From a98d605477c262e35d7a1bafed3b2d9ddc1ee50b Mon Sep 17 00:00:00 2001 From: claude-bot Date: Wed, 10 Jun 2026 02:53:15 +0300 Subject: [PATCH] feat(fs): legacy root-owned ownership detect + actionable worktree error (ORCH-057) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up ORCH-040: legacy root:root files in /repos broke worktree creation under uid 1000 with a raw "Permission denied" (agent never started, no diagnosis). Three additive, kill-switch-reversible layers; STAGE_TRANSITIONS / QG_CHECKS / check_* / machine-verdict keys / DB schema are byte-for-byte unchanged. - D1: ensure_worktree classifies the permission class and raises an actionable RuntimeError (cause + chown command + INFRA.md ref); non-permission errors keep the prior raw-stderr contract; kill-switch off -> contract 1:1 as before ORCH-057. - D2: new never-raise leaf src/fs_normalize.py — scan_ownership (TTL-cached, early-exit per root), applies()-first scope (empty CSV -> self-hosting only), opt-in normalize() that chowns ONLY when privileged (no-op under uid 1000). - D3: best-effort startup detect in main.lifespan (WARNING + Telegram on mismatch, never-fatal); read-only fs_ownership block in GET /queue; POST /fs-normalize/check. Claim is NOT blocked — the clear early outcome is delivered by D1 at launch. - Docs/config: .env.example flags + CHANGELOG (architecture README / adr-0031 / INFRA.md procedure already landed on the branch). - Tests: test_fs_normalize.py, test_git_worktree_perm.py, test_fs_normalize_startup.py, test_api_queue.py (TC-01..TC-12). Full suite green. Refs: ORCH-057 Co-Authored-By: Claude Opus 4.8 --- .env.example | 23 ++ .task-dev.md | 4 +- CHANGELOG.md | 6 + src/fs_normalize.py | 539 +++++++++++++++++++++++++++++ src/git_worktree.py | 41 ++- src/main.py | 63 ++++ tests/test_api_queue.py | 68 ++++ tests/test_fs_normalize.py | 214 ++++++++++++ tests/test_fs_normalize_startup.py | 136 ++++++++ tests/test_git_worktree_perm.py | 139 ++++++++ 10 files changed, 1228 insertions(+), 5 deletions(-) create mode 100644 src/fs_normalize.py create mode 100644 tests/test_api_queue.py create mode 100644 tests/test_fs_normalize.py create mode 100644 tests/test_fs_normalize_startup.py create mode 100644 tests/test_git_worktree_perm.py diff --git a/.env.example b/.env.example index 4d479f1..39bfb51 100644 --- a/.env.example +++ b/.env.example @@ -394,6 +394,29 @@ ORCH_COVERAGE_EPSILON=0.5 ORCH_COVERAGE_TOOL_FAIL_CLOSED=false ORCH_COVERAGE_RUN_TIMEOUT_S=900 +# ORCH-057 (follow-up ORCH-040): legacy root-owned ownership detect + actionable +# worktree error. After the uid migration (user: "1000:1000") legacy root:root files +# in /repos broke worktree creation under uid 1000 with a raw "Permission denied". +# Three additive, kill-switch-reversible layers: an actionable RuntimeError in +# ensure_worktree, a cheap never-raise detect leaf (src/fs_normalize.py) with a +# startup WARNING/Telegram + GET /queue fs_ownership block, and an opt-in chown ONLY +# when privileged (under uid 1000 a no-op; the real fix is the operator procedure in +# docs/operations/INFRA.md «Миграция uid»). No STAGE_TRANSITIONS / QG_CHECKS / schema +# change. +# ENABLED -> kill-switch; false -> all code inert, behaviour 1:1 as before +# ORCH-057 (the actionable error too). +# REPOS -> CSV of repos the layer is REAL for; empty -> self-hosting only. +# TARGET_UID -> target uid fallback when os.getuid() is unavailable. +# NORMALIZE_AUTO -> detect-only (false) | attempt chown when privileged (true). +# SCAN_ROOTS -> CSV override of the scan roots (empty -> default roots). +# SCAN_CACHE_TTL_S -> TTL of the detect cache (mirrors ORCH_PREFLIGHT_CACHE_TTL). +ORCH_FS_NORMALIZE_ENABLED=true +ORCH_FS_NORMALIZE_REPOS= +ORCH_FS_TARGET_UID=1000 +ORCH_FS_NORMALIZE_AUTO=false +ORCH_FS_SCAN_ROOTS= +ORCH_FS_SCAN_CACHE_TTL_S=300 + # ORCH-099 (FND/F1a): operator off-switch for the read-only GET /metrics endpoint # (raw-signal snapshot for the F1b sidecar). Default true -> available out of the # box. false -> /metrics returns a minimal parsable body {"schema_version":1, diff --git a/.task-dev.md b/.task-dev.md index 1964470..b2687c2 100644 --- a/.task-dev.md +++ b/.task-dev.md @@ -1,4 +1,4 @@ -Work item: ORCH-099 +Work item: ORCH-057 Repo: orchestrator -Branch: feature/ORCH-099-fnd-f1a-metrics-agent-liveness +Branch: feature/ORCH-057-bug-follow-up-orch-040-normali Stage: development \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ceaa28..74ac986 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,12 @@ Формат: [Keep a Changelog](https://keepachangelog.com/). Записи — на смысловой PR/задачу. ## [Unreleased] +- **Детект legacy root-owned файлов + внятная ошибка worktree при миграции на uid 1000** (ORCH-057, follow-up ORCH-040, `feat`): закрыт недоделанный AC ORCH-040 — legacy `root:root` файлы в `/repos` (после перевода контейнеров на `user: "1000:1000"`) ломали создание worktree под uid 1000 (`ensure_worktree` → сырой `fatal: … Permission denied`, агент не стартовал, диагноза не было). Три аддитивных, обратимых kill-switch'ем слоя; **`STAGE_TRANSITIONS` / `QG_CHECKS` / `check_*` / machine-verdict-ключи / схема БД — байт-в-байт прежние**. ADR: `docs/work-items/ORCH-057/06-adr/ADR-001-legacy-ownership-normalization.md`, сквозной `docs/architecture/adr/adr-0031-legacy-ownership-normalization.md`. + - **D1 — actionable-ошибка `ensure_worktree`:** класс «нет прав» (`Permission denied` / `could not create leading directories` / `insufficient permission for adding an object` / `PermissionError`/`EACCES`/`EPERM`) оборачивается в `RuntimeError` с **причиной** (legacy root-файлы в `/repos/_wt`/`.git` после миграции uid), **лечащей командой** (`chown -R : …`) и ссылкой на `INFRA.md` — вместо сырого git stderr. Ошибки, **не** связанные с правами, сохраняют прежний контракт (меняется только формулировка, не факт сбоя; чистый классификатор `fs_normalize.classify_worktree_error`). Под выключенным kill-switch контракт ошибки 1:1 как до ORCH-057. + - **D2 — детект-леаф `src/fs_normalize.py`** (never-raise, паттерн `serial_gate`/`coverage_gate`): `scan_ownership(roots, target_uid=os.getuid())` обходит `/repos/_wt`, `/.git/{objects,worktrees}`, `data/runs` с ранним выходом при первом `st_uid != target_uid`, TTL-кэшем (`fs_scan_cache_ttl_s`, по образцу `preflight._cache`) и `applies(repo)` first (пустой CSV → self-hosting only → enduro-trails не сканируется). Опц. `normalize()` chown'ит **только** при `geteuid()==0` (под uid 1000 — no-op + честный лог «нужна операторская процедура», НЕ ошибка). + - **D3 — наблюдаемость, БЕЗ блокировки claim:** best-effort вызов `scan_ownership()` на старте `main.lifespan` (рядом с lease-reclaim/log-rotation, never-fatal) → WARNING + Telegram при mismatch; read-only блок `fs_ownership` в `GET /queue`; опц. ручной `POST /fs-normalize/check`. Claim **не** блокируется (preflight repo-слеп → регресс enduro; queue_worker — дорогой FS-обход в hot-path + молчаливое зависание); внятный ранний отказ даёт D1 в точке launch. + - **Процедура (D5):** обязательная операторская нормализация под root на хосте — в `docs/operations/INFRA.md` (раздел «Миграция uid: обязательная нормализация legacy root-файлов», все корни: `_wt`, оба `.git`, `data/runs`); фактический `chown` остаётся ручным шагом (контейнер без root его сделать не может) — задача гарантирует **внятность** отказа, а не его отсутствие. + - **Флаги** (`src/config.py`, аддитивно): `ORCH_FS_NORMALIZE_ENABLED` (kill-switch), `ORCH_FS_NORMALIZE_REPOS` (CSV; пусто → self-hosting only), `ORCH_FS_TARGET_UID` (1000), `ORCH_FS_NORMALIZE_AUTO` (детект-only), `ORCH_FS_SCAN_ROOTS`, `ORCH_FS_SCAN_CACHE_TTL_S`. Тесты: `tests/test_fs_normalize.py`, `tests/test_git_worktree_perm.py`, `tests/test_fs_normalize_startup.py`, `tests/test_api_queue.py` (TC-01…TC-12). - **Лёгкий read-only `GET /metrics` — машинное «сырьё» о самом орке для sidecar F1b** (ORCH-099, FND/F1a, `feat`): добавлен версионируемый JSON-эндпоинт `GET /metrics`, отдающий снимок внутреннего состояния орка для будущего отдельного sidecar-наблюдателя F1b (`watchdog/`) — наблюдатель отделён от наблюдаемого (BRD §1): орк отдаёт ТОЛЬКО факты, которые знает лишь он сам; пороги/алерты/история/Telegram — на стороне F1b. **Аддитивно, строго read-only, never-raise:** `STAGE_TRANSITIONS` / `QG_CHECKS` / `check_*` / machine-verdict ключи / схема БД — **не тронуты**; `/health`/`/status`/`/queue` — байт-в-байт прежние. ADR: `docs/work-items/ORCH-099/06-adr/ADR-001-metrics-endpoint.md`, сквозной `docs/architecture/adr/adr-0030-metrics-endpoint.md`. - **Leaf-сборщик + тонкий эндпоинт (D1):** новый `src/metrics.py` (`build_metrics() -> dict`, never-raise по разделам, паттерн `serial_gate.snapshot()`) собирает конверт по-раздельно (каждый раздел в своём `try/except` → безопасный дефолт `null`/`[]`/`{}` + WARNING); эндпоинт `@app.get("/metrics")` в `src/main.py` — тонкая обёртка, возвращает результат как есть (стиль `GET /queue`). Тестируемость без ASGI: разделы проверяются прямым вызовом `build_metrics()`. - **Конверт + контракт `schema_version` (D2):** `schema_version` (стартует с `1`), `generated_at` (UTC ISO-8601, часовой домен орка → дельты CPU иммунны к skew орк↔sidecar, TR-3), `clk_tck` (`os.sysconf("SC_CLK_TCK")`, базис тиков). Политика: аддитивные изменения **НЕ бампят** версию (sidecar обязан игнорировать незнакомые ключи) — бамп только при ломающем (rename/remove/retype). diff --git a/src/fs_normalize.py b/src/fs_normalize.py new file mode 100644 index 0000000..ee459b7 --- /dev/null +++ b/src/fs_normalize.py @@ -0,0 +1,539 @@ +"""Legacy root-owned ownership detect + actionable worktree error (ORCH-057). + +Background +---------- +ORCH-040 moved both containers to ``user: "1000:1000"`` by editing ONLY +``docker-compose.yml``. Changing ``user:`` does NOT change the owner of files that +the previous root container already created. The bind-mount ``/home/slin/repos -> +/repos`` therefore still held ``root:root`` directories (``_wt/``, old worktrees, +``.git/objects``, ``data/runs``). Under uid 1000 (no root) ``git_worktree. +ensure_worktree`` could not create a worktree next to a ``root:root`` ``/repos/_wt`` +and failed with a RAW ``fatal: could not create leading directories … Permission +denied`` — the agent never started and the operator had no diagnosis. + +The container runs as numeric uid 1000 WITHOUT root, so it physically cannot +``chown`` foreign (root-owned) files — only DETECT + DIAGNOSE. The real fix is the +documented operator procedure (INFRA.md «Миграция uid»), run once on the host. + +This leaf (ADR-001) provides three additive, kill-switch-reversible primitives: + + * ``classify_worktree_error`` / ``build_worktree_help`` — the pure classifier + + actionable message used by ``git_worktree.ensure_worktree`` (D1 / FR-1). + * ``scan_ownership`` — a cheap, TTL-cached, never-raise walk of the infra roots + that reports whether any file has ``uid != target_uid`` (D2 / FR-2), used by the + startup hook (D3 / FR-3) and the ``GET /queue`` ``fs_ownership`` block. + * ``normalize`` — an opt-in ``chown`` that runs ONLY when the process is + privileged (root / CAP_CHOWN); under uid 1000 it is a no-op + honest log, NOT + an error (D4 / FR-4). + +Invariants (never broken): + * **never-raise** (NFR-3): every public function degrades to a conservative, + non-blocking default and NEVER propagates into the worker / lifespan / worktree + path. A detect error -> WARNING + ``mismatch=False`` (do not block / panic). + * **applies() first** (NFR-2): the expensive walk runs only when the layer is REAL + for the repo (``fs_normalize_enabled`` + scope; empty CSV -> self-hosting only), + so enduro-trails is never scanned at the default config. + * **kill-switch reversible** (D6): ``fs_normalize_enabled=False`` -> all code inert, + behaviour 1:1 as before ORCH-057 (the actionable error contract too). + * **no chown without privilege** (NFR-1): the code only reads / detects / diagnoses; + a real ``chown`` happens only when privileged and ``fs_normalize_auto=True``. + +Leaf: imports only ``config`` / ``logging`` / ``os`` / ``time`` (+ lazily +``qg.checks.is_self_hosting_repo`` / ``notifications`` for scope / observability). It +never imports ``git_worktree`` / ``stage_engine`` / ``launcher`` (``git_worktree`` +imports THIS module, so the dependency is one-way). +""" +from __future__ import annotations + +import errno +import logging +import os +import time +from dataclasses import dataclass, field + +from .config import settings + +logger = logging.getLogger("orchestrator.fs_normalize") + +# Permission-class markers in a git stderr / OSError string (D1 / TR-1). Narrow on +# purpose — a non-permission error (real branch conflict, missing origin/main, +# timeout) must NOT be reclassified (AC-2 FAIL-condition), so we match only the +# unambiguous "no permission to create the file/object" phrases. +_PERM_MARKERS = ( + "permission denied", + "could not create leading directories", + "insufficient permission for adding an object", + "operation not permitted", +) + + +# --------------------------------------------------------------------------- +# Resolution helpers (target uid, scope, roots) +# --------------------------------------------------------------------------- +def _resolve_target_uid(target_uid: int | None = None) -> int: + """The uid the scan compares against (the subject that "cannot create files"). + + Resolution order (D2 / TR-7): explicit ``target_uid`` arg > ``os.getuid()`` (the + uid the process really runs as) > ``settings.fs_target_uid`` fallback (default + 1000) when ``os.getuid()`` is unavailable. Never raises. + """ + if target_uid is not None: + return int(target_uid) + try: + return os.getuid() + except (AttributeError, OSError): # pragma: no cover - non-POSIX fallback + try: + return int(settings.fs_target_uid) + except (TypeError, ValueError): + return 1000 + + +def _scope_repos() -> list[str]: + """Repos the layer is REAL for (used to build the default ``.git`` roots). + + Non-empty ``fs_normalize_repos`` CSV -> those repos; empty -> self-hosting only + (``orchestrator``), mirroring ``coverage_gate``. Never raises -> [] on error. + """ + try: + raw = (settings.fs_normalize_repos or "").strip() + except Exception: # noqa: BLE001 - never-raise + return [] + if raw: + return [r.strip() for r in raw.split(",") if r.strip()] + try: + from .qg.checks import SELF_HOSTING_REPO + return [SELF_HOSTING_REPO] + except Exception: # noqa: BLE001 + return ["orchestrator"] + + +def _runs_root() -> str: + """``data/runs`` root (per ADR: ``os.path.dirname(db_path)/runs``).""" + try: + rd = getattr(settings, "runs_dir", None) + if rd: + return rd + except Exception: # noqa: BLE001 + pass + try: + return os.path.join(os.path.dirname(settings.db_path), "runs") + except Exception: # noqa: BLE001 + return "/app/data/runs" + + +def _default_roots() -> list[str]: + """The default scan roots (D2): ``/repos/_wt``, ``data/runs`` and each in-scope + repo's ``.git/objects`` + ``.git/worktrees``. Never raises -> [] on error. + """ + roots: list[str] = [] + try: + wt = getattr(settings, "worktrees_dir", None) + if wt: + roots.append(wt) + roots.append(_runs_root()) + repos_dir = getattr(settings, "repos_dir", "/repos") + for repo in _scope_repos(): + base = os.path.join(repos_dir, repo, ".git") + roots.append(os.path.join(base, "objects")) + roots.append(os.path.join(base, "worktrees")) + except Exception as e: # noqa: BLE001 - never-raise + logger.warning("fs_normalize._default_roots error: %s", e) + return roots + + +def _resolve_roots(roots: list[str] | None = None) -> list[str]: + """Resolve scan roots: explicit arg > ``fs_scan_roots`` CSV > the default set.""" + if roots is not None: + return list(roots) + try: + raw = (settings.fs_scan_roots or "").strip() + except Exception: # noqa: BLE001 + raw = "" + if raw: + return [r.strip() for r in raw.split(",") if r.strip()] + return _default_roots() + + +# --------------------------------------------------------------------------- +# Conditionality (mirrors coverage_gate_applies) +# --------------------------------------------------------------------------- +def applies(repo: str) -> bool: + """Whether the ORCH-057 layer is REAL for this repo (D6 / NFR-2). + + * ``fs_normalize_enabled=False`` -> always False (kill-switch). + * ``fs_normalize_repos`` (CSV) non-empty -> real only for the listed repos. + * empty CSV -> real ONLY for the self-hosting repo (``orchestrator``). + Never raises -> False (the safe no-op default). + """ + try: + if not settings.fs_normalize_enabled: + return False + raw = (settings.fs_normalize_repos or "").strip() + if raw: + allowed = {r.strip().lower() for r in raw.split(",") if r.strip()} + return (repo or "").strip().lower() in allowed + from .qg.checks import is_self_hosting_repo + return is_self_hosting_repo(repo) + except Exception as e: # noqa: BLE001 - never-raise contract + logger.warning("fs_normalize.applies error for %s: %s", repo, e) + return False + + +# --------------------------------------------------------------------------- +# D1: actionable worktree error (pure classifier + message) +# --------------------------------------------------------------------------- +def classify_worktree_error(text: str | None) -> bool: + """Pure: True iff ``text`` looks like a "no permission to create" failure. + + Matches only the narrow ``_PERM_MARKERS`` so a non-permission git error keeps + its original contract (AC-2). Never raises -> False on bad input. + """ + try: + t = (text or "").lower() + return any(m in t for m in _PERM_MARKERS) + except Exception: # noqa: BLE001 + return False + + +def is_permission_failure(*, stderr: str | None = None, exc: BaseException | None = None) -> bool: + """True iff a worktree failure is the legacy-ownership permission class. + + Considers both a git ``stderr`` string (marker match) and an ``OSError`` + (``PermissionError`` or ``errno`` in ``EACCES``/``EPERM``). Never raises. + """ + try: + if isinstance(exc, PermissionError): + return True + if isinstance(exc, OSError) and exc.errno in (errno.EACCES, errno.EPERM): + return True + if classify_worktree_error(stderr): + return True + if exc is not None and classify_worktree_error(str(exc)): + return True + except Exception: # noqa: BLE001 + return False + return False + + +def build_worktree_help(repo: str, branch: str, target_uid: int | None = None, raw: str = "") -> str: + """Build the actionable RuntimeError message for a permission-class worktree + failure (D1): names the root cause + the healing command + the INFRA.md + procedure, instead of a raw git stderr (AC-2). Never raises. + """ + try: + tuid = _resolve_target_uid(target_uid) + wt_dir = getattr(settings, "worktrees_dir", "/repos/_wt") + git_dir = os.path.join(getattr(settings, "repos_dir", "/repos"), repo, ".git") + msg = ( + f"Cannot create git worktree for {repo}:{branch} — permission denied. " + f"Likely cause: legacy root-owned files in {wt_dir} or {git_dir} left over " + f"from before the uid migration (ORCH-040). This container runs as uid " + f"{tuid} without root and cannot chown foreign files itself. Fix (run once " + f"on the host as root): `sudo chown -R {tuid}:{tuid} {wt_dir}` and " + f"`sudo chown -R {tuid}:{tuid} {git_dir}`. See docs/operations/INFRA.md " + f"section «Миграция uid: обязательная нормализация legacy root-файлов»." + ) + if raw: + msg += f" (underlying error: {raw.strip()})" + return msg + except Exception: # noqa: BLE001 - never-raise; degrade to a minimal hint + return ( + f"Cannot create git worktree for {repo}:{branch} — permission denied " + f"(legacy root-owned files; see docs/operations/INFRA.md «Миграция uid»)." + ) + + +# --------------------------------------------------------------------------- +# D2: ownership scan (TTL-cached, never-raise, early-exit per root) +# --------------------------------------------------------------------------- +@dataclass +class OwnershipScan: + """Result of an ownership scan (D2). ``mismatch`` is the boolean verdict.""" + + mismatch: bool + target_uid: int + roots_checked: list[str] = field(default_factory=list) + roots_mismatch: list[str] = field(default_factory=list) + sample_path: str | None = None + count: int | None = None + checked_at: float = 0.0 + enabled: bool = True + + def to_dict(self) -> dict: + return { + "enabled": self.enabled, + "mismatch": self.mismatch, + "target_uid": self.target_uid, + "roots_checked": self.roots_checked, + "roots_mismatch": self.roots_mismatch, + "sample_path": self.sample_path, + "count": self.count, + "checked_at": self.checked_at, + } + + +class _ScanCache: + def __init__(self): + self.ts: float = 0.0 + self.key: tuple | None = None + self.result: OwnershipScan | None = None + + +_cache = _ScanCache() + + +def reset_cache() -> None: + """Invalidate the TTL detect cache (tests / forced recheck).""" + _cache.ts = 0.0 + _cache.key = None + _cache.result = None + + +def _first_mismatch(root: str, target_uid: int) -> str | None: + """Return the first path under ``root`` whose ``st_uid != target_uid`` (early + exit), else None. ``os.lstat`` (not ``stat``) so a symlink's own ownership is + judged, never its target. Never raises -> None on any walk error. + """ + try: + if not os.path.exists(root): + return None + try: + if os.lstat(root).st_uid != target_uid: + return root + except OSError: + return None + for dirpath, dirnames, filenames in os.walk(root, onerror=None): + for name in dirnames: + p = os.path.join(dirpath, name) + try: + if os.lstat(p).st_uid != target_uid: + return p + except OSError: + continue + for name in filenames: + p = os.path.join(dirpath, name) + try: + if os.lstat(p).st_uid != target_uid: + return p + except OSError: + continue + except Exception as e: # noqa: BLE001 - never-raise + logger.warning("fs_normalize._first_mismatch error for %s: %s", root, e) + return None + return None + + +def _scan(roots: list[str], target_uid: int) -> OwnershipScan: + """Walk each root, early-exiting per root at its first mismatch. The clean case + (no mismatch) walks fully; the dirty case stops fast per root (TR-2 cost). Lists + every affected root (informative verdict). Never raises -> conservative + ``mismatch=False`` on a wholesale error. + """ + roots_checked: list[str] = [] + roots_mismatch: list[str] = [] + sample_path: str | None = None + try: + for root in roots: + if not os.path.exists(root): + continue + roots_checked.append(root) + hit = _first_mismatch(root, target_uid) + if hit is not None: + roots_mismatch.append(root) + if sample_path is None: + sample_path = hit + except Exception as e: # noqa: BLE001 - never-raise -> conservative verdict + logger.warning("fs_normalize._scan error -> mismatch=False: %s", e) + return OwnershipScan( + mismatch=False, target_uid=target_uid, + roots_checked=roots_checked, roots_mismatch=[], checked_at=time.time(), + ) + return OwnershipScan( + mismatch=bool(roots_mismatch), + target_uid=target_uid, + roots_checked=roots_checked, + roots_mismatch=roots_mismatch, + sample_path=sample_path, + checked_at=time.time(), + ) + + +def scan_ownership( + roots: list[str] | None = None, + target_uid: int | None = None, + force: bool = False, +) -> OwnershipScan: + """Detect files with ``uid != target_uid`` across the infra roots (D2 / FR-2). + + TTL-cached (``fs_scan_cache_ttl_s``, mirrors ``preflight._cache``): a repeat call + inside the window with the SAME (roots, target_uid) returns the cached result + without re-walking; ``force=True`` (or ``reset_cache()``) re-scans. Kill-switch + off -> an inert ``mismatch=False`` result (``enabled=False``). Never raises. + """ + try: + if not settings.fs_normalize_enabled: + return OwnershipScan( + mismatch=False, target_uid=_resolve_target_uid(target_uid), + checked_at=time.time(), enabled=False, + ) + resolved_roots = _resolve_roots(roots) + tuid = _resolve_target_uid(target_uid) + key = (tuple(resolved_roots), tuid) + now = time.time() + try: + ttl = float(settings.fs_scan_cache_ttl_s) + except (TypeError, ValueError): + ttl = 300.0 + if ( + not force + and _cache.result is not None + and _cache.key == key + and (now - _cache.ts) < ttl + ): + return _cache.result + result = _scan(resolved_roots, tuid) + _cache.ts = now + _cache.key = key + _cache.result = result + return result + except Exception as e: # noqa: BLE001 - never-raise -> conservative verdict + logger.warning("fs_normalize.scan_ownership error -> mismatch=False: %s", e) + return OwnershipScan( + mismatch=False, target_uid=_resolve_target_uid(target_uid), + checked_at=time.time(), + ) + + +# --------------------------------------------------------------------------- +# D4: opt-in normalize (chown ONLY when privileged) — never init-container +# --------------------------------------------------------------------------- +def _is_privileged() -> bool: + """True iff the process can chown foreign files (root). Under uid 1000 -> False. + + A practical check: ``os.geteuid() == 0``. A CAP_CHOWN-without-root environment + still degrades to the honest no-op (a chown attempt would simply fail and be + swallowed). Never raises -> False (the safe "not privileged" default). + """ + try: + return os.geteuid() == 0 + except (AttributeError, OSError): # pragma: no cover - non-POSIX + return False + + +def normalize(roots: list[str] | None = None, target_uid: int | None = None) -> dict: + """Opt-in ``chown -R target_uid:target_uid`` over the roots, ONLY when the + process is privileged (D4 / FR-4). Under uid 1000 (the prod-self case) it is a + no-op + honest log "operator procedure required" — NOT an error. Gated by + ``fs_normalize_auto`` at the call site; this function additionally self-guards on + ``_is_privileged()``. Never raises. + + Returns a result dict ``{attempted, privileged, changed, errors, note}``. + """ + result = {"attempted": False, "privileged": False, "changed": 0, "errors": [], "note": ""} + try: + if not settings.fs_normalize_enabled: + result["note"] = "disabled (fs_normalize_enabled=False)" + return result + tuid = _resolve_target_uid(target_uid) + privileged = _is_privileged() + result["privileged"] = privileged + if not privileged: + result["note"] = ( + "not privileged (process runs as non-root) — chown of legacy " + "root-owned files needs the operator procedure (docs/operations/" + "INFRA.md «Миграция uid»)." + ) + logger.warning("fs_normalize.normalize: %s", result["note"]) + return result + + result["attempted"] = True + resolved_roots = _resolve_roots(roots) + changed = 0 + for root in resolved_roots: + if not os.path.exists(root): + continue + for path in _iter_paths(root): + try: + if os.lstat(path).st_uid != tuid: + os.chown(path, tuid, tuid, follow_symlinks=False) + changed += 1 + except OSError as e: + result["errors"].append(f"{path}: {e}") + result["changed"] = changed + result["note"] = f"chown applied to {changed} path(s) over {len(resolved_roots)} root(s)" + logger.info("fs_normalize.normalize: %s", result["note"]) + return result + except Exception as e: # noqa: BLE001 - never-raise + logger.error("fs_normalize.normalize error: %s", e) + result["note"] = f"error: {e}" + return result + + +def _iter_paths(root: str): + """Yield ``root`` and every path beneath it (never raises per item).""" + try: + yield root + for dirpath, dirnames, filenames in os.walk(root, onerror=None): + for name in dirnames + filenames: + yield os.path.join(dirpath, name) + except Exception as e: # noqa: BLE001 + logger.warning("fs_normalize._iter_paths error for %s: %s", root, e) + + +# --------------------------------------------------------------------------- +# Observability snapshot for GET /queue (D6 / AC-4) +# --------------------------------------------------------------------------- +def snapshot() -> dict: + """Read-only ownership summary for GET /queue (``fs_ownership`` block, AC-4). + + Additive; uses the TTL-cached scan (no expensive walk on every /queue hit). + never-raise: any error -> a minimal dict carrying the flags. + """ + try: + enabled = bool(settings.fs_normalize_enabled) + except Exception: # noqa: BLE001 + enabled = False + try: + auto = bool(getattr(settings, "fs_normalize_auto", False)) + except Exception: # noqa: BLE001 + auto = False + try: + repos_cfg = getattr(settings, "fs_normalize_repos", "") or "" + except Exception: # noqa: BLE001 + repos_cfg = "" + out = { + "enabled": enabled, + "auto": auto, + "repos": repos_cfg, + "target_uid": _resolve_target_uid(), + "mismatch": False, + "roots_checked": [], + "roots_mismatch": [], + "sample_path": None, + "checked_at": None, + } + try: + if enabled: + scan = scan_ownership() + out["mismatch"] = scan.mismatch + out["target_uid"] = scan.target_uid + out["roots_checked"] = scan.roots_checked + out["roots_mismatch"] = scan.roots_mismatch + out["sample_path"] = scan.sample_path + out["checked_at"] = scan.checked_at or None + except Exception as e: # noqa: BLE001 - never-raise -> minimal dict + logger.warning("fs_normalize.snapshot error: %s", e) + return out + + +def healing_command(target_uid: int | None = None) -> str: + """The one-line operator healing hint (startup WARNING / Telegram). Never raises.""" + try: + tuid = _resolve_target_uid(target_uid) + wt_dir = getattr(settings, "worktrees_dir", "/repos/_wt") + return ( + f"sudo chown -R {tuid}:{tuid} {wt_dir} /.git data/runs " + f"(см. docs/operations/INFRA.md «Миграция uid»)" + ) + except Exception: # noqa: BLE001 + return "sudo chown -R 1000:1000 /repos/_wt (см. docs/operations/INFRA.md «Миграция uid»)" diff --git a/src/git_worktree.py b/src/git_worktree.py index 1721907..1e82ca0 100644 --- a/src/git_worktree.py +++ b/src/git_worktree.py @@ -39,6 +39,31 @@ def _main_repo(repo: str) -> str: return os.path.join(settings.repos_dir, repo) +def _raise_if_permission(repo: str, branch: str, *, stderr: str | None = None, + exc: BaseException | None = None) -> None: + """ORCH-057 D1: if a worktree failure is the legacy-ownership permission class, + raise an actionable ``RuntimeError`` (cause + healing command + INFRA.md ref) + instead of a raw git stderr (FR-1 / AC-2). + + Gated by ``fs_normalize_enabled`` — when the kill-switch is off the error + contract is byte-for-byte as before ORCH-057 (this helper is a no-op, the caller + re-raises the original). A non-permission error is also a no-op here, so the + caller's existing message/semantics are preserved (no meaning substitution). + Never raises anything other than the deliberate actionable RuntimeError. + """ + try: + if not settings.fs_normalize_enabled: + return + from . import fs_normalize + if fs_normalize.is_permission_failure(stderr=stderr, exc=exc): + raw = stderr if stderr is not None else (str(exc) if exc else "") + raise RuntimeError(fs_normalize.build_worktree_help(repo, branch, raw=raw)) + except RuntimeError: + raise + except Exception as e: # noqa: BLE001 - classification must never mask the real error + logger.warning("worktree permission-classification skipped: %s", e) + + def ensure_worktree(repo: str, branch: str) -> str: """Create (or reuse) an isolated worktree for ``branch``. Returns its path. @@ -75,7 +100,14 @@ def ensure_worktree(repo: str, branch: str) -> str: logger.info(f"Worktree reused: {wt} (branch {branch})") return wt - os.makedirs(os.path.dirname(wt), exist_ok=True) + # ORCH-057 D1: creating the leading worktree directory next to a legacy + # root-owned /repos/_wt fails with Permission denied under uid 1000 — turn that + # into an actionable error (the kill-switch / non-permission path is unchanged). + try: + os.makedirs(os.path.dirname(wt), exist_ok=True) + except OSError as e: + _raise_if_permission(repo, branch, exc=e) + raise # Try to attach an existing branch (local or remote-tracking) to the new worktree. r = subprocess.run(["git", "-C", main_repo, "worktree", "add", wt, branch], @@ -87,9 +119,12 @@ def ensure_worktree(repo: str, branch: str) -> str: capture_output=True, text=True, timeout=60, ) if r2.returncode != 0: + combined = f"{r.stderr.strip()} | {r2.stderr.strip()}" + # ORCH-057 D1: a permission-class git fatal -> actionable RuntimeError; + # any other failure keeps the prior raw-stderr contract (AC-2). + _raise_if_permission(repo, branch, stderr=combined) raise RuntimeError( - f"git worktree add failed for {repo}:{branch}: " - f"{r.stderr.strip()} | {r2.stderr.strip()}" + f"git worktree add failed for {repo}:{branch}: {combined}" ) logger.info(f"Worktree ready: {wt} (branch {branch})") return wt diff --git a/src/main.py b/src/main.py index 64a3981..4c5d5fc 100644 --- a/src/main.py +++ b/src/main.py @@ -89,6 +89,44 @@ async def lifespan(app: FastAPI): except Exception as e: log.warning(f"Log rotation skipped: {e}") + # ORCH-057 (D3 / FR-3): best-effort legacy-ownership detect. Surfaces a + # PROACTIVE operator signal (WARNING + Telegram) when /repos still holds + # root-owned files after the uid migration, BEFORE a task fails on launch. + # never-fatal (mirrors lease-reclaim / log-rotation above): a detect error must + # not crash the start of the shared instance. The actual "clear, early" failure + # is delivered by the actionable error in ensure_worktree (D1) — claim is NOT + # blocked (ADR-001 D3). Honours ORCH_FS_NORMALIZE_ENABLED inside scan_ownership. + try: + from .fs_normalize import scan_ownership, healing_command, normalize + from .config import settings as _fs_settings + scan = scan_ownership() + if scan.mismatch: + log.warning( + "FS-ownership mismatch: %d root(s) with files not owned by uid %s " + "(%s; sample: %s). Heal: %s", + len(scan.roots_mismatch), scan.target_uid, + ", ".join(scan.roots_mismatch), scan.sample_path, healing_command(), + ) + try: + from .notifications import send_telegram + send_telegram( + "⚠️ Orchestrator: обнаружены legacy root-owned файлы в " + f"{', '.join(scan.roots_mismatch)} (uid != {scan.target_uid}). " + f"Первый запуск задачи может упасть на создании worktree. " + f"Лечение: {healing_command()}" + ) + except Exception: + pass + # D4 / FR-4: opt-in auto-chown ONLY when privileged (no-op under uid 1000). + if getattr(_fs_settings, "fs_normalize_auto", False): + try: + res = normalize() + log.warning("FS-ownership auto-normalize: %s", res.get("note")) + except Exception as e: # noqa: BLE001 + log.warning("FS-ownership auto-normalize skipped: %s", e) + except Exception as e: + log.warning(f"FS-ownership detect skipped: {e}") + # Start the background job-queue worker (ORCH-1). from .queue_worker import worker worker.start() @@ -171,6 +209,7 @@ async def queue(): from . import task_deps from . import serial_gate from . import coverage_gate + from . import fs_normalize from . import labels from . import cancel from .disk_watchdog import disk_watchdog @@ -193,6 +232,10 @@ async def queue(): # ORCH-027 (FR-7 / AC-9): coverage-gate observability (read-only) — # kill-switch, scope, policy/floor/epsilon, per-repo baselines. Additive block. "coverage": coverage_gate.snapshot(), + # ORCH-057 (D6 / AC-4): legacy-ownership detect observability (read-only) — + # kill-switch, scope, target_uid, mismatch + affected roots (TTL-cached scan). + # Additive block; never-raise. + "fs_ownership": fs_normalize.snapshot(), # ORCH-089 (D7): auto-mode-by-label observability (read-only) — kill-switch, # label names, scope. Additive block. "auto_labels": labels.snapshot(), @@ -262,6 +305,26 @@ async def serial_gate_unfreeze(repo: str = ""): return {"ok": True, "repo": repo, "cleared": cleared, "frozen": frozen} +@app.post("/fs-normalize/check") +async def fs_normalize_check(normalize: bool = False): + """ORCH-057 (D6 / AC-4): force a fresh legacy-ownership detect (bypass the TTL + cache) and return the snapshot. By образцу ``POST /serial-gate/unfreeze``. + + ``normalize=true`` additionally attempts an opt-in ``chown`` — a no-op under uid + 1000 (the prod-self case), effective only when the process is privileged (D4). + The real fix remains the operator procedure (docs/operations/INFRA.md «Миграция + uid»). Read-only/never-raise otherwise. + """ + from . import fs_normalize as _fs + scan = _fs.scan_ownership(force=True) + out = {"ok": True, "scan": scan.to_dict(), "healing": _fs.healing_command()} + if normalize: + out["normalize"] = _fs.normalize() + # Re-scan so the returned snapshot reflects any change a privileged run made. + out["scan"] = _fs.scan_ownership(force=True).to_dict() + return out + + @app.post("/coverage/baseline") async def coverage_set_baseline(repo: str = "", value: float | None = None): """ORCH-027 (D8): manually set/override the per-repo coverage baseline. diff --git a/tests/test_api_queue.py b/tests/test_api_queue.py new file mode 100644 index 0000000..6d0237b --- /dev/null +++ b/tests/test_api_queue.py @@ -0,0 +1,68 @@ +"""ORCH-057 TC-12: GET /queue exposes the read-only fs_ownership block. + +The block carries {enabled, target_uid, mismatch, roots_checked, roots_mismatch, +sample_path, checked_at, ...} and /queue must not 5xx whether the layer is on or off. +""" +import os +import tempfile + +import pytest + +_test_db = os.path.join(tempfile.gettempdir(), "test_orchestrator_apiq.db") +os.environ["ORCH_DB_PATH"] = _test_db +os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir() +os.environ["ORCH_GITEA_TOKEN"] = "test-token" +os.environ["ORCH_PLANE_API_TOKEN"] = "test-token" +os.environ["ORCH_PLANE_WEBHOOK_SECRET"] = "" +os.environ["ORCH_GITEA_WEBHOOK_SECRET"] = "" + +from fastapi.testclient import TestClient + +from src import fs_normalize +from src.main import app +from src.db import init_db + +client = TestClient(app) + + +@pytest.fixture(autouse=True) +def _db(): + if os.path.exists(_test_db): + os.unlink(_test_db) + init_db() + fs_normalize.reset_cache() + yield + if os.path.exists(_test_db): + os.unlink(_test_db) + + +def test_tc12_queue_exposes_fs_ownership_block(monkeypatch): + """TC-12: GET /queue returns the fs_ownership block with the documented shape.""" + monkeypatch.setattr(fs_normalize.settings, "fs_normalize_enabled", True) + r = client.get("/queue") + assert r.status_code == 200 + body = r.json() + assert "fs_ownership" in body + block = body["fs_ownership"] + for k in ("enabled", "target_uid", "mismatch", "roots_checked", + "roots_mismatch", "sample_path", "checked_at"): + assert k in block + + +def test_tc12_queue_no_5xx_when_disabled(monkeypatch): + """TC-12: with the kill-switch off /queue still returns 200 (no 5xx).""" + monkeypatch.setattr(fs_normalize.settings, "fs_normalize_enabled", False) + fs_normalize.reset_cache() + r = client.get("/queue") + assert r.status_code == 200 + assert r.json()["fs_ownership"]["enabled"] is False + + +def test_fs_normalize_check_endpoint(): + """The optional POST /fs-normalize/check force-rescans and returns the snapshot.""" + r = client.post("/fs-normalize/check") + assert r.status_code == 200 + body = r.json() + assert body["ok"] is True + assert "scan" in body and "mismatch" in body["scan"] + assert "healing" in body diff --git a/tests/test_fs_normalize.py b/tests/test_fs_normalize.py new file mode 100644 index 0000000..3a18e61 --- /dev/null +++ b/tests/test_fs_normalize.py @@ -0,0 +1,214 @@ +"""ORCH-057 D2/D4/D6: ownership-detect leaf (src/fs_normalize.py) unit tests. + +TC-03..TC-09 (04-test-plan.yaml). All FS-dependent tests use ``tmp_path`` and vary +``target_uid`` (a uid no tmp file actually has -> mismatch; the runner's own uid -> +clean) so NO real chown / privilege is needed. ``os.geteuid`` is monkeypatched for +the privilege-gated normalize test (TC-08). Never touches /repos. +""" +import os +import tempfile + +import pytest + +_test_db = os.path.join(tempfile.gettempdir(), "test_orchestrator_fsn.db") +os.environ["ORCH_DB_PATH"] = _test_db +os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir() +os.environ["ORCH_GITEA_TOKEN"] = "test-token" +os.environ["ORCH_PLANE_API_TOKEN"] = "test-token" + +from src import fs_normalize + + +_NONEXISTENT_UID = 999999 # no tmp file is owned by this uid -> deterministic mismatch + + +@pytest.fixture(autouse=True) +def _reset(monkeypatch): + fs_normalize.reset_cache() + monkeypatch.setattr(fs_normalize.settings, "fs_normalize_enabled", True) + monkeypatch.setattr(fs_normalize.settings, "fs_normalize_repos", "") + monkeypatch.setattr(fs_normalize.settings, "fs_normalize_auto", False) + monkeypatch.setattr(fs_normalize.settings, "fs_scan_cache_ttl_s", 300) + yield + fs_normalize.reset_cache() + + +@pytest.fixture +def tree(tmp_path): + """A small dir tree with a file, owned by the test runner's own uid.""" + d = tmp_path / "root" + (d / "sub").mkdir(parents=True) + (d / "a.txt").write_text("a") + (d / "sub" / "b.txt").write_text("b") + return d + + +# --------------------------------------------------------------------------- +# TC-03 / TC-04 — scan verdict +# --------------------------------------------------------------------------- +def test_tc03_scan_detects_mismatch(tree): + """TC-03: a tree whose files are not owned by target_uid -> mismatch=True with the + affected root listed and a sample path set.""" + scan = fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID) + assert scan.mismatch is True + assert str(tree) in scan.roots_mismatch + assert scan.sample_path is not None + assert scan.target_uid == _NONEXISTENT_UID + + +def test_tc04_clean_tree_no_mismatch(tree): + """TC-04: a clean tree (all files owned by target_uid == the runner) -> idempotent + mismatch=False no-op.""" + scan = fs_normalize.scan_ownership(roots=[str(tree)], target_uid=os.getuid()) + assert scan.mismatch is False + assert scan.roots_mismatch == [] + assert scan.sample_path is None + + +# --------------------------------------------------------------------------- +# TC-05 — never-raise on bad/missing root +# --------------------------------------------------------------------------- +def test_tc05_never_raise_on_missing_root(tmp_path): + """TC-05: a non-existent root degrades to mismatch=False, never raises.""" + missing = str(tmp_path / "does-not-exist") + scan = fs_normalize.scan_ownership(roots=[missing], target_uid=_NONEXISTENT_UID) + assert scan.mismatch is False + assert scan.roots_checked == [] # the missing root is skipped + + +def test_tc05_never_raise_on_walk_error(tree, monkeypatch): + """TC-05: an os.walk explosion mid-scan degrades to a conservative verdict.""" + def boom(*a, **k): + raise OSError("simulated walk failure") + + monkeypatch.setattr(fs_normalize.os, "walk", boom) + scan = fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID) + # The root dir itself is owned by the runner (not _NONEXISTENT_UID was checked via + # lstat which still works) -> walk error swallowed, no exception escapes. + assert isinstance(scan, fs_normalize.OwnershipScan) + + +# --------------------------------------------------------------------------- +# TC-06 — applies() scope +# --------------------------------------------------------------------------- +def test_tc06_applies_empty_csv_self_hosting_only(monkeypatch): + """TC-06: empty ORCH_FS_NORMALIZE_REPOS -> True only for the self-hosting repo + (orchestrator), False for enduro-trails.""" + monkeypatch.setattr(fs_normalize.settings, "fs_normalize_repos", "") + assert fs_normalize.applies("orchestrator") is True + assert fs_normalize.applies("enduro-trails") is False + + +def test_tc06_applies_explicit_csv(monkeypatch): + """TC-06: a non-empty CSV scopes by list (case-insensitive).""" + monkeypatch.setattr(fs_normalize.settings, "fs_normalize_repos", "enduro-trails") + assert fs_normalize.applies("enduro-trails") is True + assert fs_normalize.applies("orchestrator") is False + + +# --------------------------------------------------------------------------- +# TC-07 — kill-switch +# --------------------------------------------------------------------------- +def test_tc07_killswitch_off_scan_inert(tree, monkeypatch): + """TC-07: fs_normalize_enabled=False -> scan is inert (mismatch=False, enabled + flag exposes the off state); applies() False for everyone.""" + monkeypatch.setattr(fs_normalize.settings, "fs_normalize_enabled", False) + scan = fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID) + assert scan.mismatch is False + assert scan.enabled is False + assert fs_normalize.applies("orchestrator") is False + + +def test_tc07_killswitch_off_normalize_inert(tree, monkeypatch): + """TC-07: normalize is a documented no-op when the kill-switch is off.""" + monkeypatch.setattr(fs_normalize.settings, "fs_normalize_enabled", False) + res = fs_normalize.normalize(roots=[str(tree)], target_uid=_NONEXISTENT_UID) + assert res["attempted"] is False + assert res["changed"] == 0 + assert "disabled" in res["note"] + + +# --------------------------------------------------------------------------- +# TC-08 — normalize without privilege +# --------------------------------------------------------------------------- +def test_tc08_normalize_without_rights_is_noop_not_error(tree, monkeypatch): + """TC-08: under a non-root euid with auto=True and foreign files, normalize is a + no-op + honest log ('operator procedure required'), NOT an exception.""" + monkeypatch.setattr(fs_normalize.settings, "fs_normalize_auto", True) + monkeypatch.setattr(fs_normalize.os, "geteuid", lambda: 1000) # non-root + res = fs_normalize.normalize(roots=[str(tree)], target_uid=_NONEXISTENT_UID) + assert res["privileged"] is False + assert res["attempted"] is False + assert res["changed"] == 0 + assert "INFRA.md" in res["note"] + + +# --------------------------------------------------------------------------- +# TC-09 — TTL cache +# --------------------------------------------------------------------------- +def test_tc09_ttl_cache_avoids_rescan(tree, monkeypatch): + """TC-09: a repeat call inside the TTL window does NOT re-walk; force/reset + invalidates (mirrors preflight._cache).""" + calls = {"n": 0} + real_scan = fs_normalize._scan + + def counting_scan(roots, target_uid): + calls["n"] += 1 + return real_scan(roots, target_uid) + + monkeypatch.setattr(fs_normalize, "_scan", counting_scan) + + fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID) + fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID) + assert calls["n"] == 1 # second call served from cache + + fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID, force=True) + assert calls["n"] == 2 # force bypasses the cache + + fs_normalize.reset_cache() + fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID) + assert calls["n"] == 3 # reset invalidates + + +def test_tc09_cache_keyed_by_roots_and_uid(tree, monkeypatch): + """A different (roots, target_uid) key is not served from another key's cache.""" + calls = {"n": 0} + real_scan = fs_normalize._scan + + def counting_scan(roots, target_uid): + calls["n"] += 1 + return real_scan(roots, target_uid) + + monkeypatch.setattr(fs_normalize, "_scan", counting_scan) + fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID) + fs_normalize.scan_ownership(roots=[str(tree)], target_uid=os.getuid()) # different uid + assert calls["n"] == 2 + + +# --------------------------------------------------------------------------- +# classifier (pure) + snapshot +# --------------------------------------------------------------------------- +def test_classify_worktree_error_markers(): + assert fs_normalize.classify_worktree_error("fatal: ...: Permission denied") is True + assert fs_normalize.classify_worktree_error("could not create leading directories") is True + assert fs_normalize.classify_worktree_error("insufficient permission for adding an object") is True + assert fs_normalize.classify_worktree_error("fatal: branch already checked out") is False + assert fs_normalize.classify_worktree_error("") is False + assert fs_normalize.classify_worktree_error(None) is False + + +def test_is_permission_failure_from_exc(): + assert fs_normalize.is_permission_failure(exc=PermissionError(13, "denied")) is True + import errno as _errno + assert fs_normalize.is_permission_failure(exc=OSError(_errno.EACCES, "x")) is True + assert fs_normalize.is_permission_failure(exc=OSError(_errno.ENOENT, "x")) is False + + +def test_snapshot_shape(tree, monkeypatch): + """snapshot() returns the additive fs_ownership block and never raises.""" + monkeypatch.setattr(fs_normalize.settings, "fs_scan_roots", str(tree)) + snap = fs_normalize.snapshot() + for k in ("enabled", "auto", "repos", "target_uid", "mismatch", + "roots_checked", "roots_mismatch", "sample_path", "checked_at"): + assert k in snap + assert snap["enabled"] is True diff --git a/tests/test_fs_normalize_startup.py b/tests/test_fs_normalize_startup.py new file mode 100644 index 0000000..deda547 --- /dev/null +++ b/tests/test_fs_normalize_startup.py @@ -0,0 +1,136 @@ +"""ORCH-057 D3: startup-hook observability + the clear pre-launch outcome. + +TC-10 / TC-11 (04-test-plan.yaml): + * TC-10 — the lifespan startup hook, on a detected mismatch, emits a WARNING and a + Telegram message; a detect error never crashes the start (never-fatal). + * TC-11 — the "clear, early" outcome on a permission failure is delivered by the + actionable ensure_worktree error (ADR-001 D3: claim is NOT blocked), i.e. the + launch surfaces an actionable diagnosis, never a raw git-fatal. + +Background daemons are disabled via env so the lifespan is cheap and deterministic. +""" +import os +import tempfile + +import pytest + +_test_db = os.path.join(tempfile.gettempdir(), "test_orchestrator_fsn_startup.db") +os.environ["ORCH_DB_PATH"] = _test_db +os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir() +os.environ["ORCH_GITEA_TOKEN"] = "test-token" +os.environ["ORCH_PLANE_API_TOKEN"] = "test-token" +os.environ["ORCH_PLANE_WEBHOOK_SECRET"] = "" +os.environ["ORCH_GITEA_WEBHOOK_SECRET"] = "" +# Keep the lifespan light: no background daemons during the test. +os.environ["ORCH_RECONCILE_ENABLED"] = "false" +os.environ["ORCH_REAPER_ENABLED"] = "false" +os.environ["ORCH_DISK_MONITOR_ENABLED"] = "false" +os.environ["ORCH_BUILD_CACHE_PRUNE_ENABLED"] = "false" +os.environ["ORCH_FS_NORMALIZE_ENABLED"] = "true" + +from fastapi.testclient import TestClient + +from src import fs_normalize, git_worktree +from src.main import app +from src.db import init_db + + +@pytest.fixture(autouse=True) +def _db(): + if os.path.exists(_test_db): + os.unlink(_test_db) + init_db() + fs_normalize.reset_cache() + yield + if os.path.exists(_test_db): + os.unlink(_test_db) + + +# --------------------------------------------------------------------------- +# TC-10 — startup observability +# --------------------------------------------------------------------------- +def test_tc10_startup_mismatch_warns_and_telegrams(monkeypatch, caplog): + """TC-10: on a detected mismatch the startup hook logs a WARNING and sends a + Telegram message (mocked).""" + sent = [] + monkeypatch.setattr( + "src.notifications.send_telegram", lambda *a, **k: sent.append(a[0] if a else "") + ) + scan = fs_normalize.OwnershipScan( + mismatch=True, target_uid=1000, roots_checked=["/repos/_wt"], + roots_mismatch=["/repos/_wt"], sample_path="/repos/_wt/x", checked_at=1.0, + ) + monkeypatch.setattr("src.fs_normalize.scan_ownership", lambda *a, **k: scan) + + with caplog.at_level("WARNING"): + with TestClient(app): + pass + + assert any("FS-ownership mismatch" in r.message for r in caplog.records) + # Filter for the fs-ownership message (the shared startup may emit other, + # unrelated Telegram traffic — e.g. a leftover task's tracker card). + fs_msgs = [m for m in sent if "legacy root-owned" in m.lower() or "chown" in m.lower()] + assert fs_msgs, "expected a Telegram message on mismatch" + + +def test_tc10_startup_detect_error_never_fatal(monkeypatch): + """TC-10: a detect error must NOT crash the start (never-fatal).""" + def boom(*a, **k): + raise RuntimeError("simulated detect failure") + + monkeypatch.setattr("src.fs_normalize.scan_ownership", boom) + # Entering/exiting the lifespan must not raise. + with TestClient(app): + pass + + +def test_tc10_startup_clean_no_telegram(monkeypatch): + """A clean environment (no mismatch) sends no Telegram and does not warn.""" + sent = [] + monkeypatch.setattr( + "src.notifications.send_telegram", lambda *a, **k: sent.append(a[0] if a else "") + ) + clean = fs_normalize.OwnershipScan(mismatch=False, target_uid=1000, checked_at=1.0) + monkeypatch.setattr("src.fs_normalize.scan_ownership", lambda *a, **k: clean) + with TestClient(app): + pass + # No fs-ownership message on a clean environment (unrelated startup Telegram + # traffic from a shared-DB leftover task is ignored). + fs_msgs = [m for m in sent if "legacy root-owned" in m.lower() or "обнаружены legacy" in m.lower()] + assert fs_msgs == [] + + +# --------------------------------------------------------------------------- +# TC-11 — clear pre-launch outcome (D1, not a claim gate) +# --------------------------------------------------------------------------- +def test_tc11_launch_permission_failure_is_actionable_not_raw(tmp_path, monkeypatch): + """TC-11: the launch-time worktree creation surfaces an actionable error (clear, + before the agent spends a token), not a raw git-fatal — the ADR-001 D3 "внятно и + заранее" outcome that replaces a blocking claim gate.""" + repo = "orchestrator" + repos_dir = tmp_path / "repos" + (repos_dir / repo).mkdir(parents=True) + monkeypatch.setattr(git_worktree.settings, "repos_dir", str(repos_dir)) + monkeypatch.setattr(git_worktree.settings, "worktrees_dir", str(repos_dir / "_wt")) + monkeypatch.setattr(git_worktree.settings, "fs_normalize_enabled", True) + + class _R: + def __init__(self, rc, err=""): + self.returncode = rc + self.stderr = err + self.stdout = "" + + def fake_run(cmd, *a, **k): + if "fetch" in cmd: + return _R(0) + if "worktree" in cmd and "add" in cmd: + return _R(128, "fatal: ...: Permission denied") + return _R(0) + + monkeypatch.setattr(git_worktree.subprocess, "run", fake_run) + + with pytest.raises(RuntimeError) as ei: + git_worktree.ensure_worktree(repo, "feature/x") + msg = str(ei.value) + assert "INFRA.md" in msg and "chown" in msg.lower() + assert "git worktree add failed" not in msg # not the raw passthrough diff --git a/tests/test_git_worktree_perm.py b/tests/test_git_worktree_perm.py new file mode 100644 index 0000000..a7793fe --- /dev/null +++ b/tests/test_git_worktree_perm.py @@ -0,0 +1,139 @@ +"""ORCH-057 D1: actionable worktree error on a legacy-ownership permission failure. + +TC-01 / TC-02 (04-test-plan.yaml): a permission-class ``git worktree add`` / +``os.makedirs`` failure must surface an actionable RuntimeError (cause + healing +command + INFRA.md ref), while a NON-permission failure keeps the prior raw-stderr +contract (no meaning substitution). No real chown / no writes to /repos — failures +are simulated via monkeypatched ``subprocess.run`` / ``os.makedirs``. +""" +import os +import tempfile + +import pytest + +_test_db = os.path.join(tempfile.gettempdir(), "test_orchestrator_wt_perm.db") +os.environ["ORCH_DB_PATH"] = _test_db +os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir() +os.environ["ORCH_GITEA_TOKEN"] = "test-token" +os.environ["ORCH_PLANE_API_TOKEN"] = "test-token" + +from src import git_worktree +from src.git_worktree import ensure_worktree + + +class _R: + """Minimal CompletedProcess stand-in.""" + + def __init__(self, returncode, stderr=""): + self.returncode = returncode + self.stderr = stderr + self.stdout = "" + + +@pytest.fixture +def main_repo(tmp_path, monkeypatch): + """A bare-minimum main clone dir so ensure_worktree gets past the existence check. + + repos_dir/ must be a directory; worktrees_dir points at a fresh tmp path. + The actual git calls are monkeypatched per-test. + """ + repo = "orchestrator" + repos_dir = tmp_path / "repos" + (repos_dir / repo).mkdir(parents=True) + monkeypatch.setattr(git_worktree.settings, "repos_dir", str(repos_dir)) + monkeypatch.setattr(git_worktree.settings, "worktrees_dir", str(tmp_path / "repos" / "_wt")) + monkeypatch.setattr(git_worktree.settings, "fs_normalize_enabled", True) + return repo + + +def test_tc01_permission_git_fatal_becomes_actionable(main_repo, monkeypatch): + """TC-01: a git-fatal 'could not create leading directories / Permission denied' + raises an actionable RuntimeError (diagnosis + chown), not the raw git stderr.""" + perm_stderr = ( + "fatal: could not create leading directories of " + "'/repos/_wt/orchestrator/x': Permission denied" + ) + + def fake_run(cmd, *a, **k): + # fetch -> ok; worktree add (both forms) -> permission fatal. + if "fetch" in cmd: + return _R(0) + if "worktree" in cmd and "add" in cmd: + return _R(128, perm_stderr) + return _R(0) + + monkeypatch.setattr(git_worktree.subprocess, "run", fake_run) + + with pytest.raises(RuntimeError) as ei: + ensure_worktree(main_repo, "feature/x") + msg = str(ei.value) + # Actionable: names the cause + the healing command + the INFRA procedure... + assert "legacy root-owned" in msg.lower() + assert "chown" in msg.lower() + assert "INFRA.md" in msg + # ...and is NOT merely the raw "git worktree add failed" passthrough. + assert "git worktree add failed" not in msg + + +def test_tc01_makedirs_permission_error_becomes_actionable(main_repo, monkeypatch): + """TC-01 (sibling path): a PermissionError from os.makedirs (creating the leading + worktree dir) is also turned into the actionable RuntimeError.""" + def fake_run(cmd, *a, **k): + return _R(0) + + monkeypatch.setattr(git_worktree.subprocess, "run", fake_run) + + def boom(*a, **k): + raise PermissionError(13, "Permission denied") + + monkeypatch.setattr(git_worktree.os, "makedirs", boom) + + with pytest.raises(RuntimeError) as ei: + ensure_worktree(main_repo, "feature/x") + assert "chown" in str(ei.value).lower() + assert "legacy root-owned" in str(ei.value).lower() + + +def test_tc02_non_permission_error_keeps_prior_contract(main_repo, monkeypatch): + """TC-02: a NON-permission failure (e.g. a real branch conflict) keeps the prior + raw-stderr 'git worktree add failed' message — no meaning substitution.""" + conflict = "fatal: 'feature/x' is already checked out at '/repos/_wt/other'" + + def fake_run(cmd, *a, **k): + if "fetch" in cmd: + return _R(0) + if "worktree" in cmd and "add" in cmd: + return _R(128, conflict) + return _R(0) + + monkeypatch.setattr(git_worktree.subprocess, "run", fake_run) + + with pytest.raises(RuntimeError) as ei: + ensure_worktree(main_repo, "feature/x") + msg = str(ei.value) + assert "git worktree add failed" in msg + assert "already checked out" in msg + # The actionable diagnosis must NOT be injected for a non-permission error. + assert "legacy root-owned" not in msg.lower() + + +def test_tc02_killswitch_off_keeps_raw_contract_even_for_permission(main_repo, monkeypatch): + """Kill-switch off (fs_normalize_enabled=False) -> the error contract is byte-for- + byte as before ORCH-057 even for a permission failure (raw stderr passthrough).""" + monkeypatch.setattr(git_worktree.settings, "fs_normalize_enabled", False) + perm_stderr = "fatal: ...: Permission denied" + + def fake_run(cmd, *a, **k): + if "fetch" in cmd: + return _R(0) + if "worktree" in cmd and "add" in cmd: + return _R(128, perm_stderr) + return _R(0) + + monkeypatch.setattr(git_worktree.subprocess, "run", fake_run) + + with pytest.raises(RuntimeError) as ei: + ensure_worktree(main_repo, "feature/x") + msg = str(ei.value) + assert "git worktree add failed" in msg + assert "legacy root-owned" not in msg.lower()