1278 lines
85 KiB
TypeScript
1278 lines
85 KiB
TypeScript
import { PassThrough, Writable } from "node:stream";
|
||
import { spawnSync } from "node:child_process";
|
||
import { createHash } from "node:crypto";
|
||
import { chmodSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
|
||
import os from "node:os";
|
||
import path from "node:path";
|
||
import { sshHelp } from "./src/help";
|
||
import { runApplyPatchV2 } from "./src/apply-patch-v2";
|
||
import { providerTriageRecommendedCrossChecks } from "./src/provider-triage";
|
||
import { extractRemoteCliOptions, remoteSshFrontendPlanForTest } from "./src/remote";
|
||
import { runSshFileTransferOperation, type SshFileTransferCommandBuilders, type SshRemoteCommandExecutor } from "./src/ssh-file-transfer";
|
||
import {
|
||
formatSshFailureHint,
|
||
formatSshRuntimeTimeoutHint,
|
||
formatSshRuntimeTimingHint,
|
||
parseSshArgs,
|
||
parseSshInvocation,
|
||
remoteApplyPatchSource,
|
||
shellArgv,
|
||
sshFailureHint,
|
||
sshShellCompatibilityPrelude,
|
||
sshUserToolPathPrelude,
|
||
sshRuntimeTimeoutHint,
|
||
sshRuntimeTimeoutMs,
|
||
sshRuntimeTimingHint,
|
||
} from "./src/ssh";
|
||
|
||
type JsonRecord = Record<string, unknown>;
|
||
|
||
function assertCondition(condition: unknown, message: string, detail: unknown = {}): void {
|
||
if (!condition) throw new Error(`${message}: ${JSON.stringify(detail)}`);
|
||
}
|
||
|
||
function assertThrows(fn: () => unknown, pattern: RegExp, message: string): void {
|
||
try {
|
||
fn();
|
||
} catch (error) {
|
||
const text = error instanceof Error ? error.message : String(error);
|
||
assertCondition(pattern.test(text), message, { error: text });
|
||
return;
|
||
}
|
||
throw new Error(`${message}: expected throw`);
|
||
}
|
||
|
||
function sha256Hex(value: string): string {
|
||
return createHash("sha256").update(Buffer.from(value, "utf8")).digest("hex");
|
||
}
|
||
|
||
function sha256BufferHex(value: Buffer): string {
|
||
return createHash("sha256").update(value).digest("hex");
|
||
}
|
||
|
||
function sshShellScriptPrelude(): string {
|
||
return `${sshUserToolPathPrelude}\n${sshShellCompatibilityPrelude}`;
|
||
}
|
||
|
||
async function captureStdout(fn: () => Promise<number>): Promise<{ exitCode: number; stdout: string; stderr: string }> {
|
||
const originalWrite = process.stdout.write;
|
||
const originalStderrWrite = process.stderr.write;
|
||
let stdout = "";
|
||
let stderr = "";
|
||
process.stdout.write = ((chunk: unknown, ...args: unknown[]) => {
|
||
stdout += Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk);
|
||
const callback = args.find((arg): arg is () => void => typeof arg === "function");
|
||
if (callback) callback();
|
||
return true;
|
||
}) as typeof process.stdout.write;
|
||
process.stderr.write = ((chunk: unknown, ...args: unknown[]) => {
|
||
stderr += Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk);
|
||
const callback = args.find((arg): arg is () => void => typeof arg === "function");
|
||
if (callback) callback();
|
||
return true;
|
||
}) as typeof process.stderr.write;
|
||
try {
|
||
const exitCode = await fn();
|
||
return { exitCode, stdout, stderr };
|
||
} finally {
|
||
process.stdout.write = originalWrite;
|
||
process.stderr.write = originalStderrWrite;
|
||
}
|
||
}
|
||
|
||
function decodeWinEncodedCommand(remoteCommand: string | null | undefined): string {
|
||
const text = String(remoteCommand ?? "");
|
||
const match = /'-EncodedCommand' '([^']+)'/u.exec(text);
|
||
assertCondition(match !== null, "win command must use PowerShell -EncodedCommand", remoteCommand);
|
||
return Buffer.from(match[1] ?? "", "base64").toString("utf16le");
|
||
}
|
||
|
||
function applyPatchFixture(args: string[], patch: string, files: Record<string, string>): { status: number | null; stdout: string; stderr: string; files: Record<string, string> } {
|
||
const root = mkdtempSync(path.join(os.tmpdir(), "unidesk-apply-patch-contract-"));
|
||
try {
|
||
const helperPath = path.join(root, "apply_patch");
|
||
writeFileSync(helperPath, remoteApplyPatchSource, "utf8");
|
||
for (const [relativePath, content] of Object.entries(files)) {
|
||
const target = path.join(root, relativePath);
|
||
writeFileSync(target, content, "utf8");
|
||
}
|
||
const run = spawnSync("sh", [helperPath, ...args], {
|
||
cwd: root,
|
||
input: patch,
|
||
encoding: "utf8",
|
||
});
|
||
const outputFiles: Record<string, string> = {};
|
||
for (const relativePath of Object.keys(files)) {
|
||
outputFiles[relativePath] = readFileSync(path.join(root, relativePath), "utf8");
|
||
}
|
||
return {
|
||
status: run.status,
|
||
stdout: run.stdout,
|
||
stderr: run.stderr,
|
||
files: outputFiles,
|
||
};
|
||
} finally {
|
||
rmSync(root, { recursive: true, force: true });
|
||
}
|
||
}
|
||
|
||
async function applyPatchV2FixtureAttempt(patch: string, files: Record<string, string>, options: { stderrOutput?: boolean } = {}): Promise<{ stdout: string; stderr: string; exitCode: number | null; files: Record<string, string>; commands: string[]; error: unknown | null }> {
|
||
const state = new Map(Object.entries(files));
|
||
const pendingWrites = new Map<string, string>();
|
||
const commands: string[] = [];
|
||
const stdin = new PassThrough();
|
||
stdin.end(patch);
|
||
let stdout = "";
|
||
let stderr = "";
|
||
const stdoutSink = new Writable({
|
||
write(chunk, _encoding, callback) {
|
||
stdout += Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk);
|
||
callback();
|
||
},
|
||
});
|
||
const stderrSink = new Writable({
|
||
write(chunk, _encoding, callback) {
|
||
stderr += Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk);
|
||
callback();
|
||
},
|
||
});
|
||
let error: unknown | null = null;
|
||
let exitCode: number | null = null;
|
||
try {
|
||
exitCode = await runApplyPatchV2({
|
||
stdin,
|
||
stdout: stdoutSink,
|
||
...(options.stderrOutput === true ? { stderr: stderrSink } : {}),
|
||
executor: {
|
||
async run(command, input) {
|
||
const operation = command[4] ?? "";
|
||
const target = command[5] ?? "";
|
||
commands.push([operation, ...command.slice(5)].join(" "));
|
||
if (operation === "stat") {
|
||
if (!state.has(target)) return { exitCode: 1, stdout: "", stderr: `missing ${target}` };
|
||
const content = state.get(target) ?? "";
|
||
return { exitCode: 0, stdout: `${Buffer.byteLength(content, "utf8")} ${sha256Hex(content)}\n`, stderr: "" };
|
||
}
|
||
if (operation === "read-b64-block") {
|
||
if (!state.has(target)) return { exitCode: 1, stdout: "", stderr: `missing ${target}` };
|
||
const content = Buffer.from(state.get(target) ?? "", "utf8");
|
||
const blockIndex = Number(command[6] ?? "-1");
|
||
const blockSize = Number(command[7] ?? "-1");
|
||
if (!Number.isSafeInteger(blockIndex) || !Number.isSafeInteger(blockSize) || blockIndex < 0 || blockSize <= 0) {
|
||
return { exitCode: 2, stdout: "", stderr: "bad read block args" };
|
||
}
|
||
const start = blockIndex * blockSize;
|
||
return { exitCode: 0, stdout: content.subarray(start, start + blockSize).toString("base64"), stderr: "" };
|
||
}
|
||
if (operation === "write-b64-argv") {
|
||
const expectedBytes = Number(command[6] ?? "-1");
|
||
const expectedSha256 = command[7] ?? "";
|
||
const content = Buffer.from(command.slice(8).join(""), "base64").toString("utf8");
|
||
if (Buffer.byteLength(content, "utf8") !== expectedBytes || sha256Hex(content) !== expectedSha256) {
|
||
return { exitCode: 23, stdout: "", stderr: "mock integrity mismatch" };
|
||
}
|
||
state.set(target, content);
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
if (operation === "write-b64-stdin") {
|
||
const expectedBytes = Number(command[6] ?? "-1");
|
||
const expectedSha256 = command[7] ?? "";
|
||
const content = Buffer.from(input ?? "", "base64").toString("utf8");
|
||
if (Buffer.byteLength(content, "utf8") !== expectedBytes || sha256Hex(content) !== expectedSha256) {
|
||
return { exitCode: 23, stdout: "", stderr: "mock integrity mismatch" };
|
||
}
|
||
state.set(target, content);
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
if (operation === "write-b64-begin") {
|
||
pendingWrites.set(`${target}\0${command[6] ?? ""}`, "");
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
if (operation === "write-b64-append") {
|
||
const key = `${target}\0${command[6] ?? ""}`;
|
||
if (!pendingWrites.has(key)) return { exitCode: 2, stdout: "", stderr: "missing pending write" };
|
||
pendingWrites.set(key, `${pendingWrites.get(key) ?? ""}${command[7] ?? ""}`);
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
if (operation === "write-b64-commit") {
|
||
const key = `${target}\0${command[6] ?? ""}`;
|
||
const expectedBytes = Number(command[7] ?? "-1");
|
||
const expectedSha256 = command[8] ?? "";
|
||
const content = Buffer.from(pendingWrites.get(key) ?? "", "base64").toString("utf8");
|
||
if (Buffer.byteLength(content, "utf8") !== expectedBytes || sha256Hex(content) !== expectedSha256) {
|
||
return { exitCode: 23, stdout: "", stderr: "mock integrity mismatch" };
|
||
}
|
||
state.set(target, content);
|
||
pendingWrites.delete(key);
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
if (operation === "delete") {
|
||
state.delete(target);
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
if (operation === "move") {
|
||
state.set(command[6] ?? "", state.get(target) ?? "");
|
||
state.delete(target);
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
return { exitCode: 2, stdout: "", stderr: "bad op" };
|
||
},
|
||
},
|
||
});
|
||
} catch (caught) {
|
||
error = caught;
|
||
}
|
||
return { stdout, stderr, exitCode, files: Object.fromEntries(state), commands, error };
|
||
}
|
||
|
||
async function applyPatchV2ActualShellFixtureAttempt(
|
||
patch: string,
|
||
files: Record<string, string>,
|
||
mutateInput?: (operation: string, input: string | undefined) => string | undefined,
|
||
mutateResult?: (operation: string, result: { exitCode: number; stdout: string; stderr: string }) => { exitCode: number; stdout: string; stderr: string },
|
||
): Promise<{ stdout: string; files: Record<string, string>; commands: string[]; error: unknown | null }> {
|
||
const root = mkdtempSync(path.join(os.tmpdir(), "unidesk-apply-patch-v2-shell-"));
|
||
const commands: string[] = [];
|
||
const stdin = new PassThrough();
|
||
stdin.end(patch);
|
||
let stdout = "";
|
||
const stdoutSink = new Writable({
|
||
write(chunk, _encoding, callback) {
|
||
stdout += Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk);
|
||
callback();
|
||
},
|
||
});
|
||
try {
|
||
for (const [relativePath, content] of Object.entries(files)) {
|
||
const target = path.join(root, relativePath);
|
||
mkdirSync(path.dirname(target), { recursive: true });
|
||
writeFileSync(target, content, "utf8");
|
||
}
|
||
let error: unknown | null = null;
|
||
try {
|
||
await runApplyPatchV2({
|
||
stdin,
|
||
stdout: stdoutSink,
|
||
executor: {
|
||
async run(command, input) {
|
||
const operation = command[4] ?? "";
|
||
commands.push([operation, ...command.slice(5)].join(" "));
|
||
const run = spawnSync(command[0] ?? "sh", command.slice(1), {
|
||
cwd: root,
|
||
input: mutateInput ? mutateInput(operation, input) : input,
|
||
encoding: "utf8",
|
||
});
|
||
const result = {
|
||
exitCode: run.status ?? 255,
|
||
stdout: run.stdout,
|
||
stderr: run.stderr,
|
||
};
|
||
return mutateResult ? mutateResult(operation, result) : result;
|
||
},
|
||
},
|
||
});
|
||
} catch (caught) {
|
||
error = caught;
|
||
}
|
||
const outputFiles: Record<string, string> = {};
|
||
for (const relativePath of Object.keys(files)) {
|
||
const target = path.join(root, relativePath);
|
||
outputFiles[relativePath] = existsSync(target) ? readFileSync(target, "utf8") : "";
|
||
}
|
||
return { stdout, files: outputFiles, commands, error };
|
||
} finally {
|
||
rmSync(root, { recursive: true, force: true });
|
||
}
|
||
}
|
||
|
||
async function applyPatchV2Fixture(patch: string, files: Record<string, string>): Promise<{ stdout: string; files: Record<string, string>; commands: string[] }> {
|
||
const result = await applyPatchV2FixtureAttempt(patch, files);
|
||
if (result.error !== null) throw result.error;
|
||
return { stdout: result.stdout, files: result.files, commands: result.commands };
|
||
}
|
||
|
||
function fileTransferFixture(initial: Record<string, Buffer> = {}, options: { emptyReadOnce?: Record<string, number[]> } = {}): {
|
||
state: Map<string, Buffer>;
|
||
commands: Array<{ operation: string; stdin: boolean }>;
|
||
executor: SshRemoteCommandExecutor;
|
||
builders: SshFileTransferCommandBuilders;
|
||
} {
|
||
const state = new Map(Object.entries(initial));
|
||
const pending = new Map<string, string>();
|
||
const emptyReadOnce = new Map(Object.entries(options.emptyReadOnce ?? {}).map(([target, blocks]) => [target, new Set(blocks)]));
|
||
const commands: Array<{ operation: string; stdin: boolean }> = [];
|
||
const builders: SshFileTransferCommandBuilders = {
|
||
buildRouteCommand(route, command, options) {
|
||
return JSON.stringify({ route: route.raw, command, stdin: options?.stdin === true });
|
||
},
|
||
buildWindowsPowerShellCommand(script) {
|
||
return JSON.stringify({ route: "win", command: ["powershell", script], stdin: false });
|
||
},
|
||
};
|
||
const executor: SshRemoteCommandExecutor = {
|
||
async runRemoteCommand(remoteCommand, input) {
|
||
const payload = JSON.parse(remoteCommand) as { command: string[]; stdin?: boolean };
|
||
const command = payload.command;
|
||
const operation = command[4] ?? "";
|
||
const target = command[5] ?? "";
|
||
commands.push({ operation, stdin: payload.stdin === true });
|
||
if (operation === "stat") {
|
||
const content = state.get(target);
|
||
if (content === undefined) return { exitCode: 1, stdout: "", stderr: "missing" };
|
||
return { exitCode: 0, stdout: `${content.length} ${sha256BufferHex(content)}\n`, stderr: "" };
|
||
}
|
||
if (operation === "read-b64-block") {
|
||
const content = state.get(target);
|
||
if (content === undefined) return { exitCode: 1, stdout: "", stderr: "missing" };
|
||
const blockIndex = Number(command[6] ?? "-1");
|
||
const blockSize = Number(command[7] ?? "-1");
|
||
const start = blockIndex * blockSize;
|
||
const emptyBlocks = emptyReadOnce.get(target);
|
||
if (emptyBlocks?.has(blockIndex)) {
|
||
emptyBlocks.delete(blockIndex);
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
return { exitCode: 0, stdout: content.subarray(start, start + blockSize).toString("base64"), stderr: "" };
|
||
}
|
||
if (operation === "write-b64-argv" || operation === "write-b64-stdin") {
|
||
const expectedBytes = Number(command[6] ?? "-1");
|
||
const expectedSha256 = command[7] ?? "";
|
||
const encoded = operation === "write-b64-argv" ? command.slice(8).join("") : String(input ?? "");
|
||
const content = Buffer.from(encoded, "base64");
|
||
if (content.length !== expectedBytes || sha256BufferHex(content) !== expectedSha256) return { exitCode: 23, stdout: "", stderr: "integrity mismatch" };
|
||
state.set(target, content);
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
if (operation === "write-b64-begin") {
|
||
pending.set(`${target}\0${command[6] ?? ""}`, "");
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
if (operation === "write-b64-append-stdin") {
|
||
const key = `${target}\0${command[6] ?? ""}`;
|
||
if (!pending.has(key)) return { exitCode: 2, stdout: "", stderr: "missing pending write" };
|
||
pending.set(key, `${pending.get(key) ?? ""}${String(input ?? "")}`);
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
if (operation === "write-b64-commit") {
|
||
const key = `${target}\0${command[6] ?? ""}`;
|
||
const expectedBytes = Number(command[7] ?? "-1");
|
||
const expectedSha256 = command[8] ?? "";
|
||
const content = Buffer.from(pending.get(key) ?? "", "base64");
|
||
if (content.length !== expectedBytes || sha256BufferHex(content) !== expectedSha256) return { exitCode: 23, stdout: "", stderr: "integrity mismatch" };
|
||
state.set(target, content);
|
||
pending.delete(key);
|
||
return { exitCode: 0, stdout: "", stderr: "" };
|
||
}
|
||
return { exitCode: 2, stdout: "", stderr: `unsupported op ${operation}` };
|
||
},
|
||
};
|
||
return { state, commands, executor, builders };
|
||
}
|
||
|
||
export async function runSshArgvGuidanceContract(): Promise<JsonRecord> {
|
||
const argv = parseSshArgs(["argv", "true"]);
|
||
assertCondition(argv.invocationKind === "argv", "argv subcommand must be classified as argv", argv);
|
||
assertCondition(argv.remoteCommand === "'true'", "argv command must shell-quote each token", argv);
|
||
assertCondition(argv.requiresStdin === false, "argv command must not require stdin", argv);
|
||
assertCondition(sshFailureHint("D601", argv, 255, "kex_exchange_identification: Connection closed by remote host") === null, "argv failures must not produce ssh-like friction hint", argv);
|
||
|
||
const shortcut = parseSshArgs(["pwd"]);
|
||
assertCondition(shortcut.invocationKind === "argv", "safe command shortcuts must use argv quoting", shortcut);
|
||
assertCondition(shortcut.remoteCommand === "'pwd'", "safe command shortcut should be shell-quoted", shortcut);
|
||
|
||
const hostWorkspace = parseSshInvocation("D601:/home/ubuntu/workspace/hwlab-dev", ["pwd"]);
|
||
assertCondition(hostWorkspace.route.plane === "host" && hostWorkspace.route.workspace === "/home/ubuntu/workspace/hwlab-dev", "host workspace route must parse provider:/absolute/path", hostWorkspace);
|
||
assertCondition(hostWorkspace.parsed.remoteCommand === "'pwd'", "host workspace route must leave operation argv independent from location", hostWorkspace);
|
||
|
||
const hostWorkspaceLongForm = parseSshInvocation("D601:host:/home/ubuntu/workspace/hwlab-dev", ["argv", "git", "status", "--short"]);
|
||
assertCondition(hostWorkspaceLongForm.route.workspace === "/home/ubuntu/workspace/hwlab-dev", "host: workspace route must parse as the same location model", hostWorkspaceLongForm);
|
||
assertCondition(hostWorkspaceLongForm.parsed.remoteCommand === "'git' 'status' '--short'", "host workspace argv operation must stay argv-quoted", hostWorkspaceLongForm);
|
||
|
||
const winCmd = parseSshInvocation("D601:win", ["cmd", "ver"]);
|
||
assertCondition(winCmd.route.plane === "win" && winCmd.route.workspace === null, "win route must parse as the Windows cmd plane", winCmd);
|
||
const winCmdScript = decodeWinEncodedCommand(winCmd.parsed.remoteCommand);
|
||
assertCondition(
|
||
String(winCmd.parsed.remoteCommand).startsWith("'/mnt/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'")
|
||
&& winCmdScript.includes("C:\\Windows\\System32\\cmd.exe")
|
||
&& winCmdScript.includes("chcp 65001>nul")
|
||
&& winCmdScript.includes('set "PYTHONUTF8=1"')
|
||
&& winCmdScript.includes('set "PYTHONIOENCODING=utf-8"'),
|
||
"win route must execute cmd.exe through a UTF-8 Windows launcher without trailing-space cmd set values",
|
||
{ winCmd, winCmdScript },
|
||
);
|
||
|
||
const winCmdCwd = parseSshInvocation("D601:win/c/test", ["cmd", "echo", "中文"]);
|
||
assertCondition(winCmdCwd.route.plane === "win" && winCmdCwd.route.workspace === String.raw`C:\test`, "win route slash workspace must map to a Windows drive cwd", winCmdCwd);
|
||
const winCmdCwdScript = decodeWinEncodedCommand(winCmdCwd.parsed.remoteCommand);
|
||
assertCondition(winCmdCwdScript.includes('cd /d "C:\\test"') && winCmdCwdScript.includes("echo 中文"), "win route workspace must cd in Windows cmd before running the command", { winCmdCwd, winCmdCwdScript });
|
||
|
||
const winSkills = parseSshInvocation("D601:win", ["skills", "--scope", "all", "--limit", "20"]);
|
||
assertCondition(winSkills.route.plane === "win" && winSkills.parsed.invocationKind === "helper", "win skills route must be a Windows helper operation", winSkills);
|
||
const winSkillsScript = decodeWinEncodedCommand(winSkills.parsed.remoteCommand);
|
||
assertCondition(winSkillsScript.includes(".agents\\skills") && winSkillsScript.includes(".codex\\skills") && winSkillsScript.includes("$limit = 20") && winSkillsScript.includes("ConvertTo-Json"), "win skills must discover Windows user skill roots as JSON", { winSkills, winSkillsScript });
|
||
|
||
const hostUploadParse = parseSshInvocation("D601", ["upload", "/tmp/local.bin", "/tmp/remote.bin"]);
|
||
assertCondition(hostUploadParse.parsed.remoteCommand === null && hostUploadParse.parsed.invocationKind === "helper", "host upload must be a structured local operation, not an ssh-like command string", hostUploadParse);
|
||
const winDownloadParse = parseSshInvocation("D601:win", ["download", String.raw`F:\Work\hwlab\.tmp\tool.mjs`, "/tmp/tool.mjs"]);
|
||
assertCondition(winDownloadParse.route.plane === "win" && winDownloadParse.parsed.remoteCommand === null, "win download must be handled by the file-transfer operation module", winDownloadParse);
|
||
const podUploadParse = parseSshInvocation("D601:k3s:unidesk:code-queue/root/unidesk", ["upload", "/tmp/local.bin", "/root/unidesk/.tmp/remote.bin"]);
|
||
assertCondition(podUploadParse.route.plane === "k3s" && podUploadParse.parsed.remoteCommand === null, "pod upload must keep k3s route as location-only and defer transfer execution to the operation module", podUploadParse);
|
||
|
||
const transferRoot = mkdtempSync(path.join(os.tmpdir(), "unidesk-transfer-contract-"));
|
||
try {
|
||
const localSource = path.join(transferRoot, "local-source.bin");
|
||
const localDownload = path.join(transferRoot, "downloaded", "local-copy.bin");
|
||
const payload = Buffer.from("hello 中文\n\0binary tail", "utf8");
|
||
writeFileSync(localSource, payload);
|
||
const transfer = fileTransferFixture();
|
||
const uploadResult = await captureStdout(() => runSshFileTransferOperation(hostUploadParse, ["upload", localSource, "/tmp/remote.bin"], transfer.executor, transfer.builders));
|
||
const uploadJson = JSON.parse(uploadResult.stdout) as JsonRecord;
|
||
const uploadVerification = uploadJson.verification as JsonRecord;
|
||
const uploadMatch = uploadVerification.match as JsonRecord;
|
||
const uploadSource = uploadVerification.source as JsonRecord;
|
||
const uploadTarget = uploadVerification.target as JsonRecord;
|
||
assertCondition(uploadResult.exitCode === 0 && uploadJson.verified === true, "upload should report verified JSON success", uploadResult);
|
||
assertCondition(
|
||
uploadVerification.automatic === true
|
||
&& uploadVerification.verified === true
|
||
&& uploadMatch.bytes === true
|
||
&& uploadMatch.sha256 === true
|
||
&& uploadSource.side === "local"
|
||
&& uploadTarget.side === "remote",
|
||
"upload should expose automatic endpoint verification so callers do not need manual sha256sum checks",
|
||
uploadJson,
|
||
);
|
||
assertCondition(transfer.state.get("/tmp/remote.bin")?.equals(payload), "upload must preserve binary and UTF-8 bytes in the mock remote file", transfer.commands);
|
||
const downloadResult = await captureStdout(() => runSshFileTransferOperation(parseSshInvocation("D601", ["download", "/tmp/remote.bin", localDownload]), ["download", "/tmp/remote.bin", localDownload], transfer.executor, transfer.builders));
|
||
const downloadJson = JSON.parse(downloadResult.stdout) as JsonRecord;
|
||
const downloadVerification = downloadJson.verification as JsonRecord;
|
||
const downloadMatch = downloadVerification.match as JsonRecord;
|
||
const downloadSource = downloadVerification.source as JsonRecord;
|
||
const downloadTarget = downloadVerification.target as JsonRecord;
|
||
assertCondition(downloadResult.exitCode === 0 && downloadJson.sha256 === sha256BufferHex(payload), "download should report the verified sha256", downloadResult);
|
||
assertCondition(
|
||
downloadVerification.automatic === true
|
||
&& downloadVerification.verified === true
|
||
&& downloadMatch.bytes === true
|
||
&& downloadMatch.sha256 === true
|
||
&& downloadSource.side === "remote"
|
||
&& downloadTarget.side === "local",
|
||
"download should expose automatic endpoint verification so callers do not need manual sha256sum checks",
|
||
downloadJson,
|
||
);
|
||
assertCondition(readFileSync(localDownload).equals(payload), "download must preserve binary and UTF-8 bytes locally", { commands: transfer.commands });
|
||
assertCondition(transfer.commands.some((item) => item.operation === "stat") && transfer.commands.some((item) => item.operation === "read-b64-block"), "file transfer should use stat plus chunked verified reads", transfer.commands);
|
||
|
||
const retryDownload = path.join(transferRoot, "downloaded", "retry-copy.bin");
|
||
const retryPayload = Buffer.from("0123456789abcdef".repeat(4096), "utf8");
|
||
const retryTransfer = fileTransferFixture({ "/tmp/retry-remote.bin": retryPayload }, { emptyReadOnce: { "/tmp/retry-remote.bin": [1] } });
|
||
const retryResult = await captureStdout(() => runSshFileTransferOperation(parseSshInvocation("D601", ["download", "--chunk-bytes", "1024", "/tmp/retry-remote.bin", retryDownload]), ["download", "--chunk-bytes", "1024", "/tmp/retry-remote.bin", retryDownload], retryTransfer.executor, retryTransfer.builders));
|
||
const retryJson = JSON.parse(retryResult.stdout) as JsonRecord;
|
||
const retryReadBlocks = retryTransfer.commands.filter((item) => item.operation === "read-b64-block");
|
||
assertCondition(retryResult.exitCode === 0 && retryJson.sha256 === sha256BufferHex(retryPayload), "download should retry a transient empty block and keep sha256 verification", retryResult);
|
||
assertCondition(retryReadBlocks.length === Number(retryJson.transfer && typeof retryJson.transfer === "object" ? (retryJson.transfer as JsonRecord).chunks : 0) + 1, "transient empty block should add exactly one repeated read without counting as a chunk", retryTransfer.commands);
|
||
assertCondition(retryResult.stderr.includes("unidesk.ssh.download.progress") && retryResult.stderr.includes("unidesk.ssh.download.empty-read-retry"), "download should emit bounded progress and retry events to stderr", retryResult.stderr);
|
||
assertCondition(readFileSync(retryDownload).equals(retryPayload), "retry download must preserve complete content after transient empty block", { commands: retryTransfer.commands });
|
||
} finally {
|
||
rmSync(transferRoot, { recursive: true, force: true });
|
||
}
|
||
|
||
assertThrows(
|
||
() => parseSshInvocation("D601:win32", ["cmd", "ver"]),
|
||
/use D601:win/u,
|
||
"win32 route spelling must be rejected in favor of win",
|
||
);
|
||
|
||
const script = parseSshArgs(["script", "--shell", "bash", "--", "alpha beta"]);
|
||
assertCondition(script.invocationKind === "helper", "script stdin helper must be classified as helper", script);
|
||
assertCondition(script.remoteCommand === "'bash' '-s' '--' 'alpha beta'", "script helper must pass stdin to shell directly", script);
|
||
assertCondition(script.requiresStdin === true, "script helper must require stdin", script);
|
||
|
||
const directScriptCommand = parseSshArgs(["script", "--", "sed", "-n", "1,2p", "file.txt"]);
|
||
assertCondition(directScriptCommand.invocationKind === "argv", "script -- command form must run as direct argv without stdin", directScriptCommand);
|
||
assertCondition(directScriptCommand.remoteCommand === "'sed' '-n' '1,2p' 'file.txt'", "script -- command form must preserve dash-prefixed command args", directScriptCommand);
|
||
assertCondition(directScriptCommand.requiresStdin === false, "script -- command form must not wait for stdin", directScriptCommand);
|
||
|
||
const directScriptOneLiner = parseSshArgs(["script", "--", "cd /root/hwlab && git status --short --branch"]);
|
||
assertCondition(directScriptOneLiner.invocationKind === "helper", "script -- single-string command should run through a remote shell", directScriptOneLiner);
|
||
assertCondition(directScriptOneLiner.remoteCommand === shellArgv(["sh", "-c", `${sshShellScriptPrelude()}\ncd /root/hwlab && git status --short --branch`]), "script -- single-string command should match the intuitive remote shell one-liner form with the compatibility prelude", directScriptOneLiner);
|
||
assertCondition(directScriptOneLiner.requiresStdin === false, "script -- single-string command should not wait for stdin", directScriptOneLiner);
|
||
|
||
const shellOneLiner = parseSshArgs(["shell", "sed -n '1,2p' a && sed -n '1,2p' b"]);
|
||
assertCondition(shellOneLiner.invocationKind === "helper", "shell one-liner must be a helper operation", shellOneLiner);
|
||
assertCondition(shellOneLiner.remoteCommand === shellArgv(["sh", "-c", `${sshShellScriptPrelude()}\nsed -n '1,2p' a && sed -n '1,2p' b`]), "shell one-liner must keep command operators inside the remote shell", shellOneLiner);
|
||
assertCondition(shellOneLiner.requiresStdin === false, "shell one-liner must not require stdin", shellOneLiner);
|
||
|
||
for (const shell of ["sh", "bash"]) {
|
||
const fixture = spawnSync(shell, ["-c", `${sshShellCompatibilityPrelude}\nprintf "--- AGENTS ---\\n"\nprintf -- "%s\\n" ok`], { encoding: "utf8" });
|
||
assertCondition(fixture.status === 0 && fixture.stdout === "--- AGENTS ---\nok\n", "script/shell compatibility prelude must make printf headings portable across sh and bash", { shell, status: fixture.status, stdout: fixture.stdout, stderr: fixture.stderr });
|
||
}
|
||
|
||
const k3sGuard = parseSshInvocation("D601:k3s", ["guard"]).parsed;
|
||
assertCondition(k3sGuard.invocationKind === "helper", "k3s guard must be classified as helper", k3sGuard);
|
||
assertCondition(k3sGuard.remoteCommand?.includes("KUBECONFIG") && k3sGuard.remoteCommand.includes("/etc/rancher/k3s/k3s.yaml"), "k3s guard must force native k3s kubeconfig", k3sGuard);
|
||
|
||
const k3sExec = parseSshInvocation("D601:k3s", ["exec", "--namespace", "hwlab-dev", "--deployment", "hwlab-cloud-api", "--", "node", "-e", "console.log(process.version)"]).parsed;
|
||
assertCondition(k3sExec.invocationKind === "helper", "k3s exec must be classified as helper", k3sExec);
|
||
assertCondition(k3sExec.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-n' 'hwlab-dev' 'deployment/hwlab-cloud-api' '--' 'node' '-e' 'console.log(process.version)'", "k3s exec must assemble kubectl argv without nested shell quoting", k3sExec);
|
||
|
||
const routeKubectl = parseSshInvocation("D601:k3s", ["kubectl", "get", "pods", "-n", "hwlab-dev"]);
|
||
assertCondition(routeKubectl.providerId === "D601", "route must preserve provider id", routeKubectl);
|
||
assertCondition(routeKubectl.route.plane === "k3s" && routeKubectl.route.entry === null, "route must keep kubectl as an operation, not as a route entry", routeKubectl);
|
||
assertCondition(routeKubectl.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'get' 'pods' '-n' 'hwlab-dev'", "D601:k3s kubectl must map to kubectl argv", routeKubectl);
|
||
|
||
const routeK3sShell = parseSshInvocation("D601:k3s", ["shell", "kubectl get nodes && kubectl get pods -A"]);
|
||
assertCondition(routeK3sShell.parsed.remoteCommand === shellArgv(["env", "KUBECONFIG=/etc/rancher/k3s/k3s.yaml", "sh", "-c", `${sshShellScriptPrelude()}\nkubectl get nodes && kubectl get pods -A`]), "D601:k3s shell must run one-line shell logic on the k3s host with native kubeconfig", routeK3sShell);
|
||
|
||
const g14Guard = parseSshInvocation("G14:k3s", []);
|
||
assertCondition(g14Guard.providerId === "G14" && g14Guard.route.plane === "k3s", "G14:k3s must parse as a native k3s route", g14Guard);
|
||
assertCondition(g14Guard.parsed.remoteCommand?.includes("UNIDESK_K3S_PROVIDER_ID") && g14Guard.parsed.remoteCommand.includes("ubuntu-rog-zephyrus-g14-ga401iv-ga401iv"), "G14:k3s guard must use the G14 node profile", g14Guard);
|
||
|
||
assertThrows(
|
||
() => parseSshInvocation("G14", ["k3s", "kubectl", "get", "nodes"]),
|
||
/unsupported.*ssh G14:k3s/u,
|
||
"k3s must be a route plane, not a post-provider shorthand",
|
||
);
|
||
|
||
const routeTarget = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api", ["node", "-e", "console.log(process.version)"]);
|
||
assertCondition(routeTarget.route.namespace === "hwlab-dev" && routeTarget.route.resource === "hwlab-cloud-api", "route target must parse namespace and workload", routeTarget);
|
||
assertCondition(routeTarget.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-n' 'hwlab-dev' 'deployment/hwlab-cloud-api' '--' 'node' '-e' 'console.log(process.version)'", "D601:k3s:<namespace>:<workload> must default to deployment exec", routeTarget);
|
||
|
||
const routeTargetArgv = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api", ["argv", "sh", "-c", "printf ok"]);
|
||
assertCondition(routeTargetArgv.parsed.invocationKind === "argv", "k3s target argv operation must stay explicit argv", routeTargetArgv);
|
||
assertCondition(routeTargetArgv.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-n' 'hwlab-dev' 'deployment/hwlab-cloud-api' '--' 'sh' '-c' 'printf ok'", "D601:k3s:<namespace>:<workload> argv must exec the argv payload instead of treating argv as a pod command", routeTargetArgv);
|
||
|
||
const routeTargetShell = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api/app", ["shell", "pwd && ls"]);
|
||
assertCondition(routeTargetShell.parsed.remoteCommand === shellArgv(["env", "KUBECONFIG=/etc/rancher/k3s/k3s.yaml", "kubectl", "exec", "-n", "hwlab-dev", "deployment/hwlab-cloud-api", "--", "sh", "-c", 'cd "$1" || exit; shift; exec "$@"', "unidesk-cwd", "/app", "sh", "-c", `${sshShellScriptPrelude()}\npwd && ls`]), "D601:k3s:<namespace>:<workload>/<workspace> shell must run shell logic after cd inside the pod", routeTargetShell);
|
||
|
||
const routeScript = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api", ["script", "--shell", "bash", "--", "arg"]);
|
||
assertCondition(routeScript.parsed.requiresStdin === true, "k3s script operation must stream local stdin", routeScript);
|
||
assertCondition(routeScript.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-i' '-n' 'hwlab-dev' 'deployment/hwlab-cloud-api' '--' 'bash' '-s' '--' 'arg'", "D601:k3s:<namespace>:<workload> script must map stdin to shell -s", routeScript);
|
||
assertCondition(routeScript.parsed.stdinPrefix === `${sshShellScriptPrelude()}\n`, "k3s script stdin must inject the shell compatibility prelude before user script text", routeScript);
|
||
|
||
const routeControlScript = parseSshInvocation("D601:k3s", ["script", "--shell", "bash", "--", "arg"]);
|
||
assertCondition(routeControlScript.parsed.requiresStdin === true, "k3s control-plane script operation must stream local stdin", routeControlScript);
|
||
assertCondition(routeControlScript.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'bash' '-s' '--' 'arg'", "D601:k3s script must inject native kubeconfig without manual export", routeControlScript);
|
||
assertCondition(routeControlScript.parsed.stdinPrefix === `${sshShellScriptPrelude()}\n`, "k3s control-plane script stdin must inject the shell compatibility prelude before user script text", routeControlScript);
|
||
|
||
const routeControlScriptOneLiner = parseSshInvocation("D601:k3s", ["script", "--", "echo k3s-script-ok"]);
|
||
assertCondition(routeControlScriptOneLiner.parsed.requiresStdin === false, "k3s control-plane script -- one-liner must not wait for stdin", routeControlScriptOneLiner);
|
||
assertCondition(routeControlScriptOneLiner.parsed.remoteCommand === shellArgv(["env", "KUBECONFIG=/etc/rancher/k3s/k3s.yaml", "sh", "-c", `${sshShellScriptPrelude()}\necho k3s-script-ok`]), "k3s control-plane script -- one-liner must run through the native kubeconfig shell path", routeControlScriptOneLiner);
|
||
|
||
const routePodScriptOneLiner = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api", ["script", "--", "echo pod-script-ok"]);
|
||
assertCondition(routePodScriptOneLiner.parsed.requiresStdin === false, "k3s workload script -- one-liner must not wait for stdin", routePodScriptOneLiner);
|
||
assertCondition(routePodScriptOneLiner.parsed.remoteCommand === shellArgv(["env", "KUBECONFIG=/etc/rancher/k3s/k3s.yaml", "kubectl", "exec", "-n", "hwlab-dev", "deployment/hwlab-cloud-api", "--", "sh", "-c", `${sshShellScriptPrelude()}\necho pod-script-ok`]), "k3s workload script -- one-liner must run as sh -c inside the workload", routePodScriptOneLiner);
|
||
|
||
const topLevelScriptSeparator = extractRemoteCliOptions(["ssh", "D601:/tmp", "script", "--", "sed", "-n", "1,2p", "file.txt"]);
|
||
assertCondition(JSON.stringify(topLevelScriptSeparator.args) === JSON.stringify(["ssh", "D601:/tmp", "script", "--", "sed", "-n", "1,2p", "file.txt"]), "top-level remote option parser must preserve command-local -- after the command starts", topLevelScriptSeparator);
|
||
const topLevelScriptInvocation = parseSshInvocation(topLevelScriptSeparator.args[1] as string, topLevelScriptSeparator.args.slice(2));
|
||
assertCondition(topLevelScriptInvocation.parsed.remoteCommand === "'sed' '-n' '1,2p' 'file.txt'", "script -- must allow argv such as sed -n to execute without being parsed as script options", topLevelScriptInvocation);
|
||
assertCondition(topLevelScriptInvocation.parsed.requiresStdin === false, "script -- direct command must not require stdin after top-level parsing", topLevelScriptInvocation);
|
||
|
||
const remoteOptionSeparator = extractRemoteCliOptions(["--main-server-ip", "74.48.78.17", "--", "ssh", "D601:/tmp", "script", "--", "sed", "-n", "1,2p", "file.txt"]);
|
||
assertCondition(remoteOptionSeparator.host === "74.48.78.17", "global remote options before -- must still be parsed", remoteOptionSeparator);
|
||
assertCondition(JSON.stringify(remoteOptionSeparator.args) === JSON.stringify(["ssh", "D601:/tmp", "script", "--", "sed", "-n", "1,2p", "file.txt"]), "global -- must not strip nested command separators", remoteOptionSeparator);
|
||
|
||
const routeApplyPatch = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api", ["apply-patch"]);
|
||
assertCondition(routeApplyPatch.parsed.requiresStdin === true && routeApplyPatch.parsed.remoteCommand === null, "k3s apply-patch operation must use the default v2 local engine", routeApplyPatch);
|
||
|
||
const routeApplyPatchV1 = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api", ["apply-patch-v1"]);
|
||
assertCondition(routeApplyPatchV1.parsed.requiresStdin === true, "k3s apply-patch-v1 operation must stream local patch stdin", routeApplyPatchV1);
|
||
assertCondition(routeApplyPatchV1.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-i' '-n' 'hwlab-dev' 'deployment/hwlab-cloud-api' '--' 'sh' '-s' '--'", "D601:k3s:<namespace>:<workload> apply-patch-v1 must enter pod with stdin", routeApplyPatchV1);
|
||
assertCondition(routeApplyPatchV1.parsed.stdinPrefix?.includes("apply_patch") && routeApplyPatchV1.parsed.stdinPrefix.includes("__UNIDESK_APPLY_PATCH_PAYLOAD__"), "k3s apply-patch-v1 operation must inject pod helper before patch stdin", routeApplyPatchV1);
|
||
assertCondition(routeApplyPatchV1.parsed.stdinPrefix?.includes("#!/bin/sh"), "k3s apply-patch-v1 operation must inject the same sh helper used by host apply-patch-v1", routeApplyPatchV1);
|
||
assertCondition(!routeApplyPatchV1.parsed.stdinPrefix?.includes("python3") && !routeApplyPatchV1.parsed.stdinPrefix?.includes("node "), "k3s apply-patch-v1 operation must use the sh-only pod helper", routeApplyPatchV1);
|
||
assertCondition(routeApplyPatchV1.parsed.stdinSuffix === "\n__UNIDESK_APPLY_PATCH_PAYLOAD__\n", "k3s apply-patch-v1 operation must terminate patch heredoc", routeApplyPatchV1);
|
||
|
||
const hostApplyPatchLoose = parseSshArgs(["apply-patch-v1", "--allow-loose"]);
|
||
assertCondition(hostApplyPatchLoose.remoteCommand === "'apply_patch' '--allow-loose'", "host apply-patch-v1 must pass --allow-loose as an explicit helper argument", hostApplyPatchLoose);
|
||
assertCondition(hostApplyPatchLoose.requiredHelpers?.length === 1 && hostApplyPatchLoose.requiredHelpers.includes("apply_patch"), "host apply-patch-v1 must request only the apply_patch helper bootstrap", hostApplyPatchLoose);
|
||
assertCondition(remoteApplyPatchSource.includes("replace_once_with_perl") && remoteApplyPatchSource.includes("perl -0777"), "apply_patch helper must keep a fast path for large files", {});
|
||
|
||
const hostApplyPatchV2 = parseSshArgs(["apply-patch"]);
|
||
assertCondition(hostApplyPatchV2.requiresStdin === true && hostApplyPatchV2.requiredHelpers === undefined && hostApplyPatchV2.remoteCommand === null, "host apply-patch must be a local v2 engine operation, not a remote helper bootstrap", hostApplyPatchV2);
|
||
const hostApplyPatchV2Help = parseSshArgs(["apply-patch", "--help"]);
|
||
assertCondition(hostApplyPatchV2Help.requiresStdin === false && hostApplyPatchV2Help.remoteCommand === null, "host apply-patch --help must not wait for patch stdin", hostApplyPatchV2Help);
|
||
const podApplyPatchV2 = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api/app", ["apply-patch"]);
|
||
assertCondition(podApplyPatchV2.parsed.requiresStdin === true && podApplyPatchV2.parsed.remoteCommand === null, "pod apply-patch must be handled by the local v2 engine instead of injecting the legacy helper", podApplyPatchV2);
|
||
assertThrows(() => parseSshArgs(["v2"]), /remote patch entrypoints/u, "v2 must not remain as an independent patch subcommand");
|
||
assertThrows(() => parseSshArgs(["patch"]), /remote patch entrypoints/u, "patch must not remain as a patch alias");
|
||
assertThrows(() => parseSshArgs(["patch-v1"]), /remote patch entrypoints/u, "patch-v1 must not remain as a legacy patch alias");
|
||
|
||
const longChinesePatch = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Update File: story.md",
|
||
"@@",
|
||
"+这是一个很长很长的中文段落,用来证明远端 v2 不再依赖 shell hunk 拼接和手写长中文 search block。它只是通过本地行级 patch engine 计算新内容,然后把完整文件写回远端,所以中文、标点、长句都不应该影响 patch 解析和匹配。",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"story.md": "开头\n",
|
||
});
|
||
assertCondition(longChinesePatch.files["story.md"]?.includes("很长很长的中文段落"), "v2 should accept pure insertion with long Chinese text", longChinesePatch);
|
||
assertCondition(longChinesePatch.stdout.includes("Success. Updated the following files:"), "v2 must print visible success output", longChinesePatch);
|
||
|
||
const lowContextV1Baseline = applyPatchFixture([], [
|
||
"*** Begin Patch",
|
||
"*** Update File: story.md",
|
||
"@@",
|
||
" 开头",
|
||
"+低上下文纯插入在 v1 会失败,但 v2 应该按 Codex 行级语义允许。",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"story.md": "开头\n结尾\n",
|
||
});
|
||
assertCondition(lowContextV1Baseline.status !== 0 && lowContextV1Baseline.stderr.includes("insert-only without both leading and trailing context"), "v1 baseline should reject low-context pure insertion", lowContextV1Baseline);
|
||
const lowContextV2 = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Update File: story.md",
|
||
"@@",
|
||
" 开头",
|
||
"+低上下文纯插入在 v1 会失败,但 v2 应该按 Codex 行级语义允许。",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"story.md": "开头\n结尾\n",
|
||
});
|
||
assertCondition(lowContextV2.files["story.md"]?.includes("v2 应该按 Codex 行级语义允许"), "v2 should fix v1 low-context insertion friction", lowContextV2);
|
||
assertCondition(lowContextV2.commands.some((command) => command.includes("write-b64-argv")), "v2 should use argv write path for small remote files to work inside k3s pod exec capture", lowContextV2);
|
||
|
||
const unicodePunctuationV1Baseline = applyPatchFixture([], [
|
||
"*** Begin Patch",
|
||
"*** Update File: notes.txt",
|
||
"@@",
|
||
"-alpha - beta",
|
||
"+alpha - gamma",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"notes.txt": "alpha – beta\n",
|
||
});
|
||
assertCondition(unicodePunctuationV1Baseline.status !== 0, "v1 baseline should miss ASCII dash against typographic dash", unicodePunctuationV1Baseline);
|
||
const unicodePunctuationV2 = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Update File: notes.txt",
|
||
"@@",
|
||
"-alpha - beta",
|
||
"+alpha - gamma",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"notes.txt": "alpha – beta\n",
|
||
});
|
||
assertCondition(unicodePunctuationV2.files["notes.txt"] === "alpha - gamma\n", "v2 should normalize common Unicode punctuation while matching expected lines", unicodePunctuationV2);
|
||
|
||
const repeatedBlockWithContext = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Update File: repeated.txt",
|
||
"@@ section two",
|
||
"-marker",
|
||
"+patched",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"repeated.txt": "section one\nmarker\nsection two\nmarker\n",
|
||
});
|
||
assertCondition(repeatedBlockWithContext.files["repeated.txt"] === "section one\nmarker\nsection two\npatched\n", "v2 should use @@ context to target repeated blocks", repeatedBlockWithContext);
|
||
|
||
const longChineseReplace = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Update File: novel.md",
|
||
"@@",
|
||
"-林深在透明的舷窗前停下脚步,远处的群星像被压进黑色玻璃里的碎银,安静得让人怀疑整个宇宙都屏住了呼吸。",
|
||
"+林深在透明的舷窗前停下脚步,远处的群星像被压进黑色玻璃里的碎银,安静得让人怀疑整个宇宙正在等待他重新命名。",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"novel.md": "林深在透明的舷窗前停下脚步,远处的群星像被压进黑色玻璃里的碎银,安静得让人怀疑整个宇宙都屏住了呼吸。\n",
|
||
});
|
||
assertCondition(longChineseReplace.files["novel.md"]?.includes("等待他重新命名"), "v2 should replace long Chinese lines without remote shell search blocks", longChineseReplace);
|
||
|
||
const largeOriginal = `${"0123456789abcdef\n".repeat(4096)}`;
|
||
const largeV2 = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Update File: large.txt",
|
||
"@@",
|
||
"+large insert",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"large.txt": largeOriginal,
|
||
});
|
||
assertCondition(largeV2.commands.some((command) => command.includes("write-b64-stdin")), "v2 should use stdin write path for large remote files to avoid E2BIG", largeV2.commands);
|
||
assertCondition(!largeV2.commands.some((command) => command.includes("write-b64-append")), "v2 should keep the single stdin write as the normal large-file fast path", largeV2.commands);
|
||
assertCondition(largeV2.commands.filter((command) => command.startsWith("read-b64-block")).length <= 2, "v2 large-file verified read should use coarse chunks, not many tiny SSH calls", largeV2.commands);
|
||
|
||
const multiChunkTailV2 = await applyPatchV2ActualShellFixtureAttempt([
|
||
"*** Begin Patch",
|
||
"*** Update File: two_chunks.txt",
|
||
"@@",
|
||
"-b",
|
||
"+B",
|
||
"@@",
|
||
"-d",
|
||
"+D",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"two_chunks.txt": "a\nb\nc\nd\ne\nf\n",
|
||
});
|
||
assertCondition(multiChunkTailV2.error === null, "v2 should apply explicit multi-chunk patches through the real shell writer", multiChunkTailV2);
|
||
assertCondition(multiChunkTailV2.files["two_chunks.txt"] === "a\nB\nc\nD\ne\nf\n", "v2 must preserve untouched tail lines when applying multiple chunks", multiChunkTailV2);
|
||
|
||
const largeTailV2 = await applyPatchV2ActualShellFixtureAttempt([
|
||
"*** Begin Patch",
|
||
"*** Update File: large-tail.txt",
|
||
"@@ LINE-2048 tail-preserve",
|
||
"-LINE-2049 keep middle",
|
||
"+LINE-2049 patched middle",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"large-tail.txt": Array.from({ length: 5000 }, (_, index) => `LINE-${String(index).padStart(4, "0")} ${index === 2049 ? "keep middle" : "tail-preserve"}`).join("\n") + "\n",
|
||
});
|
||
assertCondition(largeTailV2.error === null, "v2 should patch a large file through the real shell writer", largeTailV2);
|
||
assertCondition(largeTailV2.files["large-tail.txt"]?.includes("LINE-2049 patched middle"), "v2 large-file patch should update the target line", largeTailV2);
|
||
assertCondition(largeTailV2.files["large-tail.txt"]?.endsWith("LINE-4999 tail-preserve\n"), "v2 must preserve the untouched tail of large files", largeTailV2);
|
||
assertCondition(largeTailV2.commands.some((command) => command.startsWith("write-b64-stdin")), "v2 large-file real shell path should use stdin fast path before any fallback", largeTailV2.commands);
|
||
assertCondition(!largeTailV2.commands.some((command) => command.startsWith("write-b64-append")), "v2 large-file real shell path should not use slower chunk fallback unless stdin integrity fails", largeTailV2.commands);
|
||
|
||
const truncatedLargeReadV2 = await applyPatchV2ActualShellFixtureAttempt([
|
||
"*** Begin Patch",
|
||
"*** Update File: large-read.txt",
|
||
"@@",
|
||
"+this write must not happen after a truncated read",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"large-read.txt": largeOriginal,
|
||
}, undefined, (operation, result) => {
|
||
if (operation !== "read-b64-block" || result.exitCode !== 0) return result;
|
||
return { ...result, stdout: result.stdout.slice(0, Math.max(0, result.stdout.length - 32)) };
|
||
});
|
||
assertCondition(truncatedLargeReadV2.error !== null, "v2 should reject a truncated remote read before planning writes", truncatedLargeReadV2);
|
||
assertCondition(truncatedLargeReadV2.files["large-read.txt"] === largeOriginal, "v2 must keep the original file when bridge stdout truncates a read block", truncatedLargeReadV2);
|
||
assertCondition(!truncatedLargeReadV2.commands.some((command) => command.startsWith("write-b64")), "v2 must not write after read integrity fails", truncatedLargeReadV2.commands);
|
||
|
||
const missingUpdateShellV2 = await applyPatchV2ActualShellFixtureAttempt([
|
||
"*** Begin Patch",
|
||
"*** Update File: missing-dist.js",
|
||
"@@",
|
||
"-old",
|
||
"+new",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {});
|
||
const missingUpdateShellError = missingUpdateShellV2.error instanceof Error ? missingUpdateShellV2.error : null;
|
||
assertCondition(missingUpdateShellError !== null, "v2 real shell stat should reject missing update targets", missingUpdateShellV2);
|
||
assertCondition(
|
||
missingUpdateShellError.message.includes("remote apply-patch v2 operation failed")
|
||
&& JSON.stringify((missingUpdateShellError as { details?: unknown }).details ?? {}).includes("file not found: missing-dist.js"),
|
||
"v2 real shell stat must expose file-not-found instead of invalid metadata",
|
||
missingUpdateShellError,
|
||
);
|
||
assertCondition(!missingUpdateShellV2.commands.some((command) => command.startsWith("read-b64") || command.startsWith("write-b64")), "missing update target must fail before remote read/write", missingUpdateShellV2.commands);
|
||
|
||
const truncatedLargeWriteV2 = await applyPatchV2ActualShellFixtureAttempt([
|
||
"*** Begin Patch",
|
||
"*** Update File: large.txt",
|
||
"@@",
|
||
"+large insert that forces a rewritten full-file payload",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"large.txt": largeOriginal,
|
||
}, (operation, input) => {
|
||
if (operation !== "write-b64-stdin" || input === undefined) return input;
|
||
return input.slice(0, Math.max(0, input.length - 32));
|
||
});
|
||
assertCondition(truncatedLargeWriteV2.error === null, "v2 should fall back to bounded argv chunks when the stdin write path is truncated", truncatedLargeWriteV2);
|
||
assertCondition(truncatedLargeWriteV2.files["large.txt"]?.includes("large insert that forces a rewritten full-file payload"), "v2 fallback write should still apply the patch", truncatedLargeWriteV2);
|
||
assertCondition(truncatedLargeWriteV2.files["large.txt"]?.startsWith(largeOriginal), "v2 fallback write must preserve the original large-file content before appending the inserted line", {
|
||
commands: truncatedLargeWriteV2.commands.map((command) => command.split(" ").slice(0, 2).join(" ")),
|
||
outputBytes: Buffer.byteLength(truncatedLargeWriteV2.files["large.txt"] ?? "", "utf8"),
|
||
});
|
||
assertCondition(truncatedLargeWriteV2.commands.some((command) => command.startsWith("write-b64-stdin")), "v2 should attempt the stdin fast path first", truncatedLargeWriteV2.commands);
|
||
assertCondition(truncatedLargeWriteV2.commands.some((command) => command.startsWith("write-b64-commit")), "v2 should commit the chunked fallback after stdin integrity failure", truncatedLargeWriteV2.commands);
|
||
|
||
const failedCompoundV2 = await applyPatchV2FixtureAttempt([
|
||
"*** Begin Patch",
|
||
"*** Update File: first.txt",
|
||
"@@",
|
||
"-old first",
|
||
"+new first",
|
||
"*** Update File: second.txt",
|
||
"@@",
|
||
"-missing second",
|
||
"+new second",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"first.txt": "old first\n",
|
||
"second.txt": "old second\n",
|
||
});
|
||
assertCondition(failedCompoundV2.error !== null, "v2 compound patch should fail when a later hunk does not match", failedCompoundV2);
|
||
assertCondition(failedCompoundV2.files["first.txt"] === "new first\n", "v2 should match Codex apply_patch by preserving earlier committed changes when a later hunk fails", failedCompoundV2);
|
||
assertCondition(failedCompoundV2.files["second.txt"] === "old second\n", "v2 must leave later failed files unchanged", failedCompoundV2);
|
||
assertCondition(failedCompoundV2.commands.some((command) => command.startsWith("write-b64")), "v2 should commit preceding operations in patch order like Codex apply_patch", failedCompoundV2.commands);
|
||
assertCondition(
|
||
Array.isArray((failedCompoundV2.error as { details?: { partialChanges?: unknown } })?.details?.partialChanges)
|
||
&& ((failedCompoundV2.error as { details?: { partialChanges?: string[] } }).details?.partialChanges ?? []).includes("M first.txt"),
|
||
"v2 failure should expose partialChanges for already committed operations",
|
||
failedCompoundV2.error,
|
||
);
|
||
|
||
const failedCompoundVisibleV2 = await applyPatchV2FixtureAttempt([
|
||
"*** Begin Patch",
|
||
"*** Update File: first.txt",
|
||
"@@",
|
||
"-old first",
|
||
"+new first",
|
||
"*** Update File: second.txt",
|
||
"@@",
|
||
"-missing second",
|
||
"+new second",
|
||
"*** Update File: third.txt",
|
||
"@@",
|
||
"-old third",
|
||
"+new third",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"first.txt": "old first\n",
|
||
"second.txt": "old second\n",
|
||
"third.txt": "old third\n",
|
||
}, { stderrOutput: true });
|
||
assertCondition(failedCompoundVisibleV2.exitCode === 1 && failedCompoundVisibleV2.error === null, "v2 CLI path should return non-zero instead of throwing when stderr is provided", failedCompoundVisibleV2);
|
||
assertCondition(failedCompoundVisibleV2.stdout === "", "v2 failed CLI path should keep Codex-style empty stdout", failedCompoundVisibleV2);
|
||
assertCondition(
|
||
failedCompoundVisibleV2.stderr.includes("failed to find expected lines")
|
||
&& failedCompoundVisibleV2.stderr.includes("Applied before failure:")
|
||
&& failedCompoundVisibleV2.stderr.includes("M first.txt")
|
||
&& failedCompoundVisibleV2.stderr.includes("Failed:")
|
||
&& failedCompoundVisibleV2.stderr.includes("hunk 2 update second.txt")
|
||
&& !failedCompoundVisibleV2.stderr.includes("third.txt"),
|
||
"v2 failed CLI path should print Codex-style stderr plus applied/failed summary and stop before later hunks",
|
||
failedCompoundVisibleV2.stderr,
|
||
);
|
||
|
||
const addBeforeFailedUpdateV2 = await applyPatchV2FixtureAttempt([
|
||
"*** Begin Patch",
|
||
"*** Add File: hwpod",
|
||
"+#!/bin/sh",
|
||
"+exec node /app/skills/device-pod-cli/scripts/device-pod-cli.mjs \"$@\"",
|
||
"*** Update File: scripts/artifact-publish.mjs",
|
||
"@@",
|
||
"-missing artifact line",
|
||
"+patched artifact line",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"scripts/artifact-publish.mjs": "actual artifact line\n",
|
||
});
|
||
assertCondition(addBeforeFailedUpdateV2.error !== null, "v2 should still fail when a later file hunk misses", addBeforeFailedUpdateV2);
|
||
assertCondition(addBeforeFailedUpdateV2.files.hwpod?.includes("device-pod-cli.mjs"), "v2 should preserve an earlier Add File from a large patch when a later hunk misses", addBeforeFailedUpdateV2);
|
||
assertCondition(addBeforeFailedUpdateV2.files["scripts/artifact-publish.mjs"] === "actual artifact line\n", "v2 must leave the failed later file unchanged", addBeforeFailedUpdateV2);
|
||
|
||
const sequentialCompoundV2 = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Update File: sequence.txt",
|
||
"@@",
|
||
"-alpha",
|
||
"+beta",
|
||
"*** Update File: sequence.txt",
|
||
"@@",
|
||
"-beta",
|
||
"+gamma",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"sequence.txt": "alpha\n",
|
||
});
|
||
assertCondition(sequentialCompoundV2.files["sequence.txt"] === "gamma\n", "v2 should plan later hunks against earlier planned edits before remote writes", sequentialCompoundV2);
|
||
|
||
const emptyPatchV2 = await applyPatchV2FixtureAttempt([
|
||
"*** Begin Patch",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"empty.txt": "kept\n",
|
||
});
|
||
assertCondition(emptyPatchV2.error !== null, "v2 should reject empty patches like Codex apply_patch", emptyPatchV2);
|
||
assertCondition(!emptyPatchV2.commands.some((command) => command.startsWith("write-b64") || command.startsWith("delete")), "empty v2 patches must not touch remote files", emptyPatchV2.commands);
|
||
|
||
const environmentPreambleV2 = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Environment ID: remote",
|
||
"*** Update File: env.txt",
|
||
"@@",
|
||
"-before",
|
||
"+after",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"env.txt": "before\n",
|
||
});
|
||
assertCondition(environmentPreambleV2.files["env.txt"] === "after\n", "v2 should accept Codex apply_patch environment_id preamble", environmentPreambleV2);
|
||
|
||
const absolutePathV2 = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Update File: /tmp/absolute.txt",
|
||
"@@",
|
||
"-old",
|
||
"+new",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"/tmp/absolute.txt": "old\n",
|
||
});
|
||
assertCondition(absolutePathV2.files["/tmp/absolute.txt"] === "new\n", "v2 should accept absolute paths like Codex apply_patch when the executor route supports them", absolutePathV2);
|
||
|
||
const parentSegmentPathV2 = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Update File: ../outside.txt",
|
||
"@@",
|
||
"-old",
|
||
"+new",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"../outside.txt": "old\n",
|
||
});
|
||
assertCondition(parentSegmentPathV2.files["../outside.txt"] === "new\n", "v2 should leave path containment policy to the executor like Codex apply_patch", parentSegmentPathV2);
|
||
|
||
const missingDeleteV2 = await applyPatchV2FixtureAttempt([
|
||
"*** Begin Patch",
|
||
"*** Delete File: missing.txt",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"keep.txt": "kept\n",
|
||
});
|
||
assertCondition(missingDeleteV2.error !== null, "v2 should reject deleting a missing file like Codex apply_patch", missingDeleteV2);
|
||
assertCondition(missingDeleteV2.files["keep.txt"] === "kept\n", "missing delete must leave unrelated files unchanged", missingDeleteV2);
|
||
|
||
const moveOverwriteV2 = await applyPatchV2Fixture([
|
||
"*** Begin Patch",
|
||
"*** Update File: old-name.txt",
|
||
"*** Move to: new-name.txt",
|
||
"@@",
|
||
"-old content",
|
||
"+new content",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"old-name.txt": "old content\n",
|
||
"new-name.txt": "existing content\n",
|
||
});
|
||
assertCondition(!Object.prototype.hasOwnProperty.call(moveOverwriteV2.files, "old-name.txt"), "v2 rename should remove the source file", moveOverwriteV2);
|
||
assertCondition(moveOverwriteV2.files["new-name.txt"] === "new content\n", "v2 rename should overwrite the destination like Codex apply_patch", moveOverwriteV2);
|
||
|
||
const safePatch = applyPatchFixture([], [
|
||
"*** Begin Patch",
|
||
"*** Update File: sample.txt",
|
||
"@@",
|
||
" function alpha() {",
|
||
" return 1;",
|
||
" }",
|
||
"+function inserted() {",
|
||
"+ return 3;",
|
||
"+}",
|
||
" function beta() {",
|
||
" return 2;",
|
||
" }",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"sample.txt": [
|
||
"function alpha() {",
|
||
" return 1;",
|
||
"}",
|
||
"function beta() {",
|
||
" return 2;",
|
||
"}",
|
||
"",
|
||
].join("\n"),
|
||
});
|
||
assertCondition(safePatch.status === 0, "apply_patch sh helper should accept anchored insertions", safePatch);
|
||
assertCondition(safePatch.stderr.includes("apply_patch: hunk 1 matched sample.txt:1"), "apply_patch sh helper must report matched file:line", safePatch);
|
||
assertCondition(safePatch.files["sample.txt"]?.includes("function inserted()"), "apply_patch sh helper should apply anchored insertion", safePatch);
|
||
|
||
const lowContextPatch = applyPatchFixture([], [
|
||
"*** Begin Patch",
|
||
"*** Update File: sample.txt",
|
||
"@@",
|
||
" function alpha() {",
|
||
" return 1;",
|
||
" }",
|
||
"+function misplaced() {",
|
||
"+ return 9;",
|
||
"+}",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"sample.txt": [
|
||
"function alpha() {",
|
||
" return 1;",
|
||
"}",
|
||
"function beta() {",
|
||
" return 2;",
|
||
"}",
|
||
"",
|
||
].join("\n"),
|
||
});
|
||
assertCondition(lowContextPatch.status !== 0, "apply_patch sh helper should reject insert-only hunks without trailing context", lowContextPatch);
|
||
assertCondition(lowContextPatch.stderr.includes("insert-only without both leading and trailing context"), "low-context rejection must explain the risk", lowContextPatch);
|
||
|
||
const duplicateContextPatch = applyPatchFixture([], [
|
||
"*** Begin Patch",
|
||
"*** Update File: sample.txt",
|
||
"@@",
|
||
" marker",
|
||
"+inserted",
|
||
" x",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"sample.txt": "marker\nx\nmarker\nx\n",
|
||
});
|
||
assertCondition(duplicateContextPatch.status !== 0, "apply_patch sh helper should reject hunks whose context matches multiple locations", duplicateContextPatch);
|
||
assertCondition(duplicateContextPatch.stderr.includes("matched multiple locations"), "duplicate context rejection must explain the risk", duplicateContextPatch);
|
||
|
||
const reviewedLoosePatch = applyPatchFixture(["--allow-loose"], [
|
||
"*** Begin Patch",
|
||
"*** Update File: sample.txt",
|
||
"@@",
|
||
" marker",
|
||
"+reviewed",
|
||
" x",
|
||
"*** End Patch",
|
||
"",
|
||
].join("\n"), {
|
||
"sample.txt": "marker\nx\nmarker\nx\n",
|
||
});
|
||
assertCondition(reviewedLoosePatch.status === 0, "--allow-loose should allow an explicitly reviewed ambiguous hunk", reviewedLoosePatch);
|
||
assertCondition(reviewedLoosePatch.files["sample.txt"] === "marker\nreviewed\nx\nmarker\nx\n", "--allow-loose should still apply only one hunk", reviewedLoosePatch);
|
||
|
||
assertThrows(
|
||
() => parseSshInvocation("D601:k3s:kubectl", ["get", "pods"]),
|
||
/route must locate a target only.*ssh D601:k3s kubectl/u,
|
||
"operation names must not be accepted as k3s route segments",
|
||
);
|
||
assertThrows(
|
||
() => parseSshInvocation("D601:k3s:hwlab-ci:kubectl", ["get", "pods"]),
|
||
/route must locate a target only.*operation "kubectl" after the route/u,
|
||
"operation names must not be accepted as nested k3s route segments",
|
||
);
|
||
assertThrows(
|
||
() => parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api:logs", []),
|
||
/route must locate a target only.*operation "logs" after the route/u,
|
||
"operation names must not be accepted as k3s container route segments",
|
||
);
|
||
assertThrows(
|
||
() => parseSshInvocation("D601:k3s:apply-patch:hwlab-dev:hwlab-cloud-api", []),
|
||
/route must locate a target only.*apply-patch/u,
|
||
"pod apply-patch must be an operation after the route",
|
||
);
|
||
|
||
const routePodTarget = parseSshInvocation("D601:k3s:hwlab-dev:pod:hwlab-cloud-api-abc:api", ["printenv", "HOSTNAME"]);
|
||
assertCondition(routePodTarget.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-n' 'hwlab-dev' 'pod/hwlab-cloud-api-abc' '-c' 'api' '--' 'printenv' 'HOSTNAME'", "pod route with container must preserve explicit pod kind", routePodTarget);
|
||
|
||
const routePodWorkspace = parseSshInvocation("D601:k3s:hwlab-dev:pod:hwlab-cloud-api-abc/workspace/app:api", ["pwd"]);
|
||
assertCondition(routePodWorkspace.route.resource === "pod/hwlab-cloud-api-abc" && routePodWorkspace.route.container === "api" && routePodWorkspace.route.workspace === "/workspace/app", "pod route must support a workspace suffix after the pod id", routePodWorkspace);
|
||
assertCondition(routePodWorkspace.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-n' 'hwlab-dev' 'pod/hwlab-cloud-api-abc' '-c' 'api' '--' 'sh' '-c' 'cd \"$1\" || exit; shift; exec \"$@\"' 'unidesk-cwd' '/workspace/app' 'pwd'", "pod workspace route must run commands through a fixed cwd wrapper", routePodWorkspace);
|
||
|
||
const legacyRoutePodTarget = parseSshInvocation("D601:k3s:hwlab-dev:pod/hwlab-cloud-api-abc:api", ["printenv", "HOSTNAME"]);
|
||
assertCondition(legacyRoutePodTarget.parsed.remoteCommand === routePodTarget.parsed.remoteCommand, "legacy pod/name route remains accepted for compatibility", legacyRoutePodTarget);
|
||
|
||
const routeDeploymentWorkspaceScript = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api/app", ["script"]);
|
||
assertCondition(routeDeploymentWorkspaceScript.route.resource === "hwlab-cloud-api" && routeDeploymentWorkspaceScript.route.workspace === "/app", "deployment shorthand route must support workspace suffix", routeDeploymentWorkspaceScript);
|
||
assertCondition(routeDeploymentWorkspaceScript.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-i' '-n' 'hwlab-dev' 'deployment/hwlab-cloud-api' '--' 'sh' '-c' 'cd \"$1\" || exit; shift; exec \"$@\"' 'unidesk-cwd' '/app' 'sh' '-s' '--'", "pod workspace script must set cwd before shell -s consumes stdin", routeDeploymentWorkspaceScript);
|
||
|
||
const routeApplyPatchWorkspace = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api/app", ["apply-patch"]);
|
||
assertCondition(routeApplyPatchWorkspace.parsed.requiresStdin === true, "pod workspace apply-patch must still stream patch stdin", routeApplyPatchWorkspace);
|
||
assertCondition(routeApplyPatchWorkspace.parsed.remoteCommand === null, "pod workspace apply-patch must use the default v2 local engine", routeApplyPatchWorkspace);
|
||
|
||
const routeApplyPatchV1Workspace = parseSshInvocation("D601:k3s:hwlab-dev:hwlab-cloud-api/app", ["apply-patch-v1"]);
|
||
assertCondition(routeApplyPatchV1Workspace.parsed.requiresStdin === true, "pod workspace apply-patch-v1 must still stream patch stdin", routeApplyPatchV1Workspace);
|
||
assertCondition(routeApplyPatchV1Workspace.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-i' '-n' 'hwlab-dev' 'deployment/hwlab-cloud-api' '--' 'sh' '-c' 'cd \"$1\" || exit; shift; exec \"$@\"' 'unidesk-cwd' '/app' 'sh' '-s' '--'", "pod workspace apply-patch-v1 must set cwd before injecting the sh helper", routeApplyPatchV1Workspace);
|
||
|
||
const routeExecStdin = parseSshInvocation("D601:k3s:unidesk:code-queue/root/unidesk", ["exec", "--stdin", "--", "tar", "-xf", "-", "-C", "/root/unidesk"]);
|
||
assertCondition(routeExecStdin.parsed.requiresStdin === true, "pod route exec --stdin must stream local stdin into kubectl exec", routeExecStdin);
|
||
assertCondition(routeExecStdin.parsed.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-n' 'unidesk' 'deployment/code-queue' '-i' '--' 'sh' '-c' 'cd \"$1\" || exit; shift; exec \"$@\"' 'unidesk-cwd' '/root/unidesk' 'tar' '-xf' '-' '-C' '/root/unidesk'", "pod route exec --stdin must keep exec flags before -- and command argv after --", routeExecStdin);
|
||
|
||
const sshLike = parseSshArgs(["echo hello"]);
|
||
const hint = sshFailureHint("D601", sshLike, 255, "kex_exchange_identification: Connection closed by remote host");
|
||
assertCondition(hint !== null, "ssh-like kex failure must produce a hint", sshLike);
|
||
assertCondition(hint?.try === "bun scripts/cli.ts ssh D601 script <<'SCRIPT'", "hint must provide canonical stdin script retry", hint);
|
||
assertCondition(hint?.triage.includes("provider triage D601"), "hint must provide provider triage command", hint);
|
||
const formatted = formatSshFailureHint(hint!);
|
||
assertCondition(formatted.startsWith("UNIDESK_SSH_HINT "), "formatted hint must have structured prefix", formatted);
|
||
assertCondition(!formatted.includes("echo hello"), "formatted hint must not echo the original remote command", formatted);
|
||
|
||
const timingInfo = sshRuntimeTimingHint({
|
||
invocation: parseSshInvocation("D601:/home/ubuntu/workspace/hwlab-dev", ["argv", "true"]),
|
||
transport: "backend-core-broker",
|
||
exitCode: 0,
|
||
startedAtMs: 1000,
|
||
finishedAtMs: 5200,
|
||
thresholdMs: 10_000,
|
||
});
|
||
assertCondition(timingInfo.level === "info" && timingInfo.slow === false, "short ssh operation should stay below the timing warning threshold", timingInfo);
|
||
assertCondition(timingInfo.elapsedMs === 4200 && timingInfo.elapsedSeconds === 4.2, "timing hint must include elapsed ms and seconds", timingInfo);
|
||
assertCondition(formatSshRuntimeTimingHint(timingInfo) === "", "short ssh operation must not write routine timing noise to stderr", timingInfo);
|
||
const slowTiming = sshRuntimeTimingHint({
|
||
invocation: parseSshInvocation("D601", ["apply-patch"]),
|
||
transport: "frontend-websocket",
|
||
exitCode: 0,
|
||
startedAtMs: 0,
|
||
finishedAtMs: 12_345,
|
||
thresholdMs: 10_000,
|
||
});
|
||
assertCondition(slowTiming.level === "warning" && slowTiming.slow === true, "slow ssh operation should emit a warning timing hint", slowTiming);
|
||
assertCondition(slowTiming.message.includes("above the 10s warning threshold"), "slow timing warning must explain the threshold", slowTiming);
|
||
const formattedTiming = formatSshRuntimeTimingHint(slowTiming);
|
||
assertCondition(formattedTiming.startsWith("UNIDESK_SSH_TIMING "), "formatted timing hint must have structured prefix", formattedTiming);
|
||
assertCondition(formattedTiming.includes("\"exitCode\":0"), "slow successful ssh operation must still emit timing warning as a performance signal", formattedTiming);
|
||
assertCondition(!formattedTiming.includes("apply_patch"), "timing hint must not echo the original remote command", formattedTiming);
|
||
|
||
const timeoutHint = sshFailureHint("D601", sshLike, 255, "unidesk ssh bridge timed out waiting for provider session");
|
||
assertCondition(timeoutHint?.trigger === "timeout-or-kex", "provider session timeout must map to timeout-or-kex", timeoutHint);
|
||
assertCondition(sshRuntimeTimeoutMs({ UNIDESK_SSH_RUNTIME_TIMEOUT_MS: "120000" } as NodeJS.ProcessEnv) === 60_000, "ssh runtime timeout must cap at 60s", {});
|
||
assertCondition(sshRuntimeTimeoutMs({ UNIDESK_TRAN_RUNTIME_TIMEOUT_MS: "2500" } as NodeJS.ProcessEnv) === 2500, "ssh runtime timeout must accept smaller explicit limits", {});
|
||
const runtimeTimeout = sshRuntimeTimeoutHint({
|
||
invocation: parseSshInvocation("G14:k3s", ["script"]),
|
||
transport: "backend-core-broker",
|
||
timeoutMs: 60_000,
|
||
});
|
||
const formattedRuntimeTimeout = formatSshRuntimeTimeoutHint(runtimeTimeout);
|
||
assertCondition(formattedRuntimeTimeout.startsWith("UNIDESK_SSH_RUNTIME_TIMEOUT "), "runtime timeout hint must have structured prefix", formattedRuntimeTimeout);
|
||
assertCondition(formattedRuntimeTimeout.includes("short query plus poll semantics"), "runtime timeout hint must point to short polling", formattedRuntimeTimeout);
|
||
assertCondition(!formattedRuntimeTimeout.includes("kubectl"), "runtime timeout hint must not echo remote command text", formattedRuntimeTimeout);
|
||
|
||
const help = sshHelp() as { notes?: unknown };
|
||
const helpText = JSON.stringify(help);
|
||
const helpNotes = Array.isArray(help.notes) ? help.notes.map(String).join("\n") : "";
|
||
assertCondition(helpText.includes("ssh <providerId> script [--shell sh|bash] [script-args...] <<'SCRIPT'"), "ssh help must recommend stdin script passthrough for shell scripts", helpText);
|
||
assertCondition(helpText.includes("ssh <providerId> shell [--shell sh|bash]") && helpText.includes("outer shell operators written outside tran"), "ssh help must document one-line shell passthrough and the local operator boundary", helpText);
|
||
assertCondition(helpText.includes("inherits provider proxy variables"), "ssh help must state default script inherits provider proxy env", helpText);
|
||
assertCondition(helpText.includes("not as a proxy workaround"), "ssh help must reserve --shell bash for bash syntax instead of proxy workarounds", helpText);
|
||
assertCondition(helpNotes.includes("portable printf headings") && helpNotes.includes('printf "--- section ---\\n"'), "ssh help must document script/shell printf heading compatibility", helpNotes);
|
||
assertCondition(helpText.includes("ssh D601:/home/ubuntu/workspace/hwlab-dev git status --short --branch"), "ssh help must document host workspace routes", helpText);
|
||
assertCondition(helpText.includes("ssh D601:win cmd ver") && helpText.includes("ssh D601:win/c/test cmd cd") && helpText.includes("ssh D601:win skills"), "ssh help must document Windows cmd and skills win routes", helpText);
|
||
assertCondition(helpText.includes("Use `win`, not `win32`") && helpText.includes("chcp 65001") && helpText.includes("PYTHONIOENCODING=utf-8"), "ssh help must document win route UTF-8 defaults and naming", helpText);
|
||
assertCondition(helpText.includes("ssh D601:k3s kubectl get pods -n hwlab-dev"), "ssh help must document k3s kubectl operation", helpText);
|
||
assertCondition(helpText.includes("ssh G14:k3s kubectl get pipelineruns -n hwlab-ci"), "ssh help must document G14 k3s route operation", helpText);
|
||
assertCondition(helpText.includes("ssh D601:k3s:hwlab-dev:hwlab-cloud-api/app pwd"), "ssh help must document k3s pod workspace route", helpText);
|
||
assertCondition(helpText.includes("ssh D601:k3s script <<'SCRIPT'"), "ssh help must document k3s control-plane script operation", helpText);
|
||
assertCondition(helpText.includes("ssh D601:k3s:hwlab-dev:hwlab-cloud-api/app apply-patch <<'PATCH'"), "ssh help must document k3s pod apply-patch operation", helpText);
|
||
assertCondition(helpText.includes("ssh <route> upload <local-file> <remote-file>") && helpText.includes("ssh <route> download <remote-file> <local-file>"), "ssh help must document verified file transfer operations", helpText);
|
||
assertCondition(helpText.includes("ssh D601:k3s:unidesk:code-queue/root/unidesk exec --stdin -- tar -xf - -C /root/unidesk"), "ssh help must document one-step stdin file streaming into pod exec", helpText);
|
||
assertCondition(helpText.includes("apply-patch-v1 [--allow-loose]") && helpText.includes("low-context update hunks"), "ssh help must document apply-patch-v1 loose-context guard", helpText);
|
||
assertCondition(helpText.includes("ssh D601:k3s:hwlab-dev:hwlab-cloud-api script <<'SCRIPT'"), "ssh help must document k3s script operation", helpText);
|
||
assertCondition(helpText.includes("UNIDESK_SSH_HINT"), "ssh help must document structured failure hint", helpText);
|
||
assertCondition(helpText.includes("UNIDESK_SSH_RUNTIME_TIMEOUT") && helpText.includes("UNIDESK_TRAN_TIMEOUT_HINT") && helpText.includes("60s") && helpText.includes("submit-and-poll"), "ssh help must document top-level runtime timeout and short polling discipline", helpText);
|
||
assertCondition(helpText.includes("UNIDESK_SSH_TIMING") && helpText.includes("10s") && helpText.includes("slow successful calls are a distributed performance monitoring signal") && helpText.includes("Routine short calls do not emit timing noise"), "ssh help must document slow-only runtime timing hints", helpText);
|
||
assertCondition(helpText.includes("must not add provider/plane directory locks") && helpText.includes("k8s/Tekton/Argo/Lease"), "ssh help must document tran's no-local-lock boundary", helpText);
|
||
|
||
const crossChecks = providerTriageRecommendedCrossChecks("D601");
|
||
assertCondition(crossChecks.includes("bun scripts/cli.ts ssh D601 argv true"), "provider triage cross-checks must keep argv true", crossChecks);
|
||
|
||
const frontendRemoteK3sPlan = remoteSshFrontendPlanForTest("D601:k3s", ["kubectl", "get", "nodes", "-o", "name"]);
|
||
assertCondition(frontendRemoteK3sPlan.transport === "frontend-websocket", "remote frontend ssh must use the streaming websocket bridge", frontendRemoteK3sPlan);
|
||
assertCondition(frontendRemoteK3sPlan.providerId === "D601", "remote frontend ssh must dispatch route target to the provider id", frontendRemoteK3sPlan);
|
||
assertCondition(frontendRemoteK3sPlan.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'get' 'nodes' '-o' 'name'", "remote frontend ssh must preserve k3s route command construction", frontendRemoteK3sPlan);
|
||
assertCondition(!String(frontendRemoteK3sPlan.wrappedRemoteCommand ?? "").includes("UNIDESK_SSH_TOOL_DIR=/tmp/unidesk-ssh-tools"), "remote frontend ssh must not bootstrap helper tools for plain kubectl argv", frontendRemoteK3sPlan);
|
||
|
||
const frontendRemoteHostPatchPlan = remoteSshFrontendPlanForTest("D601", ["apply-patch"]);
|
||
assertCondition(frontendRemoteHostPatchPlan.requiresStdin === true && frontendRemoteHostPatchPlan.remoteCommand === null && !String(frontendRemoteHostPatchPlan.wrappedRemoteCommand ?? "").includes("UNIDESK_SSH_TOOL_DIR"), "frontend apply-patch plan must stay a local v2 engine operation and not bootstrap legacy helpers", frontendRemoteHostPatchPlan);
|
||
|
||
const frontendRemoteV1Plan = remoteSshFrontendPlanForTest("D601:/tmp", ["apply-patch-v1"]);
|
||
assertCondition(String(frontendRemoteV1Plan.wrappedRemoteCommand ?? "").includes("UNIDESK_SSH_TOOL_DIR=/tmp/unidesk-ssh-tools"), "frontend apply-patch-v1 must bootstrap the remote apply_patch helper", frontendRemoteV1Plan);
|
||
assertCondition(String(frontendRemoteV1Plan.wrappedRemoteCommand ?? "").includes("/apply_patch") && !String(frontendRemoteV1Plan.wrappedRemoteCommand ?? "").includes("/glob") && !String(frontendRemoteV1Plan.wrappedRemoteCommand ?? "").includes("/skill-discover"), "frontend apply-patch-v1 must not bootstrap unrelated helper tools", frontendRemoteV1Plan);
|
||
|
||
const frontendRemotePodArgvPlan = remoteSshFrontendPlanForTest("G14:k3s:unidesk:code-queue", ["argv", "sh", "-c", "command -v tran"]);
|
||
assertCondition(frontendRemotePodArgvPlan.providerId === "G14", "remote frontend pod route must dispatch through G14 provider", frontendRemotePodArgvPlan);
|
||
assertCondition(frontendRemotePodArgvPlan.remoteCommand === "'env' 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml' 'kubectl' 'exec' '-n' 'unidesk' 'deployment/code-queue' '--' 'sh' '-c' 'command -v tran'", "remote frontend pod argv route must be fully assembled before dispatch", frontendRemotePodArgvPlan);
|
||
|
||
const frontendRemoteWorkspacePlan = remoteSshFrontendPlanForTest("D601:/home/ubuntu/workspace/hwlab-dev", ["git", "status", "--short"]);
|
||
assertCondition(frontendRemoteWorkspacePlan.payloadCwd === "/home/ubuntu/workspace/hwlab-dev", "remote frontend host workspace route must pass cwd to host.ssh payload", frontendRemoteWorkspacePlan);
|
||
assertCondition(frontendRemoteWorkspacePlan.remoteCommand === "'git' 'status' '--short'", "remote frontend host workspace route must keep command argv-quoted", frontendRemoteWorkspacePlan);
|
||
|
||
const frontendRemoteWinPlan = remoteSshFrontendPlanForTest("D601:win/c/test", ["cmd", "cd"]);
|
||
assertCondition(frontendRemoteWinPlan.providerId === "D601" && frontendRemoteWinPlan.payloadCwd === "/mnt/c/Windows", "remote frontend win route must dispatch through provider host.ssh from a Windows-mounted cwd", frontendRemoteWinPlan);
|
||
const frontendRemoteWinScript = decodeWinEncodedCommand(String(frontendRemoteWinPlan.remoteCommand));
|
||
assertCondition(frontendRemoteWinScript.includes("cmd.exe") && frontendRemoteWinScript.includes("cd /d \"C:\\test\""), "remote frontend win route must assemble Windows cmd cwd internally", { frontendRemoteWinPlan, frontendRemoteWinScript });
|
||
|
||
const tranScript = readFileSync(new URL("./tran", import.meta.url), "utf8");
|
||
assertCondition(tranScript.includes("CODE_QUEUE_DEV_CONTAINER_MASTER_HOST") && tranScript.includes("--main-server-ip"), "tran wrapper must auto-select frontend transport inside Code Queue runner pods", tranScript);
|
||
assertCondition(tranScript.includes("UNIDESK_TRAN_LOCAL"), "tran wrapper must keep an explicit local override for diagnostics", tranScript);
|
||
assertCondition(!tranScript.includes("tran_lock_scope") && !tranScript.includes("UNIDESK_TRAN_LOCK_DIR") && !tranScript.includes("mkdir \"$lock_path\""), "tran wrapper must not add local provider/plane directory locks", tranScript);
|
||
|
||
const remoteSource = readFileSync(new URL("./src/remote.ts", import.meta.url), "utf8");
|
||
assertCondition(remoteSource.includes("UNIDESK_REMOTE_HTTP_CLIENT") && remoteSource.includes("isCodeQueueRunnerEnv(env) ? \"curl\" : \"fetch\""), "remote frontend transport must default to curl HTTP in Code Queue runner environments", remoteSource);
|
||
assertCondition(remoteSource.includes("frontendSshWebSocketUrl") && remoteSource.includes("runRemoteSshWebSocket"), "remote frontend ssh must go through the streaming websocket implementation", remoteSource);
|
||
assertCondition(remoteSource.includes("UNIDESK_SSH_CLIENT_TOKEN") && remoteSource.includes("authorization: `Bearer ${session.sshClientToken}`"), "remote frontend ssh must support scoped bearer-token clients without frontend admin login", remoteSource);
|
||
assertCondition(!remoteSource.includes("remote frontend transport does not stream stdin"), "remote frontend ssh must not reject stdin-backed helpers", remoteSource);
|
||
assertCondition(!remoteSource.includes("source: \"cli-remote-ssh\""), "remote frontend ssh must not use host.ssh dispatch task polling", remoteSource);
|
||
|
||
const sshSource = readFileSync(new URL("./src/ssh.ts", import.meta.url), "utf8");
|
||
const sshFileTransferSource = readFileSync(new URL("./src/ssh-file-transfer.ts", import.meta.url), "utf8");
|
||
assertCondition(sshFileTransferSource.includes("runSshFileTransferOperation") && sshFileTransferSource.includes("write-b64-commit"), "file transfer operation implementation must live in the dedicated ssh-file-transfer module", {});
|
||
assertCondition(sshFileTransferSource.includes("buildTransferVerification") && sshFileTransferSource.includes("automatic: true") && sshFileTransferSource.includes("match"), "file transfer JSON must expose automatic endpoint verification instead of relying on manual sha256sum checks", sshFileTransferSource);
|
||
assertCondition(!sshSource.includes("type SshFileTransferOperation") && !sshSource.includes("posixFileTransferScript"), "ssh.ts must not accumulate the full upload/download implementation", {});
|
||
|
||
const frontendSource = readFileSync(new URL("../src/components/frontend/src/index.ts", import.meta.url), "utf8");
|
||
assertCondition(frontendSource.includes('url.pathname === "/ws/ssh"') && frontendSource.includes("proxySshWebSocket"), "frontend must expose an authenticated /ws/ssh proxy", frontendSource);
|
||
assertCondition(frontendSource.includes("coreSshWebSocketUrl") && frontendSource.includes('url.searchParams.set("token"'), "frontend /ws/ssh proxy must connect to backend-core ssh bridge with the provider token", frontendSource);
|
||
assertCondition(frontendSource.includes("PROVIDER_TOKEN_FILE") && frontendSource.includes("/run/secrets/unidesk_provider_token"), "frontend ssh proxy must support file-based provider token injection for runtime hotfix and secret mounts", frontendSource);
|
||
assertCondition(frontendSource.includes("UNIDESK_SSH_CLIENT_TOKEN") && frontendSource.includes("UNIDESK_SSH_CLIENT_ROUTE_ALLOWLIST"), "frontend ssh proxy must support scoped client-token configuration", frontendSource);
|
||
assertCondition(frontendSource.includes("route-not-allowed") && frontendSource.includes("sshRouteAllowed") && frontendSource.includes("ssh.open"), "frontend ssh proxy must reject disallowed scoped-client routes before opening a provider session", frontendSource);
|
||
|
||
const composeSource = readFileSync(new URL("../docker-compose.yml", import.meta.url), "utf8");
|
||
assertCondition(composeSource.includes('PROVIDER_TOKEN: "${UNIDESK_PROVIDER_TOKEN}"'), "frontend compose service must receive provider token for the ssh proxy", composeSource);
|
||
|
||
const devCoreManifest = readFileSync(new URL("../src/components/microservices/k3sctl-adapter/k3s/dev/unidesk-dev-core.k8s.yaml", import.meta.url), "utf8");
|
||
assertCondition(devCoreManifest.includes("name: frontend-dev") && devCoreManifest.includes("name: PROVIDER_TOKEN"), "dev frontend manifest must receive provider token for the ssh proxy", devCoreManifest);
|
||
|
||
const codeQueueDockerfile = readFileSync(new URL("../src/components/microservices/code-queue/Dockerfile", import.meta.url), "utf8");
|
||
assertCondition(codeQueueDockerfile.includes("COPY scripts/tran /usr/local/bin/tran") && codeQueueDockerfile.includes("chmod 755 /usr/local/bin/tran"), "Code Queue runner image must install tran on PATH", codeQueueDockerfile);
|
||
|
||
return {
|
||
ok: true,
|
||
checks: [
|
||
"argv form is classified and quoted as the success path for non-interactive commands",
|
||
"stdin script form removes shell-command strings for host and k3s workload scripts",
|
||
"script -- single-string runs as a remote shell one-liner while multi-token form keeps dash-prefixed argv",
|
||
"script/shell helpers inject a portable printf prelude for common section headings",
|
||
"pod apply-patch operation uses the v2 local engine and apply-patch-v1 injects the legacy helper",
|
||
"pod exec --stdin streams arbitrary local stdin through workload routes without shell wrapping",
|
||
"upload/download file transfer operations use a dedicated module with automatic endpoint byte-count and sha256 verification JSON",
|
||
"apply-patch-v1 uses one sh helper for host and pod paths and rejects low-context hunks unless --allow-loose is explicit",
|
||
"legacy operation-in-route forms are rejected in any k3s route segment with canonical route-plus-operation guidance",
|
||
"post-provider k3s shorthand is rejected so location and operation stay separated",
|
||
"k3s route stays location-only while operations fix native kubeconfig and assemble kubectl exec as argv",
|
||
"win route runs Windows cmd.exe with UTF-8 defaults and slash cwd syntax such as D601:win/c/test",
|
||
"win skills discovers the current Windows user's skill roots without hand-written cmd dir or PowerShell",
|
||
"top-level remote option parsing preserves command-local -- separators for script -- sed -n style commands",
|
||
"ssh-like timeout/kex failures emit one structured argv retry hint",
|
||
"ssh runtime emits structured timing for slow operations over 10 seconds, including successful slow calls",
|
||
"help text documents stdin script passthrough and UNIDESK_SSH_HINT",
|
||
"provider triage recommendedCrossChecks keeps ssh D601 argv true",
|
||
"remote frontend ssh uses the same structured route parser for host, k3s and pod argv routes",
|
||
"ssh helper bootstrap is lazy so plain argv/script commands do not transfer helper sources",
|
||
"host apply-patch-v1 bootstraps only the apply_patch helper and uses a Perl fast path for large files",
|
||
"remote frontend ssh uses authenticated /ws/ssh streaming instead of host.ssh dispatch task polling",
|
||
"Code Queue runner image installs the tran wrapper and runner tran auto-selects remote frontend transport",
|
||
"tran does not add local provider/plane directory locks and leaves coordination to k8s/Tekton/Argo/Lease",
|
||
"Code Queue runner remote frontend HTTP uses curl by default for non-ssh API calls to avoid Bun response-body native crashes",
|
||
],
|
||
};
|
||
}
|
||
|
||
if (import.meta.main) {
|
||
const result = await runSshArgvGuidanceContract();
|
||
process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);
|
||
}
|