pxe-server

ge-aerospace/pxe-server

Fork 0

Commit Graph

Author	SHA1	Message	Date
cproudlock	eaf2dbf167	test harness: smoke-pass B-enforce, fix four issues Harness now passes 9/9 across baseline + heal + idempotent phases on the win11 VM (Standard/Machine), with 6 drift scenarios applied + healed between the baseline and heal cycles in ~30s total. Fixes: 1. lib/qga-run.py - extracted the qga round-trip out of an inline `python3 - <<PY` heredoc. The inline form clobbered stdin (heredoc replaces stdin to feed python the script, leaving sys.stdin empty for the PowerShell snippet the function caller piped in). 2. lib/qga.sh - dropped `set -euo pipefail`. When sourced, it leaked into the harness shell. Then any captured `out=$(qga_run_ps ...)` that exited non-zero (verify-state.ps1 returns 1 on any FAIL, normal during drift phases) would silently abort the harness. Callers handle non-zero with `\|\| rc=$?`. 3. B-enforce/run.sh do_verify - rewritten to capture rc, parse summary line, distinguish expect_pass=true vs false, route to ok / fail helper without aborting the harness on a normal non-zero verify. 4. matrix.json WJF Defect Tracker entry - switched detection from File to Registry (uninstall key DisplayVersion). The MSI does not drop the Defect_Tracker.exe artifact at the documented path even though the manifest's File detection treats it as installed; the uninstall reg entry is the reliable install marker. v2 manifest's File detection path may also need fixing, separate task. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 17:45:06 -04:00
cproudlock	db1cdf7aee	test harness: Path B (manifest-engine) for Standard-Machine Initial harness scaffolding per SCOPE.md. Drives the win11 analyzer VM via qemu-guest-agent (runs as NT AUTHORITY\SYSTEM, same context as GE-Enforce in production - see reference-vm-qga-as-system memory note for why this is preferred over WinRM). Pieces: - lib/qga.sh - host-side helpers (qga round-trip, snapshot revert, share mount via cmdkey + net use, file upload). Source from any harness script. - lib/verify-state.ps1 - VM-side detection runner. Parses matrix.json, walks each app's verify block, prints PASS/FAIL with detail, exits 0 only if every check passes. Methods: Registry, File, FileVersion, Hash, FileGrep. - matrix.json - PC-type matrix data. Currently only Standard/Machine rows populated (apps + drift scenarios). Extending to other PC types is just adding rows. - B-enforce/run.sh - 5-phase orchestrator (stage / baseline / tamper / heal / idempotent). Defaults to Standard/Machine. SKIP_REVERT=1 for faster iteration without burning the snapshot revert. - B-enforce/tamper.ps1 - applies driftScenarios from matrix.json. Methods: RegRemove, RegSet, FileDelete, FileOverwrite, FileGrepDelete. Path A (imaging-time install) and remaining 8 PC-type rows are next. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 17:15:37 -04:00

Author

SHA1

Message

Date

cproudlock

eaf2dbf167

test harness: smoke-pass B-enforce, fix four issues

Harness now passes 9/9 across baseline + heal + idempotent phases on the
win11 VM (Standard/Machine), with 6 drift scenarios applied + healed
between the baseline and heal cycles in ~30s total.

Fixes:

1. lib/qga-run.py - extracted the qga round-trip out of an inline
   `python3 - <<PY` heredoc. The inline form clobbered stdin (heredoc
   replaces stdin to feed python the script, leaving sys.stdin empty
   for the PowerShell snippet the function caller piped in).
2. lib/qga.sh - dropped `set -euo pipefail`. When sourced, it leaked
   into the harness shell. Then any captured `out=$(qga_run_ps ...)`
   that exited non-zero (verify-state.ps1 returns 1 on any FAIL,
   normal during drift phases) would silently abort the harness.
   Callers handle non-zero with `|| rc=$?`.
3. B-enforce/run.sh do_verify - rewritten to capture rc, parse summary
   line, distinguish expect_pass=true vs false, route to ok / fail
   helper without aborting the harness on a normal non-zero verify.
4. matrix.json WJF Defect Tracker entry - switched detection from File
   to Registry (uninstall key DisplayVersion). The MSI does not drop
   the Defect_Tracker.exe artifact at the documented path even though
   the manifest's File detection treats it as installed; the uninstall
   reg entry is the reliable install marker. v2 manifest's File
   detection path may also need fixing, separate task.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-02 17:45:06 -04:00

cproudlock

db1cdf7aee

test harness: Path B (manifest-engine) for Standard-Machine

Initial harness scaffolding per SCOPE.md. Drives the win11 analyzer VM
via qemu-guest-agent (runs as NT AUTHORITY\SYSTEM, same context as
GE-Enforce in production - see reference-vm-qga-as-system memory note
for why this is preferred over WinRM).

Pieces:

- lib/qga.sh - host-side helpers (qga round-trip, snapshot revert,
  share mount via cmdkey + net use, file upload). Source from any
  harness script.
- lib/verify-state.ps1 - VM-side detection runner. Parses matrix.json,
  walks each app's verify block, prints PASS/FAIL with detail, exits
  0 only if every check passes. Methods: Registry, File, FileVersion,
  Hash, FileGrep.
- matrix.json - PC-type matrix data. Currently only Standard/Machine
  rows populated (apps + drift scenarios). Extending to other PC types
  is just adding rows.
- B-enforce/run.sh - 5-phase orchestrator (stage / baseline / tamper /
  heal / idempotent). Defaults to Standard/Machine. SKIP_REVERT=1 for
  faster iteration without burning the snapshot revert.
- B-enforce/tamper.ps1 - applies driftScenarios from matrix.json.
  Methods: RegRemove, RegSet, FileDelete, FileOverwrite, FileGrepDelete.

Path A (imaging-time install) and remaining 8 PC-type rows are next.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-02 17:15:37 -04:00

2 Commits