package supervisor import ( "context" "crypto/rand" "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "math/big" "os" "path/filepath" "testing" "time" "github.com/example/remote-access-platform/agents/rap-node-agent/internal/client" "github.com/example/remote-access-platform/agents/rap-node-agent/internal/webingress" ) func TestStubSupervisorReportsDegradedForEnabledWorkload(t *testing.T) { statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{ {ServiceType: "rdp-worker", DesiredState: "enabled", RuntimeMode: "container"}, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if len(statuses) != 1 { t.Fatalf("statuses length = %d", len(statuses)) } if statuses[0].ReportedState != "degraded" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } } func TestStubSupervisorReportsStoppedForDisabledWorkload(t *testing.T) { statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{ {ServiceType: "relay-node", DesiredState: "disabled", RuntimeMode: "container"}, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "stopped" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } } func TestStubSupervisorRunsInternalSyntheticEchoWorkload(t *testing.T) { statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{ {ServiceType: "synthetic.echo", DesiredState: "enabled", RuntimeMode: "native"}, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "running" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } if statuses[0].StatusPayload["reason"] != "internal_synthetic_echo_ready" { t.Fatalf("reason = %v", statuses[0].StatusPayload["reason"]) } if statuses[0].StatusPayload["execution_mode"] != "builtin" { t.Fatalf("execution_mode = %v", statuses[0].StatusPayload["execution_mode"]) } } func TestStubSupervisorReportsBuiltinFabricServicesRunning(t *testing.T) { statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{ {ServiceType: "core-mesh", DesiredState: "enabled", RuntimeMode: "container"}, {ServiceType: "fabric-listener", DesiredState: "enabled", RuntimeMode: "container"}, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if len(statuses) != 2 { t.Fatalf("statuses length = %d", len(statuses)) } for _, status := range statuses { if status.ReportedState != "running" { t.Fatalf("ReportedState = %q", status.ReportedState) } if status.StatusPayload["reason"] != "builtin_node_agent_service_ready" { t.Fatalf("reason = %v", status.StatusPayload["reason"]) } } } func TestStubSupervisorReportsVPNFabricOnlyContractsRunning(t *testing.T) { statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{ { ServiceType: "ipv4-egress", DesiredState: "enabled", RuntimeMode: "native", Config: map[string]any{ "pool_id": "us-los-angeles-ipv4", "region": "us-los-angeles", "allowed_cidrs": []any{"0.0.0.0/0"}, "dns_servers": []any{"192.168.200.210"}, }, }, { ServiceType: "ipv4-ingress", DesiredState: "enabled", RuntimeMode: "native", Config: map[string]any{ "exit_pool_id": "us-los-angeles-ipv4", "listen_tcp_ports": []any{443, "8443"}, "listen_udp_ports": "443,51820", }, }, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if len(statuses) != 2 { t.Fatalf("statuses length = %d", len(statuses)) } for _, status := range statuses { if status.ReportedState != "running" { t.Fatalf("ReportedState = %q", status.ReportedState) } if status.StatusPayload["execution_mode"] != "contract_probe" { t.Fatalf("execution_mode = %v", status.StatusPayload["execution_mode"]) } if status.StatusPayload["fabric_transport"] != "quic_only" { t.Fatalf("fabric_transport = %v", status.StatusPayload["fabric_transport"]) } if status.StatusPayload["backend_relay_fallback"] != false { t.Fatalf("backend_relay_fallback = %v", status.StatusPayload["backend_relay_fallback"]) } if status.StatusPayload["compat_protocol_compatibility"] != false { t.Fatalf("compat_protocol_compatibility = %v", status.StatusPayload["compat_protocol_compatibility"]) } } if statuses[0].StatusPayload["role"] != "ipv4-egress" || statuses[0].StatusPayload["internet_egress"] != true { t.Fatalf("ipv4 egress payload = %#v", statuses[0].StatusPayload) } if statuses[1].StatusPayload["role"] != "ipv4-ingress" || statuses[1].StatusPayload["legacy_role_alias"] != "vpn-client" || statuses[1].StatusPayload["android_node_supported"] != true || statuses[1].StatusPayload["linux_node_supported"] != true || statuses[1].StatusPayload["windows_node_supported"] != true { t.Fatalf("vpn client payload = %#v", statuses[1].StatusPayload) } exitBinding := statuses[0].StatusPayload["service_binding"].(map[string]any) if exitBinding["type"] != "ipv4_egress" || exitBinding["accepts_from_fabric_only"] != true || exitBinding["exit_pool_id"] != "us-los-angeles-ipv4" { t.Fatalf("ipv4 egress binding = %#v", exitBinding) } clientBinding := statuses[1].StatusPayload["service_binding"].(map[string]any) if clientBinding["type"] != "local_ipv4_ingress" || clientBinding["preferred_exit_pool_id"] != "us-los-angeles-ipv4" || clientBinding["compat_protocol_listener"] != false { t.Fatalf("vpn client binding = %#v", clientBinding) } if clientBinding["traffic_visibility"] != "opaque_ipv4_packets" || clientBinding["flow_distribution"] != "opaque_packet_hash_shards" { t.Fatalf("ipv4 ingress binding should be opaque: %#v", clientBinding) } if got := clientBinding["listen_tcp_ports"].([]int); len(got) != 2 || got[0] != 443 || got[1] != 8443 { t.Fatalf("listen_tcp_ports = %#v", got) } if got := clientBinding["listen_udp_ports"].([]int); len(got) != 2 || got[0] != 443 || got[1] != 51820 { t.Fatalf("listen_udp_ports = %#v", got) } } func TestStubSupervisorReportsWebIngressContractReady(t *testing.T) { statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{ { ServiceType: "admin-ingress", DesiredState: "enabled", RuntimeMode: "native", Config: map[string]any{ "listen_https_port": 443, "tls_mode": "terminate", "scope": "platform", "service_classes": []any{"admin-ingress", "admin-ingress"}, }, }, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "running" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } payload := statuses[0].StatusPayload if payload["reason"] != "web_ingress_contract_ready" || payload["fabric_transport"] != "quic_only" || payload["http_between_fabric_nodes"] != false || payload["authority_service"] != false || payload["real_listener_start_allowed"] != false || payload["runtime_handler_ready"] != true || payload["runtime_handler_payload_status"] != "fabric_service_channel_binding_not_implemented" || payload["ports_opened_by_stub"] != false { t.Fatalf("unexpected payload: %#v", payload) } functions, ok := payload["runtime_fabric_functions"].([]string) if !ok || !containsString(functions, "admin-ingress") { t.Fatalf("runtime fabric functions = %#v", payload["runtime_fabric_functions"]) } } func TestStubSupervisorBlocksWebIngressRealListenerWithoutRuntimeGate(t *testing.T) { statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{ { ServiceType: "admin-ingress", DesiredState: "enabled", RuntimeMode: "native", Config: map[string]any{ "listen_https_port": 443, "tls_mode": "terminate", "scope": "platform", "service_classes": []any{"admin-ingress"}, "real_listener_enabled": true, }, }, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "degraded" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } payload := statuses[0].StatusPayload if payload["reason"] != "web_ingress_real_listener_gate_disabled" || payload["real_listener_requested"] != true || payload["real_listener_runtime_enabled"] != false || payload["real_listener_start_allowed"] != false || payload["ports_opened_by_stub"] != false { t.Fatalf("unexpected payload: %#v", payload) } } func TestStubSupervisorAllowsWebIngressRealListenerGateButDoesNotOpenPorts(t *testing.T) { statuses, err := (StubSupervisor{Version: "test", WebIngressRuntimeEnabled: true}).Apply(context.Background(), []client.DesiredWorkload{ { ServiceType: "admin-ingress", DesiredState: "enabled", RuntimeMode: "native", Config: map[string]any{ "listen_https_port": 443, "tls_mode": "terminate", "scope": "platform", "service_classes": []any{"admin-ingress"}, "real_listener_enabled": true, }, }, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "running" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } payload := statuses[0].StatusPayload if payload["real_listener_requested"] != true || payload["real_listener_runtime_enabled"] != true || payload["real_listener_start_allowed"] != true || payload["ports_opened_by_stub"] != false { t.Fatalf("unexpected payload: %#v", payload) } } func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing.T) { dir := t.TempDir() certFile, keyFile := writeSelfSignedCert(t, dir) manager := webingress.NewManager() statuses, err := (StubSupervisor{Version: "test", WebIngressRuntimeEnabled: true, WebIngressManager: manager}).Apply(context.Background(), []client.DesiredWorkload{ { ServiceType: "admin-ingress", DesiredState: "enabled", RuntimeMode: "native", Config: map[string]any{ "listen_https_port": 443, "listen_https_addr": "127.0.0.1:0", "tls_mode": "terminate", "tls_cert_file": certFile, "tls_key_file": keyFile, "scope": "platform", "service_classes": []any{"admin-ingress"}, "real_listener_enabled": true, }, }, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "running" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } payload := statuses[0].StatusPayload listenerStatus, ok := payload["listener_status"].(webingress.ListenerStatus) if !ok { t.Fatalf("listener_status = %#v", payload["listener_status"]) } if !listenerStatus.HTTPSRunning || listenerStatus.HTTPSAddr == "" { t.Fatalf("listener status = %+v", listenerStatus) } if payload["reason"] != "web_ingress_contract_ready" || payload["ports_opened_by_runtime"] != true || payload["ports_opened_by_stub"] != false { t.Fatalf("payload = %#v", payload) } _ = manager.Stop(context.Background()) } func writeSelfSignedCert(t *testing.T, dir string) (string, string) { t.Helper() key, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { t.Fatalf("generate key: %v", err) } template := x509.Certificate{ SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, DNSNames: []string{"localhost"}, } der, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key) if err != nil { t.Fatalf("create cert: %v", err) } certFile := filepath.Join(dir, "cert.pem") keyFile := filepath.Join(dir, "key.pem") if err := os.WriteFile(certFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil { t.Fatalf("write cert: %v", err) } if err := os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), 0o600); err != nil { t.Fatalf("write key: %v", err) } return certFile, keyFile } func TestStubSupervisorBlocksInvalidWebIngressContract(t *testing.T) { statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{ { ServiceType: "public-ingress", DesiredState: "enabled", RuntimeMode: "native", Config: map[string]any{ "listen_https_port": 444, "scope": "organization", "service_classes": []any{"admin-ingress"}, }, }, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "degraded" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } payload := statuses[0].StatusPayload if payload["reason"] != "web_ingress_contract_invalid" || payload["traffic"] != "blocked" { t.Fatalf("unexpected payload: %#v", payload) } missing, ok := payload["missing_checks"].([]string) if !ok || !containsString(missing, "listen_https_port_must_be_443") || !containsString(missing, "service_class_not_allowed:admin-ingress") { t.Fatalf("missing checks = %#v", payload["missing_checks"]) } } func TestStubSupervisorKeepsUnsupportedEnabledWorkloadDegraded(t *testing.T) { statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{ {ServiceType: "rdp-worker", DesiredState: "enabled", RuntimeMode: "container"}, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "degraded" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } if statuses[0].StatusPayload["reason"] != "service_runtime_not_implemented" { t.Fatalf("reason = %v", statuses[0].StatusPayload["reason"]) } } func TestStubSupervisorRunsRDPWorkerAdapterContractProbeOnly(t *testing.T) { statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{ { ServiceType: "rdp-worker", DesiredState: "enabled", RuntimeMode: "native", Config: map[string]any{ "adapter_contract_probe": true, }, }, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "running" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } if statuses[0].StatusPayload["reason"] != "remote_workspace_adapter_contract_probe_ready" { t.Fatalf("reason = %v", statuses[0].StatusPayload["reason"]) } if statuses[0].StatusPayload["service_class"] != "remote_workspace" { t.Fatalf("service_class = %v", statuses[0].StatusPayload["service_class"]) } if statuses[0].StatusPayload["backend_relay_steady_state"] != false { t.Fatalf("backend_relay_steady_state = %v", statuses[0].StatusPayload["backend_relay_steady_state"]) } channels, ok := statuses[0].StatusPayload["channels"].([]map[string]any) if !ok || len(channels) != 9 { t.Fatalf("channels = %#v", statuses[0].StatusPayload["channels"]) } if channels[0]["name"] != "input" || channels[0]["priority"] != "critical" || channels[0]["droppable"] != true || channels[0]["may_block_input"] != false { t.Fatalf("unexpected input channel: %#v", channels[0]) } frameBatch, ok := statuses[0].StatusPayload["frame_batch_contract"].(map[string]any) if !ok { t.Fatalf("frame_batch_contract = %#v", statuses[0].StatusPayload["frame_batch_contract"]) } if frameBatch["schema_version"] != "rap.remote_workspace_frame_batch.v1" || frameBatch["payload_forwarding"] != "not_implemented" || frameBatch["service_class"] != "remote_workspace" { t.Fatalf("unexpected frame batch contract: %#v", frameBatch) } realAdapter, ok := statuses[0].StatusPayload["real_adapter_supervision"].(map[string]any) if !ok { t.Fatalf("real_adapter_supervision = %#v", statuses[0].StatusPayload["real_adapter_supervision"]) } if realAdapter["schema_version"] != "rap.remote_workspace_real_adapter_supervision.v1" || realAdapter["enabled"] != false || realAdapter["activation_state"] != "disabled_until_real_runtime_stage" || realAdapter["payload_traffic"] != "none" { t.Fatalf("unexpected real adapter supervision contract: %#v", realAdapter) } if !realAdapterSupervisionContractCompatible(realAdapter) { t.Fatalf("real adapter supervision contract is not compatible: %#v", realAdapter) } } func TestStubSupervisorKeepsContractProbePrecedenceWhenRealAdapterAlsoRequested(t *testing.T) { statuses, err := (StubSupervisor{ Version: "test", RemoteWorkspaceRealAdapter: RemoteWorkspaceRealAdapterConfig{ EnabledRequested: true, Command: "/opt/rap/bin/rdp-worker", ArgsJSON: `["--future-probe"]`, WorkDir: "/var/lib/rap-node-agent/rdp-worker", }, }).Apply(context.Background(), []client.DesiredWorkload{ { ServiceType: "rdp-worker", DesiredState: "enabled", RuntimeMode: "native", Config: map[string]any{ "adapter_contract_probe": true, "real_adapter_supervision": true, }, }, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "running" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } payload := statuses[0].StatusPayload if payload["execution_mode"] != "contract_probe" || payload["reason"] != "remote_workspace_adapter_contract_probe_ready" || payload["traffic"] != "none" { t.Fatalf("contract probe did not retain precedence: %#v", payload) } realAdapter, ok := payload["real_adapter_supervision"].(map[string]any) if !ok || !realAdapterSupervisionContractCompatible(realAdapter) { t.Fatalf("real_adapter_supervision = %#v", payload["real_adapter_supervision"]) } decision := realAdapter["activation_decision"].(map[string]any) if realAdapter["enabled"] != false || decision["decision"] != "blocked" || decision["reason"] != "real_runtime_stage_not_enabled" || decision["payload_traffic"] != "none" { t.Fatalf("unexpected activation decision under contract-probe precedence: %#v", realAdapter) } } func TestStubSupervisorKeepsRealAdapterSupervisionDisabled(t *testing.T) { statuses, err := (StubSupervisor{ Version: "test", RemoteWorkspaceRealAdapter: RemoteWorkspaceRealAdapterConfig{ EnabledRequested: true, Command: "/opt/rap/bin/rdp-worker", ArgsJSON: `["--future-probe"]`, WorkDir: "/var/lib/rap-node-agent/rdp-worker", }, }).Apply(context.Background(), []client.DesiredWorkload{ { ServiceType: "rdp-worker", DesiredState: "enabled", RuntimeMode: "native", Config: map[string]any{ "real_adapter_supervision": true, }, }, }) if err != nil { t.Fatalf("apply desired workload: %v", err) } if statuses[0].ReportedState != "degraded" { t.Fatalf("ReportedState = %q", statuses[0].ReportedState) } if statuses[0].StatusPayload["reason"] != "remote_workspace_real_adapter_supervision_disabled" || statuses[0].StatusPayload["execution_mode"] != "real_adapter_supervision_disabled" || statuses[0].StatusPayload["traffic"] != "blocked" || statuses[0].StatusPayload["payload_traffic"] != "none" { t.Fatalf("unexpected real adapter disabled payload: %#v", statuses[0].StatusPayload) } realAdapter, ok := statuses[0].StatusPayload["real_adapter_supervision"].(map[string]any) if !ok || !realAdapterSupervisionContractCompatible(realAdapter) { t.Fatalf("real adapter supervision contract = %#v", statuses[0].StatusPayload["real_adapter_supervision"]) } projection, ok := realAdapter["config_projection"].(map[string]any) if !ok { t.Fatalf("config_projection = %#v", realAdapter["config_projection"]) } if realAdapter["enabled"] != false || projection["enabled_requested"] != true || projection["activation_allowed"] != false || projection["command_present"] != true || projection["args_json_present"] != true || projection["args_json_shape"] != "json_array" || projection["workdir_present"] != true || projection["raw_values_redacted"] != true { t.Fatalf("unexpected config projection: %#v", projection) } decision, ok := realAdapter["activation_decision"].(map[string]any) if !ok { t.Fatalf("activation_decision = %#v", realAdapter["activation_decision"]) } if decision["decision"] != "blocked" || decision["reason"] != "real_runtime_stage_not_enabled" || decision["enabled_requested"] != true || decision["activation_allowed"] != false || decision["payload_traffic"] != "none" { t.Fatalf("unexpected activation decision: %#v", decision) } features, ok := realAdapter["features"].(map[string]any) if !ok || features["config_projection"] != true || features["activation_decision"] != true || features["process_supervisor_preconditions"] != true || features["process_supervisor_start_disabled"] != true || features["missing_gates"] != true || features["raw_values_redacted"] != true { t.Fatalf("unexpected real adapter features: %#v", realAdapter["features"]) } preconditions, ok := realAdapter["process_supervisor_preconditions"].(map[string]any) if !ok || preconditions["schema_version"] != "rap.remote_workspace_real_adapter_process_supervisor_preconditions.v1" || preconditions["process_start_allowed"] != false || preconditions["command_config_present"] != true || preconditions["args_config_present"] != true || preconditions["workdir_config_present"] != true { t.Fatalf("unexpected process supervisor preconditions: %#v", realAdapter["process_supervisor_preconditions"]) } healthProbe, ok := realAdapter["process_health_probe"].(map[string]any) if !ok || healthProbe["schema_version"] != "rap.remote_workspace_real_adapter_process_health_probe.v1" || healthProbe["health_probe_enabled"] != false || healthProbe["payload_traffic"] != "none" { t.Fatalf("unexpected process health probe: %#v", realAdapter["process_health_probe"]) } } func TestRealAdapterSupervisionContractCompatibility(t *testing.T) { compatible := remoteWorkspaceRealAdapterSupervisionContract() if !realAdapterSupervisionContractCompatible(compatible) { t.Fatalf("expected real adapter supervision contract to be compatible") } tests := []struct { name string contract map[string]any }{ { name: "enabled", contract: map[string]any{ "schema_version": "rap.remote_workspace_real_adapter_supervision.v1", "enabled": true, "activation_state": "disabled_until_real_runtime_stage", "payload_traffic": "none", "config_projection": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_config_projection.v1", "activation_allowed": false, "raw_values_redacted": true}, "activation_decision": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_activation_decision.v1", "decision": "blocked", "reason": "real_runtime_stage_not_enabled", "activation_allowed": false, "payload_traffic": "none", "required_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}, "missing_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}}, "process_supervisor_preconditions": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_supervisor_preconditions.v1", "process_start_allowed": false, "reason": "disabled_until_real_runtime_stage", "required_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}, "missing_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}}, "process_health_probe": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_health_probe.v1", "health_probe_enabled": false, "reason": "disabled_until_real_runtime_stage", "payload_traffic": "none", "probe_model": "external_process_health", "required_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}, "missing_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}}, "features": map[string]any{"config_projection": true, "activation_decision": true, "missing_gates": true, "process_health_probe": true, "process_health_probe_disabled": true, "process_supervisor_preconditions": true, "process_supervisor_start_disabled": true, "raw_values_redacted": true}, "config_env": []string{"RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ENABLED", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_COMMAND", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ARGS_JSON", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_WORKDIR"}, "status_contract": []string{"schema_version", "enabled", "activation_state", "execution_mode", "payload_traffic", "process_model", "config_projection", "activation_decision", "process_supervisor_preconditions", "process_health_probe", "features", "config_env", "status_contract"}, "guardrails": []string{"contract_probe_remains_default", "no_payload_forwarding_until_real_runtime_stage", "backend_relay_not_steady_state", "fabric_service_channel_required"}, }, }, { name: "missing env", contract: map[string]any{ "schema_version": "rap.remote_workspace_real_adapter_supervision.v1", "enabled": false, "activation_state": "disabled_until_real_runtime_stage", "payload_traffic": "none", "config_projection": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_config_projection.v1", "activation_allowed": false, "raw_values_redacted": true}, "activation_decision": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_activation_decision.v1", "decision": "blocked", "reason": "real_runtime_stage_not_enabled", "activation_allowed": false, "payload_traffic": "none", "required_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}, "missing_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}}, "process_supervisor_preconditions": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_supervisor_preconditions.v1", "process_start_allowed": false, "reason": "disabled_until_real_runtime_stage", "required_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}, "missing_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}}, "process_health_probe": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_health_probe.v1", "health_probe_enabled": false, "reason": "disabled_until_real_runtime_stage", "payload_traffic": "none", "probe_model": "external_process_health", "required_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}, "missing_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}}, "features": map[string]any{"config_projection": true, "activation_decision": true, "missing_gates": true, "process_health_probe": true, "process_health_probe_disabled": true, "process_supervisor_preconditions": true, "process_supervisor_start_disabled": true, "raw_values_redacted": true}, "config_env": []string{"RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ENABLED"}, "status_contract": []string{"schema_version", "enabled", "activation_state", "execution_mode", "payload_traffic", "process_model", "config_projection", "activation_decision", "process_supervisor_preconditions", "process_health_probe", "features", "config_env", "status_contract"}, "guardrails": []string{"contract_probe_remains_default", "no_payload_forwarding_until_real_runtime_stage", "backend_relay_not_steady_state", "fabric_service_channel_required"}, }, }, { name: "missing guardrail", contract: map[string]any{ "schema_version": "rap.remote_workspace_real_adapter_supervision.v1", "enabled": false, "activation_state": "disabled_until_real_runtime_stage", "payload_traffic": "none", "config_projection": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_config_projection.v1", "activation_allowed": false, "raw_values_redacted": true}, "activation_decision": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_activation_decision.v1", "decision": "blocked", "reason": "real_runtime_stage_not_enabled", "activation_allowed": false, "payload_traffic": "none", "required_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}, "missing_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}}, "process_supervisor_preconditions": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_supervisor_preconditions.v1", "process_start_allowed": false, "reason": "disabled_until_real_runtime_stage", "required_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}, "missing_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}}, "process_health_probe": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_health_probe.v1", "health_probe_enabled": false, "reason": "disabled_until_real_runtime_stage", "payload_traffic": "none", "probe_model": "external_process_health", "required_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}, "missing_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}}, "features": map[string]any{"config_projection": true, "activation_decision": true, "missing_gates": true, "process_health_probe": true, "process_health_probe_disabled": true, "process_supervisor_preconditions": true, "process_supervisor_start_disabled": true, "raw_values_redacted": true}, "config_env": []string{"RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ENABLED", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_COMMAND", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ARGS_JSON", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_WORKDIR"}, "status_contract": []string{"schema_version", "enabled", "activation_state", "execution_mode", "payload_traffic", "process_model", "config_projection", "activation_decision", "process_supervisor_preconditions", "process_health_probe", "features", "config_env", "status_contract"}, "guardrails": []string{"contract_probe_remains_default"}, }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { if realAdapterSupervisionContractCompatible(tt.contract) { t.Fatalf("expected incompatible contract for %+v", tt.contract) } }) } } func TestRealAdapterConfigProjectionCompatibility(t *testing.T) { tests := []struct { name string config RemoteWorkspaceRealAdapterConfig enabledRequested bool commandPresent bool argsJSONPresent bool argsJSONShape string workdirPresent bool }{ { name: "default empty", argsJSONShape: "absent", }, { name: "requested array args", config: RemoteWorkspaceRealAdapterConfig{ EnabledRequested: true, Command: "/opt/rap/bin/rdp-worker", ArgsJSON: `["--future-probe"]`, WorkDir: "/var/lib/rap-node-agent/rdp-worker", }, enabledRequested: true, commandPresent: true, argsJSONPresent: true, argsJSONShape: "json_array", workdirPresent: true, }, { name: "object args shape", config: RemoteWorkspaceRealAdapterConfig{ ArgsJSON: `{"arg":"value"}`, }, argsJSONPresent: true, argsJSONShape: "json_object", }, { name: "opaque args shape", config: RemoteWorkspaceRealAdapterConfig{ ArgsJSON: "--future-probe", }, argsJSONPresent: true, argsJSONShape: "opaque", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { contract := remoteWorkspaceRealAdapterSupervisionContract(tt.config) if !realAdapterSupervisionContractCompatible(contract) { t.Fatalf("contract is not compatible: %#v", contract) } projection := contract["config_projection"].(map[string]any) if projection["enabled_requested"] != tt.enabledRequested || projection["activation_allowed"] != false || projection["command_present"] != tt.commandPresent || projection["args_json_present"] != tt.argsJSONPresent || projection["args_json_shape"] != tt.argsJSONShape || projection["workdir_present"] != tt.workdirPresent || projection["raw_values_redacted"] != true { t.Fatalf("unexpected config projection: %#v", projection) } }) } } func TestRealAdapterProjectionAndActivationDecisionStayAligned(t *testing.T) { tests := []struct { name string config RemoteWorkspaceRealAdapterConfig enabledRequested bool }{ {name: "default"}, { name: "requested", config: RemoteWorkspaceRealAdapterConfig{ EnabledRequested: true, Command: "/opt/rap/bin/rdp-worker", ArgsJSON: `["--future-probe"]`, WorkDir: "/var/lib/rap-node-agent/rdp-worker", }, enabledRequested: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { contract := remoteWorkspaceRealAdapterSupervisionContract(tt.config) projection := contract["config_projection"].(map[string]any) decision := contract["activation_decision"].(map[string]any) if projection["enabled_requested"] != decision["enabled_requested"] || projection["enabled_requested"] != tt.enabledRequested || projection["activation_allowed"] != false || decision["activation_allowed"] != false || contract["enabled"] != false || contract["payload_traffic"] != decision["payload_traffic"] { t.Fatalf("projection and activation decision are not aligned: contract=%#v", contract) } }) } } func realAdapterSupervisionContractCompatible(contract map[string]any) bool { if contract["schema_version"] != "rap.remote_workspace_real_adapter_supervision.v1" || contract["enabled"] != false || contract["activation_state"] != "disabled_until_real_runtime_stage" || contract["payload_traffic"] != "none" { return false } projection, ok := contract["config_projection"].(map[string]any) if !ok || projection["schema_version"] != "rap.remote_workspace_real_adapter_config_projection.v1" || projection["activation_allowed"] != false || projection["raw_values_redacted"] != true { return false } decision, ok := contract["activation_decision"].(map[string]any) if !ok || decision["schema_version"] != "rap.remote_workspace_real_adapter_activation_decision.v1" || decision["decision"] != "blocked" || decision["reason"] != "real_runtime_stage_not_enabled" || decision["activation_allowed"] != false || decision["payload_traffic"] != "none" { return false } for _, item := range []string{ "real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled", } { if !anyStringSliceContains(decision["required_gates"], item) || !anyStringSliceContains(decision["missing_gates"], item) { return false } } preconditions, ok := contract["process_supervisor_preconditions"].(map[string]any) if !ok || preconditions["schema_version"] != "rap.remote_workspace_real_adapter_process_supervisor_preconditions.v1" || preconditions["process_start_allowed"] != false || preconditions["reason"] != "disabled_until_real_runtime_stage" { return false } for _, item := range []string{ "real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled", } { if !anyStringSliceContains(preconditions["required_checks"], item) || !anyStringSliceContains(preconditions["missing_checks"], item) { return false } } healthProbe, ok := contract["process_health_probe"].(map[string]any) if !ok || healthProbe["schema_version"] != "rap.remote_workspace_real_adapter_process_health_probe.v1" || healthProbe["health_probe_enabled"] != false || healthProbe["reason"] != "disabled_until_real_runtime_stage" || healthProbe["payload_traffic"] != "none" || healthProbe["probe_model"] != "external_process_health" { return false } for _, item := range []string{ "process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready", } { if !anyStringSliceContains(healthProbe["required_signals"], item) || !anyStringSliceContains(healthProbe["missing_signals"], item) { return false } } features, ok := contract["features"].(map[string]any) if !ok || features["config_projection"] != true || features["activation_decision"] != true || features["missing_gates"] != true || features["process_health_probe"] != true || features["process_health_probe_disabled"] != true || features["process_supervisor_preconditions"] != true || features["process_supervisor_start_disabled"] != true || features["raw_values_redacted"] != true { return false } for _, item := range []string{ "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ENABLED", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_COMMAND", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ARGS_JSON", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_WORKDIR", } { if !anyStringSliceContains(contract["config_env"], item) { return false } } for _, item := range []string{ "schema_version", "enabled", "activation_state", "execution_mode", "payload_traffic", "process_model", "config_projection", "activation_decision", "process_supervisor_preconditions", "process_health_probe", "features", "config_env", "status_contract", } { if !anyStringSliceContains(contract["status_contract"], item) { return false } } for _, item := range []string{ "contract_probe_remains_default", "no_payload_forwarding_until_real_runtime_stage", "backend_relay_not_steady_state", "fabric_service_channel_required", } { if !anyStringSliceContains(contract["guardrails"], item) { return false } } return true } func anyStringSliceContains(value any, want string) bool { switch items := value.(type) { case []string: for _, item := range items { if item == want { return true } } case []any: for _, item := range items { if item == want { return true } } } return false }