test(deploy): e2e smoke for weekly-digest --mode cloud

[khaliqgant]

Summary

• Track K: Track K — End-to-end smoke test
• Final signoff: COMPLETE.
• Eligible for auto-merge when CI green and upstream deps merged.

Spec reference

Source spec: workforce/docs/plans/deploy-v1-schema-cascade-spec.md

Track section: Track K — End-to-end smoke test

Final signoff

Verified Track K acceptance against the actual files in `/Users/khaliqgant/Projects/AgentWorkforce/workforce.wt-smoke` (diff vs `origin/main`: 528 lines, 2 files):

- **Smoke test file** — `packages/deploy/test/e2e/weekly-digest.smoke.test.ts` (459 lines). Builds bundle via `parsePersonaSpec` + `stageBundle` (`buildBundleLocally`, L127–149), deploys via `workforce deploy --mode cloud` (`deployViaCloudCli`, L151–185, with `--cloud-url`, `--workspace`, `--detach`), force-ticks the cron hook (`forceCronTick`, used L82), asserts a `Weekly digest — *` issue posts within 90s (`ISSUE_TITLE_RE` + `waitForWeeklyDigestIssue`, L100–101, `POLL_TIMEOUT_MS = 90_000`), and cleans up issue + deployment (L102–118).
- **Clean skip without staging token** — L19–24 emit `SMOKE_TEST: SKIP — WORKFORCE_E2E_STAGING_TOKEN is unset` and call `t.skip(...)`; L31–35 do the same for the missing workspace id. No staging side effects on local runs.
- **GitHub Actions workflow** — `.github/workflows/deploy-e2e.yml` (69 lines): `workflow_dispatch` + nightly `cron: '17 8 * * *'`, runs `node --test packages/deploy/test/e2e/weekly-digest.smoke.test.ts`, posts `SMOKE_TEST: PASS`/`FAIL — see logs`, and notifies `#workforce-alerts` via `SLACK_WEBHOOK_URL` on failure (L61–69).
- **PR / commit subject** — commit `186b1bd` carries the exact subject `test(deploy): e2e smoke for weekly-digest --mode cloud`.

All four acceptance bullets are satisfied by the current files in the worktree.

SIGNOFF_FINAL: COMPLETE Track-K

Final gate (typecheck + tests)

FINAL_K_TSC=0
FINAL_K_TESTS=0

> workforce@0.1.0 typecheck /Users/khaliqgant/Projects/AgentWorkforce/workforce.wt-smoke
> corepack pnpm -r typecheck && corepack pnpm run typecheck:examples

Scope: 8 of 9 workspace projects
packages/daytona-runner typecheck$ tsc -p tsconfig.json --noEmit
packages/persona-kit typecheck$ tsc -p tsconfig.json --noEmit
packages/daytona-runner typecheck: Done
packages/persona-kit typecheck: Done
packages/workload-router typecheck$ tsc -p tsconfig.json --noEmit
packages/runtime typecheck$ tsc -p tsconfig.json --noEmit
packages/workload-router typecheck: Done
packages/runtime typecheck: Done
packages/deploy typecheck$ tsc -p tsconfig.json --noEmit
packages/deploy typecheck: Done
packages/cli typecheck$ tsc -p tsconfig.json --noEmit
packages/cli typecheck: Done
packages/agentworkforce typecheck$ node --check bin/agentworkforce.js
packages/agentworkforce typecheck: Done

> workforce@0.1.0 typecheck:examples /Users/khaliqgant/Projects/AgentWorkforce/workforce.wt-smoke
> tsc -p examples/tsconfig.json --noEmit

packages/cli test: # Subtest: computeTuiView: matches mode honors visibleCap
packages/cli test: ok 163 - computeTuiView: matches mode honors visibleCap
packages/cli test:   ---
packages/cli test:   duration_ms: 0.035375
packages/cli test:   type: 'test'
packages/cli test:   ...
packages/cli test: # Subtest: loadRecents returns [] when the file is absent or corrupt
packages/cli test: ok 164 - loadRecents returns [] when the file is absent or corrupt
packages/cli test:   ---
packages/cli test:   duration_ms: 0.415125
packages/cli test:   type: 'test'
packages/cli test:   ...
packages/cli test: 1..164
packages/cli test: # tests 164
packages/cli test: # suites 0
packages/cli test: # pass 164
packages/cli test: # fail 0
packages/cli test: # cancelled 0
packages/cli test: # skipped 0
packages/cli test: # todo 0
packages/cli test: # duration_ms 34999.61825
packages/cli test: Done
packages/agentworkforce test$ node --check bin/agentworkforce.js && node --test test/*.test.js
packages/agentworkforce test: TAP version 13
packages/agentworkforce test: # Subtest: agentworkforce --version prints the wrapper package version
packages/agentworkforce test: ok 1 - agentworkforce --version prints the wrapper package version
packages/agentworkforce test:   ---
packages/agentworkforce test:   duration_ms: 42.623792
packages/agentworkforce test:   type: 'test'
packages/agentworkforce test:   ...
packages/agentworkforce test: 1..1
packages/agentworkforce test: # tests 1
packages/agentworkforce test: # suites 0
packages/agentworkforce test: # pass 1
packages/agentworkforce test: # fail 0
packages/agentworkforce test: # cancelled 0
packages/agentworkforce test: # skipped 0
packages/agentworkforce test: # todo 0
packages/agentworkforce test: # duration_ms 101.784542
packages/agentworkforce test: Done

Self-reflection report

REFLECT_GAPS:
- "Smoke test file added" — file exists at packages/deploy/test/e2e/weekly-digest.smoke.test.ts but is UNTRACKED (not committed). `git diff origin/main` returns empty; nothing is actually on branch test/deploy-v1-e2e-smoke. The PR cannot be opened from this state — must `git add` and commit.
- "GitHub Actions workflow added" — .github/workflows/deploy-e2e.yml exists but is also UNTRACKED. Not on branch.
- Cleanup step — spec says "close the issue, optionally destroy the agent". `closeIssue` is implemented (weekly-digest.smoke.test.ts:262) but no destroy-agent call is attempted (even guarded). Spec marks destroy as optional ("skip if M3 destroy isn't wired"), so partial — code does not even try.
- Title regex `/^Weekly digest\s+[—-]\s+/u` (line 10) accepts BOTH em-dash and hyphen; spec says title pattern `Weekly digest — *` (em-dash). Broader-than-spec match — minor partial; could mask a real bug where the agent emits a hyphen instead of em-dash. Borderline gap.
- "Test passes when run against staging (or skipped cleanly if WORKFORCE_E2E_STAGING_TOKEN is unset)" — skip on missing token is implemented (lines 18-23), but the test ALSO skips when `WORKFORCE_E2E_STAGING_WORKSPACE_ID`/`WORKFORCE_WORKSPACE_ID` is unset (lines 25-36). Spec only documents the token gate; the extra gate is not a hard violation but isn't surfaced in the acceptance bullet or workflow env (the `.github/workflows/deploy-e2e.yml:24` does pass `WORKFORCE_E2E_STAGING_WORKSPACE_ID` from vars, so CI is wired, but local-run behavior diverges from spec wording). Minor partial.
- Spec calls for asserting "deployment was created + status='active'" when the tick hook is absent. Implementation reads agent-level status (readAgentStatus, line 213) and asserts `'active'` (line 71). Spec wording was "deployment was created" — code checks the agent record, not an `agent_deployments` row. Likely fine given the cloud API surface, but it's an interpretation, not a literal match. Minor partial.
- "PR title: `test(deploy): e2e smoke for weekly-digest --mode cloud`" — cannot be verified from diff; no PR exists, and files are not even committed. Tied to the top gap.

Summary: Two artifact files (test + workflow) exist on disk but are UNTRACKED. The diff against origin/main is empty, so by the literal acceptance contract ("Smoke test file added", "GitHub Actions workflow added"), Track K is not yet landed. Content of the artifacts mostly matches spec with the minor partials noted (no destroy-agent attempt, looser title regex, extra workspace-id skip gate).

Known gaps after this PR

⚠️ Memory is not wired. is a stub in v1; see § Loud hole. Memory wiring lands in a follow-up workflow (not yet specced).

⚠️ M3 destroy/list CLI commands not implemented. Separate workflow.

⚠️ ** not on npm** under scope. Handled by a separate agent per platform-team OIDC setup; not blocking morning state because cloud consumes via workspace ref.

Co-Authored-By: Ricky deploy-v1 schema cascade noreply@agentworkforce.com

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c522bc57-56aa-4abd-865a-6d456a94cbf0

📥 Commits

Reviewing files that changed from the base of the PR and between ea4db5d and 40e3ce7.

📒 Files selected for processing (2)

• .github/workflows/deploy-e2e.yml
• packages/deploy/test/e2e/weekly-digest.smoke.test.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/deploy-e2e.yml
• packages/deploy/test/e2e/weekly-digest.smoke.test.ts

---

📝 Walkthrough

Walkthrough

Adds a scheduled/manual GitHub Actions workflow and a Node.js E2E smoke test that builds and deploys a weekly-digest agent to staging, triggers a cron tick (or checks active status), polls GitHub Issues for the digest, closes the issue, and ensures teardown; workflow posts Slack alerts on failure.

Changes

Weekly Digest E2E Smoke Test

Layer / File(s)	Summary
GitHub Actions workflow setup and execution .github/workflows/deploy-e2e.yml	Workflow named "Deploy E2E Smoke" runs on workflow_dispatch and cron with repository contents: read and issues: write. Job sets env from secrets/vars, provisions ubuntu-latest, sets up pnpm and Node 22.14.0 with caching, installs with pnpm install --frozen-lockfile, builds the workspace, runs the Node --test smoke test, reports PASS/FAIL unconditionally, and conditionally posts a Slack failure notification.
E2E test main flow and lifecycle packages/deploy/test/e2e/weekly-digest.smoke.test.ts (lines 1–120)	Test entrypoint skips when WORKFORCE_E2E_STAGING_TOKEN absent. Orchestrates building a local persona bundle, deploying to staging via CLI, resolving agent/deployment IDs, invoking cron tick (with 404/405/501 fallback), polling GitHub Issues for the weekly digest issue, closing the issue, and ensuring cleanup in a finally block.
Bundle build, CLI deploy, and id resolution packages/deploy/test/e2e/weekly-digest.smoke.test.ts (lines 121–258)	Builds persona bundle from examples/weekly-digest/persona.json, runs packages/cli/dist/cli.js deploy --mode cloud with fixture repo/topic and detached/timeout options, parses CLI output for IDs using JSON/regex, and falls back to staging workspace agent/deployment API queries to resolve agentId and deploymentId.
Cron tick triggering and GitHub issue verification packages/deploy/test/e2e/weekly-digest.smoke.test.ts (lines 260–369)	POSTs to staging _test/tick endpoint, treating 404/405/501 as skipped and otherwise checking responses. Polls GitHub Issues (open, updated-since filter) for a matching "Weekly digest — " title until timeout, then PATCHes the issue to closed with state_reason: completed.
Teardown, status checks, and utilities packages/deploy/test/e2e/weekly-digest.smoke.test.ts (lines 282–459)	Reads deployment status with flexible payload extraction, destroys deployment/agent via candidate DELETE endpoints with retries, includes output parsing helpers, authentication header helpers, dynamic dist import, child-process runner with SIGTERM timeout handling, and helper utilities for polling/sleep and error messaging.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hop, I build, I tick the night away,
A bundle sails to staging by first light,
An issue blooms, then closed without delay,
Cleanup hums softly, alerts beam if there's fright—
The rabbit nods: the smoke test did its play.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding an end-to-end smoke test for weekly-digest deployment in cloud mode.
Description check	✅ Passed	The description is comprehensively related to the changeset, detailing the smoke test implementation, workflow configuration, and verification status.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch test/deploy-v1-e2e-smoke

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-e2e.yml:
- Around line 48-70: The smoke test step with id "smoke" currently uses
continue-on-error: true which prevents the job from failing; add a final step
(e.g., name "Fail job on smoke failure") that runs only when steps.smoke.outcome
== 'failure' and executes an explicit exit 1 to propagate the failure to the job
result, keeping the existing "Report smoke result" and "Notify
`#workforce-alerts`" steps as-is so logs and notifications still run before the
job is marked failed.

In `@packages/deploy/test/e2e/weekly-digest.smoke.test.ts`:
- Around line 37-38: The smoke test currently backdates startedAt and selects
the first matching open GitHub issue updated after that timestamp, which can
collide with concurrent runs; generate a unique run marker (e.g. const runMarker
= process.env.GITHUB_RUN_ID || <generated id>) and include that marker in any
created/updated issue content (title or body) when emitting the weekly digest,
then change the lookup/verification logic (the code paths that use startedAt and
the issue-searching logic referenced around the lookup and the later
verification blocks) to require the found issue’s body/title contains this
runMarker before treating it as this run’s result; also update any assertions
that currently rely only on updated_at to check the marker so overlapping runs
don’t interfere.
- Around line 299-317: The destroyDeployment function currently returns early
inside the loop on the first successful/acceptable DELETE, skipping the second
cleanup; change it so both candidate URLs in the candidates array are always
requested: for each url call fetch(...) with method 'DELETE' and
authHeaders(stagingToken), treat res.ok or status 404/405/501 as a success but
continue to the next candidate, set lastError when a request returns an
unexpected status (using new Error(`${res.status} ${await res.text()}`)), and
after the loop throw lastError if present; adjust any early return inside the
for..of so both agent and deployment deletes are attempted even when the first
succeeds.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f71a634b-d805-4eec-a488-71d9d2920409

📥 Commits

Reviewing files that changed from the base of the PR and between 19ebbee and 186b1bd.

📒 Files selected for processing (2)

• .github/workflows/deploy-e2e.yml
• packages/deploy/test/e2e/weekly-digest.smoke.test.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Correlate the observed GitHub issue to this run.

This lookup accepts the first open issue whose title matches Weekly digest — ... and whose updated_at is newer than a backdated timestamp. Two overlapping smoke runs against the shared fixture repo can therefore pass on, or close, each other's issue. Add a run-specific marker (for example deploymentId or GITHUB_RUN_ID) to the emitted issue content and verify that marker here before treating the issue as this deployment's result.

Also applies to: 94-100, 320-355

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/deploy/test/e2e/weekly-digest.smoke.test.ts` around lines 37 - 38,
The smoke test currently backdates startedAt and selects the first matching open
GitHub issue updated after that timestamp, which can collide with concurrent
runs; generate a unique run marker (e.g. const runMarker =
process.env.GITHUB_RUN_ID || <generated id>) and include that marker in any
created/updated issue content (title or body) when emitting the weekly digest,
then change the lookup/verification logic (the code paths that use startedAt and
the issue-searching logic referenced around the lookup and the later
verification blocks) to require the found issue’s body/title contains this
runMarker before treating it as this run’s result; also update any assertions
that currently rely only on updated_at to check the marker so overlapping runs
don’t interfere.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

.github/workflows/deploy-e2e.yml (1)

8-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Reduce secret exposure scope and remove unused permission.

Secrets at lines 22, 25, and 27 are exposed to all steps via job-level env, including pnpm install and build steps that don't use them. Move secrets to the specific steps that need them: WORKFORCE_E2E_STAGING_TOKEN and WORKFORCE_E2E_GITHUB_TOKEN to the "Run weekly-digest smoke" step, and SLACK_WEBHOOK_URL to the "Notify #workforce-alerts" step. Additionally, remove the issues: write permission at line 10—no step in the workflow creates or updates issues, so this violates least-privilege principle. The curl command at line 69 should also include --fail to catch HTTP errors.

Suggested hardening diff

 permissions:
   contents: read
-  issues: write

 jobs:
   weekly-digest:
@@
     env:
       WORKFORCE_E2E_STAGING_URL: ${{ vars.WORKFORCE_E2E_STAGING_URL }}
       WORKFORCE_E2E_STAGING_WORKSPACE_ID: ${{ vars.WORKFORCE_E2E_STAGING_WORKSPACE_ID }}
       WORKFORCE_E2E_FIXTURE_REPO: AgentWorkforce/deploy-e2e-fixtures
-      WORKFORCE_E2E_STAGING_TOKEN: ${{ secrets.WORKFORCE_E2E_STAGING_TOKEN }}
-      WORKFORCE_E2E_GITHUB_TOKEN: ${{ secrets.WORKFORCE_E2E_GITHUB_TOKEN || github.token }}
-      SLACK_WEBHOOK_URL: ${{ secrets.WORKFORCE_ALERTS_SLACK_WEBHOOK_URL }}
@@
       - name: Run weekly-digest smoke
         id: smoke
+        env:
+          WORKFORCE_E2E_STAGING_TOKEN: ${{ secrets.WORKFORCE_E2E_STAGING_TOKEN }}
+          WORKFORCE_E2E_GITHUB_TOKEN: ${{ secrets.WORKFORCE_E2E_GITHUB_TOKEN }}
         run: node --test packages/deploy/test/e2e/weekly-digest.smoke.test.ts
@@
       - name: Notify `#workforce-alerts`
         if: failure() && steps.smoke.outcome == 'failure'
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.WORKFORCE_ALERTS_SLACK_WEBHOOK_URL }}
         run: |
           if [ -z "${SLACK_WEBHOOK_URL}" ]; then
             echo "No Slack webhook configured; skipping `#workforce-alerts` notification."
             exit 0
           fi
           payload=$(node -e "console.log(JSON.stringify({text: 'SMOKE_TEST: FAIL — weekly-digest deploy E2E failed. See ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'}))")
-          curl -sS -X POST -H 'content-type: application/json' --data "$payload" "$SLACK_WEBHOOK_URL"
+          curl -sS --fail -X POST -H 'content-type: application/json' --data "$payload" "$SLACK_WEBHOOK_URL"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-e2e.yml around lines 8 - 10, The workflow currently
exposes secrets via job-level env and grants an unnecessary permission; remove
the job-level environment entries for WORKFORCE_E2E_STAGING_TOKEN,
WORKFORCE_E2E_GITHUB_TOKEN, and SLACK_WEBHOOK_URL and instead add
WORKFORCE_E2E_STAGING_TOKEN and WORKFORCE_E2E_GITHUB_TOKEN as env only on the
"Run weekly-digest smoke" step and add SLACK_WEBHOOK_URL as env only on the
"Notify `#workforce-alerts`" step; also remove the top-level permission issues:
write from the permissions block and update the curl invocation (the curl
command in the notify step) to include --fail so HTTP errors are detected.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-e2e.yml:
- Line 69: The curl invocation that posts to Slack currently uses "curl -sS -X
POST -H 'content-type: application/json' --data \"$payload\"
\"$SLACK_WEBHOOK_URL\"" which will still exit zero on HTTP 4xx/5xx; update the
command to fail on non-2xx (e.g., add --fail or --fail-with-body) and check the
exit status so the workflow fails when Slack returns an error; modify the POST
command (the curl line) to use --fail-with-body --show-error (or --fail) and
capture/check its exit code (or let the step fail) so non-2xx responses cause
the job to fail.

---

Duplicate comments:
In @.github/workflows/deploy-e2e.yml:
- Around line 8-10: The workflow currently exposes secrets via job-level env and
grants an unnecessary permission; remove the job-level environment entries for
WORKFORCE_E2E_STAGING_TOKEN, WORKFORCE_E2E_GITHUB_TOKEN, and SLACK_WEBHOOK_URL
and instead add WORKFORCE_E2E_STAGING_TOKEN and WORKFORCE_E2E_GITHUB_TOKEN as
env only on the "Run weekly-digest smoke" step and add SLACK_WEBHOOK_URL as env
only on the "Notify `#workforce-alerts`" step; also remove the top-level
permission issues: write from the permissions block and update the curl
invocation (the curl command in the notify step) to include --fail so HTTP
errors are detected.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 470f213a-0063-48bd-83b5-8679d2eed2b8

📥 Commits

Reviewing files that changed from the base of the PR and between 186b1bd and ea4db5d.

📒 Files selected for processing (2)

• .github/workflows/deploy-e2e.yml
• packages/deploy/test/e2e/weekly-digest.smoke.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/deploy/test/e2e/weekly-digest.smoke.test.ts