional changes were made, which is appropriate for this refactoring.

infrastructure/evault-provisioner/src/index.ts (1)

3-3: LGTM: Import updated for Kubernetes provisioning.

The import change from Nomad job generation to Kubernetes provisioning aligns perfectly with the PR objectives of migrating from Nomad to Kubernetes.

[coderabbitai]

Note

Generated docstrings for this pull request at #181

[coderabbitai]

Actionable comments posted: 5

♻️ Duplicate comments (5)

infrastructure/evault-provisioner/src/index.ts (1)

73-73: ⚠️ Potential issue

Add error handling to the provisionEVault function.

The provisionEVault function lacks proper error handling and status monitoring for Kubernetes resources. This could leave resources in an inconsistent state if provisioning fails.

Run the following script to verify the current implementation:

#!/bin/bash
# Check the provisionEVault implementation for error handling
ast-grep --pattern $'export async function provisionEVault($$$) {
  $$$
}'

infrastructure/evault-provisioner/src/templates/evault.nomad.ts (4)

22-26: Fix parameter handling, utilize eVaultId, and strengthen password generation.

This duplicates previous feedback about avoiding parameter reassignment and using secure password generation.

🧰 Tools

🪛 Biome (1.9.4)

[error] 24-24: Reassigning a function parameter is confusing.

The parameter is declared here:

Use a local variable instead.

(lint/style/noParameterAssign)

---

33-36: Add namespace name sanitization and error handling.

This duplicates previous feedback about sanitizing namespace names for Kubernetes DNS requirements and handling "already exists" errors.

---

70-95: Improve container configuration for production readiness.

This duplicates previous feedback about adding resource limits, security contexts, and using versioned container tags.

---

22-162: Add comprehensive error handling and consider breaking down the function.

This duplicates previous feedback about the function lacking error handling and being too large, which could leave resources in an inconsistent state.

🧰 Tools

🪛 Biome (1.9.4)

[error] 24-24: Reassigning a function parameter is confusing.

The parameter is declared here:

Use a local variable instead.

(lint/style/noParameterAssign)

🧹 Nitpick comments (13)

infrastructure/evault-core/src/w3id/w3id.ts (2)

40-66: Improve error handling for key management operations.

The current try-catch block silently creates new keys when existing ones can't be retrieved. Consider adding more specific error handling to distinguish between "seed not found" and other potential errors (e.g., decryption failures, file system errors).

-        } catch {
+        } catch (error) {
+            // Only create new seed if it doesn't exist, re-throw other errors
+            if (error instanceof Error && !error.message.includes('No seed found')) {
+                throw error;
+            }
             // If no seed exists, create new one

---

15-19: Consider adding JSDoc documentation for the options parameter.

The get method has complex initialization logic and would benefit from clear documentation about when options are required versus optional.

+    /**
+     * Gets or creates a W3ID instance with persistent key management.
+     * @param options - Required for first initialization, optional for subsequent calls
+     * @param options.id - The W3ID identifier
+     * @param options.driver - Neo4j driver for log storage
+     * @param options.password - Password for encrypting stored keys (required on first call)
+     */
     static async get(options?: {

platforms/registry/src/migrations/1748865359304-migration.ts (2)

1-1: Use import type for TypeORM interfaces.

The static analysis correctly identifies that these imports are only used as types.

-import { MigrationInterface, QueryRunner } from "typeorm";
+import type { MigrationInterface, QueryRunner } from "typeorm";

🧰 Tools

🪛 Biome (1.9.4)

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

7-7: Consider adding constraints and indexes for better data integrity and performance.

The current table creation lacks important constraints and indexes that might be needed for a production vault registry.

Consider these improvements to the table schema:

-        await queryRunner.query(`CREATE TABLE "vault" ("id" SERIAL NOT NULL, "ename" character varying NOT NULL, "uri" character varying NOT NULL, "evault" character varying NOT NULL, CONSTRAINT "PK_dd0898234c77f9d97585171ac59" PRIMARY KEY ("id"))`);
+        await queryRunner.query(`CREATE TABLE "vault" (
+            "id" SERIAL NOT NULL, 
+            "ename" character varying(255) NOT NULL UNIQUE, 
+            "uri" character varying(2048) NOT NULL, 
+            "evault" character varying(1024) NOT NULL, 
+            CONSTRAINT "PK_dd0898234c77f9d97585171ac59" PRIMARY KEY ("id")
+        )`);
+        await queryRunner.query(`CREATE INDEX "IDX_vault_ename" ON "vault" ("ename")`);

This adds:

• Column length limits to prevent excessively large data
• Unique constraint on ename (assuming vault names should be unique)
• Index on ename for faster lookups

platforms/registry/src/config/database.ts (2)

4-4: Use Node.js import protocol for built-in modules.

The static analysis correctly suggests using the node: protocol for Node.js built-in modules.

-import { join } from "path"
+import { join } from "node:path"

🧰 Tools

🪛 Biome (1.9.4)

[error] 4-4: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

---

11-13: Consider adding SSL configuration for production environments.

The database configuration lacks SSL settings which are typically required for production PostgreSQL connections.

     url: process.env.REGISTRY_DATABASE_URL || "postgresql://postgres:postgres@localhost:5432/registry",
+    ssl: process.env.NODE_ENV === "production" ? { rejectUnauthorized: false } : false,
     synchronize: process.env.NODE_ENV !== "production",

Note: Adjust SSL settings based on your specific PostgreSQL configuration requirements.

platforms/registry/src/migrations/README.md (1)

44-44: Fix grammar in the best practices section.

The static analysis correctly identifies an adverb placement issue.

-5. Always backup your database before running migrations in production
+5. Always back up your database before running migrations in production

Or alternatively:

-5. Always backup your database before running migrations in production
+5. Back up your database before running migrations in production

platforms/registry/src/services/VaultService.ts (4)

1-2: Use import type for TypeORM interfaces.

The static analysis correctly identifies that these imports are only used as types.

-import { Repository } from "typeorm"
-import { Vault} from "../entities/Vault"
+import type { Repository } from "typeorm"
+import type { Vault } from "../entities/Vault"

🧰 Tools

🪛 Biome (1.9.4)

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

[error] 2-2: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

24-27: Optimize the update method to reduce database calls.

The current update implementation makes two database calls, which is inefficient and can lead to race conditions.

     async update(id: number, data: Partial<Vault>): Promise<Vault| null> {
-        await this.serviceRepository.update(id, data)
-        return await this.findOne(id)
+        const result = await this.serviceRepository.update(id, data)
+        if (result.affected === 0) {
+            return null
+        }
+        return await this.findOne(id)
     }

Or use a more efficient approach with preload and save:

     async update(id: number, data: Partial<Vault>): Promise<Vault| null> {
-        await this.serviceRepository.update(id, data)
-        return await this.findOne(id)
+        const vault = await this.serviceRepository.preload({ id, ...data })
+        if (!vault) {
+            return null
+        }
+        return await this.serviceRepository.save(vault)
     }

---

7-10: Consider adding input validation for vault creation.

The service accepts string parameters without validation, which could lead to data quality issues.

     async create(ename: string, uri: string, evault: string): Promise<Vault> {
+        if (!ename?.trim() || !uri?.trim() || !evault?.trim()) {
+            throw new Error('All fields (ename, uri, evault) are required and cannot be empty')
+        }
         const service = this.serviceRepository.create({ ename, uri, evault })
         return await this.serviceRepository.save(service)
     }

---

29-31: Consider returning deletion success indicator.

The delete method doesn't indicate whether the deletion was successful or if the entity existed.

-    async delete(id: number): Promise<void> {
-        await this.serviceRepository.delete(id)
+    async delete(id: number): Promise<boolean> {
+        const result = await this.serviceRepository.delete(id)
+        return result.affected !== undefined && result.affected > 0
     }

infrastructure/evault-provisioner/src/index.ts (1)

7-8: Use the node: protocol for Node.js builtin modules.

For better clarity and to follow Node.js best practices, prefix builtin modules with node:.

Apply this diff:

-import path from "path";
-import { fileURLToPath } from "url";
+import path from "node:path";
+import { fileURLToPath } from "node:url";

🧰 Tools

🪛 Biome (1.9.4)

[error] 7-7: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

---

[error] 8-8: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

infrastructure/evault-provisioner/src/templates/evault.nomad.ts (1)

1-5: Improve import statements and remove unused imports.

• Use the node: protocol for Node.js builtin modules as recommended by static analysis
• The json import from Express appears unused in this file

-import { execSync } from "child_process";
-import { json } from "express";
+import { execSync } from "node:child_process";

🧰 Tools

🪛 Biome (1.9.4)

[error] 3-3: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bd73cc5 and c817701.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (15)

• infrastructure/evault-core/src/w3id/w3id.ts (1 hunks)
• infrastructure/evault-provisioner/src/index.ts (4 hunks)
• infrastructure/evault-provisioner/src/listeners/alloc.ts (0 hunks)
• infrastructure/evault-provisioner/src/templates/evault.nomad.ts (2 hunks)
• infrastructure/web3-adapter/src/__tests__/evault.test.ts (1 hunks)
• infrastructure/web3-adapter/src/adapter.ts (3 hunks)
• platforms/registry/package.json (1 hunks)
• platforms/registry/src/config/database.ts (1 hunks)
• platforms/registry/src/consul.ts (0 hunks)
• platforms/registry/src/entities/Vault.ts (1 hunks)
• platforms/registry/src/index.ts (3 hunks)
• platforms/registry/src/migrations/1748865359304-migration.ts (1 hunks)
• platforms/registry/src/migrations/README.md (1 hunks)
• platforms/registry/src/services/VaultService.ts (1 hunks)
• platforms/registry/tsconfig.json (1 hunks)

💤 Files with no reviewable changes (2)

• platforms/registry/src/consul.ts
• infrastructure/evault-provisioner/src/listeners/alloc.ts

✅ Files skipped from review due to trivial changes (4)

• platforms/registry/tsconfig.json
• infrastructure/web3-adapter/src/tests/evault.test.ts
• platforms/registry/src/entities/Vault.ts
• infrastructure/web3-adapter/src/adapter.ts

🧰 Additional context used

🧬 Code Graph Analysis (2)

infrastructure/evault-provisioner/src/index.ts (1)

infrastructure/evault-provisioner/src/templates/evault.nomad.ts (1)

• provisionEVault (22-162)

infrastructure/evault-core/src/w3id/w3id.ts (5)

infrastructure/evault-core/src/secrets/secrets-store.ts (1)

• SecretsStore (25-126)

infrastructure/w3id/src/w3id.ts (2)

• W3ID (9-30)
• W3IDBuilder (32-158)

infrastructure/evault-core/src/w3id/log-service.ts (1)

• LogService (8-42)

infrastructure/evault-core/src/utils/signer.ts (1)

• createSigner (32-44)

infrastructure/evault-core/src/utils/codec.ts (1)

• uint8ArrayToHex (1-5)

🪛 Biome (1.9.4)

platforms/registry/src/services/VaultService.ts

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

[error] 2-2: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

platforms/registry/src/index.ts

[error] 27-27: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

---

[error] 27-27: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

infrastructure/evault-provisioner/src/index.ts

[error] 7-7: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

---

[error] 8-8: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

infrastructure/evault-provisioner/src/templates/evault.nomad.ts

[error] 3-3: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

---

[error] 24-24: Reassigning a function parameter is confusing.

The parameter is declared here:

Use a local variable instead.

(lint/style/noParameterAssign)

infrastructure/evault-core/src/w3id/w3id.ts

[error] 32-32: Forbidden non-null assertion.

(lint/style/noNonNullAssertion)

platforms/registry/src/config/database.ts

[error] 4-4: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

platforms/registry/src/migrations/1748865359304-migration.ts

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

🪛 LanguageTool

platforms/registry/src/migrations/README.md

[style] ~43-~43: The adverb ‘Always’ is usually put between ‘have’ and ‘been’.
Context: .... Never modify existing migrations that have been committed 5. Always backup your database before running mig...

(ADVERB_WORD_ORDER)

🔇 Additional comments (8)

platforms/registry/src/migrations/README.md (1)

1-44: Excellent documentation for migration management.

This README provides comprehensive guidance for database migrations including commands, conventions, and best practices. The structure is clear and will help developers manage schema changes effectively.

🧰 Tools

🪛 LanguageTool

[style] ~43-~43: The adverb ‘Always’ is usually put between ‘have’ and ‘been’.
Context: .... Never modify existing migrations that have been committed 5. Always backup your database before running mig...

(ADVERB_WORD_ORDER)

infrastructure/evault-provisioner/src/index.ts (3)

15-15: Port change looks good.

The port change from 3000 to 3001 helps avoid potential conflicts with other services.

---

76-84: Registry integration looks secure and well-implemented.

Good implementation with:

• Proper authentication using shared secret
• Clear payload structure
• Integration with the new database-backed registry service

---

86-89: Response structure improvement.

Returning the URI directly is more useful for clients than the previous Nomad job name.

platforms/registry/package.json (1)

1-36: Database migration dependencies and scripts look good.

The additions properly support the migration from Consul to a PostgreSQL database:

• TypeORM with PostgreSQL driver for ORM functionality
• Migration scripts follow TypeORM conventions
• Appropriate type definitions included

platforms/registry/src/index.ts (3)

13-25: Database initialization is well-implemented.

Good practices:

• Proper async/await usage
• Clear error logging
• Fails fast on initialization errors

---

40-58: Well-structured vault registration endpoint.

Good implementation with:

• Authentication via preHandler middleware
• Input validation for required fields
• Proper error handling and status codes

---

82-104: Database-backed service resolution looks good.

Successfully migrated from Consul to database with:

• Clean service lookup via VaultService
• Proper 404 handling for missing services
• Consistent response structure