@sun-asterisk/sungen 3.1.2-beta.99 → 3.2.0-beta.141

package/src/orchestrator/templates/specs-db.ts

@@ -21,12 +21,73 @@ const ident = (s: string): string => {
   return s;
 };
 
+interface SshConfig {
+  host: string;              // jump host reachable from the runner
+  port?: number;             // default 22
+  user: string;
+  private_key?: string;      // PEM contents (from ${VAR} in .env.qa) — preferred for CI
+  private_key_path?: string; // or a filesystem path (local dev)
+  passphrase?: string;       // for an encrypted key
+  known_host?: string;       // base64 of the server's host key to pin (optional; else warn-and-proceed)
+}
+
 interface DataSourceConfig {
   engine: 'postgres' | 'mysql' | 'sqlite';
   url: string;
   readonly?: boolean;
   statement_timeout_ms?: number;
   max_rows?: number;
+  // Cách B (fallback): tunnel the DB SOCKET through an SSH bastion. DB-only — the browser/E2E
+  // still run on the runner; only PG traffic crosses. See docs/spec/sungen_data_driver_ssh_tunnel_spec.md.
+  ssh?: SshConfig;
+}
+
+/**
+ * Open a local TCP forward (127.0.0.1:<ephemeral> → ssh bastion → dstHost:dstPort) for a DB socket.
+ * Sockets are unref()'d so a dangling tunnel never keeps the test process alive after the run.
+ */
+async function openSshTunnel(ssh: SshConfig, dstHost: string, dstPort: number): Promise<{ host: string; port: number; close: () => void }> {
+  const { Client } = require('ssh2');
+  const net = require('net');
+  const privateKey = ssh.private_key
+    ? ssh.private_key
+    : ssh.private_key_path
+      ? fs.readFileSync(ssh.private_key_path.replace(/^~(?=\/)/, process.env.HOME || ''), 'utf8')
+      : undefined;
+  if (!privateKey) throw new Error('Data Driver: datasource `ssh` requires `private_key` or `private_key_path`.');
+
+  const conn = new Client();
+  await new Promise<void>((resolve, reject) => {
+    conn.on('ready', resolve).on('error', reject).connect({
+      host: ssh.host,
+      port: ssh.port ?? 22,
+      username: ssh.user,
+      privateKey,
+      passphrase: ssh.passphrase,
+      hostVerifier: (key: Buffer) => {
+        const got = Buffer.isBuffer(key) ? key.toString('base64') : String(key);
+        if (ssh.known_host) {
+          if (got === ssh.known_host.trim()) return true;
+          throw new Error(`Data Driver: SSH host-key mismatch for ${ssh.host} — refused (known_host pin).`);
+        }
+        console.warn(`Data Driver: SSH host key for ${ssh.host} is not pinned (set datasource ssh.known_host to verify). Proceeding (TOFU).`);
+        return true;
+      },
+    });
+  });
+
+  const server = net.createServer((sock: any) => {
+    conn.forwardOut(sock.remoteAddress || '127.0.0.1', sock.remotePort || 0, dstHost, dstPort, (err: any, stream: any) => {
+      if (err) { sock.destroy(); return; }
+      sock.pipe(stream).pipe(sock);
+    });
+  });
+  await new Promise<void>((resolve, reject) => server.on('error', reject).listen(0, '127.0.0.1', () => resolve()));
+  const addr = server.address();
+  const port = addr && typeof addr === 'object' ? addr.port : 0;
+  server.unref();                          // don't keep the event loop alive after tests
+  try { (conn as any)._sock?.unref?.(); } catch { /* best-effort */ }
+  return { host: '127.0.0.1', port, close: () => { try { server.close(); } catch {} try { conn.end(); } catch {} } };
 }
 
 function loadEnvQa(): void {
@@ -64,6 +125,7 @@ type Engine = { query(sql: string, params: any[]): Promise<any[]>; };
 class DataSource {
   private configs: Record<string, DataSourceConfig> | null = null;
   private engines = new Map<string, Engine>();
+  private tunnels: Array<{ close: () => void }> = [];
 
   private cfg(name?: string): { key: string; conf: DataSourceConfig } {
     if (!this.configs) this.configs = loadConfig();
@@ -79,10 +141,19 @@ class DataSource {
     if (!conf.url) throw new Error(`Data Driver: datasource "${key}" has no url (set it in .env.qa).`);
     let engine: Engine;
     if (conf.engine === 'postgres') {
+      let connectionString = conf.url;
+      if (conf.ssh) {                                   // Cách B: tunnel the DB socket through a bastion
+        const u = new URL(conf.url);
+        const t = await openSshTunnel(conf.ssh, u.hostname, Number(u.port || 5432));
+        this.tunnels.push(t);
+        u.hostname = t.host; u.port = String(t.port);   // rewrite host:port → 127.0.0.1:<tunnel> (keep user/pass/db/query)
+        connectionString = u.toString();
+      }
       const { Pool } = require('pg');
-      const pool = new Pool({ connectionString: conf.url, max: 2, statement_timeout: conf.statement_timeout_ms ?? 4000 });
+      const pool = new Pool({ connectionString, max: 2, statement_timeout: conf.statement_timeout_ms ?? 4000 });
       engine = { query: async (sql, params) => (await pool.query(sql, params)).rows };
     } else if (conf.engine === 'sqlite') {
+      if (conf.ssh) console.warn(`Data Driver: datasource "${key}" sets ssh: but engine is sqlite (file-based) — ssh ignored.`);
       const Database = require('better-sqlite3');
       const db = new Database(conf.url.replace(/^sqlite:/, ''), { readonly: conf.readonly !== false });
       engine = { query: async (sql, params) => db.prepare(sql).all(...params) };
@@ -93,6 +164,12 @@ class DataSource {
     return { engine, conf };
   }
 
+  /** Close any open SSH tunnels (optional explicit teardown; tunnels are unref'd so the process exits regardless). */
+  close(): void {
+    for (const t of this.tunnels) t.close();
+    this.tunnels = [];
+  }
+
   private build(table: string, filter: Record<string, any>): { sql: string; params: any[] } {
     const cols = Object.keys(filter);
     const where = cols.map((c, i) => `${ident(c)} = $${i + 1}`).join(' AND ');

package/src/orchestrator/templates/specs-test-data.ts

@@ -23,7 +23,8 @@ export class TestDataLoader {
    */
   static load(screenName: string, featureName: string): TestDataLoader {
     let baseDir: string;
-    if (screenName.startsWith('flows/')) {
+    if (screenName.startsWith('flows/') || screenName.startsWith('api/')) {
+      // flows/<flow> · api/<area> · api/flows/<flow> → qa/<screenName>/test-data
       baseDir = path.join(process.cwd(), 'qa', screenName, 'test-data');
     } else {
       baseDir = path.join(process.cwd(), 'qa', 'screens', screenName, 'test-data');