fix: split github contracts from script check
This commit is contained in:
@@ -54,6 +54,19 @@ function assertSecretFree(output: string): void {
|
||||
}
|
||||
}
|
||||
|
||||
function assertLegacyFrozenWrite(result: { status: number | null; stdout: string; stderr: string; json: JsonRecord | null }, command: string): void {
|
||||
assertCondition(result.status !== 0 && result.json?.ok === false, `${command} should be frozen`, result.json ?? { stdout: result.stdout, stderr: result.stderr });
|
||||
const data = nestedRecord(result.json?.data, []);
|
||||
assertCondition(data.ok === false, `${command} frozen payload should be ok=false`, data);
|
||||
assertCondition(data.frozen === true, `${command} frozen payload should expose frozen=true`, data);
|
||||
assertCondition(data.mutation === false, `${command} frozen payload should be non-mutating`, data);
|
||||
assertCondition(data.degradedReason === "legacy-code-queue-frozen", `${command} should use the legacy frozen reason`, data);
|
||||
const replacement = nestedRecord(data, ["replacement"]);
|
||||
assertCondition(String(replacement.queueSubmit || "").includes("agentrun v01 queue submit"), `${command} should point to AgentRun queue submit`, replacement);
|
||||
const legacy = nestedRecord(data, ["legacy"]);
|
||||
assertCondition(legacy.noDoubleWrite === true, `${command} should document no double-write`, legacy);
|
||||
}
|
||||
|
||||
export function runCodeQueueSubmitExecutionModeContract(): JsonRecord {
|
||||
assertCondition(normalizeRequestedCodeExecutionMode("full-access") === "full-access", "shared parser should preserve short requested mode ids");
|
||||
assertCondition(normalizeCodeExecutionMode("full-access") === "default", "shared execution-mode normalizer should keep full-access on effective default");
|
||||
@@ -61,33 +74,12 @@ export function runCodeQueueSubmitExecutionModeContract(): JsonRecord {
|
||||
assertCondition(requestedCodeExecutionModeIsRecognized("default") === true, "shared recognition helper should accept default mode");
|
||||
|
||||
const defaultMode = runCli(["codex", "submit", "execution mode default smoke", "--dry-run"]);
|
||||
assertCondition(defaultMode.status === 0 && defaultMode.json?.ok === true, "default submit dry-run should succeed", defaultMode.json ?? { stdout: defaultMode.stdout, stderr: defaultMode.stderr });
|
||||
assertLegacyFrozenWrite(defaultMode, "codex submit");
|
||||
assertSecretFree(defaultMode.stdout);
|
||||
const defaultData = nestedRecord(defaultMode.json?.data, []);
|
||||
const defaultRequest = nestedRecord(defaultData, ["request"]);
|
||||
const defaultExecutionMode = nestedRecord(defaultData, ["executionMode"]);
|
||||
const defaultPermissions = nestedRecord(defaultData, ["runnerPermissions"]);
|
||||
assertCondition(defaultRequest.executionMode === undefined, "default payload should omit executionMode so service default is authoritative", defaultRequest);
|
||||
assertCondition(defaultExecutionMode.requested === null, "default mode should show no explicit requested mode", defaultExecutionMode);
|
||||
assertCondition(defaultExecutionMode.effective === "default", "default mode should expose effective default", defaultExecutionMode);
|
||||
assertCondition(defaultExecutionMode.normalized === false, "default mode should not be reported as normalized", defaultExecutionMode);
|
||||
assertCondition(defaultExecutionMode.recognized === true, "default mode should be recognized", defaultExecutionMode);
|
||||
assertCondition(defaultPermissions.observed === false && defaultPermissions.perTaskOverrideSupported === false, "dry-run should mark runner permissions unobserved and non per-task", defaultPermissions);
|
||||
|
||||
const fullAccess = runCli(["codex", "submit", "execution mode full access smoke", "--execution-mode", "full-access", "--dry-run"]);
|
||||
assertCondition(fullAccess.status === 0 && fullAccess.json?.ok === true, "full-access submit dry-run should succeed", fullAccess.json ?? { stdout: fullAccess.stdout, stderr: fullAccess.stderr });
|
||||
assertLegacyFrozenWrite(fullAccess, "codex submit");
|
||||
assertSecretFree(fullAccess.stdout);
|
||||
const fullData = nestedRecord(fullAccess.json?.data, []);
|
||||
const fullRequest = nestedRecord(fullData, ["request"]);
|
||||
const fullExecutionMode = nestedRecord(fullData, ["executionMode"]);
|
||||
assertCondition(fullRequest.executionMode === "full-access", "payload should preserve the requested executionMode value for backend visibility", fullRequest);
|
||||
assertCondition(fullExecutionMode.requested === "full-access", "full-access request should be visible", fullExecutionMode);
|
||||
assertCondition(fullExecutionMode.effective === "default", "full-access should normalize to the effective default runtime mode", fullExecutionMode);
|
||||
assertCondition(fullExecutionMode.recognized === false, "full-access should not be treated as a recognized Code Queue execution mode", fullExecutionMode);
|
||||
assertCondition(fullExecutionMode.normalized === true, "full-access should explicitly show normalization", fullExecutionMode);
|
||||
assertCondition(fullExecutionMode.requestedLooksLikeSandbox === true, "full-access should be classified as a sandbox-like request", fullExecutionMode);
|
||||
assertCondition(String(fullExecutionMode.permissionBoundary || "").includes("runnerPermissions.sandbox"), "permission boundary should point at runnerPermissions.sandbox", fullExecutionMode);
|
||||
assertCondition(String(fullExecutionMode.warning || "").includes("not applied"), "full-access warning should say it is not a per-task sandbox override", fullExecutionMode);
|
||||
|
||||
const promptText = "submitted full-access prompt body must stay omitted";
|
||||
const submitted = compactSubmitSuccessResponseForTest({
|
||||
@@ -138,11 +130,11 @@ export function runCodeQueueSubmitExecutionModeContract(): JsonRecord {
|
||||
return {
|
||||
ok: true,
|
||||
checks: [
|
||||
"default codex submit dry-run omits executionMode, reports effective default, and marks runner permissions unobserved",
|
||||
"--execution-mode full-access preserves requested mode, reports effective default, and warns that sandbox permissions are service-level",
|
||||
"legacy codex submit dry-run is frozen and points to AgentRun",
|
||||
"legacy --execution-mode full-access submit dry-run is frozen without printing credentials",
|
||||
"real submit summary fixture exposes requested/effective mode plus observed runnerPermissions without prompt echo",
|
||||
"shared execution-mode helpers preserve requested full-access while normalizing effective runtime to default",
|
||||
"execution-mode dry-run output does not print credential assignments",
|
||||
"execution-mode frozen output does not print credential assignments",
|
||||
],
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user