fix(agent99): validate typed SigNoz transport readback
This commit is contained in:
@@ -98,6 +98,97 @@ def test_entrypoint_uses_fixed_public_key_transport_and_no_arbitrary_shell() ->
|
||||
assert "|| true" not in lock_helper
|
||||
assert '--signal=TERM --kill-after=$($TargetKillAfterSeconds)s' in source
|
||||
|
||||
|
||||
def test_entrypoint_uses_typed_stdout_without_windows_process_exit_code() -> None:
|
||||
source = ENTRYPOINT.read_text(encoding="utf-8")
|
||||
transport = source[
|
||||
source.index("function Invoke-Agent99SignozFixedRemote") :
|
||||
source.index("function New-Agent99SignozLockedRemoteCommand")
|
||||
]
|
||||
|
||||
assert "$process.ExitCode" not in transport
|
||||
assert "exitCodeObserved" not in transport
|
||||
assert "AllowedExitCodes" not in transport
|
||||
assert "function Test-Agent99SignozTransportOutcome" in transport
|
||||
assert "$Result.completed -eq $true" in transport
|
||||
assert "-not $Result.timedOut" in transport
|
||||
assert '$process.WaitForExit($TimeoutSeconds * 1000)' in transport
|
||||
assert "taskkill.exe /PID $process.Id /T /F" in transport
|
||||
|
||||
|
||||
def test_entrypoint_preflight_has_explicit_credential_and_artifact_state_contracts() -> None:
|
||||
source = ENTRYPOINT.read_text(encoding="utf-8")
|
||||
|
||||
assert 'function New-Agent99SignozPathStateCommand' in source
|
||||
assert 'agent99_credential:symlink' in source
|
||||
assert 'agent99_credential:absent' in source
|
||||
assert 'agent99_credential:present:%u:%a:%s' in source
|
||||
assert 'agent99_path_state:$ExpectedKind' in source
|
||||
assert 'agent99_path_state:absent' in source
|
||||
assert 'agent99_hashes_begin' in source
|
||||
assert 'agent99_hashes_end' in source
|
||||
assert '/usr/bin/echo agent99_hashes_begin' in source
|
||||
assert '/usr/bin/echo agent99_hashes_end' in source
|
||||
assert 'agent99_hashes_begin\\n' not in source
|
||||
assert 'agent99_image:' in source
|
||||
assert 'agent99_runtime:' in source
|
||||
assert 'agent99_health:' in source
|
||||
assert 'agent99_active:' in source
|
||||
assert '$credentialState -in @("absent", "symlink", "other")' in source
|
||||
assert 'credentialReadbackVerified = $credentialReadbackVerified' in source
|
||||
assert 'transportReadbackVerified = $transportReadbackVerified' in source
|
||||
assert 'outputStateReadbackVerified = $outputStateReadbackVerified' in source
|
||||
assert 'receiptStateReadbackVerified = $receiptStateReadbackVerified' in source
|
||||
assert '"credential_reference_readback_unverified"' in source
|
||||
assert '"preflight_transport_unverified"' in source
|
||||
assert source.count("Test-Agent99SignozTransportOutcome $verify") == 2
|
||||
assert "Test-Agent99SignozTransportOutcome $check" in source
|
||||
assert "Test-Agent99SignozTransportOutcome $apply" in source
|
||||
|
||||
|
||||
def test_entrypoint_typed_readbacks_are_exact_and_preserve_unknown_state() -> None:
|
||||
source = ENTRYPOINT.read_text(encoding="utf-8")
|
||||
preflight = source[
|
||||
source.index("function Get-Agent99SignozPreflight") :
|
||||
source.index("function Write-Agent99SignozEvidenceCollision")
|
||||
]
|
||||
main = source[
|
||||
source.index(
|
||||
'$preflight = Get-Agent99SignozPreflight '
|
||||
'-ExpectedArtifactState "absent"'
|
||||
) :
|
||||
]
|
||||
|
||||
assert "$hashLines.Count -eq $ToolchainFiles.Count + 2" in preflight
|
||||
assert "$hashLines[0] -eq \"agent99_hashes_begin\"" in preflight
|
||||
assert '$hashLines[$hashLines.Count - 1] -eq "agent99_hashes_end"' in preflight
|
||||
assert "$actualHashes.ContainsKey($path)" in preflight
|
||||
assert "-not $ToolchainFiles.Contains($path)" in preflight
|
||||
assert '"^agent99_image:(sha256:[0-9a-f]{64})$"' in preflight
|
||||
assert '--format={{.Id}},{{.Image}},{{.Config.Image}},{{.State.Running}}' in preflight
|
||||
assert '--format=`"{{.Id}}|{{.Image}}|{{.Config.Image}}|{{.State.Running}}`"' not in preflight
|
||||
assert '"^agent99_runtime:([0-9a-f]{64}),(sha256:' in preflight
|
||||
assert '"^agent99_active:([0-9]+)$"' in preflight
|
||||
assert '[ `"`$active_rc`" -eq 0 ] || [ `"`$active_rc`" -eq 1 ]' in preflight
|
||||
assert "outputPresent = if ($outputStateReadbackVerified)" in preflight
|
||||
assert "receiptPresent = if ($receiptStateReadbackVerified)" in preflight
|
||||
assert "credentialReferencePresent = if ($credentialReadbackVerified)" in preflight
|
||||
|
||||
credential_unverified = main.index("credential_reference_readback_unverified")
|
||||
credential_absent = main.index("credential_reference_absent")
|
||||
credential_invalid = main.index("credential_reference_metadata_invalid")
|
||||
preflight_unverified = main.index("preflight_transport_unverified")
|
||||
generic_preflight = main.index("metadata_export_preflight_failed")
|
||||
assert (
|
||||
credential_unverified
|
||||
< credential_absent
|
||||
< credential_invalid
|
||||
< preflight_unverified
|
||||
< generic_preflight
|
||||
)
|
||||
assert "$RemoteResult.completed -ne $true" in source
|
||||
assert "$RemoteResult.timedOut" in source
|
||||
|
||||
guard = 95
|
||||
kill_after = 15
|
||||
transport_reserve = 30
|
||||
@@ -108,7 +199,7 @@ def test_entrypoint_uses_fixed_public_key_transport_and_no_arbitrary_shell() ->
|
||||
def test_entrypoint_never_reads_or_persists_credential_value_in_controller() -> None:
|
||||
source = ENTRYPOINT.read_text(encoding="utf-8")
|
||||
|
||||
assert 'sudo -n /usr/bin/stat -c %u:%a:%s $CredentialFile' in source
|
||||
assert '/usr/bin/stat -c `"agent99_credential:present:%u:%a:%s`" `"$CredentialFile`"' in source
|
||||
assert 'credentialValueRead = $false' in source
|
||||
assert 'credentialValueOutput = $false' in source
|
||||
assert 'secretValueReadByController = $false' in source
|
||||
@@ -117,7 +208,7 @@ def test_entrypoint_never_reads_or_persists_credential_value_in_controller() ->
|
||||
assert "credentialReferenceDispatchAttempted" in source
|
||||
assert "$script:ApplyDispatchAttempted = $true" in source
|
||||
assert "credentialReferenceConsumedOnTarget = if" in source
|
||||
assert "elseif ($ApplyReceipt)" in source
|
||||
assert "elseif (Test-Agent99SignozReceiptIdentity $ApplyReceipt" in source
|
||||
assert 'rawSqliteRead = $false' in source
|
||||
assert 'rawVolumeRead = $false' in source
|
||||
assert "Get-Content -LiteralPath $CredentialFile" not in source
|
||||
@@ -177,7 +268,7 @@ def test_entrypoint_reserves_durable_evidence_before_any_remote_dispatch() -> No
|
||||
def test_entrypoint_binds_export_to_the_running_canonical_signoz_image() -> None:
|
||||
source = ENTRYPOINT.read_text(encoding="utf-8")
|
||||
|
||||
assert "{{.Id}}|{{.Image}}|{{.Config.Image}}|{{.State.Running}}" in source
|
||||
assert "{{.Id}},{{.Image}},{{.Config.Image}},{{.State.Running}}" in source
|
||||
assert "$runtimeImageId -eq $SignozImageId" in source
|
||||
assert "$runtimeImageRef -eq $SignozImage" in source
|
||||
assert "signozRuntimeImageExact = $runtimeImageExact" in source
|
||||
@@ -204,3 +295,21 @@ def test_entrypoint_is_in_exact_agent99_runtime_bundle() -> None:
|
||||
assert expected in _quoted_array(receiver, "$FixedRuntimeFiles = @(", ")")
|
||||
assert 'expectedRuntimeFileCount": 18' in sender
|
||||
assert '$runtimeManifest.fileCount -eq 18' in receiver
|
||||
|
||||
|
||||
def test_runtime_contract_check_requires_typed_signoz_transport_readback() -> None:
|
||||
contract = (ROOT / "agent99-contract-check.ps1").read_text(encoding="utf-8")
|
||||
|
||||
for marker in (
|
||||
"agent99_credential:present:%u:%a:%s",
|
||||
"agent99_path_state:$ExpectedKind",
|
||||
"agent99_hashes_begin",
|
||||
"agent99_hashes_end",
|
||||
"agent99_image:",
|
||||
"agent99_runtime:",
|
||||
"agent99_health:",
|
||||
"agent99_active:",
|
||||
"preflight_transport_unverified",
|
||||
):
|
||||
assert marker in contract
|
||||
assert "-not $signozMetadataExecutor.Contains('$process.ExitCode')" in contract
|
||||
|
||||
Reference in New Issue
Block a user