direxio-deployer 0.1.0 → 0.1.2
- package/README.md +10 -2
- package/README_zh.md +10 -2
- package/SKILL.md +32 -8
- package/bin/direxio-deployer.mjs +1 -2
- package/package.json +2 -3
- package/references/agent-targets.md +7 -1
- package/references/deployment-lessons.md +5 -7
- package/references/deployment-workflow.md +8 -4
- package/references/runtime-wiring.md +5 -5
- package/references/tooling.md +11 -12
- package/references/user-journey.md +2 -2
- package/references/voip-turn-runbook.md +2 -2
- package/references/windows-deployment-notes.md +2 -1
- package/scripts/destroy.sh +24 -43
- package/scripts/json.mjs +841 -0
- package/scripts/lib/aws.sh +5 -1
- package/scripts/lib/json.sh +114 -0
- package/scripts/lib/operation_report.sh +8 -195
- package/scripts/lib/ops.sh +8 -21
- package/scripts/lib/state.sh +18 -44
- package/scripts/mcp-tools-list.mjs +66 -5
- package/scripts/orchestrate.sh +166 -249
- package/scripts/phases/s3_provision.sh +5 -10
- package/scripts/phases/s5_init_tokens.sh +7 -17
- package/scripts/phases/s6_wire_local.sh +22 -42
- package/scripts/phases/s7_verify_e2e.sh +5 -5
- package/scripts/pricing-estimate.sh +36 -80
- package/tests/aws_credentials_test.sh +0 -139
- package/tests/connect_daemon_runtime_check_test.sh +0 -120
- package/tests/default_paths_test.sh +0 -58
- package/tests/destroy_local_bridge_test.sh +0 -154
- package/tests/destroy_root_identity_test.sh +0 -91
- package/tests/destroy_route53_zone_test.sh +0 -80
- package/tests/domain_authoritative_dns_test.sh +0 -49
- package/tests/mcp_doctor_runtime_check_test.sh +0 -86
- package/tests/mcp_smoke_runtime_check_test.sh +0 -121
- package/tests/mcp_tools_runtime_check_test.sh +0 -123
- package/tests/npm_skill_distribution_test.sh +0 -95
- package/tests/operation_report_test.sh +0 -258
- package/tests/orchestrate_status_recovery_test.sh +0 -91
- package/tests/phase_timeout_test.sh +0 -88
- package/tests/pricing_estimate_test.sh +0 -159
- package/tests/render_userdata_remote_nodes_test.sh +0 -40
- package/tests/root_volume_tracking_test.sh +0 -41
- package/tests/route53_overwrite_guard_test.sh +0 -86
- package/tests/route53_zone_auto_create_test.sh +0 -66
- package/tests/runtime_summary_check_test.sh +0 -203
- package/tests/s6_wire_local_test.sh +0 -405
- package/tests/skill_structure_test.sh +0 -298
- package/tests/update_reset_ops_test.sh +0 -230
- package/tests/user_confirmation_gates_test.sh +0 -152
|
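--- a/package/tests/skill_structure_test.sh
+++ b/package/tests/skill_structure_test.sh
@@ -1,298 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-ROOT=$(cd "$(dirname "$0")/.." && pwd)
-cd "$ROOT"
-
-required=(
-AGENTS.md
-package.json
-SKILL.md
-README.md
-README_zh.md
-bin/direxio-deployer.mjs
-scripts/orchestrate.sh
-scripts/orchestrate.ps1
-scripts/aws-credentials.sh
-scripts/destroy.sh
-scripts/destroy.ps1
-scripts/update.sh
-scripts/reset-app-data.sh
-scripts/pricing-estimate.sh
-scripts/mcp-tools-list.mjs
-scripts/lib/ops.sh
-scripts/lib/operation_report.sh
-scripts/phases/s6_wire_local.sh
-tests/operation_report_test.sh
-tests/npm_skill_distribution_test.sh
-tests/orchestrate_status_recovery_test.sh
-tests/update_reset_ops_test.sh
-tests/aws_credentials_test.sh
-tests/connect_daemon_runtime_check_test.sh
-tests/pricing_estimate_test.sh
-tests/route53_zone_auto_create_test.sh
-tests/route53_overwrite_guard_test.sh
-tests/destroy_root_identity_test.sh
-tests/destroy_route53_zone_test.sh
-tests/domain_authoritative_dns_test.sh
-tests/mcp_doctor_runtime_check_test.sh
-tests/mcp_smoke_runtime_check_test.sh
-tests/mcp_tools_runtime_check_test.sh
-tests/root_volume_tracking_test.sh
-tests/runtime_summary_check_test.sh
-tests/user_confirmation_gates_test.sh
-references/agent-targets.md
-references/deployment-optimization-audit.md
-references/runtime-wiring.md
-)
-
-for path in "${required[@]}"; do
-[ -s "$path" ] || {
-echo "missing or empty required file: $path" >&2
-exit 1
-}
-done
-
-grep -q 'direxio/message-server:latest' SKILL.md
-grep -q 'direxio-deployer' package.json
-grep -q 'bin/direxio-deployer.mjs' package.json
-grep -q 'skill install --agent' README.md
-grep -q 'skill update --agent' README_zh.md
-grep -q 'skill refresh --agent' SKILL.md
-grep -q 'Windows PowerShell' README.md
-grep -q 'Windows PowerShell' README_zh.md
-grep -q '.direxio-skill-install.json' references/agent-targets.md
-grep -q 'DIREXIO_DOMAIN' scripts/phases/s6_wire_local.sh
-grep -q 'DIREXIO_AGENT_TOKEN' scripts/phases/s6_wire_local.sh
-grep -q 'DIREXIO_AGENT_ROOM_ID' scripts/phases/s6_wire_local.sh
-grep -q 'DIREXIO_CC_CONNECT_REPO' scripts/phases/s6_wire_local.sh
-grep -q 'DIREXIO_LOCAL_PATH_STYLE' scripts/phases/s6_wire_local.sh
-grep -q 'DIREXIO_CREDENTIALS_FILE' scripts/phases/s6_wire_local.sh
-grep -q 'direxio-mcp' scripts/phases/s6_wire_local.sh
-grep -q 'PLATFORMS_INCLUDE=matrix' scripts/phases/s6_wire_local.sh
-grep -q 'YingSuiAI/direxio-connect.git' scripts/phases/s6_wire_local.sh
-grep -q 'DIREXIO_CC_CONNECT_AGENT' scripts/phases/s6_wire_local.sh
-grep -q 'orchestrate.ps1' README.md
-grep -q 'destroy.ps1' README.md
-grep -q 'destroy.ps1' README_zh.md
-grep -q 'destroy.ps1' SKILL.md
-grep -q 'destroy.ps1' references/deployment-workflow.md
-grep -q 'destroy.ps1' references/windows-deployment-notes.md
-grep -q 'cc-connect' SKILL.md
-grep -q 'mcp_config_dir' SKILL.md
-grep -q 'mcp_codex_config' references/runtime-wiring.md
-if grep -R '@direxio/agent-plugins' SKILL.md scripts README.md README_zh.md references >/dev/null; then
-echo "current docs/scripts must not reference legacy agent plugin packages" >&2
-exit 1
-fi
-grep -q '简体中文](README_zh.md)' README.md
-grep -q '通用 Agent Skill' README_zh.md
-grep -q 'PROJECT_ROOT/.cursor/skills/direxio-deployer' references/agent-targets.md
-grep -q 'direxio-connent' references/agent-targets.md
-grep -q 'direxio-connect daemon install' references/agent-targets.md
-grep -q 'acp antigravity claudecode codex copilot cursor devin gemini iflow kimi opencode pi qoder reasonix tmux' references/agent-targets.md
-
-if grep -R 'YingSuiAI/cc-connect\|github.com/YingSuiAI/cc-connect' SKILL.md scripts README.md README_zh.md references AGENTS.md >/dev/null; then
-echo "current docs/scripts must use YingSuiAI/direxio-connect, not the old YingSuiAI/cc-connect repository" >&2
-exit 1
-fi
-
-if grep -RE '(^|[^[:alnum:]_])([a-z0-9-]+\.)*example\.com([^[:alnum:]_]|$)' SKILL.md references scripts README.md README_zh.md >/dev/null; then
-echo "published docs/scripts must use placeholders such as __DOMAIN__, not example.com-style domains" >&2
-exit 1
-fi
-
-if grep -RE '(^|[^[:alnum:]_])([a-z0-9-]+\.)*direxio\.ai([^[:alnum:]_]|$)' SKILL.md references scripts README.md README_zh.md >/dev/null; then
-echo "published docs/scripts must use placeholders such as __DOMAIN__, not real Direxio-owned domains" >&2
-exit 1
-fi
-
-if grep -RE 'agentp2p\.im|54\.161\.73\.211' SKILL.md references scripts README.md README_zh.md >/dev/null; then
-echo "published docs/scripts must use placeholders such as __DOMAIN__ and __EIP__, not session-specific domains or IPs" >&2
-exit 1
-fi
-
-if awk '/_write_cc_connect_config\(\)/,/^}/' scripts/phases/s6_wire_local.sh | grep -q 'DIREXIO_CREDENTIALS_FILE'; then
-echo "cc-connect config must not use DIREXIO_CREDENTIALS_FILE; it must use direct Matrix config" >&2
-exit 1
-fi
-
-if awk '/_print_cc_connect_guidance\(\)/,/^}/' scripts/phases/s6_wire_local.sh | grep -q 'DIREXIO_CREDENTIALS_FILE'; then
-echo "cc-connect guidance must not use DIREXIO_CREDENTIALS_FILE; MCP guidance owns that env var" >&2
-exit 1
-fi
-
-if grep -RE 'fixed order.*\.codex.*\.hermes|\.codex.*checked before.*\.hermes' SKILL.md references scripts README.md README_zh.md >/dev/null; then
-echo "published docs/scripts must not describe stale Codex-before-Hermes runtime detection" >&2
-exit 1
-fi
-
-if grep -R 'direxio-mcp@0\.1\.[0-9]' SKILL.md references scripts README.md README_zh.md >/dev/null; then
-echo "published docs/scripts must not reference stale direxio-mcp versions" >&2
-exit 1
-fi
-
-if grep -R 'direxio-connent@1\.' SKILL.md references scripts README.md README_zh.md >/dev/null; then
-echo "published docs/scripts must not pin direxio-connent by default" >&2
-exit 1
-fi
-
-if grep -RE 'Elastic IP.*attached.*free|attached.*Elastic IP.*free' SKILL.md references scripts README.md README_zh.md >/dev/null; then
-echo "published docs/scripts must not say attached Elastic IP or public IPv4 is free" >&2
-exit 1
-fi
-
-if grep -F 'Host runtimes such as Hermes or OpenClaw are not cc-connect backends; when they are detected, set `DIREXIO_CC_CONNECT_AGENT` explicitly' SKILL.md >/dev/null; then
-echo "SKILL.md must not override ACP-backed OpenClaw/Hermes defaults with stale explicit-agent guidance" >&2
-exit 1
-fi
-
-if grep -F 'paste into the IM login form' scripts/orchestrate.sh SKILL.md >/dev/null; then
-echo "delivery output must present the password field as an app initialization code, not an IM login form password" >&2
-exit 1
-fi
-
-if grep -F 'Deployment Complete' scripts/orchestrate.sh SKILL.md references/deployment-workflow.md >/dev/null; then
-echo "delivery output must not call S7 green the final deployment completion state" >&2
-exit 1
-fi
-
-if grep -F 'Service URL' scripts/orchestrate.sh SKILL.md references/deployment-workflow.md >/dev/null; then
-echo "new deployment delivery should give the App domain and init code, not a service URL/initialization URL" >&2
-exit 1
-fi
-
-if grep -F 'Destroy :' scripts/orchestrate.sh SKILL.md >/dev/null; then
-echo "new deployment delivery should not present destroy as a user-copied command; ask the agent to destroy instead" >&2
-exit 1
-fi
-
-if grep -R 'destroy command' SKILL.md references/user-journey.md references/deployment-lessons.md >/dev/null; then
-echo "new deployment delivery docs should describe asking the agent to destroy, not delivering a destroy command" >&2
-exit 1
-fi
-
-grep -q 'Root access keys are allowed when the operator explicitly chooses them' SKILL.md
-
-if grep -RE '_find_route53_zone.*does NOT create|never creates hosted zone|hosted zone must exist before S3_PROVISION|Do not rely on the script to create the zone' SKILL.md references README.md README_zh.md >/dev/null; then
-echo "published docs must not preserve stale Route53 hosted-zone manual-create guidance" >&2
-exit 1
-fi
-
-if grep -R 'IM passwords\|login password\|login form\|登录密码\|IM 地址' SKILL.md references scripts README.md README_zh.md >/dev/null; then
-echo "published docs/scripts must call the user-facing field an initialization code, not a login password" >&2
-exit 1
-fi
-
-grep -q 'eight-digit app initialization code' SKILL.md
-grep -q 'S7 green is not the final product-complete state' SKILL.md
-grep -q 'non-polluting' SKILL.md
-grep -q 'direxio-mcp@latest' SKILL.md
-grep -q 'direxio-connent@latest' SKILL.md
-grep -q 'DirexioDeployer' SKILL.md
-grep -q 'AdministratorAccess' SKILL.md
-grep -qi 'root access keys are allowed' SKILL.md
-grep -q 'Destroy uses the same AWS identity boundary as deployment' SKILL.md
-grep -q 'Destroy allows root AWS access-key identity' references/deployment-workflow.md
-grep -q 'Recovery summary' SKILL.md
-grep -q 'operation-report.json' SKILL.md
-grep -q 'destroy.evidence' SKILL.md
-grep -q 'user_confirmation_details' SKILL.md
-grep -q 'confirmation evidence is redacted' SKILL.md
-grep -q 'eight-or-more digit numeric strings' SKILL.md
-grep -q 'eight-or-more digit numeric strings' references/deployment-workflow.md
-grep -q 'credentials.status' SKILL.md
-grep -q 'mcp.status' SKILL.md
-grep -q 'credentials.status=refresh_pending' references/deployment-workflow.md
-grep -q 'mcp.status=refresh_pending' references/deployment-workflow.md
-grep -q 'stops only the matching service-scoped direxio-connect daemon' references/deployment-workflow.md
-grep -q 'possible_remaining_billable_resources' SKILL.md
-grep -q 'EBS root volume' SKILL.md
-grep -q 'destroy.evidence' references/deployment-workflow.md
-grep -q 'scripts/orchestrate.sh report new_deploy' SKILL.md
-grep -q 'scripts/update.sh' SKILL.md
-grep -q 'scripts/reset-app-data.sh' SKILL.md
-grep -q 'clears old user-confirmation/runtime-check evidence' SKILL.md
-grep -q 'agent_install_status=refresh_pending' SKILL.md
-grep -q 'stops only the matching service-scoped direxio-connect daemon' SKILL.md
-grep -q 'Local refresh:' SKILL.md
-grep -q 'rerun the deployment workflow to refresh S4-S7' SKILL.md
-grep -q 'refresh_pending' references/token-refresh.md
-grep -q 'user_confirmations.*runtime_checks' references/token-refresh.md
-grep -q 'stops only the matching service-scoped direxio-connect daemon' references/token-refresh.md
-grep -q 'Local refresh:' references/token-refresh.md
-grep -q 'rerun the deployment workflow to refresh S4-S7' references/token-refresh.md
-grep -q 'DIREXIO_RESET_APP_DATA_CONFIRM=1' SKILL.md
-grep -q 'scripts/aws-credentials.sh import-csv' SKILL.md
-grep -q 'scripts/aws-credentials.sh verify' SKILL.md
-grep -q 'scripts/pricing-estimate.sh' SKILL.md
-grep -q 'pricing-estimate.sh --state' references/deployment-workflow.md
-grep -q 'cost_estimate' SKILL.md
-grep -q 'cost_estimate' references/deployment-workflow.md
-grep -q 'orchestrate.sh confirm app_initialization' SKILL.md
-grep -q 'orchestrate.sh confirm agent_mcp_runtime' SKILL.md
-grep -q 'DIREXIO_CONFIRM_RUNTIME_PROBE=1' SKILL.md
-grep -q 'runtime_checks.summary.status' SKILL.md
-grep -q 'confirm` command requires `DIREXIO_CONFIRM_EVIDENCE`' SKILL.md
-grep -q 'at least 12 characters' SKILL.md
-grep -q 'orchestrate.sh verify connect_daemon' SKILL.md
-grep -q 'orchestrate.sh verify mcp_doctor' SKILL.md
-grep -q 'orchestrate.sh verify mcp_smoke' SKILL.md
-grep -q 'orchestrate.sh verify mcp_tools' SKILL.md
-grep -q 'orchestrate.sh verify runtime' SKILL.md
-grep -q 'orchestrate.sh confirm app_initialization' references/deployment-workflow.md
-grep -q 'DIREXIO_CONFIRM_RUNTIME_PROBE=1' references/deployment-workflow.md
-grep -q 'All `confirm` commands require `DIREXIO_CONFIRM_EVIDENCE`' references/deployment-workflow.md
-grep -q 'at least 12 characters' references/deployment-workflow.md
-grep -q 'orchestrate.sh verify connect_daemon' references/deployment-workflow.md
-grep -q 'orchestrate.sh verify mcp_doctor' references/deployment-workflow.md
-grep -q 'orchestrate.sh verify mcp_smoke' references/deployment-workflow.md
-grep -q 'orchestrate.sh verify mcp_tools' references/deployment-workflow.md
-grep -q 'orchestrate.sh verify runtime' references/deployment-workflow.md
-grep -q 'DIREXIO_CONFIRM_DNS_OVERWRITE=1' SKILL.md
-grep -q 'DIREXIO_CONFIRM_DNS_OVERWRITE=1' references/deployment-workflow.md
-grep -q 'authoritative DNS' SKILL.md
-grep -q 'AWS Budget' SKILL.md
-grep -q 'AWS Budget' references/deployment-workflow.md
-grep -q 'AWS Billing Console' SKILL.md
-grep -q 'Current MVP deployment path is EC2-only' SKILL.md
-grep -q 'Lightsail requires a separate deploy_mode=lightsail implementation before it can be offered' SKILL.md
-grep -q 'rotate/remove root access keys if used' SKILL.md
-grep -q 'temporary IAM key' scripts/orchestrate.sh
-
-for requirement_id in \
-DEPLOY-P0-001 \
-DEPLOY-P0-002 \
-DEPLOY-P0-003 \
-DEPLOY-P0-004 \
-DEPLOY-P0-005 \
-DEPLOY-P1-001 \
-DEPLOY-P1-002 \
-DEPLOY-P1-003 \
-DEPLOY-P1-004 \
-DEPLOY-P1-005 \
-DEPLOY-P2-001 \
-DEPLOY-P2-002 \
-DEPLOY-P2-003 \
-DEPLOY-P2-004; do
-grep -q "$requirement_id" references/deployment-optimization-audit.md
-done
-
-grep -q 'Deployer-side implemented' references/deployment-optimization-audit.md
-grep -q 'Runtime evidence still required' references/deployment-optimization-audit.md
-grep -q 'Current best plan' references/deployment-optimization-audit.md
-grep -q '~/.direxio/nodes/<service_id>/' references/deployment-optimization-audit.md
-grep -q 'verify runtime is an internal non-polluting check' references/deployment-optimization-audit.md
-grep -q 'user App initialization and real chat evidence' references/deployment-optimization-audit.md
-grep -q 'update/reset are now first-class scripts' references/deployment-optimization-audit.md
-grep -q 'Local refresh' references/deployment-optimization-audit.md
-grep -q 'cleared old credentials, user confirmations, runtime checks, and bridge install proof' references/deployment-optimization-audit.md
-grep -q 'stops only the matching service-scoped direxio-connect daemon' references/deployment-optimization-audit.md
-grep -q 'Lightsail remains deferred' references/deployment-optimization-audit.md
-
-if grep -RE 'DOMAIN_MODE=lightsail|DEPLOY_MODE=lightsail|choose between EC2 and Lightsail|Lightsail automatic deployment is supported' SKILL.md README.md README_zh.md references scripts >/dev/null; then
-echo "current docs/scripts must not offer Lightsail as an implemented automatic deployment path" >&2
-exit 1
-fi
-
-echo "skill structure ok"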
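--- a/package/tests/update_reset_ops_test.sh
+++ b/package/tests/update_reset_ops_test.sh
@@ -1,230 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-ROOT=$(cd "$(dirname "$0")/.." && pwd)
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' EXIT
-
-export HOME="$tmp/home"
-mkdir -p "$HOME"
-
-fakebin="$tmp/bin"
-mkdir -p "$fakebin"
-
-cat > "$fakebin/ssh" <<'EOF'
-#!/usr/bin/env bash
-set -euo pipefail
-printf 'ssh' >> "$CALLS"
-printf ' %q' "$@" >> "$CALLS"
-printf '\n' >> "$CALLS"
-exit 0
-EOF
-chmod 700 "$fakebin/ssh"
-
-cat > "$fakebin/direxio-connect" <<'EOF'
-#!/usr/bin/env bash
-set -euo pipefail
-printf 'direxio-connect' >> "$CALLS"
-printf ' %q' "$@" >> "$CALLS"
-printf '\n' >> "$CALLS"
-if [ "${1:-}" = "daemon" ] && [ "${2:-}" = "status" ]; then
-cat <<STATUS
-Status: ${CONNECT_STATUS:-Running}
-WorkDir: ${CONNECT_WORK_DIR:-}
-STATUS
-fi
-exit 0
-EOF
-chmod 700 "$fakebin/direxio-connect"
-
-write_state() {
-local state=$1 service_dir=$2
-mkdir -p "$(dirname "$state")" "$service_dir"
-jq -n \
---arg service_dir "$service_dir" \
-'{
-run_id: "ops-test",
-region: "ap-northeast-1",
-domain_mode: "user",
-domain: "ops.example.test",
-as_url: "https://ops.example.test",
-instance_type: "t3.small",
-password: "12345678",
-access_token: "ACCESS_SECRET",
-agent_token: "AGENT_SECRET",
-agent_room_id: "!old:ops.example.test",
-agent_service_id: "ops.example.test",
-agent_service_dir: $service_dir,
-agent_credentials_file: ($service_dir + "/credentials.json"),
-agent_install_status: "installed",
-cc_connect_config: ($service_dir + "/cc-connect/config.toml"),
-cc_connect_binary: "direxio-connect",
-cc_connect_agent: "codex",
-mcp_config_dir: ($service_dir + "/mcp"),
-mcp_codex_config: ($service_dir + "/mcp/codex.toml"),
-mcp_openclaw_config: ($service_dir + "/mcp/openclaw.md"),
-mcp_hermes_config: ($service_dir + "/mcp/hermes.mcp.json"),
-mcp_doctor_command: ("DIREXIO_CREDENTIALS_FILE=" + $service_dir + "/credentials.json direxio-mcp doctor --json"),
-resources: {
-instance_id: "i-ops",
-public_ip: "203.0.113.77",
-eip_id: "eipalloc-ops",
-key_file: "/tmp/ops.pem"
-},
-phases: {
-S0_PREREQ_AWS: {status: "done"},
-S1_PREFLIGHT: {status: "done"},
-S2_DOMAIN: {status: "done"},
-S3_PROVISION: {status: "done"},
-S4_BOOTSTRAP_STACK: {status: "done"},
-S5_INIT_TOKENS: {status: "done"},
-S6_WIRE_LOCAL: {status: "done"},
-S7_VERIFY_E2E: {status: "done"}
-},
-user_confirmations: {
-app_initialization: {status: "confirmed", evidence: "old app confirmation"},
-real_chat: {status: "confirmed", evidence: "old chat confirmation"},
-agent_mcp_runtime: {
-status: "confirmed",
-evidence: "old runtime confirmation",
-runtime_summary_status: "passed",
-runtime_probe_confirmed: true
-}
-},
-runtime_checks: {
-summary: {status: "passed"},
-connect_daemon: {status: "passed"},
-mcp_doctor: {status: "passed"},
-mcp_smoke: {status: "passed"},
-mcp_tools: {status: "passed"}
-}
-}' > "$state"
-}
-
-assert_file_exists() {
-[ -s "$1" ] || {
-echo "expected non-empty file: $1" >&2
-exit 1
-}
-}
-
-assert_not_contains() {
-local path=$1 pattern=$2
-if grep -E "$pattern" "$path" >/dev/null; then
-echo "unexpected pattern in $path: $pattern" >&2
-cat "$path" >&2
-exit 1
-fi
-}
-
-assert_contains() {
-local path=$1 pattern=$2
-if ! grep -E "$pattern" "$path" >/dev/null; then
-echo "missing pattern in $path: $pattern" >&2
-cat "$path" >&2
-exit 1
-fi
-}
-
-service_dir="$HOME/.direxio/nodes/ops.example.test"
-state="$service_dir/state.json"
-write_state "$state" "$service_dir"
-
-update_calls="$tmp/update.calls"
-: > "$update_calls"
-CALLS="$update_calls" PATH="$fakebin:$PATH" CONNECT_WORK_DIR="$service_dir/cc-connect" MESSAGE_SERVER_IMAGE="direxio/message-server:test" bash "$ROOT/scripts/update.sh" "$state" > "$tmp/update.out"
-assert_contains "$tmp/update.out" 'Old user confirmations and runtime checks were cleared'
-assert_contains "$tmp/update.out" 'Scoped local bridge daemon was stopped'
-assert_contains "$tmp/update.out" 'rerun orchestrate with P2P_EXISTING_STATE_ACTION=continue'
-
-assert_contains "$update_calls" 'docker compose --env-file \.env pull'
-assert_contains "$update_calls" 'docker compose --env-file \.env up -d'
-assert_contains "$update_calls" 'bash /opt/p2p/init-tokens\.sh'
-assert_contains "$update_calls" 'direxio/message-server:test'
-assert_contains "$update_calls" 'MESSAGE_SERVER_IMAGE=\$escaped_image'
-assert_contains "$update_calls" 'direxio-connect daemon status --service-name ops\.example\.test'
-assert_contains "$update_calls" 'direxio-connect daemon stop --service-name ops\.example\.test'
-assert_not_contains "$update_calls" 'volume rm|down -v|postgres-data|message-config|message-data|caddy-data|caddy-config'
-
-jq -e '
-(.password // "") == ""
-and (.access_token // "") == ""
-and (.agent_token // "") == ""
-and (.agent_room_id // "") == ""
-and .agent_install_status == "refresh_pending"
-and .phases.S4_BOOTSTRAP_STACK.status == "pending"
-and .phases.S5_INIT_TOKENS.status == "pending"
-and .phases.S6_WIRE_LOCAL.status == "pending"
-and .phases.S7_VERIFY_E2E.status == "pending"
-and (.user_confirmations | not)
-and (.runtime_checks | not)
-' "$state" >/dev/null
-
-update_report="$service_dir/operation-report.json"
-assert_file_exists "$update_report"
-jq -e '
-.operation_type == "update"
-and .status == "update_remote_restart_complete_refresh_pending"
-and .security.secrets_included == false
-and .gates.user_confirmation.app_initialization == "pending_user_confirmation"
-and .gates.user_confirmation.real_chat == "pending_user_confirmation"
-and .gates.user_confirmation.agent_mcp_runtime == "pending_runtime_confirmation"
-and .runtime_checks.summary.status == "not_run"
-and .connect.install_status == "refresh_pending"
-and .credentials.status == "refresh_pending"
-and .mcp.status == "refresh_pending"
-' "$update_report" >/dev/null
-
-write_state "$state" "$service_dir"
-if CALLS="$tmp/reset-unconfirmed.calls" PATH="$fakebin:$PATH" bash "$ROOT/scripts/reset-app-data.sh" "$state" >/dev/null 2>&1; then
-echo "reset-app-data must require explicit confirmation" >&2
-exit 1
-fi
-
-reset_calls="$tmp/reset.calls"
-: > "$reset_calls"
-CALLS="$reset_calls" PATH="$fakebin:$PATH" CONNECT_WORK_DIR="$service_dir/cc-connect" DIREXIO_RESET_APP_DATA_CONFIRM=1 bash "$ROOT/scripts/reset-app-data.sh" "$state" > "$tmp/reset.out"
-assert_contains "$tmp/reset.out" 'Old user confirmations and runtime checks were cleared'
-assert_contains "$tmp/reset.out" 'Scoped local bridge daemon was stopped'
-assert_contains "$tmp/reset.out" 'rerun orchestrate with P2P_EXISTING_STATE_ACTION=continue'
-
-assert_contains "$reset_calls" 'docker compose --env-file \.env down'
-assert_contains "$reset_calls" 'docker volume rm'
-assert_contains "$reset_calls" 'postgres-data'
-assert_contains "$reset_calls" 'message-config'
-assert_contains "$reset_calls" 'message-data'
-assert_contains "$reset_calls" 'docker compose --env-file \.env up -d'
-assert_contains "$reset_calls" 'bash /opt/p2p/init-tokens\.sh'
-assert_contains "$reset_calls" 'direxio-connect daemon status --service-name ops\.example\.test'
-assert_contains "$reset_calls" 'direxio-connect daemon stop --service-name ops\.example\.test'
-assert_not_contains "$reset_calls" 'caddy-data|caddy-config|down -v'
-
-jq -e '
-(.password // "") == ""
-and (.access_token // "") == ""
-and (.agent_token // "") == ""
-and (.agent_room_id // "") == ""
-and .agent_install_status == "refresh_pending"
-and .phases.S5_INIT_TOKENS.status == "pending"
-and .phases.S6_WIRE_LOCAL.status == "pending"
-and .phases.S7_VERIFY_E2E.status == "pending"
-and (.user_confirmations | not)
-and (.runtime_checks | not)
-' "$state" >/dev/null
-
-reset_report="$service_dir/operation-report.json"
-assert_file_exists "$reset_report"
-jq -e '
-.operation_type == "reset_app_data"
-and .status == "reset_remote_data_cleared_refresh_pending"
-and .security.secrets_included == false
-and .gates.user_confirmation.app_initialization == "pending_user_confirmation"
-and .gates.user_confirmation.real_chat == "pending_user_confirmation"
-and .gates.user_confirmation.agent_mcp_runtime == "pending_runtime_confirmation"
-and .runtime_checks.summary.status == "not_run"
-and .connect.install_status == "refresh_pending"
-and .credentials.status == "refresh_pending"
-and .mcp.status == "refresh_pending"
-' "$reset_report" >/dev/null
-
-echo "update reset ops ok"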
@@ -1,152 +0,0 @@
|
|
|
1
|
-
#!/usr/bin/env bash
|
|
2
|
-
set -euo pipefail
|
|
3
|
-
|
|
4
|
-
ROOT=$(cd "$(dirname "$0")/.." && pwd)
|
|
5
|
-
tmp=$(mktemp -d)
|
|
6
|
-
trap 'rm -rf "$tmp"' EXIT
|
|
7
|
-
|
|
8
|
-
export HOME="$tmp/home"
|
|
9
|
-
mkdir -p "$HOME"
|
|
10
|
-
|
|
11
|
-
service_dir="$HOME/.direxio/nodes/confirm.example.test"
|
|
12
|
-
mkdir -p "$service_dir"
|
|
13
|
-
state="$service_dir/state.json"
|
|
14
|
-
jq -n \
|
|
15
|
-
--arg service_dir "$service_dir" \
|
|
16
|
-
'{
|
|
17
|
-
run_id: "confirm-test",
|
|
18
|
-
region: "ap-northeast-1",
|
|
19
|
-
domain_mode: "user",
|
|
20
|
-
domain: "confirm.example.test",
|
|
21
|
-
agent_service_id: "confirm.example.test",
|
|
22
|
-
agent_service_dir: $service_dir,
|
|
23
|
-
phase: "S7_VERIFY_E2E",
|
|
24
|
-
phases: {
|
|
25
|
-
S0_PREREQ_AWS: {status: "done"},
|
|
26
|
-
S1_PREFLIGHT: {status: "done"},
|
|
27
|
-
S2_DOMAIN: {status: "done"},
|
|
28
|
-
S3_PROVISION: {status: "done"},
|
|
29
|
-
S4_BOOTSTRAP_STACK: {status: "done"},
|
|
30
|
-
S5_INIT_TOKENS: {status: "done"},
|
|
31
|
-
S6_WIRE_LOCAL: {status: "done"},
|
|
32
|
-
S7_VERIFY_E2E: {status: "done"}
|
|
33
|
-
},
|
|
34
|
-
resources: {}
|
|
35
|
-
}' > "$state"
|
|
36
|
-
|
|
37
|
-
set +e
|
|
38
|
-
P2P_WORKDIR="$service_dir" bash "$ROOT/scripts/orchestrate.sh" confirm app_initialization > "$tmp/missing-app-evidence.out" 2>&1
|
|
39
|
-
missing_app_evidence_rc=$?
|
|
40
|
-
set -e
|
|
41
|
-
[ "$missing_app_evidence_rc" -ne 0 ] || {
|
|
42
|
-
echo "app_initialization confirmation must require explicit evidence" >&2
|
|
43
|
-
exit 1
|
|
44
|
-
}
|
|
45
|
-
grep -q 'requires DIREXIO_CONFIRM_EVIDENCE' "$tmp/missing-app-evidence.out"
|
|
46
|
-
jq -e '(.user_confirmations.app_initialization | not)' "$state" >/dev/null
|
|
47
|
-
|
|
48
|
-
set +e
|
|
49
|
-
P2P_WORKDIR="$service_dir" bash "$ROOT/scripts/orchestrate.sh" confirm real_chat > "$tmp/missing-real-chat-evidence.out" 2>&1
|
|
50
|
-
missing_real_chat_evidence_rc=$?
|
|
51
|
-
set -e
|
|
52
|
-
[ "$missing_real_chat_evidence_rc" -ne 0 ] || {
|
|
53
|
-
echo "real_chat confirmation must require explicit evidence" >&2
|
|
54
|
-
exit 1
|
|
55
|
-
}
|
|
56
|
-
grep -q 'requires DIREXIO_CONFIRM_EVIDENCE' "$tmp/missing-real-chat-evidence.out"
|
|
57
|
-
jq -e '(.user_confirmations.real_chat | not)' "$state" >/dev/null
|
|
58
|
-
|
|
59
|
-
set +e
|
|
60
|
-
P2P_WORKDIR="$service_dir" \
|
|
61
|
-
DIREXIO_CONFIRM_EVIDENCE="ok" \
|
|
62
|
-
bash "$ROOT/scripts/orchestrate.sh" confirm app_initialization > "$tmp/short-app-evidence.out" 2>&1
|
|
63
|
-
short_app_evidence_rc=$?
|
|
64
|
-
set -e
|
|
65
|
-
[ "$short_app_evidence_rc" -ne 0 ] || {
|
|
66
|
-
echo "app_initialization confirmation must reject short generic evidence" >&2
|
|
67
|
-
exit 1
|
|
68
|
-
}
|
|
69
|
-
grep -q 'DIREXIO_CONFIRM_EVIDENCE is too short' "$tmp/short-app-evidence.out"
|
|
70
|
-
jq -e '(.user_confirmations.app_initialization | not)' "$state" >/dev/null
|
|
71
|
-
|
|
72
|
-
confirm_output=$(P2P_WORKDIR="$service_dir" DIREXIO_CONFIRM_EVIDENCE="user completed app initialization" bash "$ROOT/scripts/orchestrate.sh" confirm app_initialization)
|
|
73
|
-
printf '%s\n' "$confirm_output" | grep -q 'confirmed gate: app_initialization'
|
|
74
|
-
|
|
75
|
-
jq -e '
|
|
76
|
-
.user_confirmations.app_initialization.status == "confirmed"
|
|
77
|
-
and .user_confirmations.app_initialization.evidence == "user completed app initialization"
|
|
78
|
-
and (.user_confirmations.app_initialization.ts | type == "string")
|
|
79
|
-
' "$state" >/dev/null
|
|
80
|
-
|
|
81
|
-
report_output=$(P2P_WORKDIR="$service_dir" bash "$ROOT/scripts/orchestrate.sh" report new_deploy)
|
|
82
|
-
report_path=$(printf '%s\n' "$report_output" | sed -nE 's/^operation report: //p' | tail -n 1)
|
|
83
|
-
jq -e '
|
|
84
|
-
.gates.user_confirmation.app_initialization == "confirmed"
|
|
85
|
-
and .gates.user_confirmation.real_chat == "pending_user_confirmation"
|
|
86
|
-
and .gates.user_confirmation.agent_mcp_runtime == "pending_runtime_confirmation"
|
|
87
|
-
' "$report_path" >/dev/null
|
|
88
|
-
|
|
89
|
-
set +e
|
|
90
|
-
P2P_WORKDIR="$service_dir" \
|
|
91
|
-
DIREXIO_CONFIRM_EVIDENCE="MCP runtime looks ok" \
|
|
92
|
-
bash "$ROOT/scripts/orchestrate.sh" confirm agent_mcp_runtime > "$tmp/mcp-runtime-blocked.out" 2>&1
|
|
93
|
-
mcp_blocked_rc=$?
|
|
94
|
-
set -e
|
|
95
|
-
[ "$mcp_blocked_rc" -ne 0 ] || {
|
|
96
|
-
echo "agent_mcp_runtime confirmation must require runtime evidence" >&2
|
|
97
|
-
exit 1
|
|
98
|
-
}
|
|
99
|
-
grep -q 'requires runtime_checks.summary.status=passed' "$tmp/mcp-runtime-blocked.out"
|
|
100
|
-
jq -e '(.user_confirmations.agent_mcp_runtime | not)' "$state" >/dev/null
|
|
101
|
-
|
|
102
|
-
jq '.runtime_checks.summary = {
|
|
103
|
-
status: "passed",
|
|
104
|
-
failed_count: 0,
|
|
105
|
-
evidence: "all runtime checks passed",
|
|
106
|
-
checks: {
|
|
107
|
-
connect_daemon: "passed",
|
|
108
|
-
mcp_doctor: "passed",
|
|
109
|
-
mcp_tools: "passed",
|
|
110
|
-
mcp_smoke: "passed"
|
|
111
|
-
}
|
|
112
|
-
}' "$state" > "$state.tmp" && mv "$state.tmp" "$state"
|
|
113
|
-
|
|
114
|
-
set +e
|
|
115
|
-
P2P_WORKDIR="$service_dir" \
|
|
116
|
-
DIREXIO_CONFIRM_EVIDENCE="MCP runtime looks ok" \
|
|
117
|
-
bash "$ROOT/scripts/orchestrate.sh" confirm agent_mcp_runtime > "$tmp/mcp-runtime-missing-probe.out" 2>&1
|
|
118
|
-
mcp_missing_probe_rc=$?
|
|
119
|
-
set -e
|
|
120
|
-
[ "$mcp_missing_probe_rc" -ne 0 ] || {
|
|
121
|
-
echo "agent_mcp_runtime confirmation must require explicit runtime probe evidence" >&2
|
|
122
|
-
exit 1
|
|
123
|
-
}
|
|
124
|
-
grep -q 'requires DIREXIO_CONFIRM_RUNTIME_PROBE=1' "$tmp/mcp-runtime-missing-probe.out"
|
|
125
|
-
jq -e '(.user_confirmations.agent_mcp_runtime | not)' "$state" >/dev/null
|
|
126
|
-
|
|
127
|
-
mcp_confirm_output=$(
|
|
128
|
-
P2P_WORKDIR="$service_dir" \
|
|
129
|
-
DIREXIO_CONFIRM_RUNTIME_PROBE=1 \
|
|
130
|
-
DIREXIO_CONFIRM_EVIDENCE="runtime channel probe confirmed in Codex" \
|
|
131
|
-
bash "$ROOT/scripts/orchestrate.sh" confirm agent_mcp_runtime
|
|
132
|
-
)
|
|
133
|
-
printf '%s\n' "$mcp_confirm_output" | grep -q 'confirmed gate: agent_mcp_runtime'
|
|
134
|
-
|
|
135
|
-
jq -e '
|
|
136
|
-
.user_confirmations.agent_mcp_runtime.status == "confirmed"
|
|
137
|
-
and .user_confirmations.agent_mcp_runtime.evidence == "runtime channel probe confirmed in Codex"
|
|
138
|
-
and .user_confirmations.agent_mcp_runtime.runtime_summary_status == "passed"
|
|
139
|
-
and .user_confirmations.agent_mcp_runtime.runtime_probe_confirmed == true
|
|
140
|
-
' "$state" >/dev/null
|
|
141
|
-
|
|
142
|
-
set +e
|
|
143
|
-
P2P_WORKDIR="$service_dir" bash "$ROOT/scripts/orchestrate.sh" confirm unknown_gate > "$tmp/invalid.out" 2>&1
|
|
144
|
-
invalid_rc=$?
|
|
145
|
-
set -e
|
|
146
|
-
[ "$invalid_rc" -ne 0 ] || {
|
|
147
|
-
echo "invalid confirmation gate should fail" >&2
|
|
148
|
-
exit 1
|
|
149
|
-
}
|
|
150
|
-
grep -q 'Usage: .* confirm' "$tmp/invalid.out"
|
|
151
|
-
|
|
152
|
-
echo "user confirmation gates ok"
|