feat(e2e): guarded ephemeral test-account API (CI mints accounts to test vs prod)#260
Merged
Merged
Conversation
…s vs prod
POST/DELETE /internal/e2e/account — lets CI mint a real ephemeral test account
on prod per run, exercise integration flows, then reap. Security:
- X-E2E-Token constant-time guard; unset/wrong token → 404 (inert + no existence
leak). Ships INERT (no E2E_ACCOUNT_TOKEN config = off by default).
- Create makes an is_test_cohort=true team+user (live worker skip-guards neuter
billing/churn/email/quota), tier ≤ pro — team/growth rejected 400 (Team gated).
Returns a JWT_SECRET-signed session JWT (no Brevo dependency).
- Reap ONLY deletes is_test_cohort teams — a real team → 403 not_test_cohort
(the load-bearing safety test: TestE2EAccount_Reap_NonCohortTeam_Forbidden).
- Rate-limited (fail-open), audit-logged (e2e.account.created/reaped),
metric instant_e2e_account_total{op,result}.
Foundation for running the real-backend integration suite against production
in CI with on-the-fly accounts.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…+ cover model reap/purge branches Fixes the CI failures from #260's guarded /internal/e2e/account endpoint (endpoint + handler tests were correct; only the cross-cutting registries and a few uncovered model error-branches were missing): 1. codeToAgentAction (helpers.go): add operator-facing agent_action for the 6 new error codes — not_test_cohort, rand_failed, team_create_failed, tier_not_allowed, tier_set_failed, user_create_failed. Fixes TestErrorCode_HasAgentAction. 2. auditConsumerSpec (reliability_contract_test.go): register e2e.account.created + e2e.account.reaped as IntentionallyNoConsumer (operator-internal, never customer-facing). Fixes TestReliability_AuditKinds_EveryConstantHasConsumerSpec. 3. openapi_test.go intentionallyHidden: exempt POST /internal/e2e/account + DELETE /internal/e2e/account/{team_id} (CI-only, guarded; mirrors the other /internal worker routes). Fixes TestOpenAPI_CoversAllRegisteredRoutes. 4. route_donebar_guard routeTestMap: map the 2 routes to their existing covering handler-integration tests (create→MintsTestCohortAndAuthenticatingJWT, delete→Reap_TestCohortTeam_Purged). Fixes TestDoneBar_EveryRouteCovered; keeps TestDoneBar_TestMapPointsAtRealTests green. 5. e2e_account_errbranches_test.go: white-box sqlmock coverage for the DB-error branches of CreateTestCohortTeam, DeleteTeamHard, and MarkTeamResourcesForReaper (resource.go 587-592, team.go 414-442) — 100% of the changed lines, satisfying the patch-coverage gate. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…track dump.rdb The e2e-account error codes (not_test_cohort, team_create_failed, user_create_failed, tier_not_allowed, tier_set_failed, rand_failed) are operator/CI-only — emitted only on the guarded /internal/e2e/account surface that is inert by default (404 unless E2E_ACCOUNT_TOKEN is set) and driven by the machine-to-machine E2E harness, never a customer agent. They were previously added to codeToAgentAction with operator-facing copy, which violated the customer-facing agent_action contract (TestAgentActionContract requires every entry to start "Tell the user ..." and carry a customer recovery URL). Move them to error_envelope_coverage_test.go's coverageAllowlist with a per-code rationale instead: the 503 arms fall back to AgentActionContactSupport via respondError's status>=500 path; the 4xx arms (400/403/429) carry a self-explanatory message with no agent_action, which is correct for a CI caller. Also untrack dump.rdb (local Redis artifact accidentally committed) and add it to .gitignore. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Enables CI to mint a real ephemeral test account on prod per run → run the real-backend integration suite → reap. Inert by default (no
E2E_ACCOUNT_TOKEN= endpoints 404). is_test_cohort-scoped (live skip-guards neuter billing/churn/email; reap can never touch a real team → 403); never team-tier. Constant-time token guard, rate-limited, audit-logged. Critical safety test:TestE2EAccount_Reap_NonCohortTeam_Forbidden. Foundation for the prod-CI integration-test goal.🤖 Generated with Claude Code