Joseph Doherty
047125bc11
Three doc fixes pinned by re-running today's full live-test sweep:
1. Bump status header from 2026-05-06 to "re-run 2026-05-07" with a
note that all 5 steps still pass against the live AVEVA install.
The first run of step 1 + step 5 today failed with
`Error::Status { detail: 5 }` (DCE/RPC fault 0x00000005) traced
to MX_TEST_DOMAIN being polluted with the infisical CLI's
"A new release of infisical is available" upgrade banner. The
banner was being concatenated onto the domain string by
Setup-LiveProbeEnv.ps1's `2>&1` capture, causing NTLM Type1 to
send a malformed domain field that NmxSvc rejected.
2. Fix tools/Setup-LiveProbeEnv.ps1 — Get-InfisicalSecret now splits
captured output on newlines, filters lines matching the
"^A new release of infisical is available" / "^Please upgrade"
banner patterns, and returns the last non-empty line (the actual
secret value from `infisical secrets get --plain`). Robust to
future banner messages of similar shape.
3. Fix two drifted line citations in docs/M6-live-verification.md:
`recover_connection_core (session.rs:1428-...)` is now at line
1374 after F56/F45/F47 edits — strip the line number, keep the
function name (`Session::recover_connection_core`). Same for
`Session::unsubscribe (session.rs:2261)`.
4. Add "Workspace gate (no live infra needed)" subsection to the
"Reproducing locally" recipe so a fresh contributor sees the
full V1 verification recipe (live + workspace gate) in one place.
All 5 live tests pass post-fix:
- F36 buffered subscribe (drained 1 raw NMX message; no scan
activity on TestChangingInt today, matches 5/6 baseline)
- F45 buffered recovery replay (2 pre + 2 post DataUpdate frames)
- F47 buffered unsubscribe skip (returned Ok)
- F40 metrics smoke (4 expected metric names present)
- F54 OnWriteComplete (status detail 9 = WRITE_COMPLETE_OK)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
137 lines
6.6 KiB
PowerShell
137 lines
6.6 KiB
PowerShell
# Setup-LiveProbeEnv.ps1 — populate the env vars the mxaccess Rust port's
|
|
# `live`-feature integration tests and probes expect, fetching credentials
|
|
# from the homelab Infisical instance via wwtools/secrets/Get-Secret.ps1.
|
|
#
|
|
# Usage:
|
|
# . .\tools\Setup-LiveProbeEnv.ps1 # dot-source — env vars persist in the calling session
|
|
# . .\tools\Setup-LiveProbeEnv.ps1 -SkipAsbSecret # no Infisical lookup for ASB shared secret (CI/dev fallback)
|
|
# .\tools\Setup-LiveProbeEnv.ps1 -DryRun # print what would be set without exporting
|
|
#
|
|
# Hard rules (per design/00-overview.md "Adjacent tooling" section):
|
|
# - Credentials are fetched via `wwtools\secrets\Get-Secret.ps1`, which logs
|
|
# into Infisical fresh on each call (DPAPI session storage doesn't survive
|
|
# non-interactive contexts).
|
|
# - We never inline plaintext secrets here. New AVEVA-specific secrets go
|
|
# into Infisical at `homelab/aveva/system-platform/<KEY>` (suggested path).
|
|
# - Sets `MX_LIVE=1` to enable the `live` feature gate in cargo tests.
|
|
#
|
|
# Env vars set:
|
|
# MX_LIVE — "1", enables the `live` cargo feature
|
|
# MX_NMX_HOST — NMX hostname (default: localhost)
|
|
# MX_GALAXY_DB — tiberius / SQL Server connection string with integrated security
|
|
# MX_GALAXY_NAME — Galaxy name (default: $env:MX_GALAXY_NAME or 'ZB' from wwtools/grdb)
|
|
# MX_TEST_USER — fetched from Infisical: homelab/infrastructure/windows-hosts/WW_VM_ADMIN_USER
|
|
# MX_TEST_DOMAIN — fetched from Infisical: ...WW_VM_ADMIN_DOMAIN
|
|
# MX_TEST_PASSWORD — fetched from Infisical: ...WW_VM_ADMIN_PWD
|
|
# MX_ASB_SHARED_SECRET — fetched from Infisical: homelab/aveva/system-platform/ASB_SHARED_SECRET
|
|
# (TODO: add this entry to Infisical — currently optional with -SkipAsbSecret)
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[string]$NmxHost = 'localhost',
|
|
[string]$GalaxyName = $(if ($env:MX_GALAXY_NAME) { $env:MX_GALAXY_NAME } else { 'ZB' }),
|
|
[string]$GalaxyServer = 'localhost',
|
|
[switch]$SkipAsbSecret,
|
|
[switch]$DryRun
|
|
)
|
|
|
|
$ErrorActionPreference = 'Stop'
|
|
|
|
$GetSecret = 'C:\Users\dohertj2\Desktop\wwtools\secrets\Get-Secret.ps1'
|
|
if (-not (Test-Path $GetSecret)) {
|
|
throw "Get-Secret.ps1 not found at $GetSecret. wwtools must be installed at C:\Users\dohertj2\Desktop\wwtools per design/00-overview.md 'Adjacent tooling' section."
|
|
}
|
|
|
|
# Hydrate User-scope env vars into Process scope. Necessary in non-interactive
|
|
# contexts (Bash → pwsh, scheduled tasks, CI runners) where the User-scope
|
|
# block from HKCU\Environment is not auto-merged into the process env.
|
|
foreach ($name in @('INFISICAL_API_URL','INFISICAL_UNIVERSAL_AUTH_CLIENT_ID','INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET')) {
|
|
if (-not (Get-Item -Path "Env:$name" -ErrorAction SilentlyContinue)) {
|
|
$userValue = [Environment]::GetEnvironmentVariable($name, 'User')
|
|
if ($userValue) {
|
|
Set-Item -Path "Env:$name" -Value $userValue
|
|
}
|
|
}
|
|
}
|
|
|
|
function Set-LiveEnvVar {
|
|
param([string]$Name, [string]$Value, [switch]$Sensitive)
|
|
$display = if ($Sensitive) { '***redacted***' } else { $Value }
|
|
if ($DryRun) {
|
|
Write-Host "[DRY] $Name = $display" -ForegroundColor Yellow
|
|
} else {
|
|
Set-Item -Path "Env:$Name" -Value $Value
|
|
Write-Host "[SET] $Name = $display" -ForegroundColor Green
|
|
}
|
|
}
|
|
|
|
function Get-InfisicalSecret {
|
|
param([string]$Key, [string]$Env = 'infrastructure', [string]$Path = '/windows-hosts')
|
|
try {
|
|
$value = & $GetSecret -Key $Key -Env $Env -Path $Path 2>&1
|
|
if ($LASTEXITCODE -ne 0 -or -not $value) {
|
|
throw "Get-Secret returned empty for $Env$Path/$Key (exit code $LASTEXITCODE)"
|
|
}
|
|
# The infisical CLI occasionally writes an upgrade-available banner
|
|
# ("A new release of infisical is available: ...") to stderr; the
|
|
# `2>&1` redirect above merges it into the value stream. Filter
|
|
# those banner lines so they don't pollute the returned secret.
|
|
# Take the last non-empty, non-banner line — the actual secret
|
|
# value is always the final line of `infisical secrets get --plain`.
|
|
$clean = ($value | Out-String) -split "(`r`n|`n)" |
|
|
ForEach-Object { $_.Trim() } |
|
|
Where-Object {
|
|
$_ -and
|
|
($_ -notmatch '^A new release of infisical is available') -and
|
|
($_ -notmatch '^Please upgrade ')
|
|
}
|
|
if (-not $clean) {
|
|
throw "Get-Secret produced no usable line for $Env$Path/$Key after banner filtering"
|
|
}
|
|
return ($clean | Select-Object -Last 1)
|
|
} catch {
|
|
throw "Failed to fetch $Env$Path/$Key from Infisical: $_"
|
|
}
|
|
}
|
|
|
|
Write-Host "mxaccess live-probe env setup" -ForegroundColor Cyan
|
|
Write-Host " source: wwtools/secrets/Get-Secret.ps1 -> https://infisical.dohertylan.com" -ForegroundColor DarkGray
|
|
Write-Host ""
|
|
|
|
# Non-secret env vars
|
|
Set-LiveEnvVar -Name 'MX_LIVE' -Value '1'
|
|
Set-LiveEnvVar -Name 'MX_NMX_HOST' -Value $NmxHost
|
|
Set-LiveEnvVar -Name 'MX_GALAXY_NAME' -Value $GalaxyName
|
|
$galaxyDb = "Server=$GalaxyServer;Database=$GalaxyName;Integrated Security=True;TrustServerCertificate=True"
|
|
Set-LiveEnvVar -Name 'MX_GALAXY_DB' -Value $galaxyDb
|
|
|
|
# Secret-backed env vars
|
|
Write-Host ""
|
|
Write-Host "Fetching credentials from Infisical..." -ForegroundColor Cyan
|
|
|
|
$user = Get-InfisicalSecret -Key 'WW_VM_ADMIN_USER'
|
|
Set-LiveEnvVar -Name 'MX_TEST_USER' -Value $user
|
|
|
|
$domain = Get-InfisicalSecret -Key 'WW_VM_ADMIN_DOMAIN'
|
|
Set-LiveEnvVar -Name 'MX_TEST_DOMAIN' -Value $domain
|
|
|
|
$password = Get-InfisicalSecret -Key 'WW_VM_ADMIN_PWD'
|
|
Set-LiveEnvVar -Name 'MX_TEST_PASSWORD' -Value $password -Sensitive
|
|
|
|
if ($SkipAsbSecret) {
|
|
Write-Host "[SKIP] MX_ASB_SHARED_SECRET (use AsbCredentials::shared_secret(&[u8]) constructor or set manually)" -ForegroundColor Yellow
|
|
} else {
|
|
try {
|
|
$asbSecret = Get-InfisicalSecret -Key 'ASB_SHARED_SECRET' -Env 'aveva' -Path '/system-platform'
|
|
Set-LiveEnvVar -Name 'MX_ASB_SHARED_SECRET' -Value $asbSecret -Sensitive
|
|
} catch {
|
|
Write-Warning "MX_ASB_SHARED_SECRET not yet in Infisical. Add it at homelab/aveva/system-platform/ASB_SHARED_SECRET, or rerun with -SkipAsbSecret. Underlying error: $_"
|
|
Set-LiveEnvVar -Name 'MX_ASB_SHARED_SECRET' -Value '' -Sensitive
|
|
}
|
|
}
|
|
|
|
Write-Host ""
|
|
Write-Host "Done. Live-probe env is ready." -ForegroundColor Green
|
|
Write-Host " Run cargo tests with the 'live' feature: cargo test -p mxaccess --features live -- --ignored" -ForegroundColor DarkGray
|
|
Write-Host " Run a probe example: cargo run -p mxaccess --example session-write" -ForegroundColor DarkGray
|