feat: add HWLAB dev CD CLI wrapper

This commit is contained in:
Codex
2026-05-23 13:38:24 +00:00
parent 663f55980b
commit 59776aa5d2
7 changed files with 1068 additions and 1 deletions
+2 -1
View File
@@ -65,6 +65,7 @@ UniDesk 是一个以主 server 为统一入口的分布式工作平台;本文
- `bun scripts/cli.ts auth-broker contract|health --dry-run|credential-request --dry-run|pr-preflight --dry-run`:查看 Auth Broker P0 Rust skeleton 与 CLI adapter contractrunner 无 `GH_TOKEN`/`GITHUB_TOKEN` 时返回结构化 `auth-missing`/`broker-needed`,不读取或打印 token 值,规则见 `docs/reference/auth-broker.md`
- `bun scripts/cli.ts gh preflight|auth status|issue ...|pr list|files|diff --stat|read|view|preflight|closeout|create|edit|update|comment` / `bun scripts/code-queue-pr-preflight-example.ts`:通过 REST 执行安全 GitHub issue 读写、脱敏 auth/status 诊断、body-file Markdown 写入、当日滚动简报时间线 ClaudeQQ 通知、escape 扫描、只读 cleanup-plan 和 #20 board-audit、PR changed-file/stat summary、PR 创建/评论 dry-run、REST-only 低噪声 PR title/body 编辑、PR 收口元数据观察(含 merged/closed 区分与 merge commit)、低噪声 PR 收口 preflight 与 runner PR preflight`gh issue/pr read|view` 支持 `owner/repo#number` shorthand`--raw|--full` 是显式完整披露别名,`gh pr diff` 仅支持 `--stat` 紧凑 JSON`gh pr merge` 当前仍结构化拒绝但普通 PR 可按任务边界用 repo-owned GitHub 路径收口,规则见 `docs/reference/cli.md``docs/reference/code-queue-supervision.md`
- `bun scripts/cli.ts commander contract|plan --dry-run|smoke --dry-run|approval request --dry-run|prompt-lint --kind gpt55-pr`:查看 host Codex 指挥官直管微服务 skeleton 的 source/contract、无 daemon smoke 验证计划、.state/commander/ 状态模型、trace summary 聚合、ClaudeQQ 高风险请示草案和 GPT-5.5 PR prompt 边界辅助 lint;当前只返回 dry-run 计划和 backend-core `microservice proxy claudeqq` 授权后候选命令,不接 live bridge、不接管人工指挥官,不发送消息,`prompt-lint` 不作为业务 PR 门禁也不改变 `codex submit` 默认行为,规则见 `docs/reference/host-codex-commander.md`
- `bun scripts/cli.ts hwlab cd status --env dev` / `bun scripts/cli.ts hwlab cd apply --env dev --dry-run`HWLAB DEV CD 指挥侧 wrapper,调用 HWLAB repo-owned 发布脚本并强制 D601 原生 k3s kubeconfig;真实 apply 只暴露 host-commander-only 命令形状,规则见 `docs/reference/hwlab.md`
- `bun scripts/cli.ts ci install/status/run/publish-backend-core/publish-user-service/run-dev-e2e/logs`:在 D601 原生 k3s 上安装和运行 Tekton CI,支持每 commit 检查、Code Queue 只读性能门禁、`CI.json` catalog 驱动的 backend-core 与 user-service commit-pinned 镜像发布和手动触发的 `origin/master:deploy.json#environments.dev` 临时 namespace e2ecatalog/producer/consumer 分工见 `docs/reference/cicd-standardization.md``run-dev-e2e` 的 Git 控制 runner、短 launcher 和 no-CD 边界见 `docs/reference/dev-ci-runner.md`Tekton 规则见 `docs/reference/ci.md`
- `bun scripts/cli.ts codex deploy <commitId>`:旧 Code Queue 兼容部署入口已禁用,原因是它会绕过受控部署边界直连 D601 部署 Code Queue;规则见 `docs/reference/codex-deploy.md`
- `bun scripts/cli.ts codex prompt-lint [prompt|--prompt-file path|--prompt-stdin]` / `codex submit [prompt] [--prompt-file path|--prompt-stdin] [--queue <id>]` / `codex pr-preflight [--remote]``prompt-lint` 在派发/steer 前 dry-run 检查 runner prompt 的 DEV 测试授权分级(`read-only`/`live-read`/`live-mutating`)且不回显 prompt`submit --dry-run` 同时给出 MiniMax/GPT/人工路由建议、该 lint 结果和 requested/effective execution mode;真实提交成功只返回写入确认、task id、服务级 runnerPermissions 和后续查看命令,不回显 prompt;`pr-preflight` 只读检查 D601 scheduler/runner 的 GitHub token、egress 和 PR 能力,PR 型派单前必须使用,规则见 `docs/reference/cli.md``docs/reference/code-queue-supervision.md`
@@ -98,7 +99,7 @@ UniDesk 是一个以主 server 为统一入口的分布式工作平台;本文
- `docs/reference/staff-reference.md`:幕僚长期参考、决策过程和用户偏好摘要;与 `strategy-governance``code-queue-supervision` 配套。
- `docs/reference/secretary-reference.md`:秘书日程管理、时间盒、短期待办捕获和 Todo Note / Decision Center 分流规则。
- `docs/reference/code-queue-supervision.md`:Code Queue 居中调度、并发队列拆分、运行中监控、基础设施缺陷分流和验收收口规则。
- `docs/reference/hwlab.md`HWLAB 指挥侧固定 workspace、D601 原生 k3s 口径、16666/16667 DEV 入口和已验证手动发布路径
- `docs/reference/hwlab.md`HWLAB 指挥侧固定 workspace、D601 原生 k3s 口径、16666/16667 DEV 入口、DEV CD wrapper 和受控发布边界
- `docs/reference/observability.md`:服务日志、任务活性、通用性能指标 API 和性能面板的可观测性规则。
- `docs/reference/microservices.md`:用户服务(兼容命名 `microservice`)的配置、代理、安全边界、unidesk-direct/k3sctl-managed 部署模式、Todo Note/Baidu Netdisk on main-server、k3s Control/Code Queue/MDTODO/Decision Center/FindJob/Pipeline/MET Nonlinear on D601 和验证规则。
- `docs/reference/windows-passthrough.md`WSL provider 通过 SSH 透传调用 Windows cmd/PowerShell、Keil、COM 串口和 Windows 侧 skill 的长期规则。
+1
View File
@@ -31,6 +31,7 @@ CLI 可以从 `master` 快速演进,但必须兼容 `deploy.json` 固定的 CI
- `dev-env prewarm-images [--image image] [--provider-id D601] [--no-pull] [--proxy-url URL] [--pull-timeout-ms N] [--dry-run]` 创建异步 job,通过 UniDesk SSH 维护桥在 D601 上把开发底座依赖镜像从 Docker 缓存导入原生 k3s containerd。默认镜像是 `postgres:16-alpine``rancher/mirrored-library-busybox:1.36.1`,用于避免 `postgres-dev` 与 local-path helper pod 卡在外部 registry 拉取。该命令固定验证 `/etc/rancher/k3s/k3s.yaml` 指向的 native k3s 上下文,并输出 `dev_env_containerd_image_ready=...` 作为成功判据;它不 apply manifest、不修改生产 `unidesk` namespace。
- `artifact-registry plan|render|status|health|install|deploy-backend-core|deploy-service` 管理 D601 host-managed CNCF Distribution registry 的声明、安装、只读检查和 pull-only artifact CD。该 registry 固定为 D601 loopback `127.0.0.1:5000`,由 systemd + Docker Compose 管理,位于 native k3s 故障域外;`deploy-service` 只拉取 CI 已发布的 commit-pinned 镜像、retag/recreate 或导入 native k3s,并做 live commit 验证,不构建 runtime source。`deploy-backend-core` 是 deprecated 兼容名,标准 backend-core prod CD 入口是 `deploy apply --env prod --service backend-core`。长期规则见 `docs/reference/artifact-registry.md`
- `commander contract|plan --dry-run|smoke --dry-run|approval request --dry-run|prompt-lint --kind gpt55-pr` 是 host Codex 指挥官直管微服务 skeleton 入口。当前命令返回 `phase=source-contract`、service/API/state/bridge/prompt/trace/#20/#46/ClaudeQQ 审批边界、.state/commander/ 状态模型、dev 无 daemon smoke contract、dry-run 计划和 GPT-5.5 PR prompt 边界辅助 lint,不接 live bridge、不注入 prompt、不发送 ClaudeQQ。`approval request --dry-run` 会生成 200 字以内中文纯文本 ClaudeQQ 审批草案、`notification-path-unavailable` blocker 和授权后唯一可用的 `bun scripts/cli.ts microservice proxy claudeqq /api/push/text --method POST --body-json '<payload>' --raw` 命令;不得提示使用本机 ClaudeQQ skill、powershell 或本地 server。`prompt-lint` 支持 `--prompt-file``--stdin`,输出 `ok``missingClauses``riskLevel``suggestedPatchSnippet` 且不回显完整 prompt;它是 commander 辅助检查,不是业务 PR 门禁,也不改变 `codex submit` 默认行为。`plan``smoke``approval request` 必须带 `--dry-run`;缺少时返回 `error=dry-run-required`。长期规则见 `docs/reference/host-codex-commander.md`
- `hwlab cd status --env dev``hwlab cd apply --env dev --dry-run` 是 HWLAB DEV CD 指挥侧 wrapper。它只调用 HWLAB repo-owned 受控入口,不内嵌发布 kubectl 逻辑:`status` 汇总 HWLAB repo path、Git clean/main/origin-main、`deploy/deploy.json`/artifact catalog/workloads 一致性、D601 native k3s guard、CD Lease lock、16666/16667 live revision;完整 stdout/stderr 写入 `.state/hwlab-cd/<run-id>/`stdout 只返回有界摘要。wrapper 强制 `KUBECONFIG=/etc/rancher/k3s/k3s.yaml`,任何 `docker-desktop``desktop-control-plane``127.0.0.1:11700` 信号都会结构化拒绝。`apply --dry-run` 调用 HWLAB `scripts/dev-deploy-apply.mjs --dry-run --expect-blocked --kubeconfig /etc/rancher/k3s/k3s.yaml`;真实 apply 只暴露 `scripts/dev-cd-apply.mjs --apply --confirm-dev --confirmed-non-production --write-report` 命令形状并标注 host-commander-only,本 runner 不执行 live apply。长期规则见 `docs/reference/hwlab.md`
- `gh auth status [--repo owner/name]` 探测 GitHub 操作前置条件并输出脱敏 JSON:是否存在 `gh` binary、是否存在 `GH_TOKEN`/`GITHUB_TOKEN` 或可用 `gh auth token` fallback、REST API 是否可达、目标 repo 是否可见、issue 是否可读。degraded reason 必须归类为 `missing-binary``missing-token``auth-failed``github-transient``network-proxy-failed``permission-denied``repo-not-found``repo-forbidden``issue-not-found``pr-not-found``scope-insufficient``validation-failed``invalid-response``unsupported-command`,不得打印 token;失败对象必须包含 `runnerDisposition=infra-blocked|business-failed`runner 应优先用该字段分流。`github-transient` 表示 GitHub DNS/API 连接在收到 HTTP 状态前失败,输出应带 `retryable=true` 或等价 commander action;这不是缺 token、认证失败、权限不足或 PR 语义失败。
- `codex prompt-lint [prompt|--prompt-file path|--prompt-stdin]` 是派发/steer 前的本地 dry-run prompt lint。它只读取 prompt 文本,返回 `dryRun=true``mutation=false``declaredClass``effectiveClass``requiredClass``dispatchDisposition`、缺失或矛盾项和有界 evidence,不访问 live service、不提交任务、不打印完整 prompt。分级固定为 `read-only``live-read``live-mutating`;未声明时按 `read-only` 处理。`codex submit --dry-run``codex steer --dry-run` 会嵌入同一 `promptLint` 结果,帮助指挥官在 dispatch/steer 前发现缺失或矛盾的 live mutation 授权。长期规则见 `docs/reference/code-queue-supervision.md` 的 DEV 测试授权分级。
- `gh issue list [--state open|closed|all] [--limit N] [--repo owner/name] [--json number,title,state,url,updatedAt,createdAt,author,labels]` 通过 GitHub REST 列出 issue,默认 `state=open``limit=30`,输出稳定 JSON 且不依赖系统 `gh` binary。`--limit` 会映射到 GitHub `per_page` 并限制返回数量,避免一次拉爆上下文;未知 state 或未知 `--json` 字段必须结构化失败并带 `runnerDisposition=business-failed`。GitHub issues API 可能混入 PRCLI 会从 `.data.issues` 中过滤 pull request。
+24
View File
@@ -40,6 +40,30 @@ KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl -n hwlab-dev get deploy,svc,pod -o
`frpc` 配置不是 D601 host `/etc/frp/frpc.toml`,而是 `hwlab-dev` namespace 里的 `hwlab-frpc-config` ConfigMap 和 `hwlab-frpc` Deployment。master 侧 `frps` 配置由 `hwlab-frps-dev` 容器挂载 `/opt/hwlab-frp/frps.dev.toml`
## UniDesk HWLAB DEV CD Wrapper
UniDesk 指挥侧固定入口:
```sh
bun scripts/cli.ts hwlab cd status --env dev
bun scripts/cli.ts hwlab cd apply --env dev --dry-run
```
wrapper 的职责是把 host commander 常用的 HWLAB DEV rollout 查看/准备动作收敛到单一入口。它只调用 HWLAB repo-owned 受控脚本,不在 UniDesk 内重写发布流程或拼接 ad hoc `kubectl apply`
- `status` 只读汇总 HWLAB repo path、Git clean/main/origin-main、`deploy/deploy.json`/`deploy/artifact-catalog.dev.json`/`deploy/k8s/base/workloads.yaml` 一致性、D601 native k3s guard、`Lease/hwlab-dev/hwlab-dev-cd-lock`、公网 `16666/16667` live revision。
- `apply --dry-run` 调用 HWLAB `scripts/dev-deploy-apply.mjs --dry-run --expect-blocked --kubeconfig /etc/rancher/k3s/k3s.yaml`,只生成准备/阻塞摘要,不做真实 apply、rollout 或 live verification。
- 完整下游 stdout/stderr、HTTP body 和 kubectl 读命令输出写入 UniDesk `.state/hwlab-cd/<run-id>/` dump 目录;CLI stdout 只显示有界摘要和 dump path。
- wrapper 显式注入 `KUBECONFIG=/etc/rancher/k3s/k3s.yaml`。若 `kubectl config current-context`、server 或 node 摘要出现 `docker-desktop``desktop-control-plane``127.0.0.1:11700`,命令必须拒绝继续。
真实 DEV apply 只允许 host commander 在明确授权后执行。UniDesk wrapper 可以展示受控命令形状:
```sh
node scripts/dev-cd-apply.mjs --apply --confirm-dev --confirmed-non-production --write-report --kubeconfig /etc/rancher/k3s/k3s.yaml
```
本 Code Queue runner 没有 `ROLLOUT_OK` 时不得执行真实 apply、rollout、CD lock 竞争或 live health 复验。
## HWLAB 热修边界
当 HWLAB DEV runtime 的 Secret、环境变量、rollout、DNS、egress 或 provider 权限缺口阻塞业务闭环,并且 Code Queue runner 无法安全完成对应运行态操作时,UniDesk 指挥官只能承担指挥入口、授权确认、监督验收和误判边界收敛。UniDesk reference 可以记录“哪些状态不能被误判”和“哪些动作必须上收”,但不能成为 HWLAB runtime truth。
+9
View File
@@ -23,6 +23,7 @@ import { runGhCommand } from "./src/gh";
import { runCommanderCommand } from "./src/commander";
import { isHelpToken, rootHelp, serverHelp, sshHelp, staticNamespaceHelp } from "./src/help";
import { runServerCleanupCommand } from "./src/server-cleanup";
import { runHwlabCdCommand } from "./src/hwlab-cd";
const remoteOptions = extractRemoteCliOptions(process.argv.slice(2));
const args = remoteOptions.args;
@@ -267,6 +268,14 @@ async function main(): Promise<void> {
return;
}
if (top === "hwlab") {
const result = await runHwlabCdCommand(args.slice(1));
const ok = (result as { ok?: unknown }).ok !== false;
emitJson(commandName, result, ok);
if (!ok) process.exitCode = 1;
return;
}
const config = readConfig();
const autoRemoteCiPublishPlan = autoRemoteCiPublishUserServiceDryRunPlan(config, args);
if (autoRemoteCiPublishPlan.enabled && autoRemoteCiPublishPlan.host !== null) {
+158
View File
@@ -0,0 +1,158 @@
import { spawnSync } from "node:child_process";
import { mkdirSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";
import assert from "node:assert/strict";
type JsonRecord = Record<string, unknown>;
function runCli(args: string[], env: NodeJS.ProcessEnv = {}): JsonRecord {
const result = spawnSync("bun", ["scripts/cli.ts", ...args], {
cwd: process.cwd(),
env: { ...process.env, ...env },
encoding: "utf8",
timeout: 20_000,
});
assert.equal(result.stderr, "", `stderr should be empty: ${result.stderr}`);
assert.notEqual(result.stdout.trim(), "", "CLI must not produce empty output");
const parsed = JSON.parse(result.stdout) as JsonRecord;
if (result.status !== 0) {
assert.equal(parsed.ok, false, `nonzero CLI should return ok=false: ${result.stdout}`);
}
return parsed;
}
function makeFakeHwlabRepo(): string {
const root = join(tmpdir(), `unidesk-hwlab-cd-wrapper-${process.pid}-${Date.now()}`);
mkdirSync(join(root, "scripts"), { recursive: true });
writeFileSync(join(root, "scripts/dev-cd-apply.mjs"), "process.stdout.write(JSON.stringify({ok:true}))\n");
writeFileSync(join(root, "scripts/dev-deploy-apply.mjs"), [
"const dryRun = process.argv.includes('--dry-run');",
"const kubeconfigIndex = process.argv.indexOf('--kubeconfig');",
"process.stdout.write(JSON.stringify({",
" reportVersion: 'v1',",
" status: dryRun ? 'pass' : 'blocked',",
" commitId: 'abc1234',",
" namespace: 'hwlab-dev',",
" endpoint: 'http://74.48.78.17:16667',",
" blockers: [],",
" devDeployApply: {",
" conclusion: { status: 'ready', blockerCount: 0 },",
" artifactPlan: { expectedArtifactCommit: 'abc1234', deployCommitId: 'abc1234', catalogCommitId: 'abc1234', published: true, registryVerified: true, imageCount: 13, requiredServiceCount: 13, unpublishedServices: [] },",
" applyBoundary: { currentMode: 'dry-run', defaultNoWrite: true, mutationAttempted: false, mutationAllowed: false, kubeconfigSource: 'flag:--kubeconfig', writeScope: 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl apply -k deploy/k8s/dev', noWriteScope: 'server-side dry-run only', forbiddenActions: ['prod-deploy'] },",
" applyStep: { status: 'pass', command: 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl apply --dry-run=server -k deploy/k8s/dev', mutationAttempted: false },",
" manualCommands: { status: 'ready' }",
" },",
" kubeconfig: kubeconfigIndex >= 0 ? process.argv[kubeconfigIndex + 1] : null",
"}, null, 2));",
].join("\n"));
writeFileSync(join(root, "scripts/deploy-desired-state-plan.mjs"), [
"process.stdout.write(JSON.stringify({",
" kind: 'hwlab-deploy-desired-state-plan',",
" status: 'pass',",
" summary: { desiredCommitId: 'abc1234', desiredImageTag: 'abc1234', artifactState: 'published', ciPublished: true, registryVerified: true, services: 13, workloadContainers: 13, diagnostics: 0, blockers: 0, targetConvergence: 'not_requested' }",
"}, null, 2));",
].join("\n"));
return root;
}
function makeFakeBin(mode: "native" | "desktop"): string {
const bin = join(tmpdir(), `unidesk-hwlab-cd-bin-${process.pid}-${Date.now()}-${mode}`);
mkdirSync(bin, { recursive: true });
const context = mode === "desktop" ? "docker-desktop" : "default";
const server = mode === "desktop" ? "https://127.0.0.1:11700" : "https://127.0.0.1:6443";
const nodes = mode === "desktop" ? "desktop-control-plane" : "d601";
writeFileSync(join(bin, "kubectl"), [
"#!/usr/bin/env bash",
"set -euo pipefail",
"printf 'KUBECONFIG=%s\\n' \"${KUBECONFIG:-}\" >&2",
"if [[ \"$*\" == 'config current-context' ]]; then printf '%s\\n' " + JSON.stringify(context) + "; exit 0; fi",
"if [[ \"$*\" == 'config view --minify -o jsonpath={.clusters[0].cluster.server}' ]]; then printf '%s' " + JSON.stringify(server) + "; exit 0; fi",
"if [[ \"$*\" == 'get nodes -o jsonpath={range .items[*]}{.metadata.name}{\"\\n\"}{end}' ]]; then printf '%s\\n' " + JSON.stringify(nodes) + "; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev get lease hwlab-dev-cd-lock -o json' ]]; then printf 'Error from server (NotFound): leases.coordination.k8s.io \"hwlab-dev-cd-lock\" not found\\n' >&2; exit 1; fi",
"printf '{}\\n'",
].join("\n"));
spawnSync("chmod", ["+x", join(bin, "kubectl")]);
return bin;
}
const fakeRepo = makeFakeHwlabRepo();
const nativeBin = makeFakeBin("native");
const desktopBin = makeFakeBin("desktop");
const liveBody = "data:application/json,%7B%22serviceId%22%3A%22hwlab-cloud-web%22%2C%22environment%22%3A%22dev%22%2C%22status%22%3A%22ok%22%2C%22revision%22%3A%22abc1234%22%7D";
const apiBody = "data:application/json,%7B%22serviceId%22%3A%22hwlab-cloud-api%22%2C%22environment%22%3A%22dev%22%2C%22status%22%3A%22ok%22%2C%22revision%22%3A%22abc1234%22%7D";
const help = runCli(["hwlab", "help"]);
assert.equal(help.ok, true);
assert.equal((help.data as JsonRecord).command, "hwlab cd");
const applyDryRun = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
});
assert.equal(applyDryRun.ok, true);
const dryRunData = applyDryRun.data as JsonRecord;
assert.equal(dryRunData.dryRun, true);
assert.equal(dryRunData.mutation, false);
assert.equal(((dryRunData.d601NativeK3sGuard as JsonRecord).injectedEnv as JsonRecord).KUBECONFIG, "/etc/rancher/k3s/k3s.yaml");
assert.equal((dryRunData.controlledDryRun as JsonRecord).commandOk, true);
assert.equal(((dryRunData.hostCommanderOnlyLiveApply as JsonRecord).commandShape as unknown[]).includes("scripts/dev-cd-apply.mjs"), true);
const realApply = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
});
assert.equal(realApply.ok, false);
assert.equal((realApply.data as JsonRecord).error, "host-commander-only-real-apply");
const status = runCli([
"hwlab",
"cd",
"status",
"--env",
"dev",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
UNIDESK_HWLAB_CD_TEST_FRONTEND_LIVE_URL: liveBody,
UNIDESK_HWLAB_CD_TEST_API_LIVE_URL: apiBody,
});
assert.equal(status.ok, true);
const statusData = status.data as JsonRecord;
assert.equal(((statusData.d601NativeK3sGuard as JsonRecord).injectedEnv as JsonRecord).KUBECONFIG, "/etc/rancher/k3s/k3s.yaml");
assert.equal((statusData.liveRevisions as JsonRecord).status, "observed");
assert.ok(typeof statusData.dumpDir === "string" && String(statusData.dumpDir).includes(".state/hwlab-cd"));
const desktopRefusal = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${desktopBin}:${process.env.PATH ?? ""}`,
});
assert.equal(desktopRefusal.ok, false);
assert.equal((desktopRefusal.data as JsonRecord).error, "native-k3s-guard-refused");
assert.deepEqual((desktopRefusal.data as JsonRecord).d601NativeK3sGuard && ((desktopRefusal.data as JsonRecord).d601NativeK3sGuard as JsonRecord).refusalSignals, ["docker-desktop", "desktop-control-plane", "127.0.0.1:11700"]);
console.log(JSON.stringify({ ok: true, checked: "hwlab-cd-wrapper-contract" }));
+3
View File
@@ -1,5 +1,6 @@
import { ghHelp } from "./gh";
import { authBrokerHelp } from "./auth-broker";
import { hwlabHelp } from "./hwlab-cd";
export function rootHelp(): unknown {
return {
@@ -48,6 +49,7 @@ export function rootHelp(): unknown {
{ command: "auth-broker contract|health --dry-run|credential-request --dry-run|pr-preflight --dry-run", description: "Inspect the P0 Rust auth broker and CLI adapter contract without reading token values, writing GitHub, or starting services." },
{ command: "gh preflight|auth|issue|pr", description: "Run safe GitHub issue and PR CRUD/lifecycle operations through REST with body-file update replace/append, comment delete, token diagnostics, PR closeout preflight, hard delete unsupported, and merge blocked." },
{ command: "commander contract|plan --dry-run|smoke --dry-run|approval request --dry-run|prompt-lint --kind gpt55-pr", description: "Host Codex commander skeleton contract, no-daemon smoke plan, dry-run approval preview, and advisory GPT-5.5 PR prompt boundary lint without live bridges, message sends, or submit gating." },
{ command: "hwlab cd status --env dev | hwlab cd apply --env dev --dry-run", description: "Bounded HWLAB DEV CD wrapper that calls HWLAB repo-owned scripts, forces D601 native k3s kubeconfig, refuses Docker Desktop control-plane signals, and writes full stdout/stderr dumps." },
{ command: "code-agent-sandbox", description: "Independent Code Agent Sandbox service skeleton for adapter, mode, and credential-boundary diagnostics." },
{ command: "schedule list|get|runs|run|retry-run|delete", description: "Manage backend-core scheduled tasks and run history; schedule run <id> supports --wait-ms N and retry-run reuses the failed run's schedule." },
{ command: "schedule upsert-pgdata-backup [--time HH:MM] [--remote-base /SERVER_DATA/UNIDESK_PG_DATA]", description: "Create or update the daily PGDATA physical backup task that uploads monthly rotated archives to Baidu Netdisk." },
@@ -483,5 +485,6 @@ export function staticNamespaceHelp(args: string[]): unknown | null {
if (top === "artifact-registry") return artifactRegistryHelp();
if (top === "auth-broker") return authBrokerHelp();
if (top === "gh") return ghHelp();
if (top === "hwlab") return hwlabHelp();
return null;
}
+871
View File
@@ -0,0 +1,871 @@
import { spawn } from "node:child_process";
import { randomBytes } from "node:crypto";
import { createWriteStream, existsSync, mkdirSync, openSync, readSync, statSync, writeFileSync, closeSync } from "node:fs";
import { mkdir, writeFile } from "node:fs/promises";
import { join, resolve } from "node:path";
import { repoRoot, rootPath } from "./config";
type HwlabCdAction = "status" | "apply";
type HwlabCdEnvironment = "dev";
interface HwlabCdOptions {
action: HwlabCdAction;
environment: HwlabCdEnvironment;
dryRun: boolean;
repoPath: string | null;
kubeconfig: string;
timeoutMs: number;
frontendLiveUrl: string;
apiLiveUrl: string;
}
interface CapturedCommand {
id: string;
command: string[];
cwd: string;
ok: boolean;
exitCode: number | null;
signal: NodeJS.Signals | null;
timedOut: boolean;
durationMs: number;
stdoutText: string;
stderrText: string;
dump: {
stdout: string;
stderr: string;
stdoutBytes: number;
stderrBytes: number;
stdoutTail: string;
stderrTail: string;
};
}
interface CommandView {
id: string;
command: string[];
cwd: string;
ok: boolean;
exitCode: number | null;
signal: NodeJS.Signals | null;
timedOut: boolean;
durationMs: number;
dump: {
stdout: string;
stderr: string;
stdoutBytes: number;
stderrBytes: number;
};
}
const namespace = "hwlab-dev";
const lockName = "hwlab-dev-cd-lock";
const nativeKubeconfig = "/etc/rancher/k3s/k3s.yaml";
const defaultFrontendLiveUrl = "http://74.48.78.17:16666/health/live";
const defaultApiLiveUrl = "http://74.48.78.17:16667/health/live";
const parseCaptureLimitBytes = 4 * 1024 * 1024;
const tailChars = 1000;
function isHelpArg(value: string | undefined): boolean {
return value === "help" || value === "--help" || value === "-h";
}
function readOption(argv: string[], index: number, option: string): string {
const value = argv[index];
if (value === undefined || value.length === 0 || value.startsWith("--")) throw new Error(`${option} requires a value`);
return value;
}
function parsePositiveInteger(value: string, option: string): number {
const parsed = Number(value);
if (!Number.isInteger(parsed) || parsed <= 0) throw new Error(`${option} must be a positive integer`);
return parsed;
}
function parseOptions(args: string[]): HwlabCdOptions {
const [scope, actionArg] = args;
if (scope !== "cd") throw new Error("hwlab usage: bun scripts/cli.ts hwlab cd status|apply --env dev");
if (actionArg !== "status" && actionArg !== "apply") throw new Error("hwlab cd usage: status|apply");
const options: HwlabCdOptions = {
action: actionArg,
environment: "dev",
dryRun: false,
repoPath: null,
kubeconfig: nativeKubeconfig,
timeoutMs: 60_000,
frontendLiveUrl: process.env.UNIDESK_HWLAB_CD_TEST_FRONTEND_LIVE_URL ?? defaultFrontendLiveUrl,
apiLiveUrl: process.env.UNIDESK_HWLAB_CD_TEST_API_LIVE_URL ?? defaultApiLiveUrl,
};
let envSeen = false;
for (let index = 2; index < args.length; index += 1) {
const arg = args[index] ?? "";
if (arg === "--env") {
const value = readOption(args, index + 1, arg);
if (value !== "dev") throw new Error("hwlab cd only supports --env dev");
options.environment = value;
envSeen = true;
index += 1;
} else if (arg === "--dry-run") {
options.dryRun = true;
} else if (arg === "--hwlab-repo" || arg === "--repo") {
options.repoPath = readOption(args, index + 1, arg);
index += 1;
} else if (arg === "--kubeconfig") {
const value = readOption(args, index + 1, arg);
if (value !== nativeKubeconfig) {
throw new Error(`hwlab cd requires the D601 native k3s kubeconfig: ${nativeKubeconfig}`);
}
options.kubeconfig = value;
index += 1;
} else if (arg === "--timeout-ms") {
options.timeoutMs = parsePositiveInteger(readOption(args, index + 1, arg), arg);
index += 1;
} else if (arg === "--frontend-live-url") {
options.frontendLiveUrl = readOption(args, index + 1, arg);
index += 1;
} else if (arg === "--api-live-url") {
options.apiLiveUrl = readOption(args, index + 1, arg);
index += 1;
} else if (!isHelpArg(arg)) {
throw new Error(`unknown hwlab cd option: ${arg}`);
}
}
if (!envSeen) throw new Error("hwlab cd requires --env dev");
return options;
}
function makeRunId(): string {
const timestamp = new Date().toISOString().replace(/[:.]/gu, "-");
return `${timestamp}-${process.pid}-${randomBytes(4).toString("hex")}`;
}
function redact(value: string): string {
return value
.replace(/\b(Bearer\s+)[A-Za-z0-9._~+/=-]+/giu, "$1<redacted>")
.replace(/\b(token|password|client-key-data|client-certificate-data|certificate-authority-data)\b(\s*[:=]\s*)(["']?)([^"'\s,}]+)/giu, "$1$2$3<redacted>")
.replace(/\b(postgres(?:ql)?:\/\/[^:\s/@]+:)([^@\s]+)(@)/giu, "$1<redacted>$3");
}
function boundedTail(value: string): string {
const redacted = redact(value);
return redacted.slice(Math.max(0, redacted.length - tailChars));
}
async function runCaptured(command: string[], cwd: string, dumpDir: string, id: string, options: { env?: NodeJS.ProcessEnv; timeoutMs?: number } = {}): Promise<CapturedCommand> {
await mkdir(dumpDir, { recursive: true });
const stdoutPath = join(dumpDir, `${id}.stdout.txt`);
const stderrPath = join(dumpDir, `${id}.stderr.txt`);
writeFileSync(stdoutPath, "", { mode: 0o600 });
writeFileSync(stderrPath, "", { mode: 0o600 });
const startedAt = Date.now();
let timedOut = false;
let stdoutBytes = 0;
let stderrBytes = 0;
let spawnErrorMessage = "";
const stdoutChunks: Buffer[] = [];
const stderrChunks: Buffer[] = [];
const stdout = createWriteStream(stdoutPath, { flags: "a" });
const stderr = createWriteStream(stderrPath, { flags: "a" });
const child = spawn(command[0] ?? "", command.slice(1), {
cwd,
env: options.env ?? process.env,
stdio: ["ignore", "pipe", "pipe"],
});
const timeout = options.timeoutMs === undefined
? null
: setTimeout(() => {
timedOut = true;
child.kill("SIGTERM");
setTimeout(() => child.kill("SIGKILL"), 1000).unref();
}, options.timeoutMs);
child.stdout.on("data", (chunk: Buffer) => {
stdoutBytes += chunk.byteLength;
stdout.write(chunk);
if (stdoutBytes <= parseCaptureLimitBytes) stdoutChunks.push(Buffer.from(chunk));
});
child.stderr.on("data", (chunk: Buffer) => {
stderrBytes += chunk.byteLength;
stderr.write(chunk);
if (stderrBytes <= parseCaptureLimitBytes) stderrChunks.push(Buffer.from(chunk));
});
const closed = await new Promise<{ exitCode: number | null; signal: NodeJS.Signals | null }>((resolveClose) => {
child.on("error", (error) => {
spawnErrorMessage = error.message;
});
child.on("close", (exitCode, signal) => {
resolveClose({ exitCode, signal });
});
});
if (timeout !== null) clearTimeout(timeout);
await new Promise<void>((resolveEnd) => stdout.end(resolveEnd));
await new Promise<void>((resolveEnd) => stderr.end(resolveEnd));
const stdoutText = stdoutBytes <= parseCaptureLimitBytes ? Buffer.concat(stdoutChunks).toString("utf8") : "";
const stderrText = stderrBytes <= parseCaptureLimitBytes ? Buffer.concat(stderrChunks).toString("utf8") : spawnErrorMessage;
const exitCode = spawnErrorMessage.length > 0 && closed.exitCode === null ? 127 : closed.exitCode;
return {
id,
command,
cwd,
ok: exitCode === 0 && !timedOut,
exitCode,
signal: closed.signal,
timedOut,
durationMs: Date.now() - startedAt,
stdoutText,
stderrText,
dump: {
stdout: stdoutPath,
stderr: stderrPath,
stdoutBytes,
stderrBytes,
stdoutTail: boundedTail(stdoutText || readFileTail(stdoutPath)),
stderrTail: boundedTail(stderrText || readFileTail(stderrPath)),
},
};
}
function readFileTail(path: string): string {
try {
const size = statSync(path).size;
const bytesToRead = Math.min(size, tailChars * 4);
const buffer = Buffer.alloc(bytesToRead);
const fd = openSync(path, "r");
try {
readSync(fd, buffer, 0, bytesToRead, size - bytesToRead);
} finally {
closeSync(fd);
}
return buffer.toString("utf8").slice(-tailChars);
} catch {
return "";
}
}
function commandView(result: CapturedCommand): CommandView {
return {
id: result.id,
command: result.command,
cwd: result.cwd,
ok: result.ok,
exitCode: result.exitCode,
signal: result.signal,
timedOut: result.timedOut,
durationMs: result.durationMs,
dump: {
stdout: result.dump.stdout,
stderr: result.dump.stderr,
stdoutBytes: result.dump.stdoutBytes,
stderrBytes: result.dump.stderrBytes,
},
};
}
function parseJson(text: string): unknown | null {
if (text.trim().length === 0) return null;
try {
return JSON.parse(text);
} catch {
return null;
}
}
function asRecord(value: unknown): Record<string, unknown> | null {
return typeof value === "object" && value !== null && !Array.isArray(value) ? value as Record<string, unknown> : null;
}
function stringValue(value: unknown): string | null {
return typeof value === "string" && value.length > 0 ? value : null;
}
function defaultRepoCandidates(provided: string | null): { source: string; path: string }[] {
return [
...(provided === null ? [] : [{ source: "option", path: provided }]),
...(process.env.UNIDESK_HWLAB_REPO === undefined ? [] : [{ source: "env:UNIDESK_HWLAB_REPO", path: process.env.UNIDESK_HWLAB_REPO }]),
{ source: "default", path: "/workspace/hwlab" },
{ source: "default", path: "/home/ubuntu/workspace/hwlab" },
{ source: "default", path: "/home/ubuntu/hwlab-cd-master-cli" },
{ source: "default", path: "/home/ubuntu/hwlab" },
];
}
function resolveHwlabRepo(provided: string | null): Record<string, unknown> {
const candidates = defaultRepoCandidates(provided).map((candidate) => {
const absolutePath = resolve(candidate.path);
const devCdApply = join(absolutePath, "scripts/dev-cd-apply.mjs");
const devDeployApply = join(absolutePath, "scripts/dev-deploy-apply.mjs");
return {
...candidate,
path: absolutePath,
exists: existsSync(absolutePath),
hasDevCdApply: existsSync(devCdApply),
hasDevDeployApply: existsSync(devDeployApply),
};
});
const selected = candidates.find((candidate) => candidate.exists && candidate.hasDevCdApply && candidate.hasDevDeployApply) ?? null;
return {
ok: selected !== null,
selected,
candidates,
};
}
async function gitSummary(repoPath: string, dumpDir: string, timeoutMs: number): Promise<Record<string, unknown>> {
const [branch, head, originMain, statusShort, statusPorcelain] = await Promise.all([
runCaptured(["git", "rev-parse", "--abbrev-ref", "HEAD"], repoPath, dumpDir, "git-branch", { timeoutMs }),
runCaptured(["git", "rev-parse", "HEAD"], repoPath, dumpDir, "git-head", { timeoutMs }),
runCaptured(["git", "rev-parse", "--verify", "origin/main^{commit}"], repoPath, dumpDir, "git-origin-main", { timeoutMs }),
runCaptured(["git", "status", "--short", "--branch"], repoPath, dumpDir, "git-status-short", { timeoutMs }),
runCaptured(["git", "status", "--porcelain=v1"], repoPath, dumpDir, "git-status-porcelain", { timeoutMs }),
]);
const branchName = branch.stdoutText.trim();
const headCommit = head.stdoutText.trim();
const originMainCommit = originMain.stdoutText.trim();
const porcelain = statusPorcelain.stdoutText.trim();
const statusLines = statusShort.stdoutText.trim().split("\n").filter((line) => line.length > 0);
const dirtyLines = porcelain.length === 0 ? [] : porcelain.split("\n").filter((line) => line.length > 0);
return {
ok: branch.ok && head.ok && statusShort.ok && statusPorcelain.ok,
clean: dirtyLines.length === 0,
branch: branchName || null,
onMain: branchName === "main",
headCommit: headCommit || null,
originMainCommit: originMain.ok ? originMainCommit || null : null,
headMatchesOriginMain: originMain.ok && headCommit.length > 0 && headCommit === originMainCommit,
statusShort: statusLines.slice(0, 40),
dirtyCount: dirtyLines.length,
dirtyPreview: dirtyLines.slice(0, 30),
commands: [branch, head, originMain, statusShort, statusPorcelain].map(commandView),
};
}
async function nativeK3sGuard(kubeconfig: string, dumpDir: string, timeoutMs: number): Promise<Record<string, unknown>> {
const env = { ...process.env, KUBECONFIG: kubeconfig };
const [context, server, nodes] = await Promise.all([
runCaptured(["kubectl", "config", "current-context"], repoRoot, dumpDir, "k3s-current-context", { env, timeoutMs }),
runCaptured(["kubectl", "config", "view", "--minify", "-o", "jsonpath={.clusters[0].cluster.server}"], repoRoot, dumpDir, "k3s-server", { env, timeoutMs }),
runCaptured(["kubectl", "get", "nodes", "-o", "jsonpath={range .items[*]}{.metadata.name}{\"\\n\"}{end}"], repoRoot, dumpDir, "k3s-nodes", { env, timeoutMs }),
]);
const contextText = context.stdoutText.trim();
const serverText = server.stdoutText.trim();
const nodeNames = nodes.stdoutText.split("\n").map((line) => line.trim()).filter((line) => line.length > 0);
const combined = `${context.stdoutText}\n${context.stderrText}\n${server.stdoutText}\n${server.stderrText}\n${nodes.stdoutText}\n${nodes.stderrText}`;
const refusalSignals = [
/docker-desktop/iu.test(combined) ? "docker-desktop" : null,
/desktop-control-plane/iu.test(combined) ? "desktop-control-plane" : null,
/127\.0\.0\.1:11700/u.test(combined) ? "127.0.0.1:11700" : null,
].filter((signal): signal is string => signal !== null);
const refusal = refusalSignals.length > 0;
const readable = context.ok && server.ok && nodes.ok;
return {
status: refusal ? "refused" : readable ? "pass" : "blocked",
refusal,
refusalSignals,
kubeconfig,
injectedEnv: { KUBECONFIG: kubeconfig },
currentContext: contextText || null,
apiServer: serverText || null,
nodeNames,
nodeCount: nodeNames.length,
summary: refusal
? "Refusing HWLAB CD because kubectl resolved to a Docker Desktop control plane signal."
: readable
? "D601 native k3s guard passed with explicit KUBECONFIG."
: "D601 native k3s guard could not fully read context, server, and nodes.",
commands: [context, server, nodes].map(commandView),
};
}
function annotation(annotations: Record<string, unknown>, name: string): string | null {
return stringValue(annotations[`hwlab.pikastech.local/${name}`]);
}
function classifyLock(lock: Record<string, unknown> | null): Record<string, unknown> {
if (lock === null || lock.phase === "released") return { held: false, stale: false, retryAfterSeconds: 0, expiresAt: null };
const updatedAt = stringValue(lock.updatedAt) ?? "";
const ttlSeconds = Number(lock.ttlSeconds ?? 3600);
const updatedMs = Number.isFinite(Date.parse(updatedAt)) ? Date.parse(updatedAt) : 0;
const expiresAtMs = updatedMs + (Number.isFinite(ttlSeconds) ? ttlSeconds : 3600) * 1000;
const retryAfterSeconds = Math.max(0, Math.ceil((expiresAtMs - Date.now()) / 1000));
return {
held: retryAfterSeconds > 0,
stale: retryAfterSeconds <= 0,
retryAfterSeconds,
expiresAt: Number.isFinite(expiresAtMs) ? new Date(expiresAtMs).toISOString() : null,
};
}
async function cdLockStatus(kubeconfig: string, guard: Record<string, unknown>, dumpDir: string, timeoutMs: number): Promise<Record<string, unknown>> {
if (guard.refusal === true) {
return {
status: "skipped",
reason: "native-k3s-guard-refused",
present: null,
lockName,
namespace,
};
}
const env = { ...process.env, KUBECONFIG: kubeconfig };
const result = await runCaptured(["kubectl", "-n", namespace, "get", "lease", lockName, "-o", "json"], repoRoot, dumpDir, "cd-lock", { env, timeoutMs });
const text = `${result.stderrText}\n${result.stdoutText}`;
if (!result.ok && /not\s*found|notfound/iu.test(text)) {
return {
status: "absent",
present: false,
held: false,
stale: false,
lockName,
namespace,
command: commandView(result),
};
}
const parsed = asRecord(parseJson(result.stdoutText));
const annotations = asRecord(asRecord(parsed?.metadata)?.annotations) ?? {};
const lock = parsed === null ? null : {
lockBackend: "Lease",
lockName: stringValue(asRecord(parsed.metadata)?.name) ?? lockName,
namespace: stringValue(asRecord(parsed.metadata)?.namespace) ?? namespace,
holderIdentity: stringValue(asRecord(parsed.spec)?.holderIdentity),
resourceVersion: stringValue(asRecord(parsed.metadata)?.resourceVersion),
ownerTaskId: annotation(annotations, "ownerTaskId"),
transactionId: annotation(annotations, "transactionId"),
phase: annotation(annotations, "phase") ?? "unknown",
promotionCommit: annotation(annotations, "promotionCommit"),
deployJsonHash: annotation(annotations, "deployJsonHash"),
targetRef: annotation(annotations, "targetRef"),
targetNamespace: annotation(annotations, "targetNamespace"),
updatedAt: annotation(annotations, "updatedAt") ?? stringValue(asRecord(parsed.spec)?.renewTime),
ttlSeconds: Number(annotation(annotations, "ttlSeconds") ?? asRecord(parsed.spec)?.leaseDurationSeconds ?? 3600),
releaseStatus: annotation(annotations, "releaseStatus"),
releasedAt: annotation(annotations, "releasedAt"),
};
return {
status: result.ok && lock !== null ? "observed" : "blocked",
present: result.ok && lock !== null,
...(lock ?? {}),
...classifyLock(lock),
command: commandView(result),
};
}
function summarizeDesiredState(parsed: unknown, command: CapturedCommand): Record<string, unknown> {
const record = asRecord(parsed);
const summary = asRecord(record?.summary);
return {
status: stringValue(record?.status) ?? (command.ok ? "unknown" : "blocked"),
kind: stringValue(record?.kind),
desiredCommitId: stringValue(summary?.desiredCommitId),
desiredImageTag: stringValue(summary?.desiredImageTag),
artifactState: stringValue(summary?.artifactState),
ciPublished: summary?.ciPublished ?? null,
registryVerified: summary?.registryVerified ?? null,
services: summary?.services ?? null,
workloadContainers: summary?.workloadContainers ?? null,
diagnostics: summary?.diagnostics ?? null,
blockers: summary?.blockers ?? null,
targetConvergence: summary?.targetConvergence ?? null,
command: commandView(command),
parsed: record !== null,
};
}
async function desiredStateStatus(repoPath: string, dumpDir: string, timeoutMs: number): Promise<Record<string, unknown>> {
const script = join(repoPath, "scripts/deploy-desired-state-plan.mjs");
if (!existsSync(script)) {
return { status: "skipped", reason: "scripts/deploy-desired-state-plan.mjs not found" };
}
const result = await runCaptured(["node", "scripts/deploy-desired-state-plan.mjs", "--pretty"], repoPath, dumpDir, "desired-state-plan", { timeoutMs });
return summarizeDesiredState(parseJson(result.stdoutText), result);
}
async function controlledObservability(repoPath: string, dumpDir: string, timeoutMs: number): Promise<Record<string, unknown>> {
const script = join(repoPath, "scripts/d601-k3s-readonly-observability.mjs");
if (!existsSync(script)) {
return { status: "skipped", reason: "scripts/d601-k3s-readonly-observability.mjs not found" };
}
const result = await runCaptured(["node", "scripts/d601-k3s-readonly-observability.mjs", "--no-write", "--timeout-ms", String(Math.min(timeoutMs, 10_000))], repoPath, dumpDir, "d601-readonly-observability", {
env: { ...process.env, KUBECONFIG: nativeKubeconfig },
timeoutMs: Math.max(timeoutMs, 15_000),
});
const parsed = asRecord(parseJson(result.stdoutText));
return {
status: stringValue(parsed?.conclusion) ?? (result.ok ? "unknown" : "blocked"),
reportKind: stringValue(parsed?.reportKind),
readable: parsed?.readable ?? null,
runnerKubeconfigReadable: parsed?.runnerKubeconfigReadable ?? null,
d601PublicEndpointsReachable: parsed?.d601PublicEndpointsReachable ?? null,
d601K3sUnavailable: parsed?.d601K3sUnavailable ?? null,
attemptedExecutors: parsed?.attemptedExecutors ?? [],
blockers: parsed?.blockers ?? [],
command: commandView(result),
parsed: parsed !== null,
};
}
function revisionFromHealth(json: Record<string, unknown> | null): string | null {
const commit = asRecord(json?.commit);
const image = asRecord(json?.image);
return stringValue(json?.revision)
?? stringValue(json?.commitId)
?? stringValue(commit?.id)
?? stringValue(image?.tag)
?? null;
}
function imageFromHealth(json: Record<string, unknown> | null): string | null {
const image = json?.image;
if (typeof image === "string") return image;
return stringValue(asRecord(image)?.reference);
}
async function fetchLive(url: string, dumpDir: string, id: string, timeoutMs: number): Promise<Record<string, unknown>> {
const startedAt = Date.now();
await mkdir(dumpDir, { recursive: true });
const bodyPath = join(dumpDir, `${id}.body.txt`);
const errorPath = join(dumpDir, `${id}.error.txt`);
const controller = new AbortController();
const timeout = setTimeout(() => controller.abort(), timeoutMs);
try {
const response = await fetch(url, { method: "GET", signal: controller.signal });
const body = await response.text();
await writeFile(bodyPath, body, { mode: 0o600 });
await writeFile(errorPath, "", { mode: 0o600 });
const json = asRecord(parseJson(body));
return {
id,
url,
ok: response.ok && json !== null,
httpStatus: response.status,
durationMs: Date.now() - startedAt,
serviceId: stringValue(json?.serviceId) ?? stringValue(asRecord(json?.service)?.id),
environment: stringValue(json?.environment),
applicationStatus: stringValue(json?.status),
ready: json?.ready ?? null,
revision: revisionFromHealth(json),
image: imageFromHealth(json),
blockerCodes: Array.isArray(json?.blockerCodes) ? json.blockerCodes.slice(0, 20) : [],
dump: {
body: bodyPath,
error: errorPath,
bodyBytes: Buffer.byteLength(body, "utf8"),
bodyTail: boundedTail(body),
},
};
} catch (error) {
const message = error instanceof Error ? error.message : String(error);
await writeFile(bodyPath, "", { mode: 0o600 });
await writeFile(errorPath, message, { mode: 0o600 });
return {
id,
url,
ok: false,
httpStatus: null,
durationMs: Date.now() - startedAt,
error: message,
dump: {
body: bodyPath,
error: errorPath,
bodyBytes: 0,
bodyTail: "",
},
};
} finally {
clearTimeout(timeout);
}
}
async function liveRevisionStatus(options: HwlabCdOptions, dumpDir: string): Promise<Record<string, unknown>> {
const [frontend, api] = await Promise.all([
fetchLive(options.frontendLiveUrl, dumpDir, "live-16666", Math.min(options.timeoutMs, 10_000)),
fetchLive(options.apiLiveUrl, dumpDir, "live-16667", Math.min(options.timeoutMs, 10_000)),
]);
return {
status: frontend.ok === true && api.ok === true ? "observed" : "blocked",
endpoints: [frontend, api],
};
}
function collectBlockers(parts: {
git?: Record<string, unknown>;
desired?: Record<string, unknown>;
guard?: Record<string, unknown>;
lock?: Record<string, unknown>;
live?: Record<string, unknown>;
dryRun?: Record<string, unknown>;
}): Record<string, unknown>[] {
const blockers: Record<string, unknown>[] = [];
if (parts.git !== undefined) {
if (parts.git.clean === false) blockers.push({ scope: "hwlab-git-clean", summary: "HWLAB repo has local modifications." });
if (parts.git.onMain === false) blockers.push({ scope: "hwlab-git-main", summary: "HWLAB repo is not on main." });
if (parts.git.headMatchesOriginMain === false) blockers.push({ scope: "hwlab-git-origin-main", summary: "HWLAB HEAD does not match local origin/main." });
}
if (parts.desired !== undefined && parts.desired.status !== "pass") {
blockers.push({ scope: "desired-state", summary: `HWLAB desired-state status is ${String(parts.desired.status)}` });
}
if (parts.guard !== undefined && parts.guard.status !== "pass") {
blockers.push({ scope: "d601-native-k3s-guard", summary: String(parts.guard.summary ?? "D601 native k3s guard is not pass."), refusal: parts.guard.refusal === true });
}
if (parts.lock !== undefined && parts.lock.held === true) {
blockers.push({ scope: "cd-lock", summary: `HWLAB DEV CD lock is held by ${String(parts.lock.ownerTaskId ?? parts.lock.holderIdentity ?? "unknown")}.` });
}
if (parts.live !== undefined && parts.live.status !== "observed") {
blockers.push({ scope: "live-revision", summary: "16666/16667 live revision summary is not fully observable." });
}
if (parts.dryRun !== undefined && parts.dryRun.commandOk === false) {
blockers.push({ scope: "apply-dry-run-command", summary: "HWLAB controlled dry-run command failed." });
}
if (parts.dryRun !== undefined && parts.dryRun.status === "blocked") {
blockers.push({ scope: "apply-dry-run-blockers", summary: "HWLAB controlled dry-run reported open blockers." });
}
return blockers;
}
async function status(options: HwlabCdOptions): Promise<Record<string, unknown>> {
const dumpDir = rootPath(".state", "hwlab-cd", makeRunId());
mkdirSync(dumpDir, { recursive: true, mode: 0o700 });
const repo = resolveHwlabRepo(options.repoPath);
const selected = asRecord(repo.selected);
if (selected === null) {
return {
ok: false,
status: "blocked",
environment: options.environment,
dumpDir,
repo,
error: "hwlab-repo-not-found",
};
}
const repoPath = String(selected.path);
const [git, desired, guard, controlled, live] = await Promise.all([
gitSummary(repoPath, dumpDir, Math.min(options.timeoutMs, 15_000)),
desiredStateStatus(repoPath, dumpDir, options.timeoutMs),
nativeK3sGuard(options.kubeconfig, dumpDir, Math.min(options.timeoutMs, 15_000)),
controlledObservability(repoPath, dumpDir, Math.min(options.timeoutMs, 15_000)),
liveRevisionStatus(options, dumpDir),
]);
const lock = await cdLockStatus(options.kubeconfig, guard, dumpDir, Math.min(options.timeoutMs, 15_000));
const blockers = collectBlockers({ git, desired, guard, lock, live });
return {
ok: guard.refusal !== true,
status: blockers.length === 0 ? "ready" : "blocked",
environment: options.environment,
dryRun: false,
mutation: false,
dumpDir,
hwlabRepo: {
path: repoPath,
source: selected.source,
controlledEntrypoints: {
devCdApply: join(repoPath, "scripts/dev-cd-apply.mjs"),
devDeployApply: join(repoPath, "scripts/dev-deploy-apply.mjs"),
},
},
git,
desiredState: desired,
d601NativeK3sGuard: guard,
controlledObservability: controlled,
cdLock: lock,
liveRevisions: live,
blockers,
nextCommands: {
dryRunApply: "bun scripts/cli.ts hwlab cd apply --env dev --dry-run",
fullDump: `find ${JSON.stringify(dumpDir)} -type f -maxdepth 1 -print`,
},
};
}
function summarizeApplyDryRun(parsed: unknown, command: CapturedCommand): Record<string, unknown> {
const report = asRecord(parsed);
const apply = asRecord(report?.devDeployApply);
const conclusion = asRecord(apply?.conclusion);
const boundary = asRecord(apply?.applyBoundary);
const artifactPlan = asRecord(apply?.artifactPlan);
const applyStep = asRecord(apply?.applyStep);
return {
status: stringValue(report?.status) ?? (command.ok ? "unknown" : "blocked"),
commandOk: command.ok,
reportVersion: stringValue(report?.reportVersion),
commitId: stringValue(report?.commitId),
namespace: stringValue(report?.namespace) ?? namespace,
endpoint: stringValue(report?.endpoint) ?? "http://74.48.78.17:16667",
blockers: Array.isArray(report?.blockers) ? report.blockers.slice(0, 30) : [],
blockerCount: Array.isArray(report?.blockers) ? report.blockers.length : null,
conclusion,
artifactPlan: artifactPlan === null ? null : {
expectedArtifactCommit: artifactPlan.expectedArtifactCommit,
deployCommitId: artifactPlan.deployCommitId,
catalogCommitId: artifactPlan.catalogCommitId,
published: artifactPlan.published,
registryVerified: artifactPlan.registryVerified,
imageCount: artifactPlan.imageCount,
requiredServiceCount: artifactPlan.requiredServiceCount,
unpublishedServices: artifactPlan.unpublishedServices,
},
applyBoundary: boundary === null ? null : {
currentMode: boundary.currentMode,
defaultNoWrite: boundary.defaultNoWrite,
mutationAttempted: boundary.mutationAttempted,
mutationAllowed: boundary.mutationAllowed,
kubeconfigSource: boundary.kubeconfigSource,
writeScope: boundary.writeScope,
noWriteScope: boundary.noWriteScope,
forbiddenActions: boundary.forbiddenActions,
},
applyStep: applyStep === null ? null : {
status: applyStep.status,
command: applyStep.command,
mutationAttempted: applyStep.mutationAttempted,
expectedImmutableTemplateJobDryRun: applyStep.expectedImmutableTemplateJobDryRun,
},
manualCommands: asRecord(apply?.manualCommands),
command: commandView(command),
parsed: report !== null,
};
}
function realApplyRefusal(options: HwlabCdOptions, dumpDir: string, repoPath: string): Record<string, unknown> {
const controlledCommand = [
"node",
"scripts/dev-cd-apply.mjs",
"--apply",
"--confirm-dev",
"--confirmed-non-production",
"--write-report",
"--kubeconfig",
options.kubeconfig,
];
return {
ok: false,
status: "refused",
environment: options.environment,
dryRun: false,
mutation: false,
dumpDir,
hwlabRepo: { path: repoPath },
error: "host-commander-only-real-apply",
summary: "UniDesk HWLAB CD wrapper exposes the real DEV apply shape but does not execute it from this runner path. Use dry-run here; host commander must run live apply only after explicit DEV CD authorization.",
hostCommanderOnly: true,
requiredDefaultCommand: "bun scripts/cli.ts hwlab cd apply --env dev --dry-run",
controlledEntrypoint: "scripts/dev-cd-apply.mjs",
controlledCommandShape: controlledCommand,
safety: {
prodTouched: false,
kubectlApplyExecuted: false,
rolloutExecuted: false,
secretValuesRead: false,
},
};
}
async function apply(options: HwlabCdOptions): Promise<Record<string, unknown>> {
const dumpDir = rootPath(".state", "hwlab-cd", makeRunId());
mkdirSync(dumpDir, { recursive: true, mode: 0o700 });
const repo = resolveHwlabRepo(options.repoPath);
const selected = asRecord(repo.selected);
if (selected === null) {
return {
ok: false,
status: "blocked",
environment: options.environment,
dryRun: options.dryRun,
mutation: false,
dumpDir,
repo,
error: "hwlab-repo-not-found",
};
}
const repoPath = String(selected.path);
if (!options.dryRun) return realApplyRefusal(options, dumpDir, repoPath);
const guard = await nativeK3sGuard(options.kubeconfig, dumpDir, Math.min(options.timeoutMs, 15_000));
if (guard.refusal === true) {
return {
ok: false,
status: "refused",
environment: options.environment,
dryRun: true,
mutation: false,
dumpDir,
hwlabRepo: { path: repoPath, source: selected.source },
d601NativeK3sGuard: guard,
error: "native-k3s-guard-refused",
summary: "Refusing HWLAB DEV CD dry-run because kubectl resolved to a forbidden Docker Desktop control plane signal.",
};
}
const command = await runCaptured([
"node",
"scripts/dev-deploy-apply.mjs",
"--dry-run",
"--expect-blocked",
"--kubeconfig",
options.kubeconfig,
], repoPath, dumpDir, "controlled-dev-deploy-apply-dry-run", {
env: { ...process.env, KUBECONFIG: options.kubeconfig },
timeoutMs: options.timeoutMs,
});
const dryRun = summarizeApplyDryRun(parseJson(command.stdoutText), command);
const blockers = collectBlockers({ guard, dryRun });
return {
ok: command.ok,
status: blockers.length === 0 ? "prepared" : "blocked",
environment: options.environment,
dryRun: true,
mutation: false,
dumpDir,
hwlabRepo: {
path: repoPath,
source: selected.source,
controlledEntrypoint: join(repoPath, "scripts/dev-deploy-apply.mjs"),
liveApplyEntrypointShape: join(repoPath, "scripts/dev-cd-apply.mjs"),
},
d601NativeK3sGuard: guard,
controlledDryRun: dryRun,
blockers,
hostCommanderOnlyLiveApply: {
supportedByShapeOnly: true,
notExecuted: true,
commandShape: [
"node",
"scripts/dev-cd-apply.mjs",
"--apply",
"--confirm-dev",
"--confirmed-non-production",
"--write-report",
"--kubeconfig",
options.kubeconfig,
],
},
};
}
export function hwlabHelp(): Record<string, unknown> {
return {
command: "hwlab cd",
output: "json",
usage: [
"bun scripts/cli.ts hwlab cd status --env dev",
"bun scripts/cli.ts hwlab cd apply --env dev --dry-run",
],
description: "Inspect and prepare HWLAB DEV CD from UniDesk without embedding release kubectl logic. The wrapper calls HWLAB repo-owned scripts and writes full stdout/stderr dumps under .state/hwlab-cd/.",
boundary: [
`KUBECONFIG is forced to ${nativeKubeconfig}`,
"docker-desktop, desktop-control-plane, and 127.0.0.1:11700 are refusal signals",
"status is read-only and bounded; live apply is host-commander-only and not executed by the dry-run path",
"dry-run apply calls HWLAB scripts/dev-deploy-apply.mjs; live apply shape points at scripts/dev-cd-apply.mjs",
],
};
}
export async function runHwlabCdCommand(args: string[]): Promise<Record<string, unknown>> {
if (args.length === 0 || args.some(isHelpArg)) return { ok: true, ...hwlabHelp() };
const options = parseOptions(args);
if (options.action === "status") return status(options);
return apply(options);
}