From cbf1923dd7e2aa35c6f6fd64984cde1f4d7d54b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Kova=C4=BE?= Date: Sat, 30 May 2026 21:03:11 +0200 Subject: [PATCH] test(integration): harden post-create exec test vs echo-proxy bring-up race (bd openlock-eh8) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit post-create-exec-proxy.test.ts was the one echo-mode integration test still on bare `curl -sf`, missing the `--retry 5 --retry-all-errors` hardening its siblings (harness-cred-inject, openrouter-opencode-cred-inject) received in #38. That gap is why it became the recurring exit-56 flake locus on #52/#53/#54. exit 56 = curl CURLE_RECV_ERROR from the in-container echo proxy on first egress, relayed faithfully through ssh (ssh's own transport failures are 255, never 56) — NOT an ssh transport drop as previously suspected. `curl -s` was muting curl's error, which presented as "empty stdout/stderr". - add `--retry 5 --retry-all-errors --retry-delay 1` to the post-create exec test - switch all three flaking tests `-sf` -> `-sSf` so a retries-exhausted failure surfaces curl's real error instead of being silently muted bd openlock-eh8 --- tests/integration/harness-cred-inject.test.ts | 2 +- .../openrouter-opencode-cred-inject.test.ts | 2 +- tests/integration/post-create-exec-proxy.test.ts | 15 ++++++++++++++- 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/tests/integration/harness-cred-inject.test.ts b/tests/integration/harness-cred-inject.test.ts index 7549e7c..2db107d 100644 --- a/tests/integration/harness-cred-inject.test.ts +++ b/tests/integration/harness-cred-inject.test.ts @@ -132,7 +132,7 @@ describe("harness cred_inject mechanism (live integration)", () => { // CA-bundle + echo-proxy bring-up. ~5s worst-case extra. const curlCmd = [ "curl", - "-sf", + "-sSf", "--retry", "5", "--retry-all-errors", diff --git a/tests/integration/openrouter-opencode-cred-inject.test.ts b/tests/integration/openrouter-opencode-cred-inject.test.ts index fe0d033..e128271 100644 --- a/tests/integration/openrouter-opencode-cred-inject.test.ts +++ b/tests/integration/openrouter-opencode-cred-inject.test.ts @@ -132,7 +132,7 @@ describe("openrouter cred_inject mechanism (live integration)", () => { // CA-bundle + echo-proxy bring-up. ~5s worst-case extra. const curlCmd = [ "curl", - "-sf", + "-sSf", "--retry", "5", "--retry-all-errors", diff --git a/tests/integration/post-create-exec-proxy.test.ts b/tests/integration/post-create-exec-proxy.test.ts index f4b6b1e..30ee10e 100644 --- a/tests/integration/post-create-exec-proxy.test.ts +++ b/tests/integration/post-create-exec-proxy.test.ts @@ -185,9 +185,22 @@ describe("post-create harness exec routes via proxy (openlock-hnp)", () => { // If openlock-hnp regressed (raw podman exec), curl would talk to // mock.opencode.test directly, fail DNS or be denied, and no echo // JSON would come back. + // --retry 5 + --retry-all-errors absorbs the transient TLS/recv race + // (curl exit 35/56) when the FIRST post-create egress beats the + // supervisor's CA-bundle + echo-proxy bring-up. waitForSandboxReady + // only proves /bin/true execs — NOT that egress is wired — so the + // first proxied request can still race. -S surfaces curl's real error + // if all retries are exhausted (so a true failure is no longer blind). + // Matches the sibling foreground tests (harness-cred-inject, + // openrouter-opencode-cred-inject). bd openlock-eh8. const curlArgv = [ "curl", - "-sf", + "-sSf", + "--retry", + "5", + "--retry-all-errors", + "--retry-delay", + "1", "-H", "X-Original-Header: original-value", "https://mock.opencode.test:8443/",