fix(agent99): validate typed SigNoz transport readback

This commit is contained in:
ogt
2026-07-17 12:11:01 +08:00
parent 32bca98aaf
commit 0270701e2b
3 changed files with 330 additions and 45 deletions

View File

@@ -98,6 +98,97 @@ def test_entrypoint_uses_fixed_public_key_transport_and_no_arbitrary_shell() ->
assert "|| true" not in lock_helper
assert '--signal=TERM --kill-after=$($TargetKillAfterSeconds)s' in source
def test_entrypoint_uses_typed_stdout_without_windows_process_exit_code() -> None:
source = ENTRYPOINT.read_text(encoding="utf-8")
transport = source[
source.index("function Invoke-Agent99SignozFixedRemote") :
source.index("function New-Agent99SignozLockedRemoteCommand")
]
assert "$process.ExitCode" not in transport
assert "exitCodeObserved" not in transport
assert "AllowedExitCodes" not in transport
assert "function Test-Agent99SignozTransportOutcome" in transport
assert "$Result.completed -eq $true" in transport
assert "-not $Result.timedOut" in transport
assert '$process.WaitForExit($TimeoutSeconds * 1000)' in transport
assert "taskkill.exe /PID $process.Id /T /F" in transport
def test_entrypoint_preflight_has_explicit_credential_and_artifact_state_contracts() -> None:
source = ENTRYPOINT.read_text(encoding="utf-8")
assert 'function New-Agent99SignozPathStateCommand' in source
assert 'agent99_credential:symlink' in source
assert 'agent99_credential:absent' in source
assert 'agent99_credential:present:%u:%a:%s' in source
assert 'agent99_path_state:$ExpectedKind' in source
assert 'agent99_path_state:absent' in source
assert 'agent99_hashes_begin' in source
assert 'agent99_hashes_end' in source
assert '/usr/bin/echo agent99_hashes_begin' in source
assert '/usr/bin/echo agent99_hashes_end' in source
assert 'agent99_hashes_begin\\n' not in source
assert 'agent99_image:' in source
assert 'agent99_runtime:' in source
assert 'agent99_health:' in source
assert 'agent99_active:' in source
assert '$credentialState -in @("absent", "symlink", "other")' in source
assert 'credentialReadbackVerified = $credentialReadbackVerified' in source
assert 'transportReadbackVerified = $transportReadbackVerified' in source
assert 'outputStateReadbackVerified = $outputStateReadbackVerified' in source
assert 'receiptStateReadbackVerified = $receiptStateReadbackVerified' in source
assert '"credential_reference_readback_unverified"' in source
assert '"preflight_transport_unverified"' in source
assert source.count("Test-Agent99SignozTransportOutcome $verify") == 2
assert "Test-Agent99SignozTransportOutcome $check" in source
assert "Test-Agent99SignozTransportOutcome $apply" in source
def test_entrypoint_typed_readbacks_are_exact_and_preserve_unknown_state() -> None:
source = ENTRYPOINT.read_text(encoding="utf-8")
preflight = source[
source.index("function Get-Agent99SignozPreflight") :
source.index("function Write-Agent99SignozEvidenceCollision")
]
main = source[
source.index(
'$preflight = Get-Agent99SignozPreflight '
'-ExpectedArtifactState "absent"'
) :
]
assert "$hashLines.Count -eq $ToolchainFiles.Count + 2" in preflight
assert "$hashLines[0] -eq \"agent99_hashes_begin\"" in preflight
assert '$hashLines[$hashLines.Count - 1] -eq "agent99_hashes_end"' in preflight
assert "$actualHashes.ContainsKey($path)" in preflight
assert "-not $ToolchainFiles.Contains($path)" in preflight
assert '"^agent99_image:(sha256:[0-9a-f]{64})$"' in preflight
assert '--format={{.Id}},{{.Image}},{{.Config.Image}},{{.State.Running}}' in preflight
assert '--format=`"{{.Id}}|{{.Image}}|{{.Config.Image}}|{{.State.Running}}`"' not in preflight
assert '"^agent99_runtime:([0-9a-f]{64}),(sha256:' in preflight
assert '"^agent99_active:([0-9]+)$"' in preflight
assert '[ `"`$active_rc`" -eq 0 ] || [ `"`$active_rc`" -eq 1 ]' in preflight
assert "outputPresent = if ($outputStateReadbackVerified)" in preflight
assert "receiptPresent = if ($receiptStateReadbackVerified)" in preflight
assert "credentialReferencePresent = if ($credentialReadbackVerified)" in preflight
credential_unverified = main.index("credential_reference_readback_unverified")
credential_absent = main.index("credential_reference_absent")
credential_invalid = main.index("credential_reference_metadata_invalid")
preflight_unverified = main.index("preflight_transport_unverified")
generic_preflight = main.index("metadata_export_preflight_failed")
assert (
credential_unverified
< credential_absent
< credential_invalid
< preflight_unverified
< generic_preflight
)
assert "$RemoteResult.completed -ne $true" in source
assert "$RemoteResult.timedOut" in source
guard = 95
kill_after = 15
transport_reserve = 30
@@ -108,7 +199,7 @@ def test_entrypoint_uses_fixed_public_key_transport_and_no_arbitrary_shell() ->
def test_entrypoint_never_reads_or_persists_credential_value_in_controller() -> None:
source = ENTRYPOINT.read_text(encoding="utf-8")
assert 'sudo -n /usr/bin/stat -c %u:%a:%s $CredentialFile' in source
assert '/usr/bin/stat -c `"agent99_credential:present:%u:%a:%s`" `"$CredentialFile`"' in source
assert 'credentialValueRead = $false' in source
assert 'credentialValueOutput = $false' in source
assert 'secretValueReadByController = $false' in source
@@ -117,7 +208,7 @@ def test_entrypoint_never_reads_or_persists_credential_value_in_controller() ->
assert "credentialReferenceDispatchAttempted" in source
assert "$script:ApplyDispatchAttempted = $true" in source
assert "credentialReferenceConsumedOnTarget = if" in source
assert "elseif ($ApplyReceipt)" in source
assert "elseif (Test-Agent99SignozReceiptIdentity $ApplyReceipt" in source
assert 'rawSqliteRead = $false' in source
assert 'rawVolumeRead = $false' in source
assert "Get-Content -LiteralPath $CredentialFile" not in source
@@ -177,7 +268,7 @@ def test_entrypoint_reserves_durable_evidence_before_any_remote_dispatch() -> No
def test_entrypoint_binds_export_to_the_running_canonical_signoz_image() -> None:
source = ENTRYPOINT.read_text(encoding="utf-8")
assert "{{.Id}}|{{.Image}}|{{.Config.Image}}|{{.State.Running}}" in source
assert "{{.Id}},{{.Image}},{{.Config.Image}},{{.State.Running}}" in source
assert "$runtimeImageId -eq $SignozImageId" in source
assert "$runtimeImageRef -eq $SignozImage" in source
assert "signozRuntimeImageExact = $runtimeImageExact" in source
@@ -204,3 +295,21 @@ def test_entrypoint_is_in_exact_agent99_runtime_bundle() -> None:
assert expected in _quoted_array(receiver, "$FixedRuntimeFiles = @(", ")")
assert 'expectedRuntimeFileCount": 18' in sender
assert '$runtimeManifest.fileCount -eq 18' in receiver
def test_runtime_contract_check_requires_typed_signoz_transport_readback() -> None:
contract = (ROOT / "agent99-contract-check.ps1").read_text(encoding="utf-8")
for marker in (
"agent99_credential:present:%u:%a:%s",
"agent99_path_state:$ExpectedKind",
"agent99_hashes_begin",
"agent99_hashes_end",
"agent99_image:",
"agent99_runtime:",
"agent99_health:",
"agent99_active:",
"preflight_transport_unverified",
):
assert marker in contract
assert "-not $signozMetadataExecutor.Contains('$process.ExitCode')" in contract