feat(vault): support configurable ENVECTOR_EVAL_MODE (rmp/mm)#60
Draft
heeyeon01 wants to merge 22 commits into
Draft
feat(vault): support configurable ENVECTOR_EVAL_MODE (rmp/mm)#60heeyeon01 wants to merge 22 commits into
heeyeon01 wants to merge 22 commits into
Conversation
…ar (#59) Hardcoded eval_mode="rmp" in vault_core.py prevented connecting to envector-msa >= 1.4.0 which uses MM (Multi-Multiplication) mode. Read eval mode from ENVECTOR_EVAL_MODE env var (default: rmp for backward compat with envector.io cloud / 1.2.x deployments). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Raise ValueError at startup if ENVECTOR_EVAL_MODE is not one of the
supported values {"rmp", "mm"}, so misconfiguration fails fast with a
clear message instead of propagating an opaque SDK error.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…59) Remove cloud/deployment-type framing in favor of version-based guidance, which stays accurate as envector-msa versions evolve. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
|
After envector version v1.4.0, we cannot choose the |
|
As Junghwad said + AFAIK, there is no more 'rmp' mode. mm only. |
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ecurity (#59) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…OM (#59) pyenvector 1.4.0's generate_keys() unconditionally converts the 849MB EvalKey.bin to JSON, OOMing containers under ~8GB. The eval key is unused in MM mode, so monkey-patch KeyManager.eval_bin_to_json to write a 1-byte dummy instead. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…59) Bump MAX_MESSAGE_LENGTH from 256MB to ~1.95GB (under INT32_MAX) so the ~1.2GB EvalKey produced by pyenvector >= 1.4.0 can be transmitted. This replaces the MM-mode eval_bin_to_json skip workaround introduced in eececef, which is no longer needed now that the larger payload fits within the gRPC limit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ndle (#59) Propagate the server's ENVECTOR_TLS setting to agents through the public key bundle so they can match the Vault's enVector connection security mode without separate configuration. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…CT (#59) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Empty vault/proto/__init__.py combined with `vault` on PYTHONPATH made `vault/proto/` register as a top-level `proto` package, shadowing the `proto-plus` package that google-cloud libraries depend on. After pyenvector started importing google.cloud.secretmanager/storage, every test collection failed with `module 'proto' has no attribute 'module'`. Drop the empty __init__.py and import the generated stubs as top-level modules (vault/proto is already on PYTHONPATH). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The installer offered "mm" as an eval mode choice, but vault_core only
accepts {"rmp", "mm32"}, so selecting it produced an invalid config.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…:CryptoLabInc/rune-admin into worktree-issue-59-configurable-eval-mode
vault/ is on PYTHONPATH, so vault/proto/__init__.py made `import proto`
resolve to our empty package instead of the proto-plus PyPI module. With
pyenvector 1.4.0 pulling in google-cloud-secretmanager, `proto.module(...)`
failed at import time — breaking fresh-venv unit test collection and
Docker container startup.
Rename vault/proto/ to vault/_proto/ so the name `proto` no longer exists
in our import path. Update Dockerfile, buf.yaml, proto-gen.sh, .gitignore,
PYTHONPATH in .mise{,ci}.toml, and docs accordingly. Stub imports in
vault_grpc_server.py switch to bare form, matching the style already used
by vault_service_pb2_grpc.py.
This supersedes dad52be (reverted in 839a25a), which deleted __init__.py
without carrying the rename through the rest of the toolchain.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
eval_mode was hardcoded to "rmp" in vault_core.py, blocking users on envector-msa ≥ 1.4.0-alpha which requires "mm" mode. Invalid values also silently propagated to the SDK with an opaque error.
TL;DR
Make FHE eval mode configurable via ENVECTOR_EVAL_MODE env var, with startup-time validation.
Summary
vault_core.py: read ENVECTOR_EVAL_MODE env var (default "mm"), validate against allowlist {"rmp", "mm"} in ensure_vault() — invalid values raise ValueError with a clear message at startupdocker-compose.yml: expose ENVECTOR_EVAL_MODE=${ENVECTOR_EVAL_MODE:mm} to the container.env.example: document rmp vs mm difference and the key-regeneration requirementtests/unit/test_eval_mode.py: 7 unit tests covering env var reading, ev.init() call args, and allowlist guard behaviorAlternatives
Test plan