Lab #555: feat: giga-swamp comprehensive UAT coverage

Problem

Giga-swamp is feature-complete (all 7 phases + extensions shipped) but has zero UAT coverage. The existing datastore tests (sync_test.ts, lock_test.ts, setup_test.ts, status_test.ts, compact_test.ts) all operate in solo mode. Namespace commands, namespace-scoped sync, cross-namespace queries, and data migration are untested in the UAT suite.

Previous scoped sync PRs (#1386, #134) passed all unit tests but failed in production. The UAT suite is the only reliable validation for cross-repo datastore scenarios. Without namespace UAT coverage, regressions in giga-swamp will be caught by users, not CI.

Test Infrastructure

All cloud-dependent tests use local containers — no real AWS/GCS credentials needed for development:

S3 tests use a ministack container (ministack.org) for S3-compatible local testing
GCS tests use fake-gcs-server for GCS-compatible local testing
The existing getTestBackends() pattern runs tests against both backends automatically
Tests skip gracefully when a backend is unavailable

Each phase should be its own commit so git bisect can isolate regressions.

Phase A: Infrastructure + Helpers (commit 1)

Extend the helper infrastructure before writing any tests. Zero risk — purely additive.

New file: src/cli/helpers/datastore_namespace_helpers.ts

Helper functions:

namespaceSet(runner, cwd, slug) — runs swamp datastore namespace set
namespaceUnset(runner, cwd, opts?) — runs swamp datastore namespace unset, with optional --migrate --confirm flags
namespaceMigrate(runner, cwd, opts?) — runs swamp datastore namespace migrate, with optional --confirm and --reverse flags
namespaceList(runner, cwd) — runs swamp datastore namespaces --json
catalogPull(runner, cwd, namespaces) — runs swamp datastore catalog pull --namespaces

Extend DatastoreBackend interface:

setupDatastoreWithNamespace(runner, cwd, prefix, namespace) — same as setupDatastore but adds namespace to the config JSON

Add JSON schemas to schemas.ts:

NamespaceListSchema, NamespaceSetSchema, NamespaceMigrateSchema

Export everything from mod.ts.

Phase B: Namespace Commands — filesystem only (commit 2)

File: tests/cli/datastore/namespace/commands_test.ts

No cloud credentials needed. Tests against filesystem datastores.

namespace set happy path — fresh repo + filesystem datastore, verify .swamp.yaml updated, manifest exists
namespace set validation — invalid slugs (uppercase, special chars, 65 chars, leading hyphen) rejected
namespace set already set — same value errors
namespace set conflict — two repos same datastore, second claims same slug, conflict error
namespace set different slugs — two repos, infra and security, both succeed
namespaces list empty — no namespaces, empty output
namespaces list with entries — two namespaces, both listed, current marked
namespaces JSON mode — validates against NamespaceListSchema
namespace unset happy path — single namespace, succeeds
namespace unset with multiple — two namespaces exist, error
namespace unset when not set — no namespace configured, error

Phase C: Data Migration — filesystem only (commit 3)

File: tests/cli/datastore/namespace/migrate_test.ts

No cloud credentials needed.

Forward migration round-trip — solo repo with data, namespace set, verify orphaned (total: 0), migrate --confirm, data list shows all data with namespace
Data integrity — diff pre/post migration JSON (minus namespace field), identical
Dry-run accuracy — migrate without --confirm shows preview, no files moved, then confirm, preview matched
Reverse migration round-trip — after forward, unset --migrate --confirm, data list byte-identical to pre-migration
Conflict on reverse — forward migrate, create file at un-namespaced path, reverse refuses
Data written after set before migrate — new data goes to namespaced path, old orphaned, migrate brings both together

Phase D: Namespace-Scoped Sync — S3/GCS required (commit 4)

File: tests/cli/datastore/namespace/sync_test.ts

Uses getTestBackends() against ministack (S3) and fake-gcs-server (GCS). This is the critical phase — the PR #1386 failure mode lives here.

THE KILL SWITCH — Repo A (ns: infra) writes + syncs. Repo B (ns: security) writes + syncs. Repo B wipes cache, pulls. data list returns own data. If this returns 0 rows, catalog rebuild didnt fire after pull.
Namespace isolation in bucket — listObjects shows infra/ and security/ prefixes only, no un-namespaced keys
Per-namespace index — infra/.datastore-index.json and security/.datastore-index.json exist, no global
Cross-namespace deletion safety — Repo A pushes, Repo B pushes, Repo A pushes again, Repo B keys untouched
Namespace fast-path — push twice with no changes, second is no-op (sidecar works per-namespace)
Foreign catalog export/pull — Repo A exports catalog, Repo B pulls foreign catalog, Repo B queries ns == infra, sees metadata
Solo mode regression — solo repo against same backend, push/pull/data list unchanged

Phase E: CEL Cross-Namespace Queries — filesystem only (commit 5)

File: tests/cli/data/namespace/query_test.ts

No cloud credentials needed.

Own-namespace default — namespaced repo, data.latest returns own namespace only
Cross-namespace ns:model — two namespaces seeded, data query ns == security returns foreign data
Wildcard ambiguity — same model name in two namespaces, wildcard errors
Wildcard unambiguous — model in one namespace, wildcard succeeds
data.query() spans all — no ns predicate returns all namespaces
NAMESPACE column in output — namespaced repo shows column
Solo mode no column — solo repo hides column
ns == empty string in solo — returns all data

Phase F: Feature Interactions — mostly filesystem (commit 6)

File: tests/cli/e2e/namespace_features_test.ts

Workflow in namespaced mode — multi-step workflow, all data carries correct namespace
Data GC in namespaced mode — only own namespace cleaned, foreign rows untouched
Data delete in namespaced mode — only own namespace affected
Datastore compact — works with namespaced catalog
Lock status — shows per-namespace lock key
Extension model in namespaced mode — test fixture model writes data with correct namespace

Phase G: Adversarial + Regressions (commit 7)

File: tests/cli/adversarial/namespace_isolation_test.ts File: tests/cli/datastore/namespace/regressions_test.ts

Named regression tests for specific bugs found during implementation: 39. PR #1386 regression — explicit: writer pushes, reader pulls, catalog rebuilt, data visible 40. Bug #534 regression — explicit sync --push in namespaced mode lands data under ns/ prefix 41. Bug #536 regression — datastore setup extension in namespaced mode respects namespace

Adversarial scenarios: 42. Concurrent namespace push — two repos different namespaces push simultaneously via runConcurrent, no corruption 43. Corrupt .namespace.json — invalid JSON in manifest, namespaces list handles gracefully 44. Missing manifest but namespace configured — system works without conflict detection 45. Half-migrated state — some dirs moved, migrate handles remaining or errors clearly 46. Catalog rebuild preserves own data loses foreign — delete catalog, backfill, own data survives, catalog pull restores foreign

Upgrade path: 47. Solo to namespace upgrade journey — solo repo with data, upgrade binary, data list identical, namespace set, migrate, push to S3, pull from fresh cache, data visible

Phase H: User Journeys — S3/GCS required (commit 8)

File: tests/cli/e2e/namespace_journey_test.ts

Full end-to-end user journeys against real (local) S3/GCS:

Two teams one bucket — Repo A (infra) and Repo B (security) against same bucket. Both write, push, pull foreign catalogs, query cross-namespace. Complete isolation + visibility.
Solo repo joins a giga-swamp — existing solo repo with data, namespace set, migrate, push to shared bucket where another namespaced repo has data. Both visible.
Leave the giga-swamp — namespaced repo, unset --migrate, back to solo. New datastore. Push. Data intact.

Rollout Order

A (helpers) ships first, unblocks everything. B + C + E can develop in parallel (filesystem only, no cloud deps). D is the critical cloud phase — gates on ministack + fake-gcs-server. F builds on B. G builds on D. H builds on everything.

Ship order: A, B, C, E, D, F, G, H — each as its own commit.

Verification

Each phase must pass deno test locally before committing. The full suite runs in CI against ministack and fake-gcs-server containers. Cloud-dependent tests (D, G adversarial, H) skip gracefully when containers are unavailable.

@webframp/hashicorp-vault: empty KV engine causes 'data.data.keys is not iterable' on vault put

workflow resume fails to register all extension model types (local and pulled) — "Unknown model type"

model method run: cannot pass arrays, numbers, or booleans via --input

extension push --dry-run --json reports local helper imports as bogus model entries

Extension source: direct-content export scan only reads first 64 KiB, silently drops exports beyond it

Homepage install command: wrong domain and missing https:// protocol

Homepage install command: wrong domain and missing https:// protocol

first-class refresh hook for short-lived vault values (gcloud / aws-sso / kubectl-oidc token UX)

swamp issue ripple logged "Posted ripple on issue #514" but the ripple is not visible on the Lab

vault guide promotes inline secret values (KEY=VALUE) as a primary "swamp vault put" example

swamp-getting-started SKILL.md still references removed swamp-model / swamp-workflow / swamp-vault / swamp-extension / swamp-repo skills

extension rm blocked by stale /workspace bundle_types rows from prior container sessions with host repo bind-mounted

extension search returns null repository fields that extension info populates

Quality rubric: scope "No slow types" for model extensions (consumed via model+CEL, not type imports)

data get/list --workflow and workflow history get/logs cannot resolve extension-delivered workflows (Workflow not found)

Docs: add doctor secrets and doctor vaults to the troubleshooting how-to guide

UAT: sensitive resource output without vault produces clear pre-flight error

Docs: add doctor vaults subcommand and pre-flight vault validation

gcs-datastore: registerNamespace does not detect conflicts with existing registrations

Validate vault availability when model has sensitive output fields

Managed skills ship with dangling reference-doc links

swamp-club: update skill references and CLAUDE.md after superskill consolidation

swamp-uat: init_test.ts asserts old skill directory names after superskill consolidation

Codegen: auto-merge resources across GCP API versions instead of manual ADDITIONAL_VERSION_RESOURCE_FILTER

fix: giga-swamp UAT failures — 9 bugs found during comprehensive testing

fix: datastore setup extension with namespace config doesn't scope sync or register manifest

fix: namespace set on default repo writes incomplete filesystem config (missing path)

@swamp/1password put double-escapes JSON values

feat: giga-swamp comprehensive UAT coverage

@swamp/kubernetes 2026.06.04.1 missing upgrade path from 2026.05.27.2

@swamp/kubernetes ignores certificate-authority-data from kubeconfig for self-signed CAs

Inconsistent failures in swamp doctor extensions (database is locked, bundle build failed)

docs: giga-swamp user documentation — reference, how-to, and conceptual guide

@swamp/gcp/iam missing serviceAccounts model type

@swamp/ssh@2026.06.04.1 fails to load: bare zod import + missing 2026.06.04.1 upgrade entry

feat: giga-swamp phase 7 — Data migration commands

feat: S3/GCS extension namespace manifest support (registerNamespace/listNamespaces)

Relocate Docker image from systeminit org to swamp-club

Move JSR packages from @systeminit to @swamp-club scope

Should be able to see all the issues I created by a filter "submitted by me"

Ability to change the email address associated with my Swamp Club Account

feat: giga-swamp phase 5 — CLI output + namespace management commands

CI review jobs use two-dot diff that includes files the PR never touched

paths.base: manifest is not honored for workflows: — bundled workflows only resolve from repo root, blocking self-contained subdir layouts (sibling to #459)

Lab profanity filter rejects legitimate CLI flag tokens via substring match

Sign and notarize the swamp macOS binary

Add platform type to issue-lifecycle extension model Zod schema

fix: datastoreSetupExtension() ignores namespace config on initial migration push/pull

Remote execution: orchestrator/worker fan-out (replaces execution drivers)

swamp datastore sync --push creates global .datastore-index.json ignoring namespace config

feat: S3/GCS extension namespace-scoped sync support

Copy explicitGlobalArgs before mutation in resolveOrCreateDefinition

vault.get() expressions in extension model globalArguments are not resolved at runtime

swamp-issue skill should scrub secrets and org-specific data before submission

workflow validate: trim stale 'skipped' label from model_not_found warning

Add pi coding agent support

hashicorp-vault should read token from env

swamp-extension adversarial review skill needs mandatory mechanical verification checklist

feat: giga-swamp phase 6 — Namespace-scoped sync

swamp workflow validate emits misleading "Extension failed to load" warning when type resolves locally

Add issue search/list command to discover existing issues

Support vault-resolved private key content in transport auth (not just file paths)

Workflow engine resolves extension methods against base type, ignoring extension-registered methods

Per-model LockTimeoutError at 60s causes cascading failures under concurrent access

Persistent, queryable workflow runs (status / cancel from any shell)

swamp repo upgrade: ERR_SQLITE_ERROR 'attempt to write a readonly database' during extension catalog schema migration

workflow validate: fail on references to unknown model instances (typo'd modelIdOrName)

feat: giga-swamp phase 4 — CEL cross-namespace queries

Docs: document the extension push adversarial-review gate

vault://local_encryption token does not round-trip correctly for GCP OAuth2 access tokens

swamp issue: add ability to edit issue title and body after submission

@swamp/gcp/iam: add WIF pool, provider, service account, and binding support

Support vault-sourced identity keys

copy method reports success when scp exits non-zero (e.g. 255)

Docs: TLS behind inspecting proxies / private CAs (system trust store, DENO_CERT, SSL_CERT_FILE)

Extension quality/adversarial-review: add a 'published-surface hygiene' check for real infra identifiers

Feed-post scoring is a direct domain write, not a consumer of feed_post_approved telemetry

workflow validate silently PASSES steps whose model type is a pulled extension (step-inputs skipped = false pass)

extension quality fails to resolve bare specifiers — contradicts fmt no-import-prefix rule

Allow global arguments in direct type execution (workflow fan-out)