E2E: prod + QA matrix, extract monitor, fix global_state_count (#325)

* Extract sync monitor polling loop into standalone script

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Committed-By-Agent: claude

* Using zshrc

* Switch mitmweb ports from 8080/8081 to 9080/9081 to avoid conflicts

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Committed-By-Agent: claude

* Fix global_state_count to only count global state messages + use --yes for db delete

- global_state_count in progress reducer was incrementing on every
  source_state message regardless of state_type. Now only increments
  for state_type: 'global'.
- Use --yes flag instead of piping confirmation to stripe databases delete.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Committed-By-Agent: claude

* Add QA environment to E2E workflow + accept error state until selective sync

- Run E2E monitor on both prod and QA (matrix strategy)
- Pass --api-base to Stripe CLI for QA environment
- Accept error/failed as non-fatal terminal states until selective sync
  is available in the CLI/API
- Set STRIPE_SK_GOLDILOCKS_QA GitHub secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Committed-By-Agent: claude

* Trigger E2E workflow on push to fix-e2e branch

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Committed-By-Agent: claude

* Use static secret references instead of dynamic secrets[] lookup

Avoids passing all org/repo secrets to the runner.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Committed-By-Agent: claude

* Move secret name into matrix definition

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Committed-By-Agent: claude

* Always pass --api-base, use consistent STRIPE_SK_GOLDILOCKS_PROD secret

Removes conditionals around api_base — prod uses https://api.stripe.com
explicitly. Renames prod secret from GOLDI_LIVE_KEY to
STRIPE_SK_GOLDILOCKS_PROD for consistency with QA.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Committed-By-Agent: claude

* Add explicit API key validation step before creating database

Fails fast with a clear error message if the key is empty, expired,
or IP-restricted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Committed-By-Agent: claude

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tonyxiao

.envrc

@@ -1,5 +1,2 @@
 # shellcheck shell=bash
 source_env_if_exists .envrc.local
-
-alias pipelines='bun apps/service/src/bin/sync-service.ts pipelines'
-alias tsx='node --conditions bun --import tsx --no-warnings --use-env-proxy'

.github/workflows/prod-e2e-test.yml

@@ -1,6 +1,8 @@
 name: Stripe Database Monitor
 
 on:
+  push:
+    branches: [fix-e2e]
   schedule:
     - cron: '0 * * * *' # Every hour
   workflow_dispatch:
@@ -10,11 +12,21 @@ permissions:
 
 jobs:
   monitor:
-    name: Create DB & monitor sync progress
+    name: E2E — ${{ matrix.env }}
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 75
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - env: prod
+            api_key: STRIPE_SK_GOLDILOCKS_PROD
+            api_base: https://api.stripe.com
+          - env: qa
+            api_key: STRIPE_SK_GOLDILOCKS_QA
+            api_base: https://qa-api.stripe.com
     env:
-      STRIPE_API_KEY: ${{ secrets.GOLDI_LIVE_KEY }}
+      STRIPE_API_KEY: ${{ secrets[matrix.api_key] }}
 
     steps:
       - name: Checkout repository
@@ -35,11 +47,22 @@ jobs:
             | sudo tee /etc/apt/sources.list.d/stripe.list
           sudo apt-get update -qq && sudo apt-get install -y -qq stripe
 
+      - name: Validate API key
+        run: |
+          if [ -z "$STRIPE_API_KEY" ]; then
+            echo "::error::STRIPE_API_KEY is empty — check that the ${{ matrix.api_key }} secret is set"
+            exit 1
+          fi
+          if ! stripe customers list --limit 1 --api-base ${{ matrix.api_base }} >/dev/null 2>&1; then
+            echo "::error::STRIPE_API_KEY (${{ matrix.api_key }}) is invalid or expired — rotate it in the Stripe Dashboard and update the GitHub secret"
+            exit 1
+          fi
+
       - name: Create Stripe database
         id: create-db
         run: |
           echo "Creating Stripe database..."
-          RESULT=$(stripe databases create --live)
+          RESULT=$(stripe databases create --live --api-base ${{ matrix.api_base }})
 
           DB_ID=$(echo "$RESULT" | grep -oE 'db_[A-Za-z0-9]+' | head -1)
           DB_STRING=$(echo "$RESULT" | grep -oE 'postgresql://[^[:space:]]+')
@@ -71,64 +94,8 @@ jobs:
         env:
           DB_STRING: ${{ steps.create-db.outputs.db_string }}
           DB_ID: ${{ steps.create-db.outputs.db_id }}
-        run: |
-          POLL_INTERVAL=15
-          MAX_POLLS=240
-          PREV_TOTAL=0
-          PREV_TIME=$(date +%s)
-          START_TIME=$PREV_TIME
-
-          for i in $(seq 1 $MAX_POLLS); do
-            STATUS=$(stripe databases retrieve "$DB_ID" 2>&1 | grep -oE 'backfilling|ready|error|failed' | head -1)
-
-            SUM_EXPR=$(psql "$DB_STRING" -t -A -c "
-              SELECT COALESCE(
-                string_agg('(SELECT count(*) FROM public.' || quote_ident(table_name) || ')', ' + '),
-                '0'
-              ) FROM information_schema.tables
-              WHERE table_schema = 'public' AND table_type = 'BASE TABLE'
-            " 2>/dev/null || echo "0")
-            TOTAL=$(psql "$DB_STRING" -t -A -c "SELECT $SUM_EXPR" 2>/dev/null || echo "0")
-
-            NOW=$(date +%s)
-            ELAPSED=$((NOW - PREV_TIME))
-            if [ "$ELAPSED" -gt 0 ] && [ "$PREV_TOTAL" -gt 0 ]; then
-              DELTA=$((TOTAL - PREV_TOTAL))
-              RPS=$((DELTA / ELAPSED))
-              echo "[poll $i] status=$STATUS  total_rows=$TOTAL  delta=$DELTA  rows_per_sec=$RPS"
-            else
-              echo "[poll $i] status=$STATUS  total_rows=$TOTAL  (baseline)"
-            fi
-
-            if [ "$STATUS" = "ready" ]; then
-              TOTAL_ELAPSED=$(( NOW - START_TIME ))
-              echo ""
-              echo "Sync complete in ${TOTAL_ELAPSED}s"
-              break
-            fi
-            if [ "$STATUS" = "error" ] || [ "$STATUS" = "failed" ]; then
-              echo "::error::Database entered $STATUS state"
-              exit 1
-            fi
-
-            PREV_TOTAL=$TOTAL
-            PREV_TIME=$NOW
-            sleep $POLL_INTERVAL
-          done
-
-          if [ "$STATUS" != "ready" ]; then
-            echo "::error::Timed out waiting for sync to complete"
-            exit 1
-          fi
-
-          echo ""
-          echo "=== Final table breakdown ==="
-          psql "$DB_STRING" -c "
-            SELECT relname AS table_name, n_live_tup AS row_count
-            FROM pg_stat_user_tables
-            WHERE schemaname = 'public'
-            ORDER BY n_live_tup DESC;
-          "
+          STRIPE_API_BASE: ${{ matrix.api_base }}
+        run: ./scripts/monitor-sync-progress.sh
 
       - name: Sigma validation
         env:
@@ -146,4 +113,4 @@ jobs:
         if: always() && steps.create-db.outputs.db_id
         run: |
           echo "Deleting database ${{ steps.create-db.outputs.db_id }}..."
-          echo "remove StripeDB" | stripe databases delete ${{ steps.create-db.outputs.db_id }}
+          stripe databases delete ${{ steps.create-db.outputs.db_id }} --yes --api-base ${{ matrix.api_base }}

.zshrc

@@ -0,0 +1,3 @@
+
+alias tsx='node --conditions bun --import tsx --no-warnings --use-env-proxy'
+alias pipelines='tsx apps/service/src/bin/sync-service.ts pipelines'

apps/engine/src/lib/engine.test.ts

@@ -918,7 +918,7 @@ describe('engine.pipeline_sync() pipeline', () => {
 
     const eof = output.find((m) => m.type === 'eof')!
     expect(eof.eof.ending_state?.sync_run.run_id).toBe('same-run')
-    expect(eof.eof.ending_state?.sync_run.progress?.global_state_count).toBe(4)
+    expect(eof.eof.ending_state?.sync_run.progress?.global_state_count).toBe(3)
     expect(eof.eof.ending_state?.sync_run.progress?.elapsed_ms).toBeGreaterThan(5000)
   })
 

apps/engine/src/lib/progress/reducer.test.ts

@@ -78,7 +78,7 @@ describe('progressReducer — records', () => {
 })
 
 describe('progressReducer — source_state', () => {
-  it('increments global_state_count', () => {
+  it('increments global_state_count only for global state_type', () => {
     let p = createInitialProgress()
     p = progressReducer(
       p,
@@ -87,14 +87,15 @@ describe('progressReducer — source_state', () => {
         source_state: { state_type: 'stream', stream: 'customers', data: {} },
       })
     )
+    expect(p.global_state_count).toBe(0)
     p = progressReducer(
       p,
       at({
         type: 'source_state',
-        source_state: { state_type: 'stream', stream: 'customers', data: {} },
+        source_state: { state_type: 'global', data: { events_cursor: 1 } },
       })
     )
-    expect(p.global_state_count).toBe(2)
+    expect(p.global_state_count).toBe(1)
   })
 
   it('marks stream as started on first source_state for that stream', () => {
@@ -147,7 +148,7 @@ describe('progressReducer — source_state', () => {
       p,
       at({
         type: 'source_state',
-        source_state: { state_type: 'stream', stream: 'customers', data: {} },
+        source_state: { state_type: 'global', data: { events_cursor: 1 } },
       })
     )
     expect(p.global_state_count).toBe(0)
@@ -500,15 +501,15 @@ describe('progressReducer — elapsed_ms and rates', () => {
       p,
       at({
         type: 'source_state',
-        source_state: { state_type: 'stream', stream: 'customers', data: {} },
+        source_state: { state_type: 'global', data: { events_cursor: 1 } },
         _ts: '2024-01-01T00:00:00.000Z',
       })
     )
     p = progressReducer(
       p,
       at({
         type: 'source_state',
-        source_state: { state_type: 'stream', stream: 'customers', data: {} },
+        source_state: { state_type: 'global', data: { events_cursor: 2 } },
         _ts: '2024-01-01T00:00:04.000Z',
       })
     )

apps/engine/src/lib/progress/reducer.ts

@@ -96,7 +96,10 @@ export function progressReducer(progress: ProgressPayload, msg: Message): Progre
       const next = {
         ...progress,
         elapsed_ms: elapsedMs,
-        global_state_count: progress.global_state_count + 1,
+        global_state_count:
+          msg.source_state.state_type === 'global'
+            ? progress.global_state_count + 1
+            : progress.global_state_count,
       }
       if (msg.source_state.state_type === 'stream') {
         const stream = msg.source_state.stream

apps/engine/src/lib/state-reducer.test.ts

@@ -166,7 +166,7 @@ describe('stateReducer message events', () => {
     const msg: Message = {
       _ts: TS,
       type: 'source_state',
-      source_state: { state_type: 'stream', stream: 'customers', data: { cursor: 'x' } },
+      source_state: { state_type: 'global', data: { events_cursor: 'evt_1' } },
     }
     const next = stateReducer(state, msg)
     expect(next.sync_run.progress.global_state_count).toBe(1)

scripts/mitmweb-forward-proxy.sh

@@ -4,8 +4,8 @@
 # Usage:
 #   source scripts/mitmweb-forward-proxy.sh
 #
-# Starts a forward proxy on http://127.0.0.1:8080 with mitmweb UI on
-# http://127.0.0.1:8081 and logs in tmp/mitmweb-forward-proxy-8080.log.
+# Starts a forward proxy on http://127.0.0.1:9080 with mitmweb UI on
+# http://127.0.0.1:9081 and logs in tmp/mitmweb-forward-proxy-9080.log.
 #
 # Requires mitmproxy 12+ for store_streamed_bodies support.
 # Install or upgrade with:
@@ -19,10 +19,10 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
   exit 1
 fi
 
-MITM_PROXY="http://127.0.0.1:8080"
-MITM_WEB="http://127.0.0.1:8081"
+MITM_PROXY="http://127.0.0.1:9080"
+MITM_WEB="http://127.0.0.1:9081"
 MITM_CA="$HOME/.mitmproxy/mitmproxy-ca-cert.pem"
-MITM_LOG_FILE="tmp/mitmweb-forward-proxy-8080.log"
+MITM_LOG_FILE="tmp/mitmweb-forward-proxy-9080.log"
 MITM_MIN_MAJOR=12
 mkdir -p tmp
 
@@ -83,18 +83,18 @@ _kill_mitmweb_listener() {
 
 _abort_bad_mitmweb || return 1 2>/dev/null || exit 1
 
-if _port_listening 8080 || _port_listening 8081; then
-  _kill_mitmweb_listener 8080 || return 1 2>/dev/null || exit 1
-  _kill_mitmweb_listener 8081 || return 1 2>/dev/null || exit 1
+if _port_listening 9080 || _port_listening 9081; then
+  _kill_mitmweb_listener 9080 || return 1 2>/dev/null || exit 1
+  _kill_mitmweb_listener 9081 || return 1 2>/dev/null || exit 1
   sleep 0.5
 fi
 
-if ! _port_listening 8080; then
+if ! _port_listening 9080; then
   UPSTREAM="${https_proxy:-${http_proxy:-}}"
 
   MITM_ARGS=(
-    --listen-port 8080
-    --web-port 8081
+    --listen-port 9080
+    --web-port 9081
     --no-web-open-browser
     --ssl-insecure
     --set connection_strategy=lazy
@@ -113,12 +113,12 @@ if ! _port_listening 8080; then
   mitmweb "${MITM_ARGS[@]}" >>"$MITM_LOG_FILE" 2>&1 &
 
   for i in $(seq 1 10); do
-    _port_listening 8080 && break
+    _port_listening 9080 && break
     sleep 0.5
   done
 
-  if ! _port_listening 8080; then
-    echo "ERROR: mitmweb failed to start (proxy port 8080)." >&2
+  if ! _port_listening 9080; then
+    echo "ERROR: mitmweb failed to start (proxy port 9080)." >&2
     return 1 2>/dev/null || exit 1
   fi
 

scripts/monitor-sync-progress.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Monitor Stripe database sync progress by polling status and row counts.
+# Required env: DB_STRING, DB_ID
+
+: "${DB_STRING:?DB_STRING is required}"
+: "${DB_ID:?DB_ID is required}"
+
+STRIPE_FLAGS="--api-base ${STRIPE_API_BASE:?STRIPE_API_BASE is required}"
+
+POLL_INTERVAL=15
+MAX_POLLS=240
+PREV_TOTAL=0
+PREV_TIME=$(date +%s)
+START_TIME=$PREV_TIME
+
+for i in $(seq 1 $MAX_POLLS); do
+  STATUS=$(stripe databases retrieve "$DB_ID" $STRIPE_FLAGS 2>&1 | grep -oE 'backfilling|ready|error|failed' | head -1)
+
+  SUM_EXPR=$(psql "$DB_STRING" -t -A -c "
+    SELECT COALESCE(
+      string_agg('(SELECT count(*) FROM public.' || quote_ident(table_name) || ')', ' + '),
+      '0'
+    ) FROM information_schema.tables
+    WHERE table_schema = 'public' AND table_type = 'BASE TABLE'
+  " 2>/dev/null || echo "0")
+  TOTAL=$(psql "$DB_STRING" -t -A -c "SELECT $SUM_EXPR" 2>/dev/null || echo "0")
+
+  NOW=$(date +%s)
+  ELAPSED=$((NOW - PREV_TIME))
+  if [ "$ELAPSED" -gt 0 ] && [ "$PREV_TOTAL" -gt 0 ]; then
+    DELTA=$((TOTAL - PREV_TOTAL))
+    RPS=$((DELTA / ELAPSED))
+    echo "[poll $i] status=$STATUS  total_rows=$TOTAL  delta=$DELTA  rows_per_sec=$RPS"
+  else
+    echo "[poll $i] status=$STATUS  total_rows=$TOTAL  (baseline)"
+  fi
+
+  if [ "$STATUS" = "ready" ]; then
+    TOTAL_ELAPSED=$(( NOW - START_TIME ))
+    echo ""
+    echo "Sync complete in ${TOTAL_ELAPSED}s"
+    break
+  fi
+  # TODO: Once selective sync is available in the CLI/API, error should be a hard failure.
+  # For now databases without selective sync may error on unsupported resources.
+  if [ "$STATUS" = "error" ] || [ "$STATUS" = "failed" ]; then
+    TOTAL_ELAPSED=$(( NOW - START_TIME ))
+    echo ""
+    echo "::warning::Database entered $STATUS state after ${TOTAL_ELAPSED}s (accepted until selective sync is available)"
+    break
+  fi
+
+  PREV_TOTAL=$TOTAL
+  PREV_TIME=$NOW
+  sleep $POLL_INTERVAL
+done
+
+if [ "$STATUS" != "ready" ] && [ "$STATUS" != "error" ] && [ "$STATUS" != "failed" ]; then
+  echo "::error::Timed out waiting for sync to complete"
+  exit 1
+fi
+
+echo ""
+echo "=== Final table breakdown ==="
+psql "$DB_STRING" -c "
+  SELECT relname AS table_name, n_live_tup AS row_count
+  FROM pg_stat_user_tables
+  WHERE schemaname = 'public'
+  ORDER BY n_live_tup DESC;
+"