ci: add service host discovery and strict policy docs validation

- Add multi-candidate host discovery (localhost, host.docker.internal, gateway) in api-endpoint-tests
- Pass discovered service host via AITBC_API_HOST environment variable to test script
- Update test_api_endpoints.py to use AITBC_API_HOST for all service URLs
- Add validate-policies-strict job to docs-validation workflow for policy Markdown files
- Add job names to package-tests matrix for better CI output clarity
- Add --import

.gitea/workflows/api-endpoint-tests.yml

@@ -43,22 +43,51 @@ jobs:
       - name: Wait for services
         run: |
           echo "Waiting for AITBC services..."
+          gateway_host=$(ip route 2>/dev/null | awk '/default/ {print $3; exit}')
+          host_candidates=(localhost host.docker.internal)
+          if [[ -n "$gateway_host" ]]; then
+            host_candidates+=("$gateway_host")
+          fi
+
+          service_host=""
+          for candidate in "${host_candidates[@]}"; do
+            code=$(curl -so /dev/null -w '%{http_code}' "http://$candidate:8000/health" 2>/dev/null) || code=0
+            if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
+              service_host="$candidate"
+              break
+            fi
+
+            code=$(curl -so /dev/null -w '%{http_code}' "http://$candidate:8000/v1/health" 2>/dev/null) || code=0
+            if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
+              service_host="$candidate"
+              break
+            fi
+          done
+
+          if [[ -z "$service_host" ]]; then
+            echo "❌ Could not find a reachable API host"
+            exit 1
+          fi
+
+          echo "$service_host" > /var/lib/aitbc-workspaces/api-tests/service_host
+          echo "Using service host: $service_host"
+
           for port in 8000 8001 8003 8006; do
             port_ready=0
             for i in $(seq 1 15); do
-              code=$(curl -so /dev/null -w '%{http_code}' "http://localhost:$port/health" 2>/dev/null) || code=0
+              code=$(curl -so /dev/null -w '%{http_code}' "http://$service_host:$port/health" 2>/dev/null) || code=0
               if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
                 echo "✅ Port $port ready (HTTP $code)"
                 port_ready=1
                 break
               fi
-              code=$(curl -so /dev/null -w '%{http_code}' "http://localhost:$port/api/health" 2>/dev/null) || code=0
+              code=$(curl -so /dev/null -w '%{http_code}' "http://$service_host:$port/api/health" 2>/dev/null) || code=0
               if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
                 echo "✅ Port $port ready (HTTP $code)"
                 port_ready=1
                 break
               fi
-              code=$(curl -so /dev/null -w '%{http_code}' "http://localhost:$port/" 2>/dev/null) || code=0
+              code=$(curl -so /dev/null -w '%{http_code}' "http://$service_host:$port/" 2>/dev/null) || code=0
               if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
                 echo "✅ Port $port ready (HTTP $code)"
                 port_ready=1
@@ -76,7 +105,8 @@ jobs:
       - name: Run API endpoint tests
         run: |
           cd /var/lib/aitbc-workspaces/api-tests/repo
-          venv/bin/python scripts/ci/test_api_endpoints.py
+          service_host=$(cat /var/lib/aitbc-workspaces/api-tests/service_host)
+          AITBC_API_HOST="$service_host" venv/bin/python scripts/ci/test_api_endpoints.py
           echo "✅ API endpoint tests completed"
 
       - name: Cleanup

.gitea/workflows/docs-validation.yml

@@ -101,3 +101,43 @@ jobs:
       - name: Cleanup
         if: always()
         run: rm -rf /var/lib/aitbc-workspaces/docs-validation
+
+  validate-policies-strict:
+    runs-on: debian
+    timeout-minutes: 10
+
+    steps:
+      - name: Clone repository
+        run: |
+          WORKSPACE="/var/lib/aitbc-workspaces/docs-validation-policies"
+          rm -rf "$WORKSPACE"
+          mkdir -p "$WORKSPACE"
+          cd "$WORKSPACE"
+          git clone --depth 1 http://gitea.bubuit.net:3000/oib/aitbc.git repo
+
+      - name: Install markdownlint
+        run: |
+          npm install -g markdownlint-cli
+
+      - name: Strict lint policy docs
+        run: |
+          cd /var/lib/aitbc-workspaces/docs-validation-policies/repo
+
+          # Ensure standard directories exist
+          mkdir -p /var/lib/aitbc/data /var/lib/aitbc/keystore /etc/aitbc /var/log/aitbc
+
+          shopt -s globstar nullglob
+          mapfile -t targets < <(printf '%s\n' docs/policies/*.md docs/policies/**/*.md | awk '!seen[$0]++')
+
+          if [[ ${#targets[@]} -eq 0 ]]; then
+            echo "❌ No policy Markdown files found"
+            exit 1
+          fi
+
+          echo "Strict docs scope: ${#targets[@]} policy Markdown files"
+          markdownlint "${targets[@]}"
+          echo "✅ Policy docs lint passed"
+
+      - name: Cleanup
+        if: always()
+        run: rm -rf /var/lib/aitbc-workspaces/docs-validation-policies

.gitea/workflows/package-tests.yml

@@ -17,6 +17,7 @@ concurrency:
 
 jobs:
   test-python-packages:
+    name: Python package - ${{ matrix.package.name }}
     runs-on: debian
     timeout-minutes: 15
 
@@ -101,6 +102,7 @@ jobs:
         run: rm -rf "/var/lib/aitbc-workspaces/pkg-${{ matrix.package.name }}"
 
   test-javascript-packages:
+    name: JavaScript package - ${{ matrix.package.name }}
     runs-on: debian
     timeout-minutes: 15
 

.gitea/workflows/production-tests.yml

@@ -0,0 +1,125 @@
+name: Production Tests
+
+on:
+  push:
+    branches: [main, develop]
+    paths:
+      - 'tests/production/**'
+      - 'apps/agent-coordinator/**'
+      - '.gitea/workflows/production-tests.yml'
+  pull_request:
+    branches: [main, develop]
+  workflow_dispatch:
+
+concurrency:
+  group: production-tests-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-production:
+    name: Production Integration Tests
+    runs-on: debian
+    timeout-minutes: 20
+
+    steps:
+      - name: Clone repository
+        run: |
+          WORKSPACE="/var/lib/aitbc-workspaces/production-tests"
+          rm -rf "$WORKSPACE"
+          mkdir -p "$WORKSPACE"
+          cd "$WORKSPACE"
+          git clone --depth 1 http://gitea.bubuit.net:3000/oib/aitbc.git repo
+
+      - name: Setup test environment
+        run: |
+          cd /var/lib/aitbc-workspaces/production-tests/repo
+          python3 -m venv venv
+          venv/bin/pip install -q \
+            pytest \
+            pytest-asyncio \
+            pytest-timeout \
+            requests \
+            pyjwt \
+            fastapi \
+            uvicorn[standard] \
+            redis \
+            bcrypt \
+            websockets \
+            numpy \
+            psutil \
+            prometheus-client
+
+          # Ensure standard directories exist
+          mkdir -p /var/lib/aitbc/data /var/lib/aitbc/keystore /etc/aitbc /var/log/aitbc
+
+      - name: Start Redis
+        run: |
+          redis-server --daemonize yes --port 6379
+          sleep 2
+          redis-cli ping || exit 1
+          echo "✅ Redis started"
+
+      - name: Start agent coordinator
+        run: |
+          cd /var/lib/aitbc-workspaces/production-tests/repo
+          source venv/bin/activate
+          export PYTHONPATH="apps/agent-coordinator/src:$PYTHONPATH"
+          
+          # Start agent coordinator in background
+          nohup uvicorn src.app.main:app \
+            --host 0.0.0.0 \
+            --port 9001 \
+            --log-level info \
+            > /tmp/agent-coordinator.log 2>&1 &
+          
+          echo $! > /tmp/agent-coordinator.pid
+          echo "✅ Agent coordinator started (PID: $(cat /tmp/agent-coordinator.pid))"
+
+      - name: Wait for agent coordinator ready
+        run: |
+          echo "Waiting for agent coordinator on port 9001..."
+          for i in $(seq 1 30); do
+            code=$(curl -so /dev/null -w '%{http_code}' "http://localhost:9001/health" 2>/dev/null) || code=0
+            if [ "$code" -ge 200 ] && [ "$code" -lt 600 ]; then
+              echo "✅ Agent coordinator ready (HTTP $code)"
+              exit 0
+            fi
+            sleep 2
+          done
+          echo "❌ Agent coordinator not ready"
+          cat /tmp/agent-coordinator.log
+          exit 1
+
+      - name: Run production tests
+        run: |
+          cd /var/lib/aitbc-workspaces/production-tests/repo
+          source venv/bin/activate
+          export PYTHONPATH="apps/agent-coordinator/src:$PYTHONPATH"
+          
+          pytest tests/production/ \
+            -v \
+            --tb=short \
+            --timeout=30 \
+            --import-mode=importlib \
+            -k "not test_error_handling"
+          
+          echo "✅ Production tests completed"
+
+      - name: Agent coordinator logs
+        if: always()
+        run: |
+          if [ -f /tmp/agent-coordinator.log ]; then
+            echo "=== Agent Coordinator Logs ==="
+            cat /tmp/agent-coordinator.log
+          fi
+
+      - name: Cleanup
+        if: always()
+        run: |
+          if [ -f /tmp/agent-coordinator.pid ]; then
+            kill $(cat /tmp/agent-coordinator.pid) 2>/dev/null || true
+            rm -f /tmp/agent-coordinator.pid
+          fi
+          pkill -f "uvicorn src.app.main:app" 2>/dev/null || true
+          redis-cli shutdown 2>/dev/null || true
+          rm -rf /var/lib/aitbc-workspaces/production-tests

.gitea/workflows/python-tests.yml

@@ -78,7 +78,8 @@ jobs:
             apps/wallet/tests/ \
             packages/py/aitbc-crypto/tests/ \
             packages/py/aitbc-sdk/tests/ \
-            --tb=short -q --timeout=30 \
+            --tb=short -q --timeout=30 --import-mode=importlib \
+            --ignore=tests/production \
             --ignore=apps/coordinator-api/tests/test_confidential*.py
 
           echo "✅ Python tests completed"