ENG-3015: Add event listener warning on ConnectionConfig.secrets #7736

Merged
JadeCara merged 1 commit into main from ENG-3015-secrets-event-listener-comment
Mar 24, 2026
@JadeCara
Contributor

Summary

  • Adds a comment on ConnectionConfig.secrets warning that fidesplus registers SQLAlchemy attribute events on this column for Jira credential auto-sync
  • Future developers should use ORM instance-level updates (not bulk/raw SQL) to ensure events fire

Context

Companion to fidesplus#3252 which adds cross-connection credential sync via SQLAlchemy attribute events. This comment is the cheapest, highest-leverage mitigation against silent sync breakage if someone later adds bulk or raw SQL updates to the secrets column.

Test plan

  • Comment-only change — no functional impact, no tests needed

🤖 Generated with Claude Code

fidesplus registers SQLAlchemy attribute events on this column for
Jira credential auto-sync. This comment warns future developers to
use ORM instance-level updates (not bulk/raw SQL) so events fire.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@JadeCara JadeCara requested a review from a team as a code owner March 23, 2026 22:39
@JadeCara JadeCara requested review from adamsachs and removed request for a team March 23, 2026 22:39
@vercel
Contributor

vercel bot commented Mar 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
fides-plus-nightly Ignored Ignored Mar 23, 2026 10:39pm
fides-privacy-center Ignored Ignored Mar 23, 2026 10:39pm

@greptile-apps
Contributor

greptile-apps bot commented Mar 23, 2026

Greptile Summary

This PR adds a 4-line developer-facing warning comment above the ConnectionConfig.secrets column definition, explaining that fidesplus registers SQLAlchemy attribute events on that column for cross-connection Jira credential sync and that future code should use ORM instance-level updates rather than bulk/raw SQL to ensure those events fire. There are no functional changes.

  • The comment is accurate, concise, and well-placed directly above the relevant column definition.
  • The cross-repo file reference (fidesplus/jira/jira_credential_sync.py) is useful but could become a stale pointer if the file is later moved or renamed in the fidesplus repo — a minor maintenance concern.
  • No test changes are needed as this is a documentation-only change.

Confidence Score: 5/5

  • Safe to merge — comment-only change with no functional impact.
  • No logic, behavior, or schema is modified. The change solely adds a helpful developer warning comment and carries zero risk of regression.
  • No files require special attention.

Important Files Changed

Filename | Overview
src/fides/api/models/connectionconfig.py | Adds a 4-line developer warning comment above the secrets column noting that fidesplus registers SQLAlchemy attribute events for Jira credential sync and that bulk/raw SQL updates should be avoided. No functional changes.

Reviews (1): Last reviewed commit: "Add event listener warning comment on Co..." | Re-trigger Greptile

@claude claude bot left a comment

Code Review — ENG-3015

This is a comment-only change (4 lines added, 0 deleted) so no functional or security concerns. The note is well-placed, accurate, and will help prevent a subtle cross-repo breakage.

Overall

The comment is clear and covers the essential points: what is listening, why bulk/raw SQL breaks it, and where to find the fidesplus implementation. Good defensive documentation.

Suggestions

Scope of the warning: The comment mentions Jira SaaS → jira_ticket as the current consumer, but if this event-listener pattern is (or becomes) used for other connection types in fidesplus, that parenthetical could become misleading. Worth considering whether "cross-connection credential sync" alone is sufficient without naming the specific integration — or phrasing it as "currently used for…" to signal it may grow.

MutableDict vs. raw SQL distinction: MutableDict.as_mutable(...) already handles in-place dict mutation tracking at the ORM layer, so the real risk this comment is guarding against is bypassing the ORM entirely (e.g., session.execute(update(...)) or Alembic data migrations). The comment correctly says "bulk/raw SQL updates", but calling out "Alembic data migrations" explicitly might make it even clearer for the developer most likely to trip over this.

Nice to Have

The fidesplus path (fidesplus/jira/jira_credential_sync.py) won't be navigable from this repo. Adding a one-line note that the referenced file lives in the fidesplus repo (not this one) would save a future developer a few minutes of searching.

Summary

No issues that block merge. The comment is the right mitigation for protecting a non-obvious cross-repo invariant. The suggestions above are optional polish.
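
The distinction this thread turns on, shown as an added example that is not code from fides or fidesplus: a SQLAlchemy attribute "set" listener fires on an ORM instance-level assignment but not on `session.execute(update(...))`. The model is a constructed stand-in (plain JSON column, made-up key and secret values), the listener is a hypothetical placeholder for the fidesplus sync hook, and SQLAlchemy 1.4+ with in-memory SQLite is assumed.

```python
from sqlalchemy import JSON, Column, Integer, String, create_engine, event, update
from sqlalchemy.ext.mutable import MutableDict
from sqlalchemy.orm import Session, declarative_base

Base = declarative_base()
FIRED = []  # values observed by the listener below


class ConnectionConfig(Base):
    """Constructed stand-in for the real model; not the fides definition."""
    __tablename__ = "connectionconfig"
    id = Column(Integer, primary_key=True)
    key = Column(String, unique=True)
    secrets = Column(MutableDict.as_mutable(JSON))


# Hypothetical listener standing in for the credential-sync hook.
@event.listens_for(ConnectionConfig.secrets, "set")
def on_secrets_set(target, value, oldvalue, initiator):
    FIRED.append(dict(value))


def run_demo():
    """Return (events on ORM assignment, events on bulk UPDATE, stored value)."""
    engine = create_engine("sqlite://")
    Base.metadata.create_all(engine)
    with Session(engine) as session:
        cfg = ConnectionConfig(key="jira_saas", secrets={"api_key": "v1"})
        session.add(cfg)
        session.commit()
        FIRED.clear()  # ignore the "set" fired by the constructor

        # ORM instance-level update: the attribute event fires.
        cfg.secrets = {"api_key": "v2"}
        session.commit()
        orm_events = len(FIRED)

        # Bulk UPDATE through the session: the row changes, no event fires.
        session.execute(
            update(ConnectionConfig)
            .where(ConnectionConfig.key == "jira_saas")
            .values(secrets={"api_key": "v3"})
            .execution_options(synchronize_session=False)
        )
        session.commit()
        bulk_events = len(FIRED) - orm_events
        stored = dict(cfg.secrets)  # expired by commit, reloaded from the row
    return orm_events, bulk_events, stored
```

The same count of zero applies to any write that never touches a mapped instance, which is why a listener-based sync silently misses those updates.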

Contributor

@adamsachs adamsachs left a comment

thank you for this!

@JadeCara JadeCara added this pull request to the merge queue Mar 24, 2026
Merged via the queue into main with commit dd4a903 Mar 24, 2026
57 of 58 checks passed
@JadeCara JadeCara deleted the ENG-3015-secrets-event-listener-comment branch March 24, 2026 00:12