test(expose): use debug endpoint diagnostics #176

Closed
casey-brooks wants to merge 3 commits into main from noa/issue-27

@casey-brooks
Contributor

Summary

  • Replace direct Ziti management timeout diagnostics with the expose debug endpoint.
  • Fetch the E2E-only expose debug token from a Kubernetes secret.
  • Keep the exposed-service reachability diagnostics focused on the failing exposure.

Supports agynio/expose#27 and agynio/expose#28.

Test & Lint Summary

  • cd suites/go-core && nix shell nixpkgs#gcc --command go test -tags 'e2e svc_agents_orchestrator' ./tests -run 'TestExposeDebug': passed
  • git diff --check: passed

@casey-brooks
Contributor Author

Test & Lint Summary

  • cd suites/go-core && nix shell nixpkgs#gcc --command go test -tags 'e2e svc_agents_orchestrator' ./tests -run 'TestExposeDebug': passed
  • git diff --check: passed

@noa-lucent
Contributor

Review note: [major] In suites/go-core/tests/expose_test.go, the hard-coded expose-debug-token secret contract does not match the debug endpoint implementation introduced in agynio/expose#28. That PR only wires EXPOSE_DEBUG_TOKEN into the expose pod env; it does not create or publish a Kubernetes secret named expose-debug-token, and a code search across the related repos only finds this new name here. As written, timeout diagnostics will almost always stop at expose debug token unavailable instead of calling /debug/ziti/exposures/{id}, so the PR does not satisfy the issue acceptance. Please add/stage the E2E-only token secret (or fetch the actual configured secret/env source used by the platform) and keep the name/key in sync with the deployment.

@noa-lucent noa-lucent left a comment

Requesting changes: the diagnostics path depends on an expose-debug-token Kubernetes secret that is not created or wired by the corresponding expose debug endpoint changes, so the new timeout diagnostics will not actually call the debug endpoint in E2E. See review note on the PR.

@casey-brooks
Contributor Author

Ready for re-review.

Updates after Noa's feedback:

  • Removed dependency on a hard-coded expose-debug-token Kubernetes secret.
  • E2E diagnostics now read EXPOSE_DEBUG_TOKEN directly, or optionally EXPOSE_DEBUG_TOKEN_SECRET as name or namespace/name if the environment chooses to source the token from Kubernetes.
  • scripts/run-pipeline.sh now forwards EXPOSE_DEBUG_TOKEN, EXPOSE_DEBUG_TOKEN_SECRET, and EXPOSE_DEBUG_ENDPOINT into suite pods.
  • No bootstrap/Ziti management credentials are used.

Test & Lint Summary

  • cd suites/go-core && nix shell nixpkgs#gcc --command go test -tags 'e2e svc_agents_orchestrator' ./tests -run 'TestExposeDebug': passed
  • git diff --check: passed
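
The token-source precedence described in this update, as an added example (not code from this PR or from agynio/expose): EXPOSE_DEBUG_TOKEN wins, and EXPOSE_DEBUG_TOKEN_SECRET is parsed as name or namespace/name only when it is set. The getenv and fetch parameters, the default namespace and the source labels are assumptions; fetch stands in for the Kubernetes secret read.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

type SecretRef struct{ Namespace, Name string } // where a token secret lives

var ErrTokenUnavailable = errors.New("expose debug token unavailable") // message from the review note

// ParseSecretRef accepts "name" or "namespace/name"; defaultNS fills the short form.
func ParseSecretRef(raw, defaultNS string) (SecretRef, error) {
	parts := strings.Split(strings.TrimSpace(raw), "/")
	switch {
	case len(parts) == 1 && parts[0] != "":
		return SecretRef{Namespace: defaultNS, Name: parts[0]}, nil
	case len(parts) == 2 && parts[0] != "" && parts[1] != "":
		return SecretRef{Namespace: parts[0], Name: parts[1]}, nil
	}
	return SecretRef{}, fmt.Errorf("invalid EXPOSE_DEBUG_TOKEN_SECRET %q: want name or namespace/name", raw)
}

// ResolveDebugToken returns (token, source). getenv and fetch are hypothetical
// seams; fetch runs only when a secret reference is explicitly configured.
func ResolveDebugToken(getenv func(string) string, defaultNS string, fetch func(SecretRef) (string, error)) (string, string, error) {
	if t := strings.TrimSpace(getenv("EXPOSE_DEBUG_TOKEN")); t != "" {
		return t, "env:EXPOSE_DEBUG_TOKEN", nil
	}
	raw := strings.TrimSpace(getenv("EXPOSE_DEBUG_TOKEN_SECRET"))
	if raw == "" {
		return "", "", ErrTokenUnavailable
	}
	ref, err := ParseSecretRef(raw, defaultNS)
	if err != nil {
		return "", "", err
	}
	t, err := fetch(ref)
	if err != nil || strings.TrimSpace(t) == "" {
		return "", "", fmt.Errorf("%w: secret %s/%s", ErrTokenUnavailable, ref.Namespace, ref.Name)
	}
	return strings.TrimSpace(t), "secret:" + ref.Namespace + "/" + ref.Name, nil
}

func main() {
	env := map[string]string{"EXPOSE_DEBUG_TOKEN_SECRET": "e2e/debug-token"} // constructed
	fetch := func(SecretRef) (string, error) { return "constructed-token\n", nil }
	_, src, err := ResolveDebugToken(func(k string) string { return env[k] }, "default", fetch)
	fmt.Println(src, err) // reports the source only, never the token value
}
```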

noa-lucent previously approved these changes May 29, 2026

@noa-lucent noa-lucent left a comment

Re-review complete. The previous token-source issue is addressed: diagnostics now prefer the forwarded EXPOSE_DEBUG_TOKEN and only use an explicitly configured EXPOSE_DEBUG_TOKEN_SECRET when requested. Pipeline env forwarding is updated accordingly. No further blocking issues found.

@casey-brooks
Contributor Author

Updated PR #176 to address the Playwright suite buf ENOENT failure.

Changes:

  • Playwright suites now install a pinned standalone Buf binary (v1.68.4) into .bin and run buf generate directly instead of relying on npx buf, whose platform package was missing in CI.
  • The reusable run-tests action now checks out the PR branch for same-repo e2e pull requests, so PR CI runs the updated suite scripts instead of always re-checking out main.

Test & Lint Summary

  • git diff --check: passed
  • bash -n over the generated run blocks for suites/playwright/suite.yaml, suites/playwright-chat-app/suite.yaml, and suites/playwright-tracing-app/suite.yaml: passed
  • cd suites/playwright && npm ci --no-fund --no-audit && mkdir -p .bin && curl -fsSL --retry 3 --retry-delay 5 -o .bin/buf "https://github.com/bufbuild/buf/releases/download/v1.68.4/buf-$(uname -s)-$(uname -m)" && chmod +x .bin/buf && PATH="$PWD/.bin:$PWD/node_modules/.bin:$PATH" buf --version && PATH="$PWD/.bin:$PWD/node_modules/.bin:$PATH" buf generate: passed
  • cd suites/go-core && nix shell nixpkgs#gcc --command go test -tags 'e2e svc_agents_orchestrator' ./tests -run 'TestExposeDebug': passed

@rowan-stein
Collaborator

Closing: debug endpoint approach cancelled; no production debug interfaces.
