-
Notifications
You must be signed in to change notification settings - Fork 0
771 lines (691 loc) · 38.2 KB
/
Copy pathci.yml
File metadata and controls
771 lines (691 loc) · 38.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
name: CI
on:
# PRs are the pre-merge gate (and the only safe path for fork PRs). push is
# scoped to main so trunk is validated post-merge without double-running on
# every PR-branch push. A branch with no open PR intentionally runs no CI.
push:
branches:
- main
pull_request:
workflow_dispatch:
jobs:
lint:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Set up Go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
with:
go-version-file: go.mod
- name: shellcheck version
run: shellcheck --version
- name: Lint
run: make lint
build-and-test:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Set up Go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
with:
go-version-file: go.mod
- name: Build
run: make build
- name: Test
run: make test
- name: Install Claude Code
run: npm install -g @anthropic-ai/claude-code
- name: Validate plugin
run: claude plugin validate .
- name: Test marketplace install (Dash0 custom, published)
run: |
git config --global url."https://github.com/".insteadOf "git@github.com:"
claude plugin marketplace add dash0hq/claude-marketplace --scope user
claude plugin install dash0-agent-plugin@dash0 --scope user
- name: Test marketplace install (workspace, PR code)
# Stage the workspace as a local marketplace and install from it. Unlike
# the published-marketplace step above, this exercises THIS PR's plugin
# files end-to-end through the marketplace install path — catching
# regressions in plugin.json, marketplace metadata, or the install flow
# before they ship to a real marketplace.
run: |
mkdir -p /tmp/local-mp/.claude-plugin
ln -s "$GITHUB_WORKSPACE" /tmp/local-mp/dash0-agent-plugin
cat > /tmp/local-mp/.claude-plugin/marketplace.json <<'JSON'
{
"name": "local",
"owner": { "name": "ci-local-test" },
"plugins": [
{ "name": "dash0-agent-plugin", "source": "./dash0-agent-plugin" }
]
}
JSON
claude plugin marketplace add /tmp/local-mp --scope user
claude plugin install dash0-agent-plugin@local --scope user
- name: Test marketplace install (official, published)
run: |
claude plugin marketplace add anthropics/claude-plugins-official --scope user
claude plugin install dash0@claude-plugins-official --scope user
# Contract tests mapping to the documented install/credential paths (README
# "Installation" + "Configuration"). They pin the behavior the docs depend on,
# so a Claude Code change or a wrong doc assumption fails CI, not a rollout:
# A — settings.json alone does NOT install (the Fleet "not enough" callout)
# B — `claude plugin install --config` (Fleet --config credential option)
# C — credential delivery: config file AND DASH0_*/CLAUDE_PLUGIN_OPTION_* env vars
# Marketplace installs (official / Dash0 / local PR code) are covered by the
# build-and-test job; the binary reading CLAUDE_PLUGIN_OPTION_* by Go unit tests.
install-config-contract:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Set up Go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
with:
go-version-file: go.mod
- name: Install Claude Code
run: npm install -g @anthropic-ai/claude-code
- name: Force HTTPS for marketplace clones (runner has no SSH key)
run: git config --global url."https://github.com/".insteadOf "git@github.com:"
- name: "Contract A — settings.json alone does NOT install the plugin"
env:
HOME: /tmp/home-neg
run: |
mkdir -p "$HOME/.claude"
git config --global url."https://github.com/".insteadOf "git@github.com:"
cat > "$HOME/.claude/settings.json" <<'JSON'
{
"extraKnownMarketplaces": {
"dash0": { "source": { "source": "github", "repo": "dash0hq/claude-marketplace" } }
},
"enabledPlugins": { "dash0-agent-plugin@dash0": true }
}
JSON
claude plugin list 2>&1 | tee /tmp/list-neg.txt || true
if [ -d "$HOME/.claude/plugins/cache" ] && ls "$HOME/.claude/plugins/cache" | grep -qi dash0; then
echo "::error::settings.json alone installed the plugin — fleet docs/assumptions must be revisited"
exit 1
fi
echo "PASS: settings.json (extraKnownMarketplaces + enabledPlugins) alone does NOT install; explicit install required"
- name: "Contract B — claude plugin install --config persists creds where the plugin reads them"
env:
HOME: /tmp/home-pos
run: |
mkdir -p "$HOME/.claude"
git config --global url."https://github.com/".insteadOf "git@github.com:"
# Use the published Dash0 marketplace. `--config` is a Claude Code
# behavior independent of the plugin's own code (PR-code install is
# already covered by the "workspace, PR code" step above), and a
# published marketplace installs into ~/.claude/plugins/cache — the
# cleanest signal to assert "installed" on. (A local/directory
# marketplace serves the plugin in place and never populates the cache.)
claude plugin marketplace add dash0hq/claude-marketplace --scope user
claude plugin install dash0-agent-plugin@dash0 --scope user \
--config OTLP_URL=https://probe.example.test \
--config AUTH_TOKEN=contract-token-xyz \
--config DATASET=contract-ds
echo "::group::resulting settings.json"; cat "$HOME/.claude/settings.json"; echo "::endgroup::"
echo "::group::resulting credentials.json"; cat "$HOME/.claude/.credentials.json" 2>/dev/null || echo "(none)"; echo "::endgroup::"
fail=0
# 1) Plugin actually installed to cache.
if ! ls "$HOME/.claude/plugins/cache" 2>/dev/null | grep -qi dash0; then
echo "::error::plugin was not installed to cache"; fail=1
fi
# 2) Non-sensitive --config values land in settings.json (pluginConfigs).
if ! grep -q "https://probe.example.test" "$HOME/.claude/settings.json"; then
echo "::error::OTLP_URL not persisted to settings.json"; fail=1
fi
if ! grep -q "contract-ds" "$HOME/.claude/settings.json"; then
echo "::error::DATASET not persisted to settings.json"; fail=1
fi
# 3) The sensitive token must NOT be in settings.json...
if grep -q "contract-token-xyz" "$HOME/.claude/settings.json"; then
echo "::error::AUTH_TOKEN leaked into settings.json (should be in keychain/credentials)"; fail=1
fi
# ...and MUST be in the secrets store (keychain -> .credentials.json fallback on Linux).
if ! grep -q "contract-token-xyz" "$HOME/.claude/.credentials.json" 2>/dev/null; then
echo "::error::AUTH_TOKEN not stored in the secrets store (.credentials.json pluginSecrets)"; fail=1
fi
if [ "$fail" -ne 0 ]; then exit 1; fi
echo "PASS: --config installs + persists non-sensitive->settings.json, AUTH_TOKEN->secrets store"
- name: "Contract C — credential delivery reaches a real OTLP request (config file + env vars)"
env:
CLAUDE_PLUGIN_DATA: /tmp/pdata
run: |
# Build the hook binary where on-event.sh expects it (skip release download),
# and stand up the mock OTLP server (records requests + auth header on :4319).
VERSION=$(grep '^VERSION=' scripts/on-event.sh | sed 's/VERSION="//;s/"//')
mkdir -p "$CLAUDE_PLUGIN_DATA/bin"
make build-binary PKG=./cmd/on-event OUT="$CLAUDE_PLUGIN_DATA/bin/on-event-${VERSION}-linux-amd64"
make build-binary PKG=./test/e2e/mock-otlp-server OUT=/tmp/mock-otlp
/tmp/mock-otlp &
sleep 1
# C1 — credentials from a user-level config file (~/.claude/dash0-agent-plugin.local.md).
# Run from a clean cwd so the repo's own .env / .claude can't interfere.
export HOME=/tmp/home-cfg
mkdir -p "$HOME/.claude"
cat > "$HOME/.claude/dash0-agent-plugin.local.md" <<'MD'
---
otlp_url: "http://localhost:4319"
auth_token: "cfg-file-token"
dataset: "cfg-file-ds"
---
MD
( cd "$(mktemp -d)" \
&& echo '{"hook_event_name":"SessionStart","session_id":"contract-c1","model":"opus"}' \
| bash "$GITHUB_WORKSPACE/scripts/on-event.sh" )
# C2 — credentials from env vars only (no config file present).
export HOME=/tmp/home-env
mkdir -p "$HOME/.claude"
( cd "$(mktemp -d)" \
&& echo '{"hook_event_name":"SessionStart","session_id":"contract-c2","model":"opus"}' \
| DASH0_OTLP_URL=http://localhost:4319 \
CLAUDE_PLUGIN_OPTION_AUTH_TOKEN=env-token \
DASH0_DATASET=env-ds \
bash "$GITHUB_WORKSPACE/scripts/on-event.sh" )
sleep 2
RESULT=$(curl -s http://localhost:4319/requests)
echo "::group::mock requests"; echo "$RESULT" | jq .; echo "::endgroup::"
fail=0
[ "$(echo "$RESULT" | jq '[.requests[]|select(.auth=="Bearer cfg-file-token")]|length')" -ge 1 ] \
|| { echo "::error::config-file token did not reach the OTLP request"; fail=1; }
[ "$(echo "$RESULT" | jq '[.requests[]|select(.auth=="Bearer env-token")]|length')" -ge 1 ] \
|| { echo "::error::env-var token did not reach the OTLP request"; fail=1; }
[ "$fail" -eq 0 ] || exit 1
echo "PASS: both config-file and env-var credentials flow through on-event.sh to real OTLP requests"
- name: "Contract D — Cursor credential delivery reaches a real OTLP request (config file + env vars)"
run: |
# Mirror of Contract C for the Cursor side. Contract C's mock-OTLP
# doesn't survive across step shells (GitHub Actions cleans up
# backgrounded processes on step exit), so we start a fresh one on
# the same port. Asserts that credentials supplied via config file
# or env vars both reach the wire via scripts/cursor-on-event.sh.
export DASH0_PLUGIN_DATA=/tmp/cursor-pdata
VERSION=$(grep '^VERSION=' scripts/cursor-on-event.sh | sed 's/VERSION="//;s/"//')
mkdir -p "$DASH0_PLUGIN_DATA/bin"
make build-binary PKG=./cmd/cursor-on-event OUT="$DASH0_PLUGIN_DATA/bin/cursor-on-event-${VERSION}-linux-amd64"
make build-binary PKG=./test/e2e/mock-otlp-server OUT=/tmp/mock-otlp-cursor
/tmp/mock-otlp-cursor &
sleep 1
# D1 — credentials from ~/.cursor/dash0-agent-plugin.local.md.
export HOME=/tmp/cursor-home-cfg
mkdir -p "$HOME/.cursor"
cat > "$HOME/.cursor/dash0-agent-plugin.local.md" <<'MD'
---
otlp_url: "http://localhost:4319"
auth_token: "cursor-cfg-token"
dataset: "cursor-cfg-ds"
---
MD
# Run from a clean cwd so the repo's own .cursor/ can't shadow the
# global config file (cursor-on-event.sh checks project first).
( cd "$(mktemp -d)" \
&& echo '{"hook_event_name":"sessionStart","session_id":"contract-d1","conversation_id":"contract-d1","model":"default"}' \
| bash "$GITHUB_WORKSPACE/scripts/cursor-on-event.sh" )
# D2 — credentials from env vars only, no config file present.
export HOME=/tmp/cursor-home-env
mkdir -p "$HOME/.cursor"
( cd "$(mktemp -d)" \
&& echo '{"hook_event_name":"sessionStart","session_id":"contract-d2","conversation_id":"contract-d2","model":"default"}' \
| DASH0_OTLP_URL=http://localhost:4319 \
CURSOR_PLUGIN_OPTION_AUTH_TOKEN=cursor-env-token \
DASH0_DATASET=cursor-env-ds \
bash "$GITHUB_WORKSPACE/scripts/cursor-on-event.sh" )
sleep 2
RESULT=$(curl -s http://localhost:4319/requests)
echo "::group::mock requests"; echo "$RESULT" | jq .; echo "::endgroup::"
fail=0
[ "$(echo "$RESULT" | jq '[.requests[]|select(.auth=="Bearer cursor-cfg-token")]|length')" -ge 1 ] \
|| { echo "::error::cursor config-file token did not reach the OTLP request"; fail=1; }
[ "$(echo "$RESULT" | jq '[.requests[]|select(.auth=="Bearer cursor-env-token")]|length')" -ge 1 ] \
|| { echo "::error::cursor env-var token did not reach the OTLP request"; fail=1; }
[ "$fail" -eq 0 ] || exit 1
echo "PASS: both config-file and env-var credentials flow through cursor-on-event.sh to real OTLP requests"
- name: "Contract E — install-cursor.sh lays out the plugin dir + merges into ~/.cursor/hooks.json (preserving user entries)"
run: |
# Cursor 3.9.x doesn't fire hooks from local-plugin manifests, so
# install-cursor.sh writes the plugin dir AND merges hook entries
# into ~/.cursor/hooks.json at the user scope (with commands pointing
# at $HOME/.cursor/plugins/local/...). This step verifies both
# sides and — importantly — that a preexisting non-Dash0 hook in
# ~/.cursor/hooks.json survives the merge.
DASH0_VERSION=$(curl -fsSL https://api.github.com/repos/dash0hq/dash0-agent-plugin/releases/latest \
| grep -m1 '"tag_name"' | cut -d'"' -f4 | sed 's/^v//')
[ -n "$DASH0_VERSION" ] || { echo "::warning::could not resolve latest release, skipping Contract E"; exit 0; }
echo "testing installer against v$DASH0_VERSION artifacts"
export HOME=/tmp/cursor-installer-home
export XDG_STATE_HOME=/tmp/cursor-installer-state
rm -rf "$HOME" "$XDG_STATE_HOME"
mkdir -p "$HOME/.cursor"
# Seed a foreign hook the installer must preserve.
cat > "$HOME/.cursor/hooks.json" <<'JSON'
{
"version": 1,
"hooks": {
"beforeSubmitPrompt": [{"command": "/tmp/user-owned-hook.sh"}]
}
}
JSON
DASH0_VERSION="$DASH0_VERSION" \
DASH0_OTLP_URL=http://localhost:4319 \
DASH0_AUTH_TOKEN=e2e-token \
bash "$GITHUB_WORKSPACE/install-cursor.sh" 2>&1 | tail -25
fail=0
# Plugin dir + shared paths as before.
EXPECTED_PATHS=(
"$HOME/.cursor/plugins/local/dash0-agent-plugin/.cursor-plugin/plugin.json"
"$HOME/.cursor/plugins/local/dash0-agent-plugin/cursor/plugin-hooks.json"
"$HOME/.cursor/plugins/local/dash0-agent-plugin/cursor/skills/dash0-configure/SKILL.md"
"$HOME/.cursor/plugins/local/dash0-agent-plugin/scripts/cursor-on-event.sh"
"$HOME/.cursor/dash0-agent-plugin.local.md"
"$HOME/.cursor/hooks.json"
)
for p in "${EXPECTED_PATHS[@]}"; do
if [ ! -f "$p" ]; then
echo "::error::installer did not create expected file: $p"; fail=1
fi
done
if [ ! -x "$HOME/.cursor/plugins/local/dash0-agent-plugin/scripts/cursor-on-event.sh" ]; then
echo "::error::bootstrap script is not executable"; fail=1
fi
echo "::group::resulting hooks.json"; cat "$HOME/.cursor/hooks.json"; echo "::endgroup::"
# Dash0 entries land under 9 event keys with $HOME-based command paths.
EXPECTED_CMD='$HOME/.cursor/plugins/local/dash0-agent-plugin/scripts/cursor-on-event.sh'
for ev in sessionStart sessionEnd beforeSubmitPrompt afterAgentResponse preToolUse postToolUse postToolUseFailure subagentStart subagentStop; do
got=$(jq -r --arg ev "$ev" '.hooks[$ev] // [] | map(select(.command | contains("cursor-on-event.sh"))) | .[0].command // ""' "$HOME/.cursor/hooks.json")
if [ "$got" != "$EXPECTED_CMD" ]; then
echo "::error::hooks.json missing or wrong command for $ev (got: $got)"; fail=1
fi
done
# User-owned foreign entry must still be present under beforeSubmitPrompt.
user_hook=$(jq -r '.hooks.beforeSubmitPrompt[] | select(.command == "/tmp/user-owned-hook.sh") | .command' "$HOME/.cursor/hooks.json")
if [ "$user_hook" != "/tmp/user-owned-hook.sh" ]; then
echo "::error::installer removed user-authored beforeSubmitPrompt hook /tmp/user-owned-hook.sh"; fail=1
fi
[ "$fail" -eq 0 ] || exit 1
echo "PASS: installer produced expected plugin dir + merged hooks with foreign entry preserved"
- name: "Contract F — uninstall-cursor.sh strips Dash0 entries, preserves non-Dash0 hooks"
run: |
# Assumes Contract E ran and left a mixed hooks.json in place.
export HOME=/tmp/cursor-installer-home
export XDG_STATE_HOME=/tmp/cursor-installer-state
[ -f "$HOME/.cursor/hooks.json" ] || { echo "::error::Contract E did not produce a hooks.json"; exit 1; }
bash "$GITHUB_WORKSPACE/uninstall-cursor.sh" --yes 2>&1 | tail -20
fail=0
# Plugin dir + config + state should be gone entirely.
for p in \
"$HOME/.cursor/plugins/local/dash0-agent-plugin" \
"$HOME/.cursor/dash0-agent-plugin.local.md" \
"$XDG_STATE_HOME/dash0-agent-plugin/cursor" ; do
if [ -e "$p" ]; then
echo "::error::uninstaller left behind: $p"; fail=1
fi
done
# hooks.json must still exist because a non-Dash0 entry was present.
if [ ! -f "$HOME/.cursor/hooks.json" ]; then
echo "::error::uninstaller deleted ~/.cursor/hooks.json but a user-owned entry was present"; fail=1
else
echo "::group::hooks.json after uninstall"; cat "$HOME/.cursor/hooks.json"; echo "::endgroup::"
# No cursor-on-event.sh entries should remain.
dash0_left=$(jq -r '.hooks | to_entries[] | .value[]? | .command // empty' "$HOME/.cursor/hooks.json" | grep -c "cursor-on-event.sh" || true)
if [ "$dash0_left" -ne 0 ]; then
echo "::error::uninstaller left $dash0_left Dash0 hook entry/entries in $HOME/.cursor/hooks.json"; fail=1
fi
# The user's foreign entry must survive.
user_hook=$(jq -r '.hooks.beforeSubmitPrompt[]? | select(.command == "/tmp/user-owned-hook.sh") | .command' "$HOME/.cursor/hooks.json")
if [ "$user_hook" != "/tmp/user-owned-hook.sh" ]; then
echo "::error::uninstaller removed user-authored beforeSubmitPrompt hook"; fail=1
fi
fi
[ "$fail" -eq 0 ] || exit 1
echo "PASS: uninstaller stripped Dash0 entries and preserved the user-authored hook"
- name: "Contract G — Codex credential delivery reaches a real OTLP request (config file + env vars)"
run: |
# Mirror of Contract D for the Codex side. Asserts that credentials
# supplied via config file or env vars both reach the wire through
# scripts/codex-on-event.sh. The bootstrap is version-pinned; build the
# binary at that exact path so no release download is needed.
export DASH0_PLUGIN_DATA=/tmp/codex-pdata
VERSION=$(grep '^VERSION=' scripts/codex-on-event.sh | sed 's/VERSION="//;s/"//')
mkdir -p "$DASH0_PLUGIN_DATA/bin"
make build-binary PKG=./cmd/codex-on-event OUT="$DASH0_PLUGIN_DATA/bin/codex-on-event-${VERSION}-linux-amd64"
make build-binary PKG=./test/e2e/mock-otlp-server OUT=/tmp/mock-otlp-codex
/tmp/mock-otlp-codex &
sleep 1
# G1 — credentials from ~/.codex/dash0-agent-plugin.local.md.
export HOME=/tmp/codex-home-cfg
mkdir -p "$HOME/.codex"
cat > "$HOME/.codex/dash0-agent-plugin.local.md" <<'MD'
---
otlp_url: "http://localhost:4319"
auth_token: "codex-cfg-token"
dataset: "codex-cfg-ds"
---
MD
# Clean cwd so the repo's own .codex/ can't shadow the global config
# (codex-on-event.sh checks the project file first).
( cd "$(mktemp -d)" \
&& echo '{"hook_event_name":"SessionStart","session_id":"contract-g1","model":"gpt-5.5","source":"startup"}' \
| bash "$GITHUB_WORKSPACE/scripts/codex-on-event.sh" )
# G2 — credentials from env vars only, no config file present.
export HOME=/tmp/codex-home-env
mkdir -p "$HOME/.codex"
( cd "$(mktemp -d)" \
&& echo '{"hook_event_name":"SessionStart","session_id":"contract-g2","model":"gpt-5.5","source":"startup"}' \
| DASH0_OTLP_URL=http://localhost:4319 \
CODEX_PLUGIN_OPTION_AUTH_TOKEN=codex-env-token \
DASH0_DATASET=codex-env-ds \
bash "$GITHUB_WORKSPACE/scripts/codex-on-event.sh" )
sleep 2
RESULT=$(curl -s http://localhost:4319/requests)
echo "::group::mock requests"; echo "$RESULT" | jq .; echo "::endgroup::"
fail=0
[ "$(echo "$RESULT" | jq '[.requests[]|select(.auth=="Bearer codex-cfg-token")]|length')" -ge 1 ] \
|| { echo "::error::codex config-file token did not reach the OTLP request"; fail=1; }
[ "$(echo "$RESULT" | jq '[.requests[]|select(.auth=="Bearer codex-env-token")]|length')" -ge 1 ] \
|| { echo "::error::codex env-var token did not reach the OTLP request"; fail=1; }
[ "$fail" -eq 0 ] || exit 1
echo "PASS: both config-file and env-var credentials flow through codex-on-event.sh to real OTLP requests"
- name: "Contract H — install-codex.sh merges hooks + pre-trust into config.toml, preserving user content"
run: |
# Codex has no release yet (M4), so pre-stage the version-pinned binary
# and bootstrap; install-codex.sh skips the download when they're
# present. This exercises the real merge: managed block appended,
# [hooks.state] trust entries written, and any user-authored hooks /
# settings preserved. DASH0_VERSION pins the path so no release lookup.
export HOME=/tmp/codex-installer-home
export XDG_STATE_HOME=/tmp/codex-installer-state
rm -rf "$HOME" "$XDG_STATE_HOME"
VERSION=$(grep '^VERSION=' scripts/codex-on-event.sh | sed 's/VERSION="//;s/"//')
STATE_BASE="$XDG_STATE_HOME/dash0-agent-plugin/codex"
mkdir -p "$STATE_BASE/bin" "$HOME/.codex"
make build-binary PKG=./cmd/codex-on-event OUT="$STATE_BASE/bin/codex-on-event-${VERSION}-linux-amd64"
cp scripts/codex-on-event.sh "$STATE_BASE/codex-on-event.sh"
make build-binary PKG=./test/e2e/mock-otlp-server OUT=/tmp/mock-otlp-codex-h
/tmp/mock-otlp-codex-h &
sleep 1
# Seed config.toml with an unrelated setting AND a user-authored hook the
# installer must preserve.
cat > "$HOME/.codex/config.toml" <<'TOML'
model = "gpt-5.5"
[[hooks.PreToolUse]]
matcher = "*"
[[hooks.PreToolUse.hooks]]
type = "command"
command = 'echo user-hook'
TOML
DASH0_VERSION="$VERSION" \
DASH0_OTLP_URL=http://localhost:4319 \
DASH0_AUTH_TOKEN=codex-install-token \
bash "$GITHUB_WORKSPACE/install-codex.sh" 2>&1 | tail -25
CONFIG_TOML="$HOME/.codex/config.toml"
echo "::group::resulting config.toml"; cat "$CONFIG_TOML"; echo "::endgroup::"
fail=0
[ -f "$HOME/.codex/dash0-agent-plugin.local.md" ] \
|| { echo "::error::installer did not write the config .local.md"; fail=1; }
grep -q ">>> dash0-agent-plugin (managed)" "$CONFIG_TOML" \
|| { echo "::error::managed block not appended to config.toml"; fail=1; }
trust_n=$(grep -c 'trusted_hash = "sha256:' "$CONFIG_TOML" || true)
[ "$trust_n" -eq 10 ] \
|| { echo "::error::expected 10 pre-trust entries, found $trust_n"; fail=1; }
# Structural assertions via a real TOML parser: valid TOML, user setting
# and user hook preserved, our hooks + 10 trust-state keys present.
python3 - "$CONFIG_TOML" <<'PY' || fail=1
import sys, tomllib
d = tomllib.load(open(sys.argv[1], "rb"))
assert d.get("model") == "gpt-5.5", "user setting lost"
pre = d["hooks"]["PreToolUse"]
cmds = [h["command"] for g in pre for h in g["hooks"]]
assert any(c == "echo user-hook" for c in cmds), "user hook lost"
assert any("codex-on-event.sh" in c for c in cmds), "dash0 PreToolUse hook missing"
assert len(d["hooks"]["state"]) == 10, f"expected 10 trust keys, got {len(d['hooks']['state'])}"
print("TOML OK: user content preserved, dash0 hooks + trust present")
PY
[ "$fail" -eq 0 ] || exit 1
echo "PASS: install-codex.sh merged hooks + pre-trust and preserved user config"
- name: "Contract I — uninstall-codex.sh strips the managed block, preserves user content"
run: |
# Assumes Contract H ran and left a merged config.toml in place.
export HOME=/tmp/codex-installer-home
export XDG_STATE_HOME=/tmp/codex-installer-state
CONFIG_TOML="$HOME/.codex/config.toml"
[ -f "$CONFIG_TOML" ] || { echo "::error::Contract H did not produce a config.toml"; exit 1; }
bash "$GITHUB_WORKSPACE/uninstall-codex.sh" --yes 2>&1 | tail -20
echo "::group::config.toml after uninstall"; cat "$CONFIG_TOML"; echo "::endgroup::"
fail=0
# config .local.md and state dir gone entirely.
for p in "$HOME/.codex/dash0-agent-plugin.local.md" "$XDG_STATE_HOME/dash0-agent-plugin/codex"; do
[ -e "$p" ] && { echo "::error::uninstaller left behind: $p"; fail=1; }
done
# config.toml still exists (user content), with NO managed block or trust.
grep -q ">>> dash0-agent-plugin (managed)" "$CONFIG_TOML" \
&& { echo "::error::managed block survived uninstall"; fail=1; }
grep -q 'codex-on-event.sh' "$CONFIG_TOML" \
&& { echo "::error::dash0 hook command survived uninstall"; fail=1; }
python3 - "$CONFIG_TOML" <<'PY' || fail=1
import sys, tomllib
d = tomllib.load(open(sys.argv[1], "rb"))
assert d.get("model") == "gpt-5.5", "user setting lost on uninstall"
cmds = [h["command"] for g in d["hooks"]["PreToolUse"] for h in g["hooks"]]
assert cmds == ["echo user-hook"], f"user hook not cleanly preserved: {cmds}"
assert "state" not in d.get("hooks", {}), "trust state survived uninstall"
print("TOML OK: user content intact, dash0 fully removed")
PY
[ "$fail" -eq 0 ] || exit 1
echo "PASS: uninstall-codex.sh stripped the managed block and preserved user config"
e2e:
runs-on: ubuntu-latest
if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Set up Go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
with:
go-version-file: go.mod
- name: Install Claude Code
run: npm install -g @anthropic-ai/claude-code
- name: Install Codex CLI
run: npm install -g @openai/codex
- name: Build plugin binary
run: make build-binary PKG=./cmd/on-event OUT=bin/on-event-linux-amd64
- name: Run E2E tests
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
# Enables the live Codex drift canary (TestE2EFullFlowWithCodex), which
# FAILS when this key is missing (same as the Claude e2e) — so add the
# secret before merging or the job goes red. Use a Platform service-account
# key (project codex-o11y, budget-capped); see SIG-172/SIG-174. Inherits
# this job's fork guard, so a fork PR never receives the secret.
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
run: |
if [ -z "$ANTHROPIC_API_KEY" ]; then
echo "::error::ANTHROPIC_API_KEY secret is not set — add it at Settings → Secrets → Actions"
exit 1
fi
make test-e2e
consistency-checks:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Version consistency (plugin.json == on-event.sh)
run: |
PLUGIN_VERSION=$(jq -r '.version' .claude-plugin/plugin.json)
SCRIPT_VERSION=$(grep '^VERSION=' scripts/on-event.sh | sed 's/VERSION="//' | sed 's/"//')
echo "plugin.json: $PLUGIN_VERSION"
echo "on-event.sh: $SCRIPT_VERSION"
if [ "$PLUGIN_VERSION" != "$SCRIPT_VERSION" ]; then
echo "::error::Version mismatch: plugin.json=$PLUGIN_VERSION, on-event.sh=$SCRIPT_VERSION"
exit 1
fi
- name: Version consistency (Cursor plugin.json == cursor-on-event.sh)
run: |
# Mirror of the Claude version check. Both files are bumped together
# by scripts/release.sh; this guards against a hand-edit drifting.
PLUGIN_VERSION=$(jq -r '.version' .cursor-plugin/plugin.json)
SCRIPT_VERSION=$(grep '^VERSION=' scripts/cursor-on-event.sh | sed 's/VERSION="//' | sed 's/"//')
echo ".cursor-plugin/plugin.json: $PLUGIN_VERSION"
echo "scripts/cursor-on-event.sh: $SCRIPT_VERSION"
if [ "$PLUGIN_VERSION" != "$SCRIPT_VERSION" ]; then
echo "::error::Version mismatch: .cursor-plugin/plugin.json=$PLUGIN_VERSION, cursor-on-event.sh=$SCRIPT_VERSION"
exit 1
fi
- name: Release assets exist for configured version
run: |
VERSION=$(grep '^VERSION=' scripts/on-event.sh | sed 's/VERSION="//' | sed 's/"//')
echo "Checking release assets for v$VERSION"
# Check if the release tag exists at all — if not, this is a
# version bump PR preparing for a future release. Warn but don't fail.
TAG_STATUS=$(curl -sI -o /dev/null -w "%{http_code}" -L "https://github.com/dash0hq/dash0-agent-plugin/releases/tag/v${VERSION}")
if [ "$TAG_STATUS" = "404" ]; then
echo "::warning::Release v$VERSION does not exist yet — this is expected for version bump PRs. Will be validated after release."
exit 0
fi
for BINARY in on-event-linux-amd64 on-event-linux-arm64 on-event-darwin-amd64 on-event-darwin-arm64; do
URL="https://github.com/dash0hq/dash0-agent-plugin/releases/download/v${VERSION}/${BINARY}"
STATUS=$(curl -sI -o /dev/null -w "%{http_code}" -L "$URL")
echo " $BINARY: $STATUS"
if [ "$STATUS" != "200" ]; then
echo "::error::Binary $BINARY not found at $URL (HTTP $STATUS)"
exit 1
fi
done
- name: userConfig covers all plugin options
run: |
# Extract option keys used in Go code via pluginOption/pluginOptionSecure/pluginOptionBool/pluginOptionBoolDefault
USED_KEYS=$(grep -ohE 'pluginOption(Secure|Bool|BoolDefault)?\("([^"]+)"' cmd/on-event/main.go | \
sed 's/pluginOption[^"]*"//' | sed 's/"$//' | sort -u)
# Extract keys declared in plugin.json userConfig
DECLARED_KEYS=$(jq -r '.userConfig // {} | keys[]' .claude-plugin/plugin.json | sort -u)
echo "Used in code: $USED_KEYS"
echo "Declared in plugin.json: $DECLARED_KEYS"
MISSING=""
for key in $USED_KEYS; do
# Skip DEBUG and DEBUG_FILE — dev-only, not user-facing
if [ "$key" = "DEBUG" ] || [ "$key" = "DEBUG_FILE" ]; then
continue
fi
if ! echo "$DECLARED_KEYS" | grep -qx "$key"; then
MISSING="$MISSING $key"
fi
done
if [ -n "$MISSING" ]; then
echo "::error::Options used in code but missing from plugin.json userConfig:$MISSING"
exit 1
fi
- name: Runtime component isolation
run: |
# Cursor auto-discovers commands/, skills/, and hooks/hooks.json at the
# repo root when not overridden in .cursor-plugin/plugin.json. Claude
# auto-discovers skills/ and commands/ at the root. Keep runtime assets
# under claude/ and cursor/ instead.
fail=0
for dir in commands skills; do
if [ -d "$dir" ]; then
echo "::error::root $dir/ must not exist — move runtime assets under claude/ or cursor/"
fail=1
fi
done
CURSOR_COMMANDS=$(jq -c '.commands // "unset"' .cursor-plugin/plugin.json)
CURSOR_SKILLS=$(jq -r '.skills // "unset"' .cursor-plugin/plugin.json)
CURSOR_HOOKS=$(jq -r '.hooks // "unset"' .cursor-plugin/plugin.json)
if [ "$CURSOR_COMMANDS" = "unset" ]; then
echo "::error::.cursor-plugin/plugin.json must set commands (use []) to block auto-discovery"
fail=1
fi
if [ "$CURSOR_SKILLS" != "./cursor/skills/" ]; then
echo "::error::.cursor-plugin/plugin.json skills must point at ./cursor/skills/ (got $CURSOR_SKILLS)"
fail=1
fi
if [ ! -d "cursor/skills" ]; then
echo "::error::.cursor-plugin/plugin.json skills references cursor/skills/ but the directory is missing"
fail=1
fi
# Cursor 3.9.x silently ignores `hooks` in local-plugin manifests, so we
# deliberately omit it. install-cursor.sh reads cursor/plugin-hooks.json
# directly instead. Assert the field is absent so it doesn't sneak back
# in and mislead future readers.
if [ "$CURSOR_HOOKS" != "unset" ]; then
echo "::error::.cursor-plugin/plugin.json must NOT set 'hooks' — Cursor ignores it for local plugins; installer reads cursor/plugin-hooks.json directly"
fail=1
fi
if [ ! -f "cursor/plugin-hooks.json" ]; then
echo "::error::cursor/plugin-hooks.json is missing (installer reads this file as the source of truth for hook events)"
fail=1
fi
if [ "$fail" -ne 0 ]; then exit 1; fi
echo "PASS: runtime-specific components are isolated under claude/ and cursor/"
- name: README documents every userConfig option
run: |
# Every userConfig option declared in plugin.json must appear as a
# table row in the README (the backtick-wrapped `KEY` form), so the
# Configuration/Privacy tables can't silently fall out of sync.
DECLARED_KEYS=$(jq -r '.userConfig // {} | keys[]' .claude-plugin/plugin.json | sort -u)
MISSING=""
for key in $DECLARED_KEYS; do
if ! grep -qF "| \`$key\`" .claude-plugin/README.md; then
MISSING="$MISSING $key"
fi
done
if [ -n "$MISSING" ]; then
echo "::error::userConfig options declared in plugin.json but not documented as README table rows:$MISSING"
exit 1
fi
echo "PASS: README documents all $(echo "$DECLARED_KEYS" | wc -w | tr -d ' ') userConfig options"
- name: Hook script is valid
run: |
# Check on-event.sh is executable and has valid shebang
if [ ! -x scripts/on-event.sh ]; then
echo "::error::scripts/on-event.sh is not executable"
exit 1
fi
HEAD=$(head -1 scripts/on-event.sh)
if [[ "$HEAD" != "#!/"* ]]; then
echo "::error::scripts/on-event.sh missing shebang"
exit 1
fi
# Check hooks.json references an existing script
HOOK_CMD=$(jq -r '.hooks.SessionStart[0].hooks[0].command' hooks/hooks.json)
EXPECTED='${CLAUDE_PLUGIN_ROOT}/scripts/on-event.sh'
if [ "$HOOK_CMD" != "$EXPECTED" ]; then
echo "::error::hooks.json command ($HOOK_CMD) does not match expected ($EXPECTED)"
exit 1
fi
- name: Cursor hook script is valid
run: |
# Mirror of the Claude hook-script check for the Cursor side. Verifies
# the bootstrap script is executable, has a shebang, and that every
# command referenced from cursor/plugin-hooks.json resolves to a file
# relative to the repo root — which is the plugin root Cursor will
# resolve against when the plugin is dropped into ~/.cursor/plugins/.
if [ ! -x scripts/cursor-on-event.sh ]; then
echo "::error::scripts/cursor-on-event.sh is not executable"
exit 1
fi
HEAD=$(head -1 scripts/cursor-on-event.sh)
if [[ "$HEAD" != "#!/"* ]]; then
echo "::error::scripts/cursor-on-event.sh missing shebang"
exit 1
fi
COMMANDS=$(jq -r '.hooks | to_entries[] | .value[] | .command' cursor/plugin-hooks.json | sort -u)
if [ -z "$COMMANDS" ]; then
echo "::error::cursor/plugin-hooks.json has no hook commands"
exit 1
fi
fail=0
for cmd in $COMMANDS; do
# Resolve relative to the plugin root (repo root here).
resolved="${cmd#./}"
if [ ! -f "$resolved" ]; then
echo "::error::cursor/plugin-hooks.json references missing command: $cmd (resolved to $resolved)"
fail=1
elif [ ! -x "$resolved" ]; then
echo "::error::cursor/plugin-hooks.json references non-executable command: $cmd"
fail=1
fi
done
if [ "$fail" -ne 0 ]; then exit 1; fi
echo "PASS: cursor/plugin-hooks.json commands all resolve to executable files"