Skip to content

fix(e2e): A10 uses disposable session; queue stays anon (prod green pt2)#177

Merged
mastermanas805 merged 1 commit into
mainfrom
fix/e2e-prod-green-2
Jun 5, 2026
Merged

fix(e2e): A10 uses disposable session; queue stays anon (prod green pt2)#177
mastermanas805 merged 1 commit into
mainfrom
fix/e2e-prod-green-2

Conversation

@mastermanas805

Copy link
Copy Markdown
Member

Fix-forward on #176. Run 26998139097 went from 5 red to 3 red; this closes the remaining 3.

Root causes

  1. A10 logout-revocation revoked the shared E2E_SESSION_JWT. Its premise ("A10 is the last authed leg, so revoking the minted bearer is safe") broke once fix(e2e): green prod LIVE suite — provision+reap as minted pro account #176 made live-claim-deploy (deploy leg) and live-provision-smoke provision/reap as the minted session. Those specs run after live-auth (serial, alphabetical), so the deploy POST /deploy/new got 401 revoked_session and smoke's /db/new fell through to the anon path (tier=anonymous, then 402/401-on-reap).
    • Fix: provisionAndClaim now returns the claim's real session_token; A10 revokes that throwaway team's session (reaping its resource before logout, since logout kills the bearer). E2E_SESSION_JWT is never revoked.
  2. Authed (pro) /queue/new hangs on prod (90s timeout). The isolated per-tenant NATS path blocks until the operator seeds NATS NKeys (CLAUDE.md P1 gap).
    • Fix: provisionIdentity(extra, forceAnon) pins the queue flow to the anonymous path (fast, auth_mode=legacy_open). The anon resource is TTL-reaped; the spec's reap is best-effort for no-bearer resources (asserts only 401/403, so an unexpected failure still reds).
  3. Smoke tier=anonymous+402 was a downstream symptom of (1).

Verification

npm run gate green (1115 passed, 3 skipped). The e2e-prod run is the live gate.

🤖 Generated with Claude Code

Run 26998139097 (the #176 fix) got most legs green but 3 still red:

1. A10 logout-revocation (live-auth.spec.ts) revoked the WORKFLOW-MINTED
   E2E_SESSION_JWT. That assumption ("A10 is the last authed leg") broke once
   #176 made live-claim-deploy (deploy leg) and live-provision-smoke also
   provision/reap AS that minted session — they run AFTER live-auth, so the
   deploy POST got 401 revoked_session and smoke's /db fell through to the anon
   path (tier=anonymous, then 402/401-on-reap). Fix: A10 now ALWAYS revokes a
   DISPOSABLE bearer it owns — provisionAndClaim now returns the claim's real
   session_token (onboarding.go:537), and A10 revokes THAT throwaway team's
   session, reaping its resource BEFORE the logout (the logout kills the only
   bearer that authorizes the DELETE). Never touches E2E_SESSION_JWT.

2. Authed (pro) /queue/new HANGS on prod (90s timeout) — the isolated
   per-tenant NATS path blocks until the operator seeds NATS NKeys (CLAUDE.md
   P1 gap). Fix: provisionIdentity(extra, forceAnon) pins the queue flow to the
   anonymous path (fast, returns auth_mode=legacy_open). The anon resource is
   TTL-reaped (no authed DELETE for anon resources); the anon-provision spec's
   reap is best-effort for no-bearer resources (asserts only 401/403 — the
   expected "no unauthed delete" outcome — so a different failure still reds).

3. Smoke tier=anonymous + 402 was a downstream symptom of (1); fixed by it.

npm run gate green (1115 passed, 3 skipped).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown

size-limit report 📦

Path Size
dist/assets/index-902QtfQT.js 161.98 KB (0%)
dist/assets/index-BsJUZYRr.css 6.13 KB (0%)

@mastermanas805
mastermanas805 merged commit 0a49b5e into main Jun 5, 2026
18 checks passed
mastermanas805 added a commit that referenced this pull request Jun 5, 2026
…178)

Run 26998759093 (the #177 fix) closed queue + A10; 2 legs still red:

1. Deploy-lifecycle inline reap got 409 deletion_already_pending — the test's
   own DELETE step starts the soft-delete/email flow, then the reap's second
   DELETE races it. And the final out-of-process reap:live got 503
   team_lookup_failed because the workflow reaps the minted ACCOUNT (cascading
   away its resources) BEFORE the ledger sweep runs. Both mean "already being
   torn down / gone with the account", not a leak. Fix: reapEntities now counts
   409 deletion_already_pending and 503 team_lookup_failed as alreadyGone.

2. live-provision-smoke /db/new hung 90s (test timeout) on the AUTHED (pro)
   path — authed /db/new provisions a DEDICATED database, slower than the
   timeout; the anon path uses the fast hot-pool. (Authed vector/cache/nosql in
   live-anon-provision still cover the minted-pro provision path.) Fix: smoke
   pins forceAnon (fast hot-pool, fingerprint bypass), with the same
   best-effort no-bearer reap (anon resources are TTL-reaped; assert only
   401/403 so an unexpected failure still reds).

npm run gate green (1115 passed, 3 skipped).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mastermanas805 added a commit that referenced this pull request Jun 5, 2026
…ut flake (#180)

nosql was the LAST dedicated-backing-DB service still on the slow authed
(minted-pro) provision path. The authed /nosql/new path provisions a DEDICATED
MongoDB per team — cold-provision > 90s on prod — which timed out the LIVE suite
at the per-test limit (flaky run 27000380873 failed on /nosql/new; an earlier
run failed on /vector/new). Prior PRs pinned db (#178) + queue (#177) + vector
(#179) to the fast anon hot-pool; this completes the set.

Systemic fix: EVERY service whose authed path provisions a dedicated backing DB
(db/vector/nosql) now uses forceAnon (anon hot-pool, TTL-reaped), so none can hit
the slow authed-dedicated-provision timeout. The fast, no-dedicated-DB services
(cache/storage/webhook) stay on the authed/minted-account + authed-reap path, and
the auth specs + claim flow + minted-account lifecycle keep exercising the
on-the-fly minted account — "test accounts on the fly" coverage is retained.

Adds a per-service path table (dedicated-DB? + fast-authed vs anon-hot-pool + why)
to live-anon-provision.spec.ts and syncs the cohort.ts/smoke-spec comments.

Secondary guard: bump playwright.live.config.ts per-test timeout 90s → 120s for
extra cold-hot-pool/network headroom (the forceAnon pinning is the primary fix).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant