Implement Isolated Config (#27)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Kurt McKee <contactme@kurtmckee.org>

Author: 3 people

.gitignore

@@ -7,4 +7,5 @@
 /.tox/
 poetry.lock
 __pycache__/
+.globus_registered_api/
 .venv/

changelog.d/20260212_190533_derek_cli_config_sc_47400.rst

@@ -0,0 +1,5 @@
+
+Changed
+-------
+
+*   Reshape ``RegisteredAPIConfig`` to better align with isolated repository structures.

src/globus_registered_api/config.py

@@ -6,26 +6,124 @@
 from __future__ import annotations
 
 import typing as t
+from pathlib import Path
+from uuid import UUID
 
-from globus_sdk import Scope
+import click
+import openapi_pydantic as oa
+from pydantic import BaseModel
+from pydantic import Field
 
+from globus_registered_api.domain import HTTPMethod
+from globus_registered_api.domain import TargetSpecifier
 
-class RegisteredAPIConfig(t.TypedDict, total=False):
-    openapi_uri: str
-    globus_auth: GlobusAuthConfig
+_CONFIG_PATH = Path(".globus_registered_api/config.json")
 
 
-class GlobusAuthConfig(t.TypedDict, total=False):
-    # Every scope used by the service mapped onto a brief human-readable description.
-    scopes: dict[Scope, ScopeConfig]
+class RegisteredAPIConfig(BaseModel):
+    # Central config, supplied at repository initialization time.
+    core: CoreConfig
 
+    # A list of target configurations.
+    # A target defines maps onto a Registered API to be synchronized via publish.
+    targets: list[TargetConfig]
 
-class ScopeConfig(t.TypedDict, total=False):
-    # A brief human-readable description of the scope.
-    description: str | None
+    # A list of roles, defining access control for identities and groups.
+    # Entities within this list must be unique (w.r.t their type and id).
+    roles: list[RoleConfig]
 
-    # The targets which a caller consents to when consenting to this scope.
-    # Either in the form of:
-    #   * A list of TargetSpecifiers in the form `["POST /v2/obj", "GET /v2/obj/{id}"]`
-    #   * The wildcard character "*", indicating that this scope applies to all targets.
-    targets: t.Sequence[str] | t.Literal["*"]
+    def commit(self) -> None:
+        """
+        Write the current config state to disk.
+        """
+        _CONFIG_PATH.parent.mkdir(exist_ok=True)
+        _CONFIG_PATH.write_text(self.model_dump_json(indent=4))
+
+    @classmethod
+    def load(cls) -> RegisteredAPIConfig:
+        """
+        Read the config from disk, loading it into a RegisteredAPIConfig instance.
+
+        :raises click.Abort: if no config file exists.
+        :raises ValidationError: if the config data is malformed in some way.
+        """
+        if not cls.exists():
+            click.echo("Error: Missing repository config file.")
+            click.echo("Run 'globus-registered-api init' first to create a repository.")
+            raise click.Abort()
+
+        return cls.model_validate_json(_CONFIG_PATH.read_text())
+
+    @classmethod
+    def exists(cls) -> bool:
+        """
+        :return: True if a config file exists on disk, False otherwise.
+        """
+        return _CONFIG_PATH.is_file()
+
+
+class CoreConfig(BaseModel):
+    """
+    A core config entry containing top-level service information.
+    """
+
+    # The common prefix URL for all API targets.
+    base_url: str
+
+    # The OpenAPI specification for this repository.
+    # This must be either an inline OpenAPI document or a file path/URL pointing to one.
+    specification: str | oa.OpenAPI
+
+
+class TargetConfig(BaseModel):
+    """
+    A configuration entry for a single target within a Registered API service.
+    """
+
+    # A relative API path string (e.g., /resource/{id}/action).
+    # This will be appended to the core.base_url to form the full target URL.
+    path: str
+
+    # The HTTP method for this target.
+    method: HTTPMethod
+
+    # A persistent human-readable name for the target.
+    # E.g., create-resource
+    alias: str
+
+    # The list of globus-auth scope strings which independently consent to this target.
+    scope_strings: list[str] = Field(default_factory=list)
+
+    @property
+    def sort_key(self) -> tuple[str, ...]:
+        # Sort by path then method, disambiguating duplicate targets by alias.
+        return self.path, self.method, self.alias
+
+    @property
+    def specifier(self) -> TargetSpecifier:
+        return TargetSpecifier.create(self.method, self.path)
+
+    def __str__(self) -> str:
+        return f"{self.alias} ({self.method} {self.path})"
+
+
+class RoleConfig(BaseModel):
+    """
+    A configuration entry for a single identity or group.
+    """
+
+    # The type of entity this role identifies.
+    #   'identity' refers to an entity as recognized by Globus Auth service.
+    #   'group' refers to a group managed in the Globus Groups service.
+    type: t.Literal["identity", "group"]
+
+    # The UUID of the identity or group.
+    id: UUID
+
+    # The degree of permission granted to this entity.
+    access_level: t.Literal["owner", "admin", "viewer"]
+
+    @property
+    def sort_key(self) -> tuple[str, ...]:
+        # Sort by type, then id for consistent ordering.
+        return self.type, str(self.id)

src/globus_registered_api/domain.py

@@ -106,3 +106,8 @@ def load(cls, value: str) -> TargetSpecifier:
             path=match.group("path"),
             content_type=match.group("content_type") or "*",
         )
+
+    def __str__(self) -> str:
+        if self.content_type == "*":
+            return f"{self.method} {self.path}"
+        return f"{self.method} {self.path} {self.content_type}"

src/globus_registered_api/openapi/enchricher/security_scheme.py

@@ -8,7 +8,7 @@
 from globus_registered_api.config import RegisteredAPIConfig
 
 from .interface import SchemaMutation
-from .security_scheme import InjectDefaultSecuritySchemas
+from .security_scheme import InjectSecuritySchemes
 
 
 class OpenAPIEnricher:
@@ -19,10 +19,8 @@ class OpenAPIEnricher:
     RegisteredAPI.
     """
 
-    def __init__(self, config: RegisteredAPIConfig, environment: str) -> None:
-        self.mutations: list[SchemaMutation] = [
-            InjectDefaultSecuritySchemas(config, environment),
-        ]
+    def __init__(self, config: RegisteredAPIConfig) -> None:
+        self.mutations: list[SchemaMutation] = [InjectSecuritySchemes(config)]
 
     def enrich(self, schema: oa.OpenAPI) -> oa.OpenAPI:
         """