config-service/README.md
团子 4c6271a21a init: config service — layered KV store with CF Worker + CLI
- CF Worker with shared/personal scope layering
- Python CLI client (cfg) with sync/get/set/list/delete
- Agent registration script
- Auth via bearer token, sha256 hash lookup
2026-04-20 13:02:11 +00:00

# Config Service
Layered KV config store with scope-based override. Built on Cloudflare Workers + KV.
## Concept
Like git config's `system → global → local` layering:
- **shared** — team-wide config (e.g. `CF_ACCOUNT_ID`, `AWS_REGION`)
- **personal** — per-agent overrides (e.g. `GITEA_TOKEN`, `GH_TOKEN`)
Read: personal wins over shared. Write: must specify scope.
## Auth
Each agent has a token. The service stores `sha256(token) → agent_id` mappings.
Agents can read/write their own personal scope and read (but not write) the shared scope.
Shared scope writes require an admin token.
## API
```
GET /config/:key → returns personal value, fallback to shared
GET /config?scope=shared → list all shared keys
GET /config?scope=personal → list all personal keys
PUT /config/:key → write to personal scope (default)
PUT /config/:key?scope=shared → write to shared scope (admin only)
DELETE /config/:key → delete from personal scope
DELETE /config/:key?scope=shared → delete from shared (admin only)
POST /config/sync → returns all resolved keys (personal over shared)
```
Auth header: `Authorization: Bearer <token>`
## Storage Layout (KV)
```
auth:<sha256(token)> → { "agent_id": "tuanzi", "role": "agent|admin" }
shared:<key> → { "value": "...", "updated_at": "..." }
personal:<agent_id>:<key> → { "value": "...", "updated_at": "..." }
```
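The token lookup, shared-scope write check and personal-over-shared resolution described above, modelled in Python as an added example (not the project's Worker or CLI code). A dict stands in for Workers KV; the function names, the `Forbidden` exception, the sample tokens and the rejection of `:` in agent ids are assumptions of this example.

```python
import hashlib
from datetime import datetime, timezone

class Forbidden(Exception): pass  # unknown token, or role may not write the scope

def token_key(token):
    # Only the hash is stored, so a dump of the KV namespace holds no usable tokens.
    return "auth:" + hashlib.sha256(token.encode()).hexdigest()

def authenticate(kv, token):
    ident = kv.get(token_key(token))
    # Assumption: ':' is rejected in agent ids so "personal:a:" never prefixes "personal:a:b:".
    if ident is None or ":" in ident["agent_id"]:
        raise Forbidden("unknown token")
    return ident

def storage_key(ident, key, scope):
    if scope not in ("shared", "personal"):
        raise ValueError(f"unknown scope: {scope}")
    return f"shared:{key}" if scope == "shared" else f"personal:{ident['agent_id']}:{key}"

def get(kv, token, key):
    ident = authenticate(kv, token)
    for scope in ("personal", "shared"):  # personal wins over shared
        entry = kv.get(storage_key(ident, key, scope))
        if entry is not None:
            return entry["value"]
    return None

def put(kv, token, key, value, scope="personal"):
    ident = authenticate(kv, token)
    if scope == "shared" and ident["role"] != "admin":
        raise Forbidden("shared scope writes require an admin token")
    stamp = datetime.now(timezone.utc).isoformat()
    kv[storage_key(ident, key, scope)] = {"value": value, "updated_at": stamp}

def sync(kv, token):
    ident = authenticate(kv, token)
    resolved = {}
    for prefix in ("shared:", f"personal:{ident['agent_id']}:"):  # later prefix wins
        for k, entry in kv.items():
            if k.startswith(prefix):
                resolved[k[len(prefix):]] = entry["value"]
    return resolved

# Constructed sample store: the tokens and region values are made up for this example.
KV = {token_key("agent-token"): {"agent_id": "tuanzi", "role": "agent"},
      token_key("admin-token"): {"agent_id": "ops", "role": "admin"}}
put(KV, "admin-token", "AWS_REGION", "us-east-1", scope="shared")
put(KV, "agent-token", "AWS_REGION", "eu-west-1")
```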
## CLI
```bash
cfg get <KEY> # read (personal > shared)
cfg set <KEY> <VALUE> # write to personal
cfg set --shared <KEY> <VALUE> # write to shared (admin)
cfg list # list all resolved
cfg list --scope shared # list shared only
cfg sync # sync all to local cache
cfg delete <KEY> # delete from personal
```