feat(hwlab): add dev cd audit

This commit is contained in:
Codex
2026-05-24 02:27:15 +00:00
parent 6d59684d67
commit acc20b5c89
7 changed files with 731 additions and 17 deletions
+116 -4
View File
@@ -1,6 +1,6 @@
import assert from "node:assert/strict";
import { spawnSync } from "node:child_process";
import { mkdirSync, writeFileSync } from "node:fs";
import { existsSync, mkdirSync, readdirSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";
import { buildHwlabCdRemoteCommandForTest } from "./src/hwlab-cd";
@@ -40,6 +40,7 @@ function makeFakeHwlabRepo(): string {
mkdirSync(join(root, "reports/dev-gate"), { recursive: true });
writeFileSync(join(root, "scripts/dev-cd-apply.mjs"), [
"const kubeconfigIndex = process.argv.indexOf('--kubeconfig');",
"if (process.argv.includes('--apply') || process.argv.includes('--write-report') || process.argv.includes('--confirm-dev')) { throw new Error('mutation flag must not be used in wrapper tests'); }",
"process.stdout.write(JSON.stringify({",
" ok: true,",
" status: 'pass',",
@@ -85,6 +86,43 @@ function makeFakeHwlabRepo(): string {
function makeFakeBin(mode: "native" | "desktop" | "stale-default" | "wrong-node" | "missing-secret" | "second-plane"): string {
const bin = join(tmpdir(), `unidesk-hwlab-cd-bin-${process.pid}-${Date.now()}-${mode}-${Math.random().toString(16).slice(2)}`);
mkdirSync(bin, { recursive: true });
const deploymentJson = {
items: [
{
metadata: {
name: "hwlab-cloud-api",
labels: { "app.kubernetes.io/name": "hwlab-cloud-api", "hwlab.pikastech.local/service-id": "hwlab-cloud-api" },
annotations: { "deployment.kubernetes.io/revision": "7" },
},
spec: {
replicas: 1,
template: { spec: { containers: [{ name: "hwlab-cloud-api", image: "127.0.0.1:5000/hwlab/hwlab-cloud-api:abc1234", env: [{ name: "HWLAB_COMMIT_ID", value: "abc1234" }] }] } },
},
status: { availableReplicas: 1, updatedReplicas: 1, unavailableReplicas: 0, conditions: [{ type: "Available", status: "True" }, { type: "Progressing", status: "True", reason: "NewReplicaSetAvailable" }] },
},
{
metadata: {
name: "hwlab-cloud-web",
labels: { "app.kubernetes.io/name": "hwlab-cloud-web", "hwlab.pikastech.local/service-id": "hwlab-cloud-web" },
annotations: { "deployment.kubernetes.io/revision": "8" },
},
spec: {
replicas: 1,
template: { spec: { containers: [{ name: "hwlab-cloud-web", image: "127.0.0.1:5000/hwlab/hwlab-cloud-web:abc1234", env: [{ name: "HWLAB_COMMIT_ID", value: "abc1234" }] }] } },
},
status: { availableReplicas: 1, updatedReplicas: 1, unavailableReplicas: 0, conditions: [{ type: "Available", status: "True" }, { type: "Progressing", status: "True" }] },
},
],
};
const podsJson = {
items: [
{
metadata: { name: "hwlab-cloud-api-abc" },
status: { containerStatuses: [{ name: "hwlab-cloud-api", image: "127.0.0.1:5000/hwlab/hwlab-cloud-api:abc1234", imageID: "docker-pullable://127.0.0.1:5000/hwlab/hwlab-cloud-api@sha256:" + "b".repeat(64), state: { running: {} } }] },
},
],
};
const jobsJson = { items: [{ metadata: { name: "hwlab-runtime-provision-old" }, status: { succeeded: 1, failed: 0, active: 0, completionTime: "2026-05-24T00:00:00Z" } }] };
const explicitContext = mode === "desktop" ? "docker-desktop" : "default";
const explicitServer = mode === "desktop" ? "https://127.0.0.1:11700" : "https://127.0.0.1:6443";
const explicitNodes = mode === "desktop" ? "desktop-control-plane" : mode === "wrong-node" ? "d602" : "d601";
@@ -112,6 +150,9 @@ function makeFakeBin(mode: "native" | "desktop" | "stale-default" | "wrong-node"
" printf 'Error from server (NotFound): namespaces \"hwlab-dev\" not found\\n' >&2; exit 1",
"fi",
"if [[ \"$*\" =~ ^-n[[:space:]]+hwlab-dev[[:space:]]+get[[:space:]]+lease[[:space:]]+hwlab-dev-cd-lock[[:space:]]+-o[[:space:]]+json$ ]]; then printf 'Error from server (NotFound): leases.coordination.k8s.io \"hwlab-dev-cd-lock\" not found\\n' >&2; exit 1; fi",
"if [[ \"$*\" == '-n hwlab-dev get deployments -o json' ]]; then printf '%s\\n' " + JSON.stringify(JSON.stringify(deploymentJson)) + "; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev get pods -o json' ]]; then printf '%s\\n' " + JSON.stringify(JSON.stringify(podsJson)) + "; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev get jobs -o json' ]]; then printf '%s\\n' " + JSON.stringify(JSON.stringify(jobsJson)) + "; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev get secret hwlab-code-agent-provider -o name' && " + JSON.stringify(mode) + " == 'missing-secret' ]]; then printf 'Error from server (NotFound): secrets \"hwlab-code-agent-provider\" not found\\n' >&2; exit 1; fi",
"if [[ \"$*\" =~ ^-n\\ hwlab-dev\\ get\\ secret\\ ([^[:space:]]+)\\ -o\\ name$ ]]; then printf 'secret/%s\\n' \"${BASH_REMATCH[1]}\"; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev describe secret hwlab-cloud-api-dev-db' ]]; then printf 'Name: hwlab-cloud-api-dev-db\\nData\\n====\\ndatabase-url: 48 bytes\\n'; exit 0; fi",
@@ -120,6 +161,34 @@ function makeFakeBin(mode: "native" | "desktop" | "stale-default" | "wrong-node"
"printf 'unexpected kubectl args: %s\\n' \"$*\" >&2; exit 99",
].join("\n"));
spawnSync("chmod", ["+x", join(bin, "kubectl")]);
writeFileSync(join(bin, "curl"), [
"#!/usr/bin/env bash",
"set -euo pipefail",
"url=\"${@: -1}\"",
"if [[ \"$*\" == *'http://127.0.0.1:5000/v2/'* ]]; then printf '{}\\n'; exit 0; fi",
"if [[ \"$url\" == 'http://74.48.78.17:16666/health/live' ]]; then printf '%s\\n' " + JSON.stringify(JSON.stringify({
serviceId: "hwlab-cloud-web",
environment: "dev",
status: "ready",
ready: true,
commit: { id: "abc1234" },
image: { reference: "127.0.0.1:5000/hwlab/hwlab-cloud-web:abc1234", tag: "abc1234" },
blockerCodes: [],
})) + "; exit 0; fi",
"if [[ \"$url\" == 'http://74.48.78.17:16667/health/live' ]]; then printf '%s\\n' " + JSON.stringify(JSON.stringify({
serviceId: "hwlab-cloud-api",
environment: "dev",
status: "ready",
ready: true,
commit: { id: "abc1234" },
image: { reference: "127.0.0.1:5000/hwlab/hwlab-cloud-api:abc1234", tag: "abc1234" },
db: { ready: true, connected: true, liveDbEvidence: true, runtimeReadiness: { status: "ready", ready: true, blocker: null } },
runtime: { status: "ready", ready: true, durable: true, durableRequested: true, liveRuntimeEvidence: true, blocker: null, adapter: "postgres" },
blockerCodes: [],
})) + "; exit 0; fi",
"printf 'unexpected curl args: %s\\n' \"$*\" >&2; exit 22",
].join("\n"));
spawnSync("chmod", ["+x", join(bin, "curl")]);
return bin;
}
@@ -142,11 +211,14 @@ const secondPlaneBin = makeFakeBin("second-plane");
const help = runCli(["hwlab", "help"]);
assert.equal(help.ok, true);
assert.equal((help.data as JsonRecord).command, "hwlab cd");
assert.equal(((help.data as JsonRecord).usage as string[]).includes("bun scripts/cli.ts hwlab cd audit --env dev"), true);
const remoteCommand = buildHwlabCdRemoteCommandForTest(withLocalTransport(["cd", "apply", "--env", "dev", "--dry-run"]));
assert.equal(remoteCommand.includes("scripts/dev-cd-apply.mjs"), true);
assert.equal(remoteCommand.includes("/etc/rancher/k3s/k3s.yaml"), true);
assert.equal(remoteCommand.includes("kubectl rollout"), false);
assert.equal(remoteCommand.includes("kubectl apply"), false);
assert.equal(remoteCommand.includes("break-stale-lock"), false);
const realApply = runCli(["hwlab", "cd", "apply", "--env", "dev", "--hwlab-repo", fakeRepo], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
@@ -201,6 +273,46 @@ assert.equal(((dryRunData.target as JsonRecord).promotionCommit), "abc1234567890
assert.equal(((dryRunData.promotion as JsonRecord).source), "deploy/deploy.json");
assert.equal(JSON.stringify(dryRunData).includes("sk-secret"), false);
const reportsBefore = existsSync(join(fakeRepo, "reports")) ? JSON.stringify(readdirSync(join(fakeRepo, "reports"), { recursive: true })) : "";
const audit = runCli(withLocalTransport([
"hwlab",
"cd",
"audit",
"--env",
"dev",
"--hwlab-repo",
fakeRepo,
]), {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
});
assert.equal(audit.ok, true);
const auditData = dataOf(audit);
const auditSummary = auditData.audit as JsonRecord;
assert.equal(auditSummary.status, "pass");
assert.equal((auditSummary.namespace), "hwlab-dev");
assert.equal(((auditSummary.nodeGuard as JsonRecord).nodeNames as unknown[]).includes("d601"), true);
assert.equal(((auditSummary.secrets as JsonRecord).valuesRead), false);
assert.equal(((auditSummary.secrets as JsonRecord).valuesPrinted), false);
assert.equal(JSON.stringify(auditSummary).includes("48 bytes"), false);
assert.equal(((auditSummary.registry as JsonRecord).status), "pass");
assert.equal(((auditSummary.lease as JsonRecord).staleClassification), "not-held");
assert.equal((((auditSummary.desiredState as JsonRecord).imageConvergence as JsonRecord).status), "pass");
assert.equal(((auditSummary.workload as JsonRecord).status), "healthy");
assert.equal(((auditSummary.publicHealth as JsonRecord).status), "pass");
assert.equal(((auditSummary.durability as JsonRecord).status), "pass");
assert.deepEqual((auditSummary.blockerTypes as unknown[]), []);
assert.equal(((auditSummary.safety as JsonRecord).reportsWritten), false);
assert.equal(((auditSummary.safety as JsonRecord).cdLockMutated), false);
assert.equal((auditData.remote as JsonRecord).providerId, "D601");
assert.equal(JSON.stringify(auditData).length < 80_000, true);
assert.equal(JSON.stringify(auditData).includes("kubectl apply"), false);
assert.equal(JSON.stringify(auditData).includes("kubectl rollout"), false);
assert.equal(JSON.stringify(auditData).includes("--apply"), false);
assert.equal(JSON.stringify(auditData).includes("--write-report"), false);
assert.equal(JSON.stringify(auditData).includes("sk-secret"), false);
const reportsAfter = existsSync(join(fakeRepo, "reports")) ? JSON.stringify(readdirSync(join(fakeRepo, "reports"), { recursive: true })) : "";
assert.equal(reportsAfter, reportsBefore);
const status = runCli(withLocalTransport([
"hwlab",
"cd",
@@ -240,10 +352,9 @@ assert.equal((staleDefaultGuard.defaultKubectlDiagnostic as JsonRecord).status,
const desktopRefusal = runCli(withLocalTransport([
"hwlab",
"cd",
"apply",
"audit",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
]), {
@@ -252,7 +363,8 @@ const desktopRefusal = runCli(withLocalTransport([
assert.equal(desktopRefusal.ok, false);
const desktopData = dataOf(desktopRefusal);
assert.equal(desktopData.status, "refused");
assert.deepEqual((desktopData.nodeGuard as JsonRecord).refusalSignals, ["docker-desktop", "desktop-control-plane", "127.0.0.1:11700"]);
assert.deepEqual((((desktopData.audit as JsonRecord).nodeGuard as JsonRecord).refusalSignals), ["docker-desktop", "desktop-control-plane", "127.0.0.1:11700"]);
assert.equal(((desktopData.blockerTypes as unknown[]).includes("docker-desktop-context-risk")), true);
const wrongNodeBlocked = runCli(withLocalTransport([
"hwlab",