test: pin existing behaviour as a test contract across charts and core packages

[Aleksei Sviridkin (lexfrei)]

Summary

Pin the current behaviour of the cozystack/generic charts and the core Go packages as a layer of contract documentation that lives alongside the code. Tests are written as the second documentation surface — each test starts with a Contract: comment describing the user-visible guarantee being captured and why it matters; the body is the executable enforcement of that guarantee. When something drifts in a future change, the failing test names point directly at the broken cell of the matrix.

Scope

Charts (pkg/engine/contract_*_test.go)

Roughly 95 contract tests covering the rendered shape of both shipped charts across the matrix chart × schema × machineType:

• cluster section — clusterName/podSubnets/serviceSubnets/endpoint, cozystack-specific defaults (clusterDomain, OIDC, allocateNodeCIDRs, allowSchedulingOnControlPlanes, proxy/discovery, unconditional 127.0.0.1 in certSANs), generic chart minimalism pinned via explicit absence assertions.
• machine section — kubelet extraConfig, sysctls trio, kernel modules with drbd usermode_helper parameter, two hardcoded files (containerd device-ownership, lvm.conf global_filter), install.image, registries.
• schema selection — templateOptions.talosVersion routes legacy vs multi-doc, including pre-release tags (v1.12.0-rc.1 satisfies >=1.12.0-0).
• multi-doc network — HostnameConfig fallback, ResolverConfig empty list, LinkConfig per-link, gateway-only routing rule, BondConfig with bondMaster fields, slave filtering, VLANConfig, bridge silent-skip, Layer2VIPConfig discovery and override paths, floatingIP stripping.
• legacy network — machine.network.interfaces[] for plain/VLAN/bond, vipLink override semantics, existing-interfaces shortcut.
• fail paths — every fail and required directive across both charts (endpoint required, advertisedSubnets+empty discovery, multi-doc legacy interfaces guard, bridge-as-gateway, VLAN no parent, VLAN no vlanID).

Core packages

• pkg/engine (54.4% → 79.0%): loadValues / mergeMaps Helm precedence and slice-replace-not-append, Render/FullConfigProcess/InitializeConfigBundle/SerializeConfiguration error surfaces and happy paths, extractResourceData metadata projection and yaml-spec round-trip.
• pkg/age (3.5% → 69.5%): key generation/loading (both age keygen format and legacy plain), envelope ENC[AGE,data:...] shape, secrets round-trip, incremental encryption (new keys, nested change locality, type change fallback, list length change full re-encrypt, same-length localised re-encrypt).
• pkg/modeline (40.9% → 90.9%): parse/read/generate round-trip stability, prefix discipline (# talm: ), trim tolerance, key order in generated lines.
• pkg/commands (16.8% → 29.7%): CLI flag parsing, project-root detection (two-marker rule with secrets.yaml or secrets.encrypted.yaml), Chart.yaml preset detection, .gitignore management, endpoint normalisation, kubeconfig server rewrite, no-prompt file write paths.
• pkg/secureperm: atomic-write contract (mode 0600, no tmp leftover on success or failure, idempotency, bytes-integrity).

CI

Adds a report-only coverage job to .github/workflows/pr.yml that runs go test -coverprofile, prints a per-package summary in the GitHub Actions step-summary, and uploads the profile as an artifact. No threshold gate — the goal is visibility into drift, not forcing every PR to also touch tests.

Coverage delta

Package	Before	After	Δ
pkg/age	3.5%	69.5%	+66.0
pkg/modeline	40.9%	90.9%	+50.0
pkg/engine	54.4%	79.0%	+24.6
pkg/commands	16.8%	29.7%	+12.9
Total	34.8%	56.2%	+21.4

90% on pkg/commands is reachable only with a fake Talos gRPC server (apply, WithClient*, cosiVersionReader, etc.). That is a separate project; this PR stops at what is testable without one.

Bugs surfaced during this work

Filed as separate issues so this PR stays test-only:

• pkg/age: RotateKeys does not actually rotate the on-disk key #151 — pkg/age.RotateKeys does not actually rotate the on-disk key (security-relevant).
• pkg/engine: debugPhase panics on empty patch in --debug output loop #152 — pkg/engine.debugPhase panics on empty patch in --debug output loop.
• ci(lint): adopt strict golangci-lint config (default:all) and clean up resulting backlog #153 — golangci-lint config refresh and resulting cleanup backlog (extended scope).

The contract test for RotateKeys deliberately does NOT pin the broken behaviour — it only asserts round-trip integrity and documents the bug in a comment, so the test can be tightened once the fix lands.

Out of scope

• Behaviour changes — strictly additive, no production code touched.
• Fixing the bugs surfaced above (separate issues).
• Code refactors beyond what tests require to be writable.

Summary by CodeRabbit

• Tests
  • Added an extensive suite of contract tests validating encryption/decryption and YAML secret stability, CLI root-detection and flag/file helpers, .gitignore/kubeconfig behaviors, modeline parsing/generation, secure-permission file writes, resource/spec extraction, values-merge/loading, and broad Helm chart rendering/validation for clusters, machines, networks, schemas, and error conditions.
• Chores
  • CI: added a coverage job that runs tests, summarizes per-package coverage, and uploads a coverage-profile artifact.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR adds comprehensive contract-test coverage across the codebase and a CI job to run tests with coverage and upload a coverage profile.

Changes

Contract Test Suite Expansion

Layer / File(s)	Summary
CI Coverage Reporting \.github/workflows/pr.yml	Adds coverage job to run go test ./... with coverage output, aggregate per-package summaries, append to PR UI, and upload coverage.out artifact with 14-day retention.
AGE Encryption Contracts pkg/age/contract_internals_test.go, pkg/age/contract_test.go	Pins contracts for key generation/loading, public-key extraction, YAML encrypt/decrypt with ENC[AGE,data:<base64>] envelopes, round-trip integrity, deterministic ciphertext for unchanged inputs, localized ciphertext changes for focused edits, and key rotation plaintext round-trip.
Commands: Chart Preset & .gitignore pkg/commands/contract_chart_gitignore_test.go	Validates Chart.yaml preset selection, .gitignore creation/append/idempotency, kubeconfig basename handling, and tolerant annotated-entry matching.
Commands Helpers & Gitops Utilities pkg/commands/contract_helpers_test.go	Validates endpoint normalization to https://<host>:6443, kubeconfig server rewriting for all clusters, .gitignore management, cluster name resolution from charts, and updateFileWithConfirmation behavior.
Commands Root Detection & Path Utilities pkg/commands/contract_root_detection_test.go, pkg/commands/root_detection_test.go	Validates project root detection (Chart.yaml + secrets(.encrypted).yaml), DetectProjectRootForFile, ValidateAndDetectRootsForFiles aggregation and error cases, parseFlagFromArgs/CSV parsing, ResolveSecretsPath anchoring, and ExpandFilePaths recursion to .yaml/.yml.
Commands Root Dispatch & Talosconfig pkg/commands/contract_root_dispatch_test.go	Validates getFlagValues behavior, DetectAndSetRoot/DetectAndSetRootFromFiles precedence and conflict handling, checkRootConflict, EnsureTalosconfigPath anchoring and precedence, and updateKubeconfigEndpoint rewriting and erroring on malformed input.
Commands Template Rendering pkg/commands/contract_template_test.go	Validates resolveEngineTemplatePaths path normalization, generateOutput composition (modeline, AUTOGENERATED banner, rendered body), template command stdout behavior, and minimal-chart helpers for offline rendering tests.
Engine: Values & Loading pkg/engine/contract_loadvalues_test.go	Pins mergeMaps deep-merge semantics, loadValues precedence and set/JSON/file/string behaviors, dotted-key parsing, FileValues handling, and relevant error cases.
Engine: Rendering Core & Bundles pkg/engine/contract_render_test.go	Pins Render error surfaces, offline happy-path rendering, Options/InitializeConfigBundle validation, SerializeConfiguration outputs, FullConfigProcess flows, and TalosVersion validation.
Engine: Schema Selection pkg/engine/contract_schema_test.go	Validates legacy vs multi-doc schema selection by talosVersion (including pre-releases), single-document legacy contract, chart-specific RegistryMirrorConfig emission, and that selection is not cached across renders.
Engine: Cluster & Machine Rendering pkg/engine/contract_cluster_test.go, pkg/engine/contract_machine_test.go	Verifies rendered cluster and machine blocks across cozystack/generic charts and legacy/multi-doc schemas: cluster defaults, cozystack-specific defaults/fields, generic minimalism, and machine-level invariants.
Engine: Network Rendering pkg/engine/contract_network_legacy_test.go, pkg/engine/contract_network_multidoc_test.go	Pins legacy machine.network and multi-doc network rendering shapes: hostname/resolver emission, interfaces/bond/VLAN nesting, default-gateway route consolidation, Layer2VIPConfig behavior, floatingIP stripping and vipLink overrides, and discovery short-circuit semantics.
Engine: Errors & Resource Extraction pkg/engine/contract_errors_test.go, pkg/engine/contract_extractresource_test.go	Asserts grep-stable render error messages for validation failures and validates extractResourceData metadata/spec projection and YAML-decoding error behavior.
Modeline pkg/modeline/contract_test.go	Validates ParseModeline/ReadAndParseModeline/GenerateModeline: exact # talm: prefix, key=value JSON-array parsing, fixed key order, first-line-only parsing, and round-trip stability.
Secureperm (unix) pkg/secureperm/contract_unix_test.go	Unix-only tests asserting secureperm.WriteFile byte integrity (including NUL/high-bit/newlines), nil→zero-length file with 0600, atomic writes with no .secureperm-* leftover on success or failure, idempotency, and LockDown behavior.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through tests both wide and deep,
Ensured secrets stay locked while outputs keep,
From modelines to networks, each contract held tight,
CI reports humming under moonlight.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch test/chart-contract

[gemini-code-assist]

Code Review

This pull request introduces an extensive suite of contract tests across multiple packages to ensure the stability of core functionalities such as configuration rendering, project detection, and key management. These tests document and enforce intended behaviors for both legacy and multi-doc Talos schemas. A review comment correctly identified a documentation error in the network rendering tests where a comment contradicted the actual test implementation for VIP address stripping.

[gemini-code-assist]

The comment here is contradictory to the comment on line 341 and the actual test implementation. The test intentionally picks a VIP that does match the discovery address to verify that it is stripped from the LinkConfig. Please update this comment to accurately reflect the test's purpose.

[Aleksei Sviridkin (lexfrei)]

Good catch — the leading comment was a leftover from an earlier iteration that picked a non-matching VIP. The test deliberately reuses the discovery address so the strip path actually fires. Comment rewritten in 43c9eb6 to describe that intent.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (5)

pkg/commands/root_detection_test.go (1)

305-347: ⚡ Quick win

filesDiffer test doesn't cover the (false, err) I/O-error path its own docstring documents.

The contract comment at lines 312–313 says the function returns (false, err) on read errors other than not-exist, but no test case exercises this path. The consequence is that a regression that silently returns (false, nil) on permission errors would pass undetected.

This is a low-priority gap — but since the contract text is already written and the pattern for adding a case is straightforward (use a path inside a 0000-mode directory), it's worth closing.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/commands/root_detection_test.go` around lines 305 - 347, Add a test case
to TestContract_FilesDiffer that exercises the "(false, err)" path of
filesDiffer by creating a directory with restrictive permissions (e.g., mode
0000), placing the target filename inside it (or attempting to read a file path
within it) and calling filesDiffer to provoke a permission/read error; assert
that filesDiffer returns false and a non-nil error, and restore permissions
before cleanup so the temp dir can be removed. Reference the existing
TestContract_FilesDiffer and the filesDiffer function when locating where to
insert this case.

pkg/engine/contract_loadvalues_test.go (1)

36-51: 💤 Low value

Contract docstring contradicts the actual assertion.

The function comment says "no aliasing — mutating the result must not affect base", but the code uses t.Logf (not t.Errorf) when aliasing is detected, meaning aliasing is silently accepted. A future maintainer reading the docstring would reasonably expect this to be an enforced invariant.

Either update the comment to describe the actual pinned behaviour (aliasing is possible for pure-a keys) and drop the misleading "no aliasing" framing, or change t.Logf → t.Errorf if the intent really is to enforce copy semantics.

✏️ Suggested comment clarification

-// Contract: merging an empty map onto base returns a copy of base
-// (no aliasing — mutating the result must not affect base).
+// Contract: merging an empty map onto base returns a result with
+// the same key-value pairs as base. Known quirk: keys present only
+// in `a` (not present in `b`) are NOT deep-copied; they are shared
+// by reference. This is the upstream Helm behaviour and is pinned
+// here — do not assume copy semantics for pure-base keys.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/engine/contract_loadvalues_test.go` around lines 36 - 51, The test
TestContract_MergeMaps_EmptyOverlay documents "no aliasing" but then only logs
(t.Logf) when aliasing is observed; fix the mismatch in the test for mergeMaps
by either (A) enforcing the invariant: replace the t.Logf call with t.Errorf so
the test fails when aliasing occurs (keeps the comment as-is), or (B) clarifying
the docstring to state the pinned behaviour (that pure-`a` keys may be aliased)
and keep t.Logf; locate the changes in TestContract_MergeMaps_EmptyOverlay and
reference mergeMaps to ensure the test and its comment are consistent.

pkg/engine/contract_errors_test.go (1)

49-74: 💤 Low value

helmEngine.LookupFunc global mutation is not parallel-safe.

renderExpectingError correctly guards with t.Cleanup, but because helmEngine.LookupFunc is a package-level variable, any future addition of t.Parallel() to these subtests would introduce a data race. Consider accepting the lookup as a parameter to the engine or wrapping it in a mutex-protected pattern now that this helper is established.

This is a test-only concern with no current impact.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/engine/contract_errors_test.go` around lines 49 - 74, The test mutates
the package-global helmEngine.LookupFunc without concurrency protection; add a
package-level sync.Mutex (e.g., helmEngineLookupMu) and lock it around the
mutation in renderExpectingError: call helmEngineLookupMu.Lock() before
assigning helmEngine.LookupFunc, and in the existing t.Cleanup restore
origLookup and call helmEngineLookupMu.Unlock(); keep the existing use of
helmEngineEmptyLookup when lookup is nil and preserve t.Helper(),
loader.LoadDir, cloneValues, maps.Copy, and eng.Render behavior.

pkg/age/contract_internals_test.go (1)

166-172: ⚡ Quick win

Prefer guarded type assertions with t.Fatalf over bare panics in test helpers.

The assertions at lines 166–167, 171–172, 235–236, and 274–275 will panic on a type mismatch rather than calling t.Fatalf, which produces a raw stack trace instead of a clear test-failure message when the contract unexpectedly breaks.

♻️ Pattern to apply at each assertion site

-firstTop := first["top"].(map[string]any)
-secondTop := second["top"].(map[string]any)
+firstTop, ok := first["top"].(map[string]any)
+if !ok {
+    t.Fatalf("expected first[\"top\"] to be map[string]any, got %T", first["top"])
+}
+secondTop, ok := second["top"].(map[string]any)
+if !ok {
+    t.Fatalf("expected second[\"top\"] to be map[string]any, got %T", second["top"])
+}

Apply the same pattern to the ["sub"], ["items"] assertions in the other tests.

Also applies to: 235-236, 274-275

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/age/contract_internals_test.go` around lines 166 - 172, The current
unguarded type assertions like firstTop := first["top"].(map[string]any) and
secondTop := second["top"].(map[string]any) (and similar sites for
firstSub/secondSub and ["items"]) can panic on mismatch; change them to guarded
assertions using the comma-ok form (e.g., v, ok :=
first["top"].(map[string]any)) and call t.Fatalf with a clear message when ok is
false so the test fails cleanly instead of panicking; apply the same pattern for
firstSub/secondSub and the items assertions mentioned in the review.

pkg/engine/contract_cluster_test.go (1)

351-370: ⚡ Quick win

Loose substring assertions for "disabled: true" and "enabled: false" may yield false positives.

TestContract_Cluster_ProxyDisabled_Cozystack asserts "disabled: true" independently of its parent key, and TestContract_Cluster_DiscoveryDisabled_Cozystack does the same for "enabled: false". If any other rendered YAML block in the output (e.g., another component with disabled: true) happens to match, the test passes even if the targeted section is missing or structurally changed.

Tightening to a combined pattern or using a multi-line assertion would make these contracts more precise:

♻️ Proposed tightening

-			assertContains(t, out, "proxy:")
-			assertContains(t, out, "disabled: true")
+			assertContains(t, out, "proxy:\n    disabled: true")

-			assertContains(t, out, "discovery:")
-			assertContains(t, out, "enabled: false")
+			assertContains(t, out, "discovery:\n    enabled: false")

Note: the exact indentation in the multiline string depends on the rendered YAML indentation level — verify against actual chart output before applying.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/engine/contract_cluster_test.go` around lines 351 - 370, Tests
TestContract_Cluster_ProxyDisabled_Cozystack and
TestContract_Cluster_DiscoveryDisabled_Cozystack use loose substring checks and
can false-positive; update each test (referencing renderChartTemplate and
assertContains) to assert the parent key and child value together (e.g., match a
multi-line block or use a regex anchored to the parent key) so you verify
"proxy" with its nested "disabled: true" and "discovery" with its nested
"enabled: false" rather than any standalone "disabled: true" or "enabled:
false"; ensure the pattern accounts for the YAML indentation used by the chart
output.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/age/contract_test.go`:
- Around line 357-366: The test currently swallows errors from os.ReadFile when
assigning first and second, which can mask I/O failures; update the two reads
(the calls that set first and second) to check the returned error and call
t.Fatal(err) (or t.Fatalf) if non-nil so failures surface immediately — locate
the os.ReadFile calls that produce variables first and second in the test and
add error handling for each.

In `@pkg/commands/contract_chart_gitignore_test.go`:
- Around line 215-235: Each of the three tests
(TestContract_WriteGitignoreFile_PreservesExistingEntries,
TestContract_WriteGitignoreFile_IdempotentOnFullList,
TestContract_WriteGitignoreFile_TolerantOfAnnotatedEntries) must capture the
current Config.GlobalOptions.Kubeconfig into a local variable at test start and
restore it in t.Cleanup instead of unconditionally setting it to ""; change the
t.Cleanup(func() { Config.GlobalOptions.Kubeconfig = "" }) calls to save :=
Config.GlobalOptions.Kubeconfig and t.Cleanup(func() {
Config.GlobalOptions.Kubeconfig = save }) so the original kubeconfig is
preserved across tests.

In `@pkg/commands/contract_helpers_test.go`:
- Around line 40-61: Test and implementation are producing a malformed IPv6 URL
(missing square brackets); update normalizeEndpoint to use
net.JoinHostPort(host, "6443") when composing host:port so IPv6 addresses get
bracketed correctly, and update the test case in TestContract_NormalizeEndpoint
to expect "https://[2001:db8::1]:6443"; also add or reference an issue note in
the comment if this was intentionally tracked as known-broken behavior.
- Around line 40-61: The normalizeEndpoint result must return valid
URI-bracketed IPv6 literals; update the normalizeEndpoint function to detect
when the host is an IPv6 literal (e.g., contains ':' after net.SplitHostPort or
when the input had brackets) and re-add surrounding square brackets before
formatting the final "https://<host>:<port>" string; ensure you still normalize
scheme to https and default port to 6443, handle inputs that already include a
scheme or port, and use the same host/port symbols returned by net.SplitHostPort
(or url parsing) so tests like TestContract_NormalizeEndpoint (which calls
normalizeEndpoint) produce "https://[2001:db8::1]:6443" not an unbracketed IPv6
address.

In `@pkg/engine/contract_cluster_test.go`:
- Around line 215-227: The test
TestContract_Cluster_NoControlplaneBlocksOnWorker is missing an assertion that
the controlplane-only block "discovery:" is absent from worker templates; inside
the t.Run body of that function (alongside the existing assertNotContains checks
for "apiServer:", "controllerManager:", "scheduler:", "etcd:",
"allowSchedulingOnControlPlanes", and "proxy:"), add an assertNotContains(t,
out, "discovery:") to enforce the contract.

---

Nitpick comments:
In `@pkg/age/contract_internals_test.go`:
- Around line 166-172: The current unguarded type assertions like firstTop :=
first["top"].(map[string]any) and secondTop := second["top"].(map[string]any)
(and similar sites for firstSub/secondSub and ["items"]) can panic on mismatch;
change them to guarded assertions using the comma-ok form (e.g., v, ok :=
first["top"].(map[string]any)) and call t.Fatalf with a clear message when ok is
false so the test fails cleanly instead of panicking; apply the same pattern for
firstSub/secondSub and the items assertions mentioned in the review.

In `@pkg/commands/root_detection_test.go`:
- Around line 305-347: Add a test case to TestContract_FilesDiffer that
exercises the "(false, err)" path of filesDiffer by creating a directory with
restrictive permissions (e.g., mode 0000), placing the target filename inside it
(or attempting to read a file path within it) and calling filesDiffer to provoke
a permission/read error; assert that filesDiffer returns false and a non-nil
error, and restore permissions before cleanup so the temp dir can be removed.
Reference the existing TestContract_FilesDiffer and the filesDiffer function
when locating where to insert this case.

In `@pkg/engine/contract_cluster_test.go`:
- Around line 351-370: Tests TestContract_Cluster_ProxyDisabled_Cozystack and
TestContract_Cluster_DiscoveryDisabled_Cozystack use loose substring checks and
can false-positive; update each test (referencing renderChartTemplate and
assertContains) to assert the parent key and child value together (e.g., match a
multi-line block or use a regex anchored to the parent key) so you verify
"proxy" with its nested "disabled: true" and "discovery" with its nested
"enabled: false" rather than any standalone "disabled: true" or "enabled:
false"; ensure the pattern accounts for the YAML indentation used by the chart
output.

In `@pkg/engine/contract_errors_test.go`:
- Around line 49-74: The test mutates the package-global helmEngine.LookupFunc
without concurrency protection; add a package-level sync.Mutex (e.g.,
helmEngineLookupMu) and lock it around the mutation in renderExpectingError:
call helmEngineLookupMu.Lock() before assigning helmEngine.LookupFunc, and in
the existing t.Cleanup restore origLookup and call helmEngineLookupMu.Unlock();
keep the existing use of helmEngineEmptyLookup when lookup is nil and preserve
t.Helper(), loader.LoadDir, cloneValues, maps.Copy, and eng.Render behavior.

In `@pkg/engine/contract_loadvalues_test.go`:
- Around line 36-51: The test TestContract_MergeMaps_EmptyOverlay documents "no
aliasing" but then only logs (t.Logf) when aliasing is observed; fix the
mismatch in the test for mergeMaps by either (A) enforcing the invariant:
replace the t.Logf call with t.Errorf so the test fails when aliasing occurs
(keeps the comment as-is), or (B) clarifying the docstring to state the pinned
behaviour (that pure-`a` keys may be aliased) and keep t.Logf; locate the
changes in TestContract_MergeMaps_EmptyOverlay and reference mergeMaps to ensure
the test and its comment are consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1a3152f6-804b-4aaa-87c7-e26e8c9b8411

📥 Commits

Reviewing files that changed from the base of the PR and between 7a21e6a and 5d93f1d.

📒 Files selected for processing (18)

• .github/workflows/pr.yml
• pkg/age/contract_internals_test.go
• pkg/age/contract_test.go
• pkg/commands/contract_chart_gitignore_test.go
• pkg/commands/contract_helpers_test.go
• pkg/commands/contract_root_detection_test.go
• pkg/commands/root_detection_test.go
• pkg/engine/contract_cluster_test.go
• pkg/engine/contract_errors_test.go
• pkg/engine/contract_extractresource_test.go
• pkg/engine/contract_loadvalues_test.go
• pkg/engine/contract_machine_test.go
• pkg/engine/contract_network_legacy_test.go
• pkg/engine/contract_network_multidoc_test.go
• pkg/engine/contract_render_test.go
• pkg/engine/contract_schema_test.go
• pkg/modeline/contract_test.go
• pkg/secureperm/contract_unix_test.go

[coderabbitai]

🧹 Nitpick comments (1)

pkg/commands/contract_root_dispatch_test.go (1)

491-527: ⚡ Quick win

Add an explicit IPv6 contract case for updateKubeconfigEndpoint (known defect pin).

The rewrite tests only assert IPv4 behavior right now. Please add a contract test for IPv6 endpoint input and pin current behavior with FIXME #155`` (per repo convention for known-broken contracts), so regressions/fixes are tracked intentionally.

Based on learnings: contract tests in this repo intentionally pin known-broken behavior with FIXME #<issue> comments, including the IPv6 bracketing defect tracked as #155.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/commands/contract_root_dispatch_test.go` around lines 491 - 527, Add a
new contract test that exercises updateKubeconfigEndpoint with an IPv6 endpoint
input (e.g. "2001:db8::1:50000") to pin current behavior; create a test named
TestContract_UpdateKubeconfigEndpoint_IPv6 that calls updateKubeconfigEndpoint
with a kubeconfig containing cluster servers and asserts the rewritten server
contains the unbracketed IPv6 + port (or current observed behavior), and
annotate the test with a comment "FIXME `#155`" to mark the known IPv6 bracketing
defect; ensure you reference updateKubeconfigEndpoint and mirror the existing
IPv4 test structure for parsing and error checks so the contract captures the
current behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/commands/contract_root_dispatch_test.go`:
- Around line 491-527: Add a new contract test that exercises
updateKubeconfigEndpoint with an IPv6 endpoint input (e.g. "2001:db8::1:50000")
to pin current behavior; create a test named
TestContract_UpdateKubeconfigEndpoint_IPv6 that calls updateKubeconfigEndpoint
with a kubeconfig containing cluster servers and asserts the rewritten server
contains the unbracketed IPv6 + port (or current observed behavior), and
annotate the test with a comment "FIXME `#155`" to mark the known IPv6 bracketing
defect; ensure you reference updateKubeconfigEndpoint and mirror the existing
IPv4 test structure for parsing and error checks so the contract captures the
current behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e7fa8114-e2e2-423c-a6a8-0b6e033c3461

📥 Commits

Reviewing files that changed from the base of the PR and between 90eb54a and 71f6f01.

📒 Files selected for processing (1)

• pkg/commands/contract_root_dispatch_test.go

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/commands/contract_template_test.go`:
- Around line 256-271: The test TestContract_GenerateOutput_NoTemplatesError
currently only checks that generateOutput returns a non-nil error; update it to
also assert that the error string has the expected wrapped-prefix "failed to
render templates" (e.g., using strings.HasPrefix or errors.As to inspect the
error message) so the contract described in the comment is enforced; locate the
assertion in TestContract_GenerateOutput_NoTemplatesError and add the prefix
check against the err returned from generateOutput.
- Around line 391-414: The captureStdout helper leaves os.Stdout pointed at a
closed pipe and never closes the read end; change captureStdout so it restores
os.Stdout and closes the writer/reader immediately with defers scoped to the
helper instead of using t.Cleanup: save original := os.Stdout, set os.Stdout =
w, then defer func() { os.Stdout = original }(), defer w.Close(), and ensure r
is closed after the reader goroutine finishes (or closed in a defer after the
goroutine signals completion); remove the t.Cleanup usage and ensure the
goroutine reads until EOF then signals a done channel so you close r/w
deterministically within captureStdout.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7065bfbd-d0da-4928-813c-f3a2cd90de65

📥 Commits

Reviewing files that changed from the base of the PR and between 71f6f01 and 50a93d9.

📒 Files selected for processing (5)

• pkg/commands/contract_root_dispatch_test.go
• pkg/commands/contract_template_test.go
• pkg/commands/root_detection_test.go
• pkg/engine/contract_loadvalues_test.go
• pkg/engine/contract_schema_test.go

✅ Files skipped from review due to trivial changes (1)

• pkg/engine/contract_loadvalues_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/engine/contract_schema_test.go
• pkg/commands/contract_root_dispatch_test.go
• pkg/commands/root_detection_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Contract check is incomplete for the “no templates” path.

Line 257 states the wrapped-prefix contract, but the test only asserts err != nil. Please also assert the expected "failed to render templates" prefix so this behavior is actually pinned.

Suggested test assertion update

 func TestContract_GenerateOutput_NoTemplatesError(t *testing.T) {
@@
 	_, err := generateOutput(context.Background(), nil, nil)
 	if err == nil {
 		t.Fatal("expected error for empty templates")
 	}
+	if !strings.Contains(err.Error(), "failed to render templates") {
+		t.Errorf("error must wrap with 'failed to render templates', got: %v", err)
+	}
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Contract: an empty templates list surfaces the engine-side
	// 'templates are not set' error wrapped with the same prefix.
	func TestContract_GenerateOutput_NoTemplatesError(t *testing.T) {
	withTemplateFlagsSnapshot(t)
	chartRoot := makeMinimalChart(t)
	Config.RootDir = chartRoot
	templateCmdFlags.offline = true
	templateCmdFlags.templateFiles = nil
	GlobalArgs.Nodes = []string{"10.0.0.1"}
	_, err := generateOutput(context.Background(), nil, nil)
	if err == nil {
	t.Fatal("expected error for empty templates")
	}
	}
	// Contract: an empty templates list surfaces the engine-side
	// 'templates are not set' error wrapped with the same prefix.
	func TestContract_GenerateOutput_NoTemplatesError(t *testing.T) {
	withTemplateFlagsSnapshot(t)
	chartRoot := makeMinimalChart(t)
	Config.RootDir = chartRoot
	templateCmdFlags.offline = true
	templateCmdFlags.templateFiles = nil
	GlobalArgs.Nodes = []string{"10.0.0.1"}
	_, err := generateOutput(context.Background(), nil, nil)
	if err == nil {
	t.Fatal("expected error for empty templates")
	}
	if !strings.Contains(err.Error(), "failed to render templates") {
	t.Errorf("error must wrap with 'failed to render templates', got: %v", err)
	}
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/commands/contract_template_test.go` around lines 256 - 271, The test
TestContract_GenerateOutput_NoTemplatesError currently only checks that
generateOutput returns a non-nil error; update it to also assert that the error
string has the expected wrapped-prefix "failed to render templates" (e.g., using
strings.HasPrefix or errors.As to inspect the error message) so the contract
described in the comment is enforced; locate the assertion in
TestContract_GenerateOutput_NoTemplatesError and add the prefix check against
the err returned from generateOutput.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

captureStdout leaves global stdout redirected too long and leaks pipe lifecycle handling.

On Line 393, restoring os.Stdout in t.Cleanup defers restoration until test end, so after Line 412 closes w, stdout can remain pointed to a closed pipe for the rest of the test. Also, r is never explicitly closed on the success path. Restore/close immediately with defers scoped to the helper.

Suggested helper hardening

 func captureStdout(t *testing.T, fn func()) string {
 	t.Helper()
 	r, w, err := os.Pipe()
 	if err != nil {
 		t.Fatal(err)
 	}
 	original := os.Stdout
 	os.Stdout = w
-	t.Cleanup(func() { os.Stdout = original })
+	defer func() {
+		os.Stdout = original
+		_ = r.Close()
+		_ = w.Close()
+	}()
@@
 	fn()
 	_ = w.Close()
 	return <-done
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/commands/contract_template_test.go` around lines 391 - 414, The
captureStdout helper leaves os.Stdout pointed at a closed pipe and never closes
the read end; change captureStdout so it restores os.Stdout and closes the
writer/reader immediately with defers scoped to the helper instead of using
t.Cleanup: save original := os.Stdout, set os.Stdout = w, then defer func() {
os.Stdout = original }(), defer w.Close(), and ensure r is closed after the
reader goroutine finishes (or closed in a defer after the goroutine signals
completion); remove the t.Cleanup usage and ensure the goroutine reads until EOF
then signals a done channel so you close r/w deterministically within
captureStdout.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/commands/contract_helpers_test.go`:
- Around line 196-210: The current test
TestContract_AddToGitignore_PathPrefixMatch only checks exact-match idempotence;
add a case that verifies path-prefix behavior by writing "dist\n" to .gitignore,
calling addToGitignore("dist/"), and asserting the file still contains exactly
one "dist" entry. Update the test (or add a new subtest) to use setRoot and
t.TempDir, create gitignore with "dist\n", call addToGitignore("dist/"), then
read the file and assert strings.Count(..., "dist") == 1 to ensure no duplicate
entry is added for the path-prefix variant; reference the existing
TestContract_AddToGitignore_PathPrefixMatch and the addToGitignore function when
locating where to add this case.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 133677c3-9ae7-4fe6-a2cd-7070cbb32e7a

📥 Commits

Reviewing files that changed from the base of the PR and between 50a93d9 and ba98494.

📒 Files selected for processing (20)

• .github/workflows/pr.yml
• pkg/age/contract_internals_test.go
• pkg/age/contract_test.go
• pkg/commands/contract_chart_gitignore_test.go
• pkg/commands/contract_helpers_test.go
• pkg/commands/contract_root_detection_test.go
• pkg/commands/contract_root_dispatch_test.go
• pkg/commands/contract_template_test.go
• pkg/commands/root_detection_test.go
• pkg/engine/contract_cluster_test.go
• pkg/engine/contract_errors_test.go
• pkg/engine/contract_extractresource_test.go
• pkg/engine/contract_loadvalues_test.go
• pkg/engine/contract_machine_test.go
• pkg/engine/contract_network_legacy_test.go
• pkg/engine/contract_network_multidoc_test.go
• pkg/engine/contract_render_test.go
• pkg/engine/contract_schema_test.go
• pkg/modeline/contract_test.go
• pkg/secureperm/contract_unix_test.go

🚧 Files skipped from review as they are similar to previous changes (19)

• .github/workflows/pr.yml
• pkg/engine/contract_extractresource_test.go
• pkg/engine/contract_schema_test.go
• pkg/modeline/contract_test.go
• pkg/secureperm/contract_unix_test.go
• pkg/commands/contract_template_test.go
• pkg/age/contract_test.go
• pkg/commands/contract_root_detection_test.go
• pkg/commands/contract_root_dispatch_test.go
• pkg/engine/contract_machine_test.go
• pkg/age/contract_internals_test.go
• pkg/commands/root_detection_test.go
• pkg/engine/contract_cluster_test.go
• pkg/engine/contract_network_legacy_test.go
• pkg/engine/contract_errors_test.go
• pkg/commands/contract_chart_gitignore_test.go
• pkg/engine/contract_network_multidoc_test.go
• pkg/engine/contract_loadvalues_test.go
• pkg/engine/contract_render_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Test only covers exact match, not the path-prefix behavior described in the contract.

The comment at lines 191-195 promises that "existing dist matches a request to add dist/" (path-prefix awareness), but the test only verifies that adding "dist" when "dist" already exists is idempotent (exact match). To fully enforce the contract, add a test case where the file contains "dist" and the request is addToGitignore("dist/"), expecting no duplicate entry.

📋 Suggested additional test case

Add after line 210:

+// Contract: verify the reverse case — existing `dist` (no trailing
+// slash) should match a request to add `dist/` (with slash).
+func TestContract_AddToGitignore_PathPrefixMatch_WithSlash(t *testing.T) {
+	dir := t.TempDir()
+	setRoot(t, dir)
+	gitignore := filepath.Join(dir, ".gitignore")
+	if err := os.WriteFile(gitignore, []byte("dist\n"), 0o644); err != nil {
+		t.Fatal(err)
+	}
+	if err := addToGitignore("dist/"); err != nil {
+		t.Fatal(err)
+	}
+	got, _ := os.ReadFile(gitignore)
+	if strings.Count(string(got), "dist") != 1 {
+		t.Errorf("expected exactly one 'dist' entry (prefix match), got:\n%s", got)
+	}
+}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/commands/contract_helpers_test.go` around lines 196 - 210, The current
test TestContract_AddToGitignore_PathPrefixMatch only checks exact-match
idempotence; add a case that verifies path-prefix behavior by writing "dist\n"
to .gitignore, calling addToGitignore("dist/"), and asserting the file still
contains exactly one "dist" entry. Update the test (or add a new subtest) to use
setRoot and t.TempDir, create gitignore with "dist\n", call
addToGitignore("dist/"), then read the file and assert strings.Count(...,
"dist") == 1 to ensure no duplicate entry is added for the path-prefix variant;
reference the existing TestContract_AddToGitignore_PathPrefixMatch and the
addToGitignore function when locating where to add this case.