feat: VPS launch-proof contract on the existing /v1/vm path #29
Human-in-the-loop completion of the Engineering Loop's draft (issue #28):
- drop unused `sqlalchemy.update` import (ruff)
- coerce `_safe_getattr` results to str before VMStatus()/operator_message so mypy is satisfied (object -> str|None)

The loop authored the contract (models, routes, orchestrator, launch_proof service, tests, docs); these three fixes make it green: ruff clean, mypy clean (80 files), 189 pytest passed.

Co-Authored-By: hyrule-engineering-loop[bot] <noreply@as215932.net>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0949be2f1e
| if not use_real_provisioning(): | ||
| await self._simulate_provisioning(vm_id) | ||
| return |
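Review bot: the `if not use_real_provisioning():` branch makes the simulated path the default whenever the new opt-in variable is absent, so a deploy that only sets the existing XCPNG_* settings never reaches the real provisioning code and still marks the paid VM ready. Invert the default (real provisioning unless an explicit simulate flag is set) and log which path was taken, so a misconfiguration shows up in the provisioning logs rather than as a "ready" VM with a documentation IPv6.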
Default to real provisioning on paid creates
With this guard, every environment that does not set the new HCP_LAUNCH_PROOF_REAL_XCPNG=1 variable now bypasses the existing XCP-NG/DNS/Openprovider path and marks paid VMs ready via _simulate_provisioning instead. I searched the repo and the deployment/config docs only define the existing XCPNG_* settings, so a normal production deploy would accept payment but never create a real VM, returning a fake documentation IPv6 instead.
| dns_aaaa_verified=lp["dns_aaaa_verified"], | ||
| ssh_smoke_status=lp["ssh_smoke_status"], | ||
| rollback_available=lp["rollback_available"], | ||
| operator_message=lp["operator_message"], |
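Review bot: `operator_message=lp["operator_message"]` puts a field sourced from `row.error` into the same object the unauthenticated status route serializes. Split the schema: keep `dns_aaaa_verified`, `ssh_smoke_status` and `rollback_available` in the public model, move `operator_message` to the authenticated operator response, and add a test that the public status body for a failed VM contains no `operator_message` key.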
Keep operator errors out of the public status response
GET /v1/vm/{id}/status is explicitly unauthenticated/public, but this now serializes operator_message, and build_launch_proof populates it from row.error for failed VMs. In the failure scenario covered by the new tests, anyone with the VM id can read provider-internal errors such as XCP-NG/RPC details and UUIDs from the public status page, defeating the existing sanitized status contract; this field needs to be omitted here or only returned from an authenticated operator route.
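One way to address both review points above, as an added example that is not the project's code: a public launch-proof view that never carries `row.error`, an operator-only view that does, and a provisioning flag that defaults to the real path. `VmRow`, `build_public_status`, `build_operator_status` and the `HCP_LAUNCH_PROOF_SIMULATE` variable are assumed names for illustration; the row fields mirror those visible in the diff.

```python
"""Added example, not the project's code. Names marked 'assumed' are hypothetical."""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Dict, Mapping, Optional


@dataclass
class VmRow:  # assumed stand-in for the ORM row used by the status route
    id: str
    status: str
    dns_aaaa_verified: bool
    ssh_smoke_status: str
    rollback_available: bool
    error: Optional[str] = None  # raw provider text, e.g. an XCP-NG RPC failure


# Launch-proof fields that are safe on the unauthenticated status route.
PUBLIC_FIELDS = ("dns_aaaa_verified", "ssh_smoke_status", "rollback_available")

# Fixed wording for failures; it carries no provider-internal detail.
PUBLIC_FAILURE_TEXT = "provisioning failed; contact support with your VM id"


def build_public_status(row: VmRow) -> Dict[str, object]:
    """Body for the public GET /v1/vm/{id}/status view. Never includes row.error."""
    body: Dict[str, object] = {"id": row.id, "status": row.status}
    body.update({name: getattr(row, name) for name in PUBLIC_FIELDS})
    if row.status == "failed":
        body["message"] = PUBLIC_FAILURE_TEXT
    return body


def build_operator_status(row: VmRow) -> Dict[str, object]:
    """Body for an authenticated operator route: the public view plus the raw error."""
    body = build_public_status(row)
    body["operator_message"] = row.error
    return body


def use_real_provisioning(env: Optional[Mapping[str, str]] = None) -> bool:
    """Fail closed: real provisioning unless HCP_LAUNCH_PROOF_SIMULATE=1 (assumed name) opts out."""
    env = os.environ if env is None else env
    return env.get("HCP_LAUNCH_PROOF_SIMULATE", "0") != "1"
```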
Change class: app_feature
Repos touched:
Senior role reviews:
Source-of-truth files consulted:
Validation gates run:
Expected production impact: none
Rollback plan: Discard the generated feature worktree and branch; no production state was changed.
NOC handoff
Post-deploy checks
Operator notes
Closes #28