426e9eeabd
Voice Workbench / headless workbench (mocked backends) (push) Has been cancelled
Voice Workbench / real acoustic lane (nightly, provisioned only) (push) Has been cancelled
ci / test (push) Has been cancelled
ci / lint-and-format (push) Has been cancelled
ci / build (push) Has been cancelled
ci / dev-startup (push) Has been cancelled
gitleaks / gitleaks (push) Has been cancelled
Markdown Links / Relative Markdown Links (push) Has been cancelled
Quality (Extended) / Homepage Build (PR smoke) (push) Has been cancelled
Quality (Extended) / Comment-only diff guard (push) Has been cancelled
Quality (Extended) / Format + Type Safety Ratchet (push) Has been cancelled
Quality (Extended) / Develop Gate (secret scan + UI determinism) (push) Has been cancelled
Quality (Extended) / Develop Gate (lint) (push) Has been cancelled
Chat shell gestures / Chat shell gesture + parity e2e (push) Has been cancelled
Cloud Gateway Discord / Test (push) Has been cancelled
Benchmark Bridge Tests / benchmark (bunx @biomejs/biome check packages/lifeops-bench/src, benchmark-lint) (push) Has been cancelled
Benchmark Bridge Tests / benchmark (bunx vitest run --config packages/lifeops-bench/vitest.config.ts --root packages/lifeops-bench --passWithNoTests, benchmark-tests) (push) Has been cancelled
Build Agent Image / build-and-push (push) Has been cancelled
Dev Smoke / bun run dev onboarding chat (push) Has been cancelled
Dev Smoke / Vite HMR dependency-level smoke (push) Has been cancelled
Electrobun Submodule Guard / electrobun gitlink is fetchable (push) Has been cancelled
Publish @elizaos/example-code / check_npm (push) Has been cancelled
Publish @elizaos/example-code / publish_npm (push) Has been cancelled
Publish @elizaos/plugin-elizacloud / verify_version (push) Has been cancelled
Publish @elizaos/plugin-elizacloud / publish_npm (push) Has been cancelled
Sandbox Live Smoke / Sandbox live smoke (push) Has been cancelled
Snap Build & Test / Build Snap (amd64) (push) Has been cancelled
Snap Build & Test / Build Snap (arm64) (push) Has been cancelled
Test Packaging / elizaos CLI global-install smoke (node + bun) (push) Has been cancelled
Cloud Gateway Webhook / Test (push) Has been cancelled
Cloud Tests / lint-and-types (push) Has been cancelled
Cloud Tests / unit-tests (push) Has been cancelled
Cloud Tests / integration-tests (push) Has been cancelled
Cloud Tests / e2e-tests (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Deploy Apps Worker (Product 2) / Determine environment (push) Has been cancelled
Deploy Apps Worker (Product 2) / Deploy apps worker to apps-control host (${{ needs.determine-env.outputs.environment }}) (push) Has been cancelled
Deploy Eliza Provisioning Worker / Determine environment (push) Has been cancelled
Deploy Eliza Provisioning Worker / Deploy worker to Hetzner host (${{ needs.determine-env.outputs.environment }} @ ${{ needs.determine-env.outputs.deployment_sha }}) (push) Has been cancelled
Dev Smoke / Classify changed paths (push) Has been cancelled
supply-chain / sbom (push) Has been cancelled
supply-chain / vulnerability-scan (push) Has been cancelled
Build, Push & Deploy to Phala Cloud / build-and-push (push) Has been cancelled
Test Packaging / Validate Packaging Configs (push) Has been cancelled
Test Packaging / Build & Test PyPI Package (push) Has been cancelled
Test Packaging / PyPI on Python ${{ matrix.python }} (push) Has been cancelled
Test Packaging / Pack & Test JS Tarballs (push) Has been cancelled
UI Fixture E2E / ui-fixture-e2e (push) Has been cancelled
UI Fixture E2E / fixture-e2e (push) Has been cancelled
UI Story Gate / story-gate (push) Has been cancelled
vault-ci / test (macos-latest) (push) Has been cancelled
vault-ci / test (ubuntu-latest) (push) Has been cancelled
vault-ci / test (windows-latest) (push) Has been cancelled
vault-ci / app-core wiring tests (push) Has been cancelled
verify-patches / verify patches/CHECKSUMS.sha256 (push) Has been cancelled
Voice Benchmark Smoke / voice-emotion fixture smoke (push) Has been cancelled
Voice Benchmark Smoke / voiceagentbench fixture smoke (push) Has been cancelled
Voice Benchmark Smoke / voicebench-quality unit smoke (push) Has been cancelled
Voice Benchmark Smoke / voicebench TypeScript unit (no audio) (push) Has been cancelled
Voice Benchmark Smoke / voice bench smoke summary (push) Has been cancelled
Windows CI / windows ([bun run --cwd packages/app-core test bun run --cwd packages/elizaos test bun run --cwd packages/cloud/shared test], app-and-cli) (push) Has been cancelled
Windows CI / windows ([bun run --cwd packages/scenario-runner test bun run --cwd packages/vault test bun run --cwd packages/security test bun run --cwd plugins/plugin-coding-tools test], framework-packages) (push) Has been cancelled
Windows CI / windows ([bun run --cwd plugins/plugin-elizacloud test bun run --cwd plugins/plugin-discord test bun run --cwd plugins/plugin-anthropic test bun run --cwd plugins/plugin-openai test bun run --cwd plugins/plugin-app-control test bun run --cwd plugins/pl… (push) Has been cancelled
Windows CI / windows ([node packages/scripts/run-turbo.mjs run build --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/agent --concurrency=4 node packages/scripts/run-bash-linux-only.mjs scripts/verify-riscv64-buildpaths.sh node packages/scripts/run… (push) Has been cancelled
Windows CI / windows ([node packages/scripts/run-turbo.mjs run typecheck --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/cloud-shared --concurrency=4 bun run --cwd packages/core test bun run --cwd packages/shared test], core-runtime, 75) (push) Has been cancelled
247 lines
9.0 KiB
TypeScript
247 lines
9.0 KiB
TypeScript
#!/usr/bin/env bun
|
|
/**
|
|
* LIVE multi-account orchestrator e2e (#9960) — the real-account counterpart to
|
|
* the secret-free `compose-multi-account-e2e.ts` (which uses a fake `acpx`).
|
|
*
|
|
* Seeds the account pool from CI/operator-provided real credentials — ≥1 (ideally
|
|
* 2) Claude `anthropic-subscription` OAuth tokens and ≥1 (ideally 2) Codex
|
|
* `openai-codex` `auth.json` blobs — then drives the REAL coding-account bridge
|
|
* to prove, per provider:
|
|
* - the bridge selects a healthy account and injects its credential into the
|
|
* spawn env (Claude → CLAUDE_CODE_OAUTH_TOKEN, Codex → per-account CODEX_HOME
|
|
* with a materialized auth.json),
|
|
* - consecutive selections ROTATE across DISTINCT accounts when ≥2 are present.
|
|
*
|
|
* Gated by ORCHESTRATOR_LIVE_MULTI_ACCOUNT=1 AND the presence of the credential
|
|
* env vars. With neither configured it SKIPS CLEANLY (exit 0 + ::notice::) so it
|
|
* never fails CI when the live secrets are absent — the scheduled lane relies on
|
|
* this. The proof is selection + credential injection + distinct-account
|
|
* rotation (no real spawn, so it does not burn task quota).
|
|
*
|
|
* Credential env vars (JSON or raw token; 1..N indexed):
|
|
* ELIZA_LIVE_CLAUDE_OAUTH_TOKEN_1 .. _N raw Claude Code OAuth token
|
|
* ELIZA_LIVE_CODEX_AUTH_JSON_1 .. _N full ~/.codex/auth.json contents
|
|
*
|
|
* Run:
|
|
* ORCHESTRATOR_LIVE_MULTI_ACCOUNT=1 bun \
|
|
* plugins/plugin-agent-orchestrator/scripts/live-multi-account-e2e.ts
|
|
*/
|
|
|
|
import { mkdtempSync, readFileSync } from "node:fs";
|
|
import os from "node:os";
|
|
import path from "node:path";
|
|
// Pure readiness assessor — no app-core graph, safe to import before the gate.
|
|
import { assessCodingAccountReadiness } from "../src/services/coding-account-selection.js";
|
|
|
|
// The runtime deps (account storage + coding-account bridge) pull in the full
|
|
// app-core/core graph. They are dynamically imported AFTER the gate so the
|
|
// clean-skip path never loads them — the scheduled lane invokes this with no
|
|
// secrets and must exit 0 without touching the build graph.
|
|
type SaveAccount = typeof import("@elizaos/auth/account-storage").saveAccount;
|
|
type GetBridge =
|
|
typeof import("../../../packages/app-core/src/services/coding-account-bridge.ts").getCodingAgentSelectorBridge;
|
|
let saveAccount: SaveAccount;
|
|
let getCodingAgentSelectorBridge: GetBridge;
|
|
|
|
const log = (m: string) => console.log(`[live-multi-account] ${m}`);
|
|
const notice = (m: string) => console.log(`::notice::${m}`);
|
|
|
|
function gatedOff(reason: string): never {
|
|
notice(`live multi-account e2e skipped — ${reason}`);
|
|
process.exit(0);
|
|
}
|
|
|
|
function jwtExpMs(jwt: string): number {
|
|
try {
|
|
const p = jwt.split(".")[1] ?? "";
|
|
const json = JSON.parse(
|
|
Buffer.from(
|
|
p + "=".repeat((4 - (p.length % 4)) % 4),
|
|
"base64url",
|
|
).toString("utf-8"),
|
|
);
|
|
return typeof json.exp === "number" ? json.exp * 1000 : 0;
|
|
} catch {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
/** Collect ELIZA_LIVE_<base>_1.._N env values (stops at the first gap). */
|
|
function collectIndexed(base: string): string[] {
|
|
const out: string[] = [];
|
|
for (let i = 1; i <= 16; i++) {
|
|
const v = process.env[`${base}_${i}`]?.trim();
|
|
if (v) out.push(v);
|
|
}
|
|
return out;
|
|
}
|
|
|
|
function seedClaude(tokens: string[]): string[] {
|
|
const ids: string[] = [];
|
|
tokens.forEach((token, idx) => {
|
|
const id = `live-claude-${idx + 1}`;
|
|
saveAccount({
|
|
id,
|
|
providerId: "anthropic-subscription",
|
|
label: `Live Claude ${idx + 1}`,
|
|
source: "oauth",
|
|
credentials: { access: token, refresh: "", expires: jwtExpMs(token) },
|
|
createdAt: Date.now(),
|
|
updatedAt: Date.now(),
|
|
});
|
|
ids.push(id);
|
|
});
|
|
return ids;
|
|
}
|
|
|
|
function seedCodex(blobs: string[]): string[] {
|
|
const ids: string[] = [];
|
|
blobs.forEach((blob, idx) => {
|
|
const auth = JSON.parse(blob);
|
|
const access = auth?.tokens?.access_token as string | undefined;
|
|
const refresh = (auth?.tokens?.refresh_token as string | undefined) ?? "";
|
|
const idToken = auth?.tokens?.id_token as string | undefined;
|
|
const accountId = auth?.tokens?.account_id as string | undefined;
|
|
if (!access || !accountId) {
|
|
log(
|
|
`SKIP codex blob ${idx + 1}: not a ChatGPT login (no access/account_id)`,
|
|
);
|
|
return;
|
|
}
|
|
const id = `live-codex-${idx + 1}`;
|
|
saveAccount({
|
|
id,
|
|
providerId: "openai-codex",
|
|
label: `Live Codex ${idx + 1}`,
|
|
source: "oauth",
|
|
credentials: {
|
|
access,
|
|
refresh,
|
|
expires: jwtExpMs(access),
|
|
...(idToken ? { idToken } : {}),
|
|
},
|
|
createdAt: Date.now(),
|
|
updatedAt: Date.now(),
|
|
organizationId: accountId,
|
|
});
|
|
ids.push(id);
|
|
});
|
|
return ids;
|
|
}
|
|
|
|
async function assertRotation(
|
|
agentType: "claude" | "codex",
|
|
expectedEnvKey: string,
|
|
seededIds: string[],
|
|
): Promise<void> {
|
|
const bridge = getCodingAgentSelectorBridge();
|
|
if (!bridge) throw new Error("coding-account bridge not installed");
|
|
|
|
// Two consecutive selections under least-used must rotate across distinct
|
|
// accounts when ≥2 are seeded; with 1 account both pick it (no rotation).
|
|
const first = await bridge.select(agentType, { strategy: "least-used" });
|
|
if (!first) throw new Error(`${agentType}: bridge selected no account`);
|
|
if (!first.envPatch[expectedEnvKey]) {
|
|
throw new Error(`${agentType}: env patch missing ${expectedEnvKey}`);
|
|
}
|
|
log(`${agentType} #1 -> ${first.accountId} (${expectedEnvKey} injected)`);
|
|
|
|
const second = await bridge.select(agentType, {
|
|
strategy: "least-used",
|
|
exclude: [first.accountId],
|
|
});
|
|
if (seededIds.length >= 2) {
|
|
if (!second || second.accountId === first.accountId) {
|
|
throw new Error(
|
|
`${agentType}: expected a DISTINCT 2nd account, got ${second?.accountId ?? "none"}`,
|
|
);
|
|
}
|
|
log(`${agentType} #2 -> ${second.accountId} (distinct ✓)`);
|
|
} else {
|
|
log(`${agentType}: only 1 account seeded — rotation not asserted`);
|
|
}
|
|
}
|
|
|
|
async function main(): Promise<void> {
|
|
if (process.env.ORCHESTRATOR_LIVE_MULTI_ACCOUNT !== "1") {
|
|
gatedOff("ORCHESTRATOR_LIVE_MULTI_ACCOUNT is not 1");
|
|
}
|
|
const claudeTokens = collectIndexed("ELIZA_LIVE_CLAUDE_OAUTH_TOKEN");
|
|
const codexBlobs = collectIndexed("ELIZA_LIVE_CODEX_AUTH_JSON");
|
|
if (claudeTokens.length === 0 || codexBlobs.length === 0) {
|
|
gatedOff(
|
|
`need ≥1 Claude token AND ≥1 Codex auth blob (have claude=${claudeTokens.length} codex=${codexBlobs.length})`,
|
|
);
|
|
}
|
|
|
|
const home = mkdtempSync(path.join(os.tmpdir(), "live-multi-account-"));
|
|
process.env.ELIZA_HOME = home;
|
|
process.env.ELIZA_STATE_DIR = home;
|
|
process.env.ELIZA_ACP_STATE_DIR = path.join(home, "acp");
|
|
process.env.ELIZA_CODING_ACCOUNT_STRATEGY ??= "least-used";
|
|
|
|
// Gate passed and credentials present — now load the runtime graph.
|
|
({ saveAccount } = await import("@elizaos/auth/account-storage"));
|
|
({ getCodingAgentSelectorBridge } = await import(
|
|
"../../../packages/app-core/src/services/coding-account-bridge.ts"
|
|
));
|
|
|
|
const claudeIds = seedClaude(claudeTokens);
|
|
const codexIds = seedCodex(codexBlobs);
|
|
log(
|
|
`seeded ${claudeIds.length} Claude + ${codexIds.length} Codex account(s)`,
|
|
);
|
|
if (claudeIds.length === 0 || codexIds.length === 0) {
|
|
throw new Error("seeding produced no usable account for one provider");
|
|
}
|
|
|
|
await assertRotation("claude", "CLAUDE_CODE_OAUTH_TOKEN", claudeIds);
|
|
await assertRotation("codex", "CODEX_HOME", codexIds);
|
|
|
|
// Loud readiness gate (#9960): the seeded pool must actually be ready for live
|
|
// coding work — ≥1 healthy Claude AND ≥1 healthy Codex, and ≥2 each (rotation
|
|
// posture) when ≥2 of each were seeded. A thin/unhealthy pool fails HERE
|
|
// instead of silently degrading to single-account at spawn time.
|
|
const wantRotation = claudeIds.length >= 2 && codexIds.length >= 2;
|
|
const readiness = assessCodingAccountReadiness(
|
|
getCodingAgentSelectorBridge()?.describe() ?? {},
|
|
{ rotation: wantRotation },
|
|
);
|
|
if (!readiness.ready) {
|
|
throw new Error(
|
|
`account-readiness gate failed (rotation=${wantRotation}): ${readiness.problems.join("; ")}`,
|
|
);
|
|
}
|
|
log(
|
|
`readiness OK (rotation=${wantRotation}) — ${readiness.providers
|
|
.map((p) => `${p.agentType}:${p.healthy}/${p.required}`)
|
|
.join(" ")}`,
|
|
);
|
|
|
|
// Materialization check: Codex selection writes a per-account auth.json.
|
|
const bridge = getCodingAgentSelectorBridge();
|
|
const codexSel = await bridge?.select("codex", { strategy: "least-used" });
|
|
const codexHome = codexSel?.envPatch.CODEX_HOME;
|
|
if (codexHome) {
|
|
const materialized = JSON.parse(
|
|
readFileSync(path.join(codexHome, "auth.json"), "utf-8"),
|
|
);
|
|
if (materialized?.auth_mode !== "chatgpt") {
|
|
throw new Error("materialized Codex auth.json is not chatgpt-mode");
|
|
}
|
|
log(`Codex CODEX_HOME materialized auth.json (auth_mode=chatgpt ✓)`);
|
|
}
|
|
|
|
log("PASS — real Claude + Codex accounts selected, injected, and rotated");
|
|
}
|
|
|
|
main().then(
|
|
() => process.exit(0),
|
|
(err) => {
|
|
console.error(
|
|
`[live-multi-account] FAIL: ${err instanceof Error ? err.message : String(err)}`,
|
|
);
|
|
process.exit(1);
|
|
},
|
|
);
|