From e4a7f993339ecf45a34ceff354fe08fd60af6fa1 Mon Sep 17 00:00:00 2001 From: Gabriel Radureau Date: Mon, 29 Jun 2026 11:26:05 +0200 Subject: [PATCH] =?UTF-8?q?feat(test):=20split=20env=20config=20=E2=80=94?= =?UTF-8?q?=20.env=20(prod)=20vs=20.env.sandbox=20(sandbox)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit provisionSandbox.ts now loads its own .env.sandbox (via @std/dotenv loadSync) instead of the shared .env, so prod (main.ts → .env) and sandbox (provisionSandbox.ts → .env.sandbox) configs don't collide. .gitignore widened to .env* (keeping .env.example tracked). .env.example rewritten to document the two-file convention + the per-env kubectl secret sources, including the caveat that a prod-seeded sandbox uses PROD's admin password. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 test/.env.example | 32 ++++++++++++++++++++------------
 test/.gitignore | 7 ++++---
 test/provisionSandbox.ts | 4 +++-
 3 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/test/.env.example b/test/.env.example
index ec7e5ad..a4364e5 100644
--- a/test/.env.example
+++ b/test/.env.example
@@ -1,19 +1,27 @@
-# --- Production / default target (main.ts) ---
+# Copy this template to one of:
+# .env — production target, loaded by main.ts
+# .env.sandbox — sandbox target, loaded by provisionSandbox.ts
+# Both are gitignored. Never commit real secret values.
+
+# --- Target ---
+# prod: https://erp.arcodange.lab (.env)
+# sandbox: https://erp-sandbox.arcodange.lab (.env.sandbox)
 DOLIBARR_ADDRESS=https://erp.arcodange.lab
-DOLI_DB_PASSWORD=
+
 DOLI_ADMIN_LOGIN=admin
 DOLI_ADMIN_PASSWORD=""
+DOLI_DB_PASSWORD=""
 ROOT_FOLDER=$HOME/erp
 
-# --- Sandbox provisioning (provisionSandbox.ts) ---
-# Point at the sandbox and reuse the DOLI_ADMIN_* vars above for the admin login.
-# Populate from the erp-sandbox namespace secrets (see "Provision the sandbox" in
-# README.md):
-# DOLI_ADMIN_PASSWORD <- secret `secretkv` (-n erp-sandbox)
-# DOLI_DB_PASSWORD <- secret `vso-db-credentials` (-n erp-sandbox)
-# Override DOLIBARR_ADDRESS to the sandbox when running provisionSandbox.ts:
-# DOLIBARR_ADDRESS=https://erp-sandbox.arcodange.lab
+# Populate the passwords from the cluster secrets, e.g. (prod shown):
+# DOLI_ADMIN_PASSWORD <- kubectl get secret secretkv -n erp -o jsonpath='{.data.DOLI_ADMIN_PASSWORD}' | base64 -d
+# DOLI_DB_PASSWORD <- kubectl get secret vso-db-credentials -n erp -o jsonpath='{.data.password}' | base64 -d
 #
-# Optional: fix the new user's password (otherwise one is generated and only the
-# API key is emitted). Never commit a real value here.
+# NOTE for a sandbox SEEDED from prod (ops/sandbox/sandbox-lifecycle.sh): the seed
+# clones prod's admin password into the sandbox, so .env.sandbox's
+# DOLI_ADMIN_PASSWORD must be PROD's admin password (-n erp), not the sandbox
+# secretkv. The DB password is the sandbox's own (-n erp-sandbox).
+
+# Optional: fix the provisioned user's password (else one is generated and only
+# the API key is emitted to .ai_agent_sandbox.key).
 # AI_AGENT_SANDBOX_PASSWORD=""
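Review bot: The template keeps `DOLIBARR_ADDRESS=https://erp.arcodange.lab` as the live default, so a `.env.sandbox` copied from this file and not edited still points provisionSandbox.ts at prod, and the NOTE further down says that same file is expected to carry prod's admin password — together an unedited copy hands the sandbox provisioner a working prod credential set. I'd ship the target empty so an unedited copy has no host rather than the prod one, `DOLIBARR_ADDRESS=`, and say so next to it: `# Required — leave empty in the template; use the prod or sandbox host from the comment above.` The two `_PASSWORD=""` lines are already empty and need no change.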
diff --git a/test/.gitignore b/test/.gitignore
index 6b33d05..3443b4e 100644
--- a/test/.gitignore
+++ b/test/.gitignore
@@ -1,5 +1,6 @@
-# Secrets — never commit. The root .gitignore already covers .env and *.key;
-# this is defense-in-depth for the provisioning POC.
-.env
+# Secrets — never commit. Covers .env (prod, main.ts) and .env.sandbox
+# (sandbox, provisionSandbox.ts), plus any generated *.key.
+.env*
+!.env.example
 .ai_agent_sandbox.key
 *.key
diff --git a/test/provisionSandbox.ts b/test/provisionSandbox.ts
index ef24327..7fd0261 100644
--- a/test/provisionSandbox.ts
+++ b/test/provisionSandbox.ts
@@ -1,4 +1,6 @@
-import "load_dotenv";
+import { loadSync } from "jsr:@std/dotenv";
+// Sandbox provisioning loads its OWN .env.sandbox; prod config stays in .env (main.ts).
+loadSync({ envPath: ".env.sandbox", export: true });
 import { chromium } from "playwright";
 import path from "node:path";
 import login from "./scripts/login.ts";
-- 
2.49.1
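Review bot: `loadSync({ envPath: ".env.sandbox", export: true })` does not by itself guarantee the sandbox values are the ones in effect: as far as I know @std/dotenv's `export` skips keys already present in the process environment and returns `{}` when the file is absent, so a shell that still carries a prod `DOLIBARR_ADDRESS` or `DOLI_ADMIN_PASSWORD`, or a run from a directory other than test/ where the relative path resolves to nothing, lets the provisioner proceed against whatever target is inherited. Static imports are also hoisted, so unlike the old side-effect `import "load_dotenv"` this call runs only after `./scripts/login.ts` and the other imports have evaluated; if any of them read the environment at module load they see the pre-load state, and the loader would need to move into a small module imported first. I'd capture the parsed result, refuse to run when it lacks `DOLIBARR_ADDRESS`, and set the keys explicitly so the file wins over inherited values. The module continues past the end of the hunk.
```typescript
import { loadSync } from "jsr:@std/dotenv";
// … unchanged: playwright / node:path / ./scripts/login.ts imports …

// Sandbox provisioning loads its OWN .env.sandbox; prod config stays in .env (main.ts).
// Parse without `export` so a value already exported in the shell cannot shadow the file,
// and refuse to run when the file is missing or names no target.
const sandboxEnv = loadSync({ envPath: ".env.sandbox" });
if (!sandboxEnv.DOLIBARR_ADDRESS) {
  throw new Error(".env.sandbox not found or DOLIBARR_ADDRESS unset; refusing to provision");
}
for (const [key, value] of Object.entries(sandboxEnv)) {
  Deno.env.set(key, value);
}
```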