pikasTech-unidesk/scripts/platform-infra-sub2api-http-upstream-contract-test.ts

import { readFileSync } from "node:fs";
import { rootPath } from "./src/config";
/**
 * Fails the contract test when `condition` is falsy.
 *
 * @param condition - Value tested for truthiness.
 * @param message - Description of the contract that was violated.
 * @param detail - Context appended to the message after JSON.stringify; defaults to `{}`.
 * @throws Error with the text `<message>: <JSON of detail>` when `condition` is falsy.
 */
function assertCondition(condition: unknown, message: string, detail: unknown = {}): void {
  if (condition) {
    return;
  }
  // Whatever is passed as `detail` ends up verbatim in the error text, so callers decide what reaches the logs.
  const serializedDetail = JSON.stringify(detail);
  throw new Error(`${message}: ${serializedDetail}`);
}
/**
 * Fields this script reads from sub2api.yaml. Every level is optional because
 * the YAML is cast to this shape, not validated against it.
 */
type Sub2apiSecurityConfig = {
  security?: {
    urlAllowlist?: {
      enabled?: boolean;
      allowInsecureHttp?: boolean;
      allowPrivateHosts?: boolean;
      upstreamHosts?: string[];
    };
  };
};

/** Fields this script reads from sub2api-codex-pool.yaml (cast, not validated). */
type CodexPoolConfig = {
  profiles?: {
    entries?: Array<{ accountName?: string }>;
  };
};

// Inputs: two YAML config files and the Sub2API manifest, all resolved through rootPath.
const sub2apiConfigPath = rootPath("config", "platform-infra", "sub2api.yaml");
const codexPoolConfigPath = rootPath("config", "platform-infra", "sub2api-codex-pool.yaml");
const manifestPath = rootPath("src", "components", "platform-infra", "sub2api", "sub2api.k8s.yaml");

// The `as` casts are compile-time only: a missing or mistyped key is caught by
// the strict `=== true` / `=== false` / Array.isArray assertions later in the
// script, not here.
const sub2apiYamlText = readFileSync(sub2apiConfigPath, "utf8");
const sub2api = Bun.YAML.parse(sub2apiYamlText) as Sub2apiSecurityConfig;

const codexPoolYamlText = readFileSync(codexPoolConfigPath, "utf8");
const codexPool = Bun.YAML.parse(codexPoolYamlText) as CodexPoolConfig;

// The manifest is kept as raw text; it is only searched for a literal substring.
const manifest = readFileSync(manifestPath, "utf8");
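// Contract for the current HTTP upstream pool policy. These assertions pin a
// deliberately relaxed URL policy (allowlist off, http:// allowed), so a failure
// means the YAML drifted from that documented exception, in either direction.

// At least one pool entry must exist. Entries are not checked for a non-empty accountName.
assertCondition(
  (codexPool.profiles?.entries ?? []).length > 0,
  "Codex pool must have YAML-selected upstream accounts",
  codexPool.profiles,
);

// Strict comparison: an absent key (undefined) fails, so the value must be written out in YAML.
assertCondition(
  sub2api.security?.urlAllowlist?.enabled === false,
  "Sub2API URL allowlist must be disabled for current HTTP upstream pool policy",
  sub2api.security,
);

// NOTE(review): http:// upstream base URLs are unencrypted in transit; confirm that
// whatever Sub2API sends to these accounts is acceptable over plain HTTP.
assertCondition(
  sub2api.security?.urlAllowlist?.allowInsecureHttp === true,
  "Sub2API must allow http:// upstream base URLs for account tests and normal scheduling",
  {
    security: sub2api.security,
    accounts: (codexPool.profiles?.entries ?? []).map((entry) => entry.accountName),
  },
);

// NOTE(review): this only checks the YAML value. Whether Sub2API still enforces
// allowPrivateHosts while urlAllowlist.enabled is false is not visible from this
// script; confirm against the Sub2API runtime, since this flag is the remaining
// guard against upstream URLs that point at internal addresses.
assertCondition(
  sub2api.security?.urlAllowlist?.allowPrivateHosts === false,
  "Sub2API must not allow private hosts for this public HTTP upstream exception",
  sub2api.security,
);

// An empty list passes; only the presence and array type of the key are required.
assertCondition(
  Array.isArray(sub2api.security?.urlAllowlist?.upstreamHosts),
  "Sub2API upstreamHosts must be YAML-controlled even when empty",
  sub2api.security,
);

// Only the allowInsecureHttp placeholder is verified in the manifest; placeholders
// for the other urlAllowlist fields are not checked by this script.
// On failure, report the manifest path rather than the whole manifest text, so the
// full deployment manifest is not copied into the error message and CI logs.
assertCondition(
  manifest.includes('SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP: "__SUB2API_SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP__"'),
  "Sub2API manifest must render allowInsecureHttp from YAML",
  { manifestPath },
);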
// Success report, printed as a single JSON line on stdout once every assertion has passed.
// NOTE(review): the upstream account names are written to stdout; confirm they are
// acceptable in CI logs. The second check string speaks of "URL policy" as a whole,
// while the manifest assertion in this script covers only the allowInsecureHttp placeholder.
const accountNames = (codexPool.profiles?.entries ?? []).map((entry) => entry.accountName);
const report = {
  ok: true,
  checks: [
    "Sub2API runtime URL policy explicitly allows http:// upstream base URLs",
    "Sub2API manifest renders URL policy from YAML instead of hardcoding the old value",
  ],
  accounts: accountNames,
};
console.log(JSON.stringify(report));