+12 -2

src/commands/test/labeler.rs

reviewed

··· 1 1 //! `atproto-devtool test labeler <target>` command. 2 2 3 3 + pub mod http; 3 4 pub mod identity; 4 5 pub mod pipeline; 5 6 pub mod report; ··· 51 52 let target = parse_target(&self.target, self.did.as_deref()) 52 53 .map_err(|e| miette::miette!("{e}"))?; 53 54 54 54 - // Build HTTP and DNS clients. 55 55 - let http = RealHttpClient::new() 55 55 + // Build a single shared HTTP client. 56 56 + let reqwest_client = reqwest::Client::builder() 57 57 + .use_rustls_tls() 58 58 + .user_agent("atproto-devtool/0.0.0") 59 59 + .timeout(std::time::Duration::from_secs(10)) 60 60 + .build() 56 61 .map_err(|e| miette::miette!("Failed to initialize HTTP client: {}", e))?; 62 62 + 63 63 + // Build HTTP and DNS clients using the shared client. 64 64 + let http = RealHttpClient::from_client(reqwest_client.clone()); 57 65 let dns = RealDnsResolver::new(); 58 66 59 67 // Run the pipeline. 60 68 let opts = LabelerOptions { 61 69 http: &http, 62 70 dns: &dns, 71 71 + raw_http_tee: None, 72 72 + reqwest_client: Some(&reqwest_client), 63 73 subscribe_timeout: self.subscribe_timeout, 64 74 verbose: self.verbose, 65 75 };

+464

src/commands/test/labeler/http.rs

reviewed

··· 1 1 + //! HTTP stage for the labeler conformance suite. 2 2 + //! 3 3 + //! Performs `com.atproto.label.queryLabels` requests against the labeler endpoint, 4 4 + //! verifies schema conformance, and exercises pagination. 5 5 + 6 6 + use std::borrow::Cow; 7 7 + use std::sync::Arc; 8 8 + 9 9 + use async_trait::async_trait; 10 10 + use atrium_api::com::atproto::label::defs::Label; 11 11 + use atrium_api::com::atproto::label::query_labels; 12 12 + use miette::{Diagnostic, NamedSource, SourceSpan}; 13 13 + use thiserror::Error; 14 14 + use url::Url; 15 15 + 16 16 + use crate::commands::test::labeler::report::{CheckResult, CheckStatus, Stage}; 17 17 + 18 18 + /// HTTP stage check result IDs. 19 19 + pub const ENDPOINT_REACHABLE: &str = "http::endpoint_reachable"; 20 20 + pub const QUERY_LABELS_SCHEMA_FIRST_PAGE: &str = "http::query_labels_schema_first_page"; 21 21 + pub const QUERY_LABELS_EMPTY_ADVISORY: &str = "http::query_labels_empty_advisory"; 22 22 + pub const QUERY_LABELS_SCHEMA_SECOND_PAGE: &str = "http::query_labels_schema_second_page"; 23 23 + pub const PAGINATION_ROUND_TRIP: &str = "http::pagination_round_trip"; 24 24 + pub const PAGINATION_IGNORED_CURSOR: &str = "http::pagination_ignored_cursor"; 25 25 + 26 26 + /// Facts gathered from the HTTP stage, populated only when all checks pass. 27 27 + #[derive(Debug, Clone)] 28 28 + pub struct HttpFacts { 29 29 + /// The parsed labels from the first page of the query response. 30 30 + pub first_page: Vec<Label>, 31 31 + /// Raw bytes of the first page response body. 32 32 + pub first_page_raw_bytes: Arc<[u8]>, 33 33 + /// The source URL where the first page was retrieved. 34 34 + pub first_page_source_url: String, 35 35 + /// Whether pagination passed the round-trip check. 36 36 + pub pagination_ok: bool, 37 37 + } 38 38 + 39 39 + /// Output from the HTTP stage: facts (if all checks pass) plus all check results. 40 40 + #[derive(Debug)] 41 41 + pub struct HttpStageOutput { 42 42 + /// Facts populated only when all checks pass and no check is blocking. 43 43 + pub facts: Option<HttpFacts>, 44 44 + /// All check results from this stage. 45 45 + pub results: Vec<CheckResult>, 46 46 + } 47 47 + 48 48 + /// Raw HTTP response with both decoded and raw body. 49 49 + pub struct RawXrpcResponse { 50 50 + /// HTTP status code. 51 51 + pub status: reqwest::StatusCode, 52 52 + /// Raw response body bytes. 53 53 + pub raw_body: Arc<[u8]>, 54 54 + /// Decoded typed response. 55 55 + pub decoded: query_labels::Output, 56 56 + /// The source URL where the response came from. 57 57 + pub source_url: String, 58 58 + } 59 59 + 60 60 + /// Diagnostic for schema decode failures with source context. 61 61 + #[derive(Debug, Error, Diagnostic)] 62 62 + #[error("{message}")] 63 63 + #[diagnostic(code = "labeler::http::schema_failure")] 64 64 + pub struct HttpDecodeFailure { 65 65 + /// The error message. 66 66 + pub message: String, 67 67 + /// The raw response bytes. 68 68 + #[source_code] 69 69 + pub source_code: NamedSource<Arc<[u8]>>, 70 70 + /// Span highlighting the error location. 71 71 + #[label("JSON error")] 72 72 + pub span: Option<SourceSpan>, 73 73 + } 74 74 + 75 75 + /// Error type for HTTP stage operations. 76 76 + #[derive(Debug, Error)] 77 77 + pub enum HttpStageError { 78 78 + /// Network or TLS error reaching the endpoint. 79 79 + #[error("HTTP transport error: {message}")] 80 80 + Transport { 81 81 + /// Human-readable error message. 82 82 + message: String, 83 83 + /// The underlying error, if available. 84 84 + #[source] 85 85 + source: Option<Box<dyn std::error::Error + Send + Sync>>, 86 86 + }, 87 87 + 88 88 + /// Decode failure of a valid HTTP response. 89 89 + #[error("Schema decode failure")] 90 90 + DecodeFailed { 91 91 + /// Raw response body bytes. 92 92 + raw_body: Arc<[u8]>, 93 93 + /// The JSON decode error. 94 94 + source: serde_json::Error, 95 95 + /// The source URL for diagnostic context. 96 96 + source_url: String, 97 97 + }, 98 98 + } 99 99 + 100 100 + /// Trait for teeing HTTP responses, allowing both decode and raw bytes capture. 101 101 + /// 102 102 + /// Implementations perform `com.atproto.label.queryLabels` calls and return both 103 103 + /// the decoded typed response and the raw bytes for diagnostics. 104 104 + #[async_trait] 105 105 + pub trait RawHttpTee: Send + Sync { 106 106 + /// Perform a `com.atproto.label.queryLabels` call against the labeler. 107 107 + /// 108 108 + /// Returns both the raw response body and, if decoding succeeded, the typed Output. 109 109 + /// 110 110 + /// # Arguments 111 111 + /// * `cursor` - Optional cursor string for pagination. 112 112 + async fn query_labels(&self, cursor: Option<&str>) -> Result<RawXrpcResponse, HttpStageError>; 113 113 + } 114 114 + 115 115 + /// Real HTTP client implementation using reqwest. 116 116 + pub struct RealHttpTee { 117 117 + /// The base HTTP client. 118 118 + client: reqwest::Client, 119 119 + /// The labeler endpoint URL. 120 120 + endpoint: Url, 121 121 + } 122 122 + 123 123 + impl RealHttpTee { 124 124 + /// Create a new RealHttpTee with the given endpoint. 125 125 + pub fn new(client: reqwest::Client, endpoint: Url) -> Self { 126 126 + RealHttpTee { client, endpoint } 127 127 + } 128 128 + } 129 129 + 130 130 + #[async_trait] 131 131 + impl RawHttpTee for RealHttpTee { 132 132 + async fn query_labels(&self, cursor: Option<&str>) -> Result<RawXrpcResponse, HttpStageError> { 133 133 + // Build the XRPC endpoint URL. 134 134 + let mut url = self.endpoint.clone(); 135 135 + url.set_path("xrpc/com.atproto.label.queryLabels"); 136 136 + 137 137 + // Set query parameters. 138 138 + { 139 139 + let mut query = url.query_pairs_mut(); 140 140 + query.append_pair("uriPatterns", "*"); 141 141 + query.append_pair("limit", "50"); 142 142 + if let Some(c) = cursor { 143 143 + query.append_pair("cursor", c); 144 144 + } 145 145 + } 146 146 + 147 147 + let source_url = url.to_string(); 148 148 + 149 149 + // Perform the GET request. 150 150 + let response = 151 151 + self.client 152 152 + .get(url.as_str()) 153 153 + .send() 154 154 + .await 155 155 + .map_err(|e| HttpStageError::Transport { 156 156 + message: e.to_string(), 157 157 + source: Some(Box::new(e)), 158 158 + })?; 159 159 + 160 160 + let status = response.status(); 161 161 + let body_bytes = response 162 162 + .bytes() 163 163 + .await 164 164 + .map_err(|e| HttpStageError::Transport { 165 165 + message: e.to_string(), 166 166 + source: Some(Box::new(e)), 167 167 + })?; 168 168 + let raw_body: Arc<[u8]> = Arc::from(body_bytes.as_ref()); 169 169 + 170 170 + // Attempt to decode the response. 171 171 + let decoded = 172 172 + serde_json::from_slice::<query_labels::Output>(&raw_body).map_err(|source| { 173 173 + HttpStageError::DecodeFailed { 174 174 + raw_body: raw_body.clone(), 175 175 + source, 176 176 + source_url: source_url.clone(), 177 177 + } 178 178 + })?; 179 179 + 180 180 + Ok(RawXrpcResponse { 181 181 + status, 182 182 + raw_body, 183 183 + decoded, 184 184 + source_url, 185 185 + }) 186 186 + } 187 187 + } 188 188 + 189 189 + /// Compute a small SourceSpan near the serde_json error location. 190 190 + /// 191 191 + /// Walks the raw body to convert `err.line()` + `err.column()` (1-based) into 192 192 + /// a byte offset, then returns a span of ~1 byte at that offset. Falls back 193 193 + /// to a span at the end of the body if conversion fails or the line is out 194 194 + /// of range. 195 195 + fn span_for_json_error(body: &[u8], err: &serde_json::Error) -> SourceSpan { 196 196 + let target_line = err.line(); // 1-based; 0 means unknown. 197 197 + let target_column = err.column(); // 1-based. 198 198 + if target_line == 0 { 199 199 + let end = body.len().saturating_sub(1); 200 200 + return SourceSpan::new(end.into(), 1); 201 201 + } 202 202 + let mut current_line = 1usize; 203 203 + let mut line_start = 0usize; 204 204 + for (offset, &byte) in body.iter().enumerate() { 205 205 + if current_line == target_line { 206 206 + let column_offset = target_column.saturating_sub(1); 207 207 + let span_start = line_start + column_offset; 208 208 + if span_start < body.len() { 209 209 + return SourceSpan::new(span_start.into(), 1); 210 210 + } else { 211 211 + return SourceSpan::new(line_start.into(), body.len() - line_start); 212 212 + } 213 213 + } 214 214 + if byte == b'\n' { 215 215 + current_line += 1; 216 216 + line_start = offset + 1; 217 217 + } 218 218 + } 219 219 + // Fallback: span at end of body. 220 220 + let end = body.len().saturating_sub(1); 221 221 + SourceSpan::new(end.into(), 1) 222 222 + } 223 223 + 224 224 + /// Run the HTTP stage against a labeler endpoint. 225 225 + /// 226 226 + /// # Arguments 227 227 + /// * `http` - The HTTP client implementation (usually `RealHttpTee` in production, or fake in tests). 228 228 + /// 229 229 + /// # Returns 230 230 + /// `HttpStageOutput` containing check results and facts (if all checks pass). 231 231 + pub async fn run(http: &dyn RawHttpTee) -> HttpStageOutput { 232 232 + let mut results = Vec::new(); 233 233 + 234 234 + // Fetch first page; derive both endpoint_reachable and query_labels_schema_first_page from the same request. 235 235 + let first_response = match http.query_labels(None).await { 236 236 + Ok(resp) => { 237 237 + // Endpoint is reachable if we got any response (2xx or non-2xx). 238 238 + if resp.status.is_success() { 239 239 + results.push(CheckResult { 240 240 + id: ENDPOINT_REACHABLE, 241 241 + stage: Stage::Http, 242 242 + status: CheckStatus::Pass, 243 243 + summary: Cow::Borrowed("Labeler endpoint is reachable"), 244 244 + diagnostic: None, 245 245 + skipped_reason: None, 246 246 + }); 247 247 + } else { 248 248 + let status_code = resp.status; 249 249 + results.push(CheckResult { 250 250 + id: ENDPOINT_REACHABLE, 251 251 + stage: Stage::Http, 252 252 + status: CheckStatus::Pass, 253 253 + summary: Cow::Owned(format!( 254 254 + "Labeler endpoint is reachable (status {status_code})" 255 255 + )), 256 256 + diagnostic: None, 257 257 + skipped_reason: None, 258 258 + }); 259 259 + } 260 260 + resp 261 261 + } 262 262 + Err(HttpStageError::Transport { message, .. }) => { 263 263 + // Network/TLS error: endpoint is unreachable. 264 264 + results.push(CheckResult { 265 265 + id: ENDPOINT_REACHABLE, 266 266 + stage: Stage::Http, 267 267 + status: CheckStatus::NetworkError, 268 268 + summary: Cow::Owned(format!("Network error: {message}")), 269 269 + diagnostic: None, 270 270 + skipped_reason: None, 271 271 + }); 272 272 + return HttpStageOutput { 273 273 + facts: None, 274 274 + results, 275 275 + }; 276 276 + } 277 277 + Err(HttpStageError::DecodeFailed { 278 278 + raw_body, 279 279 + source, 280 280 + source_url, 281 281 + }) => { 282 282 + // Endpoint is reachable, but schema decode failed. 283 283 + results.push(CheckResult { 284 284 + id: ENDPOINT_REACHABLE, 285 285 + stage: Stage::Http, 286 286 + status: CheckStatus::Pass, 287 287 + summary: Cow::Borrowed("Labeler endpoint is reachable"), 288 288 + diagnostic: None, 289 289 + skipped_reason: None, 290 290 + }); 291 291 + let diagnostic = Box::new(HttpDecodeFailure { 292 292 + message: format!("Failed to decode query_labels response: {source}"), 293 293 + source_code: NamedSource::new(source_url.clone(), raw_body.clone()), 294 294 + span: Some(span_for_json_error(&raw_body, &source)), 295 295 + }); 296 296 + results.push(CheckResult { 297 297 + id: QUERY_LABELS_SCHEMA_FIRST_PAGE, 298 298 + stage: Stage::Http, 299 299 + status: CheckStatus::SpecViolation, 300 300 + summary: Cow::Borrowed("Schema validation failed"), 301 301 + diagnostic: Some(diagnostic), 302 302 + skipped_reason: None, 303 303 + }); 304 304 + return HttpStageOutput { 305 305 + facts: None, 306 306 + results, 307 307 + }; 308 308 + } 309 309 + }; 310 310 + 311 311 + // Decode succeeded (we return early on decode failure above). 312 312 + let output = &first_response.decoded; 313 313 + results.push(CheckResult { 314 314 + id: QUERY_LABELS_SCHEMA_FIRST_PAGE, 315 315 + stage: Stage::Http, 316 316 + status: CheckStatus::Pass, 317 317 + summary: Cow::Borrowed("First page schema is valid"), 318 318 + diagnostic: None, 319 319 + skipped_reason: None, 320 320 + }); 321 321 + 322 322 + let first_page_labels = output.labels.clone(); 323 323 + let first_page_raw_bytes = first_response.raw_body.clone(); 324 324 + let first_page_source_url = first_response.source_url.clone(); 325 325 + 326 326 + if first_page_labels.is_empty() { 327 327 + results.push(CheckResult { 328 328 + id: QUERY_LABELS_EMPTY_ADVISORY, 329 329 + stage: Stage::Http, 330 330 + status: CheckStatus::Advisory, 331 331 + summary: Cow::Borrowed("Labeler has no published labels"), 332 332 + diagnostic: None, 333 333 + skipped_reason: None, 334 334 + }); 335 335 + } 336 336 + 337 337 + let pagination_ok = if let Some(cursor) = &output.cursor { 338 338 + match http.query_labels(Some(cursor)).await { 339 339 + Ok(second_resp) => { 340 340 + let second_output = &second_resp.decoded; 341 341 + // Check if cursor was actually honored. 342 342 + if second_output.labels == first_page_labels { 343 343 + results.push(CheckResult { 344 344 + id: QUERY_LABELS_SCHEMA_SECOND_PAGE, 345 345 + stage: Stage::Http, 346 346 + status: CheckStatus::Pass, 347 347 + summary: Cow::Borrowed("Second page schema is valid"), 348 348 + diagnostic: None, 349 349 + skipped_reason: None, 350 350 + }); 351 351 + results.push(CheckResult { 352 352 + id: PAGINATION_IGNORED_CURSOR, 353 353 + stage: Stage::Http, 354 354 + status: CheckStatus::SpecViolation, 355 355 + summary: Cow::Borrowed("Labeler ignored the cursor parameter"), 356 356 + diagnostic: None, 357 357 + skipped_reason: None, 358 358 + }); 359 359 + false 360 360 + } else { 361 361 + results.push(CheckResult { 362 362 + id: QUERY_LABELS_SCHEMA_SECOND_PAGE, 363 363 + stage: Stage::Http, 364 364 + status: CheckStatus::Pass, 365 365 + summary: Cow::Borrowed("Second page schema is valid"), 366 366 + diagnostic: None, 367 367 + skipped_reason: None, 368 368 + }); 369 369 + results.push(CheckResult { 370 370 + id: PAGINATION_ROUND_TRIP, 371 371 + stage: Stage::Http, 372 372 + status: CheckStatus::Pass, 373 373 + summary: Cow::Borrowed("Pagination round-trip successful"), 374 374 + diagnostic: None, 375 375 + skipped_reason: None, 376 376 + }); 377 377 + true 378 378 + } 379 379 + } 380 380 + Err(HttpStageError::Transport { message, .. }) => { 381 381 + results.push(CheckResult { 382 382 + id: QUERY_LABELS_SCHEMA_SECOND_PAGE, 383 383 + stage: Stage::Http, 384 384 + status: CheckStatus::NetworkError, 385 385 + summary: Cow::Owned(format!("Network error fetching second page: {message}")), 386 386 + diagnostic: None, 387 387 + skipped_reason: None, 388 388 + }); 389 389 + false 390 390 + } 391 391 + Err(HttpStageError::DecodeFailed { 392 392 + raw_body, 393 393 + source, 394 394 + source_url, 395 395 + }) => { 396 396 + let diagnostic = Box::new(HttpDecodeFailure { 397 397 + message: format!("Failed to decode second page response: {source}"), 398 398 + source_code: NamedSource::new(source_url, raw_body.clone()), 399 399 + span: Some(span_for_json_error(&raw_body, &source)), 400 400 + }); 401 401 + results.push(CheckResult { 402 402 + id: QUERY_LABELS_SCHEMA_SECOND_PAGE, 403 403 + stage: Stage::Http, 404 404 + status: CheckStatus::SpecViolation, 405 405 + summary: Cow::Borrowed("Second page schema validation failed"), 406 406 + diagnostic: Some(diagnostic), 407 407 + skipped_reason: None, 408 408 + }); 409 409 + false 410 410 + } 411 411 + } 412 412 + } else { 413 413 + // No cursor: pagination not exercised, but that's OK. 414 414 + results.push(CheckResult { 415 415 + id: PAGINATION_ROUND_TRIP, 416 416 + stage: Stage::Http, 417 417 + status: CheckStatus::Pass, 418 418 + summary: Cow::Borrowed("First page was complete; pagination not exercised"), 419 419 + diagnostic: None, 420 420 + skipped_reason: None, 421 421 + }); 422 422 + true 423 423 + }; 424 424 + 425 425 + // Build and return facts. 426 426 + let facts = HttpFacts { 427 427 + first_page: first_page_labels, 428 428 + first_page_raw_bytes, 429 429 + first_page_source_url, 430 430 + pagination_ok, 431 431 + }; 432 432 + 433 433 + HttpStageOutput { 434 434 + facts: Some(facts), 435 435 + results, 436 436 + } 437 437 + } 438 438 + 439 439 + #[cfg(test)] 440 440 + mod tests { 441 441 + use super::*; 442 442 + 443 443 + #[test] 444 444 + fn span_for_json_error_unknown_line() { 445 445 + let body = b"some json content that is long enough"; 446 446 + let err = serde_json::from_str::<serde_json::Value>("").unwrap_err(); 447 447 + let span = span_for_json_error(body, &err); 448 448 + // When line=0 (unknown), should return span at end of body. 449 449 + // The span should be smaller than the entire body. 450 450 + assert!(span.len() <= 1 && (span.offset() as usize) < body.len()); 451 451 + } 452 452 + 453 453 + #[test] 454 454 + fn span_for_json_error_known_location() { 455 455 + // Create a JSON error at a known line and column by parsing invalid JSON. 456 456 + let body = br#"{"key": 123, "broken": "unclosed string} 457 457 + extra"#; 458 458 + let err = serde_json::from_slice::<serde_json::Value>(body).unwrap_err(); 459 459 + let span = span_for_json_error(body, &err); 460 460 + // The error is at line 1, column somewhere in the line. 461 461 + // We just verify the span is valid and smaller than the whole body. 462 462 + assert!(span.len() < body.len()); 463 463 + } 464 464 + }

+59 -17

src/commands/test/labeler/pipeline.rs

reviewed

··· 7 7 use thiserror::Error; 8 8 use url::Url; 9 9 10 10 - use crate::commands::test::labeler::report::{CheckResult, LabelerReport, ReportHeader, Stage}; 10 10 + use crate::commands::test::labeler::http::{self, RealHttpTee}; 11 11 + use crate::commands::test::labeler::report::{ 12 12 + CheckResult, CheckStatus, LabelerReport, ReportHeader, Stage, 13 13 + }; 11 14 use crate::common::identity::{Did, DnsResolver, HttpClient}; 12 15 13 16 /// A labeler target: either a resolvable identifier (handle or DID) or a raw endpoint URL. ··· 44 47 pub http: &'a dyn HttpClient, 45 48 /// DNS resolver for handle lookups. 46 49 pub dns: &'a dyn DnsResolver, 50 50 + /// HTTP tee for the labeler endpoint (optional, defaults to RealHttpTee). 51 51 + pub raw_http_tee: Option<&'a dyn crate::commands::test::labeler::http::RawHttpTee>, 52 52 + /// Shared reqwest client for both identity and HTTP stages (optional). 53 53 + pub reqwest_client: Option<&'a reqwest::Client>, 47 54 /// Per-connection time budget for subscription checks. 48 55 pub subscribe_timeout: Duration, 49 56 /// Whether to emit verbose diagnostics. ··· 176 183 /// Run the full labeler conformance pipeline. 177 184 /// 178 185 /// This is the main driver that orchestrates all validation stages. 179 179 - /// Currently only identity checks are implemented; later stages return `Skipped` results. 180 186 pub async fn run_pipeline(target: LabelerTarget, opts: LabelerOptions<'_>) -> LabelerReport { 181 187 // Build initial header from target. 182 188 let header = ReportHeader { ··· 204 210 // should say they're "not yet implemented" rather than "blocked". Otherwise, they're blocked. 205 211 let is_no_did_supplied = !identity_output.results.is_empty() 206 212 && identity_output.results.iter().all(|r| { 207 207 - r.status == crate::commands::test::labeler::report::CheckStatus::Skipped 213 213 + r.status == CheckStatus::Skipped 208 214 && r.skipped_reason 209 215 .as_ref() 210 216 .map(|reason| reason.contains("no DID supplied")) ··· 222 228 None 223 229 }; 224 230 225 225 - // Stub HTTP stage. 226 226 - let http_reason = blocked_reason 227 227 - .clone() 228 228 - .or(Some(Cow::Borrowed("not yet implemented (phase 4)"))); 229 229 - report.record(CheckResult { 230 230 - id: "http::stub", 231 231 - stage: Stage::Http, 232 232 - status: crate::commands::test::labeler::report::CheckStatus::Skipped, 233 233 - summary: Cow::Borrowed("HTTP stage (stub)"), 234 234 - diagnostic: None, 235 235 - skipped_reason: http_reason, 236 236 - }); 231 231 + // Determine the labeler endpoint for the HTTP stage. 232 232 + let labeler_endpoint = if let Some(ref facts) = identity_output.facts { 233 233 + Some(facts.labeler_endpoint.clone()) 234 234 + } else if let LabelerTarget::Endpoint { url, .. } = &target { 235 235 + Some(url.clone()) 236 236 + } else { 237 237 + None 238 238 + }; 239 239 + 240 240 + // Run the HTTP stage if we have an endpoint. 241 241 + if let Some(endpoint) = labeler_endpoint { 242 242 + let http_output = if let Some(tee) = opts.raw_http_tee { 243 243 + // Use the supplied tee (for testing). 244 244 + http::run(tee).await 245 245 + } else { 246 246 + // Use the real HTTP tee (for production). 247 247 + let http_client = if let Some(client) = opts.reqwest_client { 248 248 + client.clone() 249 249 + } else { 250 250 + reqwest::Client::new() 251 251 + }; 252 252 + let real_tee = RealHttpTee::new(http_client, endpoint.clone()); 253 253 + http::run(&real_tee).await 254 254 + }; 255 255 + for result in http_output.results { 256 256 + report.record(result); 257 257 + } 258 258 + } else if identity_output.facts.is_none() && !is_no_did_supplied { 259 259 + // HTTP stage blocked by identity failures. 260 260 + report.record(CheckResult { 261 261 + id: "http::not_run", 262 262 + stage: Stage::Http, 263 263 + status: CheckStatus::Skipped, 264 264 + summary: Cow::Borrowed("HTTP stage (not run)"), 265 265 + diagnostic: None, 266 266 + skipped_reason: Some(Cow::Borrowed("blocked by identity stage failures")), 267 267 + }); 268 268 + } else { 269 269 + // HTTP stage not run because no endpoint could be derived. 270 270 + report.record(CheckResult { 271 271 + id: "http::not_run", 272 272 + stage: Stage::Http, 273 273 + status: CheckStatus::Skipped, 274 274 + summary: Cow::Borrowed("HTTP stage (not run)"), 275 275 + diagnostic: None, 276 276 + skipped_reason: Some(Cow::Borrowed("identity stage produced no labeler endpoint")), 277 277 + }); 278 278 + } 237 279 238 280 // Stub subscription stage. 239 281 let sub_reason = blocked_reason ··· 242 284 report.record(CheckResult { 243 285 id: "subscription::stub", 244 286 stage: Stage::Subscription, 245 245 - status: crate::commands::test::labeler::report::CheckStatus::Skipped, 287 287 + status: CheckStatus::Skipped, 246 288 summary: Cow::Borrowed("Subscription stage (stub)"), 247 289 diagnostic: None, 248 290 skipped_reason: sub_reason, ··· 253 295 report.record(CheckResult { 254 296 id: "crypto::stub", 255 297 stage: Stage::Crypto, 256 256 - status: crate::commands::test::labeler::report::CheckStatus::Skipped, 298 298 + status: CheckStatus::Skipped, 257 299 summary: Cow::Borrowed("Crypto stage (stub)"), 258 300 diagnostic: None, 259 301 skipped_reason: crypto_reason,

+7

src/common/identity.rs

reviewed

··· 317 317 .build()?; 318 318 Ok(Self { inner: client }) 319 319 } 320 320 + 321 321 + /// Creates a new HTTP client from an existing reqwest::Client. 322 322 + /// 323 323 + /// Allows sharing a single client instance across multiple stages. 324 324 + pub fn from_client(client: reqwest::Client) -> Self { 325 325 + Self { inner: client } 326 326 + } 320 327 } 321 328 322 329 #[async_trait]

+98

tests/common/mod.rs

reviewed

··· 1 1 + //! Common test utilities shared across integration tests. 2 2 + //! 3 3 + //! This module uses the `tests/common/mod.rs` idiom because cargo treats each 4 4 + //! `tests/*.rs` as a separate crate and requires this pattern to share code. 5 5 + 6 6 + use async_trait::async_trait; 7 7 + use atproto_devtool::commands::test::labeler::http::{HttpStageError, RawHttpTee, RawXrpcResponse}; 8 8 + use std::collections::HashMap; 9 9 + use std::sync::{Arc, Mutex}; 10 10 + 11 11 + /// Type alias for HTTP response map in tests. 12 12 + pub type FakeHttpResponses = Arc<Mutex<HashMap<Option<String>, (reqwest::StatusCode, Vec<u8>)>>>; 13 13 + 14 14 + /// Fake HTTP tee for testing, returns pre-defined responses. 15 15 + pub struct FakeRawHttpTee { 16 16 + /// Map of cursor -> response bytes. 17 17 + responses: FakeHttpResponses, 18 18 + /// Whether to return a transport error. 19 19 + transport_error: Arc<Mutex<bool>>, 20 20 + } 21 21 + 22 22 + impl FakeRawHttpTee { 23 23 + /// Create a new FakeRawHttpTee. 24 24 + pub fn new() -> Self { 25 25 + Self { 26 26 + responses: Arc::new(Mutex::new(HashMap::new())), 27 27 + transport_error: Arc::new(Mutex::new(false)), 28 28 + } 29 29 + } 30 30 + 31 31 + /// Add a response for a given cursor. 32 32 + pub fn add_response(&self, cursor: Option<&str>, status: u16, body: Vec<u8>) { 33 33 + self.responses.lock().unwrap().insert( 34 34 + cursor.map(|s| s.to_string()), 35 35 + (reqwest::StatusCode::from_u16(status).unwrap(), body), 36 36 + ); 37 37 + } 38 38 + 39 39 + /// Set the transport error flag to simulate network failures. 40 40 + #[allow( 41 41 + dead_code, 42 42 + reason = "shared integration-test helper; cargo compiles each tests/*.rs as a separate binary so unused-in-one-binary triggers dead_code — tests/common/mod.rs is the cargo-idiomatic shared module" 43 43 + )] 44 44 + pub fn set_transport_error(&self) { 45 45 + *self.transport_error.lock().unwrap() = true; 46 46 + } 47 47 + } 48 48 + 49 49 + impl Default for FakeRawHttpTee { 50 50 + fn default() -> Self { 51 51 + Self::new() 52 52 + } 53 53 + } 54 54 + 55 55 + #[async_trait] 56 56 + impl RawHttpTee for FakeRawHttpTee { 57 57 + async fn query_labels(&self, cursor: Option<&str>) -> Result<RawXrpcResponse, HttpStageError> { 58 58 + if *self.transport_error.lock().unwrap() { 59 59 + // Return a realistic transport error simulating TCP connection refused. 60 60 + return Err(HttpStageError::Transport { 61 61 + message: "tcp connect: connection refused".into(), 62 62 + source: None, 63 63 + }); 64 64 + } 65 65 + 66 66 + let cursor_key = cursor.map(|s| s.to_string()); 67 67 + let responses = self.responses.lock().unwrap(); 68 68 + 69 69 + match responses.get(&cursor_key) { 70 70 + Some((status, body)) => { 71 71 + let raw_body: Arc<[u8]> = Arc::from(body.as_slice()); 72 72 + let decoded = serde_json::from_slice::< 73 73 + atrium_api::com::atproto::label::query_labels::Output, 74 74 + >(body) 75 75 + .map_err(|source| HttpStageError::DecodeFailed { 76 76 + raw_body: raw_body.clone(), 77 77 + source, 78 78 + source_url: "https://example.com/xrpc/com.atproto.label.queryLabels" 79 79 + .to_string(), 80 80 + })?; 81 81 + Ok(RawXrpcResponse { 82 82 + status: *status, 83 83 + raw_body, 84 84 + decoded, 85 85 + source_url: "https://example.com/xrpc/com.atproto.label.queryLabels" 86 86 + .to_string(), 87 87 + }) 88 88 + } 89 89 + None => { 90 90 + // Return a realistic transport error for unconfigured cursor. 91 91 + Err(HttpStageError::Transport { 92 92 + message: "tcp connect: connection refused".into(), 93 93 + source: None, 94 94 + }) 95 95 + } 96 96 + } 97 97 + } 98 98 + }

+1

tests/fixtures/labeler/http/healthy/first_page.json

reviewed

··· 1 1 + {"cursor":"cursor1","labels":[{"ver":1,"src":"did:plc:test123456789abcdefghijklmnop","uri":"at://did:plc:test123456789abcdefghijklmnop/app.bsky.feed.post/abc1","val":"spam","neg":false,"cts":"2026-01-01T00:00:00.000Z"},{"ver":1,"src":"did:plc:test123456789abcdefghijklmnop","uri":"at://did:plc:test123456789abcdefghijklmnop/app.bsky.feed.post/abc2","val":"impersonation","neg":false,"cts":"2026-01-02T00:00:00.000Z"}]}

+92 -2

tests/labeler_identity.rs

reviewed

··· 1 1 //! Integration tests for the labeler identity stage using snapshot tests. 2 2 3 3 + mod common; 4 4 + 3 5 use async_trait::async_trait; 4 6 use atproto_devtool::commands::test::labeler::pipeline::{ 5 7 LabelerOptions, parse_target, run_pipeline, ··· 96 98 String::from_utf8(buf).expect("invalid utf-8") 97 99 } 98 100 101 101 + /// Helper to normalize timing in rendered reports for snapshot testing. 102 102 + fn normalize_timing(rendered: String) -> String { 103 103 + // Replace patterns like "elapsed: 1ms" with "elapsed: Xms" for consistent snapshots. 104 104 + let mut result = rendered.clone(); 105 105 + let start = result.find("elapsed: "); 106 106 + if let Some(pos) = start { 107 107 + let remaining = &result[pos + 9..]; 108 108 + if let Some(end) = remaining.find("ms") { 109 109 + result.replace_range(pos + 9..pos + 9 + end, "X"); 110 110 + } 111 111 + } 112 112 + result 113 113 + } 114 114 + 115 115 + /// Helper function to return a healthy labels response (non-empty with valid labels). 116 116 + fn healthy_labels_response() -> Vec<u8> { 117 117 + include_bytes!("fixtures/labeler/http/healthy/first_page.json").to_vec() 118 118 + } 119 119 + 99 120 #[tokio::test] 100 121 async fn healthy_plc_renders_all_ok() { 101 122 // Load fixtures. ··· 121 142 ); 122 143 123 144 let target = parse_target("did:plc:test123456789abcdefghijklmnop", None).expect("parse failed"); 145 145 + let fake_tee = common::FakeRawHttpTee::new(); 146 146 + fake_tee.add_response(None, 200, healthy_labels_response()); 147 147 + 124 148 let opts = LabelerOptions { 125 149 http: &http, 126 150 dns: &dns, 151 151 + raw_http_tee: Some(&fake_tee), 152 152 + reqwest_client: None, 127 153 subscribe_timeout: std::time::Duration::from_secs(5), 128 154 verbose: false, 129 155 }; 130 156 131 157 let report = run_pipeline(target, opts).await; 132 158 133 133 - let rendered = render_report_to_string(&report); 159 159 + let rendered = normalize_timing(render_report_to_string(&report)); 134 160 insta::assert_snapshot!(rendered); 135 161 } 136 162 ··· 140 166 let dns = FakeDnsResolver::new(); 141 167 142 168 let target = parse_target("https://example.com/labeler", None).expect("parse failed"); 169 169 + let fake_tee = common::FakeRawHttpTee::new(); 170 170 + let empty_response = br#"{"cursor":null,"labels":[]}"#.to_vec(); 171 171 + fake_tee.add_response(None, 200, empty_response); 172 172 + 143 173 let opts = LabelerOptions { 144 174 http: &http, 145 175 dns: &dns, 176 176 + raw_http_tee: Some(&fake_tee), 177 177 + reqwest_client: None, 146 178 subscribe_timeout: std::time::Duration::from_secs(5), 147 179 verbose: false, 148 180 }; ··· 182 214 ); 183 215 184 216 let target = parse_target("alice.example", None).expect("parse failed"); 217 217 + let fake_tee = common::FakeRawHttpTee::new(); 218 218 + let empty_response = br#"{"cursor":null,"labels":[]}"#.to_vec(); 219 219 + fake_tee.add_response(None, 200, empty_response); 220 220 + 185 221 let opts = LabelerOptions { 186 222 http: &http, 187 223 dns: &dns, 224 224 + raw_http_tee: Some(&fake_tee), 225 225 + reqwest_client: None, 188 226 subscribe_timeout: std::time::Duration::from_secs(5), 189 227 verbose: false, 190 228 }; ··· 218 256 ); 219 257 220 258 let target = parse_target("did:plc:test123456789abcdefghijklmnop", None).expect("parse failed"); 259 259 + let fake_tee = common::FakeRawHttpTee::new(); 260 260 + fake_tee.add_response(None, 200, healthy_labels_response()); 261 261 + 221 262 let opts = LabelerOptions { 222 263 http: &http, 223 264 dns: &dns, 265 265 + raw_http_tee: Some(&fake_tee), 266 266 + reqwest_client: None, 224 267 subscribe_timeout: std::time::Duration::from_secs(5), 225 268 verbose: false, 226 269 }; 227 270 228 271 let report = run_pipeline(target, opts).await; 229 229 - let rendered = render_report_to_string(&report); 272 272 + let rendered = normalize_timing(render_report_to_string(&report)); 230 273 231 274 insta::assert_snapshot!(rendered); 232 275 } ··· 254 297 ); 255 298 256 299 let target = parse_target("did:web:web-labeler.example", None).expect("parse failed"); 300 300 + let fake_tee = common::FakeRawHttpTee::new(); 301 301 + let empty_response = br#"{"cursor":null,"labels":[]}"#.to_vec(); 302 302 + fake_tee.add_response(None, 200, empty_response); 303 303 + 257 304 let opts = LabelerOptions { 258 305 http: &http, 259 306 dns: &dns, 307 307 + raw_http_tee: Some(&fake_tee), 308 308 + reqwest_client: None, 260 309 subscribe_timeout: std::time::Duration::from_secs(5), 261 310 verbose: false, 262 311 }; ··· 275 324 // Don't add any response for PLC directory or DNS resolver - causes network error. 276 325 277 326 let target = parse_target("alice.test", None).expect("parse failed"); 327 327 + let fake_tee = common::FakeRawHttpTee::new(); 328 328 + let empty_response = br#"{"cursor":null,"labels":[]}"#.to_vec(); 329 329 + fake_tee.add_response(None, 200, empty_response); 330 330 + 278 331 let opts = LabelerOptions { 279 332 http: &http, 280 333 dns: &dns, 334 334 + raw_http_tee: Some(&fake_tee), 335 335 + reqwest_client: None, 281 336 subscribe_timeout: std::time::Duration::from_secs(5), 282 337 verbose: false, 283 338 }; ··· 309 364 ); 310 365 311 366 let target = parse_target("did:plc:test123456789abcdefghijklmnop", None).expect("parse failed"); 367 367 + let fake_tee = common::FakeRawHttpTee::new(); 368 368 + fake_tee.add_response(None, 200, healthy_labels_response()); 369 369 + 312 370 let opts = LabelerOptions { 313 371 http: &http, 314 372 dns: &dns, 373 373 + raw_http_tee: Some(&fake_tee), 374 374 + reqwest_client: None, 315 375 subscribe_timeout: std::time::Duration::from_secs(5), 316 376 verbose: false, 317 377 }; ··· 346 406 347 407 let target = 348 408 parse_target("did:plc:missing_service_test_123456789", None).expect("parse failed"); 409 409 + let fake_tee = common::FakeRawHttpTee::new(); 410 410 + let empty_response = br#"{"cursor":null,"labels":[]}"#.to_vec(); 411 411 + fake_tee.add_response(None, 200, empty_response); 412 412 + 349 413 let opts = LabelerOptions { 350 414 http: &http, 351 415 dns: &dns, 416 416 + raw_http_tee: Some(&fake_tee), 417 417 + reqwest_client: None, 352 418 subscribe_timeout: std::time::Duration::from_secs(5), 353 419 verbose: false, 354 420 }; ··· 385 451 386 452 let target = 387 453 parse_target("did:plc:missing_signing_key_test_12345", None).expect("parse failed"); 454 454 + let fake_tee = common::FakeRawHttpTee::new(); 455 455 + let empty_response = br#"{"cursor":null,"labels":[]}"#.to_vec(); 456 456 + fake_tee.add_response(None, 200, empty_response); 457 457 + 388 458 let opts = LabelerOptions { 389 459 http: &http, 390 460 dns: &dns, 461 461 + raw_http_tee: Some(&fake_tee), 462 462 + reqwest_client: None, 391 463 subscribe_timeout: std::time::Duration::from_secs(5), 392 464 verbose: false, 393 465 }; ··· 422 494 423 495 let target = 424 496 parse_target("did:plc:non_https_endpoint_test_123456", None).expect("parse failed"); 497 497 + let fake_tee = common::FakeRawHttpTee::new(); 498 498 + let empty_response = br#"{"cursor":null,"labels":[]}"#.to_vec(); 499 499 + fake_tee.add_response(None, 200, empty_response); 500 500 + 425 501 let opts = LabelerOptions { 426 502 http: &http, 427 503 dns: &dns, 504 504 + raw_http_tee: Some(&fake_tee), 505 505 + reqwest_client: None, 428 506 subscribe_timeout: std::time::Duration::from_secs(5), 429 507 verbose: false, 430 508 }; ··· 459 537 460 538 let target = 461 539 parse_target("did:plc:empty_policies_test_123456789ab", None).expect("parse failed"); 540 540 + let fake_tee = common::FakeRawHttpTee::new(); 541 541 + let empty_response = br#"{"cursor":null,"labels":[]}"#.to_vec(); 542 542 + fake_tee.add_response(None, 200, empty_response); 543 543 + 462 544 let opts = LabelerOptions { 463 545 http: &http, 464 546 dns: &dns, 547 547 + raw_http_tee: Some(&fake_tee), 548 548 + reqwest_client: None, 465 549 subscribe_timeout: std::time::Duration::from_secs(5), 466 550 verbose: false, 467 551 }; ··· 500 584 Some("did:plc:endpoint_mismatch_test_123456789"), 501 585 ) 502 586 .expect("parse failed"); 587 587 + let fake_tee = common::FakeRawHttpTee::new(); 588 588 + let empty_response = br#"{"cursor":null,"labels":[]}"#.to_vec(); 589 589 + fake_tee.add_response(None, 200, empty_response); 590 590 + 503 591 let opts = LabelerOptions { 504 592 http: &http, 505 593 dns: &dns, 594 594 + raw_http_tee: Some(&fake_tee), 595 595 + reqwest_client: None, 506 596 subscribe_timeout: std::time::Duration::from_secs(5), 507 597 verbose: false, 508 598 };

+5 -3

tests/snapshots/labeler_identity__did_plc_direct_happy_path.snap

reviewed

··· 6 6 Resolved DID: did:plc:test123456789abcdefghijklmnop 7 7 PDS endpoint: https://pds.example.com/ 8 8 Labeler endpoint: https://labeler.example.com/ 9 9 - elapsed: 0ms 9 9 + elapsed: Xms 10 10 11 11 == Identity == 12 12 [OK] target resolved ··· 19 19 [OK] labeler record fetched 20 20 [OK] labeler record policies nonempty 21 21 == HTTP == 22 22 - [SKIP] HTTP stage (stub) — not yet implemented (phase 4) 22 22 + [OK] Labeler endpoint is reachable 23 23 + [OK] First page schema is valid 24 24 + [NET] Network error fetching second page: tcp connect: connection refused 23 25 == Subscription == 24 26 [SKIP] Subscription stage (stub) — not yet implemented (phase 5) 25 27 == Crypto == 26 28 [SKIP] Crypto stage (stub) — not yet implemented (phase 6) 27 29 28 28 - Summary: 8 passed, 0 failed (spec), 0 network errors, 0 advisories, 4 skipped. Exit code: 0 30 30 + Summary: 10 passed, 0 failed (spec), 1 network errors, 0 advisories, 3 skipped. Exit code: 0

+5 -2

tests/snapshots/labeler_identity__did_web_direct_happy_path.snap

reviewed

··· 19 19 [OK] labeler record fetched 20 20 [OK] labeler record policies nonempty 21 21 == HTTP == 22 22 - [SKIP] HTTP stage (stub) — not yet implemented (phase 4) 22 22 + [OK] Labeler endpoint is reachable 23 23 + [OK] First page schema is valid 24 24 + [WARN] Labeler has no published labels 25 25 + [OK] First page was complete; pagination not exercised 23 26 == Subscription == 24 27 [SKIP] Subscription stage (stub) — not yet implemented (phase 5) 25 28 == Crypto == 26 29 [SKIP] Crypto stage (stub) — not yet implemented (phase 6) 27 30 28 28 - Summary: 8 passed, 0 failed (spec), 0 network errors, 0 advisories, 4 skipped. Exit code: 0 31 31 + Summary: 11 passed, 0 failed (spec), 0 network errors, 1 advisories, 3 skipped. Exit code: 0

+1 -1

tests/snapshots/labeler_identity__empty_policies_renders_spec_violation_with_span.snap

reviewed

··· 26 26 6 │ } 27 27 ╰──── 28 28 == HTTP == 29 29 - [SKIP] HTTP stage (stub) — blocked by identity stage failures 29 29 + [SKIP] HTTP stage (not run) — blocked by identity stage failures 30 30 == Subscription == 31 31 [SKIP] Subscription stage (stub) — blocked by identity stage failures 32 32 == Crypto ==

+5 -2

tests/snapshots/labeler_identity__endpoint_mismatch_spec_violation.snap

reviewed

··· 26 26 [OK] labeler record fetched 27 27 [OK] labeler record policies nonempty 28 28 == HTTP == 29 29 - [SKIP] HTTP stage (stub) — blocked by identity stage failures 29 29 + [OK] Labeler endpoint is reachable 30 30 + [OK] First page schema is valid 31 31 + [WARN] Labeler has no published labels 32 32 + [OK] First page was complete; pagination not exercised 30 33 == Subscription == 31 34 [SKIP] Subscription stage (stub) — blocked by identity stage failures 32 35 == Crypto == 33 36 [SKIP] Crypto stage (stub) — blocked by identity stage failures 34 37 35 35 - Summary: 8 passed, 1 failed (spec), 0 network errors, 0 advisories, 3 skipped. Exit code: 1 38 38 + Summary: 11 passed, 1 failed (spec), 0 network errors, 1 advisories, 2 skipped. Exit code: 1

+5 -2

tests/snapshots/labeler_identity__endpoint_only_no_did_skips_identity.snap

reviewed

··· 16 16 [SKIP] labeler record fetched — no DID supplied; run with a handle, a DID, or --did <did> 17 17 [SKIP] labeler record policies nonempty — no DID supplied; run with a handle, a DID, or --did <did> 18 18 == HTTP == 19 19 - [SKIP] HTTP stage (stub) — not yet implemented (phase 4) 19 19 + [OK] Labeler endpoint is reachable 20 20 + [OK] First page schema is valid 21 21 + [WARN] Labeler has no published labels 22 22 + [OK] First page was complete; pagination not exercised 20 23 == Subscription == 21 24 [SKIP] Subscription stage (stub) — not yet implemented (phase 5) 22 25 == Crypto == 23 26 [SKIP] Crypto stage (stub) — not yet implemented (phase 6) 24 27 25 25 - Summary: 0 passed, 0 failed (spec), 0 network errors, 0 advisories, 12 skipped. Exit code: 0 28 28 + Summary: 3 passed, 0 failed (spec), 0 network errors, 1 advisories, 11 skipped. Exit code: 0

+5 -2

tests/snapshots/labeler_identity__handle_resolution_happy_path.snap

reviewed

··· 19 19 [OK] labeler record fetched 20 20 [OK] labeler record policies nonempty 21 21 == HTTP == 22 22 - [SKIP] HTTP stage (stub) — not yet implemented (phase 4) 22 22 + [OK] Labeler endpoint is reachable 23 23 + [OK] First page schema is valid 24 24 + [WARN] Labeler has no published labels 25 25 + [OK] First page was complete; pagination not exercised 23 26 == Subscription == 24 27 [SKIP] Subscription stage (stub) — not yet implemented (phase 5) 25 28 == Crypto == 26 29 [SKIP] Crypto stage (stub) — not yet implemented (phase 6) 27 30 28 28 - Summary: 8 passed, 0 failed (spec), 0 network errors, 0 advisories, 4 skipped. Exit code: 0 31 31 + Summary: 11 passed, 0 failed (spec), 0 network errors, 1 advisories, 3 skipped. Exit code: 0

+5 -3

tests/snapshots/labeler_identity__healthy_plc_renders_all_ok.snap

reviewed

··· 6 6 Resolved DID: did:plc:test123456789abcdefghijklmnop 7 7 PDS endpoint: https://pds.example.com/ 8 8 Labeler endpoint: https://labeler.example.com/ 9 9 - elapsed: 0ms 9 9 + elapsed: Xms 10 10 11 11 == Identity == 12 12 [OK] target resolved ··· 19 19 [OK] labeler record fetched 20 20 [OK] labeler record policies nonempty 21 21 == HTTP == 22 22 - [SKIP] HTTP stage (stub) — not yet implemented (phase 4) 22 22 + [OK] Labeler endpoint is reachable 23 23 + [OK] First page schema is valid 24 24 + [NET] Network error fetching second page: tcp connect: connection refused 23 25 == Subscription == 24 26 [SKIP] Subscription stage (stub) — not yet implemented (phase 5) 25 27 == Crypto == 26 28 [SKIP] Crypto stage (stub) — not yet implemented (phase 6) 27 29 28 28 - Summary: 8 passed, 0 failed (spec), 0 network errors, 0 advisories, 4 skipped. Exit code: 0 30 30 + Summary: 10 passed, 0 failed (spec), 1 network errors, 0 advisories, 3 skipped. Exit code: 0

+1 -1

tests/snapshots/labeler_identity__missing_labeler_record_renders_404_distinct_from_transport.snap

reviewed

··· 19 19 × PDS returned 404: labeler record not found 20 20 [SKIP] labeler record policies nonempty — blocked by identity::labeler_record_fetched 21 21 == HTTP == 22 22 - [SKIP] HTTP stage (stub) — blocked by identity stage failures 22 22 + [SKIP] HTTP stage (not run) — blocked by identity stage failures 23 23 == Subscription == 24 24 [SKIP] Subscription stage (stub) — blocked by identity stage failures 25 25 == Crypto ==

+1 -1

tests/snapshots/labeler_identity__missing_service_renders_spec_violation_with_span.snap

reviewed

··· 26 26 [OK] labeler record fetched 27 27 [OK] labeler record policies nonempty 28 28 == HTTP == 29 29 - [SKIP] HTTP stage (stub) — blocked by identity stage failures 29 29 + [SKIP] HTTP stage (not run) — blocked by identity stage failures 30 30 == Subscription == 31 31 [SKIP] Subscription stage (stub) — blocked by identity stage failures 32 32 == Crypto ==

+1 -1

tests/snapshots/labeler_identity__missing_signing_key_renders_spec_violation.snap

reviewed

··· 26 26 [OK] labeler record fetched 27 27 [OK] labeler record policies nonempty 28 28 == HTTP == 29 29 - [SKIP] HTTP stage (stub) — blocked by identity stage failures 29 29 + [SKIP] HTTP stage (not run) — blocked by identity stage failures 30 30 == Subscription == 31 31 [SKIP] Subscription stage (stub) — blocked by identity stage failures 32 32 == Crypto ==

+1 -1

tests/snapshots/labeler_identity__non_https_endpoint_renders_spec_violation.snap

reviewed

··· 26 26 [OK] labeler record fetched 27 27 [OK] labeler record policies nonempty 28 28 == HTTP == 29 29 - [SKIP] HTTP stage (stub) — blocked by identity stage failures 29 29 + [SKIP] HTTP stage (not run) — blocked by identity stage failures 30 30 == Subscription == 31 31 [SKIP] Subscription stage (stub) — blocked by identity stage failures 32 32 == Crypto ==

+1 -1

tests/snapshots/labeler_identity__plc_directory_unreachable_renders_network_error.snap

reviewed

··· 16 16 [SKIP] labeler record fetched — blocked by identity::target_resolved 17 17 [SKIP] labeler record policies nonempty — blocked by identity::target_resolved 18 18 == HTTP == 19 19 - [SKIP] HTTP stage (stub) — blocked by identity stage failures 19 19 + [SKIP] HTTP stage (not run) — blocked by identity stage failures 20 20 == Subscription == 21 21 [SKIP] Subscription stage (stub) — blocked by identity stage failures 22 22 == Crypto ==