From a751e544bef580c966f2a908fc939853b5232fbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?m=C3=BCde?=
Date: Thu, 14 May 2026 23:26:58 +0200
Subject: [PATCH] =?UTF-8?q?tests:=20approval.sh=20=E2=80=94=20Phase=205c?= =?UTF-8?q?=20end-to-end?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
tests/approval.sh | 91 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
create mode 100755 tests/approval.sh
diff --git a/tests/approval.sh b/tests/approval.sh
new file mode 100755
index 0000000..5848823
--- /dev/null
+++ b/tests/approval.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# Phase 5c end-to-end approval flow:
+# manager edits proposed -> commits -> request_apply_commit
+# user approves on host -> hive-c0re applies into authoritative repo -> rebuild
+# sub-agent container has the new package
+#
+# Runs as root on a host with services.hive-c0re enabled and the hm1nd
+# container declared. Idempotent — wipes any prior alice state.
+
+set -euo pipefail
+
+AGENT=alice
+PKG=htop
+
+cleanup() {
+ echo "=== cleanup ==="
+ sudo hive-c0re kill "$AGENT" 2>/dev/null || true
+ sudo nixos-container destroy "h-${AGENT}" 2>/dev/null || true
+ sudo rm -rf \
+ "/var/lib/hyperhive/agents/${AGENT}" \
+ "/var/lib/hyperhive/applied/${AGENT}"
+}
+
+cleanup
+
+echo "=== spawn ${AGENT} ==="
+sudo hive-c0re spawn "$AGENT"
+
+echo "=== two-repo split visible ==="
+echo " proposed (manager-editable):"
+sudo ls -la "/var/lib/hyperhive/agents/${AGENT}/config/" | sed 's/^/ /'
+echo " applied (hive-c0re only):"
+sudo ls -la "/var/lib/hyperhive/applied/${AGENT}/" | sed 's/^/ /'
+
+echo "=== manager cannot see the applied repo ==="
+if sudo nixos-container run hm1nd -- ls "/var/lib/hyperhive/applied/${AGENT}" 2>/dev/null; then
+ echo "FAIL: manager can see applied/ — bind-mount leak"
+ exit 1
+fi
+echo " manager has no path to applied/ ✓"
+
+echo "=== ${PKG} not installed in h-${AGENT} (pre-approve) ==="
+if sudo nixos-container run "h-${AGENT}" -- which "$PKG" 2>/dev/null; then
+ echo "FAIL: ${PKG} already in path"
+ exit 1
+fi
+echo " not in path ✓"
+
+echo "=== manager: edit agent.nix + commit + request_apply_commit ==="
+sudo nixos-container run hm1nd -- bash -c "
+ set -euo pipefail
+ cd /agents/${AGENT}/config
+ cat > agent.nix <<'EOF'
+{ pkgs, ... }:
+{
+ environment.systemPackages = [ pkgs.${PKG} ];
+}
+EOF
+ git commit -am 'add ${PKG}'
+ SHA=\$(git rev-parse HEAD)
+ echo \" manager commit SHA=\$SHA\"
+ hive-m1nd request-apply-commit ${AGENT} \$SHA
+"
+
+echo "=== pending approvals ==="
+sudo hive-c0re pending
+
+ID=$(sudo hive-c0re pending \
+ | python3 -c 'import sys,json;print(json.load(sys.stdin)["approvals"][-1]["id"])')
+echo " using approval id ${ID}"
+
+echo "=== approve ${ID} (advances applied/main + rebuilds h-${AGENT}) ==="
+sudo hive-c0re approve "$ID"
+
+echo "=== verify ${PKG} now in path ==="
+sudo nixos-container run "h-${AGENT}" -- which "$PKG"
+
+echo "=== applied repo git log ==="
+sudo git -C "/var/lib/hyperhive/applied/${AGENT}" log --oneline -5
+
+echo "=== approvals table ==="
+if command -v sqlite3 >/dev/null; then
+ sudo sqlite3 /var/lib/hyperhive/broker.sqlite \
+ "SELECT id, agent, substr(commit_ref,1,12) AS sha, status FROM approvals ORDER BY id DESC LIMIT 5;"
+else
+ echo " (sqlite3 not on host PATH — skip)"
+fi
+
+echo
+read -r -p "press enter to tear down, Ctrl-C to leave running: "
+cleanup
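Review bot: The "manager cannot see the applied repo" check can pass without proving isolation. It treats any non-zero exit of `nixos-container run hm1nd -- ls …` as success, and it probes the host path `/var/lib/hyperhive/applied/${AGENT}`, although the manager step later reaches the proposed repo at `/agents/${AGENT}/config`, so container paths evidently differ from host paths and applied/ bound under another name would go unnoticed. I would first assert that the container answers at all (`sudo nixos-container run hm1nd -- true`) and then fail on any mount that references the applied tree, e.g. `if sudo nixos-container run hm1nd -- grep -q '/applied' /proc/self/mountinfo; then … exit 1; fi`. Separately, `ID=…["approvals"][-1]["id"]` approves whatever request is last in the queue, which on a host with other pending requests is not necessarily the one this script filed. The id should be selected by agent and by the manager's commit SHA, which means capturing that SHA on the host; the field names of the `pending` JSON are not visible in this hunk, so that selector needs checking against the real output.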