test: expand sanity suite with branding, deny enforcement, driver, and resilience tests

Add 22 new sanity tests across all phases:

verify-install.sh:
- Semver version format check (#212)
- --help branding leak detection for "opencode" strings (#416, #417)
- "altimate run --help" branding leak detection
- 9 driver resolvability checks: pg, snowflake-sdk, mysql2, mssql,
  duckdb, mongodb, bigquery, databricks, oracledb (#295)

resilience.sh (reorganized from 8 to 10 tests):
- Yolo deny enforcement using observable side-effect marker file,
  with config written to correct altimate-code/ subdir (#372, #377)
- Missing API key graceful handling
- No-internet graceful error via TEST-NET-1 proxy (#181)

smoke-tests.sh:
- dbt config discovery in isolated tmpdir (#448, #270)
- altimate check command with positional file arg (#453)
- MongoDB smoke test alongside existing postgres/snowflake

Infrastructure:
- Dockerfile: install all 9 driver packages (not just altimate-core)
- docker-compose.yml: add MongoDB 7 service with healthcheck
- ci-local.sh: add mongodb to Docker services, bump healthy count to 5,
  add mongodb E2E test step
- pr-tests/generate.sh: add triggers for permission/yolo, branding,
  dbt, and driver file changes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: kulvirgit

test/sanity/Dockerfile

@@ -24,9 +24,11 @@ COPY --chown=testuser packages/opencode/script/postinstall.mjs /home/testuser/.a
 COPY --chown=testuser packages/opencode/package.json /home/testuser/.altimate-install/package.json
 COPY --chown=testuser .opencode/skills/ /home/testuser/.altimate-install/skills/
 
-# Install altimate-core native binding (required at runtime)
+# Install altimate-core native binding + all database drivers (required at runtime)
+# Drivers are optionalDependencies in @altimateai/drivers — must be explicitly installed
+# to match what a real `npm install` with peerDependencies would provide.
 RUN cd /home/testuser/.altimate-install && \
-    echo '{"dependencies":{"@altimateai/altimate-core":"latest"}}' > package.json && \
+    echo '{"dependencies":{"@altimateai/altimate-core":"latest","pg":"^8.0.0","snowflake-sdk":"^2.0.3","mysql2":"^3.0.0","mssql":"^11.0.0","duckdb":"^1.0.0","mongodb":"^6.0.0","@google-cloud/bigquery":"^8.0.0","@databricks/sql":"^1.0.0","oracledb":"^6.0.0"}}' > package.json && \
     bun install && \
     node -e "require('@altimateai/altimate-core')" 2>/dev/null || { echo "FATAL: altimate-core install failed"; exit 1; }
 

test/sanity/ci-local.sh

@@ -56,25 +56,25 @@ if [ "$MODE" = "--full" ] || [ "$MODE" = "full" ]; then
   echo "=== Full CI (Docker) ==="
 
   # Driver E2E with Docker containers
-  run_step "Docker Services Up" docker compose -f "$REPO_ROOT/test/sanity/docker-compose.yml" up -d postgres mysql mssql redshift
+  run_step "Docker Services Up" docker compose -f "$REPO_ROOT/test/sanity/docker-compose.yml" up -d postgres mysql mssql redshift mongodb
 
   echo "  Waiting for services to be healthy..."
   HEALTHY=0
   for _wait in $(seq 1 30); do
     HEALTHY=$(docker compose -f "$REPO_ROOT/test/sanity/docker-compose.yml" ps --format json 2>/dev/null | grep -c '"healthy"' || echo "0")
-    if [ "$HEALTHY" -ge 4 ]; then break; fi
+    if [ "$HEALTHY" -ge 5 ]; then break; fi
     sleep 2
   done
 
-  if [ "$HEALTHY" -lt 4 ]; then
-    echo "  >>> Docker Services: FAILED ($HEALTHY/4 healthy after 60s)"
+  if [ "$HEALTHY" -lt 5 ]; then
+    echo "  >>> Docker Services: FAILED ($HEALTHY/5 healthy after 60s)"
     EXIT_CODE=1
   else
-    echo "  >>> Docker Services: $HEALTHY/4 healthy"
+    echo "  >>> Docker Services: $HEALTHY/5 healthy"
   fi
 
   # Skip driver tests if services aren't healthy
-  if [ "$HEALTHY" -lt 4 ]; then
+  if [ "$HEALTHY" -lt 5 ]; then
     echo "  SKIP: Driver E2E tests (services not healthy)"
   else
 
@@ -88,6 +88,10 @@ if [ "$MODE" = "--full" ] || [ "$MODE" = "full" ]; then
     TEST_REDSHIFT_HOST=127.0.0.1 TEST_REDSHIFT_PORT=15439 TEST_REDSHIFT_PASSWORD=testpass123 \
     bun test test/altimate/drivers-docker-e2e.test.ts --timeout 30000"
 
+  run_step "Driver E2E (mongodb)" bash -c "cd $REPO_ROOT/packages/opencode && \
+    TEST_MONGODB_HOST=127.0.0.1 TEST_MONGODB_PORT=17017 \
+    bun test test/altimate/drivers-mongodb-e2e.test.ts --timeout 30000"
+
   # Full sanity suite in Docker
   run_step "Sanity Suite (Docker)" docker compose -f "$REPO_ROOT/test/sanity/docker-compose.yml" \
     up --build --abort-on-container-exit --exit-code-from sanity

test/sanity/docker-compose.yml

@@ -18,6 +18,8 @@ services:
       - TEST_REDSHIFT_HOST=redshift
       - TEST_REDSHIFT_PORT=5432
       - TEST_REDSHIFT_PASSWORD=testpass123
+      - TEST_MONGODB_HOST=mongodb
+      - TEST_MONGODB_PORT=27017
     depends_on:
       postgres:
         condition: service_healthy
@@ -27,6 +29,8 @@ services:
         condition: service_healthy
       redshift:
         condition: service_healthy
+      mongodb:
+        condition: service_healthy
 
   postgres:
     image: postgres:16-alpine
@@ -74,3 +78,12 @@ services:
       test: pg_isready
       interval: 5s
       retries: 10
+
+  mongodb:
+    image: mongo:7
+    ports:
+      - "17017:27017"
+    healthcheck:
+      test: mongosh --eval "db.adminCommand('ping')" --quiet
+      interval: 5s
+      retries: 10

test/sanity/phases/resilience.sh

@@ -23,7 +23,7 @@ echo '{}' > package.json
 git add -A && git commit -q -m "init"
 
 # 1. SQLite DB created after first run
-echo "  [1/7] SQLite DB creation..."
+echo "  [1/10] SQLite DB creation..."
 if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
   altimate_run "db-create" "say hello" || true
   # Find the DB — could be opencode.db, opencode-latest.db, or opencode-{channel}.db
@@ -42,7 +42,7 @@ else
 fi
 
 # 2. WAL mode enabled
-echo "  [2/7] WAL mode..."
+echo "  [2/10] WAL mode..."
 if [ -n "$DB_PATH" ] && [ -f "$DB_PATH" ] && command -v sqlite3 >/dev/null 2>&1; then
   WAL_MODE=$(sqlite3 "$DB_PATH" "PRAGMA journal_mode;" 2>/dev/null || echo "unknown")
   assert_eq "$WAL_MODE" "wal" "WAL mode enabled"
@@ -51,7 +51,7 @@ else
 fi
 
 # 3. Session persisted
-echo "  [3/7] Session persistence..."
+echo "  [3/10] Session persistence..."
 if [ -n "$DB_PATH" ] && [ -f "$DB_PATH" ] && command -v sqlite3 >/dev/null 2>&1; then
   SESSION_COUNT=$(sqlite3 "$DB_PATH" "SELECT count(*) FROM session;" 2>/dev/null || echo "0")
   assert_ge "$SESSION_COUNT" 1 "session persisted (got $SESSION_COUNT)"
@@ -60,7 +60,7 @@ else
 fi
 
 # 4. Session continue (DB survives restart)
-echo "  [4/7] Session continue..."
+echo "  [4/10] Session continue..."
 if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
   altimate_run "continue" --continue "what was my last message" || true
   assert_not_contains "$(get_output continue)" "TIMEOUT" "session continue works"
@@ -69,7 +69,7 @@ else
 fi
 
 # 5. Compaction doesn't crash (best-effort — seed if fixture available)
-echo "  [5/7] Compaction resilience..."
+echo "  [5/10] Compaction resilience..."
 if [ -n "$DB_PATH" ] && [ -f "$SCRIPT_DIR/fixtures/compaction-session.sql" ] && command -v sqlite3 >/dev/null 2>&1; then
   sqlite3 "$DB_PATH" < "$SCRIPT_DIR/fixtures/compaction-session.sql" 2>/dev/null || true
   if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
@@ -90,20 +90,8 @@ else
   skip_test "Compaction resilience" "fixture or sqlite3 not available"
 fi
 
-# 6. Graceful on missing provider key
-echo "  [6/7] Missing API key handling..."
-SAVED_KEY="${ANTHROPIC_API_KEY:-}"
-unset ANTHROPIC_API_KEY
-OUTPUT=$(timeout 10 altimate run --max-turns 1 --yolo "hello" 2>&1 || true)
-# Should get a clean error, not an unhandled exception / stack trace
-assert_not_contains "$OUTPUT" "TypeError" "no TypeError on missing key"
-assert_not_contains "$OUTPUT" "Cannot read properties" "no unhandled error on missing key"
-if [ -n "$SAVED_KEY" ]; then
-  export ANTHROPIC_API_KEY="$SAVED_KEY"
-fi
-
-# 7. Config backwards compatibility
-echo "  [7/7] Config backwards compat..."
+# 6. Config backwards compatibility
+echo "  [6/10] Config backwards compat..."
 CONFIG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/altimate-code"
 mkdir -p "$CONFIG_DIR"
 if [ -f "$SCRIPT_DIR/fixtures/old-config.json" ]; then
@@ -119,8 +107,8 @@ else
   skip_test "Config backwards compat" "old-config.json fixture not found"
 fi
 
-# 8. Broken config graceful handling
-echo "  [8/8] Broken config handling..."
+# 7. Broken config graceful handling
+echo "  [7/10] Broken config handling..."
 if [ -f "$SCRIPT_DIR/fixtures/broken-config.json" ]; then
   cp "$SCRIPT_DIR/fixtures/broken-config.json" "$CONFIG_DIR/opencode.json"
   if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
@@ -135,6 +123,76 @@ else
   skip_test "Broken config handling" "broken-config.json fixture not found"
 fi
 
+# 8. Yolo deny enforcement — deny rules block even with --yolo (#372, #377)
+echo "  [8/10] Yolo deny enforcement..."
+if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
+  # Create a config with an explicit deny rule
+  # App reads from $XDG_CONFIG_HOME/altimate-code/opencode.jsonc
+  DENY_CONFIG_DIR=$(mktemp -d /tmp/sanity-deny-config-XXXXXX)
+  DENY_MARKER="$DENY_CONFIG_DIR/deny-marker"
+  mkdir -p "$DENY_CONFIG_DIR/altimate-code"
+  cat > "$DENY_CONFIG_DIR/altimate-code/opencode.jsonc" <<DENYEOF
+{
+  "permission": {
+    "bash": {
+      "*": "allow",
+      "touch ${DENY_MARKER}": "deny",
+      "touch /tmp/sanity-deny-*": "deny"
+    }
+  }
+}
+DENYEOF
+  # Use an observable side-effect: deny "touch" on a marker file.
+  # If deny enforcement works, the marker file will NOT be created.
+  DENY_OUTPUT=$(XDG_CONFIG_HOME="$DENY_CONFIG_DIR" timeout 30 altimate run --max-turns 2 --yolo --format json \
+    "run this exact bash command: touch $DENY_MARKER" 2>&1 || true)
+  # Primary check: the marker file must not exist (deny blocked execution)
+  if [ -f "$DENY_MARKER" ]; then
+    echo "  FAIL: yolo mode bypassed deny rule — denied command was executed"
+    FAIL_COUNT=$((FAIL_COUNT + 1))
+  elif echo "$DENY_OUTPUT" | grep -qi "denied\|blocked\|BLOCKED by deny rule\|not allowed"; then
+    echo "  PASS: yolo deny rule explicitly blocked command"
+    PASS_COUNT=$((PASS_COUNT + 1))
+  elif [ -z "$DENY_OUTPUT" ]; then
+    echo "  FAIL: no output from deny enforcement test"
+    FAIL_COUNT=$((FAIL_COUNT + 1))
+  else
+    # Model may have refused on its own — marker absent so still safe
+    echo "  PASS: yolo deny rule (command not executed, marker absent)"
+    PASS_COUNT=$((PASS_COUNT + 1))
+  fi
+  rm -rf "$DENY_CONFIG_DIR"
+else
+  skip_test "Yolo deny enforcement" "no ANTHROPIC_API_KEY"
+fi
+
+# 9. Missing API key handling (no unhandled exceptions)
+echo "  [9/10] Missing API key handling..."
+SAVED_KEY="${ANTHROPIC_API_KEY:-}"
+unset ANTHROPIC_API_KEY
+OUTPUT=$(timeout 10 altimate run --max-turns 1 --yolo "hello" 2>&1 || true)
+assert_not_contains "$OUTPUT" "TypeError" "no TypeError on missing key"
+assert_not_contains "$OUTPUT" "Cannot read properties" "no unhandled error on missing key"
+if [ -n "$SAVED_KEY" ]; then
+  export ANTHROPIC_API_KEY="$SAVED_KEY"
+fi
+
+# 10. No internet — graceful error, not blank screen (#181)
+echo "  [10/10] No internet graceful handling..."
+# Use an unreachable DNS to simulate no internet (timeout quickly)
+NO_NET_OUTPUT=$(timeout 15 env https_proxy=http://192.0.2.1:1 http_proxy=http://192.0.2.1:1 \
+  altimate run --max-turns 1 --yolo "hello" 2>&1 || true)
+assert_not_contains "$NO_NET_OUTPUT" "TypeError" "no TypeError without internet"
+assert_not_contains "$NO_NET_OUTPUT" "Cannot read properties" "no unhandled error without internet"
+# Should get some kind of connection/auth error, not a blank hang
+if [ -z "$NO_NET_OUTPUT" ]; then
+  echo "  FAIL: no output at all without internet (blank screen)"
+  FAIL_COUNT=$((FAIL_COUNT + 1))
+else
+  echo "  PASS: produced output without internet ($(echo "$NO_NET_OUTPUT" | wc -l) lines)"
+  PASS_COUNT=$((PASS_COUNT + 1))
+fi
+
 # Cleanup
 rm -rf "$WORKDIR"
 

test/sanity/phases/smoke-tests.sh

@@ -79,12 +79,19 @@ test_duckdb() {
 }
 
 test_postgres() {
-  if [ -z "${TEST_PG_HOST:-}" ]; then
-    echo "SKIP" > "$RESULTS_DIR/postgres"
-    return
+  # Use env vars if set (Docker compose), else probe local Docker port
+  local pg_host="${TEST_PG_HOST:-}"
+  local pg_port="${TEST_PG_PORT:-5432}"
+  if [ -z "$pg_host" ]; then
+    if timeout 2 bash -c "echo >/dev/tcp/127.0.0.1/15432" 2>/dev/null; then
+      pg_host="127.0.0.1"; pg_port="15432"
+    else
+      echo "SKIP" > "$RESULTS_DIR/postgres"
+      return
+    fi
   fi
   cd "$WORKDIR" || return 1
-  altimate_run "postgres" "run SELECT 1 against postgres at ${TEST_PG_HOST}:${TEST_PG_PORT:-5432}"
+  altimate_run "postgres" "run SELECT 1 against postgres at ${pg_host}:${pg_port}"
   local output=$(get_output "postgres")
   if echo "$output" | grep -qi "TIMEOUT\|unhandled"; then
     echo "FAIL" > "$RESULTS_DIR/postgres"
@@ -94,9 +101,19 @@ test_postgres() {
 }
 
 test_snowflake() {
+  # Snowflake requires real cloud credentials — cannot be Docker'd.
+  # Accepts either ALTIMATE_CODE_CONN_SNOWFLAKE_TEST (JSON config) or
+  # individual SNOWFLAKE_ACCOUNT/USER/PASSWORD env vars.
   if [ -z "${ALTIMATE_CODE_CONN_SNOWFLAKE_TEST:-}" ]; then
-    echo "SKIP" > "$RESULTS_DIR/snowflake"
-    return
+    if [ -n "${SNOWFLAKE_ACCOUNT:-}" ] && [ -n "${SNOWFLAKE_USER:-}" ] && [ -n "${SNOWFLAKE_PASSWORD:-}" ]; then
+      export ALTIMATE_CODE_CONN_SNOWFLAKE_TEST=$(cat <<SFEOF
+{"type":"snowflake","account":"${SNOWFLAKE_ACCOUNT}","user":"${SNOWFLAKE_USER}","password":"${SNOWFLAKE_PASSWORD}","warehouse":"${SNOWFLAKE_WAREHOUSE:-COMPUTE_WH}","role":"${SNOWFLAKE_ROLE:-PUBLIC}"}
+SFEOF
+      )
+    else
+      echo "SKIP" > "$RESULTS_DIR/snowflake"
+      return
+    fi
   fi
   cd "$WORKDIR" || return 1
   altimate_run "snowflake" "run SELECT 1 against snowflake"
@@ -108,6 +125,28 @@ test_snowflake() {
   fi
 }
 
+test_mongodb() {
+  # Use env vars if set (Docker compose), else probe local Docker port
+  local mongo_host="${TEST_MONGODB_HOST:-}"
+  local mongo_port="${TEST_MONGODB_PORT:-27017}"
+  if [ -z "$mongo_host" ]; then
+    if timeout 2 bash -c "echo >/dev/tcp/127.0.0.1/17017" 2>/dev/null; then
+      mongo_host="127.0.0.1"; mongo_port="17017"
+    else
+      echo "SKIP" > "$RESULTS_DIR/mongodb"
+      return
+    fi
+  fi
+  cd "$WORKDIR" || return 1
+  altimate_run "mongodb" "run a find command on the admin database against mongodb at ${mongo_host}:${mongo_port}"
+  local output=$(get_output "mongodb")
+  if echo "$output" | grep -qi "TIMEOUT\|unhandled\|driver not installed"; then
+    echo "FAIL" > "$RESULTS_DIR/mongodb"
+  else
+    echo "PASS" > "$RESULTS_DIR/mongodb"
+  fi
+}
+
 test_builder() {
   cd "$WORKDIR"
   altimate_run "builder" --agent builder "say hello"
@@ -152,6 +191,47 @@ test_discover() {
   fi
 }
 
+test_dbt_discover() {
+  # Use isolated workdir to avoid race conditions with parallel tests (#448, #270)
+  local dbt_dir=$(mktemp -d /tmp/sanity-dbt-XXXXXX)
+  cd "$dbt_dir"
+  git init -q
+  git config user.name "sanity-test"
+  git config user.email "sanity@test.local"
+  echo '{}' > package.json
+  mkdir -p models
+  cat > dbt_project.yml <<'DBTEOF'
+name: sanity_test
+version: '1.0.0'
+config-version: 2
+profile: sanity_test
+DBTEOF
+  cat > models/test_model.sql <<'SQLEOF'
+SELECT 1 AS id
+SQLEOF
+  git add -A && git commit -q -m "add dbt project"
+  SANITY_TIMEOUT=90 altimate_run_with_turns "dbt-discover" 2 "discover dbt project config in this repo" || true
+  local output=$(get_output "dbt-discover")
+  if echo "$output" | grep -qi "unhandled\|TypeError\|Cannot read"; then
+    echo "FAIL" > "$RESULTS_DIR/dbt-discover"
+  else
+    echo "PASS" > "$RESULTS_DIR/dbt-discover"
+  fi
+  rm -rf "$dbt_dir"
+}
+
+test_check_command() {
+  cd "$WORKDIR"
+  # altimate-code check should run deterministic SQL checks without LLM (#453)
+  echo "SELECT * FROM users WHERE 1=1;" > check_target.sql
+  local output=$(timeout 30 altimate check check_target.sql 2>&1 || true)
+  if echo "$output" | grep -qi "TypeError\|unhandled\|Cannot read properties"; then
+    echo "FAIL" > "$RESULTS_DIR/check-cmd"
+  else
+    echo "PASS" > "$RESULTS_DIR/check-cmd"
+  fi
+}
+
 # Run tests in parallel batches
 echo ""
 echo "  Running $MAX_PARALLEL tests concurrently..."
@@ -164,10 +244,13 @@ TESTS=(
   "test_duckdb"
   "test_postgres"
   "test_snowflake"
+  "test_mongodb"
   "test_builder"
   "test_analyst"
   "test_bad_command"
   "test_discover"
+  "test_dbt_discover"
+  "test_check_command"
 )
 
 TEST_NAMES=(
@@ -177,10 +260,13 @@ TEST_NAMES=(
   "duckdb"
   "postgres"
   "snowflake"
+  "mongodb"
   "builder"
   "analyst"
   "bad-cmd"
   "discover"
+  "dbt-discover"
+  "check-cmd"
 )
 
 # Launch in batches of MAX_PARALLEL