import { readFileSync } from "node:fs"; import { rootPath } from "./src/config"; function assertCondition(condition: unknown, message: string, detail: unknown = {}): void { if (!condition) throw new Error(`${message}: ${JSON.stringify(detail)}`); } const sub2apiConfigPath = rootPath("config", "platform-infra", "sub2api.yaml"); const codexPoolConfigPath = rootPath("config", "platform-infra", "sub2api-codex-pool.yaml"); const manifestPath = rootPath("src", "components", "platform-infra", "sub2api", "sub2api.k8s.yaml"); const sub2api = Bun.YAML.parse(readFileSync(sub2apiConfigPath, "utf8")) as { security?: { urlAllowlist?: { enabled?: boolean; allowInsecureHttp?: boolean; allowPrivateHosts?: boolean; upstreamHosts?: string[]; }; }; }; const codexPool = Bun.YAML.parse(readFileSync(codexPoolConfigPath, "utf8")) as { profiles?: { entries?: Array<{ accountName?: string; }>; }; }; const manifest = readFileSync(manifestPath, "utf8"); assertCondition((codexPool.profiles?.entries ?? []).length > 0, "Codex pool must have YAML-selected upstream accounts", codexPool.profiles); assertCondition(sub2api.security?.urlAllowlist?.enabled === false, "Sub2API URL allowlist must be disabled for current HTTP upstream pool policy", sub2api.security); assertCondition(sub2api.security?.urlAllowlist?.allowInsecureHttp === true, "Sub2API must allow http:// upstream base URLs for account tests and normal scheduling", { security: sub2api.security, accounts: (codexPool.profiles?.entries ?? []).map((entry) => entry.accountName), }); assertCondition(sub2api.security?.urlAllowlist?.allowPrivateHosts === false, "Sub2API must not allow private hosts for this public HTTP upstream exception", sub2api.security); assertCondition(Array.isArray(sub2api.security?.urlAllowlist?.upstreamHosts), "Sub2API upstreamHosts must be YAML-controlled even when empty", sub2api.security); assertCondition(manifest.includes('SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP: "__SUB2API_SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP__"'), "Sub2API manifest must render allowInsecureHttp from YAML", manifest); console.log(JSON.stringify({ ok: true, checks: [ "Sub2API runtime URL policy explicitly allows http:// upstream base URLs", "Sub2API manifest renders URL policy from YAML instead of hardcoding the old value", ], accounts: (codexPool.profiles?.entries ?? []).map((entry) => entry.accountName), }));