Problem — a silent misconfiguration footgun
autumn deploy up uploads only three things to the host: the release binary ({release}/{app}), the 0600 env file ({app_dir}/shared/autumn.env, containing only AUTUMN_SECURITY__SIGNING_SECRET and, for DB-backed apps, AUTUMN_DATABASE__URL), and the systemd unit. It does not copy the project's autumn.toml.
The generated unit sets WorkingDirectory to the release dir (which contains only the binary) and does not set AUTUMN_MANIFEST_DIR, so at runtime find_config_file_named("autumn.toml") finds nothing and config load returns None. Every non-secret setting therefore resolves to its default on the server, layered only with the two secret env values. autumn build --embed bakes in static assets + i18n locales only — not config.
Net effect: a deployed app can pass health/readiness checks while silently running defaults for auth, jobs/scheduler backend, health/telemetry paths, CORS, trusted-hosts, signing-secret rotation (previous_secrets), and any other […] you set — i.e. a different configuration than the one you tested locally. The operator gets no signal.
Current mitigations (manual, awkward)
- Hand-place
autumn.toml in each ephemeral timestamped release dir on the host, or
- Hand-maintain
AUTUMN_* env overrides in shared/autumn.env duplicating every non-default toml setting.
Documented as a known limitation in docs/guide/deployment.md (via #1950).
Proposed fix
Upload the app's config as part of the deploy — e.g. copy autumn.toml into the release dir, or into shared/ with the systemd unit pointing AUTUMN_MANIFEST_DIR at it so it persists across releases.
Design questions to resolve
- Which config to deploy — the raw
autumn.toml, or the merged/profile-resolved effective config? (Profiles + .env layering happen at load time; the host won't have the local .env.)
- Secrets stay out of it — secrets must remain in the
0600 env file, never written into a world-readable autumn.toml on the host.
- Profile/
.env parity — decide how .env.<profile> layering is represented on the host (env file vs uploaded dotenv), so the deployed effective config matches intent.
Part of #1607 (follow-up to the deploy execution slices). Surfaced by Codex review on #1950.
Problem — a silent misconfiguration footgun
autumn deploy upuploads only three things to the host: the release binary ({release}/{app}), the0600env file ({app_dir}/shared/autumn.env, containing onlyAUTUMN_SECURITY__SIGNING_SECRETand, for DB-backed apps,AUTUMN_DATABASE__URL), and the systemd unit. It does not copy the project'sautumn.toml.The generated unit sets
WorkingDirectoryto the release dir (which contains only the binary) and does not setAUTUMN_MANIFEST_DIR, so at runtimefind_config_file_named("autumn.toml")finds nothing and config load returnsNone. Every non-secret setting therefore resolves to its default on the server, layered only with the two secret env values.autumn build --embedbakes in static assets + i18n locales only — not config.Net effect: a deployed app can pass health/readiness checks while silently running defaults for auth, jobs/scheduler backend, health/telemetry paths, CORS, trusted-hosts, signing-secret rotation (
previous_secrets), and any other[…]you set — i.e. a different configuration than the one you tested locally. The operator gets no signal.Current mitigations (manual, awkward)
autumn.tomlin each ephemeral timestamped release dir on the host, orAUTUMN_*env overrides inshared/autumn.envduplicating every non-default toml setting.Documented as a known limitation in
docs/guide/deployment.md(via #1950).Proposed fix
Upload the app's config as part of the deploy — e.g. copy
autumn.tomlinto the release dir, or intoshared/with the systemd unit pointingAUTUMN_MANIFEST_DIRat it so it persists across releases.Design questions to resolve
autumn.toml, or the merged/profile-resolved effective config? (Profiles +.envlayering happen at load time; the host won't have the local.env.)0600env file, never written into a world-readableautumn.tomlon the host..envparity — decide how.env.<profile>layering is represented on the host (env file vs uploaded dotenv), so the deployed effective config matches intent.Part of #1607 (follow-up to the deploy execution slices). Surfaced by Codex review on #1950.