# Shopfloor enforcer regression tests

Lightweight harness for end-to-end validation of `GE-Enforce.ps1` +
`Install-FromManifest.ps1` against the v2 staging tree, using the Win11
analyzer VM as a synthetic shopfloor PC.

## Files

- `vm-test-harness.ps1` — setup + invocation of GE-Enforce inside the VM.
  Accepts `-PCType` and `-PCSubType` parameters. Creates
  `C:\Enrollment\` stubs (pc-type.txt, pc-subtype.txt, site-config.json),
  stages the enforcer runtime from `\\192.168.122.1\pxe-images\enforcer-stage\`,
  injects a fake SFLD credential in `HKLM:\SOFTWARE\GE\SFLD\Credentials\samba`
  pointing at the host's samba share as if it were tsgwp00525, then runs
  `GE-Enforce.ps1` with output captured.

## Prereqs

- `win11` libvirt VM running, IP reachable at 192.168.122.210
- qemu-guest-agent exec path available (`/tmp/guest-exec.sh`)
- host samba shares `pxe-images` + `windows-projects` writable by `camp` user
- enforcer staged at `/home/camp/pxe-images/enforcer-stage/` (via
  `cp <repo>/common/GE-Enforce.ps1 <repo>/common/lib/Install-FromManifest.ps1
  /home/camp/pxe-images/enforcer-stage/`)
- v2 share staging at `/home/camp/pxe-images/tsgwp00525-v2/...`

## Usage

From the repo root on the host:

```bash
# Round 1: Shopfloor scope (exercises common manifest, PCTypes filter for Oracle)
B64=$(iconv -f UTF-8 -t UTF-16LE common/test/vm-test-harness.ps1 | base64 -w0)
/tmp/guest-exec.sh powershell.exe "[\"-NoProfile\",\"-EncodedCommand\",\"$B64\"]"
```

Or with non-default pcType (wrap in a tiny outer script that sets parameters):

```bash
cat > /tmp/round.ps1 <<'EOF'
$PCType = 'Standard'
$PCSubType = 'Machine'
EOF
sed -n '/^param(/,/^)/!p' common/test/vm-test-harness.ps1 >> /tmp/round.ps1
B64=$(iconv -f UTF-8 -t UTF-16LE /tmp/round.ps1 | base64 -w0)
/tmp/guest-exec.sh powershell.exe "[\"-NoProfile\",\"-EncodedCommand\",\"$B64\"]"
```

## What each round validates

| Round | pcType / pcSubType | Exercises |
|---|---|---|
| 1 | Shopfloor / — | common manifest only, PCTypes filter (Oracle skips) |
| 2 | Standard / Machine | common + standard-machine manifests, eDNC upgrade detection, UDC skip, eMxInfo cmd |
| 3 | Keyence / — | common + keyence manifest, VR-6000 MSI detection, pnputil INF detection |
| 4 | Display / — | common + display manifest, kiosk-setup CMD wrapper |
| 5 (composite) | Shopfloor with a corrupted manifest / bad SFLD creds / tampered local XML | graceful-degradation paths + upgrade/rollback via hash mismatch |

See the main repo enforcer design doc (TBD) for scenario details.

## Known cleanup after test runs

- The harness intentionally leaves installed apps in place (Acrobat Reader DC,
  WJF Defect Tracker, 3OF9 font, Edge site-list XML, Firefox if tested).
  To reset to a clean baseline, revert the VM to the `clean-base` libvirt
  snapshot: `virsh snapshot-revert win11 clean-base`.

- Orphan `msiexec.exe` workers from long-running installs (UDC_Setup,
  PC-DMIS) can leave the MSI mutex held, blocking the next install with
  1619/1618. Between rounds if you hit this:

  ```powershell
  Get-Process -Name msiexec -ErrorAction SilentlyContinue | Stop-Process -Force
  ```

  Note: a Stage 2b lib improvement is planned to retry once on 1618 after
  killing stale msiexec processes.