Pin env-var surface parity between docker-compose ci backend and GHA workflow (BS#958)

[jakebromberg]

Closes #958.

Summary

tests/unit/scripts/ci-env-surface-parity.test.ts — source-grep test that extracts env-var KEYS from both CI surfaces and asserts any divergence falls in an explicit allowlist. Adding a new env var to one surface now fails CI unless mirrored or justified.

Why

Per #164, the GHA integration suite deliberately runs the backend as a host node process with env from .github/workflows/test.yml. npm run ci:testmock runs it as a docker container with env from dev_env/docker-compose.yml. The two env surfaces drift independently, and a new var landing in one but not the other can silently break the integration suite.

#955 was the most recent symptom: G4's LML_CLIENT_MAX_CONCURRENT + LML_CLIENT_RATE_PER_MIN overrides made it into the unit-test harness but neither CI surface, so the integration suite's bucket drained and metadata-lml.spec.js started timing out. The manual fix in #957 wired the limiter env vars to both sides with a per-PR source-grep test pinning the values. This PR generalizes the pattern so the next limiter knob (or any other new env var) doesn't need its own per-PR pin.

Scope choice

Of the three options listed in #958:

1. Mechanical guard ← this PR. Smallest change, preserves the dual-path model.
2. Shared source of truth (factor into .env.ci consumed by both).
3. Retire ci:testmock entirely.

(2) and (3) are deferred — both are larger investments and the mechanical guard catches the bug class today.

How it works

The test asserts:

• actualOnlyInCompose === EXPECTED_ONLY_IN_COMPOSE
• actualOnlyInWorkflow === EXPECTED_ONLY_IN_WORKFLOW

The two allowlist arrays capture today's intentional divergence (18 compose-only keys, 9 workflow-only keys), each with a one-line // Why: comment — the deliberate-thought receipt. When the test fails, the dev either:

• Mirrors the new var to the other surface (preferred), or
• Adds it to the appropriate allowlist with a Why: justification.

What this does not do

• Doesn't enforce value equality. LML_CLIENT_RATE_PER_MIN=60000 in workflow vs =10000 in compose would both pass this guard. The existing lml-limiter-test-env.test.ts value-pin therefore stays useful and is not retired.
• Doesn't fix the existing divergences. Some entries on the allowlist (e.g. CATALOG_TRACK_SEARCH_* only in compose, BETTER_AUTH_AUDIENCE/ISSUER/JWKS_URL only in compose) may be genuine coverage gaps — but resolving each is its own ticket.

Test plan

• Test passes on main (npx jest --testPathPatterns ci-env-surface-parity) — 2/2 pass.
• Full unit suite — 1978/1978 pass.
• Negative test: temporarily added FAKE_GUARD_TEST_KEY=value to the compose backend env; test failed with a clean diff showing the unauthorized key. File restored.
• Typecheck + format:check clean.

Related

• #164 — the deliberate-divergence decision this PR makes mechanically enforceable.
• #955 — the BS-prod-affecting incident this prevents recurrence of.
• #957 — the manual fix whose pattern this PR generalizes.
• #959 — the other point patch from the Integration tests fail deterministically in metadata-lml.spec.js (post-#949 PR run) #955 debugging session (DB_PORT conflation); separate PR.