lesavka/testing/tests/client_hevc_bundle_audit_contract.rs


//! Contracts for local HEVC client-bundle preflight and remote re-entry helpers.
//!
//! Scope: guard the passwordless scripts used while Theia is offline or just
//! recovering. Targets: `scripts/manual/run_local_hevc_bundle_audit.sh`,
//! `scripts/manual/run_hevc_remote_reentry_check.sh`, and
//! `scripts/manual/run_hevc_post_reboot_sequence.sh`. Why: these helpers should
//! make the HEVC migration repeatable without reintroducing sudo prompts,
//! split-stream probes, or undocumented artifact paths.
// Script sources under audit. `include_str!` embeds each file's text at compile
// time (paths are relative to this source file), so a missing or renamed script
// fails the build. The tests visible in this file only search this text; they
// are static contracts, not behavioural tests of the scripts.

/// Text of the local HEVC bundle audit shell script.
const LOCAL_AUDIT_SCRIPT: &str =
include_str!("../../scripts/manual/run_local_hevc_bundle_audit.sh");
/// Text of the Python validator for the local bundle audit output.
const LOCAL_AUDIT_VALIDATOR: &str =
include_str!("../../scripts/manual/validate_local_hevc_bundle_audit.py");
/// Text of the local HEVC encoder preflight shell script.
const LOCAL_ENCODER_PREFLIGHT_SCRIPT: &str =
include_str!("../../scripts/manual/run_local_hevc_encoder_preflight.sh");
/// Text of the remote re-entry check shell script.
const REMOTE_REENTRY_SCRIPT: &str =
include_str!("../../scripts/manual/run_hevc_remote_reentry_check.sh");
/// Text of the post-reboot sequence shell script.
const POST_REBOOT_SCRIPT: &str =
include_str!("../../scripts/manual/run_hevc_post_reboot_sequence.sh");
/// Static contract for the local HEVC bundle audit script.
///
/// Passes when the script text contains every required marker (output-dir and
/// JSON variables, the probe test names, the validator file name, the
/// "no remote host, sudo, tunnel, or RCT capture" statement) and none of the
/// banned fragments. Panics on the first violation.
///
/// NOTE(review): both checks are literal, case-sensitive substring matches.
/// The banned list names `sudo -n` and `sudo -S` only, so a plain `sudo <cmd>`
/// line, or `ssh` followed by something other than a space, would still pass.
/// Treat a green run as "no known-bad pattern present", not as proof that the
/// script is local and passwordless.
#[test]
fn local_hevc_bundle_audit_is_passwordless_and_artifact_backed() {
    let required_markers = [
        "LESAVKA_LOCAL_HEVC_BUNDLE_AUDIT_OUTPUT_DIR",
        "LESAVKA_LOCAL_HEVC_BUNDLE_AUDIT_JSON",
        "hevc_probe_bundle_audit_writes_manifest",
        "hevc_probe_bundle_train_covers_every_supported_mode",
        "hevc_probe_bundle_train_drops_stale_events_as_complete_av_units_under_jitter",
        "runtime_probe_hevc_video_and_audio_can_form_one_local_bundle",
        "validate_local_hevc_bundle_audit.py",
        "no remote host, sudo, tunnel, or RCT capture is used",
        "audit_json: ${LOCAL_AUDIT_JSON}",
    ];
    // Remote access, sudo with explicit prompt flags, silent reads and vault lookups.
    let banned_fragments = ["ssh ", "sudo -n", "sudo -S", "read -s", "VAULT", "vault"];

    for expected in required_markers {
        if !LOCAL_AUDIT_SCRIPT.contains(expected) {
            panic!("local HEVC audit script should contain marker {expected}");
        }
    }
    for forbidden in banned_fragments {
        if LOCAL_AUDIT_SCRIPT.contains(forbidden) {
            panic!("local HEVC audit must stay local/passwordless: {forbidden}");
        }
    }
}
/// Static contract for the Python validator of the local bundle audit.
///
/// Passes when the validator source contains the schema identifier, the
/// expected-count and timing constants, the Annex B start-code check name, the
/// event-code and skew fields and the pass message, and contains none of the
/// banned fragments. Panics on the first violation.
///
/// NOTE(review): this pins the constants as source text (for example
/// `MAX_AUDIO_VIDEO_SKEW_US = 120_000`); it does not show that the validator
/// enforces them. Here `sudo` is banned outright, which is stricter than the
/// shell-script contracts in this file. Matching is case-sensitive.
#[test]
fn local_hevc_bundle_validator_enforces_event_timing_and_identity() {
    let required_markers = [
        "lesavka.local-hevc-bundle-audit.v1",
        "EXPECTED_EVENTS = 16",
        "EXPECTED_AUDIO_PACKETS_PER_EVENT = 2",
        "EXPECTED_VIDEO_PERIOD_US = 1_000_000",
        "MAX_AUDIO_VIDEO_SKEW_US = 120_000",
        "has_annex_b_start_code",
        "event_code",
        "event codes: 1..",
        "audio_capture_pts_us",
        "max_audio_video_skew_us",
        "local HEVC bundle audit validation: pass",
    ];
    let banned_fragments = ["ssh ", "sudo", "VAULT", "vault"];

    for expected in required_markers {
        if !LOCAL_AUDIT_VALIDATOR.contains(expected) {
            panic!("local HEVC validator should contain marker {expected}");
        }
    }
    for forbidden in banned_fragments {
        if LOCAL_AUDIT_VALIDATOR.contains(forbidden) {
            panic!("local HEVC validator must stay local/passwordless: {forbidden}");
        }
    }
}
/// Static contract for the local HEVC encoder preflight script.
///
/// Passes when the script text contains its configuration variable names, the
/// four-entry mode matrix, the schema identifier, the GStreamer pipeline
/// fragments, the failure message and the "no remote host, sudo, tunnel, or
/// RCT capture" statement, and contains none of the banned fragments.
/// Panics on the first violation.
///
/// NOTE(review): literal, case-sensitive substring checks only. As in the
/// bundle-audit contract, only `sudo -n` and `sudo -S` are banned, so a plain
/// `sudo <cmd>` line would not be caught.
#[test]
fn local_hevc_encoder_preflight_is_passwordless_and_mode_matrix_backed() {
    let required_markers = [
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_OUTPUT_DIR",
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_JSON",
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_MODES",
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_SECONDS",
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_KBIT",
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_MIN_REALTIME_FACTOR",
        "LESAVKA_LOCAL_HEVC_ENCODER",
        "1280x720@20,1280x720@30,1920x1080@20,1920x1080@30",
        "lesavka.local-hevc-encoder-preflight.v1",
        "gst-launch-1.0",
        "h265parse config-interval=-1",
        "video/x-h265,stream-format=byte-stream,alignment=au",
        "local HEVC encoder preflight failed",
        "no remote host, sudo, tunnel, or RCT capture is used",
    ];
    let banned_fragments = ["ssh ", "sudo -n", "sudo -S", "read -s", "VAULT", "vault"];

    for expected in required_markers {
        if !LOCAL_ENCODER_PREFLIGHT_SCRIPT.contains(expected) {
            panic!("local HEVC encoder preflight should contain marker {expected}");
        }
    }
    for forbidden in banned_fragments {
        if LOCAL_ENCODER_PREFLIGHT_SCRIPT.contains(forbidden) {
            panic!("local HEVC encoder preflight must stay local/passwordless: {forbidden}");
        }
    }
}
/// Static contract for the remote HEVC re-entry helper script.
///
/// Passes when the script text contains its `LESAVKA_HEVC_REENTRY_*` variable
/// names, the three `sudo -n /usr/local/sbin/lesavka-dev-install` invocations
/// (status, deploy, reconfigure), the tar-over-SSH fallback message and file
/// listing command, `BatchMode=yes`, and the no-prompt and unreachable-host
/// messages, and contains none of the banned fragments. Panics on the first
/// violation.
///
/// NOTE(review): marker presence shows that `sudo -n` and `BatchMode=yes`
/// appear somewhere in the script, not that every sudo or ssh call uses them;
/// a plain `sudo <cmd>` line elsewhere would still pass. The opt-in defaults
/// of the SYNC/BUILD/DEPLOY/RECONFIGURE switches are not checked here, only
/// that the variable names occur. Matching is case-sensitive.
#[test]
fn remote_reentry_helper_is_noninteractive_and_explicitly_opt_in_for_mutations() {
    let required_markers = [
        "LESAVKA_HEVC_REENTRY_HOST",
        "LESAVKA_HEVC_REENTRY_REMOTE_REPO",
        "LESAVKA_HEVC_REENTRY_MODE",
        "LESAVKA_HEVC_REENTRY_CODEC",
        "LESAVKA_HEVC_REENTRY_SYNC",
        "LESAVKA_HEVC_REENTRY_BUILD",
        "LESAVKA_HEVC_REENTRY_DEPLOY",
        "LESAVKA_HEVC_REENTRY_RECONFIGURE",
        "LESAVKA_HEVC_REENTRY_WAIT_SECONDS",
        "LESAVKA_HEVC_REENTRY_WAIT_INTERVAL_SECONDS",
        "sudo -n /usr/local/sbin/lesavka-dev-install status",
        "sudo -n /usr/local/sbin/lesavka-dev-install deploy",
        "sudo -n /usr/local/sbin/lesavka-dev-install reconfigure",
        "falling back to git-file tar-over-SSH sync without remote delete",
        "git ls-files -z --cached --others --exclude-standard",
        "--exclude '*.profraw'",
        "BatchMode=yes",
        "this script will not prompt for passwords",
        "remote host did not become reachable within",
    ];
    // Password-on-stdin sudo, silent reads and vault lookups; ssh and `sudo -n` are expected here.
    let banned_fragments = ["sudo -S", "read -s", "VAULT", "vault"];

    for expected in required_markers {
        if !REMOTE_REENTRY_SCRIPT.contains(expected) {
            panic!("remote HEVC re-entry script should contain marker {expected}");
        }
    }
    for forbidden in banned_fragments {
        if REMOTE_REENTRY_SCRIPT.contains(forbidden) {
            panic!("remote HEVC re-entry script must not retrieve or prompt secrets: {forbidden}");
        }
    }
}
/// Static contract for the post-reboot HEVC sequence script.
///
/// Passes when the script text contains its `LESAVKA_HEVC_POST_REBOOT_*`
/// variable names, the file names of the four scripts it is expected to chain,
/// the `LESAVKA_SERVER_RC_*` settings (including
/// `LESAVKA_SERVER_RC_PROMPT_SUDO_EARLY=0`), both mode lists and the
/// non-interactive-sudo statement, and contains none of the banned fragments.
/// Panics on the first violation.
///
/// NOTE(review): the check confirms that the chained script names and the
/// `=0` settings occur as text; it does not show they are invoked or exported
/// in that form. A plain `sudo <cmd>` line would not be caught by the banned
/// list. Matching is case-sensitive.
#[test]
fn post_reboot_sequence_chains_local_preflights_reentry_and_hevc_matrix() {
    let required_markers = [
        "LESAVKA_HEVC_POST_REBOOT_OUTPUT_DIR",
        "LESAVKA_HEVC_POST_REBOOT_WAIT_SECONDS",
        "LESAVKA_HEVC_POST_REBOOT_RUN_LOCAL_PREFLIGHTS",
        "LESAVKA_HEVC_POST_REBOOT_RUN_REENTRY",
        "LESAVKA_HEVC_POST_REBOOT_RUN_STATIC_MATRIX",
        "LESAVKA_HEVC_POST_REBOOT_RUN_FINAL_SANITY",
        "run_local_hevc_bundle_audit.sh",
        "run_local_hevc_encoder_preflight.sh",
        "run_hevc_remote_reentry_check.sh",
        "run_server_to_rc_mode_matrix.sh",
        "LESAVKA_SERVER_RC_PROFILE=hevc",
        "LESAVKA_SERVER_RC_PROMPT_SUDO_EARLY=0",
        "LESAVKA_SERVER_RC_TUNE_DELAYS=0",
        "1280x720@30,1280x720@20",
        "1280x720@20,1280x720@30,1920x1080@20,1920x1080@30",
        "sudo is non-interactive only; no password prompt path is used",
    ];
    let banned_fragments = ["sudo -S", "read -s", "VAULT", "vault"];

    for expected in required_markers {
        if !POST_REBOOT_SCRIPT.contains(expected) {
            panic!("post-reboot HEVC sequence should contain marker {expected}");
        }
    }
    for forbidden in banned_fragments {
        if POST_REBOOT_SCRIPT.contains(forbidden) {
            panic!("post-reboot HEVC sequence must not retrieve or prompt secrets: {forbidden}");
        }
    }
}