admin/orchestrator
1
0
Fork 0
Code Issues Pull Requests 4 Actions Packages Projects Releases Wiki Activity

feat(fs): legacy root-owned ownership detect + actionable worktree error (ORCH-057)

Browse Source 
Follow-up ORCH-040: legacy root:root files in /repos broke worktree creation
under uid 1000 with a raw "Permission denied" (agent never started, no diagnosis).
Three additive, kill-switch-reversible layers; STAGE_TRANSITIONS / QG_CHECKS /
check_* / machine-verdict keys / DB schema are byte-for-byte unchanged.

- D1: ensure_worktree classifies the permission class and raises an actionable
  RuntimeError (cause + chown command + INFRA.md ref); non-permission errors keep
  the prior raw-stderr contract; kill-switch off -> contract 1:1 as before ORCH-057.
- D2: new never-raise leaf src/fs_normalize.py — scan_ownership (TTL-cached,
  early-exit per root), applies()-first scope (empty CSV -> self-hosting only),
  opt-in normalize() that chowns ONLY when privileged (no-op under uid 1000).
- D3: best-effort startup detect in main.lifespan (WARNING + Telegram on mismatch,
  never-fatal); read-only fs_ownership block in GET /queue; POST /fs-normalize/check.
  Claim is NOT blocked — the clear early outcome is delivered by D1 at launch.
- Docs/config: .env.example flags + CHANGELOG (architecture README / adr-0031 /
  INFRA.md procedure already landed on the branch).
- Tests: test_fs_normalize.py, test_git_worktree_perm.py,
  test_fs_normalize_startup.py, test_api_queue.py (TC-01..TC-12). Full suite green.

Refs: ORCH-057
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
claude-bot
2026-06-10 02:53:15 +03:00
committed by orchestrator-deployer
parent 34778217fe
commit a98d605477
10 changed files with 1228 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
.env.example
View File

@@ -394,6 +394,29 @@ ORCH_COVERAGE_EPSILON=0.5
ORCH_COVERAGE_TOOL_FAIL_CLOSED=false
ORCH_COVERAGE_RUN_TIMEOUT_S=900
# ORCH-057 (follow-up ORCH-040): legacy root-owned ownership detect + actionable
# worktree error. After the uid migration (user: "1000:1000") legacy root:root files
# in /repos broke worktree creation under uid 1000 with a raw "Permission denied".
# Three additive, kill-switch-reversible layers: an actionable RuntimeError in
# ensure_worktree, a cheap never-raise detect leaf (src/fs_normalize.py) with a
# startup WARNING/Telegram + GET /queue fs_ownership block, and an opt-in chown ONLY
# when privileged (under uid 1000 a no-op; the real fix is the operator procedure in
# docs/operations/INFRA.md «Миграция uid»). No STAGE_TRANSITIONS / QG_CHECKS / schema
# change.
# ENABLED -> kill-switch; false -> all code inert, behaviour 1:1 as before
# ORCH-057 (the actionable error too).
# REPOS -> CSV of repos the layer is REAL for; empty -> self-hosting only.
# TARGET_UID -> target uid fallback when os.getuid() is unavailable.
# NORMALIZE_AUTO -> detect-only (false) | attempt chown when privileged (true).
# SCAN_ROOTS -> CSV override of the scan roots (empty -> default roots).
# SCAN_CACHE_TTL_S -> TTL of the detect cache (mirrors ORCH_PREFLIGHT_CACHE_TTL).
ORCH_FS_NORMALIZE_ENABLED=true
ORCH_FS_NORMALIZE_REPOS=
ORCH_FS_TARGET_UID=1000
ORCH_FS_NORMALIZE_AUTO=false
ORCH_FS_SCAN_ROOTS=
ORCH_FS_SCAN_CACHE_TTL_S=300
# ORCH-099 (FND/F1a): operator off-switch for the read-only GET /metrics endpoint
# (raw-signal snapshot for the F1b sidecar). Default true -> available out of the
# box. false -> /metrics returns a minimal parsable body {"schema_version":1,

4
.task-dev.md
View File

@@ -1,4 +1,4 @@
Work item: ORCH-099
Work item: ORCH-057
Repo: orchestrator
Branch: feature/ORCH-099-fnd-f1a-metrics-agent-liveness
Branch: feature/ORCH-057-bug-follow-up-orch-040-normali
Stage: development

6
CHANGELOG.md
View File

@@ -3,6 +3,12 @@
Формат: [Keep a Changelog](https://keepachangelog.com/). Записи — на смысловой PR/задачу.
## [Unreleased]
- **Детект legacy root-owned файлов + внятная ошибка worktree при миграции на uid 1000** (ORCH-057, follow-up ORCH-040, `feat`): закрыт недоделанный AC ORCH-040 — legacy `root:root` файлы в `/repos` (после перевода контейнеров на `user: "1000:1000"`) ломали создание worktree под uid 1000 (`ensure_worktree` → сырой `fatal: … Permission denied`, агент не стартовал, диагноза не было). Три аддитивных, обратимых kill-switch'ем слоя; **`STAGE_TRANSITIONS` / `QG_CHECKS` / `check_*` / machine-verdict-ключи / схема БД — байт-в-байт прежние**. ADR: `docs/work-items/ORCH-057/06-adr/ADR-001-legacy-ownership-normalization.md`, сквозной `docs/architecture/adr/adr-0031-legacy-ownership-normalization.md`.
- **D1 — actionable-ошибка `ensure_worktree`:** класс «нет прав» (`Permission denied` / `could not create leading directories` / `insufficient permission for adding an object` / `PermissionError`/`EACCES`/`EPERM`) оборачивается в `RuntimeError` с **причиной** (legacy root-файлы в `/repos/_wt`/`.git` после миграции uid), **лечащей командой** (`chown -R <uid>:<uid> …`) и ссылкой на `INFRA.md` — вместо сырого git stderr. Ошибки, **не** связанные с правами, сохраняют прежний контракт (меняется только формулировка, не факт сбоя; чистый классификатор `fs_normalize.classify_worktree_error`). Под выключенным kill-switch контракт ошибки 1:1 как до ORCH-057.
- **D2 — детект-леаф `src/fs_normalize.py`** (never-raise, паттерн `serial_gate`/`coverage_gate`): `scan_ownership(roots, target_uid=os.getuid())` обходит `/repos/_wt`, `<repo>/.git/{objects,worktrees}`, `data/runs` с ранним выходом при первом `st_uid != target_uid`, TTL-кэшем (`fs_scan_cache_ttl_s`, по образцу `preflight._cache`) и `applies(repo)` first (пустой CSV → self-hosting only → enduro-trails не сканируется). Опц. `normalize()` chown'ит **только** при `geteuid()==0` (под uid 1000 — no-op + честный лог «нужна операторская процедура», НЕ ошибка).
- **D3 — наблюдаемость, БЕЗ блокировки claim:** best-effort вызов `scan_ownership()` на старте `main.lifespan` (рядом с lease-reclaim/log-rotation, never-fatal) → WARNING + Telegram при mismatch; read-only блок `fs_ownership` в `GET /queue`; опц. ручной `POST /fs-normalize/check`. Claim **не** блокируется (preflight repo-слеп → регресс enduro; queue_worker — дорогой FS-обход в hot-path + молчаливое зависание); внятный ранний отказ даёт D1 в точке launch.
- **Процедура (D5):** обязательная операторская нормализация под root на хосте — в `docs/operations/INFRA.md` (раздел «Миграция uid: обязательная нормализация legacy root-файлов», все корни: `_wt`, оба `.git`, `data/runs`); фактический `chown` остаётся ручным шагом (контейнер без root его сделать не может) — задача гарантирует **внятность** отказа, а не его отсутствие.
- **Флаги** (`src/config.py`, аддитивно): `ORCH_FS_NORMALIZE_ENABLED` (kill-switch), `ORCH_FS_NORMALIZE_REPOS` (CSV; пусто → self-hosting only), `ORCH_FS_TARGET_UID` (1000), `ORCH_FS_NORMALIZE_AUTO` (детект-only), `ORCH_FS_SCAN_ROOTS`, `ORCH_FS_SCAN_CACHE_TTL_S`. Тесты: `tests/test_fs_normalize.py`, `tests/test_git_worktree_perm.py`, `tests/test_fs_normalize_startup.py`, `tests/test_api_queue.py` (TC-01…TC-12).
- **Лёгкий read-only `GET /metrics` — машинное «сырьё» о самом орке для sidecar F1b** (ORCH-099, FND/F1a, `feat`): добавлен версионируемый JSON-эндпоинт `GET /metrics`, отдающий снимок внутреннего состояния орка для будущего отдельного sidecar-наблюдателя F1b (`watchdog/`) — наблюдатель отделён от наблюдаемого (BRD §1): орк отдаёт ТОЛЬКО факты, которые знает лишь он сам; пороги/алерты/история/Telegram — на стороне F1b. **Аддитивно, строго read-only, never-raise:** `STAGE_TRANSITIONS` / `QG_CHECKS` / `check_*` / machine-verdict ключи / схема БД — **не тронуты**; `/health`/`/status`/`/queue` — байт-в-байт прежние. ADR: `docs/work-items/ORCH-099/06-adr/ADR-001-metrics-endpoint.md`, сквозной `docs/architecture/adr/adr-0030-metrics-endpoint.md`.
- **Leaf-сборщик + тонкий эндпоинт (D1):** новый `src/metrics.py` (`build_metrics() -> dict`, never-raise по разделам, паттерн `serial_gate.snapshot()`) собирает конверт по-раздельно (каждый раздел в своём `try/except` → безопасный дефолт `null`/`[]`/`{}` + WARNING); эндпоинт `@app.get("/metrics")` в `src/main.py` — тонкая обёртка, возвращает результат как есть (стиль `GET /queue`). Тестируемость без ASGI: разделы проверяются прямым вызовом `build_metrics()`.
- **Конверт + контракт `schema_version` (D2):** `schema_version` (стартует с `1`), `generated_at` (UTC ISO-8601, часовой домен орка → дельты CPU иммунны к skew орк↔sidecar, TR-3), `clk_tck` (`os.sysconf("SC_CLK_TCK")`, базис тиков). Политика: аддитивные изменения **НЕ бампят** версию (sidecar обязан игнорировать незнакомые ключи) — бамп только при ломающем (rename/remove/retype).

539
src/fs_normalize.py Normal file
View File

@@ -0,0 +1,539 @@
"""Legacy root-owned ownership detect + actionable worktree error (ORCH-057).
Background
----------
ORCH-040 moved both containers to ``user: "1000:1000"`` by editing ONLY
``docker-compose.yml``. Changing ``user:`` does NOT change the owner of files that
the previous root container already created. The bind-mount ``/home/slin/repos ->
/repos`` therefore still held ``root:root`` directories (``_wt/``, old worktrees,
``.git/objects``, ``data/runs``). Under uid 1000 (no root) ``git_worktree.
ensure_worktree`` could not create a worktree next to a ``root:root`` ``/repos/_wt``
and failed with a RAW ``fatal: could not create leading directories … Permission
denied`` — the agent never started and the operator had no diagnosis.
The container runs as numeric uid 1000 WITHOUT root, so it physically cannot
``chown`` foreign (root-owned) files — only DETECT + DIAGNOSE. The real fix is the
documented operator procedure (INFRA.md «Миграция uid»), run once on the host.
This leaf (ADR-001) provides three additive, kill-switch-reversible primitives:
* ``classify_worktree_error`` / ``build_worktree_help`` — the pure classifier +
actionable message used by ``git_worktree.ensure_worktree`` (D1 / FR-1).
* ``scan_ownership`` — a cheap, TTL-cached, never-raise walk of the infra roots
that reports whether any file has ``uid != target_uid`` (D2 / FR-2), used by the
startup hook (D3 / FR-3) and the ``GET /queue`` ``fs_ownership`` block.
* ``normalize`` — an opt-in ``chown`` that runs ONLY when the process is
privileged (root / CAP_CHOWN); under uid 1000 it is a no-op + honest log, NOT
an error (D4 / FR-4).
Invariants (never broken):
* **never-raise** (NFR-3): every public function degrades to a conservative,
non-blocking default and NEVER propagates into the worker / lifespan / worktree
path. A detect error -> WARNING + ``mismatch=False`` (do not block / panic).
* **applies() first** (NFR-2): the expensive walk runs only when the layer is REAL
for the repo (``fs_normalize_enabled`` + scope; empty CSV -> self-hosting only),
so enduro-trails is never scanned at the default config.
* **kill-switch reversible** (D6): ``fs_normalize_enabled=False`` -> all code inert,
behaviour 1:1 as before ORCH-057 (the actionable error contract too).
* **no chown without privilege** (NFR-1): the code only reads / detects / diagnoses;
a real ``chown`` happens only when privileged and ``fs_normalize_auto=True``.
Leaf: imports only ``config`` / ``logging`` / ``os`` / ``time`` (+ lazily
``qg.checks.is_self_hosting_repo`` / ``notifications`` for scope / observability). It
never imports ``git_worktree`` / ``stage_engine`` / ``launcher`` (``git_worktree``
imports THIS module, so the dependency is one-way).
"""
from __future__ import annotations
import errno
import logging
import os
import time
from dataclasses import dataclass, field
from .config import settings
logger = logging.getLogger("orchestrator.fs_normalize")
# Permission-class markers in a git stderr / OSError string (D1 / TR-1). Narrow on
# purpose — a non-permission error (real branch conflict, missing origin/main,
# timeout) must NOT be reclassified (AC-2 FAIL-condition), so we match only the
# unambiguous "no permission to create the file/object" phrases.
_PERM_MARKERS = (
"permission denied",
"could not create leading directories",
"insufficient permission for adding an object",
"operation not permitted",
)
# ---------------------------------------------------------------------------
# Resolution helpers (target uid, scope, roots)
# ---------------------------------------------------------------------------
def _resolve_target_uid(target_uid: int | None = None) -> int:
"""The uid the scan compares against (the subject that "cannot create files").
Resolution order (D2 / TR-7): explicit ``target_uid`` arg > ``os.getuid()`` (the
uid the process really runs as) > ``settings.fs_target_uid`` fallback (default
1000) when ``os.getuid()`` is unavailable. Never raises.
"""
if target_uid is not None:
return int(target_uid)
try:
return os.getuid()
except (AttributeError, OSError): # pragma: no cover - non-POSIX fallback
try:
return int(settings.fs_target_uid)
except (TypeError, ValueError):
return 1000
def _scope_repos() -> list[str]:
"""Repos the layer is REAL for (used to build the default ``.git`` roots).
Non-empty ``fs_normalize_repos`` CSV -> those repos; empty -> self-hosting only
(``orchestrator``), mirroring ``coverage_gate``. Never raises -> [] on error.
"""
try:
raw = (settings.fs_normalize_repos or "").strip()
except Exception: # noqa: BLE001 - never-raise
return []
if raw:
return [r.strip() for r in raw.split(",") if r.strip()]
try:
from .qg.checks import SELF_HOSTING_REPO
return [SELF_HOSTING_REPO]
except Exception: # noqa: BLE001
return ["orchestrator"]
def _runs_root() -> str:
"""``data/runs`` root (per ADR: ``os.path.dirname(db_path)/runs``)."""
try:
rd = getattr(settings, "runs_dir", None)
if rd:
return rd
except Exception: # noqa: BLE001
pass
try:
return os.path.join(os.path.dirname(settings.db_path), "runs")
except Exception: # noqa: BLE001
return "/app/data/runs"
def _default_roots() -> list[str]:
"""The default scan roots (D2): ``/repos/_wt``, ``data/runs`` and each in-scope
repo's ``.git/objects`` + ``.git/worktrees``. Never raises -> [] on error.
"""
roots: list[str] = []
try:
wt = getattr(settings, "worktrees_dir", None)
if wt:
roots.append(wt)
roots.append(_runs_root())
repos_dir = getattr(settings, "repos_dir", "/repos")
for repo in _scope_repos():
base = os.path.join(repos_dir, repo, ".git")
roots.append(os.path.join(base, "objects"))
roots.append(os.path.join(base, "worktrees"))
except Exception as e: # noqa: BLE001 - never-raise
logger.warning("fs_normalize._default_roots error: %s", e)
return roots
def _resolve_roots(roots: list[str] | None = None) -> list[str]:
"""Resolve scan roots: explicit arg > ``fs_scan_roots`` CSV > the default set."""
if roots is not None:
return list(roots)
try:
raw = (settings.fs_scan_roots or "").strip()
except Exception: # noqa: BLE001
raw = ""
if raw:
return [r.strip() for r in raw.split(",") if r.strip()]
return _default_roots()
# ---------------------------------------------------------------------------
# Conditionality (mirrors coverage_gate_applies)
# ---------------------------------------------------------------------------
def applies(repo: str) -> bool:
"""Whether the ORCH-057 layer is REAL for this repo (D6 / NFR-2).
* ``fs_normalize_enabled=False`` -> always False (kill-switch).
* ``fs_normalize_repos`` (CSV) non-empty -> real only for the listed repos.
* empty CSV -> real ONLY for the self-hosting repo (``orchestrator``).
Never raises -> False (the safe no-op default).
"""
try:
if not settings.fs_normalize_enabled:
return False
raw = (settings.fs_normalize_repos or "").strip()
if raw:
allowed = {r.strip().lower() for r in raw.split(",") if r.strip()}
return (repo or "").strip().lower() in allowed
from .qg.checks import is_self_hosting_repo
return is_self_hosting_repo(repo)
except Exception as e: # noqa: BLE001 - never-raise contract
logger.warning("fs_normalize.applies error for %s: %s", repo, e)
return False
# ---------------------------------------------------------------------------
# D1: actionable worktree error (pure classifier + message)
# ---------------------------------------------------------------------------
def classify_worktree_error(text: str | None) -> bool:
"""Pure: True iff ``text`` looks like a "no permission to create" failure.
Matches only the narrow ``_PERM_MARKERS`` so a non-permission git error keeps
its original contract (AC-2). Never raises -> False on bad input.
"""
try:
t = (text or "").lower()
return any(m in t for m in _PERM_MARKERS)
except Exception: # noqa: BLE001
return False
def is_permission_failure(*, stderr: str | None = None, exc: BaseException | None = None) -> bool:
"""True iff a worktree failure is the legacy-ownership permission class.
Considers both a git ``stderr`` string (marker match) and an ``OSError``
(``PermissionError`` or ``errno`` in ``EACCES``/``EPERM``). Never raises.
"""
try:
if isinstance(exc, PermissionError):
return True
if isinstance(exc, OSError) and exc.errno in (errno.EACCES, errno.EPERM):
return True
if classify_worktree_error(stderr):
return True
if exc is not None and classify_worktree_error(str(exc)):
return True
except Exception: # noqa: BLE001
return False
return False
def build_worktree_help(repo: str, branch: str, target_uid: int | None = None, raw: str = "") -> str:
"""Build the actionable RuntimeError message for a permission-class worktree
failure (D1): names the root cause + the healing command + the INFRA.md
procedure, instead of a raw git stderr (AC-2). Never raises.
"""
try:
tuid = _resolve_target_uid(target_uid)
wt_dir = getattr(settings, "worktrees_dir", "/repos/_wt")
git_dir = os.path.join(getattr(settings, "repos_dir", "/repos"), repo, ".git")
msg = (
f"Cannot create git worktree for {repo}:{branch} — permission denied. "
f"Likely cause: legacy root-owned files in {wt_dir} or {git_dir} left over "
f"from before the uid migration (ORCH-040). This container runs as uid "
f"{tuid} without root and cannot chown foreign files itself. Fix (run once "
f"on the host as root): `sudo chown -R {tuid}:{tuid} {wt_dir}` and "
f"`sudo chown -R {tuid}:{tuid} {git_dir}`. See docs/operations/INFRA.md "
f"section «Миграция uid: обязательная нормализация legacy root-файлов»."
)
if raw:
msg += f" (underlying error: {raw.strip()})"
return msg
except Exception: # noqa: BLE001 - never-raise; degrade to a minimal hint
return (
f"Cannot create git worktree for {repo}:{branch} — permission denied "
f"(legacy root-owned files; see docs/operations/INFRA.md «Миграция uid»)."
)
# ---------------------------------------------------------------------------
# D2: ownership scan (TTL-cached, never-raise, early-exit per root)
# ---------------------------------------------------------------------------
@dataclass
class OwnershipScan:
"""Result of an ownership scan (D2). ``mismatch`` is the boolean verdict."""
mismatch: bool
target_uid: int
roots_checked: list[str] = field(default_factory=list)
roots_mismatch: list[str] = field(default_factory=list)
sample_path: str | None = None
count: int | None = None
checked_at: float = 0.0
enabled: bool = True
def to_dict(self) -> dict:
return {
"enabled": self.enabled,
"mismatch": self.mismatch,
"target_uid": self.target_uid,
"roots_checked": self.roots_checked,
"roots_mismatch": self.roots_mismatch,
"sample_path": self.sample_path,
"count": self.count,
"checked_at": self.checked_at,
}
class _ScanCache:
def __init__(self):
self.ts: float = 0.0
self.key: tuple | None = None
self.result: OwnershipScan | None = None
_cache = _ScanCache()
def reset_cache() -> None:
"""Invalidate the TTL detect cache (tests / forced recheck)."""
_cache.ts = 0.0
_cache.key = None
_cache.result = None
def _first_mismatch(root: str, target_uid: int) -> str | None:
"""Return the first path under ``root`` whose ``st_uid != target_uid`` (early
exit), else None. ``os.lstat`` (not ``stat``) so a symlink's own ownership is
judged, never its target. Never raises -> None on any walk error.
"""
try:
if not os.path.exists(root):
return None
try:
if os.lstat(root).st_uid != target_uid:
return root
except OSError:
return None
for dirpath, dirnames, filenames in os.walk(root, onerror=None):
for name in dirnames:
p = os.path.join(dirpath, name)
try:
if os.lstat(p).st_uid != target_uid:
return p
except OSError:
continue
for name in filenames:
p = os.path.join(dirpath, name)
try:
if os.lstat(p).st_uid != target_uid:
return p
except OSError:
continue
except Exception as e: # noqa: BLE001 - never-raise
logger.warning("fs_normalize._first_mismatch error for %s: %s", root, e)
return None
return None
def _scan(roots: list[str], target_uid: int) -> OwnershipScan:
"""Walk each root, early-exiting per root at its first mismatch. The clean case
(no mismatch) walks fully; the dirty case stops fast per root (TR-2 cost). Lists
every affected root (informative verdict). Never raises -> conservative
``mismatch=False`` on a wholesale error.
"""
roots_checked: list[str] = []
roots_mismatch: list[str] = []
sample_path: str | None = None
try:
for root in roots:
if not os.path.exists(root):
continue
roots_checked.append(root)
hit = _first_mismatch(root, target_uid)
if hit is not None:
roots_mismatch.append(root)
if sample_path is None:
sample_path = hit
except Exception as e: # noqa: BLE001 - never-raise -> conservative verdict
logger.warning("fs_normalize._scan error -> mismatch=False: %s", e)
return OwnershipScan(
mismatch=False, target_uid=target_uid,
roots_checked=roots_checked, roots_mismatch=[], checked_at=time.time(),
)
return OwnershipScan(
mismatch=bool(roots_mismatch),
target_uid=target_uid,
roots_checked=roots_checked,
roots_mismatch=roots_mismatch,
sample_path=sample_path,
checked_at=time.time(),
)
def scan_ownership(
roots: list[str] | None = None,
target_uid: int | None = None,
force: bool = False,
) -> OwnershipScan:
"""Detect files with ``uid != target_uid`` across the infra roots (D2 / FR-2).
TTL-cached (``fs_scan_cache_ttl_s``, mirrors ``preflight._cache``): a repeat call
inside the window with the SAME (roots, target_uid) returns the cached result
without re-walking; ``force=True`` (or ``reset_cache()``) re-scans. Kill-switch
off -> an inert ``mismatch=False`` result (``enabled=False``). Never raises.
"""
try:
if not settings.fs_normalize_enabled:
return OwnershipScan(
mismatch=False, target_uid=_resolve_target_uid(target_uid),
checked_at=time.time(), enabled=False,
)
resolved_roots = _resolve_roots(roots)
tuid = _resolve_target_uid(target_uid)
key = (tuple(resolved_roots), tuid)
now = time.time()
try:
ttl = float(settings.fs_scan_cache_ttl_s)
except (TypeError, ValueError):
ttl = 300.0
if (
not force
and _cache.result is not None
and _cache.key == key
and (now - _cache.ts) < ttl
):
return _cache.result
result = _scan(resolved_roots, tuid)
_cache.ts = now
_cache.key = key
_cache.result = result
return result
except Exception as e: # noqa: BLE001 - never-raise -> conservative verdict
logger.warning("fs_normalize.scan_ownership error -> mismatch=False: %s", e)
return OwnershipScan(
mismatch=False, target_uid=_resolve_target_uid(target_uid),
checked_at=time.time(),
)
# ---------------------------------------------------------------------------
# D4: opt-in normalize (chown ONLY when privileged) — never init-container
# ---------------------------------------------------------------------------
def _is_privileged() -> bool:
"""True iff the process can chown foreign files (root). Under uid 1000 -> False.
A practical check: ``os.geteuid() == 0``. A CAP_CHOWN-without-root environment
still degrades to the honest no-op (a chown attempt would simply fail and be
swallowed). Never raises -> False (the safe "not privileged" default).
"""
try:
return os.geteuid() == 0
except (AttributeError, OSError): # pragma: no cover - non-POSIX
return False
def normalize(roots: list[str] | None = None, target_uid: int | None = None) -> dict:
"""Opt-in ``chown -R target_uid:target_uid`` over the roots, ONLY when the
process is privileged (D4 / FR-4). Under uid 1000 (the prod-self case) it is a
no-op + honest log "operator procedure required" — NOT an error. Gated by
``fs_normalize_auto`` at the call site; this function additionally self-guards on
``_is_privileged()``. Never raises.
Returns a result dict ``{attempted, privileged, changed, errors, note}``.
"""
result = {"attempted": False, "privileged": False, "changed": 0, "errors": [], "note": ""}
try:
if not settings.fs_normalize_enabled:
result["note"] = "disabled (fs_normalize_enabled=False)"
return result
tuid = _resolve_target_uid(target_uid)
privileged = _is_privileged()
result["privileged"] = privileged
if not privileged:
result["note"] = (
"not privileged (process runs as non-root) — chown of legacy "
"root-owned files needs the operator procedure (docs/operations/"
"INFRA.md «Миграция uid»)."
)
logger.warning("fs_normalize.normalize: %s", result["note"])
return result
result["attempted"] = True
resolved_roots = _resolve_roots(roots)
changed = 0
for root in resolved_roots:
if not os.path.exists(root):
continue
for path in _iter_paths(root):
try:
if os.lstat(path).st_uid != tuid:
os.chown(path, tuid, tuid, follow_symlinks=False)
changed += 1
except OSError as e:
result["errors"].append(f"{path}: {e}")
result["changed"] = changed
result["note"] = f"chown applied to {changed} path(s) over {len(resolved_roots)} root(s)"
logger.info("fs_normalize.normalize: %s", result["note"])
return result
except Exception as e: # noqa: BLE001 - never-raise
logger.error("fs_normalize.normalize error: %s", e)
result["note"] = f"error: {e}"
return result
def _iter_paths(root: str):
"""Yield ``root`` and every path beneath it (never raises per item)."""
try:
yield root
for dirpath, dirnames, filenames in os.walk(root, onerror=None):
for name in dirnames + filenames:
yield os.path.join(dirpath, name)
except Exception as e: # noqa: BLE001
logger.warning("fs_normalize._iter_paths error for %s: %s", root, e)
# ---------------------------------------------------------------------------
# Observability snapshot for GET /queue (D6 / AC-4)
# ---------------------------------------------------------------------------
def snapshot() -> dict:
"""Read-only ownership summary for GET /queue (``fs_ownership`` block, AC-4).
Additive; uses the TTL-cached scan (no expensive walk on every /queue hit).
never-raise: any error -> a minimal dict carrying the flags.
"""
try:
enabled = bool(settings.fs_normalize_enabled)
except Exception: # noqa: BLE001
enabled = False
try:
auto = bool(getattr(settings, "fs_normalize_auto", False))
except Exception: # noqa: BLE001
auto = False
try:
repos_cfg = getattr(settings, "fs_normalize_repos", "") or ""
except Exception: # noqa: BLE001
repos_cfg = ""
out = {
"enabled": enabled,
"auto": auto,
"repos": repos_cfg,
"target_uid": _resolve_target_uid(),
"mismatch": False,
"roots_checked": [],
"roots_mismatch": [],
"sample_path": None,
"checked_at": None,
}
try:
if enabled:
scan = scan_ownership()
out["mismatch"] = scan.mismatch
out["target_uid"] = scan.target_uid
out["roots_checked"] = scan.roots_checked
out["roots_mismatch"] = scan.roots_mismatch
out["sample_path"] = scan.sample_path
out["checked_at"] = scan.checked_at or None
except Exception as e: # noqa: BLE001 - never-raise -> minimal dict
logger.warning("fs_normalize.snapshot error: %s", e)
return out
def healing_command(target_uid: int | None = None) -> str:
"""The one-line operator healing hint (startup WARNING / Telegram). Never raises."""
try:
tuid = _resolve_target_uid(target_uid)
wt_dir = getattr(settings, "worktrees_dir", "/repos/_wt")
return (
f"sudo chown -R {tuid}:{tuid} {wt_dir} <repo>/.git data/runs "
f"(см. docs/operations/INFRA.md «Миграция uid»)"
)
except Exception: # noqa: BLE001
return "sudo chown -R 1000:1000 /repos/_wt (см. docs/operations/INFRA.md «Миграция uid»)"

39
src/git_worktree.py
View File

@@ -39,6 +39,31 @@ def _main_repo(repo: str) -> str:
return os.path.join(settings.repos_dir, repo)
def _raise_if_permission(repo: str, branch: str, *, stderr: str | None = None,
exc: BaseException | None = None) -> None:
"""ORCH-057 D1: if a worktree failure is the legacy-ownership permission class,
raise an actionable ``RuntimeError`` (cause + healing command + INFRA.md ref)
instead of a raw git stderr (FR-1 / AC-2).
Gated by ``fs_normalize_enabled`` — when the kill-switch is off the error
contract is byte-for-byte as before ORCH-057 (this helper is a no-op, the caller
re-raises the original). A non-permission error is also a no-op here, so the
caller's existing message/semantics are preserved (no meaning substitution).
Never raises anything other than the deliberate actionable RuntimeError.
"""
try:
if not settings.fs_normalize_enabled:
return
from . import fs_normalize
if fs_normalize.is_permission_failure(stderr=stderr, exc=exc):
raw = stderr if stderr is not None else (str(exc) if exc else "")
raise RuntimeError(fs_normalize.build_worktree_help(repo, branch, raw=raw))
except RuntimeError:
raise
except Exception as e: # noqa: BLE001 - classification must never mask the real error
logger.warning("worktree permission-classification skipped: %s", e)
def ensure_worktree(repo: str, branch: str) -> str:
"""Create (or reuse) an isolated worktree for ``branch``. Returns its path.
@@ -75,7 +100,14 @@ def ensure_worktree(repo: str, branch: str) -> str:
logger.info(f"Worktree reused: {wt} (branch {branch})")
return wt
# ORCH-057 D1: creating the leading worktree directory next to a legacy
# root-owned /repos/_wt fails with Permission denied under uid 1000 — turn that
# into an actionable error (the kill-switch / non-permission path is unchanged).
try:
os.makedirs(os.path.dirname(wt), exist_ok=True)
except OSError as e:
_raise_if_permission(repo, branch, exc=e)
raise
# Try to attach an existing branch (local or remote-tracking) to the new worktree.
r = subprocess.run(["git", "-C", main_repo, "worktree", "add", wt, branch],
@@ -87,9 +119,12 @@ def ensure_worktree(repo: str, branch: str) -> str:
capture_output=True, text=True, timeout=60,
)
if r2.returncode != 0:
combined = f"{r.stderr.strip()} | {r2.stderr.strip()}"
# ORCH-057 D1: a permission-class git fatal -> actionable RuntimeError;
# any other failure keeps the prior raw-stderr contract (AC-2).
_raise_if_permission(repo, branch, stderr=combined)
raise RuntimeError(
f"git worktree add failed for {repo}:{branch}: "
f"{r.stderr.strip()} | {r2.stderr.strip()}"
f"git worktree add failed for {repo}:{branch}: {combined}"
)
logger.info(f"Worktree ready: {wt} (branch {branch})")
return wt

63
src/main.py
View File

@@ -89,6 +89,44 @@ async def lifespan(app: FastAPI):
except Exception as e:
log.warning(f"Log rotation skipped: {e}")
# ORCH-057 (D3 / FR-3): best-effort legacy-ownership detect. Surfaces a
# PROACTIVE operator signal (WARNING + Telegram) when /repos still holds
# root-owned files after the uid migration, BEFORE a task fails on launch.
# never-fatal (mirrors lease-reclaim / log-rotation above): a detect error must
# not crash the start of the shared instance. The actual "clear, early" failure
# is delivered by the actionable error in ensure_worktree (D1) — claim is NOT
# blocked (ADR-001 D3). Honours ORCH_FS_NORMALIZE_ENABLED inside scan_ownership.
try:
from .fs_normalize import scan_ownership, healing_command, normalize
from .config import settings as _fs_settings
scan = scan_ownership()
if scan.mismatch:
log.warning(
"FS-ownership mismatch: %d root(s) with files not owned by uid %s "
"(%s; sample: %s). Heal: %s",
len(scan.roots_mismatch), scan.target_uid,
", ".join(scan.roots_mismatch), scan.sample_path, healing_command(),
)
try:
from .notifications import send_telegram
send_telegram(
"⚠️ Orchestrator: обнаружены legacy root-owned файлы в "
f"{', '.join(scan.roots_mismatch)} (uid != {scan.target_uid}). "
f"Первый запуск задачи может упасть на создании worktree. "
f"Лечение: {healing_command()}"
)
except Exception:
pass
# D4 / FR-4: opt-in auto-chown ONLY when privileged (no-op under uid 1000).
if getattr(_fs_settings, "fs_normalize_auto", False):
try:
res = normalize()
log.warning("FS-ownership auto-normalize: %s", res.get("note"))
except Exception as e: # noqa: BLE001
log.warning("FS-ownership auto-normalize skipped: %s", e)
except Exception as e:
log.warning(f"FS-ownership detect skipped: {e}")
# Start the background job-queue worker (ORCH-1).
from .queue_worker import worker
worker.start()
@@ -171,6 +209,7 @@ async def queue():
from . import task_deps
from . import serial_gate
from . import coverage_gate
from . import fs_normalize
from . import labels
from . import cancel
from .disk_watchdog import disk_watchdog
@@ -193,6 +232,10 @@ async def queue():
# ORCH-027 (FR-7 / AC-9): coverage-gate observability (read-only) —
# kill-switch, scope, policy/floor/epsilon, per-repo baselines. Additive block.
"coverage": coverage_gate.snapshot(),
# ORCH-057 (D6 / AC-4): legacy-ownership detect observability (read-only) —
# kill-switch, scope, target_uid, mismatch + affected roots (TTL-cached scan).
# Additive block; never-raise.
"fs_ownership": fs_normalize.snapshot(),
# ORCH-089 (D7): auto-mode-by-label observability (read-only) — kill-switch,
# label names, scope. Additive block.
"auto_labels": labels.snapshot(),
@@ -262,6 +305,26 @@ async def serial_gate_unfreeze(repo: str = ""):
return {"ok": True, "repo": repo, "cleared": cleared, "frozen": frozen}
@app.post("/fs-normalize/check")
async def fs_normalize_check(normalize: bool = False):
"""ORCH-057 (D6 / AC-4): force a fresh legacy-ownership detect (bypass the TTL
cache) and return the snapshot. By образцу ``POST /serial-gate/unfreeze``.
``normalize=true`` additionally attempts an opt-in ``chown`` — a no-op under uid
1000 (the prod-self case), effective only when the process is privileged (D4).
The real fix remains the operator procedure (docs/operations/INFRA.md «Миграция
uid»). Read-only/never-raise otherwise.
"""
from . import fs_normalize as _fs
scan = _fs.scan_ownership(force=True)
out = {"ok": True, "scan": scan.to_dict(), "healing": _fs.healing_command()}
if normalize:
out["normalize"] = _fs.normalize()
# Re-scan so the returned snapshot reflects any change a privileged run made.
out["scan"] = _fs.scan_ownership(force=True).to_dict()
return out
@app.post("/coverage/baseline")
async def coverage_set_baseline(repo: str = "", value: float | None = None):
"""ORCH-027 (D8): manually set/override the per-repo coverage baseline.

68
tests/test_api_queue.py Normal file
View File

@@ -0,0 +1,68 @@
"""ORCH-057 TC-12: GET /queue exposes the read-only fs_ownership block.
The block carries {enabled, target_uid, mismatch, roots_checked, roots_mismatch,
sample_path, checked_at, ...} and /queue must not 5xx whether the layer is on or off.
"""
import os
import tempfile
import pytest
_test_db = os.path.join(tempfile.gettempdir(), "test_orchestrator_apiq.db")
os.environ["ORCH_DB_PATH"] = _test_db
os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir()
os.environ["ORCH_GITEA_TOKEN"] = "test-token"
os.environ["ORCH_PLANE_API_TOKEN"] = "test-token"
os.environ["ORCH_PLANE_WEBHOOK_SECRET"] = ""
os.environ["ORCH_GITEA_WEBHOOK_SECRET"] = ""
from fastapi.testclient import TestClient
from src import fs_normalize
from src.main import app
from src.db import init_db
client = TestClient(app)
@pytest.fixture(autouse=True)
def _db():
if os.path.exists(_test_db):
os.unlink(_test_db)
init_db()
fs_normalize.reset_cache()
yield
if os.path.exists(_test_db):
os.unlink(_test_db)
def test_tc12_queue_exposes_fs_ownership_block(monkeypatch):
"""TC-12: GET /queue returns the fs_ownership block with the documented shape."""
monkeypatch.setattr(fs_normalize.settings, "fs_normalize_enabled", True)
r = client.get("/queue")
assert r.status_code == 200
body = r.json()
assert "fs_ownership" in body
block = body["fs_ownership"]
for k in ("enabled", "target_uid", "mismatch", "roots_checked",
"roots_mismatch", "sample_path", "checked_at"):
assert k in block
def test_tc12_queue_no_5xx_when_disabled(monkeypatch):
"""TC-12: with the kill-switch off /queue still returns 200 (no 5xx)."""
monkeypatch.setattr(fs_normalize.settings, "fs_normalize_enabled", False)
fs_normalize.reset_cache()
r = client.get("/queue")
assert r.status_code == 200
assert r.json()["fs_ownership"]["enabled"] is False
def test_fs_normalize_check_endpoint():
"""The optional POST /fs-normalize/check force-rescans and returns the snapshot."""
r = client.post("/fs-normalize/check")
assert r.status_code == 200
body = r.json()
assert body["ok"] is True
assert "scan" in body and "mismatch" in body["scan"]
assert "healing" in body

214
tests/test_fs_normalize.py Normal file
View File

@@ -0,0 +1,214 @@
"""ORCH-057 D2/D4/D6: ownership-detect leaf (src/fs_normalize.py) unit tests.
TC-03..TC-09 (04-test-plan.yaml). All FS-dependent tests use ``tmp_path`` and vary
``target_uid`` (a uid no tmp file actually has -> mismatch; the runner's own uid ->
clean) so NO real chown / privilege is needed. ``os.geteuid`` is monkeypatched for
the privilege-gated normalize test (TC-08). Never touches /repos.
"""
import os
import tempfile
import pytest
_test_db = os.path.join(tempfile.gettempdir(), "test_orchestrator_fsn.db")
os.environ["ORCH_DB_PATH"] = _test_db
os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir()
os.environ["ORCH_GITEA_TOKEN"] = "test-token"
os.environ["ORCH_PLANE_API_TOKEN"] = "test-token"
from src import fs_normalize
_NONEXISTENT_UID = 999999 # no tmp file is owned by this uid -> deterministic mismatch
@pytest.fixture(autouse=True)
def _reset(monkeypatch):
fs_normalize.reset_cache()
monkeypatch.setattr(fs_normalize.settings, "fs_normalize_enabled", True)
monkeypatch.setattr(fs_normalize.settings, "fs_normalize_repos", "")
monkeypatch.setattr(fs_normalize.settings, "fs_normalize_auto", False)
monkeypatch.setattr(fs_normalize.settings, "fs_scan_cache_ttl_s", 300)
yield
fs_normalize.reset_cache()
@pytest.fixture
def tree(tmp_path):
"""A small dir tree with a file, owned by the test runner's own uid."""
d = tmp_path / "root"
(d / "sub").mkdir(parents=True)
(d / "a.txt").write_text("a")
(d / "sub" / "b.txt").write_text("b")
return d
# ---------------------------------------------------------------------------
# TC-03 / TC-04 — scan verdict
# ---------------------------------------------------------------------------
def test_tc03_scan_detects_mismatch(tree):
"""TC-03: a tree whose files are not owned by target_uid -> mismatch=True with the
affected root listed and a sample path set."""
scan = fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID)
assert scan.mismatch is True
assert str(tree) in scan.roots_mismatch
assert scan.sample_path is not None
assert scan.target_uid == _NONEXISTENT_UID
def test_tc04_clean_tree_no_mismatch(tree):
"""TC-04: a clean tree (all files owned by target_uid == the runner) -> idempotent
mismatch=False no-op."""
scan = fs_normalize.scan_ownership(roots=[str(tree)], target_uid=os.getuid())
assert scan.mismatch is False
assert scan.roots_mismatch == []
assert scan.sample_path is None
# ---------------------------------------------------------------------------
# TC-05 — never-raise on bad/missing root
# ---------------------------------------------------------------------------
def test_tc05_never_raise_on_missing_root(tmp_path):
"""TC-05: a non-existent root degrades to mismatch=False, never raises."""
missing = str(tmp_path / "does-not-exist")
scan = fs_normalize.scan_ownership(roots=[missing], target_uid=_NONEXISTENT_UID)
assert scan.mismatch is False
assert scan.roots_checked == [] # the missing root is skipped
def test_tc05_never_raise_on_walk_error(tree, monkeypatch):
"""TC-05: an os.walk explosion mid-scan degrades to a conservative verdict."""
def boom(*a, **k):
raise OSError("simulated walk failure")
monkeypatch.setattr(fs_normalize.os, "walk", boom)
scan = fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID)
# The root dir itself is owned by the runner (not _NONEXISTENT_UID was checked via
# lstat which still works) -> walk error swallowed, no exception escapes.
assert isinstance(scan, fs_normalize.OwnershipScan)
# ---------------------------------------------------------------------------
# TC-06 — applies() scope
# ---------------------------------------------------------------------------
def test_tc06_applies_empty_csv_self_hosting_only(monkeypatch):
"""TC-06: empty ORCH_FS_NORMALIZE_REPOS -> True only for the self-hosting repo
(orchestrator), False for enduro-trails."""
monkeypatch.setattr(fs_normalize.settings, "fs_normalize_repos", "")
assert fs_normalize.applies("orchestrator") is True
assert fs_normalize.applies("enduro-trails") is False
def test_tc06_applies_explicit_csv(monkeypatch):
"""TC-06: a non-empty CSV scopes by list (case-insensitive)."""
monkeypatch.setattr(fs_normalize.settings, "fs_normalize_repos", "enduro-trails")
assert fs_normalize.applies("enduro-trails") is True
assert fs_normalize.applies("orchestrator") is False
# ---------------------------------------------------------------------------
# TC-07 — kill-switch
# ---------------------------------------------------------------------------
def test_tc07_killswitch_off_scan_inert(tree, monkeypatch):
"""TC-07: fs_normalize_enabled=False -> scan is inert (mismatch=False, enabled
flag exposes the off state); applies() False for everyone."""
monkeypatch.setattr(fs_normalize.settings, "fs_normalize_enabled", False)
scan = fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID)
assert scan.mismatch is False
assert scan.enabled is False
assert fs_normalize.applies("orchestrator") is False
def test_tc07_killswitch_off_normalize_inert(tree, monkeypatch):
"""TC-07: normalize is a documented no-op when the kill-switch is off."""
monkeypatch.setattr(fs_normalize.settings, "fs_normalize_enabled", False)
res = fs_normalize.normalize(roots=[str(tree)], target_uid=_NONEXISTENT_UID)
assert res["attempted"] is False
assert res["changed"] == 0
assert "disabled" in res["note"]
# ---------------------------------------------------------------------------
# TC-08 — normalize without privilege
# ---------------------------------------------------------------------------
def test_tc08_normalize_without_rights_is_noop_not_error(tree, monkeypatch):
"""TC-08: under a non-root euid with auto=True and foreign files, normalize is a
no-op + honest log ('operator procedure required'), NOT an exception."""
monkeypatch.setattr(fs_normalize.settings, "fs_normalize_auto", True)
monkeypatch.setattr(fs_normalize.os, "geteuid", lambda: 1000) # non-root
res = fs_normalize.normalize(roots=[str(tree)], target_uid=_NONEXISTENT_UID)
assert res["privileged"] is False
assert res["attempted"] is False
assert res["changed"] == 0
assert "INFRA.md" in res["note"]
# ---------------------------------------------------------------------------
# TC-09 — TTL cache
# ---------------------------------------------------------------------------
def test_tc09_ttl_cache_avoids_rescan(tree, monkeypatch):
"""TC-09: a repeat call inside the TTL window does NOT re-walk; force/reset
invalidates (mirrors preflight._cache)."""
calls = {"n": 0}
real_scan = fs_normalize._scan
def counting_scan(roots, target_uid):
calls["n"] += 1
return real_scan(roots, target_uid)
monkeypatch.setattr(fs_normalize, "_scan", counting_scan)
fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID)
fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID)
assert calls["n"] == 1 # second call served from cache
fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID, force=True)
assert calls["n"] == 2 # force bypasses the cache
fs_normalize.reset_cache()
fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID)
assert calls["n"] == 3 # reset invalidates
def test_tc09_cache_keyed_by_roots_and_uid(tree, monkeypatch):
"""A different (roots, target_uid) key is not served from another key's cache."""
calls = {"n": 0}
real_scan = fs_normalize._scan
def counting_scan(roots, target_uid):
calls["n"] += 1
return real_scan(roots, target_uid)
monkeypatch.setattr(fs_normalize, "_scan", counting_scan)
fs_normalize.scan_ownership(roots=[str(tree)], target_uid=_NONEXISTENT_UID)
fs_normalize.scan_ownership(roots=[str(tree)], target_uid=os.getuid()) # different uid
assert calls["n"] == 2
# ---------------------------------------------------------------------------
# classifier (pure) + snapshot
# ---------------------------------------------------------------------------
def test_classify_worktree_error_markers():
assert fs_normalize.classify_worktree_error("fatal: ...: Permission denied") is True
assert fs_normalize.classify_worktree_error("could not create leading directories") is True
assert fs_normalize.classify_worktree_error("insufficient permission for adding an object") is True
assert fs_normalize.classify_worktree_error("fatal: branch already checked out") is False
assert fs_normalize.classify_worktree_error("") is False
assert fs_normalize.classify_worktree_error(None) is False
def test_is_permission_failure_from_exc():
assert fs_normalize.is_permission_failure(exc=PermissionError(13, "denied")) is True
import errno as _errno
assert fs_normalize.is_permission_failure(exc=OSError(_errno.EACCES, "x")) is True
assert fs_normalize.is_permission_failure(exc=OSError(_errno.ENOENT, "x")) is False
def test_snapshot_shape(tree, monkeypatch):
"""snapshot() returns the additive fs_ownership block and never raises."""
monkeypatch.setattr(fs_normalize.settings, "fs_scan_roots", str(tree))
snap = fs_normalize.snapshot()
for k in ("enabled", "auto", "repos", "target_uid", "mismatch",
"roots_checked", "roots_mismatch", "sample_path", "checked_at"):
assert k in snap
assert snap["enabled"] is True

136
tests/test_fs_normalize_startup.py Normal file
View File

@@ -0,0 +1,136 @@
"""ORCH-057 D3: startup-hook observability + the clear pre-launch outcome.
TC-10 / TC-11 (04-test-plan.yaml):
* TC-10 — the lifespan startup hook, on a detected mismatch, emits a WARNING and a
Telegram message; a detect error never crashes the start (never-fatal).
* TC-11 — the "clear, early" outcome on a permission failure is delivered by the
actionable ensure_worktree error (ADR-001 D3: claim is NOT blocked), i.e. the
launch surfaces an actionable diagnosis, never a raw git-fatal.
Background daemons are disabled via env so the lifespan is cheap and deterministic.
"""
import os
import tempfile
import pytest
_test_db = os.path.join(tempfile.gettempdir(), "test_orchestrator_fsn_startup.db")
os.environ["ORCH_DB_PATH"] = _test_db
os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir()
os.environ["ORCH_GITEA_TOKEN"] = "test-token"
os.environ["ORCH_PLANE_API_TOKEN"] = "test-token"
os.environ["ORCH_PLANE_WEBHOOK_SECRET"] = ""
os.environ["ORCH_GITEA_WEBHOOK_SECRET"] = ""
# Keep the lifespan light: no background daemons during the test.
os.environ["ORCH_RECONCILE_ENABLED"] = "false"
os.environ["ORCH_REAPER_ENABLED"] = "false"
os.environ["ORCH_DISK_MONITOR_ENABLED"] = "false"
os.environ["ORCH_BUILD_CACHE_PRUNE_ENABLED"] = "false"
os.environ["ORCH_FS_NORMALIZE_ENABLED"] = "true"
from fastapi.testclient import TestClient
from src import fs_normalize, git_worktree
from src.main import app
from src.db import init_db
@pytest.fixture(autouse=True)
def _db():
if os.path.exists(_test_db):
os.unlink(_test_db)
init_db()
fs_normalize.reset_cache()
yield
if os.path.exists(_test_db):
os.unlink(_test_db)
# ---------------------------------------------------------------------------
# TC-10 — startup observability
# ---------------------------------------------------------------------------
def test_tc10_startup_mismatch_warns_and_telegrams(monkeypatch, caplog):
"""TC-10: on a detected mismatch the startup hook logs a WARNING and sends a
Telegram message (mocked)."""
sent = []
monkeypatch.setattr(
"src.notifications.send_telegram", lambda *a, **k: sent.append(a[0] if a else "")
)
scan = fs_normalize.OwnershipScan(
mismatch=True, target_uid=1000, roots_checked=["/repos/_wt"],
roots_mismatch=["/repos/_wt"], sample_path="/repos/_wt/x", checked_at=1.0,
)
monkeypatch.setattr("src.fs_normalize.scan_ownership", lambda *a, **k: scan)
with caplog.at_level("WARNING"):
with TestClient(app):
pass
assert any("FS-ownership mismatch" in r.message for r in caplog.records)
# Filter for the fs-ownership message (the shared startup may emit other,
# unrelated Telegram traffic — e.g. a leftover task's tracker card).
fs_msgs = [m for m in sent if "legacy root-owned" in m.lower() or "chown" in m.lower()]
assert fs_msgs, "expected a Telegram message on mismatch"
def test_tc10_startup_detect_error_never_fatal(monkeypatch):
"""TC-10: a detect error must NOT crash the start (never-fatal)."""
def boom(*a, **k):
raise RuntimeError("simulated detect failure")
monkeypatch.setattr("src.fs_normalize.scan_ownership", boom)
# Entering/exiting the lifespan must not raise.
with TestClient(app):
pass
def test_tc10_startup_clean_no_telegram(monkeypatch):
"""A clean environment (no mismatch) sends no Telegram and does not warn."""
sent = []
monkeypatch.setattr(
"src.notifications.send_telegram", lambda *a, **k: sent.append(a[0] if a else "")
)
clean = fs_normalize.OwnershipScan(mismatch=False, target_uid=1000, checked_at=1.0)
monkeypatch.setattr("src.fs_normalize.scan_ownership", lambda *a, **k: clean)
with TestClient(app):
pass
# No fs-ownership message on a clean environment (unrelated startup Telegram
# traffic from a shared-DB leftover task is ignored).
fs_msgs = [m for m in sent if "legacy root-owned" in m.lower() or "обнаружены legacy" in m.lower()]
assert fs_msgs == []
# ---------------------------------------------------------------------------
# TC-11 — clear pre-launch outcome (D1, not a claim gate)
# ---------------------------------------------------------------------------
def test_tc11_launch_permission_failure_is_actionable_not_raw(tmp_path, monkeypatch):
"""TC-11: the launch-time worktree creation surfaces an actionable error (clear,
before the agent spends a token), not a raw git-fatal — the ADR-001 D3 "внятно и
заранее" outcome that replaces a blocking claim gate."""
repo = "orchestrator"
repos_dir = tmp_path / "repos"
(repos_dir / repo).mkdir(parents=True)
monkeypatch.setattr(git_worktree.settings, "repos_dir", str(repos_dir))
monkeypatch.setattr(git_worktree.settings, "worktrees_dir", str(repos_dir / "_wt"))
monkeypatch.setattr(git_worktree.settings, "fs_normalize_enabled", True)
class _R:
def __init__(self, rc, err=""):
self.returncode = rc
self.stderr = err
self.stdout = ""
def fake_run(cmd, *a, **k):
if "fetch" in cmd:
return _R(0)
if "worktree" in cmd and "add" in cmd:
return _R(128, "fatal: ...: Permission denied")
return _R(0)
monkeypatch.setattr(git_worktree.subprocess, "run", fake_run)
with pytest.raises(RuntimeError) as ei:
git_worktree.ensure_worktree(repo, "feature/x")
msg = str(ei.value)
assert "INFRA.md" in msg and "chown" in msg.lower()
assert "git worktree add failed" not in msg # not the raw passthrough

139
tests/test_git_worktree_perm.py Normal file
View File

@@ -0,0 +1,139 @@
"""ORCH-057 D1: actionable worktree error on a legacy-ownership permission failure.
TC-01 / TC-02 (04-test-plan.yaml): a permission-class ``git worktree add`` /
``os.makedirs`` failure must surface an actionable RuntimeError (cause + healing
command + INFRA.md ref), while a NON-permission failure keeps the prior raw-stderr
contract (no meaning substitution). No real chown / no writes to /repos — failures
are simulated via monkeypatched ``subprocess.run`` / ``os.makedirs``.
"""
import os
import tempfile
import pytest
_test_db = os.path.join(tempfile.gettempdir(), "test_orchestrator_wt_perm.db")
os.environ["ORCH_DB_PATH"] = _test_db
os.environ["ORCH_REPOS_DIR"] = tempfile.gettempdir()
os.environ["ORCH_GITEA_TOKEN"] = "test-token"
os.environ["ORCH_PLANE_API_TOKEN"] = "test-token"
from src import git_worktree
from src.git_worktree import ensure_worktree
class _R:
"""Minimal CompletedProcess stand-in."""
def __init__(self, returncode, stderr=""):
self.returncode = returncode
self.stderr = stderr
self.stdout = ""
@pytest.fixture
def main_repo(tmp_path, monkeypatch):
"""A bare-minimum main clone dir so ensure_worktree gets past the existence check.
repos_dir/<repo> must be a directory; worktrees_dir points at a fresh tmp path.
The actual git calls are monkeypatched per-test.
"""
repo = "orchestrator"
repos_dir = tmp_path / "repos"
(repos_dir / repo).mkdir(parents=True)
monkeypatch.setattr(git_worktree.settings, "repos_dir", str(repos_dir))
monkeypatch.setattr(git_worktree.settings, "worktrees_dir", str(tmp_path / "repos" / "_wt"))
monkeypatch.setattr(git_worktree.settings, "fs_normalize_enabled", True)
return repo
def test_tc01_permission_git_fatal_becomes_actionable(main_repo, monkeypatch):
"""TC-01: a git-fatal 'could not create leading directories / Permission denied'
raises an actionable RuntimeError (diagnosis + chown), not the raw git stderr."""
perm_stderr = (
"fatal: could not create leading directories of "
"'/repos/_wt/orchestrator/x': Permission denied"
)
def fake_run(cmd, *a, **k):
# fetch -> ok; worktree add (both forms) -> permission fatal.
if "fetch" in cmd:
return _R(0)
if "worktree" in cmd and "add" in cmd:
return _R(128, perm_stderr)
return _R(0)
monkeypatch.setattr(git_worktree.subprocess, "run", fake_run)
with pytest.raises(RuntimeError) as ei:
ensure_worktree(main_repo, "feature/x")
msg = str(ei.value)
# Actionable: names the cause + the healing command + the INFRA procedure...
assert "legacy root-owned" in msg.lower()
assert "chown" in msg.lower()
assert "INFRA.md" in msg
# ...and is NOT merely the raw "git worktree add failed" passthrough.
assert "git worktree add failed" not in msg
def test_tc01_makedirs_permission_error_becomes_actionable(main_repo, monkeypatch):
"""TC-01 (sibling path): a PermissionError from os.makedirs (creating the leading
worktree dir) is also turned into the actionable RuntimeError."""
def fake_run(cmd, *a, **k):
return _R(0)
monkeypatch.setattr(git_worktree.subprocess, "run", fake_run)
def boom(*a, **k):
raise PermissionError(13, "Permission denied")
monkeypatch.setattr(git_worktree.os, "makedirs", boom)
with pytest.raises(RuntimeError) as ei:
ensure_worktree(main_repo, "feature/x")
assert "chown" in str(ei.value).lower()
assert "legacy root-owned" in str(ei.value).lower()
def test_tc02_non_permission_error_keeps_prior_contract(main_repo, monkeypatch):
"""TC-02: a NON-permission failure (e.g. a real branch conflict) keeps the prior
raw-stderr 'git worktree add failed' message — no meaning substitution."""
conflict = "fatal: 'feature/x' is already checked out at '/repos/_wt/other'"
def fake_run(cmd, *a, **k):
if "fetch" in cmd:
return _R(0)
if "worktree" in cmd and "add" in cmd:
return _R(128, conflict)
return _R(0)
monkeypatch.setattr(git_worktree.subprocess, "run", fake_run)
with pytest.raises(RuntimeError) as ei:
ensure_worktree(main_repo, "feature/x")
msg = str(ei.value)
assert "git worktree add failed" in msg
assert "already checked out" in msg
# The actionable diagnosis must NOT be injected for a non-permission error.
assert "legacy root-owned" not in msg.lower()
def test_tc02_killswitch_off_keeps_raw_contract_even_for_permission(main_repo, monkeypatch):
"""Kill-switch off (fs_normalize_enabled=False) -> the error contract is byte-for-
byte as before ORCH-057 even for a permission failure (raw stderr passthrough)."""
monkeypatch.setattr(git_worktree.settings, "fs_normalize_enabled", False)
perm_stderr = "fatal: ...: Permission denied"
def fake_run(cmd, *a, **k):
if "fetch" in cmd:
return _R(0)
if "worktree" in cmd and "add" in cmd:
return _R(128, perm_stderr)
return _R(0)
monkeypatch.setattr(git_worktree.subprocess, "run", fake_run)
with pytest.raises(RuntimeError) as ei:
ensure_worktree(main_repo, "feature/x")
msg = str(ei.value)
assert "git worktree add failed" in msg
assert "legacy root-owned" not in msg.lower()