admin/orchestrator
1
0
Fork 0
Code Issues Pull Requests 4 Actions Packages Projects Releases Wiki Activity

feat(deploy): dedicated "Confirm Deploy" status triggers prod deploy

Browse Source 
Split the overloaded `Approved` Plane status: it served BOTH as the human BRD
gate on `analysis` AND as the silent Phase B prod-deploy trigger on `deploy`
(ORCH-036), so a routine approve could launch a self-hosting prod restart.

ORCH-059 introduces a dedicated logical status `confirm_deploy` ("Confirm
Deploy") that triggers ONLY Phase B on `deploy`; `Approved` stays purely a
pipeline gate.

- plane_sync: map "Confirm Deploy" -> "confirm_deploy" in _PLANE_NAME_TO_KEY;
  intentionally absent from _DEFAULT_STATES => fail-closed (no UUID -> .get
  yields None, no KeyError, no blind deploy).
- webhooks/plane: handle_issue_updated routes "Confirm Deploy" (fail-closed
  .get) to new handle_confirm_deploy (guarded to stage=="deploy") ->
  _try_advance_stage(confirm_deploy=True).
- stage_engine: advance_stage gains keyword-only confirm_deploy=False; Phase B
  block returns early for deploy+finished_agent is None but only initiates the
  deploy when confirm_deploy=True; a plain Approved is a deterministic no-op
  (returns before check_deploy_status -> no false БАГ-8 rollback).
- Phase A CTA now asks the operator for "Confirm Deploy", not "Approved".

Contracts unchanged: STAGE_TRANSITIONS, QG_CHECKS, check_deploy_status, hook
exit codes, Phases A/C, merge-gate, DB schema. Conditional like ORCH-35/36
(self-hosting only). Docs updated (CLAUDE.md, architecture/README.md, CHANGELOG).

Refs: ORCH-059

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
claude-bot
2026-06-07 19:12:41 +00:00
committed by deployer
parent dd07b58165
commit 86fe8dd509
12 changed files with 813 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

File diff suppressed because one or more lines are too long

4
CLAUDE.md
View File

@@ -64,6 +64,10 @@ created → analysis → architecture → development → review → testing →
- **НЕ перезапускать / не ронять прод-контейнер** `orchestrator` в рамках задачи — встанет конвейер всех проектов.
- Любой деплой/рестарт self = групповой риск. Детали и топология — `docs/operations/INFRA.md`.
- Стадия `deploy-staging` (порт 8501) — обязательная страховка перед прод-деплоем орка.
- Прод-деплой орка запускается ТОЛЬКО переводом задачи на стадии `deploy` в выделенный
Plane-статус **«Confirm Deploy»** (ORCH-059). Статус `Approved` — человеческий гейт
конвейера и прод-деплой НЕ запускает (на `deploy` — no-op). Это разделяет «одобрить
артефакт» и «выкатить в прод», чтобы привычный approve не ронял прод случайным кликом.
---
*Паспорт проекта orchestrator. Поддерживается агентами при каждой доработке. Изолирован: описывает только этот проект (канон per-repo, см. ORCH-9).*

22
docs/architecture/README.md
View File

@@ -70,21 +70,25 @@ Self-hosting зацикливался на `deploy-staging`: `scripts/staging_ch
а `deploy_status: SUCCESS` означает доказанный health-ok, не декларацию LLM. Три фазы
(детерминированно, без LLM в критическом пути self-restart):
- **Фаза A (вход в `deploy`)** — при `deploy_require_manual_approve=true` вместо запуска
прод-deployer выставляется approval-pending статус Plane + запрос approve
(Plane-коммент + Telegram). Перехват в `advance_stage` ПОСЛЕ `check_staging_status`
и merge-gate.
- **Фаза B (Plane → `Approved`)** — `advance_stage(deploy, finished_agent=None)`
прод-deployer выставляется approval-pending статус Plane + запрос перевести задачу
в статус **«Confirm Deploy»** (ORCH-059; Plane-коммент + Telegram). Перехват в
`advance_stage` ПОСЛЕ `check_staging_status` и merge-gate.
- **Фаза B (Plane → `Confirm Deploy`, ORCH-059)** —
`advance_stage(deploy, finished_agent=None, confirm_deploy=True)`
запускает **detached host-процесс** (ssh + setsid → хук с прод-параметрами +
build-once retag `SOURCE_IMAGE`) и ставит детерминированный **finalizer-job**;
маркер `initiated` — идемпотентность. Возврат БЕЗ advance (вердикта ещё нет).
Обычный `Approved` на `deploy` (`confirm_deploy=False`) — детерминированный no-op
(не деплоит и не откатывает).
- **Фаза C (finalizer)** — новый контейнер после рестарта читает sentinel `result`
(exit-code хука), маппит `0→SUCCESS / иначе→FAILED`, пишет `14-deploy-log.md`,
вызывает `advance_stage(deploy, finished_agent="deployer")` → существующие контракты:
`SUCCESS → done`, `FAILED → откат БАГ-8 на development`.
Approve = смена статуса Plane на `Approved` (status-only verdict model; комментарии
не управляют конвейером). На старте — обязательный ручной approve (флаг `true`); полный
авто — отдельная задача (ORCH-54). Условность как ORCH-35: реально для `orchestrator`,
Триггер прод-деплоя = смена статуса Plane на `Confirm Deploy` (ORCH-059; status-only
verdict model; комментарии не управляют конвейером). `Approved` остаётся исключительно
человеческим гейтом конвейера и прод-деплой не запускает. На старте — обязательный
ручной approve (флаг `true`); полный авто — отдельная задача (ORCH-54). Условность как ORCH-35: реально для `orchestrator`,
прочие репо — прежний синхронный ssh-деплой агентом. Контракты не меняются:
`STAGE_TRANSITIONS`, реестр QG, `check_deploy_status`/`_parse_deploy_status`, БАГ-8,
terminal-sync, merge-gate, exit-code-контракт хука. Restart-safe состояние —
@@ -92,7 +96,7 @@ sentinel-файлы (`<repos_dir>/.deploy-state-<repo>/<wi>/`), без мигр
Подробнее: [adr-0007](adr/adr-0007-executable-self-deploy.md), детально —
`docs/work-items/ORCH-036/06-adr/ADR-001-executable-self-deploy.md`.
#### Выделенный статус-триггер прод-деплоя «Confirm Deploy» (ORCH-059 — design)
#### Выделенный статус-триггер прод-деплоя «Confirm Deploy» (ORCH-059 — реализовано)
Перегрузка: один Plane-статус `Approved` служил И человеческим гейтом BRD на
`analysis` (`check_analysis_approved`), И триггером Фазы B прод-деплоя на `deploy`
— привычный жест approve молча запускал прод-рестарт (групповой self-hosting
@@ -331,4 +335,4 @@ ORCH-065 вводит фоновый watchdog, чтобы смерть проц
Схема БД, потоки данных, resilience-слой, детали Dockerfile — [internals.md](internals.md).
---
*Актуально на 2026-06-07. Обновлять при изменении src/stages.py, src/qg/checks.py, src/main.py. Статусы доработок: ORCH-036 (исполняемый самодеплой `deploy`, adr-0007) — реализовано; ORCH-043 (merge-gate, adr-0006) — design, ветка feature/ORCH-043; ORCH-053 (reconciler, adr-0007, src/reconciler.py) — реализовано; ORCH-060 (F-1 skip escalated/Blocked/Needs-Input, `docs/work-items/ORCH-060/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-060 (Guard 1 `developer_retry_count>=MAX_DEVELOPER_RETRIES` + Guard 2 `plane_sync.fetch_issue_state` Blocked/Needs-Input, флаг `ORCH_RECONCILE_SKIP_BLOCKED_ENABLED`); ORCH-058 (провенанс staging-образа: check_staging_image_fresh + staging_check свежего образа + хук-guard, adr-0008) — реализовано в ветке feature/ORCH-058 (обновлять также при изменении src/image_freshness.py, scripts/orchestrator-deploy-hook.sh, Dockerfile); ORCH-061 (толерантность staging-вердикта к инфра-FAIL C9a/C9b, adr-0009, `docs/work-items/ORCH-061/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-061 (обновлять также при изменении src/staging_verdict.py, scripts/staging_check.py, флаг staging_infra_tolerance_enabled); ORCH-021 (post-deploy наблюдение прода + реакция на деградацию, adr-0010, `docs/work-items/ORCH-021/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-021-post-deploy-rollback (reserved-agent job `post-deploy-monitor`: арм в src/stage_engine.py блок `next_stage == "done"`, тик `run_post_deploy_monitor` + перехват в src/agents/launcher.py ДО _spawn; чистая логика src/post_deploy.py never-raise; флаги `post_deploy_*` в src/config.py; блок `post_deploy` в `/queue`; артефакт 16-post-deploy-log.md; self-hosting всегда ALERT_ONLY — тик не рестартит прод; обновлять также при изменении src/post_deploy.py / арм-блока / launcher-перехвата); ORCH-065 (job-reaper + проактивный реклейм merge-lease + идемпотентная финализация merge, adr-0011, `docs/work-items/ORCH-065/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-065 (новый daemon-поток src/job_reaper.py + старт/стоп в src/main.py lifespan; колонка `jobs.pid` через _ensure_column + проставление в src/agents/launcher.py `_spawn`; функции реклейма lease `pid_alive`/`reclaim_stale_lease` + guard `pr_already_merged` в src/merge_gate.py (консультируется merge-актором — промпт `.openclaw/agents/deployer.md`); флаги `reaper_*`/`lease_reclaim_*` в src/config.py; блок `reaper` в `/queue`; обновлять также при изменении этих мест).*
*Актуально на 2026-06-07. Обновлять при изменении src/stages.py, src/qg/checks.py, src/main.py. Статусы доработок: ORCH-036 (исполняемый самодеплой `deploy`, adr-0007) — реализовано; ORCH-043 (merge-gate, adr-0006) — design, ветка feature/ORCH-043; ORCH-053 (reconciler, adr-0007, src/reconciler.py) — реализовано; ORCH-060 (F-1 skip escalated/Blocked/Needs-Input, `docs/work-items/ORCH-060/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-060 (Guard 1 `developer_retry_count>=MAX_DEVELOPER_RETRIES` + Guard 2 `plane_sync.fetch_issue_state` Blocked/Needs-Input, флаг `ORCH_RECONCILE_SKIP_BLOCKED_ENABLED`); ORCH-058 (провенанс staging-образа: check_staging_image_fresh + staging_check свежего образа + хук-guard, adr-0008) — реализовано в ветке feature/ORCH-058 (обновлять также при изменении src/image_freshness.py, scripts/orchestrator-deploy-hook.sh, Dockerfile); ORCH-061 (толерантность staging-вердикта к инфра-FAIL C9a/C9b, adr-0009, `docs/work-items/ORCH-061/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-061 (обновлять также при изменении src/staging_verdict.py, scripts/staging_check.py, флаг staging_infra_tolerance_enabled); ORCH-021 (post-deploy наблюдение прода + реакция на деградацию, adr-0010, `docs/work-items/ORCH-021/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-021-post-deploy-rollback (reserved-agent job `post-deploy-monitor`: арм в src/stage_engine.py блок `next_stage == "done"`, тик `run_post_deploy_monitor` + перехват в src/agents/launcher.py ДО _spawn; чистая логика src/post_deploy.py never-raise; флаги `post_deploy_*` в src/config.py; блок `post_deploy` в `/queue`; артефакт 16-post-deploy-log.md; self-hosting всегда ALERT_ONLY — тик не рестартит прод; обновлять также при изменении src/post_deploy.py / арм-блока / launcher-перехвата); ORCH-065 (job-reaper + проактивный реклейм merge-lease + идемпотентная финализация merge, adr-0011, `docs/work-items/ORCH-065/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-065 (новый daemon-поток src/job_reaper.py + старт/стоп в src/main.py lifespan; колонка `jobs.pid` через _ensure_column + проставление в src/agents/launcher.py `_spawn`; функции реклейма lease `pid_alive`/`reclaim_stale_lease` + guard `pr_already_merged` в src/merge_gate.py (консультируется merge-актором — промпт `.openclaw/agents/deployer.md`); флаги `reaper_*`/`lease_reclaim_*` в src/config.py; блок `reaper` в `/queue`; обновлять также при изменении этих мест); ORCH-059 (выделенный статус-триггер прод-деплоя «Confirm Deploy», ADR `docs/work-items/ORCH-059/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-059 (маппинг `"Confirm Deploy"→"confirm_deploy"` в src/plane_sync.py `_PLANE_NAME_TO_KEY`, НЕ в `_DEFAULT_STATES` = fail-closed; ветка `handle_confirm_deploy` + fail-closed `.get("confirm_deploy")` в src/webhooks/plane.py `handle_issue_updated`; keyword-only `confirm_deploy` в src/stage_engine.py `advance_stage` — Фаза B деплоит ТОЛЬКО при `confirm_deploy=True`, иначе `Approved`-на-`deploy` = no-op; CTA Фазы A просит «Confirm Deploy»; эксплуатация — статус доски «Confirm Deploy» в Plane-проекте ORCH, `docs/work-items/ORCH-059/07-infra-requirements.md`).*

6
src/plane_sync.py
View File

@@ -128,6 +128,12 @@ _PLANE_NAME_TO_KEY: dict[str, str] = {
"Needs Input": "needs_input",
"In Review": "in_review",
"Blocked": "blocked",
# ORCH-059: dedicated prod-deploy trigger status, distinct from the
# human-gate "Approved". Resolved from the live Plane API for the ORCH
# project; intentionally ABSENT from _DEFAULT_STATES so environments without
# this board status (enduro / API fallback) fail-closed — no UUID, no
# confirm-deploy branch, no KeyError (accessed via .get).
"Confirm Deploy": "confirm_deploy",
}
# Per-project state cache: {project_id: {logical_key: state_uuid}}

55
src/stage_engine.py
View File

@@ -171,6 +171,8 @@ def advance_stage(
work_item_id: str,
branch: str,
finished_agent: str | None = None,
*,
confirm_deploy: bool = False,
) -> AdvanceResult:
"""Run the current stage's quality gate and advance / roll back the pipeline.
@@ -187,6 +189,13 @@ def advance_stage(
approved/REQUEST_CHANGES/tester/architect branches. In the
plane webhook path it is None, so those agent-specific
branches simply do not trigger (matches old plane behavior).
confirm_deploy: ORCH-059 — keyword-only signal that the human flipped the
issue to the dedicated "Confirm Deploy" status. ONLY this
signal initiates Phase B of the self-hosting prod deploy on
the `deploy` stage. A plain `Approved` on `deploy`
(confirm_deploy=False) is a deliberate no-op (no prod
deploy, no false БАГ-8 rollback). All non-webhook callers
leave it at the default.
Returns AdvanceResult describing what happened.
"""
@@ -203,21 +212,32 @@ def advance_stage(
result.note = "terminal"
return result
# --- ORCH-036 Phase B: human Approved on `deploy` -> initiate deploy --
# A human flipping the Plane status to Approved on the `deploy` stage
# (finished_agent is None) is the prod-deploy trigger for the self-hosting
# repo. Initiate the DETACHED host deploy + enqueue the finalizer and
# return WITHOUT running check_deploy_status (the verdict does not exist
# yet — running the gate now would read a stale/absent log and falsely
# roll back, R-2). The finalizer (Phase C, finished_agent="deployer")
# records the verdict later; that path is NOT intercepted here.
# --- ORCH-036/059 Phase B: "Confirm Deploy" on `deploy` -> initiate ----
# ORCH-059: the prod-deploy trigger is now the DEDICATED "Confirm Deploy"
# status (confirm_deploy=True), NOT the overloaded "Approved". On the
# `deploy` stage (finished_agent is None) for the self-hosting repo we
# always return early WITHOUT running check_deploy_status (the verdict
# does not exist yet — running the gate now would read a stale/absent log
# and falsely roll back, R-2/БАГ-8), but we only initiate the DETACHED
# host deploy + enqueue the finalizer when confirm_deploy is set. A plain
# Approved (confirm_deploy=False) is a deliberate no-op — it neither
# deploys nor rolls back (TRZ-3/AC-3). The finalizer (Phase C,
# finished_agent="deployer") records the verdict later; that path is NOT
# intercepted here (it requires finished_agent set).
if (
current_stage == "deploy"
and finished_agent is None
and settings.deploy_require_manual_approve
and self_deploy.self_deploy_applies(repo)
):
_handle_self_deploy_phase_b(task_id, repo, work_item_id, branch, result)
if confirm_deploy:
_handle_self_deploy_phase_b(task_id, repo, work_item_id, branch, result)
else:
result.note = "approved-on-deploy-noop"
logger.info(
f"Task {task_id}: Approved on `deploy` without Confirm Deploy "
f"— no-op (prod deploy requires the 'Confirm Deploy' status)"
)
return result
# --- Quality gate ----------------------------------------------------
@@ -998,9 +1018,11 @@ def _handle_self_deploy_phase_a(
Staging is green and the branch is mergeable; for the self-hosting repo we do
NOT auto-deploy to prod. Move the task onto the `deploy` stage (so a later
human Approved lands there -> Phase B), set the issue approval-pending and ask
the human to flip the status to Approved. A restart-safe `approve-requested`
marker records that Phase A ran. The merge lease stays HELD.
human "Confirm Deploy" lands there -> Phase B), set the issue approval-pending
and ask the human to flip the status to "Confirm Deploy" (ORCH-059: the
dedicated prod-deploy trigger, distinct from the human-gate "Approved"). A
restart-safe `approve-requested` marker records that Phase A ran. The merge
lease stays HELD.
"""
update_task_stage(task_id, "deploy")
notify_stage_change(task_id, current_stage, "deploy")
@@ -1022,13 +1044,14 @@ def _handle_self_deploy_phase_a(
if work_item_id:
plane_add_comment(
work_item_id,
"\U0001f7e1 Staging зелёный. Требуется ручной approve для ПРОД-деплоя: "
"смените статус задачи на «Approved», чтобы запустить деплой в прод (8500).",
"\U0001f7e1 Staging зелёный. Требуется ручное подтверждение ПРОД-деплоя: "
"смените статус задачи на «Confirm Deploy», чтобы запустить деплой в прод "
"(8500). Статус «Approved» прод-деплой НЕ запускает.",
author="deployer",
)
send_telegram(
f"\U0001f7e1 {work_item_id}: staging OK. Ждёт approve на ПРОД-деплой "
f"(смените статус на Approved)."
f"\U0001f7e1 {work_item_id}: staging OK. Ждёт подтверждения ПРОД-деплоя "
f"(смените статус на «Confirm Deploy»)."
)
logger.info(
f"Task {task_id}: self-deploy Phase A — advanced to deploy, "

63
src/webhooks/plane.py
View File

@@ -150,8 +150,15 @@ async def handle_issue_updated(data: dict, project_id: str = ""):
# both enduro (b873d9eb) and orchestrator (e331bfb3) In Progress trigger the
# pipeline. Using PLANE_STATES["in_progress"] here was the root-cause blocker.
proj_states = get_project_states(project_id)
# ORCH-059: the dedicated "Confirm Deploy" status is the prod-deploy trigger.
# fail-closed via .get — environments without the status (enduro / API
# fallback) resolve to None, so the branch simply never activates (no KeyError,
# no blind deploy). Checked before `approved` so the two gestures never alias.
confirm_state = proj_states.get("confirm_deploy")
if new_state == proj_states["in_progress"]:
await handle_status_start(data, project_id)
elif confirm_state and new_state == confirm_state:
await handle_confirm_deploy(data, project_id)
elif new_state == proj_states["approved"]:
await handle_verdict(data, project_id, approved=True)
elif new_state == proj_states["rejected"]:
@@ -160,6 +167,45 @@ async def handle_issue_updated(data: dict, project_id: str = ""):
logger.info(f"issue {plane_id} updated to state {new_state[:8]}..., no pipeline action")
async def handle_confirm_deploy(data: dict, project_id: str = ""):
"""ORCH-059: a human flipped the issue to the dedicated "Confirm Deploy"
status — the explicit trigger for the self-hosting prod deploy (Phase B).
Guarded to the `deploy` stage: "Confirm Deploy" is only meaningful on the
approval-pending `deploy` stage (Phase A advanced the task there). On any
other stage it is a no-op-with-log, so a stray Confirm Deploy can never
perturb another gate.
Routes to the unified stage engine with ``confirm_deploy=True`` so ONLY this
path initiates Phase B; a plain Approved on `deploy` stays a no-op (TRZ-3).
"""
plane_id = str(data.get("id") or "")
task = get_task_by_plane_id(plane_id)
if not task:
logger.warning(f"Confirm Deploy for {plane_id} but no task found, ignoring")
return
task_id = task["id"]
current_stage = task["stage"]
repo = task["repo"]
work_item_id = task.get("work_item_id", "")
branch = task.get("branch", "")
if current_stage != "deploy":
logger.info(
f"Confirm Deploy for {plane_id} but stage is '{current_stage}' "
f"(not 'deploy'); no-op"
)
return
logger.info(
f"Task {task_id}: Confirm Deploy status on `deploy` -> initiate Phase B prod deploy"
)
await _try_advance_stage(
task_id, current_stage, repo, work_item_id, branch, confirm_deploy=True
)
async def handle_status_start(data: dict, project_id: str = ""):
"""An issue moved into In Progress.
@@ -633,7 +679,8 @@ async def _rollback_stage(
async def _try_advance_stage(
task_id: int, current_stage: str, repo: str, work_item_id: str, branch: str
task_id: int, current_stage: str, repo: str, work_item_id: str, branch: str,
confirm_deploy: bool = False,
):
"""Thin async wrapper over the unified stage engine (ORCH-4 / M-3).
@@ -642,10 +689,15 @@ async def _try_advance_stage(
is synchronous. We run it off the event loop via asyncio.to_thread so there
is exactly one implementation shared with the launcher.
finished_agent is None on this webhook path (a human Approved status change,
not a finished agent), so the agent-specific rollback branches inside the
engine intentionally do not trigger — the webhook path only runs the QG and
either advances or reports the failure.
finished_agent is None on this webhook path (a human status change, not a
finished agent), so the agent-specific rollback branches inside the engine
intentionally do not trigger — the webhook path only runs the QG and either
advances or reports the failure.
ORCH-059: ``confirm_deploy`` is threaded through (keyword-only on
advance_stage). It is True ONLY on the "Confirm Deploy" path
(handle_confirm_deploy) and gates Phase B of the self-hosting prod deploy; the
plain Approved path (handle_verdict) leaves it at the default False.
"""
import asyncio
from ..stage_engine import advance_stage
@@ -658,6 +710,7 @@ async def _try_advance_stage(
work_item_id,
branch,
None,
confirm_deploy=confirm_deploy,
)

171
tests/test_confirm_deploy_integration.py Normal file
View File

@@ -0,0 +1,171 @@
"""ORCH-059 TC-10/11/12: end-to-end routing from a Plane webhook payload through
handle_issue_updated into the stage engine, with the host deploy mocked.
Contract (AC-2, AC-3, AC-8):
* TC-10 — task on `deploy` + webhook "Confirm Deploy" -> initiate_deploy called,
`deploy-finalizer` enqueued, `initiated` marker written.
* TC-11 — task on `deploy` + webhook "Approved" -> NO prod deploy initiated, the
task stays on `deploy` (no rollback, no advance to done).
* TC-12 — non-self repo: verdict statuses on `deploy` do not change deploy
behaviour (self_deploy_applies == False; the confirm-deploy branch is inert).
"""
import os
import tempfile
import pytest
_test_db = os.path.join(tempfile.gettempdir(), "test_orch_confirm_e2e.db")
os.environ["ORCH_DB_PATH"] = _test_db
os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir()
os.environ.setdefault("ORCH_PLANE_API_TOKEN", "test-token")
os.environ.setdefault("ORCH_GITEA_TOKEN", "test-token")
from unittest.mock import MagicMock # noqa: E402
import src.db as _db # noqa: E402
from src.db import init_db, get_db # noqa: E402
from src import stage_engine # noqa: E402
from src import self_deploy # noqa: E402
import src.plane_sync as plane_sync # noqa: E402
import src.webhooks.plane as wh # noqa: E402
IN_PROGRESS = "11111111-1111-1111-1111-111111111111"
APPROVED = "22222222-2222-2222-2222-222222222222"
REJECTED = "33333333-3333-3333-3333-333333333333"
CONFIRM = "44444444-4444-4444-4444-444444444444"
# ORCH project: Confirm Deploy resolved. enduro-like project: NO confirm_deploy key.
_STATES_SELF = {
"in_progress": IN_PROGRESS,
"approved": APPROVED,
"rejected": REJECTED,
"confirm_deploy": CONFIRM,
}
_STATES_NONSELF = {
"in_progress": IN_PROGRESS,
"approved": APPROVED,
"rejected": REJECTED,
}
@pytest.fixture(autouse=True)
def fresh_db(monkeypatch, tmp_path):
monkeypatch.setattr(_db.settings, "db_path", _test_db)
if os.path.exists(_test_db):
os.unlink(_test_db)
init_db()
monkeypatch.setattr(self_deploy.settings, "repos_dir", str(tmp_path))
monkeypatch.setattr(self_deploy.settings, "host_repos_dir", str(tmp_path))
monkeypatch.setattr(stage_engine.settings, "deploy_require_manual_approve", True)
yield
@pytest.fixture(autouse=True)
def silence_engine(monkeypatch):
for name in (
"notify_stage_change", "notify_qg_failure", "send_telegram",
"plane_notify_stage", "plane_notify_qg", "plane_add_comment",
"set_issue_in_review", "set_issue_needs_input", "set_issue_in_progress",
"set_issue_blocked", "set_issue_done",
):
monkeypatch.setattr(stage_engine, name, MagicMock(), raising=False)
def _make_task(stage, repo, branch, wi, plane_id):
conn = get_db()
cur = conn.execute(
"INSERT INTO tasks (plane_id, work_item_id, repo, branch, stage) "
"VALUES (?, ?, ?, ?, ?)",
(plane_id, wi, repo, branch, stage),
)
task_id = cur.lastrowid
conn.commit()
conn.close()
return task_id
def _stage(task_id):
conn = get_db()
row = conn.execute("SELECT stage FROM tasks WHERE id=?", (task_id,)).fetchone()
conn.close()
return row[0]
def _jobs():
conn = get_db()
rows = conn.execute("SELECT agent FROM jobs ORDER BY id").fetchall()
conn.close()
return [r[0] for r in rows]
def _payload(state_uuid, plane_id):
return {"id": plane_id, "state": {"id": state_uuid}}
# ---------------------------------------------------------------------------
# TC-10: E2E Confirm Deploy -> prod deploy initiated
# ---------------------------------------------------------------------------
@pytest.mark.asyncio
async def test_tc10_confirm_deploy_e2e_initiates(monkeypatch):
monkeypatch.setattr(plane_sync, "get_project_states", lambda pid: _STATES_SELF)
initiate = MagicMock(return_value=(True, "ok"))
monkeypatch.setattr(stage_engine.self_deploy, "initiate_deploy", initiate)
task_id = _make_task("deploy", "orchestrator", "feature/ORCH-059-x",
"ORCH-059", "plane-ORCH-059")
await wh.handle_issue_updated(_payload(CONFIRM, "plane-ORCH-059"), "orch-proj")
initiate.assert_called_once()
assert "deploy-finalizer" in _jobs()
assert self_deploy.has_marker("orchestrator", "ORCH-059", self_deploy.INITIATED)
# Verdict comes later via the finalizer — still on `deploy`.
assert _stage(task_id) == "deploy"
# ---------------------------------------------------------------------------
# TC-11: E2E Approved -> no prod deploy, task stays on deploy
# ---------------------------------------------------------------------------
@pytest.mark.asyncio
async def test_tc11_approved_e2e_noop(monkeypatch):
monkeypatch.setattr(plane_sync, "get_project_states", lambda pid: _STATES_SELF)
initiate = MagicMock(return_value=(True, "ok"))
monkeypatch.setattr(stage_engine.self_deploy, "initiate_deploy", initiate)
task_id = _make_task("deploy", "orchestrator", "feature/ORCH-059-x",
"ORCH-059", "plane-ORCH-059")
await wh.handle_issue_updated(_payload(APPROVED, "plane-ORCH-059"), "orch-proj")
initiate.assert_not_called()
assert "deploy-finalizer" not in _jobs()
assert _stage(task_id) == "deploy" # no rollback, no advance to done
assert not self_deploy.has_marker("orchestrator", "ORCH-059", self_deploy.INITIATED)
# ---------------------------------------------------------------------------
# TC-12: non-self repo -> confirm-deploy branch inert (fail-closed, no key)
# ---------------------------------------------------------------------------
@pytest.mark.asyncio
async def test_tc12_non_self_repo_unaffected(monkeypatch):
# Non-self project has no confirm_deploy key at all -> the branch never fires.
monkeypatch.setattr(plane_sync, "get_project_states", lambda pid: _STATES_NONSELF)
initiate = MagicMock(return_value=(True, "ok"))
monkeypatch.setattr(stage_engine.self_deploy, "initiate_deploy", initiate)
# Stub the deploy gate so the legacy non-self path stays deterministic (no
# real git/network); its verdict is irrelevant to this test's assertions.
monkeypatch.setattr(
stage_engine, "QG_CHECKS",
{**stage_engine.QG_CHECKS, "check_deploy_status": lambda *a, **k: (True, "ok")},
)
task_id = _make_task("deploy", "enduro-trails", "feature/ET-009-x",
"ET-009", "plane-ET-009")
# An Approved on a non-self deploy task does not initiate self-deploy logic.
await wh.handle_issue_updated(_payload(APPROVED, "plane-ET-009"), "enduro-proj")
initiate.assert_not_called()
# The (absent) Confirm Deploy status simply maps to no pipeline action.
assert self_deploy.self_deploy_applies("enduro-trails") is False

12
tests/test_deploy_approve.py
View File

@@ -139,12 +139,14 @@ def test_tc06_approved_calls_prod_hook_exactly_once(monkeypatch):
ssh_run = MagicMock(return_value=MagicMock(returncode=0, stdout="", stderr=""))
monkeypatch.setattr(self_deploy.subprocess, "run", ssh_run)
task_id = _make_task("deploy") # already on deploy, awaiting Approved
task_id = _make_task("deploy") # already on deploy, awaiting Confirm Deploy
# 1st human Approved -> Phase B initiates the detached deploy.
# ORCH-059: Phase B is now triggered by the dedicated "Confirm Deploy" status
# (confirm_deploy=True), NOT by a plain Approved. 1st Confirm Deploy ->
# Phase B initiates the detached deploy.
res1 = advance_stage(
task_id, "deploy", "orchestrator", "ORCH-036",
"feature/ORCH-036-x", finished_agent=None,
"feature/ORCH-036-x", finished_agent=None, confirm_deploy=True,
)
assert res1.note == "self-deploy-initiated"
assert ssh_run.call_count == 1
@@ -152,10 +154,10 @@ def test_tc06_approved_calls_prod_hook_exactly_once(monkeypatch):
assert any(j["agent"] == "deploy-finalizer" for j in _jobs())
assert self_deploy.has_marker("orchestrator", "ORCH-036", self_deploy.INITIATED)
# 2nd (duplicate) Approved -> idempotent no-op, hook NOT called again.
# 2nd (duplicate) Confirm Deploy -> idempotent no-op, hook NOT called again.
res2 = advance_stage(
task_id, "deploy", "orchestrator", "ORCH-036",
"feature/ORCH-036-x", finished_agent=None,
"feature/ORCH-036-x", finished_agent=None, confirm_deploy=True,
)
assert res2.note == "self-deploy-already-initiated"
assert ssh_run.call_count == 1 # still exactly one prod deploy

152
tests/test_plane_confirm_deploy.py Normal file
View File

@@ -0,0 +1,152 @@
"""ORCH-059 TC-04/05/06: webhook routing for the dedicated "Confirm Deploy"
status vs. the overloaded "Approved".
Contract (AC-2, AC-3, AC-4):
* TC-04 — handle_issue_updated routes a "Confirm Deploy" status on a `deploy`
task to the Phase B path (handle_confirm_deploy -> advance_stage with
confirm_deploy=True), NOT the plain approve/advance path.
* TC-05 — an "Approved" status on a `deploy` task does NOT initiate the prod
deploy (self_deploy.initiate_deploy is never called).
* TC-06 — an "Approved" status on an `analysis` task still advances
analysis -> architecture (the approved-via-status human gate is intact).
"""
import os
import tempfile
import pytest
_test_db = os.path.join(tempfile.gettempdir(), "test_orch_confirm_routing.db")
os.environ["ORCH_DB_PATH"] = _test_db
os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir()
os.environ.setdefault("ORCH_PLANE_API_TOKEN", "test-token")
os.environ.setdefault("ORCH_GITEA_TOKEN", "test-token")
from unittest.mock import AsyncMock, MagicMock # noqa: E402
import src.db as _db # noqa: E402
from src.db import init_db, get_db # noqa: E402
from src import stage_engine # noqa: E402
from src import self_deploy # noqa: E402
import src.plane_sync as plane_sync # noqa: E402
import src.webhooks.plane as wh # noqa: E402
IN_PROGRESS = "11111111-1111-1111-1111-111111111111"
APPROVED = "22222222-2222-2222-2222-222222222222"
REJECTED = "33333333-3333-3333-3333-333333333333"
CONFIRM = "44444444-4444-4444-4444-444444444444"
_STATES = {
"in_progress": IN_PROGRESS,
"approved": APPROVED,
"rejected": REJECTED,
"confirm_deploy": CONFIRM,
}
@pytest.fixture(autouse=True)
def fresh_db(monkeypatch, tmp_path):
monkeypatch.setattr(_db.settings, "db_path", _test_db)
if os.path.exists(_test_db):
os.unlink(_test_db)
init_db()
# Deterministic per-project states (no network). handle_issue_updated imports
# get_project_states locally from ..plane_sync, so patch it at the source.
monkeypatch.setattr(plane_sync, "get_project_states", lambda pid: _STATES)
# Isolate sentinel dirs.
monkeypatch.setattr(self_deploy.settings, "repos_dir", str(tmp_path))
monkeypatch.setattr(self_deploy.settings, "host_repos_dir", str(tmp_path))
yield
@pytest.fixture(autouse=True)
def silence_engine(monkeypatch):
for name in (
"notify_stage_change", "notify_qg_failure", "send_telegram",
"plane_notify_stage", "plane_notify_qg", "plane_add_comment",
"set_issue_in_review", "set_issue_needs_input", "set_issue_in_progress",
"set_issue_blocked", "set_issue_done",
):
monkeypatch.setattr(stage_engine, name, MagicMock(), raising=False)
def _make_task(stage, repo="orchestrator", branch="feature/ORCH-059-x",
wi="ORCH-059", plane_id="plane-ORCH-059"):
conn = get_db()
cur = conn.execute(
"INSERT INTO tasks (plane_id, work_item_id, repo, branch, stage) "
"VALUES (?, ?, ?, ?, ?)",
(plane_id, wi, repo, branch, stage),
)
task_id = cur.lastrowid
conn.commit()
conn.close()
return task_id
def _payload(state_uuid, plane_id="plane-ORCH-059"):
return {"id": plane_id, "state": {"id": state_uuid}}
# ---------------------------------------------------------------------------
# TC-04: "Confirm Deploy" routes to the Phase B path with confirm_deploy=True
# ---------------------------------------------------------------------------
@pytest.mark.asyncio
async def test_tc04_confirm_deploy_routes_phase_b(monkeypatch):
_make_task("deploy")
spy = AsyncMock()
monkeypatch.setattr(wh, "_try_advance_stage", spy)
# handle_verdict must NOT be taken for the confirm-deploy status.
verdict_spy = AsyncMock()
monkeypatch.setattr(wh, "handle_verdict", verdict_spy)
await wh.handle_issue_updated(_payload(CONFIRM), "proj")
spy.assert_awaited_once()
# confirm_deploy=True must be threaded through.
assert spy.await_args.kwargs.get("confirm_deploy") is True
verdict_spy.assert_not_awaited()
@pytest.mark.asyncio
async def test_tc04b_confirm_deploy_off_deploy_stage_is_noop(monkeypatch):
"""Guard: a stray "Confirm Deploy" on a non-deploy stage is a no-op (no advance)."""
_make_task("analysis")
spy = AsyncMock()
monkeypatch.setattr(wh, "_try_advance_stage", spy)
await wh.handle_confirm_deploy(_payload(CONFIRM), "proj")
spy.assert_not_awaited()
# ---------------------------------------------------------------------------
# TC-05: "Approved" on `deploy` does NOT initiate the prod deploy
# ---------------------------------------------------------------------------
@pytest.mark.asyncio
async def test_tc05_approved_on_deploy_does_not_initiate(monkeypatch):
monkeypatch.setattr(stage_engine.settings, "deploy_require_manual_approve", True)
_make_task("deploy")
initiate = MagicMock()
monkeypatch.setattr(stage_engine.self_deploy, "initiate_deploy", initiate)
# Real routing: Approved -> handle_verdict -> _try_advance_stage(confirm_deploy=False)
# -> advance_stage -> the deploy block no-ops (does not initiate).
await wh.handle_issue_updated(_payload(APPROVED), "proj")
initiate.assert_not_called()
# ---------------------------------------------------------------------------
# TC-06: "Approved" on `analysis` still advances analysis -> architecture
# ---------------------------------------------------------------------------
@pytest.mark.asyncio
async def test_tc06_approved_on_analysis_still_advances(monkeypatch):
task_id = _make_task("analysis")
await wh.handle_issue_updated(_payload(APPROVED), "proj")
conn = get_db()
stage = conn.execute("SELECT stage FROM tasks WHERE id=?", (task_id,)).fetchone()[0]
conn.close()
assert stage == "architecture"

120
tests/test_plane_states.py Normal file
View File

@@ -0,0 +1,120 @@
"""ORCH-059 TC-01/02/03: resolver registration of the dedicated "Confirm Deploy"
status and its fail-closed absence in fallback environments.
Contract (AC-1, AC-7):
* TC-01 — _PLANE_NAME_TO_KEY maps the board name "Confirm Deploy" to the logical
key "confirm_deploy".
* TC-02 — get_project_states for an ORCH-like project (Plane API mocked to
include a "Confirm Deploy" state) returns a NON-empty uuid under
"confirm_deploy", distinct from "approved".
* TC-03 — fail-closed: when the status is absent (API fallback to
_DEFAULT_STATES / unreachable Plane), the key is simply missing and a .get
access yields None WITHOUT raising — the confirm-deploy branch never activates.
"""
import os
import tempfile
import pytest
os.environ.setdefault("ORCH_PLANE_API_TOKEN", "test-token")
os.environ.setdefault("ORCH_GITEA_TOKEN", "test-token")
os.environ["ORCH_DB_PATH"] = os.path.join(tempfile.gettempdir(), "test_orch_plane_states.db")
import src.plane_sync as plane_sync # noqa: E402
from src.plane_sync import ( # noqa: E402
_PLANE_NAME_TO_KEY,
_DEFAULT_STATES,
get_project_states,
reload_project_states,
)
@pytest.fixture(autouse=True)
def fresh_cache():
reload_project_states()
yield
reload_project_states()
# ---------------------------------------------------------------------------
# TC-01: name -> key mapping is registered
# ---------------------------------------------------------------------------
def test_tc01_confirm_deploy_name_to_key_mapping():
assert _PLANE_NAME_TO_KEY.get("Confirm Deploy") == "confirm_deploy"
def test_tc01_confirm_deploy_not_in_default_states():
"""Fail-closed by construction: NO fallback UUID exists for confirm_deploy, so
enduro / API-fallback environments never resolve a (wrong) deploy trigger."""
assert "confirm_deploy" not in _DEFAULT_STATES
# ---------------------------------------------------------------------------
# TC-02: live API resolves a real, distinct uuid for an ORCH-like project
# ---------------------------------------------------------------------------
def test_tc02_get_project_states_resolves_confirm_deploy(monkeypatch):
confirm_uuid = "cfd00000-0000-0000-0000-000000000059"
approved_uuid = "a519a341-dada-4a91-8910-7604f82b79c5"
class _Resp:
def raise_for_status(self):
pass
def json(self):
return {
"results": [
{"name": "In Progress", "id": "b873d9eb-993c-48cd-97ac-99a9b1623967"},
{"name": "Approved", "id": approved_uuid},
{"name": "Confirm Deploy", "id": confirm_uuid},
]
}
monkeypatch.setattr(plane_sync.httpx, "get", lambda *a, **k: _Resp())
states = get_project_states("orch-project-uuid")
assert states.get("confirm_deploy") == confirm_uuid
# Distinct gestures: confirm-deploy must NOT alias the human "Approved" gate.
assert states["confirm_deploy"] != states["approved"]
# ---------------------------------------------------------------------------
# TC-03: fail-closed when the status is absent (API fallback / unreachable)
# ---------------------------------------------------------------------------
def test_tc03_fail_closed_when_api_unreachable(monkeypatch):
"""A Plane outage -> get_project_states falls back to _DEFAULT_STATES, which
has no confirm_deploy key. .get must yield None, never raise."""
def _boom(*a, **k):
raise RuntimeError("plane down")
monkeypatch.setattr(plane_sync.httpx, "get", _boom)
states = get_project_states("any-project-uuid")
# No KeyError, branch never activates.
assert states.get("confirm_deploy") is None
# The human gate "Approved" still resolves (fallback is intact).
assert states.get("approved") == _DEFAULT_STATES["approved"]
def test_tc03_fail_closed_when_status_not_on_board(monkeypatch):
"""Project whose board lacks "Confirm Deploy": the key is filled by NEITHER the
API loop NOR the _DEFAULT_STATES backfill -> absent -> fail-closed."""
class _Resp:
def raise_for_status(self):
pass
def json(self):
return {
"results": [
{"name": "In Progress", "id": "b873d9eb-993c-48cd-97ac-99a9b1623967"},
{"name": "Approved", "id": "a519a341-dada-4a91-8910-7604f82b79c5"},
]
}
monkeypatch.setattr(plane_sync.httpx, "get", lambda *a, **k: _Resp())
states = get_project_states("board-without-confirm")
assert states.get("confirm_deploy") is None
assert states.get("approved") == "a519a341-dada-4a91-8910-7604f82b79c5"

101
tests/test_stage_engine_phase_a_cta.py Normal file
View File

@@ -0,0 +1,101 @@
"""ORCH-059 TC-09: the Phase A CTA asks the operator for "Confirm Deploy".
Contract (AC-6): when Phase A advances `deploy-staging` -> `deploy` and requests
manual approval, both the Plane comment and the Telegram notification must
instruct the operator to flip the status to "Confirm Deploy" (the dedicated
prod-deploy trigger) — and must NOT present "Approved" as the deploy trigger.
"""
import os
import tempfile
import pytest
_test_db = os.path.join(tempfile.gettempdir(), "test_orch_phase_a_cta.db")
os.environ["ORCH_DB_PATH"] = _test_db
os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir()
os.environ.setdefault("ORCH_GITEA_TOKEN", "test-token")
os.environ.setdefault("ORCH_PLANE_API_TOKEN", "test-token")
from unittest.mock import MagicMock # noqa: E402
import src.db as _db # noqa: E402
from src.db import init_db, get_db # noqa: E402
from src import stage_engine # noqa: E402
from src import self_deploy # noqa: E402
from src.stage_engine import advance_stage # noqa: E402
def _pass(*a, **k):
return (True, "ok")
@pytest.fixture(autouse=True)
def fresh_db(monkeypatch, tmp_path):
monkeypatch.setattr(_db.settings, "db_path", _test_db)
if os.path.exists(_test_db):
os.unlink(_test_db)
init_db()
monkeypatch.setattr(self_deploy.settings, "repos_dir", str(tmp_path))
monkeypatch.setattr(self_deploy.settings, "host_repos_dir", str(tmp_path))
monkeypatch.setattr(stage_engine.settings, "deploy_require_manual_approve", True)
# Pass the staging / merge / freshness sub-gates so the edge reaches Phase A.
monkeypatch.setattr(
stage_engine, "QG_CHECKS",
{**stage_engine.QG_CHECKS,
"check_staging_status": _pass,
"check_branch_mergeable": _pass,
"check_staging_image_fresh": _pass},
)
yield
def _make_task(stage="deploy-staging", repo="orchestrator",
branch="feature/ORCH-059-x", wi="ORCH-059"):
conn = get_db()
cur = conn.execute(
"INSERT INTO tasks (plane_id, work_item_id, repo, branch, stage) "
"VALUES (?, ?, ?, ?, ?)",
(f"plane-{wi}", wi, repo, branch, stage),
)
task_id = cur.lastrowid
conn.commit()
conn.close()
return task_id
def test_tc09_phase_a_cta_requests_confirm_deploy(monkeypatch):
# Silence everything EXCEPT the two CTA channels we want to inspect.
for name in (
"notify_stage_change", "notify_qg_failure", "plane_notify_stage",
"plane_notify_qg", "set_issue_in_review", "set_issue_needs_input",
"set_issue_in_progress", "set_issue_blocked", "set_issue_done",
):
monkeypatch.setattr(stage_engine, name, MagicMock(), raising=False)
plane_comment = MagicMock()
telegram = MagicMock()
monkeypatch.setattr(stage_engine, "plane_add_comment", plane_comment)
monkeypatch.setattr(stage_engine, "send_telegram", telegram)
task_id = _make_task()
res = advance_stage(
task_id, "deploy-staging", "orchestrator", "ORCH-059",
"feature/ORCH-059-x", finished_agent="deployer",
)
assert res.note == "self-deploy-approval-pending"
# The Plane comment CTA mentions "Confirm Deploy" as the trigger.
plane_comment.assert_called_once()
comment_text = plane_comment.call_args.args[1]
assert "Confirm Deploy" in comment_text
# The Telegram CTA mentions "Confirm Deploy" too.
telegram.assert_called_once()
tg_text = telegram.call_args.args[0]
assert "Confirm Deploy" in tg_text
# Neither CTA presents bare "Approved" as the deploy trigger. (The comment may
# mention Approved only to clarify it does NOT trigger; assert no instruction
# to "set status to Approved".)
assert "статус задачи на «Approved»" not in comment_text
assert "на Approved" not in tg_text

141
tests/test_stage_engine_phase_b.py Normal file
View File

@@ -0,0 +1,141 @@
"""ORCH-059 TC-07/08: the Phase B block in stage_engine.advance_stage initiates
the prod deploy ONLY on the confirm-deploy signal.
Contract (AC-2, AC-3, AC-5):
* TC-07 — on (current_stage=="deploy", finished_agent is None) for the
self-hosting repo: confirm_deploy=True -> Phase B initiates; confirm_deploy
omitted/False (a plain Approved) -> a no-op that neither initiates the deploy
nor runs check_deploy_status (no false БАГ-8 rollback).
* TC-08 — idempotency: with the `initiated` marker already present, a repeated
confirm-deploy does NOT initiate again.
"""
import os
import tempfile
import pytest
_test_db = os.path.join(tempfile.gettempdir(), "test_orch_phase_b.db")
os.environ["ORCH_DB_PATH"] = _test_db
os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir()
os.environ.setdefault("ORCH_GITEA_TOKEN", "test-token")
os.environ.setdefault("ORCH_PLANE_API_TOKEN", "test-token")
from unittest.mock import MagicMock # noqa: E402
import src.db as _db # noqa: E402
from src.db import init_db, get_db # noqa: E402
from src import stage_engine # noqa: E402
from src import self_deploy # noqa: E402
from src.stage_engine import advance_stage # noqa: E402
@pytest.fixture(autouse=True)
def fresh_db(monkeypatch, tmp_path):
monkeypatch.setattr(_db.settings, "db_path", _test_db)
if os.path.exists(_test_db):
os.unlink(_test_db)
init_db()
monkeypatch.setattr(self_deploy.settings, "repos_dir", str(tmp_path))
monkeypatch.setattr(self_deploy.settings, "host_repos_dir", str(tmp_path))
monkeypatch.setattr(stage_engine.settings, "deploy_require_manual_approve", True)
yield
@pytest.fixture(autouse=True)
def silence_side_effects(monkeypatch):
for name in (
"notify_stage_change", "notify_qg_failure", "send_telegram",
"plane_notify_stage", "plane_notify_qg", "plane_add_comment",
"set_issue_in_review", "set_issue_needs_input", "set_issue_in_progress",
"set_issue_blocked", "set_issue_done",
):
monkeypatch.setattr(stage_engine, name, MagicMock(), raising=False)
def _make_task(stage, repo="orchestrator", branch="feature/ORCH-059-x", wi="ORCH-059"):
conn = get_db()
cur = conn.execute(
"INSERT INTO tasks (plane_id, work_item_id, repo, branch, stage) "
"VALUES (?, ?, ?, ?, ?)",
(f"plane-{wi}", wi, repo, branch, stage),
)
task_id = cur.lastrowid
conn.commit()
conn.close()
return task_id
def _stage(task_id):
conn = get_db()
row = conn.execute("SELECT stage FROM tasks WHERE id=?", (task_id,)).fetchone()
conn.close()
return row[0]
# ---------------------------------------------------------------------------
# TC-07: confirm-deploy initiates; plain Approved is a no-op
# ---------------------------------------------------------------------------
def test_tc07_confirm_deploy_initiates(monkeypatch):
initiate = MagicMock(return_value=(True, "ok"))
monkeypatch.setattr(stage_engine.self_deploy, "initiate_deploy", initiate)
task_id = _make_task("deploy")
res = advance_stage(
task_id, "deploy", "orchestrator", "ORCH-059",
"feature/ORCH-059-x", finished_agent=None, confirm_deploy=True,
)
assert res.note == "self-deploy-initiated"
initiate.assert_called_once()
assert self_deploy.has_marker("orchestrator", "ORCH-059", self_deploy.INITIATED)
# Did NOT advance off deploy — the finalizer records the verdict later.
assert _stage(task_id) == "deploy"
def test_tc07_approved_without_confirm_is_noop(monkeypatch):
"""A plain Approved on `deploy` (confirm_deploy defaults to False): no
initiate_deploy, no rollback, no advance — a deterministic no-op (AC-3)."""
initiate = MagicMock(return_value=(True, "ok"))
monkeypatch.setattr(stage_engine.self_deploy, "initiate_deploy", initiate)
# If check_deploy_status were (wrongly) run, it would intervene; spy to prove
# it is never invoked on this no-op path.
gate = MagicMock(return_value=(False, "FAILED"))
monkeypatch.setattr(
stage_engine, "QG_CHECKS",
{**stage_engine.QG_CHECKS, "check_deploy_status": gate},
)
task_id = _make_task("deploy")
res = advance_stage(
task_id, "deploy", "orchestrator", "ORCH-059",
"feature/ORCH-059-x", finished_agent=None, # confirm_deploy omitted -> False
)
assert res.note == "approved-on-deploy-noop"
initiate.assert_not_called()
gate.assert_not_called() # check_deploy_status NOT run -> no false БАГ-8
assert res.advanced is False
assert res.rolled_back_to is None
assert _stage(task_id) == "deploy" # stays put, no rollback to development
assert not self_deploy.has_marker("orchestrator", "ORCH-059", self_deploy.INITIATED)
# ---------------------------------------------------------------------------
# TC-08: idempotency — existing `initiated` marker -> repeat is a no-op
# ---------------------------------------------------------------------------
def test_tc08_idempotent_repeat_confirm_deploy(monkeypatch):
initiate = MagicMock(return_value=(True, "ok"))
monkeypatch.setattr(stage_engine.self_deploy, "initiate_deploy", initiate)
task_id = _make_task("deploy")
# Pre-seed the initiated marker (a deploy already in flight).
self_deploy.write_marker("orchestrator", "ORCH-059", self_deploy.INITIATED, content="1")
res = advance_stage(
task_id, "deploy", "orchestrator", "ORCH-059",
"feature/ORCH-059-x", finished_agent=None, confirm_deploy=True,
)
assert res.note == "self-deploy-already-initiated"
initiate.assert_not_called()