@jkoelker
Created March 22, 2026 01:57
apply-opencode shim and env tests
}
/// An improvement ticket whose only target path is `info/DEVELOPMENT_PLAN.md` must be refused
/// by `apply_ticket_with_opencode`, with an error naming the trusted SKILL.md /
/// capability-pack doc targets restriction.
#[test]
#[serial]
fn apply_ticket_with_opencode_rejects_non_doc_family_target() {
    let workspace = tempdir().unwrap();
    let created_at = Utc.with_ymd_and_hms(2026, 3, 8, 1, 12, 50).unwrap();
    let source_event = MatrixEvent {
        event_id: String::from("$runtime-opencode-reject:example.com"),
        room_id: String::from("!room:example.com"),
        sender: String::from("@alice:example.com"),
        body: String::from("Reject non doc target"),
        timestamp: 1_741_382_800,
    };

    // The ticket points at a plan document under `info/`, not at a skill document.
    let mut ticket = TicketDocument::from_matrix_event(&source_event, created_at);
    ticket.front_matter.improvement_target_paths = vec![String::from("info/DEVELOPMENT_PLAN.md")];
    ticket.front_matter.r#type = String::from("improvement");
    let ticket_path = ticket.write_to(workspace.path()).unwrap();

    let repo_dir = workspace.path().join("platform-control");
    fs::create_dir_all(repo_dir.join("info")).unwrap();

    // The call has to fail, and the message has to name the target restriction.
    let rejection = apply_ticket_with_opencode(&ticket_path, &repo_dir).unwrap_err();
    let message = rejection.to_string();
    assert!(message.contains("only supports trusted SKILL.md / capability-pack doc targets"));
}
/// With `OPENCODE_BIN` removed from the environment, `apply_ticket_with_opencode` must still
/// succeed for a `skills/review-pr/SKILL.md` target and leave the managed-update header and
/// the `target_path` line in the written file.
#[test]
#[serial]
fn apply_ticket_with_opencode_uses_builtin_shim_when_no_binary_is_configured() {
    let workspace = tempdir().unwrap();
    let created_at = Utc.with_ymd_and_hms(2026, 3, 8, 1, 12, 52).unwrap();
    let source_event = MatrixEvent {
        event_id: String::from("$runtime-opencode-shim:example.com"),
        room_id: String::from("!room:example.com"),
        sender: String::from("@alice:example.com"),
        body: String::from("Use builtin shim"),
        timestamp: 1_741_382_800,
    };

    let mut ticket = TicketDocument::from_matrix_event(&source_event, created_at);
    {
        let front_matter = &mut ticket.front_matter;
        front_matter.r#type = String::from("improvement");
        front_matter.improvement_target_capability = Some(String::from("review-agent/runtime@v2"));
        front_matter.improvement_target_skill = Some(String::from("review-pr"));
        front_matter.improvement_change_kinds = vec![String::from("skill-update")];
        front_matter.improvement_target_paths = vec![String::from("skills/review-pr/SKILL.md")];
    }
    let ticket_path = ticket.write_to(workspace.path()).unwrap();

    let repo_dir = workspace.path().join("platform-control");
    let skill_dir = repo_dir.join("skills").join("review-pr");
    fs::create_dir_all(&skill_dir).unwrap();
    let expected_target = skill_dir.join("SKILL.md");

    // SAFETY: changing the process environment is only sound while no other thread reads or
    // writes it. NOTE(review): `#[serial]` is presumably what guarantees that here; confirm
    // every test that touches the environment carries it.
    unsafe {
        env::remove_var("OPENCODE_BIN");
    }

    let target_path = apply_ticket_with_opencode(&ticket_path, &repo_dir).unwrap();
    assert_eq!(target_path, expected_target);

    let written = fs::read_to_string(&target_path).unwrap();
    for expected_fragment in [
        "# Fleet Managed Update",
        "target_path: skills/review-pr/SKILL.md",
    ] {
        assert!(written.contains(expected_fragment));
    }
}
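/// Checks that the command named by `OPENCODE_BIN` runs without sensitive parent variables.
///
/// A fake `opencode` shell script dumps its environment to `$OPENCODE_LOG` and rewrites the
/// ticket's marker block in every path listed in `FLEET_TARGET_PATHS`. The test then asserts
/// that `FLEET_TARGET_PATHS` reached the child, while the `FORGEJO_ADMIN_PASSWORD`,
/// `CLAIM_PATH` and `LEASE_PATH` values set in the parent did not.
#[test]
#[serial]
fn apply_ticket_with_opencode_strips_sensitive_env_vars() {
    let tempdir = tempdir().unwrap();
    let event = MatrixEvent {
        event_id: "$runtime-opencode-env:example.com".to_string(),
        room_id: "!room:example.com".to_string(),
        sender: "@alice:example.com".to_string(),
        body: "Check opencode env allowlist".to_string(),
        timestamp: 1_741_382_800,
    };
    let now = Utc.with_ymd_and_hms(2026, 3, 8, 1, 12, 55).unwrap();
    let mut ticket = TicketDocument::from_matrix_event(&event, now);
    ticket.front_matter.r#type = "improvement".to_string();
    ticket.front_matter.improvement_target_capability = Some("review-agent/runtime@v2".to_string());
    ticket.front_matter.improvement_target_skill = Some("review-pr".to_string());
    ticket.front_matter.improvement_change_kinds = vec!["skill-update".to_string()];
    ticket.front_matter.improvement_target_paths = vec!["skills/review-pr/SKILL.md".to_string()];
    let ticket_path = ticket.write_to(tempdir.path()).unwrap();
    let repo_dir = tempdir.path().join("platform-control");
    fs::create_dir_all(repo_dir.join("skills").join("review-pr")).unwrap();

    // Stand-in for the real binary: records the environment it was given, then replaces the
    // text between the ticket's begin/end markers so the caller sees a completed edit.
    let opencode_path = tempdir.path().join("fake-opencode-env.sh");
    let opencode_log = tempdir.path().join("opencode-env.log");
    fs::write(
        &opencode_path,
        r#"#!/bin/sh
env | sort > "$OPENCODE_LOG"
printf '%s
' "$FLEET_TARGET_PATHS" | while IFS= read -r path; do
[ -z "$path" ] && continue
python3 - "$path" <<'PY'
import os
import sys
from pathlib import Path
path = Path(sys.argv[1])
ticket_id = os.environ["FLEET_TICKET_ID"]
start = f"<!-- fleet:{ticket_id}:begin -->"
end = f"<!-- fleet:{ticket_id}:end -->"
content = path.read_text()
replacement = f"{start}\nenv checked\n{end}"
before, rest = content.split(start, 1)
_, after = rest.split(end, 1)
path.write_text(before + replacement + after)
PY
done
"#,
    )
    .unwrap();
    let mut permissions = fs::metadata(&opencode_path).unwrap().permissions();
    permissions.set_mode(0o755);
    fs::set_permissions(&opencode_path, permissions).unwrap();

    // Convert the paths before touching the environment, so a failed conversion cannot
    // leave only some of the variables set.
    let opencode_bin = opencode_path.to_str().unwrap();
    let opencode_log_value = opencode_log.to_str().unwrap();

    // SAFETY: changing the process environment is only sound while no other thread reads or
    // writes it. NOTE(review): `#[serial]` is presumably what guarantees that here; confirm
    // every test that touches the environment carries it.
    unsafe {
        env::set_var("OPENCODE_BIN", opencode_bin);
        env::set_var("OPENCODE_LOG", opencode_log_value);
        env::set_var("FORGEJO_ADMIN_PASSWORD", "super-secret");
        env::set_var(
            "CLAIM_PATH",
            "/var/lib/fleet/project-management/claims/active/test.md",
        );
        env::set_var(
            "LEASE_PATH",
            "/var/lib/fleet/project-management/leases/active/test.md",
        );
    }

    // Hold the outcome instead of unwrapping it here. Unwrapping an `Err` before the cleanup
    // below would leave `OPENCODE_BIN` and the fake secret in the environment of every test
    // that runs afterwards in this process. A panic inside the call itself is still not
    // covered; that would need a drop guard.
    let outcome = apply_ticket_with_opencode(&ticket_path, &repo_dir);

    // SAFETY: same single-threaded-environment condition as the block that set these.
    unsafe {
        env::remove_var("OPENCODE_BIN");
        env::remove_var("OPENCODE_LOG");
        env::remove_var("FORGEJO_ADMIN_PASSWORD");
        env::remove_var("CLAIM_PATH");
        env::remove_var("LEASE_PATH");
    }

    let target_path = outcome.unwrap();
    assert_eq!(
        target_path,
        repo_dir.join("skills").join("review-pr").join("SKILL.md")
    );

    let logged_env = fs::read_to_string(opencode_log).unwrap();
    assert!(logged_env.contains("FLEET_TARGET_PATHS=skills/review-pr/SKILL.md"));
    // NOTE(review): the negative checks match exact `NAME=value` text only. They would not
    // notice the same value arriving under another name; confirm that this is the intended
    // strength for an allowlist test.
    assert!(!logged_env.contains("FORGEJO_ADMIN_PASSWORD=super-secret"));
    assert!(
        !logged_env.contains("CLAIM_PATH=/var/lib/fleet/project-management/claims/active/test.md")
    );
    assert!(
        !logged_env.contains("LEASE_PATH=/var/lib/fleet/project-management/leases/active/test.md")
    );
}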