Summary
PR #881 (issue #647) implemented the DinD infrastructure for deployment validation but left significant gaps between the original design in #645 and the actual implementation. The infrastructure layer (DinD manager, devserver manager, network creation, compose extraction) is solid, but it's operationally disconnected from the pipeline execution path. None of the deployment validation features are automatically triggered during the SDLC pipeline.
This issue tracks the remaining work to close the gap.
Gap Inventory
Critical: Production pipeline wiring
1. DinD not wired to production spawn path
container_spawner.py accepts integration_test_enabled but pipelines.py never passes it when spawning tester agents. The parameter propagates only through the spawn_fn callback path used in tests/local mode. Documented as "Phase 2 deferred" in container_spawner.py:214-244.
2. No automatic triggering of deployment checks
The devserver REST API endpoints exist (POST /deployment-check/start, GET /status, POST /teardown) but nothing in the pipeline execution calls them. Deployment validation requires manual REST calls from the sandbox — there's no integration point where the check phase automatically starts the devserver, runs health checks, and tears down.
3. DeploymentCheck runner not integrated into check phase
.github/scripts/checks/deployment_check.py (446 lines) exists but is not listed in phase_defaults.py implement checks and has no automatic invocation mechanism. It's an orphaned file.
4. No check-deployment phase definition
phase_defaults.py defines only REFINE → PLAN → IMPLEMENT → PR. The original design implied a check-deployment CheckDefinition within the implement phase, but this was never added.
Major: Security and isolation gaps
5. Inter-container network isolation not active
devserver.py creates per-service scoped networks (_create_scoped_network()) but never attaches containers to them. All devserver containers share the single egg-check bridge network. Line 278 hardcodes "networks": [self._network_name] for all services, so a compromised service container can reach every other container (DB emulators, caches, etc.) — the original design called for restricting inter-container traffic to only required paths.
6. Validation tests defined but not executed
DeploymentConfig accepts ValidationTest objects (smoke tests, health checks) via the contract, but DevserverManager.start() never runs them. The config is parsed and validated but ignored at runtime.
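To make item 6 concrete, here is an added example (not the project's DevserverManager, and not code from this issue) of what "running the validation tests from the contract" looks like: poll each test until its expected status appears or its time budget runs out, record failures instead of raising so every failure is reported before teardown. `ValidationTest`, `Result` and `run_validation_tests` are hypothetical shapes, and the local HTTP server is a stand-in for a devserver container so the block runs offline.

```python
"""Contract validation tests executed against a started devserver.

Added example; the names and the stub server are assumptions, not the
project's API. /healthz answers 200, /ready answers 503 (a service that
never becomes ready), anything else 404.
"""
import http.client
import threading
import time
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer


@dataclass(frozen=True)
class ValidationTest:
    name: str
    path: str
    expected_status: int = 200
    timeout_s: float = 2.0      # total budget for retries while the service boots
    interval_s: float = 0.1     # pause between attempts


@dataclass
class Result:
    name: str
    passed: bool
    attempts: int
    detail: str


def _probe(host: str, port: int, path: str) -> int:
    conn = http.client.HTTPConnection(host, port, timeout=1.0)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def run_validation_tests(host: str, port: int, tests: list) -> list:
    """Run every test; a failure is recorded, not raised, so the caller can
    still tear the devserver down and report all failures at once."""
    results = []
    for t in tests:
        deadline = time.monotonic() + t.timeout_s
        attempts, last = 0, "no attempt"
        while True:
            attempts += 1
            try:
                status = _probe(host, port, t.path)
                last = f"HTTP {status}"
                if status == t.expected_status:
                    results.append(Result(t.name, True, attempts, last))
                    break
            except OSError as e:        # connection refused / timeout during startup
                last = f"{type(e).__name__}: {e}"
            if time.monotonic() >= deadline:
                results.append(Result(t.name, False, attempts, last))
                break
            time.sleep(t.interval_s)
    return results


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a devserver container."""
    def do_GET(self):
        code = {"/healthz": 200, "/ready": 503}.get(self.path, 404)
        self.send_response(code)
        self.end_headers()

    def log_message(self, *args):   # keep the example quiet
        pass


def start_stub_server() -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), _StubHandler)   # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Start the stub, run three tests, tear down, return name -> passed."""
    srv = start_stub_server()
    try:
        tests = [
            ValidationTest("health", "/healthz"),
            ValidationTest("readiness", "/ready", timeout_s=0.3),
            ValidationTest("missing-route", "/nope", expected_status=404),
        ]
        results = run_validation_tests("127.0.0.1", srv.server_port, tests)
    finally:
        srv.shutdown()          # teardown happens even when tests fail
        srv.server_close()
    return {r.name: r.passed for r in results}


if __name__ == "__main__":
    print(demo())
```

The retry loop is the part that matters for a devserver: the first probe usually lands before the service is listening, so a single-shot check would fail spuriously, while an unbounded loop would hang the check phase on a service that never comes up.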
Medium: Operational gaps
7. No full pipeline integration test
test_deployment_check_e2e.py tests DevserverManager in isolation but doesn't test the end-to-end flow: automatic triggering during IMPLEMENT → sandbox-to-orchestrator API calls → multi-service validation → failure handling and recovery.
8. Per-service network attachment not implemented
Even though _create_scoped_network() creates networks, no logic attaches specific services to their scoped networks. The checker is attached only to the main egg-check network (attach_checker() line 924), not to per-service scoped networks.
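Items 5 and 8 describe the same missing step: a scoped network is created, but every service's `networks` key is still the single shared bridge. The block below is an added example (not the project's devserver.py) of the rewrite that closes the gap at the compose level: one `internal: true` network per allowed service pair, each service attached only to the networks it shares with a required peer. `scope_networks`, `can_reach` and `lateral_paths` are hypothetical helpers; the compose dict and `ALLOWED_LINKS` ("required paths") are constructed.

```python
"""Per-service scoped networks derived from allowed service links.

Added example, not project code. Two containers can talk iff they share
a network, so a pair that is not in ALLOWED_LINKS ends up with no common
network and therefore no path.
"""
import copy
from itertools import combinations

SHARED_NETWORK = "egg-check"

# Constructed: the shape produced today, every service on one shared network.
COMPOSE = {
    "services": {
        "web": {"image": "web:latest", "networks": [SHARED_NETWORK]},
        "db": {"image": "postgres:16", "networks": [SHARED_NETWORK]},
        "cache": {"image": "redis:7", "networks": [SHARED_NETWORK]},
        "worker": {"image": "worker:latest", "networks": [SHARED_NETWORK]},
    },
    "networks": {SHARED_NETWORK: {"internal": True}},
}

# Assumed "required paths": the only pairs that need to reach each other.
ALLOWED_LINKS = {("web", "db"), ("web", "cache"), ("worker", "db")}


def _scoped_name(a: str, b: str) -> str:
    """Deterministic name for the network shared by exactly two services."""
    a, b = sorted((a, b))
    return f"{SHARED_NETWORK}-{a}-{b}"


def scope_networks(compose: dict, allowed_links: set) -> dict:
    """Return a copy of `compose` in which each service joins only the
    internal networks it shares with a required peer."""
    out = copy.deepcopy(compose)
    services = out["services"]
    unknown = {s for link in allowed_links for s in link} - set(services)
    if unknown:
        raise ValueError(f"allowed_links names unknown services: {sorted(unknown)}")
    out["networks"] = {}
    for svc in services.values():
        svc["networks"] = []
    for a, b in sorted(tuple(sorted(link)) for link in allowed_links):
        name = _scoped_name(a, b)
        out["networks"][name] = {"internal": True}   # air-gapped, like egg-check
        services[a]["networks"].append(name)
        services[b]["networks"].append(name)
    # A service nobody needs to reach must still not fall back to compose's
    # default bridge, so it gets an isolated network of its own.
    for name, svc in services.items():
        if not svc["networks"]:
            iso = f"{SHARED_NETWORK}-{name}-isolated"
            out["networks"][iso] = {"internal": True}
            svc["networks"].append(iso)
    return out


def can_reach(compose: dict, a: str, b: str) -> bool:
    """True when services a and b share at least one network."""
    nets_a = set(compose["services"][a].get("networks", []))
    nets_b = set(compose["services"][b].get("networks", []))
    return bool(nets_a & nets_b)


def lateral_paths(compose: dict) -> set:
    """Every unordered service pair that can currently reach each other;
    useful as an assertion in a test of the generated compose file."""
    names = sorted(compose["services"])
    return {(a, b) for a, b in combinations(names, 2) if can_reach(compose, a, b)}


if __name__ == "__main__":
    print("before:", sorted(lateral_paths(COMPOSE)))
    print("after: ", sorted(lateral_paths(scope_networks(COMPOSE, ALLOWED_LINKS))))
```

`lateral_paths` is the check a pipeline integration test should assert on: before the rewrite every pair is reachable, afterwards only the allowed ones are.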
9. Health endpoint discovery is manual-only
DeploymentConfig requires explicit health_endpoints dict. No auto-detection of exposed ports or health check endpoints from Docker/compose configs. Services without explicit config won't be health-checked.
Low: Edge cases
10. Changed files detection fallback
_get_changed_files() falls back to a HEAD~1 diff when origin/main is unreachable. That captures only the last commit, so changes an agent spread across several commits are missed.
11. Multi-port service handling
_get_container_endpoint() uses the first exposed port from Docker config. Multi-port containers aren't handled explicitly (documented limitation).
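Items 9 and 11 point at the same parser: health endpoints have to be written by hand, and a multi-port container is reduced to its first port. The block below is an added example (not the project's `_get_container_endpoint()` or DeploymentConfig) of discovering candidate health endpoints from the compose service definitions themselves: every container-side port from `ports` (short and long syntax) and `expose`, plus the URL in a `healthcheck.test` command when one exists. `discover_health_endpoints`, `unchecked_services` and `Endpoint` are hypothetical names; `SAMPLE_SERVICES` is constructed.

```python
"""Candidate health endpoints discovered from compose service definitions.

Added example, not project code. Every exposed port becomes a candidate,
so a multi-port service is not silently reduced to its first port, and a
healthcheck URL (when present) supplies the path to probe.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample covering short/long port syntax, expose, and a healthcheck.
SAMPLE_SERVICES = {
    "api": {
        "ports": ["8080:80", "127.0.0.1:9090:9090/tcp", 5000],
        "healthcheck": {"test": ["CMD", "curl", "-f", "http://localhost:9090/healthz"]},
    },
    "db": {"expose": ["5432"]},
    "metrics": {"ports": [{"target": 9100, "published": 9100, "protocol": "tcp"}]},
    "batch": {"image": "batch:latest"},   # nothing listening: cannot be health-checked
}

URL_RE = re.compile(r"(https?)://[^/\s:]+(?::(\d+))?(/\S*)?")


@dataclass(frozen=True)
class Endpoint:
    service: str
    port: int
    path: str      # "/" unless the healthcheck names a path
    source: str    # "healthcheck", "ports" or "expose"


def _container_port(entry) -> Optional[int]:
    """Container-side port from any compose `ports` entry."""
    if isinstance(entry, dict):                      # long syntax
        return int(entry["target"]) if "target" in entry else None
    if isinstance(entry, int):
        return entry
    spec = str(entry).split("/")[0]                  # drop "/tcp" or "/udp"
    return int(spec.rsplit(":", 1)[-1])              # last field is the container port


def _healthcheck_url(hc: Optional[dict]):
    """(port, path) from a healthcheck command that contains an http(s) URL."""
    if not hc:
        return None
    test = hc.get("test")
    cmd = " ".join(map(str, test)) if isinstance(test, (list, tuple)) else str(test or "")
    m = URL_RE.search(cmd)
    if not m:
        return None
    port = int(m.group(2)) if m.group(2) else (443 if m.group(1) == "https" else 80)
    return port, m.group(3) or "/"


def discover_health_endpoints(services: dict) -> list:
    found = []
    for name, svc in services.items():
        seen = set()
        hc = _healthcheck_url(svc.get("healthcheck"))
        if hc:                                        # the most specific signal first
            port, path = hc
            found.append(Endpoint(name, port, path, "healthcheck"))
            seen.add(port)
        candidates = [(_container_port(p), "ports") for p in svc.get("ports", [])]
        candidates += [(int(str(p).split("/")[0]), "expose") for p in svc.get("expose", [])]
        for port, source in candidates:
            if port is not None and port not in seen:
                found.append(Endpoint(name, port, "/", source))
                seen.add(port)
    return found


def unchecked_services(services: dict) -> list:
    """Services with no candidate at all; the check phase should say so
    loudly instead of silently skipping them."""
    covered = {e.service for e in discover_health_endpoints(services)}
    return sorted(set(services) - covered)


if __name__ == "__main__":
    for e in discover_health_endpoints(SAMPLE_SERVICES):
        print(e)
    print("unchecked:", unchecked_services(SAMPLE_SERVICES))
```

An explicit `health_endpoints` entry in DeploymentConfig should still win over anything discovered here; discovery only fills in services that would otherwise go unchecked, and it surfaces those that cannot be checked at all.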
Architectural deviations from #645
| Design spec | What was built |
|---|---|
| Automatic deployment validation during check phase | Manual REST API endpoints, nothing calls them |
| check-deployment CheckDefinition in phase defaults | No check definition added |
| Per-service scoped networks restricting lateral movement | Single shared egg-check network for all containers |
| Orchestrator runs validation tests from contract | Validation test config accepted but ignored |
| DinD available to tester agents in production | DinD only works via spawn_fn callback (test/local) |
What works today
The infrastructure layer is solid and well-tested (~4,800 lines):
- DinD manager: full lifecycle, watchdog, image preload ✅
- DevserverManager: compose extraction from HEAD, RO mounts, resource limits ✅
- egg-check network: internal:true, air-gapped ✅
- Service mapping: file path → service resolution ✅
- Image pre-pull: both native and DinD paths ✅
- Security model: no credentials, committed compose, ephemeral teardown ✅
Suggested approach
The highest-value work is wiring the existing infrastructure to the pipeline:
- Pass `integration_test_enabled=True` in `pipelines.py` when spawning tester agents
- Add `check-deployment` to `phase_defaults.py` implement checks (start as `required=False`)
- Wire automatic devserver start/teardown around the deployment check
- Enable per-service scoped network attachment
- Execute validation tests from contract config
- Add end-to-end pipeline integration test
Closes #645
Authored-by: egg