feat(line): first-class [line] trust section (Phase 1)#1365
Conversation
Add a [line] config section for L3 identity trust, replacing the uniform GATEWAY_ALLOW_ALL_USERS/GATEWAY_ALLOWED_USERS env vars for LINE. First slice of #1355, mirroring the [telegram] pattern (#1297). - config.rs: LineConfig { allow_all_users, allowed_users } with LINE_ALLOW_ALL_USERS / LINE_ALLOWED_USERS env fallbacks and deny-all default (identity-trust-none ADR). Trust-only by design — channel credentials stay on LINE_CHANNEL_SECRET / LINE_CHANNEL_ACCESS_TOKEN. - main.rs: [line] (or LINE_* env) overrides the uniform GATEWAY_* seed in the trust registry, exactly like the telegram override. When LINE is active and still driven by the legacy GATEWAY_* env, log a Phase 1 deprecation warning (becomes an error in Phase 2, #1356). - docs: config.toml.example, config-reference.md ([line] section), line.md (User Trust section + env table). - tests: TOML parse + all env resolution scenarios in one test fn (env-race safety, same pattern as telegram_resolve_all_scenarios). Group policy (open/members) and Reply-API deny-echo are follow-ups on the issue. Refs #1355, umbrella #1356, ADR #1291.
|
Note LGTM ✅ — Clean first-class What This PR DoesLINE identity trust was tied to the uniform How It Works
Findings
What's Good (🟢)
Baseline Check
5️⃣ Three Reasons We Might Not Need This PR
|
…(Phase 1)
Clone the [line] pattern to the three remaining gateway platforms via a
shared PlatformTrustConfig (allow_all_users/allowed_users with
{PREFIX}_ALLOW_ALL_USERS / {PREFIX}_ALLOWED_USERS env fallbacks and
deny-all default). Env prefixes follow the adapters' existing
conventions: WECOM, GOOGLE_CHAT, TEAMS.
main.rs gains a platform_trust_override helper that applies the
first-class section (or its env) over the uniform GATEWAY_* seed, and
logs the shared Phase 1 deprecation warning when an active platform is
still trust-driven by the legacy env (activity signals: WECOM_CORP_ID,
GOOGLE_CHAT_ENABLED, TEAMS_APP_ID — same as has_unified_platform_env).
Trust-only by design: platform credentials stay on the gateway env
vars. Platforms needing richer trust fields later (trusted_bot_ids for
wecom/teams per their issues) graduate to their own struct, as LINE
will for group policy.
Docs: config.toml.example, config-reference.md (combined section with
per-platform sender-ID formats), wecom.md, google-chat.md,
msteams-selfhosted.md.
Refs #1358 #1359 #1360, umbrella #1356, ADR #1291. Stacked on #1365.
What problem does this solve?
LINE trust is currently controlled only by the uniform
GATEWAY_ALLOW_ALL_USERS/GATEWAY_ALLOWED_USERSenv vars, which apply to ALL gateway platforms at once — no per-platform granularity. Since the Phase 3 deny-all default flip, LINE deployments must setGATEWAY_ALLOW_ALL_USERS=true(opening every gateway platform) just to keep LINE working — the exact operator pain reported on the issue.First slice of #1355 (umbrella #1356): a first-class
[line]section, mirroring the[telegram]pattern from #1297. Group policy (open/members) and Reply-API deny-echo remain on the issue as follow-ups.At a Glance
Proposed Solution
crates/openab-core/src/config.rs—LineConfig { allow_all_users: Option<bool>, allowed_users: Option<Vec<String>> }with per-field resolution[line]→LINE_ALLOW_ALL_USERS/LINE_ALLOWED_USERSenv → deny-all default (identity-trust-none ADR). Trust-only by design: channel credentials stay on theLINE_CHANNEL_SECRET/LINE_CHANNEL_ACCESS_TOKENenv vars the webhook adapter reads.src/main.rs— the resolved[line]values override the uniformGATEWAY_*seed in the trust registry, exactly like the telegram override (also resolves env-only, matching the Telegram pattern). When no first-class LINE trust config exists, the unified LINE adapter is active, and the legacyGATEWAY_*env is set, a Phase 1 deprecation warning tells operators to migrate before Phase 2 turns it into an error.config.toml.example[line]block,docs/config-reference.mdnew## [line]section,docs/line.mdUser Trust section + env var table rows with the deprecation callout.Why this approach?
Backward-compatible by construction: existing LINE deployments driven by
GATEWAY_*env keep working unchanged (warning only, per the umbrella's Phase 1 → 2 → 3 plan), and the[line]override is opt-in. Reuses the exact[telegram]resolution/override shape (#1297), so the remaining platforms (#1358–#1360) become mechanical clones of this PR.Validation
At
57cc547(macOS arm64, rebased on2f0342b):cargo clippy --workspace --all-features -- -D warnings— cleancargo clippy --workspace -- -D warnings(default features) — cleancargo check -p openab-core --no-default-features— passcargo check --features unified(line feature on) — passcargo test -p openab-core --all-features— 656 passed, 1 failed:secrets::tests::resolve_exec_nonzero_exit, the known pre-existing macOS-only failure (also fails on unmodifiedmain)rustfmt --check— no new drift (config.rs 0→0, main.rs 4→4 vsmainbaseline)docs/platforms/schema/line.tomlreviewed: its trust-gate claims describe the shared ingress gate, which is unchanged by this PR — no schema update required (conformance CI not triggered).Tests
line_section_parses_from_toml—[line]parse + absent-section →Noneline_resolve_all_scenarios— six env-resolution scenarios in one test fn (env vars are process-global; single-fn pattern mirrorstelegram_resolve_all_scenariosfor parallel-test safety): deny-all default, config-wins-over-env, comma-separated env fallback with trimming, empty-string flag treated as unset,"0"/"false"parsing, explicit empty list = deny-allRefs #1355 (first slice — group policy + Reply-API deny-echo remain), umbrella #1356, ADR #1291.