[#1654] Added config verification check to provision.sh.

[AlexSkrypnyk]

Closes #1654

Summary by CodeRabbit

• New Features

  • Added configuration verification during database provisioning to detect and prevent unintended configuration changes after database updates.

• Documentation

  • Updated provisioning documentation to include the new configuration verification step in the provisioning workflow.

• Tests

  • Added test coverage for configuration verification scenarios during provisioning.

[coderabbitai]

Walkthrough

A new feature flag VORTEX_PROVISION_VERIFY_CONFIG_UNCHANGED_AFTER_UPDATE prevents provisioning from silently overwriting configuration modified by database update hooks. When enabled, the provisioning script exports active configuration before and after database updates, compares them, and fails if differences are detected. Documentation and test coverage were added.

Changes

Cohort / File(s)	Summary
Configuration & Documentation .env, .vortex/docs/content/development/variables.mdx, .vortex/docs/content/drupal/provision.mdx	Added environment variable definition and documentation entries for the new config verification feature; updated provisioning workflow documentation to reflect new verification step 7 and renumbered sanitization step to 8.
Implementation scripts/vortex/provision.sh	Added conditional verification logic that exports configuration before/after database updates, performs diff comparison, and fails provisioning with detailed output if changes are detected; includes preflight checks for required utilities (diff, mktemp).
Test Coverage .vortex/tests/bats/unit/provision.bats	Added two new test cases: one verifying config remains unchanged after updates, and one asserting provisioning fails when config is modified by updatedb hooks; tests follow existing patterns for DB-driven provisioning scenarios.

Sequence Diagram

sequenceDiagram
    participant Provisioning as Provisioning Script
    participant Drush
    participant ConfigBefore as Config Export (Before)
    participant ConfigAfter as Config Export (After)
    participant Diff as Diff Comparison
    participant FileSystem as File System

    rect rgba(100, 150, 200, 0.5)
        Note over Provisioning: VORTEX_PROVISION_VERIFY_CONFIG_UNCHANGED_AFTER_UPDATE enabled
    end

    Provisioning->>Drush: drush config:export (pre-update)
    Drush->>ConfigBefore: Write config snapshot
    ConfigBefore->>FileSystem: Store to temp directory

    rect rgba(150, 150, 100, 0.5)
        Provisioning->>Drush: drush updatedb (run updates)
    end

    Provisioning->>Drush: drush config:export (post-update)
    Drush->>ConfigAfter: Write config snapshot
    ConfigAfter->>FileSystem: Store to temp directory

    rect rgba(200, 150, 150, 0.5)
        Provisioning->>Diff: Compare pre and post config
        Diff->>FileSystem: Recursive diff
    end

    alt Differences detected
        Diff-->>Provisioning: Diff output with changes
        Provisioning->>Provisioning: FAIL provisioning<br/>Output diff & paths
    else No differences
        Diff-->>Provisioning: No output
        Provisioning->>Provisioning: Continue provisioning
    end

    Provisioning->>FileSystem: Clean temp directories

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Simplified provision to use direct commands. #2303: Also modifies the provisioning flow, database update steps, and related tests with configuration handling logic.
• Fixed provision script erroneously using DRUPAL_CONFIG_PATH variable. #1757: Also modifies config-handling logic in scripts/vortex/provision.sh, including site config file checks and config export operations.

Suggested labels

PR: Needs review

Poem

🐰 A guard against the config drift so deep,
We export before the updates creep,
Then check again, make sure it's right,
Or fail the build and shed some light!
No silent overwrites in the dark,
Just honest diffs that leave a mark. 🔍

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main change: adding a config verification check to provision.sh, and references the issue number for traceability.
Linked Issues check	✅ Passed	The pull request fully implements the requirements from issue #1654: introduces VORTEX_PROVISION_VERIFY_CONFIG_UNCHANGED_AFTER_UPDATE to detect config changes from hooks and fail provisioning when config is modified.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing the config verification feature: environment variable definition, documentation updates, test cases, and the core verification logic in provision.sh.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/1654-fail-config-update

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.vortex/docs/content/development/variables.mdx:
- Line 404: The docs incorrectly list the default for the environment variable
VORTEX_PROVISION_VERIFY_CONFIG_UNCHANGED_AFTER_UPDATE as UNDEFINED; update the
table entry to show the concrete default value 0 so it matches the runtime
default set by the provisioning script (the variable uses shell parameter
expansion to default to 0 when unset).

In `@scripts/vortex/provision.sh`:
- Around line 316-343: Add a brief inline comment near the block that creates
and conditionally removes the temp dirs (around variables config_before and
config_after and the rm -rf call) stating that the temporary export directories
are intentionally preserved when configuration drift is detected (i.e., when
fail is invoked) to allow debugging/inspection, while they are removed on
success (pass), so the preserved dirs are not a resource leak but expected
behavior; place the comment just above the config_before/config_after creation
or just above the rm -rf to make the intent clear next to the relevant symbols.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for the variable and its context in provision.sh
rg -n -C5 'VORTEX_PROVISION_VERIFY_CONFIG_UNCHANGED_AFTER_UPDATE' scripts/vortex/provision.sh

Repository: drevops/vortex

Length of output: 1967

---

Update documentation: default value should be 0, not UNDEFINED.

Line 404 documents the default as UNDEFINED, but scripts/vortex/provision.sh line 45 sets the actual default to 0:

VORTEX_PROVISION_VERIFY_CONFIG_UNCHANGED_AFTER_UPDATE="${VORTEX_PROVISION_VERIFY_CONFIG_UNCHANGED_AFTER_UPDATE:-0}"

Update the table to reflect the concrete default value of 0.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/docs/content/development/variables.mdx at line 404, The docs
incorrectly list the default for the environment variable
VORTEX_PROVISION_VERIFY_CONFIG_UNCHANGED_AFTER_UPDATE as UNDEFINED; update the
table entry to show the concrete default value 0 so it matches the runtime
default set by the provisioning script (the variable uses shell parameter
expansion to default to 0 when unset).

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider documenting that temp directories are intentionally preserved on failure.

The implementation correctly preserves the config_before and config_after directories when configuration drift is detected (lines 332-333), allowing users to inspect the differences. However, these directories are cleaned up on success (line 338) but not on failure.

This is good behavior for debugging, but consider adding a brief comment noting this is intentional, as it could appear to be a resource leak at first glance.

💡 Optional: Add clarifying comment

   if [ -n "${config_diff}" ]; then
     fail "Configuration was changed by database updates."
     note "The following configuration files were changed:"
     echo "${config_diff}"
+    # Preserving temp directories for inspection - not cleaning up intentionally.
     note "Configuration before updates: ${config_before}"
     note "Configuration after updates:  ${config_after}"
     note "Review the update hooks and manually export updated configuration."
     exit 1
   fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/vortex/provision.sh` around lines 316 - 343, Add a brief inline
comment near the block that creates and conditionally removes the temp dirs
(around variables config_before and config_after and the rm -rf call) stating
that the temporary export directories are intentionally preserved when
configuration drift is detected (i.e., when fail is invoked) to allow
debugging/inspection, while they are removed on success (pass), so the preserved
dirs are not a resource leak but expected behavior; place the comment just above
the config_before/config_after creation or just above the rm -rf to make the
intent clear next to the relevant symbols.

[AlexSkrypnyk]

Code Coverage Report:
  2026-02-18 10:51:22

 Summary:
  Classes:  0.00% (0/1)
  Methods:  0.00% (0/2)
  Lines:   94.65% (177/187)

[github-actions]

Code Coverage Report:
  2026-02-18 10:53:31

 Summary:
  Classes:  0.00% (0/1)
  Methods:  0.00% (0/2)
  Lines:   94.65% (177/187)

[AlexSkrypnyk]

Code Coverage Report:
  2026-02-18 10:54:30

 Summary:
  Classes:  0.00% (0/1)
  Methods:  0.00% (0/2)
  Lines:   94.65% (177/187)

[AlexSkrypnyk]

Code Coverage Report:
  2026-02-18 10:54:37

 Summary:
  Classes:  0.00% (0/1)
  Methods:  0.00% (0/2)
  Lines:   94.65% (177/187)

[codecov]

Codecov Report

❌ Patch coverage is 88.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.19%. Comparing base (7978686) to head (b270ba7).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
scripts/vortex/provision.sh	88.00%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2304      +/-   ##
==========================================
- Coverage   77.72%   77.19%   -0.54%     
==========================================
  Files         117      110       -7     
  Lines        6182     6047     -135     
  Branches       44        0      -44     
==========================================
- Hits         4805     4668     -137     
- Misses       1377     1379       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.