test: add frontend artifact lane contract

This commit is contained in:
Codex
2026-05-21 10:02:33 +00:00
parent e4e18736f2
commit b69c2fe599
4 changed files with 321 additions and 5 deletions
@@ -2,16 +2,17 @@
Snapshot date: 2026-05-21
This matrix closes the current review pass for the `decision-center`, `mdtodo`, `claudeqq` and `todo-note` lane. It records only focused smoke evidence: health, runtime commit/digest or deployment labels, private proxy API checks and registry artifact presence. No full e2e/Playwright run, backend-core restart, Code Queue restart, backend-core prod deploy or Code Queue prod deploy is part of this lane.
This matrix closes the current review pass for the `decision-center`, `mdtodo`, `claudeqq`, `todo-note` and frontend artifact lane. It records only focused smoke evidence: health, runtime commit/digest or deployment labels, private proxy API checks and registry artifact presence. No full e2e/Playwright run, backend-core restart, Code Queue restart, backend-core prod deploy, frontend deploy, publish, or Code Queue prod deploy is part of this lane.
## Shared Findings
| Area | State | Impact | Next step |
| --- | --- | --- | --- |
| Artifact producer catalog | `CI.json` has source-build producer entries for all four services. | The standard producer route is modeled for the whole lane. | Keep producer commands as the only source-build entrypoint: `ci publish-user-service --service <id> --commit <full-sha>`. |
| CD consumer plan | `deploy plan --env dev|prod --service <id>` resolves standard consumers for all four services: k3s-managed for `decision-center`, `mdtodo`, `claudeqq`; main-server Compose artifact consumer for `todo-note`. | The dry-run contract exists, but live apply still depends on artifact and verification readiness. | Use dev -> focused smoke -> prod only after the desired artifact exists and the preflight channel is healthy. |
| Artifact-registry probe | Direct D601 registry API access is healthy, but remote frontend `artifact-registry health` and CI publish dry-run registry checks fail because the provider Host SSH command is rejected as too long (`4039` bytes). | The registry itself is reachable from D601, but the standard preflight tool path reports `registry` as infra-blocked. | Split or shrink the registry health probe before relying on remote CI dry-run as release evidence. |
| Artifact producer catalog | `CI.json` has source-build producer entries for the reviewed services, including `frontend`. | The standard producer route is modeled for the lane. | Keep producer commands as the only source-build entrypoint: `ci publish-user-service --service <id> --commit <full-sha>`. |
| CD consumer plan | `deploy plan --env dev|prod --service <id>` resolves standard consumers: k3s-managed for `decision-center`, `mdtodo`, `claudeqq` and dev `frontend`; main-server Compose artifact consumer for `todo-note` and prod `frontend`. | The dry-run contract exists, but live apply still depends on artifact and verification readiness. | Use dev -> focused smoke -> prod only after the desired artifact exists and the preflight channel is healthy. |
| Artifact-registry probe | Remote frontend Host SSH probing is no longer blocked by command length. Registry runtime API is reachable and frontend publish dry-run can report ready, while `artifact-registry health` still reports service drift in rendered config / registry image scopes. | Runtime artifact reads are usable for contract evidence; registry service drift remains an infra hygiene item and should not be confused with a frontend publish blocker. | Repair registry rendered-config/image drift separately before treating registry health as fully clean. |
| Dev service catalog | `decision-center-dev` exists in k3s, while `mdtodo-dev` and `claudeqq-dev` do not. The adapter public catalog did not expose the dev aliases during this pass. | Dev promotion cannot be claimed for `mdtodo` or `claudeqq`; `decision-center-dev` is reachable through direct k3s service proxy only. | Publish artifacts first, then create/verify dev consumers and register dev aliases where intended. |
| Frontend closure contract | `bun scripts/frontend-artifact-lane-contract-test.ts` is the standard lightweight contract for the frontend artifact sample. | Frontend lane evidence is now repeatable without live deploy, publish, service restart, or Playwright. | Keep the contract green whenever frontend deploy.json, health metadata, artifact digest, producer preflight, or CD dry-run shape changes. |
## Service Matrix
@@ -21,11 +22,13 @@ This matrix closes the current review pass for the `decision-center`, `mdtodo`,
| `mdtodo` | `127.0.0.1:5000/unidesk/mdtodo:75fb6757b2504ba86d61f2587fb34a9c9ed4019a`; registry HEAD returned 404, so no digest was available. | k3s-managed artifact consumer on D601. CI producer is UniDesk source-build from `src/components/microservices/mdtodo/Dockerfile`. | `unidesk-dev/mdtodo-dev` does not exist. | `unidesk/mdtodo` is ready 1/1. Deployment annotations record deploy and requested commit `75fb6757b2504ba86d61f2587fb34a9c9ed4019a`; health returned `ok=true`, and `/live` returned 200. Health does not expose deploy metadata. | Partial. Prod is healthy and annotated with the desired commit, but the desired registry artifact is absent and dev is absent. | Publish the desired artifact, add deploy metadata to health or keep strict label/annotation verification, then run dev -> focused smoke -> prod if prod replacement is still needed. |
| `claudeqq` | `127.0.0.1:5000/unidesk/claudeqq:203b1f46684c91340ecbbd8a74502bd55e4f2011`; registry HEAD returned 404, so no digest was available. | k3s-managed artifact consumer on D601. CI producer uses the external Gitee source plus UniDesk adapter/overlay. | `unidesk-dev/claudeqq-dev` does not exist. | `unidesk/claudeqq` is ready 1/1. Deployment annotations and `/health` report commit/requested commit `203b1f46684c91340ecbbd8a74502bd55e4f2011`; health also reports NapCat `logged_in`. Focused API probes for `/api/events/recent` and `/api/events/subscriptions` returned 404. | Partial. Prod commit alignment and health are good, but the desired registry artifact is absent, dev is absent and the expected event API surface is not verified. | Publish the desired artifact, create/verify dev, and either fix or document the current event API paths before any prod artifact replacement. |
| `todo-note` | `127.0.0.1:5000/unidesk/todo-note:a14ce0eb855a685fa17b47adacd54623e72cd2ff`; registry HEAD returned 404, so no digest was available. | Main-server Compose artifact consumer. CI producer uses the external Gitee source. CD plan is pull-only and no-build for Compose service `todo-note`, container `todo-note-backend`. | The dev/prod consumer plans resolve, but no live dev apply was attempted because the desired artifact is absent. | Runtime health returned 200 with PostgreSQL storage and running reminders. Private proxy `/api/instances` returned 200. The running container image is `unidesk-todo-note`; runtime labels do not expose `unidesk.ai/source-commit`, and health does not expose deploy metadata. | Not yet. Runtime behavior is healthy, but image digest/commit proof is missing and the desired registry artifact is absent. | Publish the desired artifact, then use the Compose artifact consumer to recreate only `todo-note` with no build/no deps and verify image labels plus health deploy metadata. |
| `frontend` | `127.0.0.1:5000/unidesk/frontend:b5486a61ab0aa6c227366a95d1afa68281584359`, registry v2 manifest digest `sha256:76d7c47e797605470959ca2274f116149bdc367e6fa155913d19f42516e5b9e4`. | CI producer is `ci publish-user-service` from `src/components/frontend/Dockerfile`. Dev CD is D601 native k3s `frontend-dev`; prod CD is master-server Compose `frontend` / `unidesk-frontend`; both are pull-only artifact consumers. | Public dev `http://74.48.78.17:18083/health` reports `ok=true`, `environment=dev`, `namespace=unidesk-dev`, and deploy commit/requestedCommit `b5486a61ab0aa6c227366a95d1afa68281584359`. | Public prod `http://74.48.78.17:18081/health` reports `ok=true` and deploy commit/requestedCommit `b5486a61ab0aa6c227366a95d1afa68281584359`. Remote `ci publish-user-service --service frontend --commit b5486... --dry-run` reports `runnerDisposition=ready`, all control channels ready, and no missing control channels. | Complete for CI/CD contract. Dev/prod desired and live commit match the artifact; CD dry-runs are non-mutating and no-build. | Remaining UI route acceptance is a manual product/UI gate and is independent of CI/CD artifact correctness. |
## Execution Decision
No live deployment was executed in this pass.
No live deployment or publish was executed in this pass.
- `decision-center` has an available desired artifact, but both dev and prod are currently healthy on `b5486a61...`; the task scope asked for review and gap recording unless a repair is clearly safe. The standard remote registry preflight path is currently infra-blocked, so this pass records drift instead of changing prod/dev.
- `mdtodo`, `claudeqq` and `todo-note` do not have the desired registry artifact tags, so live apply would not satisfy the artifact-consumer contract.
- `frontend` is the first batch sample that can be marked complete for the CI/CD artifact lane: desired commit, registry artifact digest, dev/prod health metadata, publish dry-run readiness and dev/prod CD no-build dry-runs are aligned.
- Focused smoke stayed limited to health, deployment metadata, registry HEAD/tag checks and small private proxy API calls.
+8
View File
@@ -268,6 +268,14 @@ This matrix describes the next promotion stage after dry-run coverage is in plac
| `k3sctl-adapter` | `master` | source-build supported | plan/dry-run only | no normal dev target; only control-bridge health and recovery evidence | prod live apply requires supervisor confirmation | bridge recovery, k3s fault-domain isolation, no worker self-replacement | `GPT-5.5` |
| `filebrowser` / `filebrowser-d601` | `master` | upstream-image blocked | pull-only mirror target | digest resolution, mirror governance and private proxy health only | not in this phase | upstream digest/mirror worker not yet implemented | `DeepSeek` for evidence summarization, `GPT-5.5` for blocker resolution |
Frontend lane closure evidence is intentionally lightweight and non-mutating:
```bash
bun scripts/frontend-artifact-lane-contract-test.ts
```
The contract fixes the current sample around one artifact lane: `deploy.json` dev/prod both request the same frontend commit, `CI.json` keeps the producer as `ci publish-user-service`, the D601 registry manifest digest is recorded, dev and prod health expose matching `deploy.commit` / `deploy.requestedCommit`, `ci publish-user-service --dry-run` is ready, and both CD dry-runs are artifact consumers with no source build.
Planned parallelism for the next wave should be three lanes:
1. Lane A: `frontend`, `baidu-netdisk`, `project-manager`, `oa-event-flow`.
+1
View File
@@ -65,6 +65,7 @@ Frontend is the canonical user-service UI sample. It is not released by target-s
- The minimal standard artifact command is `bun scripts/cli.ts ci publish-user-service --service frontend --commit <full-sha> --wait-ms 1200000`.
- The expected artifact is `127.0.0.1:5000/unidesk/frontend:<commit>` plus its registry digest from the CI output.
- The lightweight closure contract is `bun scripts/frontend-artifact-lane-contract-test.ts`. It checks `deploy.json` dev/prod desired commits, the `CI.json` producer entry, the observed registry digest, dev/prod `/health.deploy.commit` and `deploy.requestedCommit`, producer dry-run readiness, and dev/prod CD dry-run no-build targets.
- Dev CD consumes the same artifact with `bun scripts/cli.ts deploy apply --env dev --service frontend`; it imports the image into D601 native k3s, rolls out `frontend-dev`, syncs auth/session metadata from main-server config, and verifies `/health.deploy.commit`.
- Production CD consumes the same artifact with `bun scripts/cli.ts deploy apply --env prod --service frontend`; it recreates only the master-server Compose `frontend` service with `--no-build --no-deps --force-recreate` and verifies image labels plus `/health.deploy.commit`.
- `server rebuild frontend` remains a maintenance/local rebuild path only. It is not the standard versioned release truth for frontend.
@@ -0,0 +1,304 @@
import { readFileSync } from "node:fs";
import { rootPath } from "./src/config";
import { runArtifactRegistryCommand } from "./src/artifact-registry";
type JsonRecord = Record<string, unknown>;
const frontendCommit = "b5486a61ab0aa6c227366a95d1afa68281584359";
const frontendDigest = "sha256:76d7c47e797605470959ca2274f116149bdc367e6fa155913d19f42516e5b9e4";
const frontendRepo = "https://github.com/pikasTech/unidesk";
const frontendDockerfile = "src/components/frontend/Dockerfile";
const frontendRegistryRepository = "unidesk/frontend";
const frontendImageRef = `127.0.0.1:5000/${frontendRegistryRepository}:${frontendCommit}`;
const observedEvidence = {
registry: {
imageRef: frontendImageRef,
contentType: "application/vnd.docker.distribution.manifest.v2+json",
digest: frontendDigest,
},
health: {
dev: {
ok: true,
service: "unidesk-frontend",
deploy: {
serviceId: "frontend",
repo: frontendRepo,
commit: frontendCommit,
requestedCommit: frontendCommit,
},
environment: "dev",
namespace: "unidesk-dev",
databaseName: "unidesk_dev",
serviceId: "frontend",
deployRef: "origin/master:deploy.json#environments.dev.services.frontend",
},
prod: {
ok: true,
service: "unidesk-frontend",
deploy: {
serviceId: "frontend",
repo: frontendRepo,
commit: frontendCommit,
requestedCommit: frontendCommit,
},
},
},
publishDryRun: {
ok: true,
mode: "dry-run-preflight",
runnerDisposition: "ready",
supportedArtifactPublish: true,
serviceId: "frontend",
commit: frontendCommit,
missingControlChannels: [],
controlChannels: [
{ channel: "backend-core", ok: true },
{ channel: "database", ok: true },
{ channel: "provider", ok: true },
{ channel: "registry", ok: true },
],
registry: {
runtimeApiHealthy: true,
decision: "service-degraded",
failedScopes: ["rendered-config", "registry-image"],
healthyScopes: ["systemd", "docker", "registry-container", "loopback-listener", "registry-api", "storage"],
},
artifactSummary: {
serviceId: "frontend",
sourceCommit: frontendCommit,
sourceRepo: frontendRepo,
dockerfile: frontendDockerfile,
registry: "127.0.0.1:5000",
repository: "127.0.0.1:5000/unidesk/frontend",
tag: frontendCommit,
imageRef: frontendImageRef,
digest: null,
digestRef: null,
},
controlledPublish: {
environment: "D601",
namespace: "unidesk-ci",
pipeline: "unidesk-user-service-artifact-publish",
command: `bun scripts/cli.ts ci publish-user-service --service frontend --commit ${frontendCommit} --wait-ms 1200000`,
requiresReadyControlChannels: ["backend-core", "database", "provider", "registry"],
},
boundary: "preflight is read-only: no D601 source export, no Tekton PipelineRun, no image push, no deploy apply, no service restart",
},
} satisfies JsonRecord;
function assertCondition(condition: unknown, message: string, detail: unknown = {}): void {
if (!condition) throw new Error(`${message}: ${JSON.stringify(detail)}`);
}
function asRecord(value: unknown, label: string): JsonRecord {
assertCondition(typeof value === "object" && value !== null && !Array.isArray(value), `${label} must be an object`, { value });
return value as JsonRecord;
}
function asArray(value: unknown, label: string): unknown[] {
assertCondition(Array.isArray(value), `${label} must be an array`, { value });
return value as unknown[];
}
function stringArray(value: unknown, label: string): string[] {
return asArray(value, label).map(String);
}
function manifestService(manifest: JsonRecord, environment: "dev" | "prod", serviceId: string): JsonRecord {
const environments = asRecord(manifest.environments, "deploy.json.environments");
const env = asRecord(environments[environment], `deploy.json.environments.${environment}`);
const services = asArray(env.services, `deploy.json.environments.${environment}.services`);
const service = services.map((item, index) => asRecord(item, `${environment}.services[${index}]`)).find((item) => item.id === serviceId);
assertCondition(service !== undefined, `deploy.json ${environment} must include ${serviceId}`, env);
return service as JsonRecord;
}
function assertDeployJson(): void {
const manifest = asRecord(JSON.parse(readFileSync(rootPath("deploy.json"), "utf8")) as unknown, "deploy.json");
assertCondition(manifest.schemaVersion === 2, "deploy.json must use schemaVersion=2", manifest);
for (const environment of ["dev", "prod"] as const) {
const service = manifestService(manifest, environment, "frontend");
assertCondition(service.repo === frontendRepo, `${environment} frontend repo must stay on UniDesk`, service);
assertCondition(service.commitId === frontendCommit, `${environment} frontend desired commit must match the reviewed artifact`, service);
}
}
function assertCiCatalog(): void {
const catalog = asRecord(JSON.parse(readFileSync(rootPath("CI.json"), "utf8")) as unknown, "CI.json");
const artifacts = asArray(catalog.artifacts, "CI.json.artifacts").map((item, index) => asRecord(item, `CI.json.artifacts[${index}]`));
const frontend = artifacts.find((item) => item.serviceId === "frontend");
assertCondition(frontend !== undefined, "CI.json must include frontend", catalog);
const artifact = frontend as JsonRecord;
const source = asRecord(artifact.source, "CI.json frontend.source");
const image = asRecord(artifact.image, "CI.json frontend.image");
assertCondition(artifact.kind === "source-build", "frontend CI producer must be source-build", artifact);
assertCondition(artifact.status === "supported", "frontend CI producer must be supported", artifact);
assertCondition(artifact.producer === "ci publish-user-service", "frontend CI producer must use publish-user-service", artifact);
assertCondition(source.repo === frontendRepo, "frontend source repo mismatch", source);
assertCondition(source.dockerfile === frontendDockerfile, "frontend Dockerfile mismatch", source);
assertCondition(image.repository === frontendRegistryRepository, "frontend registry repository mismatch", image);
}
function assertObservedHealth(environment: "dev" | "prod"): void {
const health = asRecord(asRecord(observedEvidence.health, "health evidence")[environment], `${environment} health`);
const deploy = asRecord(health.deploy, `${environment} health.deploy`);
assertCondition(health.ok === true, `${environment} health must be ok`, health);
assertCondition(health.service === "unidesk-frontend", `${environment} health service mismatch`, health);
assertCondition(deploy.serviceId === "frontend", `${environment} health deploy service id mismatch`, deploy);
assertCondition(deploy.repo === frontendRepo, `${environment} health deploy repo mismatch`, deploy);
assertCondition(deploy.commit === frontendCommit, `${environment} health deploy commit mismatch`, deploy);
assertCondition(deploy.requestedCommit === frontendCommit, `${environment} health requested commit mismatch`, deploy);
if (environment === "dev") {
assertCondition(health.environment === "dev", "dev health must expose dev environment", health);
assertCondition(health.namespace === "unidesk-dev", "dev health must expose unidesk-dev namespace", health);
assertCondition(health.deployRef === "origin/master:deploy.json#environments.dev.services.frontend", "dev health deployRef mismatch", health);
}
}
function assertRegistryDigest(): void {
const registry = asRecord(observedEvidence.registry, "registry evidence");
assertCondition(registry.imageRef === frontendImageRef, "registry image ref mismatch", registry);
assertCondition(registry.contentType === "application/vnd.docker.distribution.manifest.v2+json", "registry digest must come from the v2 manifest", registry);
assertCondition(registry.digest === frontendDigest, "registry digest mismatch", registry);
assertCondition(/^sha256:[0-9a-f]{64}$/u.test(String(registry.digest)), "registry digest must be a sha256 manifest digest", registry);
}
function assertPublishDryRunReady(): void {
const preflight = asRecord(observedEvidence.publishDryRun, "publish dry-run evidence");
const missingControlChannels = stringArray(preflight.missingControlChannels, "publish missingControlChannels");
const artifactSummary = asRecord(preflight.artifactSummary, "publish artifactSummary");
const controlledPublish = asRecord(preflight.controlledPublish, "publish controlledPublish");
const registry = asRecord(preflight.registry, "publish registry");
const controlChannels = asArray(preflight.controlChannels, "publish controlChannels").map((item, index) => asRecord(item, `publish controlChannels[${index}]`));
assertCondition(preflight.ok === true, "frontend publish dry-run must be ready", preflight);
assertCondition(preflight.mode === "dry-run-preflight", "frontend publish dry-run mode mismatch", preflight);
assertCondition(preflight.runnerDisposition === "ready", "frontend publish dry-run runnerDisposition mismatch", preflight);
assertCondition(preflight.supportedArtifactPublish === true, "frontend publish must be supported", preflight);
assertCondition(missingControlChannels.length === 0, "frontend publish dry-run must not miss control channels", preflight);
for (const channel of ["backend-core", "database", "provider", "registry"]) {
assertCondition(controlChannels.some((item) => item.channel === channel && item.ok === true), `publish dry-run ${channel} channel must be ready`, controlChannels);
}
assertCondition(registry.runtimeApiHealthy === true, "registry runtime API must be healthy for publish readiness", registry);
assertCondition(stringArray(registry.healthyScopes, "publish registry.healthyScopes").includes("registry-api"), "registry-api scope must be healthy", registry);
assertCondition(artifactSummary.imageRef === frontendImageRef, "publish artifact image must be commit-pinned", artifactSummary);
assertCondition(artifactSummary.digest === null && artifactSummary.digestRef === null, "publish dry-run must not fake a digest", artifactSummary);
assertCondition(controlledPublish.environment === "D601", "controlled publish environment mismatch", controlledPublish);
assertCondition(controlledPublish.namespace === "unidesk-ci", "controlled publish namespace mismatch", controlledPublish);
assertCondition(controlledPublish.pipeline === "unidesk-user-service-artifact-publish", "controlled publish pipeline mismatch", controlledPublish);
assertCondition(stringArray(controlledPublish.requiresReadyControlChannels, "controlled publish channels").join(",") === "backend-core,database,provider,registry", "controlled publish required channel order mismatch", controlledPublish);
assertCondition(String(preflight.boundary).includes("read-only"), "publish dry-run boundary must be read-only", preflight);
assertCondition(!String(preflight.boundary).includes("service restart") || String(preflight.boundary).includes("no service restart"), "publish dry-run boundary must forbid restarts", preflight);
}
function assertNoRuntimeBuild(plan: JsonRecord, environment: "dev" | "prod"): void {
const build = asRecord(plan.build, `${environment} build`);
const registry = asRecord(plan.registry, `${environment} registry`);
const source = asRecord(plan.source, `${environment} source`);
const target = asRecord(plan.target, `${environment} target`);
const validation = stringArray(plan.validation, `${environment} validation`);
const labels = asRecord(plan.requiredLabels, `${environment} labels`);
const registryProbe = asRecord(plan.registryProbe, `${environment} registryProbe`);
assertCondition(plan.ok === true && plan.supported === true, `${environment} frontend dry-run must be supported`, plan);
assertCondition(plan.dryRun === true && plan.mutation === false, `${environment} frontend dry-run must be non-mutating`, plan);
assertCondition(plan.environment === environment, `${environment} dry-run environment mismatch`, plan);
assertCondition(plan.providerId === "D601", `${environment} dry-run provider mismatch`, plan);
assertCondition(plan.serviceId === "frontend", `${environment} dry-run service id mismatch`, plan);
assertCondition(plan.commit === frontendCommit, `${environment} dry-run commit mismatch`, plan);
assertCondition(plan.sourceImage === frontendImageRef, `${environment} dry-run source image mismatch`, plan);
assertCondition(source.repo === frontendRepo && source.commit === frontendCommit && source.dockerfile === frontendDockerfile, `${environment} source boundary mismatch`, source);
assertCondition(registry.imageRef === frontendImageRef, `${environment} registry image ref mismatch`, registry);
assertCondition(registry.digest === null, `${environment} dry-run must not fake registry digest`, registry);
assertCondition(String(registry.digestSource ?? "").includes("live apply must read this digest"), `${environment} digest source must name live registry HEAD`, registry);
assertCondition(registryProbe.method === "HEAD", `${environment} registry probe must be HEAD-only`, registryProbe);
assertCondition(labels["unidesk.ai/service-id"] === "frontend", `${environment} service label mismatch`, labels);
assertCondition(labels["unidesk.ai/source-commit"] === frontendCommit, `${environment} source commit label mismatch`, labels);
assertCondition(labels["unidesk.ai/dockerfile"] === frontendDockerfile, `${environment} Dockerfile label mismatch`, labels);
assertCondition(build.willCompile === false, `${environment} CD must not compile`, build);
assertCondition(build.willRunCargoBuild === false, `${environment} CD must not run cargo build`, build);
assertCondition(build.willRunDockerBuild === false, `${environment} CD must not run docker build`, build);
assertCondition(build.willRunDockerComposeBuild === false, `${environment} CD must not run docker compose build`, build);
assertCondition(build.producerBoundary === "ci publish-user-service", `${environment} producer boundary mismatch`, build);
assertCondition(String(plan.boundary ?? "").includes("artifact-consumer only"), `${environment} boundary must say artifact-consumer only`, plan);
assertCondition(String(plan.boundary ?? "").includes("never builds source"), `${environment} boundary must forbid runtime source builds`, plan);
if (environment === "dev") {
assertCondition(target.kind === "d601-k3s", "dev frontend target must be D601 k3s", target);
assertCondition(target.namespace === "unidesk-dev", "dev frontend namespace mismatch", target);
assertCondition(target.deployment === "frontend-dev", "dev frontend deployment mismatch", target);
assertCondition(target.service === "frontend-dev", "dev frontend service mismatch", target);
assertCondition(target.runtimeImage === `unidesk-frontend:${frontendCommit}`, "dev frontend runtime image mismatch", target);
assertCondition(validation.some((line) => line.includes("Kubernetes API service proxy")), "dev validation must use Kubernetes API service proxy", validation);
} else {
assertCondition(target.kind === "compose", "prod frontend target must be Compose", target);
assertCondition(target.runtimeHost === "main-server", "prod frontend runtime host mismatch", target);
assertCondition(target.composeService === "frontend", "prod frontend Compose service mismatch", target);
assertCondition(target.containerName === "unidesk-frontend", "prod frontend container mismatch", target);
assertCondition(target.deployCommandShape === "docker compose up -d --no-build --no-deps --force-recreate frontend", "prod frontend deploy command shape mismatch", target);
assertCondition(validation.some((line) => line.includes("deploy.commit/deploy.requestedCommit")), "prod validation must require health commit metadata", validation);
}
}
async function main(): Promise<void> {
assertDeployJson();
assertCiCatalog();
assertRegistryDigest();
assertObservedHealth("dev");
assertObservedHealth("prod");
assertPublishDryRunReady();
const devDryRun = asRecord(await runArtifactRegistryCommand([
"deploy-service",
"--env",
"dev",
"--service",
"frontend",
"--commit",
frontendCommit,
"--dry-run",
]), "dev artifact dry-run");
const prodDryRun = asRecord(await runArtifactRegistryCommand([
"deploy-service",
"--env",
"prod",
"--service",
"frontend",
"--commit",
frontendCommit,
"--dry-run",
]), "prod artifact dry-run");
assertNoRuntimeBuild(devDryRun, "dev");
assertNoRuntimeBuild(prodDryRun, "prod");
process.stdout.write(`${JSON.stringify({
ok: true,
checks: [
"deploy.json dev/prod desired frontend commit matches the reviewed artifact",
"CI.json frontend producer remains ci publish-user-service source-build",
"registry v2 manifest digest is pinned as contract evidence",
"dev and prod health report matching deploy.commit/requestedCommit",
"publish-user-service dry-run is ready and read-only",
"dev CD dry-run is D601 k3s artifact-only and non-mutating",
"prod CD dry-run is main-server Compose artifact-only and non-mutating",
],
frontend: {
commit: frontendCommit,
artifact: frontendImageRef,
digest: frontendDigest,
devHealthCommit: frontendCommit,
prodHealthCommit: frontendCommit,
uiAcceptanceIndependentOfCiCd: true,
},
dryRunTargets: {
dev: asRecord(devDryRun.target, "dev target"),
prod: asRecord(prodDryRun.target, "prod target"),
},
}, null, 2)}\n`);
}
if (import.meta.main) {
await main();
}