docs: add flag config adr

[toddbaert]

Another "retrospective" ADR, like the cucumber one.

This explains our JSONLogic choice, shared $evaluators, as well as the the semantics of flagd's use of OpenFeature's resolution reasons.

[netlify]

✅ Deploy Preview for polite-licorice-3db33c ready!

Name	Link
🔨 Latest commit	ebde807
🔍 Latest deploy log	https://app.netlify.com/projects/polite-licorice-3db33c/deploys/6841f459facec80008a2829a
😎 Deploy Preview	https://deploy-preview-1637--polite-licorice-3db33c.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[tangenti]

$flagd.timestamp seems to break this requirement?

[toddbaert]

I guess it depends on whether or not you consider the timestamp an sort of implicit input... We could change it to "predictable" though.

[tangenti]

To me, what users provide through the evaluation API are the input, and timestamp is not there.

[toddbaert]

OK I'll change that to "predictable".

[toddbaert]

Actually I think I'll keep Deterministic (because I believe it still is), but mention the timestamp exception situation.

[tangenti]

I think this depends on the implementation of the eval engine, and less about the language itself.
For example, a JavaScript JSON logic engine had a CVE that allows command injection: https://nvd.nist.gov/vuln/detail/CVE-2021-4329

[toddbaert]

Ya, that's fair. At least at the time, we saw JSONLogic as less likely to have these sort of issues.

[tangenti]

What was the requirement for the typing system back then? Is weakly typed a requirement or a result?

[toddbaert]

Definitely a result.

[tangenti]

What was the biggest concern for Lua?
Lua engine normally comes with a sandboxed VM, which is more lightweight and secure IMO.

[toddbaert]

Lua was something I briefly advocated for, I've had some experience with it doing nginx customization. I remember a community member being opposed to it on the basis of security concerns, and at the time it seemed like a higher bar.

[tangenti]

True, but also there's not much consistency guarantee across languages.

[toddbaert]

Well, there's enough at least that our test suite works in Go, Python, Java, JS, and .NET. It covers every operation and a fair few edge cases: https://github.com/open-feature/flagd-testbed/tree/main/gherkin

I acknowledge there's inconsistencies, particularly around undefineds. It's one of the reasons the JSONLogic org exists (though admittedly it's been hard to make progress with the few volunteers there). I'm sure we could use your help if you're interested in contributing to that.

[toddbaert]

My first alternative in this comment might be a reasonable solution to some implementation inconsistencies. Interested in your take on that; we could do it progressively and it would be non-breaking.

[tangenti]

Mostly due to the JS typing system, JSONLogic's behavior on undefined values (context not provided, for example) can be very confusing. Was this considered and evaluated?

[toddbaert]

I can't recall if that particular behavior was discussed.

[toddbaert]

@tangenti Thanks for the feedback.

I'd like to make it clear that personally, though I think our current JSONLogic implementation(s) are "good enough", I think there's ways to improve, and alternatives. To name a few:

• Leverage WASM and use a single JSON logic implementation, distributed as a module, for maximum implementation coherence
• Work on improving JSONLogic via https://github.com/json-logic/
• Support additional targeting DSLs (Lua, CEL, others), either via WASM or natively.

I would be open to any of the above, and lend my support, if there's engineering effort to spare for these.

[toddbaert]

Since this is historical, I'm merging this.

That doesn't mean it can't be edited or superseded, it's simply an explanation of a previous decision and reflects the current implementation.