
CLI deploy: env layering and secrets-aware sync #148

Merged: antidmg merged 1 commit into main from feat/deploy-env-secrets-sync on Mar 13, 2026

@antidmg antidmg commented Mar 13, 2026

Summary

  • add deploy-time env parsing from --env-file and repeated --env KEY=VALUE flags with deterministic precedence
  • share env expansion behavior through runtime validation helpers so deploy/serve execution paths stay aligned
  • persist deploy env checksums in CLI state and avoid skipping deploy when only secrets changed
  • keep deploy file scanning safe by excluding local config and env files from uploaded app content

Summary by CodeRabbit

Release Notes

  • New Features

    • Support for passing environment variables via command flags and .env files during deployment
    • Secret management for deployed applications (list, set, and delete secrets)
    • .statespaceignore file support to exclude files from deployment
    • Persistent deployment state tracking for improved redeploy decisions
  • Bug Fixes

    • .env files are no longer automatically loaded during serve operations

coderabbitai Bot commented Mar 13, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f2b28101-cb47-4e80-9ed4-c5264596fa26

📥 Commits

Reviewing files that changed from the base of the PR and between fb114d9 and 440d8cc.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (11)
  • binaries/statespace-cli/Cargo.toml
  • binaries/statespace-cli/src/args.rs
  • binaries/statespace-cli/src/commands/deploy.rs
  • binaries/statespace-cli/src/commands/env.rs
  • binaries/statespace-cli/src/commands/mod.rs
  • binaries/statespace-cli/src/commands/serve.rs
  • binaries/statespace-cli/src/config.rs
  • binaries/statespace-cli/src/gateway/client.rs
  • binaries/statespace-cli/src/main.rs
  • binaries/statespace-cli/src/state.rs
  • binaries/statespace-cli/tests/serve_query_env_integration.rs

Walkthrough

The PR adds environment variable and secret management to the CLI, introducing persistent deploy state, support for environment file and CLI flag overrides, secret synchronization during deployment, and .statespaceignore file support for excluding files from deployment.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependencies: binaries/statespace-cli/Cargo.toml | Added ignore = "0.4.25" dependency for file matching against ignore rules. |
| Deploy State & Persistence: binaries/statespace-cli/src/state.rs, binaries/statespace-cli/src/main.rs | Introduced DeployState structure with load/save mechanisms for persistent deployment metadata (deployment ID, name, URL, auth token, checksums). Updated deploy command call sites to pass config_path to run_deploy. |
| Environment Variable Management: binaries/statespace-cli/src/commands/env.rs, binaries/statespace-cli/src/config.rs, binaries/statespace-cli/src/args.rs | Added resolve_env_overrides function to merge env from config, env files, and CLI flags with proper precedence. Added load_merged_app_env to merge global and app-specific environment variables. Extended AppDeployArgs with env_vars and env_file fields. |
| Secret Management & Deployment Logic: binaries/statespace-cli/src/commands/deploy.rs, binaries/statespace-cli/src/gateway/client.rs | Enhanced DeployGateway trait with list_secret_keys, set_secret, and delete_secret methods. Updated deploy flow to synchronize environment secrets after app deployment. Added .statespaceignore support and ignore matcher to exclude local config/env files and respect ignore rules during file collection. |
| Command Integration: binaries/statespace-cli/src/commands/mod.rs, binaries/statespace-cli/src/commands/serve.rs | Exposed new env module. Updated serve command to use load_merged_app_env and resolve_env_overrides for environment loading instead of inline parsing, simplifying env handling. |
| Integration Tests: binaries/statespace-cli/tests/serve_query_env_integration.rs | Added test verifying .env files are not auto-loaded by the serve command. |

Sequence Diagram

sequenceDiagram
    participant CLI as User/CLI
    participant DeployCmd as Deploy Command
    participant Config as Config/Env System
    participant Gateway as Gateway/Client
    participant Remote as Remote API

    CLI->>DeployCmd: run_deploy(args, config_path)
    DeployCmd->>Config: load_merged_app_env(config_path, app_dir)
    Config-->>DeployCmd: merged_env: HashMap
    DeployCmd->>Config: resolve_env_overrides(env, flags, file)
    Config-->>DeployCmd: resolved_env: HashMap
    DeployCmd->>DeployCmd: checksum_env_map(resolved_env)
    DeployCmd->>Gateway: create/upsert app deployment
    Gateway->>Remote: POST /apps (with deployment)
    Remote-->>Gateway: success
    DeployCmd->>Gateway: list_secret_keys(environment_id)
    Gateway->>Remote: GET /secrets (environment_id)
    Remote-->>Gateway: [existing_keys]
    DeployCmd->>DeployCmd: sync_environment_secrets(desired, existing)
    DeployCmd->>Gateway: set_secret(environment_id, key, value)
    Gateway->>Remote: POST /secrets (key, value)
    Remote-->>Gateway: success
    DeployCmd->>Gateway: delete_secret(environment_id, old_key)
    Gateway->>Remote: DELETE /secrets (old_key)
    Remote-->>Gateway: success
    DeployCmd->>DeployCmd: save_state(checksums, sync_summary)
    DeployCmd-->>CLI: deployment complete

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~65 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 58.44% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically describes the main changes: environment layering for deploy and secrets-aware synchronization. |
| Description check | ✅ Passed | The PR description includes all required template sections (Summary, Changes, Testing checklist, and a Checklist item for docs). However, the description uses a customized validation approach with specific cargo commands rather than the exact checklist format specified in the template. |


@antidmg antidmg force-pushed the feat/deploy-env-secrets-sync branch from fb114d9 to 440d8cc Compare March 13, 2026 15:30
@antidmg antidmg merged commit 8e7b665 into main Mar 13, 2026
5 checks passed
@antidmg antidmg deleted the feat/deploy-env-secrets-sync branch March 13, 2026 15:31
@coderabbitai coderabbitai Bot mentioned this pull request Apr 22, 2026
4 tasks
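
The env layering, env checksum and secret-sync steps described in the walkthrough above, as an added Rust example that is not code from this PR or from the statespace project. The function names, the precedence order (config, then env file, then --env flags), the KEY=VALUE file format and the FNV-1a checksum are assumptions made for illustration; sample values are constructed.

```rust
use std::collections::{BTreeMap, BTreeSet};
type Env = BTreeMap<String, String>;

// Split on the first '=' only, so values may contain '='. Errors never echo the input.
fn parse_pair(s: &str) -> Result<(String, String), String> {
    match s.split_once('=') {
        Some((k, v)) if !k.trim().is_empty() => Ok((k.trim().to_string(), v.to_string())),
        _ => Err("expected KEY=VALUE".to_string()),
    }
}

// Assumed precedence, lowest to highest: config < env file < --env flags.
fn resolve(config: &Env, file_lines: &[&str], flags: &[&str]) -> Result<Env, String> {
    let mut out = config.clone();
    let file = file_lines.iter().map(|l| l.trim()).filter(|l| !l.is_empty() && !l.starts_with('#'));
    for entry in file.chain(flags.iter().copied()) {
        let (k, v) = parse_pair(entry)?;
        out.insert(k, v);
    }
    Ok(out)
}

// Order-independent checksum (FNV-1a as a stand-in); length prefixes keep "AB"+"C" distinct from "A"+"BC".
fn checksum_env(env: &Env) -> u64 {
    let mut h: u64 = 0xcbf29ce484222325;
    for part in env.iter().flat_map(|(k, v)| [k, v]) {
        let len = (part.len() as u64).to_le_bytes();
        for b in len.iter().chain(part.as_bytes()) {
            h = (h ^ u64::from(*b)).wrapping_mul(0x100000001b3);
        }
    }
    h
}

// The remote lists keys only, so every desired key is written and stale remote keys are deleted.
fn plan_sync(desired: &Env, remote_keys: &BTreeSet<String>) -> (Vec<String>, Vec<String>) {
    let delete = remote_keys.iter().filter(|k| !desired.contains_key(*k)).cloned().collect();
    (desired.keys().cloned().collect(), delete)
}

// Skip only when both the file checksum and the env checksum match the saved state.
fn should_skip(saved: Option<(u64, u64)>, files: u64, env: u64) -> bool {
    saved == Some((files, env))
}

fn main() {
    let env = resolve(&Env::new(), &["# constructed sample", "LOG=debug"], &["TOKEN=a=b"]).unwrap();
    println!("{:?} checksum={:016x}", env.keys().collect::<Vec<_>>(), checksum_env(&env));
}
```

Because the remote side returns key names only, a rotated value is visible to the client solely through the env checksum kept in local state, which is why that checksum has to take part in the skip decision.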