Classify pf as shared platform service (Sam & Codex)

--- Build: pass | Tests: pass — 2221 passed (656 files)
2026-05-09 11:42:55 +02:00 · 2026-05-09 11:42:55 +02:00 · 4dd8bc14ff
commit 4dd8bc14ff
parent 34e2265ad9
4 changed files with 15 additions and 5 deletions
--- a/infra/tenants.yaml
+++ b/infra/tenants.yaml
@ -25,6 +25,7 @@ platform:
 shared:
  services:
    - postgresql
+    - pf
    - cms
    - web-service
    - code-service
--- a/src/hostd-authorization.test.ts
+++ b/src/hostd-authorization.test.ts
@ -38,6 +38,14 @@ describe('authorizeHostdOperation', () => {
        { tenantId: 'alpha', caller: 'tenant-agent', registry },
      ),
    ).toEqual({ allowed: true, owner: 'shared-platform' });
+
+    expect(
+      authorizeHostdOperation(
+        'service-status',
+        { name: 'pf' },
+        { tenantId: 'alpha', caller: 'tenant-agent', registry },
+      ),
+    ).toEqual({ allowed: true, owner: 'shared-platform' });
  });

  it('blocks shared jails for tenant agents', () => {
--- a/src/platform-audit-report.test.ts
+++ b/src/platform-audit-report.test.ts
@ -12,14 +12,15 @@ describe('platform-audit-report', () => {
  it('collects observed service, jail, and dataset ownership', async () => {
    // Service probes run in alphabetical order over the deduped union of
    // platform.services + shared.services + tenant services:
-    // clawdie, clawdie_hostd, cms, code-service, alpha, postgresql, web-service.
-    // Then jails, then datasets.
+    // alpha, clawdie, clawdie_hostd, cms, code-service, pf, postgresql,
+    // web-service. Then jails, then datasets.
    callAuthorizedHostdMock
+      .mockResolvedValueOnce({ ok: false, error: 'alpha is not running' })
      .mockResolvedValueOnce({ ok: false, error: 'clawdie is not running' })
      .mockResolvedValueOnce({ ok: false, error: 'clawdie_hostd is not running' })
      .mockResolvedValueOnce({ ok: false, error: 'cms is not running' })
      .mockResolvedValueOnce({ ok: false, error: 'code-service is not running' })
-      .mockResolvedValueOnce({ ok: false, error: 'alpha is not running' })
+      .mockResolvedValueOnce({ ok: true, output: 'Status: Enabled' })
      .mockResolvedValueOnce({ ok: true, output: 'postgresql is running as pid 1' })
      .mockResolvedValueOnce({ ok: false, error: 'web-service is not running' })
      .mockResolvedValueOnce({
@ -38,7 +39,7 @@ describe('platform-audit-report', () => {
      registry: makePlatformRegistryFixture(),
    });

-    expect(report.observedServices).toHaveLength(7);
+    expect(report.observedServices).toHaveLength(8);
    expect(report.observedJails).toEqual({
      shared: ['git'],
      tenants: { alpha: ['alpha_ctrl_worker'] },
--- a/src/test-fixtures/platform-registry.ts
+++ b/src/test-fixtures/platform-registry.ts
@ -30,7 +30,7 @@ export function makePlatformRegistryFixture(): PlatformRegistry {
      reservedHostLabels: ['ai', 'cms', 'git', 'web', 'www', 'mail'],
    },
    shared: {
-      services: ['postgresql', 'cms', 'code-service', 'web-service'],
+      services: ['postgresql', 'pf', 'cms', 'code-service', 'web-service'],
      datasets: ['zroot/clawdie-runtime', 'zroot/home/clawdie'],
      jails: ['cms', 'git'],
    },