installer: PR26.5 — seed stub binaries in test mock for CI

itcmsgr · claude · itcmsgr · commit 7062c202e481 · 2026-04-30T21:36:40.000+03:00
Auditor flagged: TestStageAll_AllUnitNftbanOwnedExecStartPathsStaged_PR26_5
fails on CI because the runner ships a clean source checkout with no
prebuilt binaries. lab2 happened to have prebuilt binaries from prior
builds, so the test passed there. The test's intent is correct (assert
every shipped unit's nftban-owned ExecStart path is staged), but it
needs the binary source files to exist for the staging step to succeed.

Fix: per auditor option 1, add a `seedStubBuiltBinaries` helper that
populates `bin/&lt;name&gt;` with a stub byte-string in the test mock before
StageAll. Production payload.go is unchanged.

Helper applied to all 3 PR26.5 tests for environment consistency:
  TestStageAll_AllUnitNftbanOwnedExecStartPathsStaged_PR26_5  (the failing one)
  TestStageAll_AllPanelConfDStaged_PR26_5
  TestStageAll_PR26_5_NewShellCategoriesStaged

Lab proof — confirmed reproducer:
  rm -rf /root/nftban-src/bin &amp;&amp; go test -count=1 -v -run PR26_5 ./...
  → all 3 PR26.5 tests PASS (was: 1 FAIL pre-fix on empty bin/)

  go test ./...
  → 66 packages PASS, 0 FAIL

Production code: unchanged. The fix is fixture-only — no payload.go
edits, no validate/ edits, no buildEntries change.

Hard exclusions still preserved: no takeover preservation, no CSF
binary handling, no cPanel/Plesk adapters, no shell decommission, no
parser rewrite, no restore changes, no firewall mutation, no
destructive dns2 retry.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/installer/payload/payload_test.go b/internal/installer/payload/payload_test.go
@@ -689,6 +689,25 @@ func isNftbanOwnedPath(p string) bool {
 		p == "/usr/sbin/nftban"
 }
 
+// seedStubBuiltBinaries seeds stub source files for the four Go binaries
+// that StageAll expects under bin/<name>. CI runners produce a clean source
+// checkout without prebuilt binaries — preloadAllRepoFilesIntoMock therefore
+// cannot pre-load them. This helper closes that test-environment gap so the
+// integration tests don't depend on a prior `./build.sh` invocation.
+//
+// Production correctness is unaffected: payload.StageAll's binary entries
+// remain category=binaries, srcRel=bin/<name>. On real installs the build
+// step produces these files; in tests we pretend they exist (with arbitrary
+// content) so the subsequent staging copy-or-skip succeeds.
+func seedStubBuiltBinaries(t *testing.T, mock *executor.MockExecutor, repoRoot string) {
+	t.Helper()
+	for _, name := range []string{"nftban-core", "nftband", "nftban-validate", "nftban-installer"} {
+		p := filepath.Join(repoRoot, "bin", name)
+		mock.Files[p] = []byte("stub-binary")
+		mock.Dirs[filepath.Dir(p)] = true
+	}
+}
+
 // PR26.5 R1: every nftban-owned ExecStart path declared by the shipped
 // install/systemd/*.service unit files MUST be staged by payload.StageAll.
 // dns2 evidence (2026-04-30) failed exactly this — exporter/cron/scripts/
@@ -698,6 +717,10 @@ func TestStageAll_AllUnitNftbanOwnedExecStartPathsStaged_PR26_5(t *testing.T) {
 
 	mock := executor.NewMockExecutor()
 	preloadAllRepoFilesIntoMock(t, mock, repoRoot)
+	// CI runners ship a clean checkout without prebuilt binaries; seed
+	// stubs so the binary staging entries succeed and we can verify the
+	// end-state-on-mock invariant the test was written to enforce.
+	seedStubBuiltBinaries(t, mock, repoRoot)
 
 	if err := StageAll(mock, repoRoot, &detect.DistroInfo{ID: "rocky"}, newTestLogger()); err != nil {
 		t.Fatalf("StageAll: %v", err)
@@ -748,6 +771,12 @@ func TestStageAll_AllPanelConfDStaged_PR26_5(t *testing.T) {
 
 	mock := executor.NewMockExecutor()
 	preloadAllRepoFilesIntoMock(t, mock, repoRoot)
+	// Seed stub binaries so StageAll's binary entries succeed on CI runners
+	// that don't have prebuilt binaries in bin/. Doesn't affect this test's
+	// assertions (they check /etc/nftban/conf.d/panels/* destinations, not
+	// /usr/lib/nftban/bin/*) but keeps StageAll's overall completeness behavior
+	// consistent across tests.
+	seedStubBuiltBinaries(t, mock, repoRoot)
 
 	if err := StageAll(mock, repoRoot, &detect.DistroInfo{ID: "rocky"}, newTestLogger()); err != nil {
 		t.Fatalf("StageAll: %v", err)
@@ -788,6 +817,8 @@ func TestStageAll_PR26_5_NewShellCategoriesStaged(t *testing.T) {
 
 	mock := executor.NewMockExecutor()
 	preloadAllRepoFilesIntoMock(t, mock, repoRoot)
+	// Stub binaries (CI-runner consistency). See helper doc.
+	seedStubBuiltBinaries(t, mock, repoRoot)
 
 	if err := StageAll(mock, repoRoot, &detect.DistroInfo{ID: "rocky"}, newTestLogger()); err != nil {
 		t.Fatalf("StageAll: %v", err)
