test(drift): CI guard for source-of-truth drift (backend hosts + workload names)

[LukasWodka]

What

Net-new CI drift check — fails when two sources of truth that must agree have silently diverged. From the test-hardening analysis; the only roadmap item with no existing PR. Tracks backend#746.

Two checks (scripts/tests/check-drift.sh):

1. Backend API host parity — the dev/stg/prod hosts are hardcoded in three files (preflight.sh::_pf_backend_host, install-client-helm.sh::_backend_url, install-k8s.ps1::Get-BackendUrl). Asserts all three carry the identical *.tracebloc.io host set.

2. Workload-name contract — summary.sh (readiness wait, rollout status deployment/<name>) and diagnose.sh (--diagnose bundle, logs deploy/<name> + daemonset/<name>) reference mysql-client, <release>-jobs-manager, <release>-requests-proxy, tracebloc-resource-monitor by name. A chart rename breaks readiness + diagnostics silently — same class as the app=manager selector bug. Renders the chart (helm template) and asserts each name exists, and that the scripts still reference each (so the contract can't go stale on either side).

How

• .github/workflows/drift-checks.yaml runs on scripts/** OR client/** (either side moving is the drift), sets up helm, runs the check.
• scripts/tests/check-drift.bats — 8 cases (parity match / mismatch / removed; contract drop; render-missing; helm-absent skip).
• check-drift.sh added to the static job's shellcheck list.

Testing

• bash scripts/tests/check-drift.sh → green on develop (both checks pass; the chart render confirms the four workload names).
• bats scripts/tests/check-drift.bats → 8/8.
• Full suite: no new failures (same 4 pre-existing macOS-env failures).
• shellcheck (error severity) clean on the new script.

Follow-ups (separate)

• Cross-repo selector drift: Mintlify docs -l app=… selectors ↔ chart labels (the original app=manager surface) — needs a cross-repo guard.
• Preflight thresholds ↔ docs sizing numbers (cross-repo).
• Promote the Source-of-truth drift job to a required status check once proven stable.

Refs tracebloc/backend#746

🤖 Generated with Claude Code

[LukasWodka]

👋 Heads-up — Code review queue is at 24 / 8

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• averaging-service#102 — chore(kanban): declare staging as prod-truth branch via .kanban.yml · author: @LukasWodka · no reviewer assigned
• averaging-service#103 — fix(averaging): correctness foundations — DP, shape guard, sklearn weighting, bounded ensembles (chore: add default CODEOWNERS for auto-reviewer assignment #73) · author: @LukasWodka · reviewer: @shujaatTracebloc
• averaging-service#98 — ci: add fr-gate caller workflow · author: @LukasWodka · no reviewer assigned
• backend#732 — feat(experiments): add per-experiment aggregation_strategy field (#730) · author: @LukasWodka · reviewer: @saqlainsyed007, @shujaatTracebloc
• backend#735 — fix(flops): atomic flops_used + fire stop once on threshold crossing (#733) · author: @saadqbal · no reviewer assigned
• cli#61 — fix(install.sh): persist PATH to the shell rc (parity with install.ps1) · author: @LukasWodka · reviewer: @saadqbal
• client#207 — test(charts): add helm-unittest suite for ingestion-authz-configmap · author: @saadqbal · no reviewer assigned
• client#216 — test(charts): add helm-unittest suite for jobs-manager-service template · author: @saadqbal · no reviewer assigned
• client#217 — fix(installer): hard-gate low RAM and measure the container-runtime's view · author: @LukasWodka · no reviewer assigned
• data-ingestors#156 — harden(time-series): reject locale-ambiguous timestamps (silent mis-parse guard) · author: @LukasWodka · no reviewer assigned

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)

[saadqbal]

Solid net-new drift guard — CI-only, can't affect runtime. Check 1 (backend host parity across preflight.sh / install-client-helm.sh / install-k8s.ps1) and Check 2 (workload-name contract: 2a scripts ↔ 2b helm template render) both look correct, and sourcing is side-effect-safe (set + main gated on direct execution) so the bats suite can exercise the helpers. 8/8 bats green. LGTM.