ed
7bcb5a8c07
Eliminates 22 call sites that bypassed the AppController state owner
and read/wrote config.toml directly. AppController is now the single
source of truth for self.config; gui_2.py, commands.py, etc. go
through controller.save_config() / controller.load_config().
Production changes:
- src/models.py: rename load_config -> _load_config_from_disk,
save_config -> _save_config_to_disk (private I/O primitives)
- src/app_controller.py: add public load_config()/save_config() methods
that own the state. Update 3 internal call sites and 3 ConductorEngine
call sites to pass max_workers from self.config
- src/multi_agent_conductor.py: ConductorEngine.__init__ now takes
max_workers as a parameter (caller responsibility, not I/O primitive)
- src/external_editor.py: get_default_launcher() takes config as a
parameter; gui_2.py:1311,4776 pass app.config
- src/gui_2.py: 17 sites of models.save_config(X.config) replaced with
X.save_config() (delegates via __getattr__ to controller)
- src/commands.py: save_all() uses app.save_config()
Test changes (route through controller, not I/O primitive):
- tests/conftest.py: mock_app and app_instance fixtures now patch
AppController.load_config/save_config instead of models I/O primitives
- 18 other test files: patches renamed from models._save_config_to_disk
to AppController.save_config (and same for load_config)
- tests/test_app_controller_mcp.py: use SLOP_CONFIG env var instead of
patching removed CONFIG_PATH module constant
- tests/test_parallel_execution.py: pass max_workers=2 explicitly to
ConductorEngine (caller no longer reads config)
- tests/test_gui_paths.py: add save_config=MagicMock() to MockApp;
assert on controller method, not I/O primitive
- tests/test_models_no_top_level_tomli_w.py: still calls private
_save_config_to_disk directly (the only allowed exception; tests
the lazy-load behavior of the primitive itself)
New files:
- scripts/audit_no_models_config_io.py: enforces the rule (--strict,
--json modes; AST-based docstring detection to avoid false positives)
- conductor/code_styleguides/config_state_owner.md: documents the rule
Verification:
- 67 targeted tests pass
- scripts/audit_no_models_config_io.py --strict returns 0
This is the architectural cleanup that surfaced during the
audit_architectural_cheats_20260607 review. Closes the smoke-gun
CONFIG_PATH module constant (already done in 0c7ebf22) AND the
free-function models.load_config/save_config smell.
[conductor(checkpoint): config-iO-refactor-20260607]
3.8 KiB
3.8 KiB
Config I/O State Ownership
Rule: The AppController is the single source of truth for the
in-memory config (self.config) and the only authorized caller of
the file I/O primitives in src/models.py.
Why
- The controller owns the in-memory state. If other modules
write to
config.tomldirectly, the controller'sself.configsilently drifts from disk. Tests can corrupt the user's TOML files; users lose data without warning. - Test isolation breaks. When
models.save_config(...)is called from anywhere insrc/, tests cannot intercept the write without patching the I/O primitive. The test then couples to the file format, not the controller's behavior. - Path resolution can't be enforced. The controller respects
SLOP_CONFIGenv var at call time. Direct calls tomodels.save_configwould only respect it if the path is re-resolved (which it is in_save_config_to_disk, but only because someone remembered).
What is Forbidden in src/
models.load_config(...)(legacy public function)models.save_config(...)(legacy public function)models._load_config_from_disk(...)(private I/O primitive)models._save_config_to_disk(...)(private I/O primitive)
The only allowed call sites are inside AppController itself
(load_config() and save_config() methods).
The Public API
# In AppController:
def load_config(self) -> Dict[str, Any]:
"""Re-read the global config.toml from disk and update self.config."""
self.config = models._load_config_from_disk()
return self.config
def save_config(self) -> None:
"""Flush self.config to disk."""
models._save_config_to_disk(self.config)
Callers (including gui_2.py, commands.py, etc.) go through
the controller:
# In App class methods (gui_2.py): __getattr__ delegates to controller
self.save_config() # -> controller.save_config()
app.save_config() # -> controller.save_config() (via __getattr__)
app.load_config() # -> controller.load_config() (via __getattr__)
# In AppController:
self.save_config() # direct
self.load_config() # direct
Test Patterns
Tests should mock the controller methods, not the I/O primitives:
# CORRECT: route through the controller
with patch('src.app_controller.AppController.load_config',
return_value={'ai': {...}, 'projects': {...}}):
app = App() # controller's load_config returns the mock
with patch('src.app_controller.AppController.save_config'):
app._save_paths() # controller's save_config is a no-op
app.save_config.assert_called_once() # verify the call
# WRONG: patch the I/O primitive
with patch('src.models._save_config_to_disk'): # bypasses the controller
app._save_paths() # still hits the I/O primitive if production bypasses
The mock_app and app_instance fixtures in tests/conftest.py
follow the correct pattern: they patch
AppController.load_config and AppController.save_config to
prevent real I/O and to provide a default config.
Exceptions
The only allowed non-controller call site is the
test_models_no_top_level_tomli_w.py test, which specifically
verifies the lazy-load behavior of the I/O primitive itself
(tomli_w import timing). This test is exempt from the audit.
Enforcement
The scripts/audit_no_models_config_io.py script enforces this rule.
python scripts/audit_no_models_config_io.py— human reportpython scripts/audit_no_models_config_io.py --strict— exit 1 on violationpython scripts/audit_no_models_config_io.py --json— machine output
CI should run the --strict mode on every PR.
See Also
docs/guide_app_controller.md— the AppController's roledocs/guide_models.md— the models moduleconductor/product.md— "Modular Controller Pattern" principle