Testing Strategy and Suites
The testing infrastructure is built around the concept of Deterministic Core verification. Because LLM-based systems are inherently non-deterministic, Palyra uses a combination of “fake” provider adapters and golden fixture snapshots to ensure that the internal state machine, tool dispatch logic, and journal serialization remain consistent across changes.
Core Verification Layers
- Deterministic Core Suite: Validates the palyra-daemon and palyra-cli integration, including session bootstrapping, gRPC service persistence, and tool registry dispatch (scripts/test/run-deterministic-core.sh#72-92).
- Workflow Regression Matrix: A comprehensive test suite that runs agent scenarios against a contract-based harness to prevent regressions in complex tool-use flows (scripts/test/run-workflow-regression.sh#1-10).
- Fuzz Testing: Targeted fuzzing of high-risk parsers (A2UI JSON, Webhook payloads, Auth profiles) using cargo-fuzz (justfile#172-185).
- Performance and Soak Tests: Validates system stability under load and over long durations (justfile#88-92).
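The fake-adapter and golden-snapshot approach described above for the Deterministic Core, as an added Rust sketch that is not Palyra's own code. The Provider trait, FakeProvider, the "tool:<name>:<arg>" action format, and the journal layout are all hypothetical, and the golden text is constructed inline.

```rust
use std::cell::RefCell;
use std::collections::VecDeque;

// Hypothetical provider interface; the project's real adapter trait is not shown on this page.
trait Provider { fn next_action(&self, prompt: &str) -> String; }

// Fake adapter: replays a fixed script instead of calling a model.
struct FakeProvider(RefCell<VecDeque<&'static str>>);

impl Provider for FakeProvider {
    fn next_action(&self, _prompt: &str) -> String {
        self.0.borrow_mut().pop_front().unwrap_or("final:script exhausted").to_string()
    }
}

// Toy tool registry: unknown tools are denied, never executed.
fn dispatch(tool: &str, arg: &str) -> String {
    match tool {
        "upper" => format!("ok:{}", arg.to_uppercase()),
        _ => format!("denied:unknown tool {tool}"),
    }
}

// Drives the agent loop and returns the journal as stable, line-oriented text.
fn run_session(provider: &dyn Provider, prompt: &str, max_steps: usize) -> String {
    let mut journal = vec![format!("0 user {prompt}")];
    for step in 1..=max_steps {
        let action = provider.next_action(prompt);
        if let Some(text) = action.strip_prefix("final:") {
            journal.push(format!("{step} final {text}"));
            break;
        }
        // Expected action shape (assumed): "tool:<name>:<arg>"
        let mut parts = action.splitn(3, ':');
        match (parts.next(), parts.next(), parts.next()) {
            (Some("tool"), Some(name), Some(arg)) => {
                journal.push(format!("{step} tool {name} -> {}", dispatch(name, arg)))
            }
            _ => { journal.push(format!("{step} error malformed action")); break; }
        }
    }
    journal.join("\n")
}

// Constructed golden fixture; a real suite would load a checked-in snapshot file.
const GOLDEN: &str =
    "0 user hi\n1 tool upper -> ok:HI\n2 tool shell -> denied:unknown tool shell\n3 final done";

fn scripted() -> FakeProvider {
    FakeProvider(RefCell::new(VecDeque::from(["tool:upper:hi", "tool:shell:ls", "final:done"])))
}

fn main() { assert_eq!(run_session(&scripted(), "hi", 8), GOLDEN); }
```

Because the fake provider is scripted, any diff against the golden text points at a change in dispatch or journal serialization rather than at model variance.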
Test Suite Execution Mapping
The following diagram maps high-level test suites to the specific scripts and code entities they exercise.
[Diagram: Test Mapping: Logic to Code]
Sources: justfile#47-108, scripts/test/run-deterministic-core.sh#1-100, .github/workflows/ci.yml#103-140
CI/CD Pipelines and Security Gates
Palyra uses GitHub Actions to enforce quality and security standards on every pull request and push to the main branch. The pipeline is split into functional “Gates” that must be passed before code is considered merge-ready.
Pipeline Structure
- CI Pipeline (ci.yml): Handles multi-OS builds (Ubuntu, macOS, Windows), workspace-wide testing, and UI build verification (.github/workflows/ci.yml#16-34).
- Security Gates (security.yml): Executes the security SDLC, including cargo-audit for vulnerabilities, cargo-deny for license/advisory checks, and gitleaks for secret detection (.github/workflows/security.yml#95-124).
- CodeQL (codeql.yml): Performs static analysis for Rust, JavaScript/TypeScript, and GitHub Actions (.github/workflows/codeql.yml#19-48).
- Pre-push Hooks: A local pre-push hook runs a “fast” version of the CI checks to provide immediate feedback to developers (.githooks/pre-push#1-4).
Security Gate Workflow
The security pipeline generates a comprehensive set of artifacts, including a Software Bill of Materials (SBOM).
[Diagram: Security Pipeline Diagram]
Sources: .github/workflows/security.yml#95-148, justfile#148-154
Release Process and Packaging
The release infrastructure automates the creation of portable bundles and platform-specific installers. It ensures that the daemon (palyrad), CLI (palyra), browser bridge (palyra-browserd), and the web dashboard are correctly colocated and functional.
Release Lifecycle
- Metadata Preparation: Derives versioning and generates release/migration notes based on repository state (.github/workflows/release.yml#30-119).
- Portable Bundling: Compiles binaries and packages them with the UI assets into .zip and .tar.gz archives for all supported OSs (.github/workflows/release.yml#120-173).
- Release Smoke Test: Executes a full lifecycle test (install -> setup -> gateway start -> onboarding) on the final packaged artifacts to ensure no missing dependencies (.github/workflows/cli-full-regression.yml#54-107).
- Attestation: Generates build attestations and provenance sidecars for the released assets (.github/workflows/release.yml#22-23).
Release Task Summary
The project uses just (or make) as a task runner to provide a consistent interface for release-related operations.
| Task | Command | Description |
|---|---|---|
| Release Smoke | just release-smoke | Runs full packaging and lifecycle verification (justfile#76-77). |
| Version Audit | assert-version-coherence.ps1 | Ensures versions match across all manifests (.github/workflows/release.yml#45). |
| SBOM Generation | just sbom | Generates CycloneDX SBOM for the workspace (justfile#164-165). |
| Doctor Check | just doctor | Validates local environment readiness for builds (justfile#7-11). |