Summary
Opening a workflow YAML file in the editor (without making any changes or saving) causes the file to be silently and destructively modified on disk. The modifications include comment removal, quote style changes, array format changes, key reordering, config block deletion, and injection of new blocks.
Reproduction
Input file (service.yaml) before opening in editor:
name: my-service
version: "1.0"
# Validation settings for template references
engine:
validation:
templateRefs: warn
modules:
- name: web-server
type: http.server
dependsOn: [web-router]
config:
address: ":8080"
readTimeout: "30s"
writeTimeout: "30s"
- name: web-router
type: http.router
config:
cors:
allowedOrigins: ["${CORS_ORIGINS:-http://localhost:3000}"]
allowedMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
allowedHeaders:
- "Authorization"
- "Content-Type"
- name: auth
type: auth.m2m
config:
clients:
- clientId: "${CLIENT_ID}"
clientSecret: "${CLIENT_SECRET}"
scopes: [admin, read, write]
description: "Primary API client"
# Allow cross-token introspection for external services
introspect:
allowOthers: true
- name: authz
type: authz.casbin
config:
roleAssignments:
- ["${CLIENT_ID}", "api_client"]
policies:
- ["api_client", "/v1/resources", "*"]
- ["api_client", "/v1/resources/*", "*"]
# Health check pipeline
pipelines:
health:
trigger:
type: http
method: GET
path: /healthz
steps:
- name: respond
type: step.json_response
config:
status: 200
body:
status: ok
time: "{{now \"RFC3339\"}}"After simply opening the file in the editor (no user edits, no save):
version: "1.0"
name: my-service
modules:
- name: web-server
type: http.server
config:
address: ':8080'
readTimeout: 30s
writeTimeout: 30s
dependsOn:
- web-router
- name: web-router
type: http.router
config:
cors:
allowedOrigins:
- ${CORS_ORIGINS:-http://localhost:3000}
allowedMethods:
- GET
- POST
- PUT
- DELETE
- OPTIONS
allowedHeaders:
- Authorization
- Content-Type
- name: auth
type: auth.m2m
config:
clients:
- clientId: ${CLIENT_ID}
clientSecret: ${CLIENT_SECRET}
scopes:
- admin
- read
- write
description: Primary API client
introspect:
allowOthers: true
- name: authz
type: authz.casbin
config:
roleAssignments:
- - ${CLIENT_ID}
- api_client
policies:
- - api_client
- /v1/resources
- '*'
- - api_client
- /v1/resources/*
- '*'
triggers: {}
pipelines:
health:
trigger:
type: http
method: GET
path: /healthz
steps:
- name: respond
type: step.json_response
config:
status: 200
body:
status: ok
time: '{{now "RFC3339"}}'Changes made silently on open (7 categories)
| # |
Category |
Example |
Impact |
| 1 |
Comments deleted |
All # comments removed |
Loss of documentation and intent |
| 2 |
Config blocks deleted |
engine: block removed entirely |
Functional breakage — validation settings lost |
| 3 |
Quote style changed |
"30s" → 30s, ":8080" → ':8080' |
Inconsistent with author intent; mixed single/double/unquoted |
| 4 |
Inline arrays exploded |
[admin, read, write] → 3-line block |
File grows significantly; harder to scan |
| 5 |
Tuple arrays exploded |
["client", "/path", "*"] → nested block |
Casbin policies become unreadable; triples line count |
| 6 |
Keys reordered |
name moved after version; dependsOn moved to end of module |
Breaks author's intentional logical grouping |
| 7 |
Blocks injected |
triggers: {} added between workflows and pipelines |
Adds config that wasn't present in the original |
Functional impact
Item #2 is the most critical — the engine: top-level block is silently deleted. This contains runtime configuration (engine.validation.templateRefs: warn) that affects engine behavior. The editor appears to drop any top-level keys it doesn't recognize, which means opening a file in the editor can break a working deployment.
Expected behavior
- Opening a file should NEVER modify it unless the user explicitly requests formatting or saves
- If reformatting is offered, it should be opt-in (e.g., a "Format Document" command), not automatic on load
- Comments must be preserved — they are valid YAML and carry semantic meaning
- Unknown/unrecognized top-level config blocks (like
engine:) must be preserved as passthrough, not deleted
- Quote style, array format, and key ordering should be preserved (round-trip fidelity)
Environment
- IDE: VS Code with workflow-editor extension
- OS: macOS
Summary
Opening a workflow YAML file in the editor (without making any changes or saving) causes the file to be silently and destructively modified on disk. The modifications include comment removal, quote style changes, array format changes, key reordering, config block deletion, and injection of new blocks.
Reproduction
Input file (
service.yaml) before opening in editor:After simply opening the file in the editor (no user edits, no save):
Changes made silently on open (7 categories)
#comments removedengine:block removed entirely"30s"→30s,":8080"→':8080'[admin, read, write]→ 3-line block["client", "/path", "*"]→ nested blocknamemoved afterversion;dependsOnmoved to end of moduletriggers: {}added between workflows and pipelinesFunctional impact
Item #2 is the most critical — the
engine:top-level block is silently deleted. This contains runtime configuration (engine.validation.templateRefs: warn) that affects engine behavior. The editor appears to drop any top-level keys it doesn't recognize, which means opening a file in the editor can break a working deployment.Expected behavior
engine:) must be preserved as passthrough, not deletedEnvironment