[ADD] CI jobs for demo runtime proof and runtime integration with branch protection notes

Dmi3yy · Dmi3yy · commit 8e5da356c8c8 · 2026-03-03T12:51:23.000+07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,6 +7,11 @@ on:
   pull_request:
   workflow_dispatch:
     inputs:
+      run_demo_runtime:
+        description: 'Run demo runtime proof (make demo-all + artifacts)'
+        required: false
+        default: false
+        type: boolean
       run_runtime_integration:
         description: 'Run runtime integration checks against deployed environment'
         required: false
@@ -37,7 +42,11 @@ jobs:
 
   runtime-integration:
     needs: checks
-    if: ${{ github.event_name == 'workflow_dispatch' && inputs.run_runtime_integration == true }}
+    if: >-
+      ${{
+        (github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release/'))
+        || (github.event_name == 'workflow_dispatch' && inputs.run_runtime_integration == true)
+      }}
     runs-on: ubuntu-latest
     env:
       EMCP_INTEGRATION_ENABLED: '1'
@@ -61,5 +70,74 @@ jobs:
       - name: Install dependencies
         run: composer install --no-interaction --prefer-dist --no-progress
 
+      - name: Validate live runtime secrets
+        run: |
+          set -eu
+          missing=""
+          for var in EMCP_BASE_URL EMCP_SERVER_HANDLE EMCP_API_PATH EMCP_API_TOKEN; do
+            eval "value=\${$var:-}"
+            if [ -z "$value" ]; then
+              missing="$missing $var"
+            fi
+          done
+          if [ -n "$missing" ]; then
+            echo "Missing required secrets/env for runtime integration:$missing" >&2
+            exit 1
+          fi
+
       - name: Runtime integration checks
-        run: composer run test:integration:runtime
+        run: |
+          set -eu
+          export EMCP_DISPATCH_CHECK="${EMCP_DISPATCH_CHECK:-1}"
+          composer run test:integration:runtime | tee runtime-live.log
+
+      - name: Upload runtime integration artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: runtime-live-log
+          path: runtime-live.log
+          if-no-files-found: warn
+
+  demo-runtime-proof:
+    needs: checks
+    if: >-
+      ${{
+        (github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release/'))
+        || (github.event_name == 'workflow_dispatch' && inputs.run_demo_runtime == true)
+      }}
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
+      DEMO_JWT_SECRET: emcp-demo-secret-0123456789abcdef0123456789abcdef
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          coverage: none
+
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist --no-progress
+
+      - name: Install Evolution installer
+        run: |
+          set -eu
+          composer global require evolution-cms/installer --no-interaction --no-progress
+          echo "$(composer global config bin-dir --absolute)" >> "$GITHUB_PATH"
+
+      - name: Run demo runtime proof
+        run: make demo-all
+
+      - name: Upload demo runtime artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: demo-runtime-artifacts
+          path: |
+            demo/logs.md
+            /tmp/emcp-demo-php-server.log
+          if-no-files-found: warn
diff --git a/PRD.md b/PRD.md
@@ -20,7 +20,7 @@
 - Автоматично генерується `demo/logs.md` з деталями токена, MCP запитів/відповідей, manual-check командами і негативними probe-кейсами (`401/403/413/415/409/429`, `evo.model.get(User)` sanity).
 
 Залишок до RC-1 (core platform hardening):
-- live runtime integration job у GitHub Actions зі staging env/secrets;
+- branch protection required-check enforcement для CI runtime jobs (`demo-runtime-proof`, `runtime-integration`) на `release/*`;
 - live async checks для `sTask` (progress/result/retry/failover);
 - live stream/rate-limit операційні перевірки;
 - зафіксовані RC evidence артефакти (security sanity + performance baseline).
diff --git a/README.md b/README.md
@@ -280,6 +280,10 @@ EMCP_DISPATCH_CHECK=1 \
 composer run test:integration:runtime
 ```
 
+CI release note:
+- `.github/workflows/ci.yml` runs `demo-runtime-proof` and `runtime-integration` on `release/*` pushes.
+- Configure branch protection to make these jobs required for RC/release merges.
+
 ## Async (sTask-first)
 If `queue.driver=stask` and `sTask` is installed, eMCP can run long MCP calls via worker `emcp_dispatch`.
 If sTask is missing, fallback behavior follows `queue.failover` (`sync` or `fail`).
diff --git a/README.uk.md b/README.uk.md
@@ -279,6 +279,10 @@ EMCP_DISPATCH_CHECK=1 \
 composer run test:integration:runtime
 ```
 
+CI release примітка:
+- `.github/workflows/ci.yml` запускає `demo-runtime-proof` і `runtime-integration` на push у `release/*`.
+- Для RC/release merge треба увімкнути branch protection і позначити ці jobs як required checks.
+
 ## Async через sTask
 Якщо `queue.driver=stask` і `sTask` встановлений, довгі MCP виклики виконуються через воркер `emcp_dispatch`.
 Якщо `sTask` відсутній — fallback визначається `queue.failover` (`sync` або `fail`).
diff --git a/SPEC.md b/SPEC.md
@@ -20,7 +20,7 @@ Current validation snapshot (2026-03-03):
 - One-click verification writes `demo/logs.md` with request/response evidence, negative transport/security probes (`401/403/413/415/409/429`) and model-safety sanity (`evo.model.get(User)` without sensitive fields).
 
 Open RC-1 validation scope:
-- live CI runtime integration (external env/secrets) is not yet mandatory-on-push;
+- live CI runtime integration jobs are wired for `release/*` pushes (`demo-runtime-proof`, `runtime-integration`), but branch-protection required-check enforcement must be configured in repository settings;
 - live async `sTask` e2e checks (queue lifecycle/progress/failover) are not yet enforced in CI;
 - live stream/rate-limit infra checks remain pending as RC evidence.
 
diff --git a/TASKS.md b/TASKS.md
@@ -233,6 +233,8 @@ DoD:
 - [x] Baseline unit test for model allowlist leakage (sensitive fields never exposed).
 - [ ] Integration tests for manager/API MCP endpoints.
 - [x] Add runtime integration harness script for manager/API/dispatch verification against deployed environment.
+- [x] Add release-branch CI runtime jobs (`demo-runtime-proof`, `runtime-integration`) with artifacts (`demo/logs.md`, `runtime-live.log`).
+- [ ] Configure repository branch protection to require `demo-runtime-proof` and `runtime-integration` on `release/*`.
 - [ ] Streaming tests under typical PHP-FPM constraints.
 - [ ] Async tests for `sTask` path and failover.
 - [x] Baseline feature-behavior test for dispatch idempotency semantics (`reuse` and `409 conflict`) with policy deny path.
diff --git a/scripts/demo_verify.sh b/scripts/demo_verify.sh
@@ -384,6 +384,7 @@ model_get_user_payload='{"jsonrpc":"2.0","id":"model-doc","method":"tools/call",
 dispatch_payload_a='{"jsonrpc":"2.0","id":"d1-doc","method":"tools/call","params":{"name":"evo.content.search","arguments":{"limit":1,"offset":0}}}'
 dispatch_payload_b='{"jsonrpc":"2.0","id":"d2-doc","method":"tools/call","params":{"name":"evo.content.search","arguments":{"limit":2,"offset":0}}}'
 dispatch_url="${mcp_url}/dispatch"
+rate_limit_identity_type='api:jwt (sapi.jwt.user_id/sapi.jwt.sub; fallback ip)'
 
 unauth_headers_file="${TMP_DIR}/unauth.headers"
 unauth_raw=$(curl -sS -D "${unauth_headers_file}" \
@@ -455,10 +456,15 @@ dispatch_a_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispat
 dispatch_a_http_code=$(printf '%s' "${dispatch_a_raw}" | sed -n 's/^__HTTP_CODE__://p' | tail -n 1)
 dispatch_a_response=$(printf '%s' "${dispatch_a_raw}" | sed '/^__HTTP_CODE__:/d')
 
-dispatch_b_headers="${TMP_DIR}/dispatch-b.headers"
-dispatch_b_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispatch_payload_b}" "${dispatch_b_headers}" "Idempotency-Key: demo-verify-k1" "${dispatch_url}")
-dispatch_b_http_code=$(printf '%s' "${dispatch_b_raw}" | sed -n 's/^__HTTP_CODE__://p' | tail -n 1)
-dispatch_b_response=$(printf '%s' "${dispatch_b_raw}" | sed '/^__HTTP_CODE__:/d')
+dispatch_reuse_headers="${TMP_DIR}/dispatch-reuse.headers"
+dispatch_reuse_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispatch_payload_a}" "${dispatch_reuse_headers}" "Idempotency-Key: demo-verify-k1" "${dispatch_url}")
+dispatch_reuse_http_code=$(printf '%s' "${dispatch_reuse_raw}" | sed -n 's/^__HTTP_CODE__://p' | tail -n 1)
+dispatch_reuse_response=$(printf '%s' "${dispatch_reuse_raw}" | sed '/^__HTTP_CODE__:/d')
+
+dispatch_conflict_headers="${TMP_DIR}/dispatch-conflict.headers"
+dispatch_conflict_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispatch_payload_b}" "${dispatch_conflict_headers}" "Idempotency-Key: demo-verify-k1" "${dispatch_url}")
+dispatch_conflict_http_code=$(printf '%s' "${dispatch_conflict_raw}" | sed -n 's/^__HTTP_CODE__://p' | tail -n 1)
+dispatch_conflict_response=$(printf '%s' "${dispatch_conflict_raw}" | sed '/^__HTTP_CODE__:/d')
 
 model_headers_file="${TMP_DIR}/model.headers"
 model_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${model_get_user_payload}" "${model_headers_file}")
@@ -650,7 +656,11 @@ Response:
 ${oversized_response}
 \`\`\`
 
-### 10) Gate C negative probe: 409 idempotency conflict
+Result-size cap probe:
+- status: \`pending\`
+- reason: requires larger dataset or temporary per-server \`max_result_bytes\` override in demo runtime.
+
+### 10) Gate C idempotency probes (reuse + conflict)
 
 First dispatch HTTP: \`${dispatch_a_http_code}\`
 
@@ -659,18 +669,26 @@ First dispatch response:
 ${dispatch_a_response}
 \`\`\`
 
-Conflicting dispatch HTTP: \`${dispatch_b_http_code}\`
+Reuse dispatch HTTP (same key + same payload): \`${dispatch_reuse_http_code}\`
+
+Reuse dispatch response:
+\`\`\`json
+${dispatch_reuse_response}
+\`\`\`
+
+Conflicting dispatch HTTP (same key + different payload): \`${dispatch_conflict_http_code}\`
 
 Conflicting dispatch response:
 \`\`\`json
-${dispatch_b_response}
+${dispatch_conflict_response}
 \`\`\`
 
 ### 11) rate-limit probe: 429 with Retry-After
 
 429 observed: \`${rate_limit_observed}\`
 Retry-After: \`${rate_retry_after}\`
 HTTP: \`${rate_limit_http_code}\`
+Rate-limit identity type: \`${rate_limit_identity_type}\`
 
 Response:
 \`\`\`json
diff --git a/tests/Integration/RuntimeIntegrationHttpTest.php b/tests/Integration/RuntimeIntegrationHttpTest.php
@@ -628,6 +628,14 @@ function issueHs256Jwt(array $payload, string $secret): string
         if (!in_array($dispatchA['status'], [200, 202], true)) {
             fail("{$label} dispatch first call expected 200/202, got {$dispatchA['status']}.");
         }
+        $dispatchAJson = decodeJson($dispatchA['body']);
+        if (($dispatchAJson['reused'] ?? null) !== false) {
+            fail("{$label} dispatch first call must return reused=false.");
+        }
+        if (($dispatchAJson['idempotency_key'] ?? null) !== $key) {
+            fail("{$label} dispatch first call missing idempotency_key.");
+        }
+        $dispatchATaskId = is_numeric($dispatchAJson['task_id'] ?? null) ? (int)$dispatchAJson['task_id'] : null;
 
         $dispatchB = httpPostJson($dispatchUrl, [
             'jsonrpc' => '2.0',
@@ -642,6 +650,17 @@ function issueHs256Jwt(array $payload, string $secret): string
         if (!in_array($dispatchB['status'], [200, 202], true)) {
             fail("{$label} dispatch reuse expected 200/202, got {$dispatchB['status']}.");
         }
+        $dispatchBJson = decodeJson($dispatchB['body']);
+        if (($dispatchBJson['reused'] ?? null) !== true) {
+            fail("{$label} dispatch reuse must return reused=true.");
+        }
+        if (($dispatchBJson['idempotency_key'] ?? null) !== $key) {
+            fail("{$label} dispatch reuse missing idempotency_key.");
+        }
+        $dispatchBTaskId = is_numeric($dispatchBJson['task_id'] ?? null) ? (int)$dispatchBJson['task_id'] : null;
+        if ($dispatchATaskId !== null && $dispatchATaskId > 0 && $dispatchBTaskId !== $dispatchATaskId) {
+            fail("{$label} dispatch reuse expected same task_id={$dispatchATaskId}, got " . (string)($dispatchBJson['task_id'] ?? 'null') . '.');
+        }
 
         $dispatchC = httpPostJson($dispatchUrl, [
             'jsonrpc' => '2.0',
@@ -656,6 +675,14 @@ function issueHs256Jwt(array $payload, string $secret): string
         if ($dispatchC['status'] !== 409) {
             fail("{$label} dispatch conflict expected 409, got {$dispatchC['status']}.");
         }
+        $dispatchCJson = decodeJson($dispatchC['body']);
+        if (($dispatchCJson['error']['code'] ?? null) !== 'idempotency_conflict') {
+            fail("{$label} dispatch conflict expected error.code=idempotency_conflict.");
+        }
+        $traceId = trim((string)($dispatchCJson['error']['trace_id'] ?? ''));
+        if ($traceId === '') {
+            fail("{$label} dispatch conflict missing error.trace_id.");
+        }
     }
 
     info("{$label} checks passed.");
