test: migrate runtime coverage toward ginkgo e2e

[guoqqqi]

Summary

• migrate the E2E entrypoint to Ginkgo and add a local-stability spec that exercises the current route/service, debug trace, secret, and stream-route workflows against a real environment
• enforce the new testing policy by removing command-level Admin API mock tests and replacing the remaining coverage with pure logic unit tests only
• fix two CLI mismatches surfaced by issue Follow-up: a7 test / skills / docs review findings #1: secret create now accepts the documented positional ID form, and stream-route update -f no longer incorrectly requires --upstream-id
• update docs/testing-strategy.md, Makefile, and the E2E workflow so local and CI execution use the same Ginkgo-based path

Validation

• go test ./...
• go test -c -tags=e2e ./test/e2e

Notes

• Live E2E execution was not possible in this shell because A7_ADMIN_URL, A7_TOKEN, A7_GATEWAY_URL, and HTTPBIN_URL are not set here.
• This PR builds the migration rail for the remaining test/e2e/*.go cases while making new and modified E2E coverage Ginkgo-based immediately.

Refs #1

Summary by CodeRabbit

• New Features

  • Secret provider creation accepts an optional positional provider/ID.

• Tests

  • Modernized E2E test harness to a newer runner and added a Ginkgo-based suite.
  • Increased CI/test timeouts and improved pre-test dependency handling for more reliable E2E runs.

• Documentation

  • Updated testing strategy with refined principles and E2E expectations.

• Chores

  • Bumped Go toolchain and added testing framework dependencies.

[coderabbitai]

📝 Walkthrough

Walkthrough

Migrates many command-level mocked tests to Ginkgo v2 E2E tests, updates Go toolchain and CI timeout, adds Ginkgo suite entrypoint, introduces new E2E helpers and polling logic, removes numerous httpmock-based command tests, updates docs to require E2E for API-dependent behavior, and adjusts a few CLI command behaviors.

Changes

Cohort / File(s)	Summary
Build & CI go.mod, .github/workflows/e2e.yml, Makefile	Bumped Go toolchain to 1.23.0, added Ginkgo/Gomega deps, increased CI e2e job timeout (30→50m), added go mod download in workflow, and switched Makefile e2e runner to Ginkgo v2 with longer timeout.
Testing policy & docs docs/testing-strategy.md	Rewrote testing strategy: restrict unit tests to self-contained logic, require E2E (Ginkgo) for API-dependent features, defined Test Pyramid and env var requirements.
Ginkgo test infra test/e2e/e2e_suite_test.go, test/e2e/local_stability_ginkgo_test.go	Added Ginkgo v2 suite entrypoint and new Ginkgo-based local stability E2E specs (ordered checks covering version, routing, debug trace, secrets, stream routes).
E2E helpers & tests test/e2e/... (consumer, debug, route, service, stream_route, secret, config_sync, setup_test.go, many test files)	Introduced/updated helpers (testTB interface, polling/wait helpers, sanitize/trim config dumps), switched route payloads to use services, added service lifecycle management and stricter admin API error handling, added CLI timeout context.
Unit test refactor (client/update) internal/update/github_test.go, pkg/api/client_test.go	Replaced httptest.NewServer mocks with custom roundTripFunc RoundTripper; reduced/increased scope to focused unit tests on transport/unwrapping and helper logic.
Ginkgo runner tests test/e2e/*_ginkgo_test.go, test/e2e/e2e_suite_test.go	New Ginkgo test files gated by e2e build tag and integrated into test runner.
Deleted mocked command tests pkg/cmd/.../…_test.go (50+ files; examples: pkg/cmd/config/diff/diff_test.go, pkg/cmd/route/list/list_test.go, pkg/cmd/service/*_test.go, pkg/cmd/consumer/*_test.go, pkg/cmd/plugin-*/*_test.go, pkg/cmd/secret/*_test.go, pkg/cmd/upstream/*_test.go, etc.)	Removed extensive httpmock-based command test suites that mocked APISIX admin API and validated command-level control flow and output formatting.
Command behavior tweaks pkg/cmd/secret/create/create.go, pkg/cmd/stream-route/update/update.go	Secret create now accepts optional positional provider/id and reconciles with --id; stream-route update defers http client init and relaxes --upstream-id requirement for file-based updates.
E2E test adjustments (existing files) test/e2e/*_test.go (config_sync, consumer, debug, route, service, stream_route, secret)	Numerous updates to helper signatures (use testTB), stricter failure handling for admin API calls, polling-based propagation waits, resource trimming for config sync, and response-based test skips for unstable CI environments.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• test: refactor automation strategy around real APISIX E2E and Ginkgo a6#19: aligns with the requested Ginkgo/E2E migration and testing-strategy changes; this PR implements that foundation.
• test: migrate core command coverage from mocked Admin API tests to real E2E a6#22: implements migration of mocked command tests to real E2E suites and removal of many httpmock-based tests.
• docs(test): redefine unit-vs-e2e policy for a6 a6#20: updates testing documentation and enforces unit vs E2E boundaries as described in the issue.

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
E2e Test Quality Review	⚠️ Warning	PR adds E2E Ginkgo tests but has two significant blockers: review feedback on isKnownRoundtripSyncGap remains unaddressed (overly permissive matching), and trimDumpForRoundtrip lacks validation when collections are missing.	Narrow isKnownRoundtripSyncGap to match specific error patterns only; enforce hard failures for missing services/routes collections; evaluate edge case coverage from 60 deleted command-level tests.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'test: migrate runtime coverage toward ginkgo e2e' directly summarizes the primary change: migrating the test suite to use Ginkgo for E2E testing. It is concise, specific, and clearly conveys the main objective from the developer's perspective.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	Security analysis across all 7 mandatory vulnerability categories reveals no issues in sensitive data exposure, database encryption, authorization, resource isolation, TLS configuration, or secret resolution.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/local-stability-ginkgo-migration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Migrates the E2E test entrypoint to a Ginkgo-based suite, adds a local-stability spec that exercises real EE/gateway workflows, and enforces the updated testing strategy by removing Admin-API-mocking command tests while fixing CLI behavior mismatches.

Changes:

• Add Ginkgo/Gomega E2E suite + “local stability” specs and supporting E2E helpers/cleanup improvements.
• Remove command-level httpmock/httptest-based CLI tests per updated testing policy and shift remaining verification to E2E + pure logic tests.
• Fix CLI behavior: secret create supports positional provider/id, and stream-route update -f doesn’t require --upstream-id.

Reviewed changes

Copilot reviewed 88 out of 89 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
test/e2e/stream_route_test.go	Align stream-route E2E CRUD with service-backed model and stronger cleanup.
test/e2e/setup_test.go	Introduce testTB interface + update helpers to accept both *testing.T and Ginkgo GinkgoT().
test/e2e/service_test.go	Improve Admin API cleanup semantics and error surfacing for service deletion.
test/e2e/secret_test.go	Generalize secret cleanup helper to accept testTB.
test/e2e/local_stability_ginkgo_test.go	Add new Ginkgo Ordered E2E “local stability” spec covering route/service, trace, secret, stream-route flows.
test/e2e/e2e_suite_test.go	Add Ginkgo suite entrypoint (RunSpecs).
test/e2e/consumer_test.go	Add gateway poll helper and adjust key-auth E2E to use service-backed routes and propagation polling.
test/e2e/config_sync_test.go	Add dump sanitization/trim helpers to reduce shared-env flakiness and focus roundtrip on owned resources.
pkg/cmd/upstream/update/update_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/upstream/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/upstream/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/upstream/export/export_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/upstream/delete/delete_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/upstream/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/stream-route/update/update_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/stream-route/update/update.go	Allow stream-route update -f without requiring --upstream-id.
pkg/cmd/stream-route/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/stream-route/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/stream-route/export/export_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/stream-route/delete/delete_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/stream-route/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/ssl/export/export_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/service/update/update_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/service/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/service/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/service/export/export_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/service/delete/delete_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/service/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/secret/update/update_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/secret/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/secret/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/secret/delete/delete_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/secret/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/secret/create/create.go	Update secret create to accept positional [provider/id].
pkg/cmd/route/update/update_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/route/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/route/export/export_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/route/delete/delete_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/route/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/proto/update/update_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/proto/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/proto/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/proto/export/export_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/proto/delete/delete_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/proto/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin-metadata/update/update_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin-metadata/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin-metadata/delete/delete_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin-metadata/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin-config/update/update_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin-config/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin-config/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin-config/export/export_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin-config/delete/delete_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/plugin-config/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/global-rule/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/global-rule/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/global-rule/export/export_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/gateway-group/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/credential/update/update_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/credential/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/credential/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/credential/delete/delete_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/credential/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/context/create/create_test.go	Remove httptest-based command coverage per new testing policy.
pkg/cmd/consumer/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/consumer/export/export_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/consumer/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/consumer-group/update/update_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/consumer-group/list/list_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/consumer-group/get/get_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/consumer-group/export/export_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/consumer-group/delete/delete_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/consumer-group/create/create_test.go	Remove httpmock-based command tests per new testing policy.
pkg/cmd/config/sync/sync_test.go	Remove httpmock-based config sync command tests per new testing policy.
pkg/cmd/config/diff/diff_test.go	Remove httpmock-based config diff command tests per new testing policy.
internal/update/github_test.go	Replace httptest server with stub RoundTripper-based tests.
go.mod	Bump Go version and add Ginkgo/Gomega dependencies for E2E.
docs/testing-strategy.md	Update testing strategy (Ginkgo E2E, avoid Admin API mocks).
Makefile	Run E2E via Ginkgo CLI for consistent local/CI behavior.
.github/workflows/e2e.yml	Adjust E2E workflow timeout and module download step.

Comments suppressed due to low confidence (4)

test/e2e/consumer_test.go:1

• In waitForGatewayStatus, the response body is closed without draining. In tight polling loops this can prevent connection reuse and cause resource/FD churn, especially in CI. Consider draining to io.Discard (up to a reasonable cap) before closing, and optionally handling the Close() error.
  test/e2e/stream_route_test.go:1
• deleteStreamRouteViaAdmin silently ignores non-nil errors and does not check for non-2xx status codes, which can hide cleanup failures and lead to resource collisions across E2E runs. It would be more robust to mirror deleteServiceViaAdmin: fail (or at least Errorf) on request errors and unexpected status codes, while allowing 404 as a no-op, and always closing the body.
  test/e2e/setup_test.go:1
• This custom testTB duplicates a subset of testing.TB and can drift over time (e.g., missing methods that helpers/libraries may start relying on). Prefer taking a testing.TB directly where possible; it already includes Helper, TempDir, Cleanup, and skip/fail methods, and improves interoperability with both *testing.T and Ginkgo's GinkgoT().
  pkg/cmd/secret/create/create.go:1
• With cobra.MaximumNArgs(1), secret create accepts zero args even though the Use string documents a positional [provider/id]. If the command also supports --id, consider adding an Args validator that enforces 'exactly one of positional arg or --id' and produces a clear, up-to-date error message; otherwise, consider cobra.ExactArgs(1) to match the documented usage.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The workflow pins Go 1.22, but go.mod now requires Go 1.23.0. This will fail in CI with a 'go.mod requires go >= 1.23' style error. Update actions/setup-go to use Go 1.23.x (or align go.mod back to 1.22) so CI can build and run E2E.

Suggested change

	go-version: '1.22'
	go-version: '1.23'

[Copilot]

The module now requires Go 1.23.0, which needs to be consistently reflected across CI (and any pinned local dev tooling). Ensure all workflows and release/build pipelines that use go-version or pinned toolchains are updated to Go 1.23.x to avoid build failures.

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/e2e.yml (1)

21-29: ⚠️ Potential issue | 🟠 Major

Wire A7_GATEWAY_URL and HTTPBIN_URL into the E2E workflow.

The make test-e2e step (lines 26-28) only provides A7_ADMIN_URL, A7_TOKEN, and A7_GATEWAY_GROUP. However, test/e2e/setup_test.go references A7_GATEWAY_URL and HTTPBIN_URL and skips gateway traffic and httpbin-dependent tests when these are absent. Add these to the env block to ensure full test coverage in CI.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yml around lines 21 - 29, Add the missing environment
variables A7_GATEWAY_URL and HTTPBIN_URL to the "Run E2E tests" step so make
test-e2e runs with the same inputs expected by test/e2e/setup_test.go; update
the env block that currently sets A7_ADMIN_URL, A7_TOKEN, and A7_GATEWAY_GROUP
to also set A7_GATEWAY_URL: ${{ secrets.A7_GATEWAY_URL }} and HTTPBIN_URL: ${{
secrets.HTTPBIN_URL }} (or appropriate secret names) so tests that check
A7_GATEWAY_URL and HTTPBIN_URL are not skipped.

test/e2e/consumer_test.go (1)

59-64: ⚠️ Potential issue | 🟠 Major

Keep consumer cleanup idempotent, not silent.

This makes the second delete in TestConsumer_CRUD harmless, but it also hides real cleanup failures and leaked consumers. Please special-case not-found only and surface the rest.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/consumer_test.go` around lines 59 - 64, The deleteConsumerViaAdmin
helper currently swallows errors and only closes resp.Body when err==nil, hiding
real failures; update it to always close resp.Body when resp is non-nil, and
treat HTTP 404 (not found) as a no-op but surface any other non-success status
or err via t.Fatalf/t.Errorf; reference the deleteConsumerViaAdmin function and
the runtimeAdminAPI call to locate where to check resp.StatusCode and err, close
the response body, and fail the test on unexpected errors.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 3: The project declares Go 1.23.0 in go.mod but the E2E workflow still
uses Go 1.22; update the GitHub Actions e2e workflow's setup step (the action
that uses the go-version/go-version matrix entry) to use 1.23.0 (or 1.23) so the
runner's Go matches the module's required version and avoids failing on go mod
download/run; also check any other workflow steps or matrix entries that pin Go
versions and align them to 1.23.0.

In `@pkg/cmd/secret/create/create.go`:
- Around line 39-42: The RunE handler currently unconditionally overwrites
opts.ID with the positional arg (in the RunE func for the cobra.Command),
allowing conflicting sources like `a7 secret create foo --id bar`; change the
logic to detect both sources and reject or require them to match: if args length
> 0 and opts.ID is non-empty, return an error unless args[0] == opts.ID;
otherwise set opts.ID = args[0] only when opts.ID is empty; ensure this
validation happens early in the RunE before proceeding with creation.

In `@test/e2e/config_sync_test.go`:
- Around line 43-48: The test currently replaces cfg["services"] and
cfg["routes"] with filtered slices that may be empty, masking a roundtrip dump
regression; update the test in config_sync_test.go to check the results of
filterResourcesByID (for the variables/services identified by serviceID and
routeID) and fail fast (use t.Fatalf or t.Fatalf-style failure) if the filtered
slice is empty so the test fails when the target service or route is dropped
rather than silently proceeding with an empty collection; keep using the
existing filterResourcesByID helper and the cfg map keys "services" and "routes"
to locate the values.

In `@test/e2e/consumer_test.go`:
- Around line 21-49: The polling helper waitForGatewayStatus currently returns
lastErr on timeout even if an HTTP response was observed earlier, which lets a
transient transport error override a valid lastStatus; change the final return
logic so that a transport error (lastErr) is only returned when no HTTP status
was ever observed (lastStatus == 0). In practice, update the tail of
waitForGatewayStatus to check lastStatus == 0 && lastErr != nil and return the
transport error only in that case, otherwise return the lastStatus with a nil
error so callers like route_test.go and debug_test.go get the last observed HTTP
code.

In `@test/e2e/local_stability_ginkgo_test.go`:
- Around line 101-104: The test currently treats any error from runA7WithEnv
when creating the secret as a skip, which can hide real regressions; change the
logic in the secret creation call (the stdout, stderr, err := runA7WithEnv(env,
"secret", "create", secretID, "-f", tmpFile, "-g", gatewayGroup) block) so you
only call Skip for known environment-capability failures (e.g., detect specific
error strings or a sentinel error returned by runA7WithEnv) and for all other
errors fail the test (use t.Fatalf or t.Error/t.FailNow) with the captured
stdout/stderr to surface regressions; apply the same change to the analogous
runA7WithEnv error handling in the later secret-update/assertion block.

In `@test/e2e/route_test.go`:
- Around line 26-31: deleteRouteViaAdmin currently swallows all errors from
runtimeAdminAPI which hides real failures; change it to call runtimeAdminAPI and
if it returns an error or a non-2xx response, inspect the response (resp != nil)
and only ignore the expected "not found" case (HTTP 404) — for any other error
or status code, report the failure via the test helper (t.Fatalf or t.Errorf) so
leaked routes fail the test; ensure you always close resp.Body when resp is
non-nil. Reference: function deleteRouteViaAdmin and runtimeAdminAPI.

---

Outside diff comments:
In @.github/workflows/e2e.yml:
- Around line 21-29: Add the missing environment variables A7_GATEWAY_URL and
HTTPBIN_URL to the "Run E2E tests" step so make test-e2e runs with the same
inputs expected by test/e2e/setup_test.go; update the env block that currently
sets A7_ADMIN_URL, A7_TOKEN, and A7_GATEWAY_GROUP to also set A7_GATEWAY_URL:
${{ secrets.A7_GATEWAY_URL }} and HTTPBIN_URL: ${{ secrets.HTTPBIN_URL }} (or
appropriate secret names) so tests that check A7_GATEWAY_URL and HTTPBIN_URL are
not skipped.

In `@test/e2e/consumer_test.go`:
- Around line 59-64: The deleteConsumerViaAdmin helper currently swallows errors
and only closes resp.Body when err==nil, hiding real failures; update it to
always close resp.Body when resp is non-nil, and treat HTTP 404 (not found) as a
no-op but surface any other non-success status or err via t.Fatalf/t.Errorf;
reference the deleteConsumerViaAdmin function and the runtimeAdminAPI call to
locate where to check resp.StatusCode and err, close the response body, and fail
the test on unexpected errors.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3476bfe5-185e-4b9b-9cf0-13ed5291e5e5

📥 Commits

Reviewing files that changed from the base of the PR and between 69c5178 and 0069781.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (88)

• .github/workflows/e2e.yml
• Makefile
• docs/testing-strategy.md
• go.mod
• internal/update/github_test.go
• pkg/api/client_test.go
• pkg/cmd/config/diff/diff_test.go
• pkg/cmd/config/dump/dump_test.go
• pkg/cmd/config/sync/sync_test.go
• pkg/cmd/consumer-group/create/create_test.go
• pkg/cmd/consumer-group/delete/delete_test.go
• pkg/cmd/consumer-group/export/export_test.go
• pkg/cmd/consumer-group/get/get_test.go
• pkg/cmd/consumer-group/list/list_test.go
• pkg/cmd/consumer-group/update/update_test.go
• pkg/cmd/consumer/create/create_test.go
• pkg/cmd/consumer/export/export_test.go
• pkg/cmd/consumer/list/list_test.go
• pkg/cmd/context/create/create_test.go
• pkg/cmd/credential/create/create_test.go
• pkg/cmd/credential/delete/delete_test.go
• pkg/cmd/credential/get/get_test.go
• pkg/cmd/credential/list/list_test.go
• pkg/cmd/credential/update/update_test.go
• pkg/cmd/debug/trace/trace_test.go
• pkg/cmd/gateway-group/list/list_test.go
• pkg/cmd/global-rule/export/export_test.go
• pkg/cmd/global-rule/get/get_test.go
• pkg/cmd/global-rule/list/list_test.go
• pkg/cmd/plugin-config/create/create_test.go
• pkg/cmd/plugin-config/delete/delete_test.go
• pkg/cmd/plugin-config/export/export_test.go
• pkg/cmd/plugin-config/get/get_test.go
• pkg/cmd/plugin-config/list/list_test.go
• pkg/cmd/plugin-config/update/update_test.go
• pkg/cmd/plugin-metadata/create/create_test.go
• pkg/cmd/plugin-metadata/delete/delete_test.go
• pkg/cmd/plugin-metadata/get/get_test.go
• pkg/cmd/plugin-metadata/update/update_test.go
• pkg/cmd/plugin/get/get_test.go
• pkg/cmd/proto/create/create_test.go
• pkg/cmd/proto/delete/delete_test.go
• pkg/cmd/proto/export/export_test.go
• pkg/cmd/proto/get/get_test.go
• pkg/cmd/proto/list/list_test.go
• pkg/cmd/proto/update/update_test.go
• pkg/cmd/route/create/create_test.go
• pkg/cmd/route/delete/delete_test.go
• pkg/cmd/route/export/export_test.go
• pkg/cmd/route/get/get_test.go
• pkg/cmd/route/list/list_test.go
• pkg/cmd/route/update/update_test.go
• pkg/cmd/secret/create/create.go
• pkg/cmd/secret/create/create_test.go
• pkg/cmd/secret/delete/delete_test.go
• pkg/cmd/secret/get/get_test.go
• pkg/cmd/secret/list/list_test.go
• pkg/cmd/secret/update/update_test.go
• pkg/cmd/service/create/create_test.go
• pkg/cmd/service/delete/delete_test.go
• pkg/cmd/service/export/export_test.go
• pkg/cmd/service/get/get_test.go
• pkg/cmd/service/list/list_test.go
• pkg/cmd/service/update/update_test.go
• pkg/cmd/ssl/export/export_test.go
• pkg/cmd/stream-route/create/create_test.go
• pkg/cmd/stream-route/delete/delete_test.go
• pkg/cmd/stream-route/export/export_test.go
• pkg/cmd/stream-route/get/get_test.go
• pkg/cmd/stream-route/list/list_test.go
• pkg/cmd/stream-route/update/update.go
• pkg/cmd/stream-route/update/update_test.go
• pkg/cmd/upstream/create/create_test.go
• pkg/cmd/upstream/delete/delete_test.go
• pkg/cmd/upstream/export/export_test.go
• pkg/cmd/upstream/get/get_test.go
• pkg/cmd/upstream/list/list_test.go
• pkg/cmd/upstream/update/update_test.go
• test/e2e/config_sync_test.go
• test/e2e/consumer_test.go
• test/e2e/debug_test.go
• test/e2e/e2e_suite_test.go
• test/e2e/local_stability_ginkgo_test.go
• test/e2e/route_test.go
• test/e2e/secret_test.go
• test/e2e/service_test.go
• test/e2e/setup_test.go
• test/e2e/stream_route_test.go

💤 Files with no reviewable changes (69)

• pkg/cmd/consumer-group/delete/delete_test.go
• pkg/cmd/credential/list/list_test.go
• pkg/cmd/credential/delete/delete_test.go
• pkg/cmd/secret/get/get_test.go
• pkg/cmd/consumer/export/export_test.go
• pkg/cmd/consumer/create/create_test.go
• pkg/cmd/plugin/get/get_test.go
• pkg/cmd/plugin-metadata/get/get_test.go
• pkg/cmd/upstream/get/get_test.go
• pkg/cmd/upstream/export/export_test.go
• pkg/cmd/route/export/export_test.go
• pkg/cmd/plugin-config/update/update_test.go
• pkg/cmd/upstream/create/create_test.go
• pkg/cmd/secret/update/update_test.go
• pkg/cmd/plugin-metadata/update/update_test.go
• pkg/cmd/global-rule/get/get_test.go
• pkg/cmd/credential/create/create_test.go
• pkg/cmd/route/delete/delete_test.go
• pkg/cmd/proto/update/update_test.go
• pkg/cmd/consumer/list/list_test.go
• pkg/cmd/route/list/list_test.go
• pkg/cmd/service/delete/delete_test.go
• pkg/cmd/credential/update/update_test.go
• pkg/cmd/route/update/update_test.go
• pkg/cmd/config/dump/dump_test.go
• pkg/cmd/secret/create/create_test.go
• pkg/cmd/config/sync/sync_test.go
• pkg/cmd/consumer-group/create/create_test.go
• pkg/cmd/route/create/create_test.go
• pkg/cmd/context/create/create_test.go
• pkg/cmd/plugin-config/export/export_test.go
• pkg/cmd/secret/delete/delete_test.go
• pkg/cmd/consumer-group/export/export_test.go
• pkg/cmd/plugin-config/list/list_test.go
• pkg/cmd/proto/create/create_test.go
• pkg/cmd/secret/list/list_test.go
• pkg/cmd/upstream/delete/delete_test.go
• pkg/cmd/proto/get/get_test.go
• pkg/cmd/consumer-group/get/get_test.go
• pkg/cmd/service/create/create_test.go
• pkg/cmd/stream-route/export/export_test.go
• pkg/cmd/service/get/get_test.go
• pkg/cmd/stream-route/delete/delete_test.go
• pkg/cmd/service/list/list_test.go
• pkg/cmd/proto/export/export_test.go
• pkg/cmd/global-rule/export/export_test.go
• pkg/cmd/gateway-group/list/list_test.go
• pkg/cmd/plugin-config/create/create_test.go
• pkg/cmd/consumer-group/list/list_test.go
• pkg/cmd/upstream/list/list_test.go
• pkg/cmd/plugin-config/delete/delete_test.go
• pkg/cmd/service/export/export_test.go
• pkg/cmd/plugin-metadata/create/create_test.go
• pkg/cmd/proto/list/list_test.go
• pkg/cmd/credential/get/get_test.go
• pkg/cmd/stream-route/create/create_test.go
• pkg/cmd/global-rule/list/list_test.go
• pkg/cmd/upstream/update/update_test.go
• pkg/cmd/ssl/export/export_test.go
• pkg/cmd/stream-route/get/get_test.go
• pkg/cmd/plugin-metadata/delete/delete_test.go
• pkg/cmd/stream-route/update/update_test.go
• pkg/cmd/route/get/get_test.go
• pkg/cmd/service/update/update_test.go
• pkg/cmd/config/diff/diff_test.go
• pkg/cmd/stream-route/list/list_test.go
• pkg/cmd/proto/delete/delete_test.go
• pkg/cmd/plugin-config/get/get_test.go
• pkg/cmd/consumer-group/update/update_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Don't turn CLI regressions into skips.

Both branches currently skip on any runA7WithEnv error. That means the positional secret create flow this PR is trying to lock in can regress without failing, and a broken stream-route setup will hide the update assertion entirely. Please skip only on known environment-capability errors and fail everything else.

Also applies to: 131-134

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/local_stability_ginkgo_test.go` around lines 101 - 104, The test
currently treats any error from runA7WithEnv when creating the secret as a skip,
which can hide real regressions; change the logic in the secret creation call
(the stdout, stderr, err := runA7WithEnv(env, "secret", "create", secretID,
"-f", tmpFile, "-g", gatewayGroup) block) so you only call Skip for known
environment-capability failures (e.g., detect specific error strings or a
sentinel error returned by runA7WithEnv) and for all other errors fail the test
(use t.Fatalf or t.Error/t.FailNow) with the captured stdout/stderr to surface
regressions; apply the same change to the analogous runA7WithEnv error handling
in the later secret-update/assertion block.

[guoqqqi]

Addressed the valid review items in 14a17fb:

• aligned .github/workflows/e2e.yml with go 1.23.0 and passed A7_GATEWAY_URL / HTTPBIN_URL
• tightened secret create so positional ID and --id cannot silently conflict
• made config_sync roundtrip fail fast when the dumped service/route disappears
• fixed waitForGatewayStatus so a transient transport error does not override an observed HTTP status, and drained response bodies during polling
• made route / consumer / secret / stream-route cleanup helpers idempotent without swallowing unexpected failures
• narrowed the Ginkgo secret test so it only Skips on known environment capability gaps and fails on unexpected regressions

I did not apply the low-confidence suggestion to replace the custom testTB with testing.TB. GinkgoT() does not satisfy testing.TB on current Go because of the extra methods on testing.TB (for example ArtifactDir), so keeping a smaller helper interface here is intentional.

[Copilot]

Pull request overview

Copilot reviewed 89 out of 90 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

isKnownSecretCapabilityGap includes the needle "vault", which is likely to appear in many secret-related error messages (and even echoed IDs like "vault/..."), causing the test to Skip on unexpected failures and masking real regressions. Tighten this matcher (remove "vault" or match more specific phrases) so only known environment capability gaps are skipped.

[Copilot]

The header comment still suggests running E2E via go test ... ./test/e2e/..., but the Makefile/CI path now uses the Ginkgo CLI runner. Updating this line to the canonical Ginkgo invocation (or pointing to make test-e2e) would avoid confusion for contributors.

[Copilot]

test-e2e and test-e2e-full currently run the exact same Ginkgo command, so the additional target is misleading/unused. Either remove test-e2e-full or differentiate it (e.g., focus/label selection or additional env prechecks) so the names reflect distinct behavior.

Suggested change

	go run github.com/onsi/ginkgo/v2/ginkgo -r --procs=1 --tags=e2e --timeout=45m ./test/e2e/...
	@set -e; \
	trap '$(MAKE) docker-down' EXIT; \
	$(MAKE) docker-up; \
	$(MAKE) test-e2e

[Copilot]

This change introduces new CLI parsing behavior (positional provider/id with conflict detection vs --id), but there is no unit-level test coverage for it in this package after removing the prior command tests. Since the new E2E coverage may be skipped depending on environment capabilities, consider adding a small pure-logic test for the arg/flag resolution and conflict error path to prevent regressions.

[Copilot]

The upstream-id validation behavior changed so file-based updates no longer require --upstream-id, but the previous unit tests for this command were removed and there is no remaining unit-level coverage for the validation branch. Given the E2E scenario may skip when stream routes are disabled, consider adding a small pure-logic unit test around the file vs flag validation decision to lock in the intended behavior.

[Copilot]

deleteServiceViaAdmin assumes resp is non-nil and only defers resp.Body.Close() after checking err. http.Client.Do can return a non-nil resp with a non-nil err (and resp may also be nil on success in some edge cases), so this can leak bodies on error or panic on nil resp. Consider mirroring the other cleanup helpers: if resp != nil { defer resp.Body.Close() } before handling err/status codes.

[Copilot]

waitForGatewayStatus calls cancel() immediately after insecureClient.Do returns, before draining/closing resp.Body. Canceling the request context can interrupt body reads and prevent connection reuse, which may cause flaky polling and excess connections. Consider deferring cancel until after io.Copy/io.Discard and resp.Body.Close(), and still ensure cancel happens on the error path.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/e2e/gateway_group_test.go (1)

17-24: ⚠️ Potential issue | 🟡 Minor

deleteGatewayGroupViaAdmin still silently swallows non-2xx responses and transport errors.

Every other admin-cleanup helper in this PR (deleteRouteViaAdmin, deleteConsumerViaAdmin, deleteSecretViaAdmin, deleteStreamRouteViaAdmin) was tightened to fatal on transport errors and non-2xx (treating 404 as already-deleted). This one was left as-is, and with TestGatewayGroup_CRUD now opt-in via A7_E2E_ENABLE_GATEWAY_GROUP_CRUD=1, a leaked gateway group during that opt-in run will silently poison subsequent runs of the same env without any test signal.

♻️ Align with the rest of the E2E cleanup helpers

-// deleteGatewayGroupViaAdmin deletes a gateway group via the control-plane API.
-func deleteGatewayGroupViaAdmin(t *testing.T, id string) {
-	t.Helper()
-	resp, err := adminAPI("DELETE", fmt.Sprintf("/api/gateway_groups/%s", id), nil)
-	if err == nil {
-		resp.Body.Close()
-	}
-}
+// deleteGatewayGroupViaAdmin deletes a gateway group via the control-plane API.
+func deleteGatewayGroupViaAdmin(t testTB, id string) {
+	t.Helper()
+	resp, err := adminAPI("DELETE", fmt.Sprintf("/api/gateway_groups/%s", id), nil)
+	if resp != nil {
+		defer resp.Body.Close()
+	}
+	if err != nil {
+		t.Fatalf("delete gateway group %s via admin API failed: %v", id, err)
+	}
+	if resp.StatusCode == http.StatusNotFound {
+		return
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		body, _ := io.ReadAll(resp.Body)
+		t.Fatalf("delete gateway group %s via admin API returned %d: %s", id, resp.StatusCode, string(body))
+	}
+}

(Requires adding io and net/http to imports.)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/gateway_group_test.go` around lines 17 - 24, The helper
deleteGatewayGroupViaAdmin currently swallows transport errors and non-2xx
responses; update it to call t.Fatalf on transport errors and on non-2xx
responses except treat http.StatusNotFound (404) as already-deleted, and ensure
resp.Body is fully read and closed (use io.ReadAll or io.Copy to drain) before
checking status; reference the deleteGatewayGroupViaAdmin function and adminAPI
call and add imports for io and net/http as needed.

🧹 Nitpick comments (2)

test/e2e/consumer_test.go (1)

31-42: Cancel the per-request context after draining the body, not before.

The request is bound to ctx via req.WithContext(ctx), so calling cancel() on Line 34 before io.Copy(io.Discard, resp.Body) on Line 41 can cause the body read to short-circuit with a context-canceled error. The error is swallowed by _, _ = io.Copy(...), but an incompletely drained body prevents the HTTP client from returning the connection to the idle pool — so polling churns through new TCP/TLS handshakes instead of reusing keep-alive connections.

♻️ Proposed fix

-		ctx, cancel := context.WithDeadline(context.Background(), deadline)
-		req = req.WithContext(ctx)
-		resp, err := insecureClient.Do(req)
-		cancel()
-		if err != nil {
-			lastErr = err
-			time.Sleep(500 * time.Millisecond)
-			continue
-		}
-		lastStatus = resp.StatusCode
-		_, _ = io.Copy(io.Discard, resp.Body)
-		resp.Body.Close()
+		ctx, cancel := context.WithDeadline(context.Background(), deadline)
+		req = req.WithContext(ctx)
+		resp, err := insecureClient.Do(req)
+		if err != nil {
+			cancel()
+			lastErr = err
+			time.Sleep(500 * time.Millisecond)
+			continue
+		}
+		lastStatus = resp.StatusCode
+		_, _ = io.Copy(io.Discard, resp.Body)
+		resp.Body.Close()
+		cancel()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/consumer_test.go` around lines 31 - 42, The per-request context
created with context.WithDeadline and attached via req.WithContext(ctx) is being
canceled (cancel()) before the response body is drained and closed, which can
cause io.Copy(io.Discard, resp.Body) to short-circuit and prevent connection
reuse; move the cancel() call to after the body has been fully read and closed
(i.e., perform insecureClient.Do(req), then on success call io.Copy(io.Discard,
resp.Body), resp.Body.Close(), and only then call cancel()) so connections
return to the idle pool; update the request handling around
context.WithDeadline, req.WithContext, cancel(), io.Copy and resp.Body.Close
accordingly.

Makefile (1)

46-50: test-e2e and test-e2e-full have identical recipes.

docs/testing-strategy.md positions test-e2e-full as the "full local E2E with gateway/data-plane coverage" variant (requiring A7_GATEWAY_URL/HTTPBIN_URL), but the two targets invoke the exact same Ginkgo command. That makes the target pair purely cosmetic today and, more importantly, removes any mechanical way to keep default CI runs narrower than the full local run — which is the stated intent of "narrow default e2e to control-plane coverage" in the commit history.

Consider either:

• differentiating test-e2e-full via a Ginkgo label/focus (e.g., add --label-filter='gateway||dataplane' to -full and --label-filter='!gateway && !dataplane' to the default), and labeling the relevant specs accordingly, or
• documenting explicitly that the two are intentional aliases while runtime gating is done solely via env-var skips (e.g., requireGatewayURL, requireHTTPBin, A7_E2E_ENABLE_GATEWAY_GROUP_CRUD).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 46 - 50, The Makefile targets test-e2e and
test-e2e-full are identical; update the Makefile so test-e2e runs the narrower
control-plane suite and test-e2e-full runs the gateway/dataplane-inclusive suite
by adding Ginkgo label filters: change the test-e2e recipe to include
--label-filter='!gateway && !dataplane' and change test-e2e-full to include
--label-filter='gateway||dataplane' (or, if you prefer the env-var gating
approach, add a comment in the Makefile stating they are deliberate aliases and
ensure test specs use the existing
requireGatewayURL/requireHTTPBin/A7_E2E_ENABLE_GATEWAY_GROUP_CRUD guards); refer
to the Makefile targets test-e2e and test-e2e-full and to the Ginkgo flag
--label-filter and your gateway/dataplane spec labels when making the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/config_sync_test.go`:
- Around line 93-104: The helper isKnownRoundtripSyncGap is too permissive
because the needle "not found" can mask real regressions; update the function to
remove the generic "not found" entry and replace it with tighter,
control-plane-specific phrases or stable error codes (e.g., the exact structured
prefixes or error codes your control-plane emits) and/or a precise regex match,
so only the intended capability-gap messages (for example the exact "resource
not found" variant or an identified error code) return true; adjust the needle
list used in isKnownRoundtripSyncGap (and the combined variable usage)
accordingly to only match those specific messages.
- Around line 44-57: The test currently only fatals when
filteredServices/filteredRoutes are empty but skips if cfg["services"] or
cfg["routes"] is missing or not a slice; update the helper around cfg,
filterResourcesByID, serviceID and routeID to first assert the presence and type
of cfg["services"] and cfg["routes"] (e.g., check existence and that they are
[]interface{}), and call t.Fatalf with a clear message when a key is missing or
not the expected slice type before proceeding to filterResourcesByID and the
existing empty checks.

---

Outside diff comments:
In `@test/e2e/gateway_group_test.go`:
- Around line 17-24: The helper deleteGatewayGroupViaAdmin currently swallows
transport errors and non-2xx responses; update it to call t.Fatalf on transport
errors and on non-2xx responses except treat http.StatusNotFound (404) as
already-deleted, and ensure resp.Body is fully read and closed (use io.ReadAll
or io.Copy to drain) before checking status; reference the
deleteGatewayGroupViaAdmin function and adminAPI call and add imports for io and
net/http as needed.

---

Nitpick comments:
In `@Makefile`:
- Around line 46-50: The Makefile targets test-e2e and test-e2e-full are
identical; update the Makefile so test-e2e runs the narrower control-plane suite
and test-e2e-full runs the gateway/dataplane-inclusive suite by adding Ginkgo
label filters: change the test-e2e recipe to include --label-filter='!gateway &&
!dataplane' and change test-e2e-full to include
--label-filter='gateway||dataplane' (or, if you prefer the env-var gating
approach, add a comment in the Makefile stating they are deliberate aliases and
ensure test specs use the existing
requireGatewayURL/requireHTTPBin/A7_E2E_ENABLE_GATEWAY_GROUP_CRUD guards); refer
to the Makefile targets test-e2e and test-e2e-full and to the Ginkgo flag
--label-filter and your gateway/dataplane spec labels when making the change.

In `@test/e2e/consumer_test.go`:
- Around line 31-42: The per-request context created with context.WithDeadline
and attached via req.WithContext(ctx) is being canceled (cancel()) before the
response body is drained and closed, which can cause io.Copy(io.Discard,
resp.Body) to short-circuit and prevent connection reuse; move the cancel() call
to after the body has been fully read and closed (i.e., perform
insecureClient.Do(req), then on success call io.Copy(io.Discard, resp.Body),
resp.Body.Close(), and only then call cancel()) so connections return to the
idle pool; update the request handling around context.WithDeadline,
req.WithContext, cancel(), io.Copy and resp.Body.Close accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 361dfd57-b68a-46d6-b964-196a58779296

📥 Commits

Reviewing files that changed from the base of the PR and between 0069781 and 7b34897.

📒 Files selected for processing (12)

• .github/workflows/e2e.yml
• Makefile
• docs/testing-strategy.md
• pkg/cmd/secret/create/create.go
• test/e2e/config_sync_test.go
• test/e2e/consumer_test.go
• test/e2e/gateway_group_test.go
• test/e2e/local_stability_ginkgo_test.go
• test/e2e/route_test.go
• test/e2e/secret_test.go
• test/e2e/setup_test.go
• test/e2e/stream_route_test.go

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/e2e.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• test/e2e/setup_test.go
• test/e2e/local_stability_ginkgo_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Missing services/routes collection still passes silently.

The fatal-on-empty check only runs when the type assertion succeeds. If a future regression causes config dump to omit the services or routes key entirely (or emit it as nil/non-slice), ok is false and the block is skipped — returning to the same "roundtrip proves nothing" failure mode the previous review round was meant to close. Since this helper is called immediately after a dump that is expected to contain both collections (the test just created them), absence should itself be a hard failure.

♻️ Proposed fix

-	if services, ok := cfg["services"].([]interface{}); ok {
-		filteredServices := filterResourcesByID(services, serviceID)
-		if len(filteredServices) == 0 {
-			t.Fatalf("roundtrip dump is missing expected service %q", serviceID)
-		}
-		cfg["services"] = filteredServices
-	}
-	if routes, ok := cfg["routes"].([]interface{}); ok {
-		filteredRoutes := filterResourcesByID(routes, routeID)
-		if len(filteredRoutes) == 0 {
-			t.Fatalf("roundtrip dump is missing expected route %q", routeID)
-		}
-		cfg["routes"] = filteredRoutes
-	}
+	services, ok := cfg["services"].([]interface{})
+	require.Truef(t, ok, "roundtrip dump missing services collection, got %T", cfg["services"])
+	filteredServices := filterResourcesByID(services, serviceID)
+	require.NotEmptyf(t, filteredServices, "roundtrip dump is missing expected service %q", serviceID)
+	cfg["services"] = filteredServices
+
+	routes, ok := cfg["routes"].([]interface{})
+	require.Truef(t, ok, "roundtrip dump missing routes collection, got %T", cfg["routes"])
+	filteredRoutes := filterResourcesByID(routes, routeID)
+	require.NotEmptyf(t, filteredRoutes, "roundtrip dump is missing expected route %q", routeID)
+	cfg["routes"] = filteredRoutes

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/config_sync_test.go` around lines 44 - 57, The test currently only
fatals when filteredServices/filteredRoutes are empty but skips if
cfg["services"] or cfg["routes"] is missing or not a slice; update the helper
around cfg, filterResourcesByID, serviceID and routeID to first assert the
presence and type of cfg["services"] and cfg["routes"] (e.g., check existence
and that they are []interface{}), and call t.Fatalf with a clear message when a
key is missing or not the expected slice type before proceeding to
filterResourcesByID and the existing empty checks.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

"not found" is too permissive as a skip gate.

isKnownRoundtripSyncGap treats any message containing "not found" (case-insensitive) in combined stdout/stderr as a known environment gap and skips. This also matches benign-looking but real regressions like "upstream http backend not found", "plugin X not found", or "credential not found" that would indicate a genuine sync bug rather than a shared-env capability gap.

Consider narrowing the match to something tighter, e.g. structured error phrases actually emitted by the control-plane on the capability gap you're working around (ideally a stable prefix or error code), so a future real regression in config sync isn't silently skipped.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/config_sync_test.go` around lines 93 - 104, The helper
isKnownRoundtripSyncGap is too permissive because the needle "not found" can
mask real regressions; update the function to remove the generic "not found"
entry and replace it with tighter, control-plane-specific phrases or stable
error codes (e.g., the exact structured prefixes or error codes your
control-plane emits) and/or a precise regex match, so only the intended
capability-gap messages (for example the exact "resource not found" variant or
an identified error code) return true; adjust the needle list used in
isKnownRoundtripSyncGap (and the combined variable usage) accordingly to only
match those specific messages.