Files
pikasTech-unidesk/scripts/hwlab-cd-wrapper-contract-test.ts
T
2026-05-23 19:21:40 +00:00

314 lines
15 KiB
TypeScript

import { spawnSync } from "node:child_process";
import { mkdirSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";
import assert from "node:assert/strict";
type JsonRecord = Record<string, unknown>;
function runCli(args: string[], env: NodeJS.ProcessEnv = {}): JsonRecord {
const result = spawnSync("bun", ["scripts/cli.ts", ...args], {
cwd: process.cwd(),
env: { ...process.env, ...env },
encoding: "utf8",
timeout: 20_000,
});
assert.equal(result.stderr, "", `stderr should be empty: ${result.stderr}`);
assert.notEqual(result.stdout.trim(), "", "CLI must not produce empty output");
const parsed = JSON.parse(result.stdout) as JsonRecord;
if (result.status !== 0) {
assert.equal(parsed.ok, false, `nonzero CLI should return ok=false: ${result.stdout}`);
}
return parsed;
}
function makeFakeHwlabRepo(): string {
const root = join(tmpdir(), `unidesk-hwlab-cd-wrapper-${process.pid}-${Date.now()}`);
mkdirSync(join(root, "scripts"), { recursive: true });
writeFileSync(join(root, "scripts/dev-cd-apply.mjs"), [
"const kubeconfigIndex = process.argv.indexOf('--kubeconfig');",
"process.stdout.write(JSON.stringify({",
" ok: true,",
" status: 'pass',",
" mode: process.argv.includes('--dry-run') ? 'dry-run' : 'status',",
" command: 'dev-cd-apply',",
" mutationAttempted: false,",
" prodTouched: false,",
" target: {",
" ref: 'origin/main',",
" promotionCommit: 'abc1234567890abcdef',",
" shortCommitId: 'abc1234',",
" promotionSource: 'deploy-json',",
" publishRequired: false,",
" headCommitId: 'abc1234567890abcdef',",
" headMatchesTarget: true,",
" desiredStateCheck: { status: 'pass', summary: { desiredCommitId: 'abc1234', targetConvergence: 'already_promoted' } },",
" artifactBoundary: { status: 'pass', desiredState: { deployCommitId: 'abc1234', catalogCommitId: 'abc1234', deployCommitMatches: true, catalogCommitMatches: true } },",
" namespace: 'hwlab-dev'",
" },",
" deployJson: { path: 'deploy/deploy.json', commitId: 'abc1234', matchesTarget: true },",
" artifactCatalog: { path: 'deploy/artifact-catalog.dev.json', commitId: 'abc1234', artifactState: 'published', ciPublished: true, registryVerified: true },",
" artifactReport: { path: 'reports/dev-gate/dev-artifacts.json', commitId: 'abc1234' },",
" lock: { status: 'absent' },",
" liveDelta: { status: 'unknown' },",
" kubeconfig: kubeconfigIndex >= 0 ? process.argv[kubeconfigIndex + 1] : null",
"}, null, 2));",
].join("\n"));
writeFileSync(join(root, "scripts/dev-deploy-apply.mjs"), [
"const dryRun = process.argv.includes('--dry-run');",
"const kubeconfigIndex = process.argv.indexOf('--kubeconfig');",
"process.stdout.write(JSON.stringify({",
" reportVersion: 'v1',",
" status: dryRun ? 'pass' : 'blocked',",
" commitId: 'abc1234',",
" namespace: 'hwlab-dev',",
" endpoint: 'http://74.48.78.17:16667',",
" blockers: [],",
" devDeployApply: {",
" conclusion: { status: 'ready', blockerCount: 0 },",
" artifactPlan: { expectedArtifactCommit: 'abc1234', deployCommitId: 'abc1234', catalogCommitId: 'abc1234', published: true, registryVerified: true, imageCount: 13, requiredServiceCount: 13, unpublishedServices: [] },",
" applyBoundary: { currentMode: 'dry-run', defaultNoWrite: true, mutationAttempted: false, mutationAllowed: false, kubeconfigSource: 'flag:--kubeconfig', writeScope: 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl apply -k deploy/k8s/dev', noWriteScope: 'server-side dry-run only', forbiddenActions: ['prod-deploy'] },",
" applyStep: { status: 'pass', command: 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl apply --dry-run=server -k deploy/k8s/dev', mutationAttempted: false },",
" manualCommands: { status: 'ready' }",
" },",
" kubeconfig: kubeconfigIndex >= 0 ? process.argv[kubeconfigIndex + 1] : null",
"}, null, 2));",
].join("\n"));
writeFileSync(join(root, "scripts/deploy-desired-state-plan.mjs"), [
"process.stdout.write(JSON.stringify({",
" kind: 'hwlab-deploy-desired-state-plan',",
" mode: 'read-only-plan',",
" status: 'pass',",
" source: { deploy: 'deploy/deploy.json', artifactCatalog: 'deploy/artifact-catalog.dev.json', workloads: 'deploy/k8s/base/workloads.yaml', optionalReport: 'reports/dev-gate/dev-artifacts.json' },",
" promotionBoundary: { authoritativeDesiredState: ['deploy/deploy.json', 'deploy/artifact-catalog.dev.json', 'deploy/k8s/base/workloads.yaml'], nonAuthoritativeEvidence: ['reports/dev-gate/dev-artifacts.json'] },",
" summary: { desiredCommitId: 'abc1234', desiredImageTag: 'abc1234', artifactState: 'published', ciPublished: true, registryVerified: true, services: 13, workloadContainers: 13, diagnostics: 0, blockers: 0, targetConvergence: 'not_requested' }",
"}, null, 2));",
].join("\n"));
spawnSync("git", ["init", "-b", "main"], { cwd: root, encoding: "utf8" });
spawnSync("git", ["config", "user.email", "test@example.invalid"], { cwd: root, encoding: "utf8" });
spawnSync("git", ["config", "user.name", "HWLAB CD Test"], { cwd: root, encoding: "utf8" });
spawnSync("git", ["remote", "add", "origin", "git@github.com:pikasTech/HWLAB.git"], { cwd: root, encoding: "utf8" });
spawnSync("git", ["add", "."], { cwd: root, encoding: "utf8" });
spawnSync("git", ["commit", "-m", "fixture"], { cwd: root, encoding: "utf8" });
spawnSync("git", ["update-ref", "refs/remotes/origin/main", "HEAD"], { cwd: root, encoding: "utf8" });
writeFileSync(join(root, ".git", "FETCH_HEAD"), "fixture\n");
return root;
}
function makeFakeBin(mode: "native" | "desktop" | "stale-default" | "wrong-node" | "missing-secret"): string {
const bin = join(tmpdir(), `unidesk-hwlab-cd-bin-${process.pid}-${Date.now()}-${mode}`);
mkdirSync(bin, { recursive: true });
const explicitContext = mode === "desktop" ? "docker-desktop" : "default";
const explicitServer = mode === "desktop" ? "https://127.0.0.1:11700" : "https://127.0.0.1:6443";
const explicitNodes = mode === "desktop" ? "desktop-control-plane" : mode === "wrong-node" ? "d602" : "d601";
const defaultContext = mode === "stale-default" ? "docker-desktop" : explicitContext;
const defaultServer = mode === "stale-default" ? "https://127.0.0.1:11700" : explicitServer;
const defaultNodes = mode === "stale-default" ? "desktop-control-plane" : explicitNodes;
writeFileSync(join(bin, "kubectl"), [
"#!/usr/bin/env bash",
"set -euo pipefail",
"printf 'KUBECONFIG=%s\\n' \"${KUBECONFIG:-}\" >&2",
"context=" + JSON.stringify(explicitContext),
"server=" + JSON.stringify(explicitServer),
"nodes=" + JSON.stringify(explicitNodes),
"if [[ \"${KUBECONFIG:-}\" == '' ]]; then",
" context=" + JSON.stringify(defaultContext),
" server=" + JSON.stringify(defaultServer),
" nodes=" + JSON.stringify(defaultNodes),
"fi",
"if [[ \"$*\" == 'config current-context' ]]; then printf '%s\\n' \"$context\"; exit 0; fi",
"if [[ \"$*\" == 'config view --minify -o jsonpath={.clusters[0].cluster.server}' ]]; then printf '%s' \"$server\"; exit 0; fi",
"if [[ \"$*\" == 'get nodes -o jsonpath={range .items[*]}{.metadata.name}{\"\\n\"}{end}' ]]; then printf '%s\\n' \"$nodes\"; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev get lease hwlab-dev-cd-lock -o json' ]]; then printf 'Error from server (NotFound): leases.coordination.k8s.io \"hwlab-dev-cd-lock\" not found\\n' >&2; exit 1; fi",
"if [[ \"$*\" == '-n hwlab-dev get deploy -o jsonpath={range .items[*]}{.metadata.name}{\"\\t\"}{range .spec.template.spec.containers[*]}{.name}{\"=\"}{.image}{\",\"}{end}{\"\\n\"}{end}' ]]; then printf 'hwlab-cloud-api\\thwlab-cloud-api=127.0.0.1:5000/hwlab/hwlab-cloud-api:abc1234,\\n'; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev get secret hwlab-code-agent-provider -o name' && " + JSON.stringify(mode) + " == 'missing-secret' ]]; then printf 'Error from server (NotFound): secrets \"hwlab-code-agent-provider\" not found\\n' >&2; exit 1; fi",
"if [[ \"$*\" =~ ^-n\\ hwlab-dev\\ get\\ secret\\ ([^[:space:]]+)\\ -o\\ name$ ]]; then printf 'secret/%s\\n' \"${BASH_REMATCH[1]}\"; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev describe secret hwlab-cloud-api-dev-db' ]]; then printf 'Name: hwlab-cloud-api-dev-db\\nData\\n====\\ndatabase-url: 48 bytes\\n'; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev describe secret hwlab-cloud-api-dev-db-admin' ]]; then printf 'Name: hwlab-cloud-api-dev-db-admin\\nData\\n====\\nadmin-url: 48 bytes\\n'; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev describe secret hwlab-code-agent-provider' ]]; then printf 'Name: hwlab-code-agent-provider\\nData\\n====\\nopenai-api-key: 48 bytes\\n'; exit 0; fi",
"printf '{}\\n'",
].join("\n"));
spawnSync("chmod", ["+x", join(bin, "kubectl")]);
return bin;
}
const fakeRepo = makeFakeHwlabRepo();
const nativeBin = makeFakeBin("native");
const desktopBin = makeFakeBin("desktop");
const staleDefaultBin = makeFakeBin("stale-default");
const wrongNodeBin = makeFakeBin("wrong-node");
const missingSecretBin = makeFakeBin("missing-secret");
const liveBody = "data:application/json,%7B%22serviceId%22%3A%22hwlab-cloud-web%22%2C%22environment%22%3A%22dev%22%2C%22status%22%3A%22ok%22%2C%22revision%22%3A%22abc1234%22%7D";
const apiBody = "data:application/json,%7B%22serviceId%22%3A%22hwlab-cloud-api%22%2C%22environment%22%3A%22dev%22%2C%22status%22%3A%22ok%22%2C%22revision%22%3A%22abc1234%22%7D";
const help = runCli(["hwlab", "help"]);
assert.equal(help.ok, true);
assert.equal((help.data as JsonRecord).command, "hwlab cd");
const runnerHistoryRepo = runCli([
"hwlab",
"cd",
"status",
"--env",
"dev",
"--hwlab-repo",
"/home/ubuntu/hwlab",
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
});
assert.equal(runnerHistoryRepo.ok, false);
const runnerHistoryCandidates = ((runnerHistoryRepo.data as JsonRecord).repo as JsonRecord).candidates as JsonRecord[];
assert.equal(runnerHistoryCandidates[0]?.rejected, true);
assert.equal(runnerHistoryCandidates[0]?.rejectionReason, "runner-history-directory-is-not-hwlab-cd-release-truth");
const applyDryRun = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
});
assert.equal(applyDryRun.ok, true);
const dryRunData = applyDryRun.data as JsonRecord;
assert.equal(dryRunData.dryRun, true);
assert.equal(dryRunData.mutation, false);
assert.equal(((dryRunData.d601NativeK3sGuard as JsonRecord).injectedEnv as JsonRecord).KUBECONFIG, "/etc/rancher/k3s/k3s.yaml");
assert.equal((dryRunData.d601NativeK3sGuard as JsonRecord).requiredNodePresent, true);
assert.equal((dryRunData.controlledDryRun as JsonRecord).commandOk, true);
assert.equal((dryRunData.secretRefPreflight as JsonRecord).status, "pass");
assert.equal(((dryRunData.controlledDryRun as JsonRecord).controlledEntrypoint), "scripts/dev-cd-apply.mjs");
assert.equal(((dryRunData.hostCommanderOnlyLiveApply as JsonRecord).commandShape as unknown[]).includes("scripts/dev-cd-apply.mjs"), true);
assert.equal(JSON.stringify(dryRunData).includes("sk-secret"), false);
const preflight = runCli([
"hwlab",
"cd",
"preflight",
"--env",
"dev",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
UNIDESK_HWLAB_CD_TEST_FRONTEND_LIVE_URL: liveBody,
UNIDESK_HWLAB_CD_TEST_API_LIVE_URL: apiBody,
});
assert.equal(preflight.ok, true);
const preflightData = preflight.data as JsonRecord;
assert.equal(preflightData.mutation, false);
assert.equal((preflightData.secretRefPreflight as JsonRecord).status, "pass");
assert.equal((preflightData.liveWorkloads as JsonRecord).status, "observed");
const realApply = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
});
assert.equal(realApply.ok, false);
assert.equal((realApply.data as JsonRecord).error, "host-commander-only-real-apply");
const status = runCli([
"hwlab",
"cd",
"status",
"--env",
"dev",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
UNIDESK_HWLAB_CD_TEST_FRONTEND_LIVE_URL: liveBody,
UNIDESK_HWLAB_CD_TEST_API_LIVE_URL: apiBody,
});
assert.equal(status.ok, true);
const statusData = status.data as JsonRecord;
assert.equal(((statusData.d601NativeK3sGuard as JsonRecord).injectedEnv as JsonRecord).KUBECONFIG, "/etc/rancher/k3s/k3s.yaml");
assert.equal((statusData.liveRevisions as JsonRecord).status, "observed");
assert.ok(typeof statusData.dumpDir === "string" && String(statusData.dumpDir).includes(".state/hwlab-cd"));
const staleDefaultOk = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${staleDefaultBin}:${process.env.PATH ?? ""}`,
KUBECONFIG: "",
});
assert.equal(staleDefaultOk.ok, true);
const staleDefaultGuard = (staleDefaultOk.data as JsonRecord).d601NativeK3sGuard as JsonRecord;
assert.equal(staleDefaultGuard.status, "pass");
assert.equal(staleDefaultGuard.refusal, false);
assert.equal((staleDefaultGuard.defaultKubectlDiagnostic as JsonRecord).status, "stale-forbidden-default");
assert.deepEqual((staleDefaultGuard.defaultKubectlDiagnostic as JsonRecord).refusalSignals, ["docker-desktop", "desktop-control-plane", "127.0.0.1:11700"]);
const desktopRefusal = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${desktopBin}:${process.env.PATH ?? ""}`,
});
assert.equal(desktopRefusal.ok, false);
assert.equal((desktopRefusal.data as JsonRecord).error, "native-k3s-guard-refused");
assert.deepEqual((desktopRefusal.data as JsonRecord).d601NativeK3sGuard && ((desktopRefusal.data as JsonRecord).d601NativeK3sGuard as JsonRecord).refusalSignals, ["docker-desktop", "desktop-control-plane", "127.0.0.1:11700"]);
const wrongNodeBlocked = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${wrongNodeBin}:${process.env.PATH ?? ""}`,
});
assert.equal(wrongNodeBlocked.ok, false);
const wrongNodeGuard = (wrongNodeBlocked.data as JsonRecord).d601NativeK3sGuard as JsonRecord;
assert.equal(wrongNodeGuard.status, "blocked");
assert.equal(wrongNodeGuard.requiredNodePresent, false);
assert.equal(((wrongNodeBlocked.data as JsonRecord).blockers as JsonRecord[]).some((blocker) => blocker.scope === "d601-native-k3s-guard"), true);
const missingSecretBlocked = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${missingSecretBin}:${process.env.PATH ?? ""}`,
});
assert.equal(missingSecretBlocked.ok, false);
const missingSecretData = missingSecretBlocked.data as JsonRecord;
assert.equal((missingSecretData.secretRefPreflight as JsonRecord).status, "blocked");
assert.equal((missingSecretData.controlledDryRun as JsonRecord).status, "skipped");
assert.equal((missingSecretData.blockers as JsonRecord[]).some((blocker) => blocker.scope === "secretref:hwlab-code-agent-provider/openai-api-key"), true);
assert.equal(JSON.stringify(missingSecretData).includes("sk-secret"), false);
console.log(JSON.stringify({ ok: true, checked: "hwlab-cd-wrapper-contract" }));