musiclink/docs/reviews/config-packaging.md

Code Review: Config & Packaging

Scope

• pkg/config/
• config.example.toml
• go.mod, go.sum
• flake.nix
• vendor/

Findings

✅ Strengths

• Config validation enforces required Matrix fields and defaults state store path.
• Example config mirrors the runtime schema and is easy to follow.
• Nix flake uses buildGoModule and includes systemd hardening defaults.

⚠️ Issues / Opportunities

1. vendorHash = null hides dependency drift

   • flake.nix is set to vendorHash = null, so Nix will accept the vendor tree without integrity verification.
   • Consider pinning a hash once the vendor tree is stable.

2. Go toolchain version mismatch in dev shell

   • go.mod specifies Go 1.24.0, but the dev shell uses pkgs.go (likely 1.23).
   • Consider pinning go_1_24 in devShell to match the module requirement.

3. Config file parsing assumes local disk

   • Config load is file-only; no env overrides for access tokens.
   • Consider documenting secret handling if deploying in production.

Notes

• config.toml is ignored by git; ensure deployments generate a proper Matrix config.