import { spawnSync } from "node:child_process"; import { writeFileSync, unlinkSync } from "node:fs"; import { join } from "node:path"; import { tmpdir } from "node:os"; import { codexSteerTaskForTest, codexSteerTraceConfirmForTest } from "./src/code-queue"; type JsonRecord = Record; function assertCondition(condition: unknown, message: string, detail: JsonRecord = {}): void { if (!condition) throw new Error(`${message}: ${JSON.stringify(detail)}`); } function runCli(args: string[], stdin?: string): { status: number | null; stdout: string; stderr: string; json: JsonRecord | null } { const result = spawnSync("bun", ["scripts/cli.ts", ...args], { cwd: process.cwd(), input: stdin, encoding: "utf8", }); const stdout = String(result.stdout || ""); let json: JsonRecord | null = null; try { json = JSON.parse(stdout) as JsonRecord; } catch { json = null; } return { status: result.status, stdout, stderr: String(result.stderr || ""), json, }; } function nestedRecord(value: unknown, path: string[]): JsonRecord { let current: unknown = value; for (const key of path) { assertCondition(current !== null && typeof current === "object" && !Array.isArray(current), "expected object while traversing JSON", { path, key, current }); current = (current as JsonRecord)[key]; } assertCondition(current !== null && typeof current === "object" && !Array.isArray(current), "expected nested object", { path, current }); return current as JsonRecord; } function stringArray(value: unknown): string[] { return Array.isArray(value) ? value.map((item) => String(item)) : []; } function deterministicSteerId(taskId: string, prompt: string): string { return `steer_${Bun.SHA256.hash(`unidesk-code-queue-steer:v1\0${taskId}\0${prompt}`, "hex").slice(0, 24)}`; } function assertDryRunPrompt(response: JsonRecord, expectedText: string): void { assertCondition(response.ok === true, "CLI dry-run should succeed", response); const data = nestedRecord(response.data, []); assertCondition(data.dryRun === true, "dry-run response should expose dryRun=true", data); const request = nestedRecord(response.data, ["request"]); assertCondition(request.method === "POST", "dry-run should expose request method", request); assertCondition(request.path === "/api/tasks/codex_test_task/steer", "dry-run should expose request path", request); assertCondition(request.stableProxyPath === "/api/microservices/code-queue/proxy/api/tasks/codex_test_task/steer", "dry-run should expose stable proxy path", request); const prompt = nestedRecord(response.data, ["request", "body", "prompt"]); assertCondition(prompt.text === expectedText, "dry-run prompt text mismatch", prompt); assertCondition(prompt.chars === expectedText.length, "dry-run prompt char count mismatch", prompt); assertCondition(prompt.truncated === false, "dry-run prompt must not truncate", prompt); assertCondition(String(request.steerId || "").startsWith("steer_"), "dry-run should expose deterministic steerId", request); const bodySummary = nestedRecord(response.data, ["request", "bodySummary"]); assertCondition(bodySummary.promptChars === expectedText.length, "dry-run should expose body prompt char count", bodySummary); assertCondition(bodySummary.steerId === request.steerId, "dry-run body summary should repeat steerId", { bodySummary, request }); const commands = nestedRecord(response.data, ["commands"]); assertCondition(String(commands.rawProxy || "").includes("microservice proxy code-queue /api/tasks/codex_test_task/steer --method POST"), "dry-run should expose raw proxy equivalent", commands); assertCondition(String(commands.traceConfirm || "").includes(`--steer-id ${String(request.steerId)}`), "dry-run should expose trace confirmation command", commands); } function assertReason(result: unknown, reason: string, status: number | null): void { const data = nestedRecord({ data: result }, ["data"]); assertCondition(data.ok === false, "classified steer failure should be ok=false", data); const diagnostics = nestedRecord(data, ["diagnostics"]); assertCondition(diagnostics.reason === reason, "unexpected steer failure reason", diagnostics); assertCondition(diagnostics.status === status, "unexpected steer failure status", diagnostics); assertCondition(typeof diagnostics.retryable === "boolean", "diagnostics should expose retryable boolean", diagnostics); assertCondition(Array.isArray(diagnostics.recommendedCrossChecks), "diagnostics should expose cross-check commands", diagnostics); } export function runCodeQueueCliSteerContract(): JsonRecord { const positional = runCli(["codex", "steer", "codex_test_task", "correct the running task", "--dry-run"]); assertDryRunPrompt(positional.json ?? {}, "correct the running task"); assertCondition(String(positional.json?.command || "").includes(""), "outer command should redact positional steer prompt", positional.json ?? {}); assertCondition(!String(positional.json?.command || "").includes("correct the running task"), "outer command must not echo positional steer prompt", positional.json ?? {}); const stdin = runCli(["codex", "steer", "codex_test_task", "--prompt-stdin", "--dry-run"], "stdin steer prompt\n"); assertDryRunPrompt(stdin.json ?? {}, "stdin steer prompt\n"); const promptFile = join(tmpdir(), `unidesk-code-queue-steer-${process.pid}.txt`); writeFileSync(promptFile, "file steer prompt", "utf8"); try { const fromFile = runCli(["codex", "steer", "codex_test_task", "--prompt-file", promptFile, "--dry-run"]); assertDryRunPrompt(fromFile.json ?? {}, "file steer prompt"); } finally { unlinkSync(promptFile); } const duplicateSource = runCli(["codex", "steer", "codex_test_task", "positional", "--prompt-stdin", "--dry-run"], "stdin\n"); assertCondition(duplicateSource.status !== 0, "duplicate prompt source should fail", duplicateSource.json ?? { stdout: duplicateSource.stdout }); const duplicateMessage = String(nestedRecord(duplicateSource.json, ["error"]).message || ""); assertCondition(duplicateMessage.includes("exactly one prompt source"), "duplicate prompt source error should be explicit", { duplicateMessage }); const unknownOption = runCli(["codex", "steer", "codex_test_task", "--queue", "default", "prompt", "--dry-run"]); assertCondition(unknownOption.status !== 0, "unknown steer option should fail", unknownOption.json ?? { stdout: unknownOption.stdout }); const unknownMessage = String(nestedRecord(unknownOption.json, ["error"]).message || ""); assertCondition(unknownMessage.includes("unsupported codex steer option: --queue"), "unknown option error should name option", { unknownMessage }); const help = runCli(["codex", "help"]); assertCondition(help.status === 0 && help.json?.ok === true, "codex help should succeed", help.json ?? { stdout: help.stdout }); const usage = stringArray(nestedRecord(help.json?.data, []).usage); assertCondition(usage.some((line) => line.includes("codex steer ")), "codex help should list steer", { usage }); const advertisedConfirm = runCli(["codex", "steer-confirm", "codex_test_task", "--steer-id", "steer_direct_12345"]); assertCondition(advertisedConfirm.json !== null, "advertised steer-confirm command should return JSON", { stdout: advertisedConfirm.stdout, stderr: advertisedConfirm.stderr }); assertCondition(!("error" in (advertisedConfirm.json ?? {})), "advertised steer-confirm command must not fall through to top-level error", advertisedConfirm.json ?? {}); const advertisedDeliveryStatus = String(nestedRecord(advertisedConfirm.json?.data, ["delivery"]).status || ""); assertCondition(["confirmed", "pending", "unknown", "not-supported"].includes(advertisedDeliveryStatus), "advertised steer-confirm command should return structured delivery status", { advertisedDeliveryStatus, json: advertisedConfirm.json }); assertCondition(!String(JSON.stringify(advertisedConfirm.json)).includes("\"message\":\"not found\""), "advertised steer-confirm command must not return top-level not found", advertisedConfirm.json ?? {}); let dryRunFetchCount = 0; const dryRunDirect = codexSteerTaskForTest("direct_task", ["do not send", "--dry-run"], () => { dryRunFetchCount += 1; return { ok: true, status: 200, body: { ok: true } }; }); assertCondition(dryRunFetchCount === 0, "dry-run must not call stable proxy helper", { dryRunFetchCount, dryRunDirect }); const longPrompt = `${"x".repeat(480)}-tail-secret-marker`; const longDryRun = codexSteerTaskForTest("direct_task", [longPrompt, "--dry-run"], () => { throw new Error("dry-run should not fetch"); }) as JsonRecord; const longPreview = nestedRecord(longDryRun, ["request", "body", "prompt"]); assertCondition(longPreview.truncated === true, "long dry-run prompt should be truncated", longPreview); assertCondition(!String(longPreview.text || "").includes("tail-secret-marker"), "long dry-run must not leak prompt tail", longPreview); let fetchPath = ""; let fetchMethod = ""; let fetchPrompt = ""; let fetchSteerId = ""; const success = codexSteerTaskForTest("direct_task", ["send this"], (path, init) => { fetchPath = path; fetchMethod = String(init?.method || ""); fetchPrompt = String((init?.body as JsonRecord | undefined)?.prompt || ""); fetchSteerId = String((init?.body as JsonRecord | undefined)?.steerId || ""); return { ok: true, status: 200, body: { ok: true, accepted: true, deliveryState: "accepted", steerId: fetchSteerId, traceConfirmation: { taskId: "direct_task", steerId: fetchSteerId, found: true, accepted: true, deliveryState: "accepted", matchCount: 1, trace: { seq: 5, at: "2026-05-23T00:00:00.000Z", method: "turn/steer", steerId: fetchSteerId, promptChars: 9, promptHash: "hash", promptOmitted: true, source: "promptHistory" }, duplicateSuppressionKey: fetchSteerId, }, task: { id: "direct_task", status: "running", prompt: "p" }, queue: { activeTaskIds: ["direct_task"] }, }, }; }) as JsonRecord; assertCondition(fetchPath === "/api/microservices/code-queue/proxy/api/tasks/direct_task/steer", "non-dry-run should use stable proxy path", { fetchPath }); assertCondition(fetchMethod === "POST", "non-dry-run should POST", { fetchMethod }); assertCondition(fetchPrompt === "send this", "non-dry-run should send raw prompt in body", { fetchPrompt }); assertCondition(fetchSteerId === deterministicSteerId("direct_task", "send this"), "non-dry-run should send deterministic steerId", { fetchSteerId }); assertCondition(nestedRecord(success, ["steer"]).accepted === true, "successful steer should report accepted=true", success); assertCondition(nestedRecord(success, ["steer"]).steerId === fetchSteerId, "successful steer should report steerId", success); assertCondition(nestedRecord(success, ["steer"]).deliveryState === "accepted", "successful steer should report delivery state", success); assertCondition(nestedRecord(success, ["traceConfirmation"]).accepted === true, "successful steer should expose bounded trace confirmation", success); assertCondition(String(nestedRecord(success, ["commands"]).traceConfirm || "").includes(`--steer-id ${fetchSteerId}`), "successful steer should expose trace confirmation command", success); const successJson = JSON.stringify(success); assertCondition(nestedRecord(success, ["steer"]).promptOmitted === true, "successful steer should mark prompt omitted", success); assertCondition(!successJson.includes("send this"), "successful steer must not echo prompt text", success); assertCondition(!successJson.includes("promptPreview"), "successful steer must not include promptPreview", success); assertReason(codexSteerTaskForTest("direct_task", ["p", "--no-retry"], () => ({ ok: false, exitCode: 1, stderrTail: "Cannot connect to the Docker daemon" })), "backend-core-unreachable", null); assertReason(codexSteerTaskForTest("direct_task", ["p", "--no-retry"], () => ({ ok: false, status: 404, body: { ok: false, error: "microservice not found: code-queue" } })), "code-queue-microservice-unregistered", 404); assertReason(codexSteerTaskForTest("direct_task", ["p", "--no-retry"], () => ({ ok: false, status: 401, body: { ok: false, error: "unauthorized" } })), "proxy-unauthorized", 401); assertReason(codexSteerTaskForTest("direct_task", ["p", "--no-retry"], () => ({ ok: false, status: 404, body: { ok: false, error: "proxy route not found", path: "/api/microservices/code-queue/proxy/api/tasks/direct_task/steer" } })), "proxy-404", 404); assertReason(codexSteerTaskForTest("direct_task", ["p", "--no-retry"], () => ({ ok: false, status: 404, body: { ok: false, error: "task not found" } })), "steer-endpoint-404", 404); assertReason(codexSteerTaskForTest("direct_task", ["p", "--no-retry"], () => ({ ok: false, status: 409, body: { ok: false, error: "task does not have an active steerable turn" } })), "upstream-runtime-rejected", 409); assertReason(codexSteerTaskForTest("direct_task", ["p", "--no-retry"], () => ({ ok: false, status: 504, body: { ok: false, error: "provider HTTP tunnel timed out or disconnected", stage: "http-tunnel-wait" } })), "stable-proxy-failed", 504); const abortedTunnelBody = { ok: false, error: "provider HTTP tunnel failed", stage: "provider-gateway-http-fetch", providerId: "D601", serviceId: "code-queue", providerError: "The operation was aborted", retryable: false, attempts: [{ attempt: 1, ok: false, durationMs: 30003, timeoutMs: 30000, result: { ok: false, error: "The operation was aborted" } }], }; let retryCalls = 0; const retrySteerIds: string[] = []; const retryThenSuccess = codexSteerTaskForTest("direct_task", ["transient correction", "--retry-delay-ms", "0"], (_path, init) => { retryCalls += 1; retrySteerIds.push(String((init?.body as JsonRecord | undefined)?.steerId || "")); if (retryCalls === 1) return { ok: false, status: 502, body: abortedTunnelBody }; return { ok: true, status: 200, body: { ok: true, accepted: true, deliveryState: "accepted", steerId: retrySteerIds[0], traceConfirmation: { taskId: "direct_task", steerId: retrySteerIds[0], found: true, accepted: true, deliveryState: "accepted", matchCount: 1, trace: { seq: 6, at: "2026-05-23T00:00:02.000Z", method: "turn/steer", steerId: retrySteerIds[0], promptChars: 20, promptHash: "hash2", promptOmitted: true, source: "output" }, duplicateSuppressionKey: retrySteerIds[0], }, task: { id: "direct_task", status: "running", prompt: "hidden" }, queue: { activeTaskIds: ["direct_task"] }, }, }; }) as JsonRecord; assertCondition(retryCalls === 2, "retryable 502 tunnel abort should be retried once by default", { retryCalls, retryThenSuccess }); assertCondition(retrySteerIds.length === 2 && retrySteerIds[0] === retrySteerIds[1] && retrySteerIds[0] === deterministicSteerId("direct_task", "transient correction"), "retry should reuse a single steerId", { retrySteerIds }); assertCondition(nestedRecord(retryThenSuccess, ["steer"]).accepted === true, "retry success should accept steer", retryThenSuccess); assertCondition(nestedRecord(retryThenSuccess, ["steer"]).steerId === retrySteerIds[0], "retry success should report reused steerId", retryThenSuccess); const retrySuccessAttempts = nestedRecord(retryThenSuccess, ["steer"]).attempts; assertCondition(Array.isArray(retrySuccessAttempts) && retrySuccessAttempts.length === 2, "retry success should expose both attempts", retryThenSuccess); assertCondition(String(JSON.stringify(retryThenSuccess)).includes("The operation was aborted"), "retry attempts should preserve aborted tunnel evidence", retryThenSuccess); assertCondition(!String(JSON.stringify(retryThenSuccess)).includes("transient correction"), "retry success must not echo steer prompt", retryThenSuccess); let exhaustedCalls = 0; const exhaustedSteerIds: string[] = []; const exhausted = codexSteerTaskForTest("direct_task", ["final correction", "--retry-attempts", "2", "--retry-delay-ms", "0"], (path, init) => { exhaustedCalls += 1; exhaustedSteerIds.push(String((init?.body as JsonRecord | undefined)?.steerId || "")); if (path.includes("/steer-confirmation")) { return { ok: true, status: 200, body: { ok: true, confirmation: { taskId: "direct_task", steerId: exhaustedSteerIds[0], found: false, accepted: false, deliveryState: "unknown", matchCount: 0, trace: null, duplicateSuppressionKey: exhaustedSteerIds[0], promptOmitted: true, }, }, }; } return { ok: false, status: 502, body: abortedTunnelBody }; }) as JsonRecord; assertCondition(exhaustedCalls === 3, "retryable 502 tunnel abort should honor retry-attempts and run confirmation lookup", { exhaustedCalls, exhausted }); assertCondition(exhaustedSteerIds[0] === exhaustedSteerIds[1], "exhausted retry should reuse steerId", { exhaustedSteerIds }); assertReason(exhausted, "stable-proxy-failed", 502); assertCondition(nestedRecord(exhausted, ["steer"]).status === "unknown", "unconfirmed transport failure should report unknown status", exhausted); assertCondition(nestedRecord(exhausted, ["steer"]).steerId === exhaustedSteerIds[0], "exhausted failure should expose steerId", exhausted); assertCondition(nestedRecord(exhausted, ["traceConfirmation"]).deliveryState === "unknown", "exhausted failure should include trace confirmation lookup", exhausted); const exhaustedDiagnostics = nestedRecord(exhausted, ["diagnostics"]); const exhaustedAttempts = exhaustedDiagnostics.attempts; assertCondition(Array.isArray(exhaustedAttempts) && exhaustedAttempts.length === 2, "exhausted retry diagnostics should expose attempts", exhaustedDiagnostics); assertCondition(String(exhaustedDiagnostics.message || "").includes("The operation was aborted"), "diagnostics should include provider abort message", exhaustedDiagnostics); assertCondition(nestedRecord(exhaustedDiagnostics, ["operatorGuidance"]).rawProxyEquivalentIsFallback === false, "raw proxy equivalent should be diagnostic, not fallback", exhaustedDiagnostics); assertCondition(String(nestedRecord(exhausted, ["commands"]).traceConfirm || "").includes(`--steer-id ${exhaustedSteerIds[0]}`), "failure should expose bounded trace confirmation command", exhausted); assertCondition(String(nestedRecord(exhausted, ["commands"]).rawProxy || "").includes("microservice proxy code-queue /api/tasks/direct_task/steer"), "failure should still expose raw proxy diagnostic command", exhausted); assertCondition(nestedRecord(exhausted, ["steer"]).promptOmitted === true, "failed steer should omit prompt by default", exhausted); assertCondition(!("request" in exhausted), "failed steer should omit request by default", exhausted); assertCondition(!("upstreamBodyPreview" in exhaustedDiagnostics), "failed steer should omit upstream preview by default", exhaustedDiagnostics); assertCondition(!String(JSON.stringify(exhausted)).includes("provider-gateway-http-fetch"), "failed steer default output should omit upstream body internals", exhausted); assertCondition(String(nestedRecord(exhausted, ["commands"]).fullDetails || "").includes("--full"), "failed steer should suggest full disclosure command", exhausted); assertCondition(String(nestedRecord(exhausted, ["commands"]).rawDetails || "").includes("--raw"), "failed steer should suggest raw disclosure command", exhausted); const exhaustedFull = codexSteerTaskForTest("direct_task", ["final correction", "--retry-attempts", "1", "--retry-delay-ms", "0", "--full"], () => { return { ok: false, status: 502, body: abortedTunnelBody }; }) as JsonRecord; const exhaustedFullDiagnostics = nestedRecord(exhaustedFull, ["diagnostics"]); assertCondition("request" in exhaustedFull, "--full failed steer should expose request metadata", exhaustedFull); assertCondition("upstreamBodyPreview" in exhaustedFullDiagnostics, "--full failed steer should expose bounded upstream preview", exhaustedFullDiagnostics); const exhaustedRaw = codexSteerTaskForTest("direct_task", ["final correction", "--retry-attempts", "1", "--retry-delay-ms", "0", "--raw"], () => { return { ok: false, status: 502, body: abortedTunnelBody }; }) as JsonRecord; assertCondition("rawFailure" in exhaustedRaw, "--raw failed steer should expose raw response", exhaustedRaw); const timeoutAcceptedSteerId = deterministicSteerId("direct_task", "accepted but timed out"); let timeoutAcceptedCalls = 0; const timeoutAccepted = codexSteerTaskForTest("direct_task", ["accepted but timed out", "--retry-attempts", "1", "--retry-delay-ms", "0"], (path) => { timeoutAcceptedCalls += 1; if (path.includes("/steer-confirmation")) { return { ok: true, status: 200, body: { ok: true, confirmation: { taskId: "direct_task", steerId: timeoutAcceptedSteerId, found: true, accepted: true, deliveryState: "accepted", matchCount: 1, trace: { seq: 77, at: "2026-05-23T00:00:03.000Z", method: "turn/steer", steerId: timeoutAcceptedSteerId, promptChars: 22, promptHash: "hash3", promptOmitted: true, source: "promptHistory" }, duplicateSuppressionKey: timeoutAcceptedSteerId, promptOmitted: true, }, }, }; } return { ok: false, status: 502, body: abortedTunnelBody }; }) as JsonRecord; assertCondition(timeoutAcceptedCalls === 2, "timeout accepted contract should perform one send and one confirmation lookup", { timeoutAcceptedCalls }); assertCondition(timeoutAccepted.ok === true, "trace-confirmed timeout should be treated as accepted", timeoutAccepted); assertCondition(nestedRecord(timeoutAccepted, ["steer"]).status === "accepted_response_timeout", "trace-confirmed timeout should expose accepted_response_timeout", timeoutAccepted); assertCondition(nestedRecord(timeoutAccepted, ["steer"]).deliveryUnconfirmed === false, "trace-confirmed timeout should not remain deliveryUnconfirmed", timeoutAccepted); assertCondition(nestedRecord(timeoutAccepted, ["traceConfirmation"]).accepted === true, "trace-confirmed timeout should include confirmation", timeoutAccepted); const explicitSteerId = "steer_manual_12345"; const duplicateSuppressed = codexSteerTaskForTest("direct_task", ["same prompt", "--steer-id", explicitSteerId], (_path, init) => { const body = init?.body as JsonRecord | undefined; assertCondition(body?.steerId === explicitSteerId, "explicit steerId should be sent unchanged", body ?? {}); return { ok: true, status: 200, body: { ok: true, accepted: true, duplicateSuppressed: true, deliveryState: "accepted", steerId: explicitSteerId, traceConfirmation: { taskId: "direct_task", steerId: explicitSteerId, found: true, accepted: true, deliveryState: "accepted", matchCount: 1, trace: { seq: 88, at: "2026-05-23T00:00:04.000Z", method: "turn/steer", steerId: explicitSteerId, promptChars: 11, promptHash: "hash4", promptOmitted: true, source: "promptHistory" }, duplicateSuppressionKey: explicitSteerId, }, task: { id: "direct_task", status: "running", prompt: "hidden" }, queue: { activeTaskIds: ["direct_task"] }, }, }; }) as JsonRecord; assertCondition(nestedRecord(duplicateSuppressed, ["steer"]).duplicateSuppressed === true, "duplicate suppression should be visible", duplicateSuppressed); assertCondition(nestedRecord(duplicateSuppressed, ["steer"]).steerId === explicitSteerId, "duplicate suppression should preserve steerId", duplicateSuppressed); const confirmLookup = codexSteerTraceConfirmForTest("direct_task", ["--steer-id", explicitSteerId], (path) => { assertCondition(path.includes("/api/microservices/code-queue/proxy/api/tasks/direct_task/steer-confirmation"), "confirm lookup should use proxy confirmation endpoint", { path }); assertCondition(path.includes(`steerId=${encodeURIComponent(explicitSteerId)}`), "confirm lookup should include steerId query", { path }); return { ok: true, status: 200, body: { ok: true, confirmation: { taskId: "direct_task", steerId: explicitSteerId, found: true, accepted: true, deliveryState: "accepted", matchCount: 1, trace: { seq: 88, at: "2026-05-23T00:00:04.000Z", method: "turn/steer", steerId: explicitSteerId, promptChars: 11, promptHash: "hash4", promptOmitted: true, source: "promptHistory" }, duplicateSuppressionKey: explicitSteerId, promptOmitted: true, }, }, }; }) as JsonRecord; assertCondition(confirmLookup.ok === true, "trace confirmation lookup should succeed when accepted", confirmLookup); assertCondition(nestedRecord(confirmLookup, ["delivery"]).status === "confirmed", "trace confirmation output should expose confirmed status", confirmLookup); assertCondition(nestedRecord(confirmLookup, ["traceConfirmation"]).status === "confirmed", "trace confirmation payload should expose confirmed status", confirmLookup); assertCondition(nestedRecord(confirmLookup, ["traceConfirmation", "trace"]).seq === 88, "trace confirmation output should expose bounded trace seq", confirmLookup); assertCondition(!JSON.stringify(confirmLookup).includes("same prompt"), "trace confirmation lookup must not echo prompt", confirmLookup); const pendingLookup = codexSteerTraceConfirmForTest("direct_task", ["--steer-id", explicitSteerId], () => ({ ok: true, status: 200, body: { ok: true, confirmation: { taskId: "direct_task", steerId: explicitSteerId, found: false, accepted: false, deliveryState: "unknown", matchCount: 0, trace: null, duplicateSuppressionKey: explicitSteerId, promptOmitted: true, }, }, })) as JsonRecord; assertCondition(pendingLookup.ok === false, "pending trace confirmation should not report ok=true", pendingLookup); assertCondition(nestedRecord(pendingLookup, ["delivery"]).status === "pending", "unmatched supported trace confirmation should be pending", pendingLookup); const unsupportedLookup = codexSteerTraceConfirmForTest("direct_task", ["--steer-id", explicitSteerId], (path) => { assertCondition(path.includes("/api/microservices/code-queue/proxy/api/tasks/direct_task/steer-confirmation"), "unsupported lookup should still call advertised route", { path }); return { ok: false, status: 404, body: { ok: false, error: "not found", path: "/api/tasks/direct_task/steer-confirmation" }, }; }) as JsonRecord; assertCondition(unsupportedLookup.ok === false, "unsupported trace confirmation should be structured ok=false", unsupportedLookup); assertCondition(nestedRecord(unsupportedLookup, ["delivery"]).status === "not-supported", "unsupported trace confirmation should expose not-supported status", unsupportedLookup); assertCondition(nestedRecord(unsupportedLookup, ["traceConfirmation"]).status === "not-supported", "unsupported trace confirmation payload should expose not-supported status", unsupportedLookup); assertCondition(!JSON.stringify(unsupportedLookup).includes("promptPreview"), "unsupported trace confirmation must not echo prompt previews", unsupportedLookup); const terminalPrompt = `${"do not leak ".repeat(40)}tail-secret-marker`; const terminalRejection = codexSteerTaskForTest("completed_task", [terminalPrompt], () => ({ ok: false, status: 409, body: { ok: false, error: "task does not have an active steerable turn", task: { id: "completed_task", queueId: "default", status: "succeeded", terminalStatus: "completed", currentAttempt: 1, updatedAt: "2026-05-22T00:00:00.000Z", finishedAt: "2026-05-22T00:00:00.000Z", prompt: `${"hidden task prompt ".repeat(60)}tail`, output: [{ seq: 1, text: "noisy raw task output" }], }, }, })) as JsonRecord; const terminalSteer = nestedRecord(terminalRejection, ["steer"]); assertCondition(terminalRejection.ok === false, "terminal steer rejection should fail", terminalRejection); assertCondition(terminalSteer.reason === "task-already-terminal", "terminal steer rejection should use compact terminal reason", terminalSteer); assertCondition(terminalSteer.deliveryState === "not_accepted", "terminal steer rejection should expose not_accepted delivery state", terminalSteer); assertCondition(String(terminalSteer.steerId || "").startsWith("steer_"), "terminal steer rejection should expose steerId", terminalSteer); assertCondition(terminalSteer.status === "not_accepted", "terminal steer rejection should expose not_accepted status", terminalSteer); assertCondition(terminalSteer.taskStatus === "succeeded", "terminal steer rejection should expose task status", terminalSteer); assertCondition(terminalSteer.terminalStatus === "completed", "terminal steer rejection should expose terminal status", terminalSteer); assertCondition(terminalSteer.lastUpdate === "2026-05-22T00:00:00.000Z", "terminal steer rejection should expose last update", terminalSteer); assertCondition(terminalSteer.updatedAt === "2026-05-22T00:00:00.000Z", "terminal steer rejection should expose last update time", terminalSteer); assertCondition(terminalSteer.retryable === false, "terminal steer rejection should not be retryable", terminalSteer); const terminalCommands = nestedRecord(terminalRejection, ["commands"]); assertCondition(String(terminalCommands.show || "").includes("codex task completed_task"), "terminal rejection should suggest show command", terminalCommands); assertCondition(String(terminalCommands.read || "").includes("codex read completed_task"), "terminal rejection should suggest read command", terminalCommands); assertCondition(String(terminalCommands.followUpSubmit || "").includes("codex submit --prompt-file --reference-task-id completed_task"), "terminal rejection should suggest follow-up submit pattern", terminalCommands); assertCondition(String(terminalCommands.fullDetails || "").includes("codex steer completed_task --prompt-file --full"), "terminal rejection should suggest explicit full disclosure command", terminalCommands); assertCondition(String(terminalCommands.rawDetails || "").includes("codex steer completed_task --prompt-file --raw"), "terminal rejection should suggest explicit raw disclosure command", terminalCommands); const terminalJson = JSON.stringify(terminalRejection); assertCondition(!terminalJson.includes("tail-secret-marker"), "terminal rejection must not echo steer prompt", terminalRejection); assertCondition(!terminalJson.includes("hidden task prompt"), "terminal rejection must not echo task prompt", terminalRejection); assertCondition(!terminalJson.includes("noisy raw task output"), "terminal rejection must not echo task output", terminalRejection); assertCondition(!("request" in terminalRejection), "terminal rejection should omit request preview", terminalRejection); assertCondition(!("diagnostics" in terminalRejection), "terminal rejection should omit bulky diagnostics", terminalRejection); const terminalFull = codexSteerTaskForTest("completed_task", [terminalPrompt, "--full"], () => ({ ok: false, status: 409, body: { ok: false, error: "task does not have an active steerable turn", task: { id: "completed_task", status: "succeeded", terminalStatus: "completed", prompt: `${"hidden task prompt ".repeat(60)}tail`, output: [{ seq: 1, text: "noisy raw task output" }], }, }, })) as JsonRecord; const fullDiagnostics = nestedRecord(terminalFull, ["diagnostics"]); assertCondition("upstreamBodyPreview" in fullDiagnostics, "--full should expose bounded upstream preview behind diagnostics", fullDiagnostics); assertCondition(typeof fullDiagnostics.rawProxyEquivalent === "string", "--full should expose raw proxy equivalent", fullDiagnostics); assertCondition(!("rawFailure" in terminalFull), "--full should not include raw upstream response", terminalFull); const terminalRaw = codexSteerTaskForTest("completed_task", [terminalPrompt, "--raw"], () => ({ ok: false, status: 409, body: { ok: false, error: "task does not have an active steerable turn", task: { id: "completed_task", status: "succeeded", terminalStatus: "completed" }, }, })) as JsonRecord; const rawFailure = nestedRecord(terminalRaw, ["rawFailure"]); const rawFailureTask = nestedRecord(rawFailure, ["body", "task"]); assertCondition(rawFailure.status === 409 && rawFailureTask.status === "succeeded", "--raw should expose raw upstream failure only when requested", rawFailure); return { ok: true, checks: [ "steer positional dry-run", "steer stdin dry-run", "steer prompt-file dry-run", "duplicate prompt source failure", "unsupported option failure", "codex help lists steer", "advertised steer-confirm CLI command returns structured status", "outer command redacts positional steer prompt", "dry-run does not call stable proxy helper", "dry-run prompt preview is bounded", "non-dry-run uses stable proxy helper", "successful steer confirms write without echoing prompt", "steer failure classification is JSON-consumable", "retryable tunnel aborts are retried with bounded diagnostics", "retry reuses steerId and trace confirmation distinguishes accepted_response_timeout from unknown", "duplicate suppression and trace confirmation lookup expose bounded confirmed/pending/not-supported statuses", "terminal steer rejection is compact and actionable", "terminal steer rejection full/raw disclosure is explicit", ], }; } if (import.meta.main) { const result = runCodeQueueCliSteerContract(); process.stdout.write(`${JSON.stringify(result, null, 2)}\n`); }