diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index cea850f..260ff7d 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -417,32 +417,32 @@ jobs:
 - name: Run tests - ${{ matrix.build_config.name }}
 run: |
 echo "=== Testing ${{ matrix.build_config.name }} build (CGO_ENABLED=${{ matrix.build_config.cgo_enabled }}, tags=${{ matrix.build_config.tags }}) ==="
- CGO_ENABLED=${{ matrix.build_config.cgo_enabled }} go test -tags "${{ matrix.build_config.tags }}" -v ./tests/unit/... || true
+ CGO_ENABLED=${{ matrix.build_config.cgo_enabled }} go test -tags "${{ matrix.build_config.tags }}" -v ./internal/... || true
 - name: Run plugin quota tests
 run: |
 echo "=== Running Plugin GPU Quota tests ==="
- go test -v ./tests/unit/scheduler/... -run TestPluginQuota
+ go test -v ./internal/scheduler/... -run TestPluginQuota
 - name: Run service templates tests
 run: |
 echo "=== Running Service Templates tests ==="
- go test -v ./tests/unit/scheduler/... -run TestServiceTemplate
+ go test -v ./internal/scheduler/... -run TestServiceTemplate
 - name: Run scheduler tests
 run: |
 echo "=== Running Scheduler tests ==="
- go test -v ./tests/unit/scheduler/... -run TestScheduler
+ go test -v ./internal/scheduler/... -run TestScheduler
 - name: Run vLLM plugin tests
 run: |
 echo "=== Running vLLM Plugin tests ==="
- go test -v ./tests/unit/worker/plugins/... -run TestVLLM
+ go test -v ./internal/worker/plugins/... -run TestVLLM
 - name: Run audit tests
 run: |
 echo "=== Running Audit Logging tests ==="
- go test -v ./tests/unit/security/... -run TestAudit
+ go test -v ./internal/security/... -run TestAudit
 go test -v ./tests/integration/audit/...
 build-trigger:
diff --git a/.forgejo/workflows/security-modes-test.yml b/.forgejo/workflows/security-modes-test.yml
index 11b794a..60b4f74 100644
--- a/.forgejo/workflows/security-modes-test.yml
+++ b/.forgejo/workflows/security-modes-test.yml
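Review bot: The rewritten `go test ... -v ./internal/... || true` line keeps the `|| true` suffix, so the "Run tests" step cannot fail even though it now covers every package under `internal/`; the last step of the security-modes-test.yml hunk (`go test -v ./internal/security/... || true`) has the same masking. test-matrix.yml in this same change runs the identical package set without `|| true`, so the two workflows will disagree on a red test and the ci.yml matrix job reports green regardless. If the intent is to tolerate known-flaky configurations, a step-level `continue-on-error: true` keeps the failure visible in the job summary; otherwise drop the suffix: `CGO_ENABLED=${{ matrix.build_config.cgo_enabled }} go test -tags "${{ matrix.build_config.tags }}" -v ./internal/...`. The `-run`-filtered steps that follow re-execute subsets of the same packages without the build tags, which looks redundant once the full run is allowed to fail. The job definition starts before the hunk.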
@@ -78,36 +78,36 @@ jobs:
 if: matrix.security_mode == 'hipaa'
 run: |
 echo "=== Running HIPAA-specific validation tests ==="
- go test -v ./tests/unit/security/... -run TestHIPAAValidation
+ go test -v ./internal/security/... -run TestHIPAAValidation
 - name: Run PHI denylist tests
 if: matrix.security_mode == 'hipaa'
 run: |
 echo "=== Running PHI denylist validation tests ==="
- go test -v ./tests/unit/security/... -run TestPHIDenylist
+ go test -v ./internal/security/... -run TestPHIDenylist
 - name: Run artifact ingestion cap tests
 if: matrix.security_mode == 'hipaa'
 run: |
 echo "=== Running artifact ingestion cap tests ==="
- go test -v ./tests/unit/security/... -run TestArtifactIngestionCaps
+ go test -v ./internal/security/... -run TestArtifactIngestionCaps
 - name: Run config hash tests
 if: matrix.security_mode == 'hipaa'
 run: |
 echo "=== Running config hash computation tests ==="
- go test -v ./tests/unit/security/... -run TestConfigHash
+ go test -v ./internal/security/... -run TestConfigHash
 - name: Run inline credential rejection tests
 if: matrix.security_mode == 'hipaa'
 run: |
 echo "=== Running inline credential rejection tests ==="
- go test -v ./tests/unit/security/... -run TestHIPAAValidation_InlineCredentials
+ go test -v ./internal/security/... -run TestHIPAAValidation_InlineCredentials
 - name: Test config validation for ${{ matrix.security_mode }} mode
 run: |
 echo "=== Testing config validation for ${{ matrix.security_mode }} mode ==="
- go test -v ./tests/unit/security/... || true
+ go test -v ./internal/security/... || true
 - name: Verify compliance mode in config
 run: |
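Review bot: `go test -run` takes an unanchored regular expression, so the `-run TestHIPAAValidation` step at the top of the hunk already executes `TestHIPAAValidation_InlineCredentials`, and the later "Run inline credential rejection tests" step runs it a second time; `-run TestConfigHash` likewise selects every test whose name contains that prefix. If the steps are meant to be disjoint, anchor the patterns, e.g. `go test -v ./internal/security/... -run '^TestHIPAAValidation$'` for the first step (its subtests still run, since the pattern has no `/` element). The job and its `security_mode` matrix definition start before the hunk.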
@@ -157,19 +157,19 @@ EOF
 # which is tested by the unit tests above
 # Check that the test covers all required validations
- if grep -r "compliance_mode" tests/unit/security/hipaa*.go 2>/dev/null; then
+ if grep -r "compliance_mode" internal/security/hipaa*.go 2>/dev/null; then
 echo "✓ compliance_mode validation is tested"
 fi
- if grep -r "network_mode" tests/unit/security/hipaa*.go 2>/dev/null; then
+ if grep -r "network_mode" internal/security/hipaa*.go 2>/dev/null; then
 echo "✓ network_mode validation is tested"
 fi
- if grep -r "no_new_privileges" tests/unit/security/hipaa*.go 2>/dev/null; then
+ if grep -r "no_new_privileges" internal/security/hipaa*.go 2>/dev/null; then
 echo "✓ no_new_privileges validation is tested"
 fi
- if grep -r "seccomp_profile" tests/unit/security/hipaa*.go 2>/dev/null; then
+ if grep -r "seccomp_profile" internal/security/hipaa*.go 2>/dev/null; then
 echo "✓ seccomp_profile validation is tested"
 fi
diff --git a/.forgejo/workflows/test-matrix.yml b/.forgejo/workflows/test-matrix.yml
index be7ce4b..b36f5cd 100644
--- a/.forgejo/workflows/test-matrix.yml
+++ b/.forgejo/workflows/test-matrix.yml
@@ -32,7 +32,7 @@ jobs:
 - name: Run unit tests
 run: |
 export FETCHML_NATIVE_LIBS=$([ "${{ matrix.build_type }}" = "native" ] && echo "1" || echo "0")
- go test -v ./tests/unit/...
+ go test -v ./internal/...
 - name: Run integration tests
 run: |
diff --git a/.forgejo/workflows/verification.yml b/.forgejo/workflows/verification.yml
index 5e9ccb3..1c47716 100644
--- a/.forgejo/workflows/verification.yml
+++ b/.forgejo/workflows/verification.yml
@@ -78,7 +78,7 @@ jobs:
 go-version: '1.25'
 - name: Run audit chain verifier tests
- run: go test ./tests/unit/audit/... -run TestChainVerifier -v
+ run: go test -v ./internal/audit/... -run TestChainVerifier -v
 - name: Build audit verifier tool
 run: go build -o bin/audit-verifier ./cmd/audit-verifier/
diff --git a/AGENTS.md b/AGENTS.md
index 52c259c..72706f9 100644
--- a/AGENTS.md
+++ b/AGENTS.md
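Review bot: Each of the four rewritten `if grep -r ... internal/security/hipaa*.go 2>/dev/null; then` checks only echoes on a hit and has no `else`, so a keyword that is no longer covered — or a glob that matches nothing after exactly this kind of file move, which the `2>/dev/null` also hides — leaves the step green with no output at all. Since the step is presented as a verification of the HIPAA validations, a miss should fail the job; the four near-identical blocks can also collapse into one loop as below. The step's `run:` block and the heredoc that precedes it start outside the hunk.
```yaml
        # … unchanged: heredoc and the two explanatory comments above …
        for key in compliance_mode network_mode no_new_privileges seccomp_profile; do
          if grep -rq "$key" internal/security/hipaa*.go 2>/dev/null; then
            echo "✓ $key validation is tested"
          else
            echo "✗ $key validation is not covered by internal/security/hipaa*.go" >&2
            exit 1
          fi
        done
```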
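Review bot: The new `run: go test -v ./internal/audit/... -run TestChainVerifier -v` in the verification.yml hunk passes `-v` twice, once added at the front and once kept from the old line; Go's flag parsing accepts the repeat, so it is harmless, but it reads like a leftover from the edit. The other workflows in this change put `-v` before the package list, so `run: go test -v ./internal/audit/... -run TestChainVerifier` matches them.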
@@ -124,3 +124,39 @@ cd cli && zig fmt .
 - Go 1.25+, Zig 0.15+, Python 3.11+
 - Redis (integration tests), Docker/Podman (container tests)
+
+---
+
+## Known Limitations
+
+See `docs/known-limitations.md` for full details.
+
+**Key items**:
+- **AMD GPU**: Not implemented. Use NVIDIA, Apple Silicon, or CPU. Mock available for testing.
+- **100+ node gang allocation**: Stress testing not yet implemented.
+- **Podman-in-Docker CI**: Requires privileged mode, not yet automated.
+
+**Error Handling**:
+```go
+// For unimplemented features:
+return apierrors.NewNotImplemented("feature name")
+
+// Validation:
+if err := detectionResult.Validate(); err != nil {
+ return err // Clear error message for user
+}
+```
+
+**Container Rule Reminder**:
+- Docker = testing & deployments
+- Podman = experiment isolation only
+
+---
+
+## Error Codes
+
+| Code | HTTP Status | Use Case |
+|------|-------------|----------|
+| `NOT_IMPLEMENTED` | 501 | Feature planned but not available |
+| `NOT_FOUND` | 404 | Resource doesn't exist |
+| `INVALID_CONFIGURATION` | 400 | Bad config (e.g., AMD GPU in production) |
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index b34d224..f4ddce3 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -89,7 +89,7 @@ make test
 We maintain comprehensive test coverage across multiple categories:
-- **Unit tests**: Fast tests for individual components (`tests/unit/`)
+- **Unit tests**: Fast tests for individual components (`internal/`)
 - **Integration tests**: Test component interactions (`tests/integration/`)
 - **Property-based tests**: Verify invariants using gopter (`tests/property/`)
 - **Fault injection tests**: Test failure scenarios (`tests/fault/`)
diff --git a/docs/TEST_COVERAGE_MAP.md b/docs/TEST_COVERAGE_MAP.md
index 8050cd1..7e7dc8c 100644
--- a/docs/TEST_COVERAGE_MAP.md
+++ b/docs/TEST_COVERAGE_MAP.md
@@ -27,17 +27,17 @@ This document is a companion to the Security Plan and Verification Plan. It does | Requirement | Test | Location | Status | |---|---|---|---| -| Config file integrity / signature verification | `TestConfigIntegrityVerification` | `tests/unit/security/config_integrity_test.go` | `✓ Exists` — Tests config loading, signing, and tamper detection (lines 14-127) | -| `compliance_mode: hipaa` enforces network_mode | `TestHIPAAValidation_NetworkMode` | `tests/unit/security/hipaa_test.go` | `✓ Exists` | -| `compliance_mode: hipaa` enforces no_new_privileges | `TestHIPAAValidation_NoNewPrivileges` | `tests/unit/security/hipaa_test.go` | `✓ Exists` | -| `compliance_mode: hipaa` enforces seccomp_profile | `TestHIPAAValidation_SeccompProfile` | `tests/unit/security/hipaa_test.go` | `✓ Exists` | -| `compliance_mode: hipaa` rejects inline credentials | `TestHIPAAValidation_InlineCredentials` | `tests/unit/security/hipaa_test.go` | `✓ Exists` — Now includes env var expansion verification for RedisPassword (lines 132-140) | -| `AllowedSecrets` PHI denylist enforced at `Validate()` | `TestPHIDenylist_Validation` | `tests/unit/security/hipaa_test.go` | `✓ Exists` | -| Manifest filename includes nonce | `TestManifestFilenameNonce` | `tests/unit/security/manifest_filename_test.go` | `✓ Exists` — Verifies cryptographic nonce generation and filename pattern (lines 17-140) | -| Artifact ingestion file count cap | `TestArtifactIngestionCaps` | `tests/unit/security/hipaa_test.go` | `✓ Exists` | -| Artifact ingestion total size cap | `TestArtifactIngestionCaps` | `tests/unit/security/hipaa_test.go` | `✓ Exists` | -| GPU detection method logged at startup | `TestGPUDetectionAudit` | `tests/unit/security/gpu_audit_test.go` | `✓ Exists` — Verifies structured logging of GPU detection at startup (lines 14-160) | -| Resource env vars bounded by quota enforcement | `TestResourceEnvVarParsing` | `tests/unit/security/resource_quota_test.go` | `✓ Exists` — Tests env var parsing and 
override behavior (lines 11-183) | +| Config file integrity / signature verification | `TestConfigIntegrityVerification` | `internal/security/config_integrity_test.go` | `✓ Exists` — Tests config loading, signing, and tamper detection (lines 14-127) | +| `compliance_mode: hipaa` enforces network_mode | `TestHIPAAValidation_NetworkMode` | `internal/security/hipaa_test.go` | `✓ Exists` | +| `compliance_mode: hipaa` enforces no_new_privileges | `TestHIPAAValidation_NoNewPrivileges` | `internal/security/hipaa_test.go` | `✓ Exists` | +| `compliance_mode: hipaa` enforces seccomp_profile | `TestHIPAAValidation_SeccompProfile` | `internal/security/hipaa_test.go` | `✓ Exists` | +| `compliance_mode: hipaa` rejects inline credentials | `TestHIPAAValidation_InlineCredentials` | `internal/security/hipaa_test.go` | `✓ Exists` — Now includes env var expansion verification for RedisPassword (lines 132-140) | +| `AllowedSecrets` PHI denylist enforced at `Validate()` | `TestPHIDenylist_Validation` | `internal/security/hipaa_test.go` | `✓ Exists` | +| Manifest filename includes nonce | `TestManifestFilenameNonce` | `internal/security/manifest_filename_test.go` | `✓ Exists` — Verifies cryptographic nonce generation and filename pattern (lines 17-140) | +| Artifact ingestion file count cap | `TestArtifactIngestionCaps` | `internal/security/hipaa_test.go` | `✓ Exists` | +| Artifact ingestion total size cap | `TestArtifactIngestionCaps` | `internal/security/hipaa_test.go` | `✓ Exists` | +| GPU detection method logged at startup | `TestGPUDetectionAudit` | `internal/security/gpu_audit_test.go` | `✓ Exists` — Verifies structured logging of GPU detection at startup (lines 14-160) | +| Resource env vars bounded by quota enforcement | `TestResourceEnvVarParsing` | `internal/security/resource_quota_test.go` | `✓ Exists` — Tests env var parsing and override behavior (lines 11-183) | --- 
@@ -45,20 +45,20 @@ This document is a companion to the Security Plan and Verification Plan. It does | Requirement | Test | Location | Status | |---|---|---|---| -| R.1 — `manifest.Artifacts.Environment` populated on every scan | `TestManifestEnvironmentCapture` | `tests/unit/reproducibility/environment_capture_test.go` | `✓ Exists` — Tests Environment population with ConfigHash and DetectionMethod (lines 15-127) | -| R.1 — `Environment.ConfigHash` non-empty | `TestManifestEnvironmentCapture` | `tests/unit/reproducibility/environment_capture_test.go` | `✓ Exists` — Verified in EnvironmentPopulatedInManifest subtest (line 58) | -| R.1 — `Environment.DetectionMethod` non-empty | `TestManifestEnvironmentCapture` | `tests/unit/reproducibility/environment_capture_test.go` | `✓ Exists` — Verified in EnvironmentPopulatedInManifest subtest (line 63) | -| R.2 — Resolved config hash stable (same input → same hash) | `TestConfigHash_Computation` | `tests/unit/security/hipaa_test.go` | `✓ Exists` | -| R.2 — Resolved config hash differs on changed input | `TestConfigHash_Computation` | `tests/unit/security/hipaa_test.go` | `✓ Exists` | -| R.2 — Hash computed after defaults and env expansion, not raw file | `TestConfigHashPostDefaults` | `tests/unit/reproducibility/config_hash_test.go` | `✓ Exists` — Tests hash computation after env expansion and defaults (lines 14-118) | -| R.3 — `CreateDetectorWithInfo` result written to manifest | `TestGPUDetectionWrittenToManifest` | `tests/unit/reproducibility/` | `✓ Exists` — **Covered by:** `TestAMDAliasManifestRecord` in `tests/unit/gpu/gpu_detector_test.go` tests GPU detection and manifest recording (lines 87-138) | -| R.3 — AMD alias recorded as `configured_vendor` in manifest | `TestAMDAliasManifestRecord` | `tests/unit/gpu/gpu_detector_test.go` | `✓ Exists` — Test renamed and enhanced with manifest recording validation (line 87-138) | -| R.4 — `ProvenanceBestEffort=false` fails on incomplete environment | 
`TestProvenanceBestEffortEnforcement` | `tests/unit/reproducibility/` | `✓ Exists` — Covered by `TestEnforceTaskProvenance_StrictMissingOrMismatchFails` in `tests/unit/worker/worker_test.go` | -| R.4 — `ProvenanceBestEffort=true` succeeds on incomplete environment | `TestProvenanceBestEffortPermissive` | `tests/unit/reproducibility/` | `✓ Exists` — Covered by `TestEnforceTaskProvenance_BestEffortOverwrites` in `tests/unit/worker/worker_test.go` | -| R.5 — Scan exclusions recorded in manifest | `TestScanExclusionsRecorded` | `tests/unit/worker/artifacts_test.go` | `✓ Exists` — Renamed from TestScanArtifacts_SkipsKnownPathsAndLogs, validates exclusions recorded with reasons (lines 71-116) | -| R.5 — `*.log` exclusion reason recorded | `TestScanExclusionsRecorded` | `tests/unit/worker/artifacts_test.go` | `✓ Exists` — Verified in exclusion reason check (line 85) | -| R.5 — `code/` exclusion reason recorded | `TestScanExclusionsRecorded` | `tests/unit/worker/artifacts_test.go` | `✓ Exists` — Verified in exclusion reason check (line 87) | -| R.5 — `snapshot/` exclusion reason recorded | `TestScanExclusionsRecorded` | `tests/unit/worker/artifacts_test.go` | `✓ Exists` — Verified in exclusion reason check (line 89) | +| R.1 — `manifest.Artifacts.Environment` populated on every scan | `TestManifestEnvironmentCapture` | `internal/tracking/environment_capture_test.go` | `✓ Exists` — Tests Environment population with ConfigHash and DetectionMethod (lines 15-127) | +| R.1 — `Environment.ConfigHash` non-empty | `TestManifestEnvironmentCapture` | `internal/tracking/environment_capture_test.go` | `✓ Exists` — Verified in EnvironmentPopulatedInManifest subtest (line 58) | +| R.1 — `Environment.DetectionMethod` non-empty | `TestManifestEnvironmentCapture` | `internal/tracking/environment_capture_test.go` | `✓ Exists` — Verified in EnvironmentPopulatedInManifest subtest (line 63) | +| R.2 — Resolved config hash stable (same input → same hash) | `TestConfigHash_Computation` | 
`internal/security/hipaa_test.go` | `✓ Exists` | +| R.2 — Resolved config hash differs on changed input | `TestConfigHash_Computation` | `internal/security/hipaa_test.go` | `✓ Exists` | +| R.2 — Hash computed after defaults and env expansion, not raw file | `TestConfigHashPostDefaults` | `internal/tracking/config_hash_test.go` | `✓ Exists` — Tests hash computation after env expansion and defaults (lines 14-118) | +| R.3 — `CreateDetectorWithInfo` result written to manifest | `TestGPUDetectionWrittenToManifest` | `internal/tracking/` | `✓ Exists` — **Covered by:** `TestAMDAliasManifestRecord` in `internal/resources/gpu_detector_test.go` tests GPU detection and manifest recording (lines 87-138) | +| R.3 — AMD alias recorded as `configured_vendor` in manifest | `TestAMDAliasManifestRecord` | `internal/resources/gpu_detector_test.go` | `✓ Exists` — Test renamed and enhanced with manifest recording validation (line 87-138) | +| R.4 — `ProvenanceBestEffort=false` fails on incomplete environment | `TestProvenanceBestEffortEnforcement` | `internal/tracking/` | `✓ Exists` — Covered by `TestEnforceTaskProvenance_StrictMissingOrMismatchFails` in `internal/worker/worker_test.go` | +| R.4 — `ProvenanceBestEffort=true` succeeds on incomplete environment | `TestProvenanceBestEffortPermissive` | `internal/tracking/` | `✓ Exists` — Covered by `TestEnforceTaskProvenance_BestEffortOverwrites` in `internal/worker/worker_test.go` | +| R.5 — Scan exclusions recorded in manifest | `TestScanExclusionsRecorded` | `internal/worker/artifacts_test.go` | `✓ Exists` — Renamed from TestScanArtifacts_SkipsKnownPathsAndLogs, validates exclusions recorded with reasons (lines 71-116) | +| R.5 — `*.log` exclusion reason recorded | `TestScanExclusionsRecorded` | `internal/worker/artifacts_test.go` | `✓ Exists` — Verified in exclusion reason check (line 85) | +| R.5 — `code/` exclusion reason recorded | `TestScanExclusionsRecorded` | `internal/worker/artifacts_test.go` | `✓ Exists` — Verified in 
exclusion reason check (line 87) | +| R.5 — `snapshot/` exclusion reason recorded | `TestScanExclusionsRecorded` | `internal/worker/artifacts_test.go` | `✓ Exists` — Verified in exclusion reason check (line 89) | --- @@ -68,7 +68,7 @@ This document is a companion to the Security Plan and Verification Plan. It does |---|---|---|---| | `manifest.Artifacts` schema matches committed version | `TestSchemaUnchanged` | `internal/manifest/schema_test.go` | `✓ Exists` | | `Environment` field required in schema | `TestSchemaEnvironmentRequired` | `internal/manifest/` | `✓ Exists` — **Covered by:** `TestSchemaRejectsInvalidManifest` in `internal/manifest/schema_test.go` validates missing `environment.config_hash` is rejected | -| `DetectionMethod` constrained to enum values in schema | `TestSchemaDetectionMethodEnum` | `tests/unit/manifest/schema_test.go` | `✓ Exists` — **Covered by:** `TestSchemaRejectsInvalidManifest` validates `compliance_mode` enum; `gpu_detection_method` validated in environment capture tests | +| `DetectionMethod` constrained to enum values in schema | `TestSchemaDetectionMethodEnum` | `internal/manifest/schema_test.go` | `✓ Exists` — **Covered by:** `TestSchemaRejectsInvalidManifest` validates `compliance_mode` enum; `gpu_detection_method` validated in environment capture tests | --- @@ -92,7 +92,7 @@ Not tests themselves — packages and targets that must achieve >80% mutation ki | `pkg/worker/config.go` | `ProvenanceBestEffort` enforcement branch, HIPAA hard-requirement checks, credential denylist | | `pkg/worker/gpu_detector.go` | `CreateDetectorWithInfo` call site, `DetectionInfo` capture | | `internal/manifest/` | `Environment` nil check, `Exclusions` population, schema version check | -| `tests/unit/security/` | PHI denylist logic, inline credential detection | +| `internal/security/` | PHI denylist logic, inline credential detection | --- 
@@ -113,8 +113,8 @@ Not tests — static analysis rules enforced at compile time in CI. All four mus | Requirement | Test | Location | Status | |---|---|---|---| -| Chained hash detects tampered entry | `TestAuditChainTamperDetection` | `tests/unit/security/audit_test.go` | `✓ Exists` — **Covered by:** `TestAuditLogger_VerifyChain` validates tamper detection (lines 89-100) | -| Chained hash detects deleted entry | `TestAuditChainDeletionDetection` | `tests/unit/security/audit_test.go` | `✓ Exists` — **Covered by:** `TestAuditLogger_VerifyChain` validates chain break detection via `prev_hash` mismatch (lines 102-113) | +| Chained hash detects tampered entry | `TestAuditChainTamperDetection` | `internal/security/audit_test.go` | `✓ Exists` — **Covered by:** `TestAuditLogger_VerifyChain` validates tamper detection (lines 89-100) | +| Chained hash detects deleted entry | `TestAuditChainDeletionDetection` | `internal/security/audit_test.go` | `✓ Exists` — **Covered by:** `TestAuditLogger_VerifyChain` validates chain break detection via `prev_hash` mismatch (lines 102-113) | | Background verification job alerts on chain break | `TestAuditVerificationJob` | `tests/integration/audit/verification_test.go` | `✓ Exists` — Integration test for audit chain verification (lines 14-126) | --- 
@@ -165,15 +165,15 @@ The following tests exist but use different naming conventions than specified in | Coverage Map Name | Actual Test Name | Location | Relationship | |---|---|---|---| -| `TestGPUDetectionAudit` | `TestGPUDetectorEnvOverrides`, `TestGPUDetectorDetectionSources`, `TestGPUDetectorInfoFields` | `tests/unit/gpu/gpu_detector_test.go` | Tests GPU detection but not audit logging | -| `TestAMDAliasManifestRecord` | `TestGPUDetectorAMDVendorAlias` | `tests/unit/gpu/gpu_detector_test.go` | Tests AMD vendor aliasing but not manifest recording | +| `TestGPUDetectionAudit` | `TestGPUDetectorEnvOverrides`, `TestGPUDetectorDetectionSources`, `TestGPUDetectorInfoFields` | `internal/resources/gpu_detector_test.go` | Tests GPU detection but not audit logging | +| `TestAMDAliasManifestRecord` | `TestGPUDetectorAMDVendorAlias` | `internal/resources/gpu_detector_test.go` | Tests AMD vendor aliasing but not manifest recording | | `TestGPUDetectionWrittenToManifest` | N/A - uses same tests as above | - | GPU detection tests don't verify manifest writing | -| `TestProvenanceBestEffortEnforcement` | `TestEnforceTaskProvenance_StrictMissingOrMismatchFails` | `tests/unit/worker/worker_test.go` | Tests strict provenance enforcement | -| `TestProvenanceBestEffortPermissive` | `TestEnforceTaskProvenance_BestEffortOverwrites` | `tests/unit/worker/worker_test.go` | Tests best-effort provenance behavior | -| `TestScanExclusionsRecorded` | `TestScanArtifacts_SkipsKnownPathsAndLogs` | `tests/unit/worker/artifacts_test.go` | Tests scan exclusions but not manifest recording | +| `TestProvenanceBestEffortEnforcement` | `TestEnforceTaskProvenance_StrictMissingOrMismatchFails` | `internal/worker/worker_test.go` | Tests strict provenance enforcement | +| `TestProvenanceBestEffortPermissive` | `TestEnforceTaskProvenance_BestEffortOverwrites` | `internal/worker/worker_test.go` | Tests best-effort provenance behavior | +| `TestScanExclusionsRecorded` | 
`TestScanArtifacts_SkipsKnownPathsAndLogs` | `internal/worker/artifacts_test.go` | Tests scan exclusions but not manifest recording | | `TestSandboxSyscallBlocking` | `TestSandboxSeccompEnforcement` | `tests/integration/security/sandbox_escape_test.go` | Tests seccomp syscall blocking | -| `TestAuditChainTamperDetection` | `TestAuditLogger_VerifyChain` (tamper portion) | `tests/unit/security/audit_test.go` | Lines 89-100 test tamper detection | -| `TestAuditChainDeletionDetection` | `TestAuditLogger_VerifyChain` (chain break portion) | `tests/unit/security/audit_test.go` | Lines 102-113 test prev_hash mismatch | +| `TestAuditChainTamperDetection` | `TestAuditLogger_VerifyChain` (tamper portion) | `internal/security/audit_test.go` | Lines 89-100 test tamper detection | +| `TestAuditChainDeletionDetection` | `TestAuditLogger_VerifyChain` (chain break portion) | `internal/security/audit_test.go` | Lines 102-113 test prev_hash mismatch | | `TestSchemaEnvironmentRequired` | `TestSchemaRejectsInvalidManifest` (portion) | `internal/manifest/schema_test.go` | Tests missing environment.config_hash rejection | --- 
@@ -184,11 +184,11 @@ These tests exist and provide related functionality testing, but don't fully cov | Requirement Area | Related Tests | Location | Gap | |---|---|---|---| -| GPU Detection | `TestGPUDetectorEnvOverrides`, `TestGPUDetectorAMDVendorAlias`, `TestGPUDetectorDetectionSources`, `TestGPUDetectorInfoFields`, `TestGPUDetectorEnvCountOverride` | `tests/unit/gpu/gpu_detector_test.go` | No manifest writing validation; no startup audit logging | -| Artifact Scanning | `TestScanArtifacts_SkipsKnownPathsAndLogs` | `tests/unit/worker/artifacts_test.go` | No `Environment` population check; no exclusion reason recording in manifest | -| Provenance | `TestEnforceTaskProvenance_StrictMissingOrMismatchFails`, `TestEnforceTaskProvenance_BestEffortOverwrites`, `TestComputeTaskProvenance` | `tests/unit/worker/worker_test.go` | Different test structure than coverage map specifies | +| GPU Detection | `TestGPUDetectorEnvOverrides`, `TestGPUDetectorAMDVendorAlias`, `TestGPUDetectorDetectionSources`, `TestGPUDetectorInfoFields`, `TestGPUDetectorEnvCountOverride` | `internal/resources/gpu_detector_test.go` | No manifest writing validation; no startup audit logging | +| Artifact Scanning | `TestScanArtifacts_SkipsKnownPathsAndLogs` | `internal/worker/artifacts_test.go` | No `Environment` population check; no exclusion reason recording in manifest | +| Provenance | `TestEnforceTaskProvenance_StrictMissingOrMismatchFails`, `TestEnforceTaskProvenance_BestEffortOverwrites`, `TestComputeTaskProvenance` | `internal/worker/worker_test.go` | Different test structure than coverage map specifies | | Schema Validation | `TestSchemaValidatesExampleManifest`, `TestSchemaRejectsInvalidManifest` | `internal/manifest/schema_test.go` | Exist and provide good coverage | -| Manifest | `TestRunManifestWriteLoadAndMarkFinished`, `TestRunManifestApplyNarrativePatchPartialUpdate` | `tests/unit/manifest/run_manifest_test.go` | Basic manifest operations tested | +| Manifest | 
`TestRunManifestWriteLoadAndMarkFinished`, `TestRunManifestApplyNarrativePatchPartialUpdate` | `internal/manifest/run_manifest_test.go` | Basic manifest operations tested | | Sandbox Security | `TestSandboxCapabilityDrop`, `TestSandboxNoNewPrivileges`, `TestSandboxSeccompEnforcement`, `TestSandboxNetworkIsolation`, `TestSandboxFilesystemEscape` | `tests/integration/security/sandbox_escape_test.go` | Comprehensive sandbox tests exist | --- @@ -252,9 +252,9 @@ Work through gaps in this order: - `TestConfigHashPostDefaults` - Hash computation after env expansion and defaults ### Files Modified -- `tests/unit/gpu/gpu_detector_test.go` -- `tests/unit/worker/artifacts_test.go` -- `tests/unit/security/hipaa_validation_test.go` +- `internal/resources/gpu_detector_test.go` +- `internal/worker/artifacts_test.go` +- `internal/security/hipaa_validation_test.go` - `internal/worker/artifacts.go` (added exclusions recording) - `internal/manifest/run_manifest.go` (nonce-based filename support) - 6 new test files created diff --git a/docs/src/scheduler-architecture.md b/docs/src/scheduler-architecture.md index 89ac003..24b928c 100644 --- a/docs/src/scheduler-architecture.md +++ b/docs/src/scheduler-architecture.md @@ -146,7 +146,7 @@ All tests use shared fixtures in `tests/fixtures/`: | Category | Count | Files | |----------|-------|-------| -| Unit | 17+ | `tests/unit/scheduler/` | +| Unit | 17+ | `internal/scheduler/` | | Integration | 6 | `tests/integration/scheduler/` | | E2E | 6 | `tests/e2e/scheduler/` | diff --git a/docs/src/testing.md b/docs/src/testing.md index a2a3318..07eb901 100644 --- a/docs/src/testing.md +++ b/docs/src/testing.md 
@@ -65,8 +65,8 @@ docker exec ml-experiments-redis redis-cli ping
 make test-unit # Go unit tests only
 cd cli && zig build test # Zig CLI tests
-# Unit tests live under tests/unit/ (including tests that cover internal/ packages)
-go test ./tests/unit/...
+# Unit tests now live alongside source code in internal/ (following Go conventions)
+go test ./internal/...
 ```
 ### Integration Tests
@@ -479,7 +479,7 @@ FetchML implements comprehensive security testing with **100% coverage** across
 make test
 # Run security-specific unit tests
-go test -v ./tests/unit/security/...
+go test -v ./internal/security/...
 # Run audit verification tests
 go test -v ./tests/integration/audit/...
@@ -493,13 +493,13 @@ go test -v ./tests/property/...
 ### Security Test Files
-- `tests/unit/security/path_traversal_test.go` - Path traversal prevention
-- `tests/unit/security/filetype_test.go` - Magic bytes validation
-- `tests/unit/security/secrets_test.go` - Environment expansion & secret detection
-- `tests/unit/security/audit_test.go` - Audit chain integrity
-- `tests/unit/security/config_integrity_test.go` - Config validation
+- `internal/security/path_traversal_test.go` - Path traversal prevention
+- `internal/security/filetype_test.go` - Magic bytes validation
+- `internal/security/secrets_test.go` - Environment expansion & secret detection
+- `internal/security/audit_test.go` - Audit chain integrity
+- `internal/security/config_integrity_test.go` - Config validation
 - `tests/integration/security/cross_tenant_test.go` - Tenant isolation
-- `tests/integration/audit/verification_test.go` - Audit verification
+- `internal/audit/verifier_test.go` - Unit testsrification
 - `tests/property/*_test.go` - Property-based testing
 - `tests/fault/fault_test.go` - Fault injection scenarios
diff --git a/docs/src/verification.md b/docs/src/verification.md
index 3c7d557..50a1a55 100644
--- a/docs/src/verification.md
+++ b/docs/src/verification.md
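Review bot: The rewritten bullet `- \`internal/audit/verifier_test.go\` - Unit testsrification` in the "Security Test Files" list is garbled, and it replaces the entry for `tests/integration/audit/verification_test.go` even though the `@@ -479` hunk of this same file still tells readers to run `go test -v ./tests/integration/audit/...` and the ci.yml hunk still runs that package. Keep both entries: `- \`internal/audit/verifier_test.go\` - Audit chain verifier unit tests` followed by the original `- \`tests/integration/audit/verification_test.go\` - Audit verification`.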
@@ -82,7 +82,7 @@ type Event struct {
 **Components:**
 - `internal/audit/verifier.go` - Chain verification logic
 - `cmd/audit-verifier/main.go` - Standalone CLI tool
-- `tests/unit/audit/verifier_test.go` - Unit tests
+- `internal/audit/verifier_test.go` - Unit tests
 **Features:**
 - **Continuous verification:** Background job runs every 15 minutes (HIPAA) or hourly (other)