ci(config): enforce lowerCamelCase and max depth in reference.conf

[bladehan1]

What does this PR do?

Adds a CI gate that scans common/src/main/resources/reference.conf and fails the build when any key violates either of:

1. Every named path segment matches ^[a-z][a-zA-Z0-9]*$ (lowerCamelCase — required by ConfigBeanFactory auto-binding).
2. Total path depth is <= 6. Each list/array step counts as one additional level — e.g. rate.limiter.rpc[].component is depth 5 (rate=1, limiter=2, rpc=3, []=4, component=5).

Implementation:

• .github/scripts/check_reference_conf.py — parses via pyhocon, the reference Python HOCON implementation. Returns a fully-merged ConfigTree where dotted-form keys expand into nested objects — the same canonical key set Typesafe Config / ConfigBeanFactory see at runtime. Handles triple-strings, substitutions, includes, +=, block comments, etc. without us re-implementing the grammar.
• Walker recurses into object elements of arrays so inner fields (e.g. each entry in rate.limiter.rpc = [{ component=..., ... }]) are validated the same way. Element keys are deduplicated across list entries because well-formed arrays use homogeneous object shapes.
• Violation checks apply only to leaf keys — a single user-declared deep key produces exactly one report (not once per intermediate node along the way).
• Integrated as a Validate reference.conf key names and depth step in the existing checkstyle job of .github/workflows/pr-check.yml — saves runner-minutes vs a standalone workflow.
• On violation: emits one consolidated GHA annotation (::error file=...) with all entries packed via %0A so they show in the Checks panel; sys.exit(1) is the sole failure driver (no exit 1 in the workflow shell wrapper).
• --debug flag prints every parsed key with its depth in walk order; trailing / marks namespace intermediates. Useful for manual verification against the source file.

Why are these changes required?

Without an automated gate, key names in reference.conf have drifted: 4 legacy keys (node.http.PBFTEnable, node.http.PBFTPort, node.rpc.PBFTEnable, node.rpc.PBFTPort) start with an uppercase acronym and require manual normalization in Args.java. Each additional drift costs reviewer attention and risks silent ConfigBeanFactory binding failures.

The 4 existing violators are grandfathered via an explicit ALLOWLIST so the gate fails only on new violations.

This PR has been tested by:

• Unit Tests — local dry-run on common/src/main/resources/reference.conf returns OK: ... 294 keys, all lowerCamelCase, depth <= 6 (exit 0). The 294 includes 13 array-element fields under genesis.block.assets[], genesis.block.witnesses[], and event.subscribe.topics[].
• Manual Testing — injected probes on a throw-away file: a bad-cased key, a name with an underscore, a name starting with a digit, and a 7-level nested chain (one over the limit). The gate failed with one report line per declaration and a consolidated ::error annotation; reverting passes again.
• --debug output manually eyeballed against the source file; depth column shows the [] array steps explicitly so MAX_DEPTH math is verifiable by inspection.

Follow up

• Out of scope here, but could be tackled later: renaming the 4 PBFT keys (requires a compatibility shim in Args.java since user config.conf files use the legacy names).
• A separate gate to confirm bean-field ↔ key parity (each new key has a matching XxxConfig.java field) — deliberately not coupled with this PR.

Extra details

• MAX_DEPTH = 6 (current max is 5, one level of headroom).
• KEY_REGEX = ^[a-z][a-zA-Z0-9]*$; allowlist contains exactly the 4 PBFT keys.
• pBFTExpireNum, allowPBFT, isOpenFullTcpDisconnect start with lowercase and pass the regex unchanged.
• Commented-out examples in reference.conf (e.g. node.shutdown.BlockTime) are not seen by pyhocon, so they don't need to be allowlisted.

---

Summary by cubic

Adds a CI gate to enforce lowerCamelCase and a max depth of 5 for reference.conf keys, including keys inside arrays. Uses pyhocon, emits one consolidated ::error on violations, allowlists four legacy PBFT* keys, and supports --debug.

• New Features
  • Runs .github/scripts/check_reference_conf.py in the checkstyle job.
  • Sets up Python 3.11 with pip cache and installs pinned pyhocon from .github/scripts/requirements.txt in .github/workflows/pr-check.yml.

^{Written for commit 33928a0. Summary will update on new commits. Review in cubic}

Summary by CodeRabbit

• Chores
  • Added a new CLI configuration validator that inspects config keys for naming (lowerCamelCase) and nesting depth, offers a debug mode to list parsed keys, prints grouped violation summaries, and exits non‑zero on failures.
  • Integrated the validator into CI so detected violations produce a consolidated error annotation and fail the check to prevent regressions.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a Python CLI .github/scripts/check_reference_conf.py that parses reference.conf (via pyhocon), walks all dotted keys to enforce lowerCamelCase segments and a maximum key depth (with an allowlist), reports violations (with a consolidated GitHub Actions ::error), and wires the check into the checkstyle CI job.

Changes

Reference Configuration Validation

Layer / File(s)	Summary
Module docstring, imports and rules .github/scripts/check_reference_conf.py	Adds module header/usage, checks for pyhocon, and defines MAX_DEPTH, KEY_REGEX, and ALLOWLIST.
ConfigTree traversal (walk) .github/scripts/check_reference_conf.py	Adds walk(node, path, depth) to traverse ConfigTree and lists, treating arrays as synthetic [] depth steps and deduplicating homogeneous entries while yielding dotted paths and leaf/namespace metadata.
Main CLI parsing and debug output .github/scripts/check_reference_conf.py	Implements main(argv) argument parsing (including --debug), validates input path, parses the file via ConfigFactory.parse_file, and optionally prints walked key list with depth and leaf/namespace markers.
Validation, reporting, and CI annotations .github/scripts/check_reference_conf.py	Filters leaves, computes per-segment format violations (applying ALLOWLIST) and depth violations, prints grouped summaries, emits one consolidated GitHub Actions ::error annotation for offending entries or parse errors, and returns exit codes 0/1/2.
Success path, entrypoint, and CI integration .github/scripts/check_reference_conf.py, .github/workflows/pr-check.yml	Prints OK with total key count on success and returns 0; adds if __name__ == "__main__": sys.exit(main(sys.argv)); updates the checkstyle job to install Python 3.11, install pyhocon, and run the validator against common/src/main/resources/reference.conf before JDK setup.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through keys both deep and wide,
Checking camel segments with careful pride,
If nesting climbs beyond our cap, I cry—
A CI bell rings and the errors fly,
Back to the burrow to tidy each line.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'ci(config): enforce lowerCamelCase and max depth in reference.conf' directly and clearly summarizes the main change: adding CI validation to enforce lowerCamelCase naming and maximum depth constraints in the reference.conf configuration file.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/reference-conf-gate

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/check_reference_conf.py:
- Around line 108-117: The parser only pushes the key prefix into frames when
the delimiter is a literal '{', so cases like "foo = {", "foo: {", or "foo = [ {
... } ]" lose the "foo" prefix; update the branch in the block around ident
handling (the code that checks p2 < n and src[p2] in '=:{') to treat a following
'{' or '[' as a nested-value indicator regardless of whether the delimiter was
'=' or ':' and push the full_parts prefix onto frames; if src[p2] == '{' push
{"kind":"obj","prefix":full_parts}, if src[p2] == '[' push
{"kind":"arr","prefix":full_parts}, and set pos = p2 + 1 in both cases so nested
object/array keys retain the parent key prefix.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ac43e6ed-37ff-4ccc-b11a-352a56d2c404

📥 Commits

Reviewing files that changed from the base of the PR and between 381d369 and ef5dd53.

📒 Files selected for processing (2)

• .github/scripts/check_reference_conf.py
• .github/workflows/pr-check.yml

[cubic-dev-ai]

2 issues found across 2 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr-check.yml:
- Around line 106-113: Pin the GitHub action and the pyhocon install to
immutable versions: replace uses: actions/setup-python@v5 with the action
referenced by its full commit SHA (e.g., actions/setup-python@<commit-sha>) and
change the pip install step to install a specific pyhocon release (e.g., pip
install pyhocon==<version>), updating the workflow steps that currently
reference actions/setup-python@v5 and the pip install command so the action and
dependency are immutable and reproducible.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 423dc7fa-48b7-40eb-80e8-3482cc0ee539

📥 Commits

Reviewing files that changed from the base of the PR and between ef5dd53 and e7d540a.

📒 Files selected for processing (2)

• .github/scripts/check_reference_conf.py
• .github/workflows/pr-check.yml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/check_reference_conf.py:
- Line 54: The constant MAX_DEPTH is set one too high; change MAX_DEPTH from 6
to 5 to enforce the PR contract of <= 5 depth (update the variable MAX_DEPTH in
this script and any tests or references that assume the limit); ensure any
related comparisons or error messages referencing MAX_DEPTH still reflect the
new value.
- Around line 84-95: The walk function currently only increments and emits the
synthetic array step (array_path/array_depth) when list elements are ConfigTree,
so pure scalar lists never report the array step; modify the list branch in walk
(the variables node, array_path, array_depth, seen) to always emit the
array_path once for scalar elements: detect if the list contains any
non-ConfigTree scalars (or no ConfigTree yielded subpaths) and yield array_path
with array_depth and sub_leaf=True (or appropriate leaf flag) exactly once
before/if you skip into per-element traversal, and still keep the existing logic
for ConfigTree elements while using seen to avoid duplicate sub_path emissions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6b6d3ef0-c4ee-4a5f-b0ed-98edebc650b2

📥 Commits

Reviewing files that changed from the base of the PR and between e7d540a and 52d2e77.

📒 Files selected for processing (2)

• .github/scripts/check_reference_conf.py
• .github/workflows/pr-check.yml

[coderabbitai]

♻️ Duplicate comments (1)

.github/scripts/check_reference_conf.py (1)

55-60: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restore the agreed depth gate (MAX_DEPTH = 6).

This change tightens the validator from the agreed <= 6 contract to <= 5, which can fail CI for a single additional nesting level that was intentionally buffered.

Suggested fix

-# Set at the current max depth of reference.conf (5). No buffer: a mature
-# project should not allow silent drift, so any new key going deeper must
-# bump MAX_DEPTH via an explicit, reviewed change (deeper trees hurt
-# readability and complicate ConfigBeanFactory mapping).
-MAX_DEPTH = 5
+# Current observed max depth in reference.conf is 5; keep +1 buffer to avoid
+# CI flakiness on a single incremental nesting change. Any increase beyond 6
+# must be an explicit, reviewed decision.
+MAX_DEPTH = 6

Based on learnings: In .github/scripts/check_reference_conf.py, treat MAX_DEPTH = 6 as an intentional safety buffer (current deepest path is 5), and avoid changing that contract silently.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/check_reference_conf.py around lines 55 - 60, Restore the
agreed depth gate by changing the constant MAX_DEPTH from 5 back to 6 in the
module (the line defining MAX_DEPTH = 5). Update the adjacent comment if needed
to reflect that MAX_DEPTH is intentionally 6 as a safety buffer; leave KEY_REGEX
unchanged. Ensure any unit tests or usages that depend on MAX_DEPTH reference
this constant name so the validator allows up to 6 levels.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/scripts/check_reference_conf.py:
- Around line 55-60: Restore the agreed depth gate by changing the constant
MAX_DEPTH from 5 back to 6 in the module (the line defining MAX_DEPTH = 5).
Update the adjacent comment if needed to reflect that MAX_DEPTH is intentionally
6 as a safety buffer; leave KEY_REGEX unchanged. Ensure any unit tests or usages
that depend on MAX_DEPTH reference this constant name so the validator allows up
to 6 levels.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 78e58979-a8fb-439c-8c76-25ef78ff386f

📥 Commits

Reviewing files that changed from the base of the PR and between ef37233 and 2b2fa79.

📒 Files selected for processing (2)

• .github/scripts/check_reference_conf.py
• .github/workflows/pr-check.yml