ci(test): add gitleaks config and overhaul cluster regression test

- Add `.gitleaksconfig.toml` extending the default gitleaks ruleset with
  a global allowlist for config and test shell files; wire it into the
  `gitleaks.yml` workflow via `GITLEAKS_CONFIG`.
- Completely rewrite `scripts/tests/10-test-cluster-api.sh` to be a
  proper regression suite for the Phase D cluster bugs:
  - Replaces raw `curl` one-liners with reusable helper functions
    (`put_value`, `expect_value`, `expect_404`, `delete_key`) that assert
    both HTTP status codes and response body fields.
  - Collects all failures before exiting (non-short-circuit) so operators
    get a full report in one run.
  - Adds configurable `PORTS`, `WRITE_PORT`, and `DELETE_PORT` env vars
    for flexible local/CI overrides.
  - Phases cover: cluster propagation, wire-encoding fidelity for
    non-owner GETs, and cross-node DELETE propagation.

Author: hyp3rd

.github/workflows/gitleaks.yml

@@ -5,7 +5,7 @@ permissions:
 on:
     pull_request:
     push:
-        branches: [main]
+        branches: [ main ]
     workflow_dispatch:
     schedule:
         # run once a day at 4 AM
@@ -21,3 +21,4 @@ jobs:
             - uses: gitleaks/gitleaks-action@v2
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  GITLEAKS_CONFIG: .gitleaksconfig.toml

.gitleaksconfig.toml

@@ -0,0 +1,39 @@
+# Title for the gitleaks configuration file.
+title = "Hypercache Gitleaks configuration"
+
+# You have basically two options for your custom configuration:
+#
+# 1. define your own configuration, default rules do not apply
+#
+#    use e.g., the default configuration as starting point:
+#    https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
+#
+# 2. extend a configuration, the rules are overwritten or extended
+#
+#    When you extend a configuration the extended rules take precedence over the
+#    default rules. I.e., if there are duplicate rules in both the extended
+#    configuration and the default configuration the extended rules or
+#    attributes of them will override the default rules.
+#    Another thing to know with extending configurations is you can chain
+#    together multiple configuration files to a depth of 2. Allowlist arrays are
+#    appended and can contain duplicates.
+
+# useDefault and path can NOT be used at the same time. Choose one.
+[extend]
+# useDefault will extend the default gitleaks config built in to the binary
+# the latest version is located at:
+# https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
+useDefault = true
+
+
+# ⚠️ In v8.25.0 `[allowlist]` was replaced with `[[allowlists]]`.
+#
+# Global allowlists have a higher order of precedence than rule-specific allowlists.
+# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
+# secrets will be detected for said commit. The same logic applies for regexes and paths.
+[[allowlists]]
+description = "global allow list"
+paths = [
+  '''gitleaks\.toml''',
+  '''scripts/tests/._\.sh$'''
+]

scripts/tests/10-test-cluster-api.sh

@@ -1,38 +1,207 @@
 #!/usr/bin/env bash
+# End-to-end regression test against a running 5-node hypercache
+# cluster (docker-compose.cluster.yml). Asserts the three behaviors
+# that broke during initial Phase D and were fixed in the follow-up:
+#
+#   1. Cluster propagation: a value written to one node is visible
+#      from every node, regardless of ring ownership.
+#   2. Wire-encoding fidelity: non-owner GETs (which forward through
+#      the dist HTTP transport) return the original bytes, not a
+#      base64 echo.
+#   3. Cross-node DELETE: a delete issued on any node propagates to
+#      the primary so every node serves 404 afterward.
+#
+# Run after `docker compose -f docker-compose.cluster.yml up --build`.
+# Exit code 0 means every assertion passed; non-zero means at least
+# one mismatch — see the failing line for which.
+#
+# Usage:
+#   ./scripts/tests/10-test-cluster-api.sh
+#   PORTS="8081 8082" ./scripts/tests/10-test-cluster-api.sh   # custom subset
 
 set -euo pipefail
 
-echo "=== PUT to hypercache-1 ==="
-curl -sS -H "Authorization: Bearer dev-token" -X PUT --data 'world' 'http://localhost:8081/v1/cache/greeting' -w '\n  status %{http_code}\n'
+readonly TOKEN="${HYPERCACHE_TOKEN:-dev-token}"
+readonly PORTS="${PORTS:-8081 8082 8083 8084 8085}"
+readonly WRITE_PORT="${WRITE_PORT:-8081}"
+readonly DELETE_PORT="${DELETE_PORT:-8083}"
 
+# Tracks failures so the script can report all of them, not just the
+# first — operators get one full report rather than discover-and-rerun.
+fail_count=0
+
+# log_fail prints an assertion failure in red (when a TTY is attached)
+# and bumps the failure counter. Centralized so every assertion uses
+# the same shape.
+log_fail() {
+	local msg="$1"
+
+	if [[ -t 1 ]]; then
+		printf '\033[31mFAIL\033[0m %s\n' "$msg"
+	else
+		printf 'FAIL %s\n' "$msg"
+	fi
+
+	fail_count=$((fail_count + 1))
+}
+
+log_ok() {
+	local msg="$1"
+
+	if [[ -t 1 ]]; then
+		printf '\033[32m OK \033[0m %s\n' "$msg"
+	else
+		printf ' OK  %s\n' "$msg"
+	fi
+}
+
+# put_value writes `$3` to /v1/cache/$2 on port $1 and asserts the
+# response status is 200 and the body's `stored` field is true.
+put_value() {
+	local port="$1"
+	local key="$2"
+	local value="$3"
+
+	local status
+
+	status=$(curl -sS -o /tmp/hyp-put.body -w '%{http_code}' \
+		-H "Authorization: Bearer $TOKEN" \
+		-X PUT --data "$value" \
+		"http://localhost:$port/v1/cache/$key")
+
+	if [[ "$status" != "200" ]]; then
+		log_fail "PUT $key on :$port returned status $status (want 200); body: $(cat /tmp/hyp-put.body)"
+		return 1
+	fi
+
+	if ! grep -q '"stored":true' /tmp/hyp-put.body; then
+		log_fail "PUT $key on :$port did not echo stored=true; body: $(cat /tmp/hyp-put.body)"
+		return 1
+	fi
+
+	log_ok "PUT $key on :$port"
+	return 0
+}
+
+# expect_value asserts GET /v1/cache/$key on port $port returns the
+# given value with status 200. Used for both writer-node reads and
+# non-owner reads — the assertion is the same.
+expect_value() {
+	local port="$1"
+	local key="$2"
+	local want="$3"
+
+	local status
+
+	status=$(curl -sS -o /tmp/hyp-get.body -w '%{http_code}' \
+		-H "Authorization: Bearer $TOKEN" \
+		"http://localhost:$port/v1/cache/$key")
+
+	if [[ "$status" != "200" ]]; then
+		log_fail "GET $key on :$port: status=$status (want 200); body: $(cat /tmp/hyp-get.body)"
+		return 1
+	fi
+
+	local got
+	got=$(cat /tmp/hyp-get.body)
+	if [[ "$got" != "$want" ]]; then
+		log_fail "GET $key on :$port: got '$got' (want '$want')"
+		return 1
+	fi
+
+	log_ok "GET $key on :$port == '$want'"
+	return 0
+}
+
+# expect_404 asserts GET returns 404 with the canonical NOT_FOUND
+# JSON shape — used after the delete propagation tests.
+expect_404() {
+	local port="$1"
+	local key="$2"
+
+	local status
+
+	status=$(curl -sS -o /tmp/hyp-get.body -w '%{http_code}' \
+		-H "Authorization: Bearer $TOKEN" \
+		"http://localhost:$port/v1/cache/$key")
+
+	if [[ "$status" != "404" ]]; then
+		log_fail "GET $key on :$port after delete: status=$status (want 404); body: $(cat /tmp/hyp-get.body)"
+		return 1
+	fi
+
+	if ! grep -q '"code":"NOT_FOUND"' /tmp/hyp-get.body; then
+		log_fail "GET $key on :$port: 404 but missing NOT_FOUND code; body: $(cat /tmp/hyp-get.body)"
+		return 1
+	fi
+
+	log_ok "GET $key on :$port returned 404 NOT_FOUND"
+	return 0
+}
+
+# delete_key issues DELETE on the given port and asserts a 200 +
+# deleted=true response.
+delete_key() {
+	local port="$1"
+	local key="$2"
+
+	local status
+
+	status=$(curl -sS -o /tmp/hyp-del.body -w '%{http_code}' \
+		-H "Authorization: Bearer $TOKEN" \
+		-X DELETE \
+		"http://localhost:$port/v1/cache/$key")
+
+	if [[ "$status" != "200" ]]; then
+		log_fail "DELETE $key on :$port returned status $status; body: $(cat /tmp/hyp-del.body)"
+		return 1
+	fi
+
+	if ! grep -q '"deleted":true' /tmp/hyp-del.body; then
+		log_fail "DELETE $key on :$port did not echo deleted=true; body: $(cat /tmp/hyp-del.body)"
+		return 1
+	fi
+
+	log_ok "DELETE $key on :$port"
+	return 0
+}
+
+echo "=== Phase 1: byte-value propagation (PUT 'world' on :$WRITE_PORT) ==="
+put_value "$WRITE_PORT" greeting world || true
 sleep 1
-echo ""
-echo "=== GET via every node (all should be world) ==="
-for port in 8081 8082 8083 8084 8085; do
-	printf "node@%s -> " "$port"
-	curl -H "Authorization: Bearer dev-token" "http://localhost:$port/v1/cache/greeting" -w ' [%{http_code}]'
-	echo ""
+for port in $PORTS; do
+	expect_value "$port" greeting world || true
 done
 
 echo ""
-echo "=== PUT a JSON-y value to hypercache-2 ==="
-curl -sS -H "Authorization: Bearer dev-token" -X PUT --data 'plain string with spaces' 'http://localhost:8082/v1/cache/sentence' -w '\n  status %{http_code}\n'
-
+echo "=== Phase 2: text-value propagation (PUT spaces on :8082) ==="
+put_value 8082 sentence "plain string with spaces" || true
 sleep 1
-echo ""
-echo "=== GET sentence via every node ==="
-for port in 8081 8082 8083 8084 8085; do
-	printf "node@%s -> " "$port"
-	curl -sS -H "Authorization: Bearer dev-token" "http://localhost:$port/v1/cache/sentence" -w ' [%{http_code}]'
-	echo ""
+for port in $PORTS; do
+	expect_value "$port" sentence "plain string with spaces" || true
 done
 
 echo ""
-echo "=== DELETE from hypercache-3, then GET from all ==="
-curl -sS -H "Authorization: Bearer dev-token" -X DELETE 'http://localhost:8083/v1/cache/greeting' -w '\n  status %{http_code}\n'
+echo "=== Phase 3: cross-node DELETE (DELETE on :$DELETE_PORT, expect 404 cluster-wide) ==="
+delete_key "$DELETE_PORT" greeting || true
 sleep 1
-for port in 8081 8082 8083 8084 8085; do
-	printf "node@%s -> " "$port"
-	curl -sS -H "Authorization: Bearer dev-token" "http://localhost:$port/v1/cache/greeting" -w ' [%{http_code}]'
-	echo ""
+for port in $PORTS; do
+	expect_404 "$port" greeting || true
 done
+
+echo ""
+if [[ "$fail_count" -gt 0 ]]; then
+	if [[ -t 1 ]]; then
+		printf '\033[31m=== %d assertion(s) failed ===\033[0m\n' "$fail_count"
+	else
+		printf '=== %d assertion(s) failed ===\n' "$fail_count"
+	fi
+
+	exit 1
+fi
+
+if [[ -t 1 ]]; then
+	printf '\033[32m=== all assertions passed ===\033[0m\n'
+else
+	printf '=== all assertions passed ===\n'
+fi