fix(test): stabilize cloud mock e2e stack

[NubsCarson]

Summary

• Stabilize the mock cloud E2E stack that was still red after fix(os): polish elizaOS live demo #7803 merged (Mock-stack E2E).
• Run the Cloud API route graph under a local Bun/Hono launcher for this mock harness instead of Wrangler dev, while leaving the production Worker path unchanged.
• Align the E2E fixture around one TCP PGlite URL, run migrations before API startup, preserve process logs as hidden artifacts, and close cached DB pools before tearing down PGlite.
• Update provisioning/deprovision tests to the current agent-create + /provision contract.
• Teach the control-plane mock to process DB-backed provision/delete jobs when the API forwards x-eliza-cloud-database-url, and accept the internal sidecar token forwarded by the API.

Validation

• bunx @biomejs/biome check .github/workflows/cloud-e2e.yml packages/scripts/cloud/admin/dev/cloud-api-hono-dev.ts packages/test/cloud-e2e/src/fixtures/stack.ts packages/test/cloud-e2e/src/helpers/provisioning.ts packages/test/cloud-e2e/tests/deprovision.spec.ts packages/test/cloud-e2e/tests/provision.spec.ts packages/test/cloud-e2e/tests/stuck-cleanup.spec.ts packages/test/cloud-mocks/src/control-plane/server.ts packages/test/cloud-mocks/package.json packages/cloud-shared/src/db/client.ts
• git diff --check
• bun run --cwd packages/test/cloud-e2e typecheck && bun run --cwd packages/cloud-shared typecheck
• CI=true timeout 12m bun run cloud:e2e -> 4 passed in 28.9s on latest origin/develop

Note

• packages/test/cloud-mocks/test/control-plane.test.ts currently hangs under bun test in this checkout even when filtered to a single public health test, so I did not use that standalone unit file as the ship gate. The CI blocker this PR targets is the full mock-stack E2E workflow, which now passes locally.

Greptile Summary

This PR stabilizes the mock-stack E2E suite by replacing Wrangler dev with a local Bun/Hono launcher for the cloud-api subprocess, running DB migrations before API startup, and teaching the control-plane mock to process DB-backed provisioning/delete jobs when the API forwards x-eliza-cloud-database-url. Teardown ordering is also fixed so process-level pg/PGlite pools are drained before the PGlite TCP bridge is killed.

• New cloud-api-hono-dev.ts: Runs the same Hono app as the Worker under Bun, providing an in-memory blob store and no-op ExecutionContext; the production Cloudflare Worker path is untouched.
• closeDatabaseConnectionsForTests() in client.ts: WeakMap-backed closer registry lets test harnesses explicitly drain PGlite/pg pools before tearing down the ephemeral PGlite server.
• processDbBackedJobs in the control-plane mock: Dynamic imports from @elizaos/cloud-shared allow the mock to claim and complete real DB provisioning/delete jobs, with the sidecar token (x-container-control-plane-token) used as the sole auth check replacing the old bearer-only gate.

Confidence Score: 4/5

Safe to merge — all changes are confined to test infrastructure and dev tooling; the production Cloudflare Worker and cloud-shared production paths are not affected.

The auth middleware in the control-plane mock now accepts requests carrying only the sidecar aux token, silently dropping the bearer-token check when expectedAuxToken is set, and its JSDoc still describes the old dual-token contract. The /cron/process-provisioning-jobs endpoint also returns structurally different response bodies depending on whether the DB-URL header is present. Both issues are in test-only mocks with no production exposure.

packages/test/cloud-mocks/src/control-plane/server.ts — the auth middleware change and the divergent cron-tick response shapes.

Important Files Changed

Filename	Overview
packages/test/cloud-mocks/src/control-plane/server.ts	Significant auth-middleware restructuring: aux token now grants access without bearer check; adds DB-backed provisioning job processing via dynamic cloud-shared imports; response shape of the cron tick endpoint diverges between the two code paths.
packages/cloud-shared/src/db/client.ts	Adds WeakMap-based closer registry so PGlite/pg pool connections can be explicitly closed; exposes closeDatabaseConnectionsForTests() for teardown harnesses. Logic looks correct and is scoped to test/dev paths.
packages/scripts/cloud/admin/dev/cloud-api-hono-dev.ts	New local Bun/Hono launcher replacing Wrangler for mock E2E; provides an in-process R2-like blob store, a no-op ExecutionContext, and health endpoint. Clean scoped addition, no production path touched.
packages/test/cloud-e2e/src/fixtures/stack.ts	Switches API subprocess from Wrangler to the new Hono launcher, wraps startup in a try/catch that calls stop() on error, adds a runLogged helper for the migration step, and delays PGlite teardown until process-level DB connections are closed.
packages/test/cloud-e2e/src/helpers/provisioning.ts	Extracts createCloudAgent and startAgentProvisioning helpers, aligning tests to the two-step create + /provision contract. Clean refactor with no logic concerns.

Comments Outside Diff (2)

1. packages/test/cloud-mocks/src/control-plane/server.ts, line 39-45 (link)

   The option documentation still says the aux token is checked "in addition to the bearer token", but the new implementation accepts requests carrying only the aux token. Update the JSDoc to reflect the actual precedence: when expectedAuxToken is set it is the sole auth check; the bearer token is only used when no aux token is configured.

2. packages/test/cloud-mocks/src/control-plane/server.ts, line 370-380 (link)

   /cron/process-provisioning-jobs response shape diverges between the two code paths

   When x-eliza-cloud-database-url is present the handler returns { claimed, succeeded, failed, errors } (from processDbBackedJobs); when absent it returns { processed, failed, skipped } (from tick()). The same endpoint now emits structurally different payloads depending on a runtime header. Current tests don't inspect the body, so this is silent today — but any future consumer that introspects the result will need to know which path was taken.

_{Reviews (1): Last reviewed commit: "fix(test): stabilize cloud mock e2e stac..." | Re-trigger Greptile}

Greptile also left 1 inline comment on this PR.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 77fd43b1-282c-47c3-bd83-9e908188cb8e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch nubs/fix-cloud-e2e-mock-stack-20260520

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude encountered an error after 0s —— View job

---

I'll analyze this and get back to you.

[greptile-apps]

expectedAuxToken now fully bypasses bearer-token check

The middleware now returns next() immediately after the aux token validates, so the bearer token is never checked when expectedAuxToken is set. The JSDoc comment on ControlPlaneMockOptions.expectedAuxToken still reads "in addition to the bearer token", which is now incorrect. Any caller that sets both options expecting dual-token enforcement will silently get single-token enforcement — requests carrying only the aux token will be accepted with no bearer at all.