//! Contracts for local HEVC client-bundle preflight and remote re-entry helpers.
//!
//! Scope: guard the passwordless scripts used while Theia is offline or just
//! recovering. Targets: `scripts/manual/run_local_hevc_bundle_audit.sh`,
//! `scripts/manual/run_hevc_remote_reentry_check.sh`, and
//! `scripts/manual/run_hevc_post_reboot_sequence.sh`. Why: these helpers should
//! make the HEVC migration repeatable without reintroducing sudo prompts,
//! split-stream probes, or undocumented artifact paths.
//!
//! How the checks work: every script is embedded at compile time with
//! `include_str!` and searched for exact, case-sensitive substrings. The
//! contract therefore covers the checked-in text of each script, not what the
//! script does when it runs and not whatever copy is installed on a host.
//!
//! Limits of the deny-lists: a substring tripwire only catches the spellings
//! it names. Equivalent forms such as `sudo --stdin`, `sudo -A`, extra
//! whitespace between `sudo` and its flag, or a mixed-case `Vault` are not
//! matched, so a green run is a regression guard and not evidence that no
//! credential path exists.

const LOCAL_AUDIT_SCRIPT: &str =
    include_str!("../../scripts/manual/run_local_hevc_bundle_audit.sh");
const LOCAL_AUDIT_VALIDATOR: &str =
    include_str!("../../scripts/manual/validate_local_hevc_bundle_audit.py");
const LOCAL_ENCODER_PREFLIGHT_SCRIPT: &str =
    include_str!("../../scripts/manual/run_local_hevc_encoder_preflight.sh");
const REMOTE_REENTRY_SCRIPT: &str =
    include_str!("../../scripts/manual/run_hevc_remote_reentry_check.sh");
const POST_REBOOT_SCRIPT: &str =
    include_str!("../../scripts/manual/run_hevc_post_reboot_sequence.sh");

/// Deny-list for the shell helpers that must stay on the local machine: no
/// remote shell (`ssh `), no privilege escalation even in non-interactive form
/// (`sudo -n`), no password on stdin (`sudo -S`), no silent prompt (`read -s`),
/// and no reference to a vault in either listed casing.
///
/// A bare `sudo` cannot be listed here because both local scripts are required
/// to carry the sentence "no remote host, sudo, tunnel, or RCT capture is used".
const LOCAL_SHELL_FORBIDDEN: [&str; 6] =
    ["ssh ", "sudo -n", "sudo -S", "read -s", "VAULT", "vault"];

/// Deny-list for the helpers that are allowed to reach the remote host. `ssh`
/// and `sudo -n` are legitimate there, so only the secret-handling spellings
/// are rejected: password on stdin, silent prompt, and vault references.
const REMOTE_SECRET_FORBIDDEN: [&str; 4] = ["sudo -S", "read -s", "VAULT", "vault"];

/// The local bundle audit must name its output artifacts and the probes it
/// runs, and must not contain any remote-access or credential-handling token.
#[test]
fn local_hevc_bundle_audit_is_passwordless_and_artifact_backed() {
    let required = [
        "LESAVKA_LOCAL_HEVC_BUNDLE_AUDIT_OUTPUT_DIR",
        "LESAVKA_LOCAL_HEVC_BUNDLE_AUDIT_JSON",
        "hevc_probe_bundle_audit_writes_manifest",
        "hevc_probe_bundle_train_covers_every_supported_mode",
        "hevc_probe_bundle_train_drops_stale_events_as_complete_av_units_under_jitter",
        "runtime_probe_hevc_video_and_audio_can_form_one_local_bundle",
        "validate_local_hevc_bundle_audit.py",
        "no remote host, sudo, tunnel, or RCT capture is used",
        "audit_json: ${LOCAL_AUDIT_JSON}",
    ];

    for expected in required {
        assert!(
            LOCAL_AUDIT_SCRIPT.contains(expected),
            "local HEVC audit script should contain marker {expected}"
        );
    }

    for forbidden in LOCAL_SHELL_FORBIDDEN {
        assert!(
            !LOCAL_AUDIT_SCRIPT.contains(forbidden),
            "local HEVC audit must stay local/passwordless: {forbidden}"
        );
    }
}

/// The Python validator must pin the schema id, the expected event counts and
/// timing thresholds, and the identity fields it checks.
#[test]
fn local_hevc_bundle_validator_enforces_event_timing_and_identity() {
    let required = [
        "lesavka.local-hevc-bundle-audit.v1",
        "EXPECTED_EVENTS = 16",
        "EXPECTED_AUDIO_PACKETS_PER_EVENT = 2",
        "EXPECTED_VIDEO_PERIOD_US = 1_000_000",
        "MAX_AUDIO_VIDEO_SKEW_US = 120_000",
        "has_annex_b_start_code",
        "event_code",
        "event codes: 1..",
        "audio_capture_pts_us",
        "max_audio_video_skew_us",
        "local HEVC bundle audit validation: pass",
    ];
    // Stricter than the shell deny-list: any mention of `sudo` is rejected,
    // since the validator has no required sentence that contains the word.
    let banned = ["ssh ", "sudo", "VAULT", "vault"];

    for expected in required {
        assert!(
            LOCAL_AUDIT_VALIDATOR.contains(expected),
            "local HEVC validator should contain marker {expected}"
        );
    }

    for forbidden in banned {
        assert!(
            !LOCAL_AUDIT_VALIDATOR.contains(forbidden),
            "local HEVC validator must stay local/passwordless: {forbidden}"
        );
    }
}

/// The encoder preflight must expose its tuning knobs, cover the full mode
/// matrix, and stay free of remote-access or credential-handling tokens.
#[test]
fn local_hevc_encoder_preflight_is_passwordless_and_mode_matrix_backed() {
    let required = [
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_OUTPUT_DIR",
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_JSON",
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_MODES",
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_SECONDS",
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_KBIT",
        "LESAVKA_LOCAL_HEVC_ENCODER_PREFLIGHT_MIN_REALTIME_FACTOR",
        "LESAVKA_LOCAL_HEVC_ENCODER",
        "1280x720@20,1280x720@30,1920x1080@20,1920x1080@30",
        "lesavka.local-hevc-encoder-preflight.v1",
        "gst-launch-1.0",
        "h265parse config-interval=-1",
        "video/x-h265,stream-format=byte-stream,alignment=au",
        "local HEVC encoder preflight failed",
        "no remote host, sudo, tunnel, or RCT capture is used",
    ];

    for expected in required {
        assert!(
            LOCAL_ENCODER_PREFLIGHT_SCRIPT.contains(expected),
            "local HEVC encoder preflight should contain marker {expected}"
        );
    }

    for forbidden in LOCAL_SHELL_FORBIDDEN {
        assert!(
            !LOCAL_ENCODER_PREFLIGHT_SCRIPT.contains(forbidden),
            "local HEVC encoder preflight must stay local/passwordless: {forbidden}"
        );
    }
}

/// The remote re-entry helper may use `ssh` and `sudo -n`, but must never read
/// or prompt for a secret.
///
/// NOTE(review): the marker list only proves that the opt-in knob names
/// (`..._SYNC`, `..._BUILD`, `..._DEPLOY`, `..._RECONFIGURE`) and strings such
/// as `BatchMode=yes` appear somewhere in the script. It does not assert the
/// knobs' default values or that every `ssh` invocation carries the option;
/// confirm those against the script itself.
#[test]
fn remote_reentry_helper_is_noninteractive_and_explicitly_opt_in_for_mutations() {
    let required = [
        "LESAVKA_HEVC_REENTRY_HOST",
        "LESAVKA_HEVC_REENTRY_REMOTE_REPO",
        "LESAVKA_HEVC_REENTRY_MODE",
        "LESAVKA_HEVC_REENTRY_CODEC",
        "LESAVKA_HEVC_REENTRY_SYNC",
        "LESAVKA_HEVC_REENTRY_BUILD",
        "LESAVKA_HEVC_REENTRY_DEPLOY",
        "LESAVKA_HEVC_REENTRY_RECONFIGURE",
        "LESAVKA_HEVC_REENTRY_WAIT_SECONDS",
        "LESAVKA_HEVC_REENTRY_WAIT_INTERVAL_SECONDS",
        // Privileged steps are pinned to one absolute installer path and use
        // `sudo -n`, which fails instead of prompting when a password is needed.
        "sudo -n /usr/local/sbin/lesavka-dev-install status",
        "sudo -n /usr/local/sbin/lesavka-dev-install deploy",
        "sudo -n /usr/local/sbin/lesavka-dev-install reconfigure",
        "falling back to git-file tar-over-SSH sync without remote delete",
        "git ls-files -z --cached --others --exclude-standard",
        "--exclude '*.profraw'",
        "BatchMode=yes",
        "this script will not prompt for passwords",
        "remote host did not become reachable within",
    ];

    for expected in required {
        assert!(
            REMOTE_REENTRY_SCRIPT.contains(expected),
            "remote HEVC re-entry script should contain marker {expected}"
        );
    }

    for forbidden in REMOTE_SECRET_FORBIDDEN {
        assert!(
            !REMOTE_REENTRY_SCRIPT.contains(forbidden),
            "remote HEVC re-entry script must not retrieve or prompt secrets: {forbidden}"
        );
    }
}

/// The post-reboot sequence must chain the local preflights, the re-entry
/// check and the server-to-RC mode matrix, with early sudo prompting disabled.
#[test]
fn post_reboot_sequence_chains_local_preflights_reentry_and_hevc_matrix() {
    let required = [
        "LESAVKA_HEVC_POST_REBOOT_OUTPUT_DIR",
        "LESAVKA_HEVC_POST_REBOOT_WAIT_SECONDS",
        "LESAVKA_HEVC_POST_REBOOT_RUN_LOCAL_PREFLIGHTS",
        "LESAVKA_HEVC_POST_REBOOT_RUN_REENTRY",
        "LESAVKA_HEVC_POST_REBOOT_RUN_STATIC_MATRIX",
        "LESAVKA_HEVC_POST_REBOOT_RUN_FINAL_SANITY",
        "run_local_hevc_bundle_audit.sh",
        "run_local_hevc_encoder_preflight.sh",
        "run_hevc_remote_reentry_check.sh",
        "run_server_to_rc_mode_matrix.sh",
        "LESAVKA_SERVER_RC_PROFILE=hevc",
        "LESAVKA_SERVER_RC_PROMPT_SUDO_EARLY=0",
        "LESAVKA_SERVER_RC_TUNE_DELAYS=0",
        "1280x720@30,1280x720@20",
        "1280x720@20,1280x720@30,1920x1080@20,1920x1080@30",
        "sudo is non-interactive only; no password prompt path is used",
    ];

    for expected in required {
        assert!(
            POST_REBOOT_SCRIPT.contains(expected),
            "post-reboot HEVC sequence should contain marker {expected}"
        );
    }

    for forbidden in REMOTE_SECRET_FORBIDDEN {
        assert!(
            !POST_REBOOT_SCRIPT.contains(forbidden),
            "post-reboot HEVC sequence must not retrieve or prompt secrets: {forbidden}"
        );
    }
}