using System.Text.Json; using StellaOps.AirGap.Policy; using StellaOps.TaskRunner.Infrastructure.Execution; using StellaOps.TestKit; namespace StellaOps.TaskRunner.Tests; public sealed class FilesystemPackRunDispatcherTests { [Trait("Category", TestCategories.Unit)] [Fact] public async Task TryDequeueAsync_BlocksJob_WhenEgressPolicyDeniesDestination() { var root = Path.Combine(Path.GetTempPath(), "StellaOps_TaskRunnerTests", Guid.NewGuid().ToString("n")); Directory.CreateDirectory(root); var cancellationToken = CancellationToken.None; var queuePath = Path.Combine(root, "queue"); var archivePath = Path.Combine(root, "archive"); Directory.CreateDirectory(queuePath); Directory.CreateDirectory(archivePath); var manifestPath = Path.Combine(queuePath, "manifest.yaml"); await File.WriteAllTextAsync(manifestPath, TestManifests.EgressBlocked, cancellationToken); var jobEnvelope = new { RunId = "run-egress-blocked", ManifestPath = Path.GetFileName(manifestPath), InputsPath = (string?)null, RequestedAt = (DateTimeOffset?)null }; var jobPath = Path.Combine(queuePath, "job.json"); await File.WriteAllTextAsync(jobPath, JsonSerializer.Serialize(jobEnvelope), cancellationToken); var policy = new EgressPolicy(new EgressPolicyOptions { Mode = EgressPolicyMode.Sealed, AllowLoopback = false, AllowPrivateNetworks = false }); try { var dispatcher = new FilesystemPackRunDispatcher(queuePath, archivePath, policy); var result = await dispatcher.TryDequeueAsync(cancellationToken); Assert.Null(result); Assert.False(File.Exists(jobPath)); Assert.True(File.Exists(jobPath + ".failed")); Assert.Empty(Directory.GetFiles(archivePath)); } finally { try { Directory.Delete(root, recursive: true); } catch { // Best-effort cleanup; ignore failures to avoid masking test results. } } } }