Skip to content

UN-3636 [DEV] Cover six worker-free critical paths with integration tests#2164

Open
chandrasekharan-zipstack wants to merge 7 commits into
mainfrom
feat/un-3636-critical-path-integration-tests
Open

UN-3636 [DEV] Cover six worker-free critical paths with integration tests#2164
chandrasekharan-zipstack wants to merge 7 commits into
mainfrom
feat/un-3636-critical-path-integration-tests

Conversation

@chandrasekharan-zipstack

Copy link
Copy Markdown
Contributor

What

Adds marker-proven integration tests for six worker-free critical paths, one commit each. Follow-up to #2151 (merged), which shipped the multi-tier CI workflow but left these paths as uncovered gaps.

All six land in integration-backend (testcontainers, parallel fast leg, no image build, transactional cleanup) and are proof: marker.

Path What it proves
api-deployment-auth 10 rejection cases (403/401/404) land before execute_workflow — no execution row, no dispatch. Plus the accept path, so a guard that rejected everything wouldn't pass.
workflow-author Creating a workflow materialises both endpoints, they start unconfigured, and accept configuration.
api-deployment-provision The API key is minted once, persisted active, bound to the deployment, and listable.
prompt-studio-author A project is creatable with zero adapters configured (fresh-org case); prompts bind to it.
usage-aggregate-read Two orgs sharing a run_id — only the caller's rows are summed (billing + disclosure).
connector-register-test Real MinIO: good credentials validate, bad ones don't, registered credentials land encrypted.

Also in here

  • Drop the decorative entry field from the critical-path registry (render-only, already drifted from real routes) — removed from critical_paths.yaml, rig code, and rig tests.
  • Stop health-probing the runner in the e2e tier — container-based execution is being retired in favour of in-worker execution.
  • MinIO added to integration-backend's requires_services — connector credential validation must hit a real endpoint; mocking it would test nothing.

Notes

  • The four *-execute paths remain declared gaps (covered_by: [], warn-only), pending hermetic LLM mocking (rubberduck).
  • Two tests use a deferred view import: usage_v2.views and endpoint_v2.views resolve a queryset at class-body evaluation, which hits the DB at pytest collection time. Latent smell in the product code, flagged not fixed here.

Verification

  • tox -e unit green
  • tox -e integration -- --fail-on-critical-gap green (zero in-scope gaps)
  • tox -e rig -- validate → 16 groups, 15 critical paths

🤖 Generated with Claude Code

https://claude.ai/code/session_017UVfw7aAocC3KCJaEyZ5GU

chandrasekharan-zipstack and others added 6 commits July 10, 2026 21:28
The public deployment endpoint is guarded by a decorator rather than DRF
permission classes, so a regression silently opens it. Assert every rejection
lands before execute_workflow — no execution row, no dispatch — which makes the
path provable without workers.

Drop the decorative `entry` field from the critical-path registry; it was
render-only and had already drifted from the real routes.

Stop health-probing the runner in the e2e tier: container-based execution is
being retired in favour of in-worker execution.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017UVfw7aAocC3KCJaEyZ5GU
Creating a workflow implicitly materialises its source and destination
endpoints; nothing else in the product recreates them, so a workflow that loses
them is silently unconfigurable. Assert the endpoints appear, start
unconfigured, and accept configuration.

Authoring is synchronous, so this half of workflow-create-execute needs no
workers. The execute half stays a declared gap.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017UVfw7aAocC3KCJaEyZ5GU
…al path

Provisioning is the only place a deployment's API key is minted, and it is
returned exactly once — a regression is unrecoverable for the caller. Assert
the key is persisted, active, bound to the deployment, and listable.

Also assert the auth guard's accept path: without it, a guard that rejected
every request would satisfy the rejection cases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017UVfw7aAocC3KCJaEyZ5GU
Composing a prompt is synchronous; only running it needs an LLM. Assert a
project is creatable before any adapter exists — a fresh org has none — and
that prompts bind to their project.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017UVfw7aAocC3KCJaEyZ5GU
Workers write usage rows, but the aggregation billed against them is a
synchronous read. Under-counting loses revenue and cross-org leakage is a
disclosure bug; the scoping lives in a default manager, so a stray switch to
the base manager would break it silently. Seed two orgs sharing a run_id and
assert only the caller's rows are summed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017UVfw7aAocC3KCJaEyZ5GU
…l path

Credential validation is the only point where the platform proves it can reach
external storage before a workflow depends on it; a version that always answered
"valid" would only surface deep inside an execution. Test against the rig's
MinIO rather than a mock, and assert registered credentials land encrypted.

Adds MinIO to integration-backend's services for that reason.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017UVfw7aAocC3KCJaEyZ5GU
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4b85b7f5-6e1c-417a-ac0f-11e36a96de94

📥 Commits

Reviewing files that changed from the base of the PR and between 9d5074a and 4753c44.

📒 Files selected for processing (3)
  • backend/connector_v2/tests/test_connector_register.py
  • backend/usage_v2/tests/test_usage_aggregate.py
  • tests/groups.yaml
💤 Files with no reviewable changes (1)
  • tests/groups.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • backend/usage_v2/tests/test_usage_aggregate.py
  • backend/connector_v2/tests/test_connector_register.py

Summary by CodeRabbit

  • Tests
    • Expanded critical-path coverage for API deployment authentication (invalid headers/keys rejected; valid key reaches execution).
    • Added provisioning coverage for API deployments (endpoint creation, activation, API key minting).
    • Added connector registration coverage, including encrypted credential persistence checks.
    • Added prompt-studio, workflow authoring, and usage aggregation critical-path tests.
  • Chores
    • Updated critical-path registry and reporting output to omit the removed entry field.
    • Adjusted readiness probe targets and updated CLI gap scenario fixtures accordingly.
    • Enabled MinIO-backed integration tests.

Walkthrough

Adds critical-path integration tests for deployment, connector, Prompt Studio, workflow authoring, and usage aggregation. It also replaces critical-path entry mappings with marker-based coverage and removes the runner readiness dependency.

Changes

Critical path coverage

Layer / File(s) Summary
Critical-path registry and rig updates
tests/critical_paths.yaml, tests/rig/*
Removes entry from critical-path data, reporting, fixtures, and constructors; registers new marker-covered paths and removes the runner readiness target.
API deployment provisioning and authentication tests
backend/api_v2/tests/test_deployment_*.py
Tests deployment creation, API-key minting, endpoint generation, credential rejection, and dispatch with valid credentials.
Connector registration coverage
backend/connector_v2/tests/test_connector_register.py, tests/groups.yaml
Tests MinIO credential validation and encrypted connector persistence, and adds MinIO to the integration backend services.
Workflow and Prompt Studio authoring tests
backend/workflow_manager/.../test_workflow_author.py, backend/prompt_studio/.../test_prompt_studio_author.py
Tests workflow endpoint materialization/configuration and Prompt Studio project and prompt creation.
Organization-scoped usage aggregation test
backend/usage_v2/tests/test_usage_aggregate.py
Verifies token totals include only usage rows belonging to the authenticated user’s organization.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description omits most required template sections, including Why, How, breakage impact, migrations, env config, testing notes, and checklist. Add the missing template sections with concise details for Why, How, breakage impact, migrations, env config, related issues, testing, and checklist.
Docstring Coverage ⚠️ Warning Docstring coverage is 22.22% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding integration tests for six worker-free critical paths.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/un-3636-critical-path-integration-tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@greptile-apps

greptile-apps Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds integration coverage for worker-free critical paths and updates the test rig metadata.

  • Adds backend integration tests for deployment auth, deployment provisioning, workflow authoring, Prompt Studio authoring, usage aggregation, and connector registration.
  • Requires MinIO for the backend integration group so connector credentials hit a real service.
  • Removes the render-only entry field from critical path manifests and rig reporting.
  • Stops probing the runner in e2e health targets.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
backend/connector_v2/tests/test_connector_register.py Covers live MinIO credential validation and checks stored connector metadata through the raw database column.
tests/critical_paths.yaml Adds new marker-backed critical path declarations and removes the unused entry metadata.
tests/groups.yaml Adds MinIO to the backend integration service requirements.
tests/rig/critical_paths.py Updates the critical path dataclass and loader for the manifest shape.
tests/rig/reporting.py Updates critical path markdown output for the manifest shape.
tests/rig/runtime.py Removes the runner from e2e health probe targets.

Reviews (2): Last reviewed commit: "UN-3636 [DEV] address review: prove ciph..." | Re-trigger Greptile

Comment thread backend/connector_v2/tests/test_connector_register.py Outdated
Comment thread backend/connector_v2/tests/test_connector_register.py

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
backend/usage_v2/tests/test_usage_aggregate.py (1)

42-60: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add tearDown to clear UserContext thread-local state.

UserContext.set_organization_identifier is called in setUp but never cleaned up. Since UserContext is thread-local, the org identifier persists after tests in this class complete and can leak into other test classes that rely on Usage.objects (whose manager filters via UserContext), causing flaky cross-test contamination.

🧹 Suggested cleanup
     self.factory = APIRequestFactory()
 
+    def tearDown(self) -> None:
+        super().tearDown()
+        UserContext.set_organization_identifier(None)
+
     `@pytest.mark.critical_path`("usage-aggregate-read")

Verify that set_organization_identifier(None) (or an equivalent clear/reset method on UserContext) is the correct way to unset the thread-local value.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/usage_v2/tests/test_usage_aggregate.py` around lines 42 - 60, Add a
tearDown method to UsageAggregateReadTest that clears the thread-local
organization context after each test by calling
UserContext.set_organization_identifier(None), or the existing equivalent
reset/clear API if available. Ensure cleanup runs after every test, including
failures, to prevent state leakage into other tests.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/connector_v2/tests/test_connector_register.py`:
- Around line 27-30: Update the module-level pytestmark skipif guard to also
require MINIO_SECRET_ACCESS_KEY, matching the bracket-based access used by the
MinIO test setup. Keep the existing live-MinIO reason and ensure the test suite
skips cleanly whenever any required MinIO environment variable is absent.

---

Nitpick comments:
In `@backend/usage_v2/tests/test_usage_aggregate.py`:
- Around line 42-60: Add a tearDown method to UsageAggregateReadTest that clears
the thread-local organization context after each test by calling
UserContext.set_organization_identifier(None), or the existing equivalent
reset/clear API if available. Ensure cleanup runs after every test, including
failures, to prevent state leakage into other tests.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d9ff0d00-3b0e-405d-9006-e2b9fdfb0a94

📥 Commits

Reviewing files that changed from the base of the PR and between 09b6834 and 9d5074a.

📒 Files selected for processing (15)
  • backend/api_v2/tests/test_deployment_auth.py
  • backend/api_v2/tests/test_deployment_provision.py
  • backend/connector_v2/tests/__init__.py
  • backend/connector_v2/tests/test_connector_register.py
  • backend/prompt_studio/prompt_studio_core_v2/tests/test_prompt_studio_author.py
  • backend/usage_v2/tests/test_usage_aggregate.py
  • backend/workflow_manager/workflow_v2/tests/__init__.py
  • backend/workflow_manager/workflow_v2/tests/test_workflow_author.py
  • tests/critical_paths.yaml
  • tests/groups.yaml
  • tests/rig/critical_paths.py
  • tests/rig/reporting.py
  • tests/rig/runtime.py
  • tests/rig/tests/test_cli.py
  • tests/rig/tests/test_critical_paths.py
💤 Files with no reviewable changes (2)
  • tests/rig/tests/test_cli.py
  • tests/rig/critical_paths.py

Comment thread backend/connector_v2/tests/test_connector_register.py
… skip

- connector-register-test: assert the raw connector_metadata column is
  ciphertext (read past the decrypting field descriptor), so a regression to
  plaintext storage fails instead of passing on the decrypted round-trip.
- Require MINIO_SECRET_ACCESS_KEY in the skip guard — the setup accesses it
  unconditionally, so a partial env now skips cleanly instead of raising
  KeyError.
- usage-aggregate-read: clear the thread-local UserContext in tearDown so the
  org identifier can't leak into a later manager-filtered query.
- Drop an explanatory comment from groups.yaml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017UVfw7aAocC3KCJaEyZ5GU
@sonarqubecloud

Copy link
Copy Markdown

@github-actions

Copy link
Copy Markdown
Contributor

Unstract test results

Per-group results

Status Group Tier Passed Failed Errors Skipped Duration (s)
e2e-login e2e 2 0 0 0 1.4
e2e-smoke e2e 2 0 0 0 0.8
integration-backend integration 74 0 0 27 48.3
integration-connectors integration 1 0 0 7 8.1
unit-backend unit 118 0 0 0 22.7
unit-connectors unit 63 0 0 0 9.8
unit-core unit 27 0 0 0 1.3
unit-platform-service unit 15 0 0 0 2.6
unit-rig unit 69 0 0 0 3.5
unit-sdk1 unit 381 0 0 0 23.9
unit-workers unit 0 0 0 0 28.0
TOTAL 752 0 0 34 150.7

Critical paths

⚠️ Critical paths not yet covered

  • workflow-create-execute — Create a workflow, configure source+destination, execute, poll, fetch result. (declared coverage: e2e-workflow)
  • api-deployment-run — Deploy a workflow as an API, POST a document, receive structured JSON. (declared coverage: e2e-api-deployment)
  • prompt-studio-fetch-response — Prompt Studio: create project, add prompt, run single-pass, get response. (declared coverage: e2e-prompt-studio)
  • pipeline-etl-execute — Run an ETL pipeline from source connector to destination. (declared coverage: no groups declared)
  • usage-token-tracking — Per-execution token usage is recorded and retrievable. (declared coverage: no groups declared)
  • workflow-execution-fan-out — Multi-file workflow execution fans out to file-processing workers and rejoins. (declared coverage: no groups declared)
  • callback-result-delivery — Async results are posted back via the callback worker. (declared coverage: no groups declared)
✅ Covered critical paths
  • auth-login — covered by e2e-login
  • adapter-register-llm — covered by integration-backend
  • workflow-author — covered by integration-backend
  • api-deployment-provision — covered by integration-backend
  • api-deployment-auth — covered by integration-backend
  • prompt-studio-author — covered by integration-backend
  • connector-register-test — covered by integration-backend
  • usage-aggregate-read — covered by integration-backend

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant