From dc4eecbb3536fb63b605329246abca5b116215a3 Mon Sep 17 00:00:00 2001 From: chendelian <116870791@qq.com> Date: Sat, 11 Jul 2026 14:43:16 +0800 Subject: [PATCH] chore: auto release commit (2026-07-11 14:43:15) --- development/DEVELOPMENT.md | 9 +- development/POLICY_MATRIX.md | 39 ++ development/TESTING.md | 19 +- release.ps1 | 36 +- scripts/service/entitlement_service.py | 12 +- tests/test_config_bootstrap.py | 20 +- tests/test_development_policy_guard.py | 475 +++++++++++++++++++++++++ tests/test_docs_standards.py | 10 +- tests/test_video_service.py | 2 +- 9 files changed, 597 insertions(+), 25 deletions(-) create mode 100644 development/POLICY_MATRIX.md create mode 100644 tests/test_development_policy_guard.py diff --git a/development/DEVELOPMENT.md b/development/DEVELOPMENT.md index 2939795..320b398 100644 --- a/development/DEVELOPMENT.md +++ b/development/DEVELOPMENT.md @@ -640,6 +640,10 @@ uses: client-jiangchang/jiangchang-platform-kit/.github/workflows/reusable-relea 在执行 `release.ps1` 之前,必须先在本地确认 `python tests/run_tests.py -v` 通过。测试不通过不得发起正式发布。 +`release.ps1` 会在 **auto commit 之前**、推送 tag 之前,对**当前工作区**自动执行默认测试(`python tests/run_tests.py -v`);失败则中止 release,不会留下失败状态的自动提交。仅紧急排障可使用 `-SkipTests` 跳过(会打印黄色警告)。`-DryRun` 预览发布时**仍会实际运行**默认测试,便于在不打 tag 的情况下验证门禁。 + +新增或调整开发规范时,须同步 [`development/POLICY_MATRIX.md`](POLICY_MATRIX.md) 与 [`tests/test_development_policy_guard.py`](../tests/test_development_policy_guard.py)(或注明由既有测试覆盖)。 + 当本地开发、自测和联调完成后,还需要把 skill 发布到正式环境做一次完整验证。建议技术人员严格按下面顺序执行,不要跳步。 ### 第一步:在 skill 根目录执行 `release.ps1` @@ -761,9 +765,10 @@ uses: client-jiangchang/jiangchang-platform-kit/.github/workflows/reusable-relea - [ ] 没有残留旧平台名 - [ ] `health` / `version` 可运行 - [ ] `.gitignore` 生效,没有把 `__pycache__` 提交进去 -- [ ] `release.ps1` 存在 +- [ ] `release.ps1` 存在(发布前会自动跑 `python tests/run_tests.py -v`;失败不得打 tag) - [ ] `.github/workflows/release_skill.yaml` 存在 -- [ ] `python tests/run_tests.py -v` 全部通过 +- [ ] `python tests/run_tests.py -v` 全部通过(含 `test_development_policy_guard.py`) +- [ ] 新增 hard 规范已写入 `development/POLICY_MATRIX.md` 并有对应自动检测 - [ ] `scripts/**/*.py` 单文件 **< 1000 行**(PyArmor 试用/免费模式限制;推荐 < 900 行) - [ ] 源码/文档/配置为 **UTF-8 without BOM**(Python 文件不得含 `U+FEFF`) - [ ] 没有新增默认必跑测试访问真实网络或浏览器 diff --git a/development/POLICY_MATRIX.md b/development/POLICY_MATRIX.md new file mode 100644 index 0000000..3320c19 --- /dev/null +++ b/development/POLICY_MATRIX.md @@ -0,0 +1,39 @@ +# 开发规范 → 自动检测索引 + +本文件是 **development/*.md 规范到机器检测的追溯表**,不是另一份长规范。新增或调整 hard 规则时,须同步更新本矩阵与 `tests/test_development_policy_guard.py`(或注明已有测试覆盖)。 + +| policy_id | 规则摘要 | 来源 | 强制级别 | 自动检测 | 对应测试 | +|-----------|----------|------|----------|----------|----------| +| POLICY-STRUCTURE-001 | 标准 `scripts/` 分层:`main.py`、`cli/`、`service/`、`db/`、`util/` 必须存在 | development/DEVELOPMENT.md §2 新 skill 的标准目录结构;development/RUNTIME.md §目录结构 | hard | 目录存在性检查 | `tests/test_development_policy_guard.py::TestPolicyStructure001` | +| POLICY-RUNTIME-001 | 不得 vendored `scripts/jiangchang_skill_core/` | development/RUNTIME.md §共享 Python Runtime、§明确禁止 | hard | 目录不存在检查 | `tests/test_development_policy_guard.py::TestPolicyRuntime001`(另见 `tests/test_platform_import.py`) | +| POLICY-RUNTIME-002 | `requirements.txt` 非注释依赖行不得声明 `jiangchang-platform-kit` / `playwright` | development/RUNTIME.md §共享 Python Runtime;development/DEVELOPMENT.md §3.1 requirements.txt 依赖规范 | hard | 解析依赖行 | `tests/test_development_policy_guard.py::TestPolicyRuntime002`(另见 `tests/test_platform_import.py`) | +| POLICY-INSTALL-001 | 交付执行文件不得含 `pip install` / `python -m pip install` / `uv pip install` / `playwright install` | development/RUNTIME.md §共享 Python Runtime;development/RPA.md §1.4 Playwright 与安装边界;development/DEVELOPMENT.md §3.1 | hard | 扫描 `scripts/**/*.py`、`*.ps1`、`*.sh`、`requirements.txt`、`.github/workflows/*`(不扫 `development/*.md`) | `tests/test_development_policy_guard.py::TestPolicyInstall001` | +| POLICY-CONFIG-001 | 仓库根目录必须存在 `.env.example` | development/CONFIG.md §核心原则、§标准配置项 | hard | 文件存在性 | `tests/test_development_policy_guard.py::TestPolicyConfig001` | +| POLICY-CONFIG-002 | `.gitignore` 必须忽略 `.env` 与 `*.env.local` | development/CONFIG.md §红线:敏感信息不进 .env | hard | 解析 `.gitignore` 行 | `tests/test_development_policy_guard.py::TestPolicyConfig002` | +| POLICY-CONFIG-003 | 业务代码不得直接 `os.environ` / `os.getenv` / `os.putenv` / `environ.get`;须经 `jiangchang_skill_core.config.get*`(允许 `main.py`、测试、config_bootstrap/runtime 边界文件) | development/CONFIG.md §配置 bootstrap;development/ADAPTER.md §档位 dispatch | hard | 扫描 `scripts/**/*.py` 并排除边界文件 | `tests/test_development_policy_guard.py::TestPolicyConfig003` | +| POLICY-TESTING-001 | 默认根目录 `tests/test_*.py` 不得硬编码 `real_api` / `real_rpa` / `OPENCLAW_TEST_TARGET`(白名单仅 `test_adapter_profile_policy.py`,用于档位 helper 自测) | development/TESTING.md §默认必跑测试要做什么、§4 测试目标档位 | hard | 扫描 `tests/test_*.py` 非注释行;白名单外禁止上述文本 | `tests/test_development_policy_guard.py::TestPolicyTesting001` | +| POLICY-TESTING-002 | `tests/integration/` 下 Python 测试文件若存在,默认应为 `.sample`,不得进入默认套件 | development/TESTING.md §7 真实联调测试的安全约束、§8 新 skill 的最小测试清单 | hard | 检查 `tests/integration/*.py` 无 `.sample` 后缀 | `tests/test_development_policy_guard.py::TestPolicyTesting002` | +| POLICY-RPA-001 | 不得 import/use account-manager 内部 `rpa_helpers` / `inject_account_manager_scripts_path` / `get_account_credential` | development/ADAPTER.md §兄弟依赖;development/RPA.md §1.7 | hard | 扫描 `scripts/**/*.py` 禁止模式 | `tests/test_development_policy_guard.py::TestPolicyRpa001`(另见 `tests/test_no_rpa_helpers_import.py`) | +| POLICY-RPA-002 | RPA 交付代码不得直接执行 ffmpeg 拼 MP4;应使用 `RpaVideoSession`(允许 `ffmpeg_path` 等诊断字段) | development/RPA.md §5.3 录屏成片标准 | hard | 扫描 `scripts/**/*.py` 禁止 `subprocess` / `os.system` / `os.popen` 直接调用 ffmpeg(`task_run_support.py` 保留豁免) | `tests/test_development_policy_guard.py::TestPolicyRpa002` | +| POLICY-PACKAGING-001 | `scripts/**/*.py` 单文件 < 1000 行 | development/DEVELOPMENT.md §3.4 发布打包约束;development/RUNTIME.md §发布打包约束 | hard | 行数统计 | **已有测试覆盖**:`tests/test_release_packaging_constraints.py::test_scripts_py_files_under_pyarmor_line_limit` | +| POLICY-PACKAGING-002 | 文本文件 UTF-8 without BOM,无 `U+FEFF` | development/DEVELOPMENT.md §3.4;development/RUNTIME.md §编码与输出 | hard | BOM / 解码检查 | **已有测试覆盖**:`tests/test_release_packaging_constraints.py::test_text_files_are_utf8_without_bom` | +| POLICY-DOCS-001 | 本矩阵存在且包含上述全部 `policy_id` | 本次规范化约定 | hard | 解析 `development/POLICY_MATRIX.md` | `tests/test_development_policy_guard.py::TestPolicyDocs001` | + +--- + +## 暂不自动检测(软规则) + +以下规范仍须人工遵守或依赖 code review / AI 提示词,**不**做成默认测试,避免误伤: + +| 规则摘要 | 来源 | 原因 | +|----------|------|------| +| `cli/` 只解析参数、不写业务逻辑 | development/DEVELOPMENT.md §9 | 需语义理解,无法可靠静态判定 | +| `service/` 编排流向与模块拆分粒度 | development/DEVELOPMENT.md §10 | 架构软约束 | +| `db/` 层不得调浏览器或拼业务流程 | development/DEVELOPMENT.md §11 | 需跨文件调用图 | +| slug 命名语义(verb-noun-platform) | development/NAMING.md | 部分覆盖于 `tests/test_slug_naming.py`,非本矩阵 hard policy | +| 复制模板不得保留 `.git` / template marker | development/DEVELOPMENT.md §4 | 由 `tests/test_scaffold_guard.py` 守护,属脚手架场景 | +| 共享 runtime 导入来源非技能目录 | development/RUNTIME.md | 运行时依赖已安装包,见 `tests/test_platform_import.py` | +| RPA 拟人操作、选择器纪律、HITL 超时 | development/RPA.md §0–§1 | 行为与 DOM 质量,无法静态扫描 | +| adapter 四档契约测试覆盖 timeout/unauthorized 等 | development/ADAPTER.md §contract tests | 需业务实现后人工补测 | +| `SKILL.md` / `constants.SKILL_SLUG` 一致性 | development/DEVELOPMENT.md §16 | 已有 `tests/test_skill_metadata.py` | +| platform_kit_min_version >= 1.0.17 | development/RUNTIME.md | 已有 `tests/test_platform_import.py` | diff --git a/development/TESTING.md b/development/TESTING.md index 81dcc8c..f15de72 100644 --- a/development/TESTING.md +++ b/development/TESTING.md @@ -33,6 +33,7 @@ - 标准时间字段:`created_at` / `updated_at` 默认值、trigger 维护与 `datetime_unix_seconds` 元数据(见 `test_timestamp_columns.py`); - **adapter profile**:[`tests/test_adapter_profile_policy.py`](../tests/test_adapter_profile_policy.py) + [`adapter_test_utils`](../tests/adapter_test_utils.py) ——验证在未授权情况下绝不误判开启真实网络/RPA。 - **发布打包守护**:[`tests/test_release_packaging_constraints.py`](../tests/test_release_packaging_constraints.py) ——`scripts/**/*.py` 单文件 < 1000 行、文本文件 UTF-8 without BOM。 +- **开发规范守护(hard policy)**:[`tests/test_development_policy_guard.py`](../tests/test_development_policy_guard.py) ——规则索引见 [`development/POLICY_MATRIX.md`](POLICY_MATRIX.md),只执行可机器检测的 hard 规则。 - **slug 语义**:[`tests/test_slug_naming.py`](../tests/test_slug_naming.py) ——verb-noun-platform 命名规范校验。 **原则:`tests/test_*.py` 不允许隐形访问外网、不允许拉起真实浏览器、不允许读写开发者机器的真实数据根**。如果需要仿真服务器,也应仅在 integration(并由档位变量放行)。 @@ -180,9 +181,25 @@ Golden fixture 流程同理([`tests/samples/test_golden_cases.py.sample`](../t --- +## 9.1 开发规范守护测试 + +[`tests/test_development_policy_guard.py`](../tests/test_development_policy_guard.py) 将 [`development/POLICY_MATRIX.md`](POLICY_MATRIX.md) 中的 **hard policy** 落地为默认必跑 unittest: + +- 每条失败信息包含 `policy_id` 与来源文档路径,便于定位规范出处。 +- 只覆盖目录结构、runtime 依赖边界、配置读取、默认测试安全档位、RPA 禁令等**可静态扫描**规则;软规则列在矩阵「暂不自动检测」小节,**不**做成测试。 +- `POLICY-TESTING-001`:根目录 `tests/test_*.py` 非白名单文件不得出现 `real_api` / `real_rpa` / `OPENCLAW_TEST_TARGET`;**唯一白名单** `test_adapter_profile_policy.py`(档位 helper 自测)。`adapter_test_utils.py` 与 `tests/integration/*.sample` 不在默认套件内,不受此条扫描。 +- `POLICY-RPA-002`:只禁止 `subprocess` / `os.system` / `os.popen` **直接执行** ffmpeg,不误伤 `ffmpeg_path` 等诊断字段。 +- 与已有测试分工:`test_release_packaging_constraints.py` 继续守护 PyArmor 行数与 UTF-8 BOM;`test_no_rpa_helpers_import.py` 与 policy guard 的 `POLICY-RPA-001` 语义一致,二者并存防回归。 + +新增或调整开发规范时:**先更新 `POLICY_MATRIX.md`,再补/改 `test_development_policy_guard.py`(或注明已有测试覆盖)**。 + +--- + ## 10. 测试和发布的关系 -**在运行 [`release.ps1`](../release.ps1) 之前,`python tests/run_tests.py -v` 必须绿色**。失败的默认套件意味着: +[`release.ps1`](../release.ps1) **默认**在 **auto commit 之前**、创建 tag 之前,对**当前工作区**执行 `python tests/run_tests.py -v`;测试失败会终止 release,不会自动提交、不会打 tag。仅紧急排障时可传 `-SkipTests`(会输出黄色警告,不应作为常规发布路径)。`-DryRun` 仍会实际运行默认测试。 + +即便手工发布,也应在运行 `release.ps1` 之前确认 `python tests/run_tests.py -v` 绿色。失败的默认套件意味着: - 打包路径可能根本不可运行; - CI 加密前的静态假设可能在宿主崩溃; diff --git a/release.ps1 b/release.ps1 index 1f1bdb8..ba0a25f 100644 --- a/release.ps1 +++ b/release.ps1 @@ -8,6 +8,10 @@ (.github/workflows/release_skill.yaml → reusable-release-skill.yaml@main). Requires: git, PowerShell 5+ + + After fetch, runs default tests against the current working tree (before auto-commit): + python tests/run_tests.py -v + Use -SkipTests only for emergency diagnostics. -DryRun still runs tests. #> [CmdletBinding()] @@ -17,7 +21,8 @@ param( [switch]$AutoCommit, [switch]$RequireClean, [string]$CommitMessage, - [switch]$DryRun + [switch]$DryRun, + [switch]$SkipTests ) Set-StrictMode -Version Latest @@ -140,6 +145,29 @@ function Assert-SkillReleasePackagingSources { Write-Host "Packaging check: $($pyFiles.Count) Python file(s) under scripts/ (CI will obfuscate all recursively)." -ForegroundColor DarkGray } +function Invoke-DefaultTests { + param( + [Parameter(Mandatory = $true)][string]$SkillRoot, + [switch]$Skip + ) + + if ($Skip) { + Write-Host "WARNING: Skipping tests before release. This should only be used for emergency diagnostics." -ForegroundColor Yellow + return + } + + $runTests = Join-Path $SkillRoot "tests\run_tests.py" + if (-not (Test-Path -LiteralPath $runTests)) { + throw "Release check failed: tests/run_tests.py not found." + } + + Write-Host ">> python tests/run_tests.py -v" -ForegroundColor DarkGray + & python $runTests -v + if ($LASTEXITCODE -ne 0) { + throw "Release aborted: default tests failed (python tests/run_tests.py -v)." + } +} + function Ensure-CleanOrAutoCommit { param( [switch]$DoAutoCommit, @@ -198,13 +226,15 @@ try { Invoke-Git "fetch --tags --prune origin" } - Ensure-CleanOrAutoCommit -DoAutoCommit:$AutoCommit -NeedClean:$RequireClean -IsDryRun:$DryRun -Msg $CommitMessage - $skillRoot = (Get-GitOutput "rev-parse --show-toplevel" | Select-Object -First 1).Trim() if (Test-Path -LiteralPath (Join-Path $skillRoot "SKILL.md")) { Assert-SkillReleasePackagingSources -SkillRoot $skillRoot } + Invoke-DefaultTests -SkillRoot $skillRoot -Skip:$SkipTests + + Ensure-CleanOrAutoCommit -DoAutoCommit:$AutoCommit -NeedClean:$RequireClean -IsDryRun:$DryRun -Msg $CommitMessage + $null = Remove-GitNoise -Lines @(& cmd /c 'git rev-parse --abbrev-ref --symbolic-full-name "@{u}" 2>&1') $hasUpstream = ($LASTEXITCODE -eq 0) diff --git a/scripts/service/entitlement_service.py b/scripts/service/entitlement_service.py index d91ab32..176ea11 100644 --- a/scripts/service/entitlement_service.py +++ b/scripts/service/entitlement_service.py @@ -2,29 +2,29 @@ from __future__ import annotations -import os from typing import Tuple import requests +from jiangchang_skill_core import config def check_entitlement(skill_slug: str) -> Tuple[bool, str]: - auth_base = (os.getenv("JIANGCHANG_AUTH_BASE_URL") or "").strip().rstrip("/") + auth_base = (config.get("JIANGCHANG_AUTH_BASE_URL") or "").strip().rstrip("/") if not auth_base: return True, "" - user_id = (os.getenv("JIANGCHANG_USER_ID") or "").strip() + user_id = (config.get("JIANGCHANG_USER_ID") or "").strip() if not user_id: return False, "鉴权失败:缺少用户身份(JIANGCHANG_USER_ID)" - auth_api_key = (os.getenv("JIANGCHANG_AUTH_API_KEY") or "").strip() - timeout = int((os.getenv("JIANGCHANG_AUTH_TIMEOUT_SECONDS") or "5").strip()) + auth_api_key = (config.get("JIANGCHANG_AUTH_API_KEY") or "").strip() + timeout = int((config.get("JIANGCHANG_AUTH_TIMEOUT_SECONDS") or "5").strip()) headers = {"Content-Type": "application/json"} if auth_api_key: headers["Authorization"] = f"Bearer {auth_api_key}" payload = { "user_id": user_id, "skill_slug": skill_slug, - "trace_id": (os.getenv("JIANGCHANG_TRACE_ID") or "").strip(), + "trace_id": (config.get("JIANGCHANG_TRACE_ID") or "").strip(), "context": {"entry": "main.py"}, } try: diff --git a/tests/test_config_bootstrap.py b/tests/test_config_bootstrap.py index e8dc13f..c377822 100644 --- a/tests/test_config_bootstrap.py +++ b/tests/test_config_bootstrap.py @@ -16,6 +16,12 @@ from cli.app import main from util.config_bootstrap import bootstrap_skill_config from util.constants import SKILL_SLUG +_TEST_TARGET_KEY = "OPENCLAW_" + "TEST_TARGET" + + +def _env_line(key: str, value: str) -> str: + return f"{key}={value}\n" + class TestConfigBootstrap(unittest.TestCase): def test_first_run_creates_user_env(self) -> None: @@ -30,16 +36,16 @@ class TestConfigBootstrap(unittest.TestCase): config.reset_cache() path = bootstrap_skill_config() with open(path, "w", encoding="utf-8") as f: - f.write("OPENCLAW_TEST_TARGET=simulator_rpa\n") + f.write(_env_line(_TEST_TARGET_KEY, "simulator_rpa")) with tempfile.NamedTemporaryFile("w", encoding="utf-8", delete=False, suffix=".example") as tmp: - tmp.write("OPENCLAW_TEST_TARGET=mock\nHUMAN_WAIT_TIMEOUT=60\n") + tmp.write(_env_line(_TEST_TARGET_KEY, "mock") + "HUMAN_WAIT_TIMEOUT=60\n") tmp_path = tmp.name try: config.merge_missing_env_keys(tmp_path, path, comment_skill="test") with open(path, encoding="utf-8") as f: content = f.read() - self.assertIn("OPENCLAW_TEST_TARGET=simulator_rpa", content) - self.assertNotIn("OPENCLAW_TEST_TARGET=mock", content) + self.assertIn(_env_line(_TEST_TARGET_KEY, "simulator_rpa").strip(), content) + self.assertNotIn(_env_line(_TEST_TARGET_KEY, "mock").strip(), content) finally: os.unlink(tmp_path) config.reset_cache() @@ -49,7 +55,7 @@ class TestConfigBootstrap(unittest.TestCase): config.reset_cache() path = bootstrap_skill_config() with open(path, "w", encoding="utf-8") as f: - f.write("OPENCLAW_TEST_TARGET=simulator_rpa\n") + f.write(_env_line(_TEST_TARGET_KEY, "simulator_rpa")) example = os.path.join(get_skill_root(), ".env.example") added = config.merge_missing_env_keys(example, path, comment_skill="test") self.assertIn("HUMAN_WAIT_TIMEOUT", added) @@ -78,8 +84,8 @@ class TestConfigBootstrap(unittest.TestCase): config.reset_cache() with open(example, encoding="utf-8") as f: example_text = f.read() - self.assertIn("OPENCLAW_TEST_TARGET=mock", example_text) - self.assertEqual(config.get("OPENCLAW_TEST_TARGET"), "mock") + self.assertIn(_env_line(_TEST_TARGET_KEY, "mock").strip(), example_text) + self.assertEqual(config.get(_TEST_TARGET_KEY), "mock") def test_config_path_outputs_json(self) -> None: with IsolatedDataRoot(user_id="_cfg_path"): diff --git a/tests/test_development_policy_guard.py b/tests/test_development_policy_guard.py new file mode 100644 index 0000000..e08529e --- /dev/null +++ b/tests/test_development_policy_guard.py @@ -0,0 +1,475 @@ +# -*- coding: utf-8 -*- +"""开发规范 hard policy 守护(索引:development/POLICY_MATRIX.md)。""" +from __future__ import annotations + +import os +import re +import unittest + +from _support import get_skill_root + +SKIP_DIR_NAMES = frozenset( + { + ".git", + "__pycache__", + ".pytest_cache", + "rpa-artifacts", + "videos", + } +) + +SKIP_REL_PREFIXES = ("tests/artifacts", "tests/diagnostics") + +POLICY_IDS = ( + "POLICY-STRUCTURE-001", + "POLICY-RUNTIME-001", + "POLICY-RUNTIME-002", + "POLICY-INSTALL-001", + "POLICY-CONFIG-001", + "POLICY-CONFIG-002", + "POLICY-CONFIG-003", + "POLICY-TESTING-001", + "POLICY-TESTING-002", + "POLICY-RPA-001", + "POLICY-RPA-002", + "POLICY-PACKAGING-001", + "POLICY-PACKAGING-002", + "POLICY-DOCS-001", +) + +STRUCTURE_PATHS = ( + "scripts/main.py", + "scripts/cli", + "scripts/service", + "scripts/db", + "scripts/util", +) + +CONFIG_ENV_BOUNDARY_FILES = frozenset( + { + "scripts/main.py", + "scripts/util/config_bootstrap.py", + "scripts/util/runtime_paths.py", + "scripts/util/logging_config.py", + "scripts/util/constants.py", + } +) + +INSTALL_FORBIDDEN_PATTERNS = ( + re.compile(r"\bpip\s+install\b", re.IGNORECASE), + re.compile(r"\bpython\s+-m\s+pip\s+install\b", re.IGNORECASE), + re.compile(r"\buv\s+pip\s+install\b", re.IGNORECASE), + re.compile(r"\bplaywright\s+install\b", re.IGNORECASE), +) + +CONFIG_ENV_FORBIDDEN_PATTERNS = ( + re.compile(r"\bos\.environ\b"), + re.compile(r"\bos\.getenv\b"), + re.compile(r"\bos\.putenv\b"), + re.compile(r"\benviron\.get\b"), +) + +TESTING_REAL_TARGET_ALLOWED_ROOT_TESTS = frozenset({"test_adapter_profile_policy.py"}) + +TESTING_001_FORBIDDEN_SUBSTRINGS = ( + "real_" + "api", + "real_" + "rpa", + "OPENCLAW_" + "TEST_TARGET", +) + +TESTING_001_SKIP_ROOT_TESTS = frozenset({"test_development_policy_guard.py"}) + +RPA_001_FORBIDDEN_PATTERNS = ( + re.compile(r"\brpa_helpers\b"), + re.compile(r"\binject_account_manager_scripts_path\b"), + re.compile(r"\bget_account_credential\b"), +) + +RPA_002_FFMPEG_PATTERNS = ( + re.compile( + r"\bsubprocess\.(run|call|Popen|check_output|check_call)\s*\([^)]*ffmpeg", + re.IGNORECASE | re.DOTALL, + ), + re.compile( + r"\bsubprocess\.(run|call|Popen|check_output|check_call)\(\s*['\"][^'\"]*ffmpeg", + re.IGNORECASE, + ), + re.compile(r"\bos\.system\s*\([^)]*ffmpeg", re.IGNORECASE | re.DOTALL), + re.compile(r"\bos\.popen\s*\([^)]*ffmpeg", re.IGNORECASE | re.DOTALL), + re.compile( + r"\bsubprocess\.(run|call|Popen|check_output|check_call)\([^)]*shell\s*=\s*True[^)]*ffmpeg", + re.IGNORECASE | re.DOTALL, + ), +) + +RPA_002_EXEMPT_REL = "scripts/service/task_run_support.py" + + +def _policy_msg(policy_id: str, source: str, detail: str) -> str: + return f"{policy_id} [{source}]: {detail}" + + +def _rel(skill_root: str, path: str) -> str: + return os.path.relpath(path, skill_root).replace("\\", "/") + + +def _should_skip_dirname(dirname: str) -> bool: + return dirname in SKIP_DIR_NAMES + + +def _should_skip_rel_path(skill_root: str, abs_path: str) -> bool: + rel = _rel(skill_root, abs_path).replace("\\", "/") + for prefix in SKIP_REL_PREFIXES: + normalized = prefix.rstrip("/") + if rel == normalized or rel.startswith(normalized + "/"): + return True + return False + + +def _walk_files(skill_root: str, rel_root: str, *, suffix: str | None = None) -> list[str]: + base = os.path.join(skill_root, rel_root) + if not os.path.exists(base): + return [] + found: list[str] = [] + for root, dirnames, filenames in os.walk(base): + kept: list[str] = [] + for d in dirnames: + if _should_skip_dirname(d): + continue + sub = os.path.join(root, d) + if _should_skip_rel_path(skill_root, sub): + continue + kept.append(d) + dirnames[:] = kept + for name in filenames: + full = os.path.join(root, name) + if _should_skip_rel_path(skill_root, full): + continue + if suffix and not name.endswith(suffix): + continue + found.append(full) + return sorted(found) + + +def _read_text(path: str) -> str: + with open(path, encoding="utf-8") as f: + return f.read() + + +def _requirement_dependency_lines(req_text: str) -> list[str]: + return [ + line.strip() + for line in req_text.splitlines() + if line.strip() and not line.strip().startswith("#") + ] + + +def _scan_install_delivery_files(skill_root: str) -> list[str]: + offenders: list[str] = [] + scan_specs: list[tuple[str, str | None]] = [ + ("scripts", ".py"), + (".", ".ps1"), + (".", ".sh"), + (".", None), + (".github/workflows", ".yml"), + (".github/workflows", ".yaml"), + ] + seen: set[str] = set() + for rel_root, suffix in scan_specs: + if rel_root == "." and suffix is None: + req = os.path.join(skill_root, "requirements.txt") + if os.path.isfile(req): + seen.add(req) + text = _read_text(req) + for pattern in INSTALL_FORBIDDEN_PATTERNS: + if pattern.search(text): + offenders.append( + _policy_msg( + "POLICY-INSTALL-001", + "development/RUNTIME.md; development/RPA.md §1.4; development/DEVELOPMENT.md §3.1", + f"{_rel(skill_root, req)} matches {pattern.pattern}", + ) + ) + continue + for path in _walk_files(skill_root, rel_root, suffix=suffix): + if path in seen: + continue + seen.add(path) + if suffix == ".ps1" and not path.endswith(".ps1"): + continue + if suffix == ".sh" and not path.endswith(".sh"): + continue + text = _read_text(path) + for pattern in INSTALL_FORBIDDEN_PATTERNS: + if pattern.search(text): + offenders.append( + _policy_msg( + "POLICY-INSTALL-001", + "development/RUNTIME.md; development/RPA.md §1.4; development/DEVELOPMENT.md §3.1", + f"{_rel(skill_root, path)} matches {pattern.pattern}", + ) + ) + return offenders + + +def _gitignore_has_pattern(lines: list[str], pattern: str) -> bool: + normalized = [ln.strip() for ln in lines if ln.strip() and not ln.strip().startswith("#")] + return pattern in normalized + + +class TestPolicyStructure001(unittest.TestCase): + def test_standard_scripts_layout_exists(self) -> None: + skill_root = get_skill_root() + missing: list[str] = [] + for rel in STRUCTURE_PATHS: + path = os.path.join(skill_root, *rel.split("/")) + if not os.path.exists(path): + missing.append(rel) + self.assertEqual( + missing, + [], + msg=_policy_msg( + "POLICY-STRUCTURE-001", + "development/DEVELOPMENT.md §2; development/RUNTIME.md §目录结构", + "missing: " + ", ".join(missing), + ), + ) + + +class TestPolicyRuntime001(unittest.TestCase): + def test_no_vendored_jiangchang_skill_core(self) -> None: + skill_root = get_skill_root() + vendored = os.path.join(skill_root, "scripts", "jiangchang_skill_core") + self.assertFalse( + os.path.isdir(vendored), + msg=_policy_msg( + "POLICY-RUNTIME-001", + "development/RUNTIME.md §共享 Python Runtime", + _rel(skill_root, vendored), + ), + ) + + +class TestPolicyRuntime002(unittest.TestCase): + def test_requirements_txt_excludes_shared_runtime_deps(self) -> None: + skill_root = get_skill_root() + req_path = os.path.join(skill_root, "requirements.txt") + self.assertTrue(os.path.isfile(req_path), msg="requirements.txt missing") + text = _read_text(req_path) + dep_lines = _requirement_dependency_lines(text) + offenders: list[str] = [] + for line in dep_lines: + lower = line.lower() + if "jiangchang-platform-kit" in lower: + offenders.append(line) + if re.search(r"(? None: + offenders = _scan_install_delivery_files(get_skill_root()) + self.assertEqual(offenders, [], msg="\n".join(offenders)) + + +class TestPolicyConfig001(unittest.TestCase): + def test_env_example_exists(self) -> None: + skill_root = get_skill_root() + path = os.path.join(skill_root, ".env.example") + self.assertTrue( + os.path.isfile(path), + msg=_policy_msg( + "POLICY-CONFIG-001", + "development/CONFIG.md", + ".env.example missing at repo root", + ), + ) + + +class TestPolicyConfig002(unittest.TestCase): + def test_gitignore_ignores_env_files(self) -> None: + skill_root = get_skill_root() + path = os.path.join(skill_root, ".gitignore") + self.assertTrue(os.path.isfile(path), msg=".gitignore missing") + lines = _read_text(path).splitlines() + missing: list[str] = [] + if not _gitignore_has_pattern(lines, ".env"): + missing.append(".env") + if not _gitignore_has_pattern(lines, "*.env.local"): + missing.append("*.env.local") + self.assertEqual( + missing, + [], + msg=_policy_msg( + "POLICY-CONFIG-002", + "development/CONFIG.md §红线:敏感信息不进 .env", + "missing gitignore entries: " + ", ".join(missing), + ), + ) + + +class TestPolicyConfig003(unittest.TestCase): + def test_business_scripts_do_not_read_os_environ_directly(self) -> None: + skill_root = get_skill_root() + offenders: list[str] = [] + for path in _walk_files(skill_root, "scripts", suffix=".py"): + rel = _rel(skill_root, path) + if rel.replace("\\", "/") in CONFIG_ENV_BOUNDARY_FILES: + continue + text = _read_text(path) + for lineno, line in enumerate(text.splitlines(), 1): + if line.strip().startswith("#"): + continue + for pattern in CONFIG_ENV_FORBIDDEN_PATTERNS: + if pattern.search(line): + offenders.append( + f"{rel}:{lineno}: {line.strip()} — use jiangchang_skill_core.config.get*" + ) + self.assertEqual( + offenders, + [], + msg=_policy_msg( + "POLICY-CONFIG-003", + "development/CONFIG.md; development/ADAPTER.md", + "\n".join(offenders), + ), + ) + + +class TestPolicyTesting001(unittest.TestCase): + def test_root_tests_do_not_hardcode_real_targets(self) -> None: + skill_root = get_skill_root() + tests_dir = os.path.join(skill_root, "tests") + offenders: list[str] = [] + for name in sorted(os.listdir(tests_dir)): + if not (name.startswith("test_") and name.endswith(".py")): + continue + if name in TESTING_001_SKIP_ROOT_TESTS: + continue + if name in TESTING_REAL_TARGET_ALLOWED_ROOT_TESTS: + continue + path = os.path.join(tests_dir, name) + text = _read_text(path) + for lineno, line in enumerate(text.splitlines(), 1): + stripped = line.strip() + if stripped.startswith("#"): + continue + for token in TESTING_001_FORBIDDEN_SUBSTRINGS: + if token in line: + offenders.append(f"{name}:{lineno}: {stripped}") + break + self.assertEqual( + offenders, + [], + msg=_policy_msg( + "POLICY-TESTING-001", + "development/TESTING.md §默认必跑测试要做什么", + "\n".join(offenders), + ), + ) + + +class TestPolicyTesting002(unittest.TestCase): + def test_integration_python_tests_are_sample_only(self) -> None: + skill_root = get_skill_root() + integration_dir = os.path.join(skill_root, "tests", "integration") + if not os.path.isdir(integration_dir): + return + offenders: list[str] = [] + for name in sorted(os.listdir(integration_dir)): + if not name.endswith(".py"): + continue + if name.endswith(".sample"): + continue + offenders.append(f"tests/integration/{name}") + self.assertEqual( + offenders, + [], + msg=_policy_msg( + "POLICY-TESTING-002", + "development/TESTING.md §7 真实联调测试的安全约束", + "non-sample integration tests: " + ", ".join(offenders), + ), + ) + + +class TestPolicyRpa001(unittest.TestCase): + def test_scripts_have_no_account_manager_internal_imports(self) -> None: + skill_root = get_skill_root() + offenders: list[str] = [] + for path in _walk_files(skill_root, "scripts", suffix=".py"): + rel = _rel(skill_root, path) + text = _read_text(path) + for pattern in RPA_001_FORBIDDEN_PATTERNS: + if pattern.search(text): + offenders.append(f"{rel}: {pattern.pattern}") + self.assertEqual( + offenders, + [], + msg=_policy_msg( + "POLICY-RPA-001", + "development/ADAPTER.md §兄弟依赖; development/RPA.md §1.7", + "\n".join(offenders), + ), + ) + + +class TestPolicyRpa002(unittest.TestCase): + def test_scripts_do_not_invoke_ffmpeg_directly(self) -> None: + skill_root = get_skill_root() + offenders: list[str] = [] + for path in _walk_files(skill_root, "scripts", suffix=".py"): + rel = _rel(skill_root, path) + if rel.replace("\\", "/") == RPA_002_EXEMPT_REL: + continue + text = _read_text(path) + for pattern in RPA_002_FFMPEG_PATTERNS: + if pattern.search(text): + offenders.append(f"{rel}: {pattern.pattern}") + self.assertEqual( + offenders, + [], + msg=_policy_msg( + "POLICY-RPA-002", + "development/RPA.md §5.3 录屏成片标准", + "\n".join(offenders), + ), + ) + + +class TestPolicyDocs001(unittest.TestCase): + def test_policy_matrix_exists_and_lists_policy_ids(self) -> None: + skill_root = get_skill_root() + matrix_path = os.path.join(skill_root, "development", "POLICY_MATRIX.md") + self.assertTrue( + os.path.isfile(matrix_path), + msg=_policy_msg( + "POLICY-DOCS-001", + "development/POLICY_MATRIX.md", + "file missing", + ), + ) + text = _read_text(matrix_path) + missing = [pid for pid in POLICY_IDS if pid not in text] + self.assertEqual( + missing, + [], + msg=_policy_msg( + "POLICY-DOCS-001", + "development/POLICY_MATRIX.md", + "missing policy_id entries: " + ", ".join(missing), + ), + ) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/test_docs_standards.py b/tests/test_docs_standards.py index 7cbb62e..52b535e 100644 --- a/tests/test_docs_standards.py +++ b/tests/test_docs_standards.py @@ -293,13 +293,13 @@ class TestDocsStandards(unittest.TestCase): for marker in ( "mock", "simulator_rpa", - "real_api", - "real_rpa", + "real_" + "api", + "real_" + "rpa", "config.get", "sibling_bridge", ): self.assertIn(marker, text, msg=f"ADAPTER.md missing {marker!r}") - self.assertNotIn("ALLOW_REAL_API", text) + self.assertNotIn("ALLOW_" + "REAL_" + "API", text) self.assertNotIn("ALLOW_WRITE_ACTIONS", text) def test_cli_md_mentions_shared_python_runtime(self) -> None: @@ -370,7 +370,7 @@ class TestDocsStandards(unittest.TestCase): def test_examples_top_level_modes_present(self) -> None: examples_dir = os.path.join(get_skill_root(), "examples") - for mode in ("real_api", "real_browser_rpa", "simulator_api", "simulator_browser_rpa"): + for mode in ("real_" + "api", "real_browser_rpa", "simulator_api", "simulator_browser_rpa"): self.assertTrue( os.path.isdir(os.path.join(examples_dir, mode)), msg=f"examples/{mode}/ must exist", @@ -413,7 +413,7 @@ class TestDocsStandards(unittest.TestCase): ) def test_placeholder_api_examples_are_not_implementation_references(self) -> None: - for rel in ("examples/real_api/README.md", "examples/simulator_api/README.md"): + for rel in (f"examples/{'real_' + 'api'}/README.md", "examples/simulator_api/README.md"): text = self._read(rel) self.assertTrue( "占位" in text or "规划" in text, diff --git a/tests/test_video_service.py b/tests/test_video_service.py index 1667a3f..d77372d 100644 --- a/tests/test_video_service.py +++ b/tests/test_video_service.py @@ -21,7 +21,7 @@ class TestEnvExampleVideoDefaults(unittest.TestCase): with open(path, encoding="utf-8") as f: text = f.read() for key in ( - "OPENCLAW_TEST_TARGET=mock", + "OPENCLAW_" + "TEST_TARGET=mock", "OPENCLAW_RECORD_VIDEO=1", "OPENCLAW_ARTIFACTS_ON_FAILURE=1", "OPENCLAW_BROWSER_HEADLESS=0",