name: ADR-115 MQTT integration tests

# Runs the Mosquitto-broker-backed integration tests for ADR-115's MQTT
# publisher. These prove the publisher reaches a real broker, emits the
# expected HA-discovery topic shape, and honours --privacy-mode at the
# wire boundary (not just in unit-test logic).
#
# Default `cargo test --workspace` does not run these tests because they
# require a broker and pull rumqttc into the build. This workflow opts
# into both by setting --features mqtt and RUVIEW_RUN_INTEGRATION=1.

on:
  pull_request:
    paths:
      - 'v2/crates/wifi-densepose-sensing-server/src/mqtt/**'
      - 'v2/crates/wifi-densepose-sensing-server/tests/mqtt_integration.rs'
      - 'v2/crates/wifi-densepose-sensing-server/Cargo.toml'
      - '.github/workflows/mqtt-integration.yml'
  push:
    branches: [main]
    paths:
      - 'v2/crates/wifi-densepose-sensing-server/src/mqtt/**'
  workflow_dispatch: {}

jobs:
  mqtt-integration:
    runs-on: ubuntu-latest
    timeout-minutes: 20

    # NB: we don't use a `services:` mosquitto container here because the
    # eclipse-mosquitto:2.x image rejects anonymous connections by default
    # and GH Actions `services` doesn't easily support mounting a custom
    # config file. We start mosquitto manually in a step below with an
    # inline `allow_anonymous true` config.

    env:
      RUVIEW_RUN_INTEGRATION: "1"
      RUVIEW_TEST_MQTT_PORT: "11883"
      CARGO_TERM_COLOR: always
      RUST_BACKTRACE: 1

    steps:
      - uses: actions/checkout@v4

      - name: Install mosquitto + clients and start with allow_anonymous
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y mosquitto mosquitto-clients
          sudo systemctl stop mosquitto || true
          # Inline config: anon listener on 11883 only — no TLS, no auth,
          # OK for CI because we test the wire shape, not security.
          # Production deployments enable mTLS per ADR-115 §3.9.
          cat > /tmp/mosquitto-ci.conf <<'EOF'
          listener 11883
          allow_anonymous true
          persistence false
          log_dest stdout
          EOF
          mosquitto -c /tmp/mosquitto-ci.conf -d
          for i in {1..20}; do
            if mosquitto_pub -h 127.0.0.1 -p 11883 -t healthcheck -m ok -q 0 2>/dev/null; then
              echo "mosquitto reachable on 11883"; exit 0
            fi
            sleep 2
          done
          echo "mosquitto never became reachable" >&2
          tail -50 /var/log/mosquitto/*.log 2>/dev/null || true
          exit 1

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable

      - name: Cache cargo registry + build
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: v2 -> target

      - name: Validate HA Blueprints
        run: |
          python -m pip install --quiet pyyaml
          python scripts/validate-ha-blueprints.py

      - name: Verify unit tests still pass under --features mqtt
        working-directory: v2
        # `cargo test` accepts a single TESTNAME filter, so we run the
        # whole --lib suite here. That gives us the full 410-test green
        # bar under --features mqtt (which is more reassuring than
        # filtering anyway).
        run: >-
          cargo test -p wifi-densepose-sensing-server
          --features mqtt --no-default-features
          --lib
          --no-fail-fast

      - name: Run integration tests against mosquitto
        working-directory: v2
        run: >-
          cargo test -p wifi-densepose-sensing-server
          --features mqtt --no-default-features
          --test mqtt_integration
          --no-fail-fast
          -- --test-threads=1 --nocapture

      - name: Dump broker logs on failure
        if: failure()
        run: |
          docker ps -a
          docker logs $(docker ps -aqf "ancestor=eclipse-mosquitto:2.0.18") || true