Add sunbeam check verb with service-level health probes

11 checks across 7 namespaces: gitea version+auth, postgres CNPG readiness, valkey PONG, openbao sealed state, seaweedfs filer, kratos health, hydra OIDC discovery, people HTTP (catches 502s), people API, and livekit. Supports ns and ns/svc scoping. - checks.py: new module with _http_get (no-redirect opener + mkcert SSL), kube_exec-based exec checks, and cmd_check dispatch - kube.py: add kube_exec() and get_domain() (reads from cluster configmap) - cli.py: add 'check [target]' verb - 103 tests, all passing
2026-03-02 21:49:57 +00:00
parent cdc109d728
commit 1573faa0fd
5 changed files with 625 additions and 0 deletions
--- a/sunbeam/checks.py
+++ b/sunbeam/checks.py
@@ -0,0 +1,269 @@
 """Service-level health checks — functional probes beyond pod readiness."""
 import base64
 import json
 import ssl
 import subprocess
 import urllib.error
 import urllib.request
 from dataclasses import dataclass
 from pathlib import Path
 from typing import Any
 from sunbeam.kube import get_domain, kube_exec, kube_out, parse_target
 from sunbeam.output import ok, step, warn
@dataclass
 class CheckResult:
    name: str
    ns: str
    svc: str
    passed: bool
    detail: str = ""
 def _ssl_ctx() -> ssl.SSLContext:
    """Return an SSL context that trusts the mkcert local CA if available."""
    ctx = ssl.create_default_context()
    try:
        r = subprocess.run(["mkcert", "-CAROOT"], capture_output=True, text=True)
        if r.returncode == 0:
            ca_file = Path(r.stdout.strip()) / "rootCA.pem"
            if ca_file.exists():
                ctx.load_verify_locations(cafile=str(ca_file))
    except FileNotFoundError:
        pass
    return ctx
 def _kube_secret(ns: str, name: str, key: str) -> str:
    """Read a base64-encoded K8s secret value and return the decoded string."""
    raw = kube_out("get", "secret", name, "-n", ns, f"-o=jsonpath={{.data.{key}}}")
    if not raw:
        return ""
    try:
        return base64.b64decode(raw + "==").decode()
    except Exception:
        return ""
 class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Prevent urllib from following redirects so we can inspect the status code."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None
 def _opener(ssl_ctx: ssl.SSLContext) -> urllib.request.OpenerDirector:
    return urllib.request.build_opener(
        _NoRedirect(),
        urllib.request.HTTPSHandler(context=ssl_ctx),
    )
 def _http_get(url: str, opener: urllib.request.OpenerDirector, *,
              headers: dict | None = None, timeout: int = 10) -> tuple[int, bytes]:
    """Return (status_code, body). Redirects are not followed."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, b""
 # ── Individual checks ─────────────────────────────────────────────────────────
 def check_gitea_version(domain: str, opener) -> CheckResult:
    """GET /api/v1/version -> JSON with version field."""
    url = f"https://src.{domain}/api/v1/version"
    try:
        status, body = _http_get(url, opener)
        if status == 200:
            ver = json.loads(body).get("version", "?")
            return CheckResult("gitea-version", "devtools", "gitea", True, f"v{ver}")
        return CheckResult("gitea-version", "devtools", "gitea", False, f"HTTP {status}")
    except urllib.error.URLError as e:
        return CheckResult("gitea-version", "devtools", "gitea", False, str(e.reason))
 def check_gitea_auth(domain: str, opener) -> CheckResult:
    """GET /api/v1/user with admin credentials -> 200 and login field."""
    username = _kube_secret("devtools", "gitea-admin-credentials", "admin-username") or "gitea_admin"
    password = _kube_secret("devtools", "gitea-admin-credentials", "admin-password")
    if not password:
        return CheckResult("gitea-auth", "devtools", "gitea", False,
                           "admin-password not found in secret")
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"https://src.{domain}/api/v1/user"
    try:
        status, body = _http_get(url, opener, headers={"Authorization": f"Basic {creds}"})
        if status == 200:
            login = json.loads(body).get("login", "?")
            return CheckResult("gitea-auth", "devtools", "gitea", True, f"user={login}")
        return CheckResult("gitea-auth", "devtools", "gitea", False, f"HTTP {status}")
    except urllib.error.URLError as e:
        return CheckResult("gitea-auth", "devtools", "gitea", False, str(e.reason))
 def check_postgres(domain: str, opener) -> CheckResult:
    """CNPG Cluster readyInstances == instances."""
    ready = kube_out("get", "cluster", "postgres", "-n", "data",
                     "-o=jsonpath={.status.readyInstances}")
    total = kube_out("get", "cluster", "postgres", "-n", "data",
                     "-o=jsonpath={.status.instances}")
    if ready and total and ready == total:
        return CheckResult("postgres", "data", "postgres", True, f"{ready}/{total} ready")
    detail = (f"{ready or '?'}/{total or '?'} ready"
              if (ready or total) else "cluster not found")
    return CheckResult("postgres", "data", "postgres", False, detail)
 def check_valkey(domain: str, opener) -> CheckResult:
    """kubectl exec valkey pod -- valkey-cli ping -> PONG."""
    pod = kube_out("get", "pods", "-n", "data", "-l", "app=valkey",
                   "--no-headers", "-o=custom-columns=NAME:.metadata.name")
    pod = pod.splitlines()[0].strip() if pod else ""
    if not pod:
        return CheckResult("valkey", "data", "valkey", False, "no valkey pod")
    _, out = kube_exec("data", pod, "valkey-cli", "ping")
    return CheckResult("valkey", "data", "valkey", out == "PONG", out or "no response")
 def check_openbao(domain: str, opener) -> CheckResult:
    """kubectl exec openbao-0 -- bao status -format=json -> initialized + unsealed."""
    rc, out = kube_exec("data", "openbao-0", "bao", "status", "-format=json")
    if not out:
        return CheckResult("openbao", "data", "openbao", False, "no response")
    try:
        data = json.loads(out)
        init = data.get("initialized", False)
        sealed = data.get("sealed", True)
        return CheckResult("openbao", "data", "openbao", init and not sealed,
                           f"init={init}, sealed={sealed}")
    except json.JSONDecodeError:
        return CheckResult("openbao", "data", "openbao", False, out[:80])
 def check_seaweedfs(domain: str, opener) -> CheckResult:
    """kubectl exec seaweedfs-filer pod -- wget /dir/status -> filer responding."""
    pod = kube_out("get", "pods", "-n", "storage", "-l", "app=seaweedfs-filer",
                   "--no-headers", "-o=custom-columns=NAME:.metadata.name")
    pod = pod.splitlines()[0].strip() if pod else ""
    if not pod:
        return CheckResult("seaweedfs", "storage", "seaweedfs", False, "no seaweedfs-filer pod")
    rc, out = kube_exec("storage", pod, "wget", "-qO-", "http://localhost:8888/dir/status")
    if rc == 0 and out:
        return CheckResult("seaweedfs", "storage", "seaweedfs", True, "filer responding")
    return CheckResult("seaweedfs", "storage", "seaweedfs", False, "filer not responding")
 def check_kratos(domain: str, opener) -> CheckResult:
    """GET /kratos/health/ready -> 200."""
    url = f"https://auth.{domain}/kratos/health/ready"
    try:
        status, body = _http_get(url, opener)
        ok_flag = status == 200
        detail = f"HTTP {status}"
        if not ok_flag and body:
            detail += f": {body.decode(errors='replace')[:80]}"
        return CheckResult("kratos", "ory", "kratos", ok_flag, detail)
    except urllib.error.URLError as e:
        return CheckResult("kratos", "ory", "kratos", False, str(e.reason))
 def check_hydra_oidc(domain: str, opener) -> CheckResult:
    """GET /.well-known/openid-configuration -> 200 with issuer field."""
    url = f"https://auth.{domain}/.well-known/openid-configuration"
    try:
        status, body = _http_get(url, opener)
        if status == 200:
            issuer = json.loads(body).get("issuer", "?")
            return CheckResult("hydra-oidc", "ory", "hydra", True, f"issuer={issuer}")
        return CheckResult("hydra-oidc", "ory", "hydra", False, f"HTTP {status}")
    except urllib.error.URLError as e:
        return CheckResult("hydra-oidc", "ory", "hydra", False, str(e.reason))
 def check_people(domain: str, opener) -> CheckResult:
    """GET https://people.{domain}/ -> any response < 500 (302 to OIDC is fine)."""
    url = f"https://people.{domain}/"
    try:
        status, _ = _http_get(url, opener)
        return CheckResult("people", "lasuite", "people", status < 500, f"HTTP {status}")
    except urllib.error.URLError as e:
        return CheckResult("people", "lasuite", "people", False, str(e.reason))
 def check_people_api(domain: str, opener) -> CheckResult:
    """GET /api/v1.0/config/ -> any response < 500 (401 auth-required is fine)."""
    url = f"https://people.{domain}/api/v1.0/config/"
    try:
        status, _ = _http_get(url, opener)
        return CheckResult("people-api", "lasuite", "people", status < 500, f"HTTP {status}")
    except urllib.error.URLError as e:
        return CheckResult("people-api", "lasuite", "people", False, str(e.reason))
 def check_livekit(domain: str, opener) -> CheckResult:
    """kubectl exec livekit-server pod -- wget localhost:7880/ -> rc 0."""
    pod = kube_out("get", "pods", "-n", "media", "-l", "app.kubernetes.io/name=livekit-server",
                   "--no-headers", "-o=custom-columns=NAME:.metadata.name")
    pod = pod.splitlines()[0].strip() if pod else ""
    if not pod:
        return CheckResult("livekit", "media", "livekit", False, "no livekit pod")
    rc, _ = kube_exec("media", pod, "wget", "-qO-", "http://localhost:7880/")
    if rc == 0:
        return CheckResult("livekit", "media", "livekit", True, "server responding")
    return CheckResult("livekit", "media", "livekit", False, "server not responding")
 # ── Check registry ────────────────────────────────────────────────────────────
 CHECKS: list[tuple[Any, str, str]] = [
    (check_gitea_version, "devtools", "gitea"),
    (check_gitea_auth,    "devtools", "gitea"),
    (check_postgres,      "data",     "postgres"),
    (check_valkey,        "data",     "valkey"),
    (check_openbao,       "data",     "openbao"),
    (check_seaweedfs,     "storage",  "seaweedfs"),
    (check_kratos,        "ory",      "kratos"),
    (check_hydra_oidc,    "ory",      "hydra"),
    (check_people,        "lasuite",  "people"),
    (check_people_api,    "lasuite",  "people"),
    (check_livekit,       "media",    "livekit"),
 ]
 def cmd_check(target: str | None) -> None:
    """Run service-level health checks, optionally scoped to a namespace or service."""
    step("Service health checks...")
    domain = get_domain()
    ssl_ctx = _ssl_ctx()
    op = _opener(ssl_ctx)
    ns_filter, svc_filter = parse_target(target) if target else (None, None)
    fns = [
        fn for fn, ns, svc in CHECKS
        if (ns_filter is None or ns == ns_filter)
        and (svc_filter is None or svc == svc_filter)
    ]
    if not fns:
        warn(f"No checks match target: {target}")
        return
    results = []
    for fn in fns:
        r = fn(domain, op)
        results.append(r)
        icon = "\u2713" if r.passed else "\u2717"
        detail = f"  ({r.detail})" if r.detail else ""
        print(f"  {icon} {r.ns}/{r.svc} [{r.name}]{detail}")
    print()
    failed = [r for r in results if not r.passed]
    if failed:
        warn(f"{len(failed)} check(s) failed.")
    else:
        ok(f"All {len(results)} check(s) passed.")
--- a/sunbeam/cli.py
+++ b/sunbeam/cli.py
@@ -53,6 +53,11 @@ def main() -> None:
    p_build.add_argument("what", choices=["proxy"],
                         help="What to build (proxy)")
    # sunbeam check [ns[/name]]
    p_check = sub.add_parser("check", help="Functional service health checks")
    p_check.add_argument("target", nargs="?", default=None,
                         help="namespace or namespace/name")
    # sunbeam mirror
    sub.add_parser("mirror", help="Mirror amd64-only La Suite images")
@@ -106,6 +111,10 @@ def main() -> None:
        from sunbeam.images import cmd_build
        cmd_build(args.what)
    elif args.verb == "check":
        from sunbeam.checks import cmd_check
        cmd_check(args.target)
    elif args.verb == "mirror":
        from sunbeam.images import cmd_mirror
        cmd_mirror()
--- a/sunbeam/kube.py
+++ b/sunbeam/kube.py
@@ -93,6 +93,28 @@ def create_secret(ns: str, name: str, **literals) -> None:
             "--field-manager=sunbeam", "-f", "-", input=manifest)
 def kube_exec(ns: str, pod: str, *cmd: str) -> tuple[int, str]:
    """Run a command inside a pod. Returns (returncode, stdout)."""
    r = run_tool("kubectl", "--context=sunbeam", "exec", "-n", ns, pod,
                 "--", *cmd,
                 capture_output=True, text=True, check=False)
    return r.returncode, r.stdout.strip()
 def get_domain() -> str:
    """Discover the active domain from cluster state.
    Reads a known substituted configmap value; falls back to the Lima VM IP.
    """
    raw = kube_out("get", "configmap", "lasuite-oidc-provider", "-n", "lasuite",
                   "-o=jsonpath={.data.OIDC_OP_JWKS_ENDPOINT}")
    if raw and "https://auth." in raw:
        # e.g. "https://auth.192.168.105.2.sslip.io/.well-known/jwks.json"
        return raw.split("https://auth.")[1].split("/")[0]
    ip = get_lima_ip()
    return f"{ip}.sslip.io"
 def kustomize_build(overlay: Path, domain: str) -> str:
    """Run kustomize build --enable-helm and apply domain substitution."""
    r = run_tool(
--- a/sunbeam/tests/test_checks.py
+++ b/sunbeam/tests/test_checks.py
@@ -0,0 +1,284 @@
 """Tests for checks.py — service-level health probes."""
 import json
 import unittest
 from unittest.mock import MagicMock, patch
 class TestCheckGiteaVersion(unittest.TestCase):
    def test_ok_returns_version(self):
        body = json.dumps({"version": "1.21.0"}).encode()
        with patch("sunbeam.checks._http_get", return_value=(200, body)):
            from sunbeam import checks
            r = checks.check_gitea_version("testdomain", None)
        self.assertTrue(r.passed)
        self.assertIn("1.21.0", r.detail)
    def test_non_200_fails(self):
        with patch("sunbeam.checks._http_get", return_value=(502, b"")):
            from sunbeam import checks
            r = checks.check_gitea_version("testdomain", None)
        self.assertFalse(r.passed)
        self.assertIn("502", r.detail)
    def test_connection_error_fails(self):
        import urllib.error
        with patch("sunbeam.checks._http_get", side_effect=urllib.error.URLError("refused")):
            from sunbeam import checks
            r = checks.check_gitea_version("testdomain", None)
        self.assertFalse(r.passed)
 class TestCheckGiteaAuth(unittest.TestCase):
    def _secret(self, key, val):
        def side_effect(ns, name, k):
            return val if k == key else "gitea_admin"
        return side_effect
    def test_ok_returns_login(self):
        body = json.dumps({"login": "gitea_admin"}).encode()
        with patch("sunbeam.checks._kube_secret",
                   side_effect=self._secret("admin-password", "hunter2")):
            with patch("sunbeam.checks._http_get", return_value=(200, body)):
                from sunbeam import checks
                r = checks.check_gitea_auth("testdomain", None)
        self.assertTrue(r.passed)
        self.assertIn("gitea_admin", r.detail)
    def test_missing_password_fails(self):
        with patch("sunbeam.checks._kube_secret", return_value=""):
            from sunbeam import checks
            r = checks.check_gitea_auth("testdomain", None)
        self.assertFalse(r.passed)
        self.assertIn("secret", r.detail)
    def test_non_200_fails(self):
        with patch("sunbeam.checks._kube_secret",
                   side_effect=self._secret("admin-password", "hunter2")):
            with patch("sunbeam.checks._http_get", return_value=(401, b"")):
                from sunbeam import checks
                r = checks.check_gitea_auth("testdomain", None)
        self.assertFalse(r.passed)
 class TestCheckPostgres(unittest.TestCase):
    def test_ready_passes(self):
        with patch("sunbeam.checks.kube_out", side_effect=["1", "1"]):
            from sunbeam import checks
            r = checks.check_postgres("testdomain", None)
        self.assertTrue(r.passed)
        self.assertIn("1/1", r.detail)
    def test_not_ready_fails(self):
        with patch("sunbeam.checks.kube_out", side_effect=["0", "1"]):
            from sunbeam import checks
            r = checks.check_postgres("testdomain", None)
        self.assertFalse(r.passed)
    def test_cluster_not_found_fails(self):
        with patch("sunbeam.checks.kube_out", return_value=""):
            from sunbeam import checks
            r = checks.check_postgres("testdomain", None)
        self.assertFalse(r.passed)
 class TestCheckValkey(unittest.TestCase):
    def test_pong_passes(self):
        with patch("sunbeam.checks.kube_out", return_value="valkey-abc"):
            with patch("sunbeam.checks.kube_exec", return_value=(0, "PONG")):
                from sunbeam import checks
                r = checks.check_valkey("testdomain", None)
        self.assertTrue(r.passed)
    def test_no_pod_fails(self):
        with patch("sunbeam.checks.kube_out", return_value=""):
            from sunbeam import checks
            r = checks.check_valkey("testdomain", None)
        self.assertFalse(r.passed)
    def test_no_pong_fails(self):
        with patch("sunbeam.checks.kube_out", return_value="valkey-abc"):
            with patch("sunbeam.checks.kube_exec", return_value=(1, "")):
                from sunbeam import checks
                r = checks.check_valkey("testdomain", None)
        self.assertFalse(r.passed)
 class TestCheckOpenbao(unittest.TestCase):
    def test_unsealed_passes(self):
        out = json.dumps({"initialized": True, "sealed": False})
        with patch("sunbeam.checks.kube_exec", return_value=(0, out)):
            from sunbeam import checks
            r = checks.check_openbao("testdomain", None)
        self.assertTrue(r.passed)
    def test_sealed_fails(self):
        out = json.dumps({"initialized": True, "sealed": True})
        with patch("sunbeam.checks.kube_exec", return_value=(2, out)):
            from sunbeam import checks
            r = checks.check_openbao("testdomain", None)
        self.assertFalse(r.passed)
    def test_no_output_fails(self):
        with patch("sunbeam.checks.kube_exec", return_value=(1, "")):
            from sunbeam import checks
            r = checks.check_openbao("testdomain", None)
        self.assertFalse(r.passed)
 class TestCheckSeaweedfs(unittest.TestCase):
    def test_responding_passes(self):
        with patch("sunbeam.checks.kube_out", return_value="seaweedfs-filer-abc"):
            with patch("sunbeam.checks.kube_exec", return_value=(0, "filer status data")):
                from sunbeam import checks
                r = checks.check_seaweedfs("testdomain", None)
        self.assertTrue(r.passed)
    def test_no_pod_fails(self):
        with patch("sunbeam.checks.kube_out", return_value=""):
            from sunbeam import checks
            r = checks.check_seaweedfs("testdomain", None)
        self.assertFalse(r.passed)
    def test_exec_fails(self):
        with patch("sunbeam.checks.kube_out", return_value="seaweedfs-filer-abc"):
            with patch("sunbeam.checks.kube_exec", return_value=(1, "")):
                from sunbeam import checks
                r = checks.check_seaweedfs("testdomain", None)
        self.assertFalse(r.passed)
 class TestCheckKratos(unittest.TestCase):
    def test_200_passes(self):
        with patch("sunbeam.checks._http_get", return_value=(200, b"")):
            from sunbeam import checks
            r = checks.check_kratos("testdomain", None)
        self.assertTrue(r.passed)
    def test_503_fails(self):
        with patch("sunbeam.checks._http_get", return_value=(503, b"not ready")):
            from sunbeam import checks
            r = checks.check_kratos("testdomain", None)
        self.assertFalse(r.passed)
        self.assertIn("503", r.detail)
 class TestCheckHydraOidc(unittest.TestCase):
    def test_200_with_issuer_passes(self):
        body = json.dumps({"issuer": "https://auth.testdomain/"}).encode()
        with patch("sunbeam.checks._http_get", return_value=(200, body)):
            from sunbeam import checks
            r = checks.check_hydra_oidc("testdomain", None)
        self.assertTrue(r.passed)
        self.assertIn("testdomain", r.detail)
    def test_502_fails(self):
        with patch("sunbeam.checks._http_get", return_value=(502, b"")):
            from sunbeam import checks
            r = checks.check_hydra_oidc("testdomain", None)
        self.assertFalse(r.passed)
 class TestCheckPeople(unittest.TestCase):
    def test_200_passes(self):
        with patch("sunbeam.checks._http_get", return_value=(200, b"<html>")):
            from sunbeam import checks
            r = checks.check_people("testdomain", None)
        self.assertTrue(r.passed)
    def test_302_redirect_passes(self):
        with patch("sunbeam.checks._http_get", return_value=(302, b"")):
            from sunbeam import checks
            r = checks.check_people("testdomain", None)
        self.assertTrue(r.passed)
        self.assertIn("302", r.detail)
    def test_502_fails(self):
        with patch("sunbeam.checks._http_get", return_value=(502, b"")):
            from sunbeam import checks
            r = checks.check_people("testdomain", None)
        self.assertFalse(r.passed)
        self.assertIn("502", r.detail)
 class TestCheckPeopleApi(unittest.TestCase):
    def test_200_passes(self):
        with patch("sunbeam.checks._http_get", return_value=(200, b"{}")):
            from sunbeam import checks
            r = checks.check_people_api("testdomain", None)
        self.assertTrue(r.passed)
    def test_401_auth_required_passes(self):
        with patch("sunbeam.checks._http_get", return_value=(401, b"")):
            from sunbeam import checks
            r = checks.check_people_api("testdomain", None)
        self.assertTrue(r.passed)
    def test_502_fails(self):
        with patch("sunbeam.checks._http_get", return_value=(502, b"")):
            from sunbeam import checks
            r = checks.check_people_api("testdomain", None)
        self.assertFalse(r.passed)
 class TestCheckLivekit(unittest.TestCase):
    def test_responding_passes(self):
        with patch("sunbeam.checks.kube_out", return_value="livekit-server-abc"):
            with patch("sunbeam.checks.kube_exec", return_value=(0, "")):
                from sunbeam import checks
                r = checks.check_livekit("testdomain", None)
        self.assertTrue(r.passed)
    def test_no_pod_fails(self):
        with patch("sunbeam.checks.kube_out", return_value=""):
            from sunbeam import checks
            r = checks.check_livekit("testdomain", None)
        self.assertFalse(r.passed)
    def test_exec_fails(self):
        with patch("sunbeam.checks.kube_out", return_value="livekit-server-abc"):
            with patch("sunbeam.checks.kube_exec", return_value=(1, "")):
                from sunbeam import checks
                r = checks.check_livekit("testdomain", None)
        self.assertFalse(r.passed)
 class TestCmdCheck(unittest.TestCase):
    def _run(self, target, mock_list):
        from sunbeam import checks
        result = checks.CheckResult("x", "ns", "svc", True, "ok")
        fns = [MagicMock(return_value=result) for _ in mock_list]
        patched = list(zip(fns, [ns for _, ns, _ in mock_list], [s for _, _, s in mock_list]))
        with patch("sunbeam.checks.get_domain", return_value="td"), \
             patch("sunbeam.checks._ssl_ctx", return_value=None), \
             patch("sunbeam.checks._opener", return_value=None), \
             patch.object(checks, "CHECKS", patched):
            checks.cmd_check(target)
        return fns
    def test_no_target_runs_all(self):
        mock_list = [("unused", "devtools", "gitea"), ("unused", "data", "postgres")]
        fns = self._run(None, mock_list)
        fns[0].assert_called_once_with("td", None)
        fns[1].assert_called_once_with("td", None)
    def test_ns_filter_skips_other_namespaces(self):
        mock_list = [("unused", "devtools", "gitea"), ("unused", "data", "postgres")]
        fns = self._run("devtools", mock_list)
        fns[0].assert_called_once()
        fns[1].assert_not_called()
    def test_svc_filter(self):
        mock_list = [("unused", "ory", "kratos"), ("unused", "ory", "hydra")]
        fns = self._run("ory/kratos", mock_list)
        fns[0].assert_called_once()
        fns[1].assert_not_called()
    def test_no_match_warns(self):
        from sunbeam import checks
        with patch("sunbeam.checks.get_domain", return_value="td"), \
             patch("sunbeam.checks._ssl_ctx", return_value=None), \
             patch("sunbeam.checks._opener", return_value=None), \
             patch.object(checks, "CHECKS", []), \
             patch("sunbeam.checks.warn") as mock_warn:
            checks.cmd_check("nonexistent")
        mock_warn.assert_called_once()
--- a/sunbeam/tests/test_cli.py
+++ b/sunbeam/tests/test_cli.py
@@ -31,6 +31,8 @@ class TestArgParsing(unittest.TestCase):
        p_build.add_argument("what", choices=["proxy"])
        sub.add_parser("mirror")
        sub.add_parser("bootstrap")
        p_check = sub.add_parser("check")
        p_check.add_argument("target", nargs="?", default=None)
        return parser.parse_args(argv)
    def test_up(self):
@@ -83,6 +85,21 @@ class TestArgParsing(unittest.TestCase):
        with self.assertRaises(SystemExit):
            self._parse(["get", "ory/kratos-abc", "-o", "toml"])
    def test_check_no_target(self):
        args = self._parse(["check"])
        self.assertEqual(args.verb, "check")
        self.assertIsNone(args.target)
    def test_check_with_namespace(self):
        args = self._parse(["check", "devtools"])
        self.assertEqual(args.verb, "check")
        self.assertEqual(args.target, "devtools")
    def test_check_with_service(self):
        args = self._parse(["check", "lasuite/people"])
        self.assertEqual(args.verb, "check")
        self.assertEqual(args.target, "lasuite/people")
    def test_no_args_verb_is_none(self):
        args = self._parse([])
        self.assertIsNone(args.verb)
@@ -189,3 +206,27 @@ class TestCliDispatch(unittest.TestCase):
                except SystemExit:
                    pass
        mock_build.assert_called_once_with("proxy")
    def test_check_no_target(self):
        mock_check = MagicMock()
        with patch.object(sys, "argv", ["sunbeam", "check"]):
            with patch.dict("sys.modules", {"sunbeam.checks": MagicMock(cmd_check=mock_check)}):
                import importlib, sunbeam.cli as cli_mod
                importlib.reload(cli_mod)
                try:
                    cli_mod.main()
                except SystemExit:
                    pass
        mock_check.assert_called_once_with(None)
    def test_check_with_target(self):
        mock_check = MagicMock()
        with patch.object(sys, "argv", ["sunbeam", "check", "lasuite/people"]):
            with patch.dict("sys.modules", {"sunbeam.checks": MagicMock(cmd_check=mock_check)}):
                import importlib, sunbeam.cli as cli_mod
                importlib.reload(cli_mod)
                try:
                    cli_mod.main()
                except SystemExit:
                    pass
        mock_check.assert_called_once_with("lasuite/people")