CCM-10483: add readme

harrim91 · harrim91 · commit 6eccceed0b99 · 2025-07-01T16:02:44.000+01:00
diff --git a/scripts/config/vale/styles/config/vocabularies/words/accept.txt b/scripts/config/vale/styles/config/vocabularies/words/accept.txt
@@ -4,6 +4,7 @@ bot
 Cognito
 Cyber
 Dependabot
+dev
 draw.io
 drawio
 endcapture
@@ -21,8 +22,10 @@ onboarding
 Podman
 Python
 rawContent
+repo
 sed
 Syft
 Terraform
 toolchain
 Trufflehog
+Zod
diff --git a/tests/contracts/README.md b/tests/contracts/README.md
@@ -0,0 +1,213 @@
+# Contract Testing Spike
+
+## Summary
+
+This spike demonstrates an event-driven contract testing framework with the following features:
+
+- Consumers defining their expectations with Pact
+- Providers defining canonical schema contracts with JSON schema (golden contracts)
+- Contract sharing with S3
+- CI enforcing both consumer-driven and provider-driven correctness
+
+---
+
+## Terminology
+
+**Consumer**
+The system (usually a service or Lambda) that **receives** or **reacts to** an event. In Pact contract testing, the consumer defines what kind of event payloads it can handle.
+
+**Provider**
+The system that **produces** and emits an event. In this setup, providers define canonical JSON Schemas (golden contracts) for the events they emit.
+
+> N.B. A service can be both a provider and a consumer of events
+
+**Golden Contract**
+A JSON Schema file generated and owned by the provider, representing the authoritative shape of an event. Consumers use this to validate they are handling messages correctly.
+
+**Pact**
+A contract testing tool used for consumer-driven contracts. Consumers define what they expect from the provider, and providers verify that they meet those expectations.
+
+---
+
+## Project Structure
+
+```txt
+├── scripts # bash heaven
+│   ├── ci-verify-provider.sh - mushes together steps required for provider-side validation in CI
+│   ├── clean.sh # deletes all local generated/downloaded contract files
+│   ├── download-consumer-pacts.sh # downloads pact files generated by consumers for use in provider-side pact tests
+│   ├── download-golden-contracts.sh # downloads golden contracts generated by providers, for use in consumer-side validation
+│   ├── generate-golden-contracts.ts # generates golden contracts for event providers
+│   ├── upload-consumer-pacts.sh # uploads pact files generated by consumer-side pact tests
+│   ├── upload-golden-contracts.sh # uploads generated golden contracts to s3
+│   └── verify-golden-contracts.sh # verifies client-provided example events against provider-generated golden contracts
+|
+├── src # pseudo source-code
+│   ├── <service>
+│   │   ├── events # code related to publishing events
+│   │   │   ├── .schemas # generated golden contracts - gitignored
+│   │   │   │   └── <EventName>.schema.json
+│   │   │   |
+│   │   │   └── <event-name>.event.ts # code that generates an event payload
+│   │   |
+│   │   └── handlers # code related to consuming events
+│   │       └── template-deleted.handler.ts # event parsing and handling code
+|
+├── tests # contract testing code
+│   ├── <service>
+│   │   ├── consumer # tests for event consumption
+│   │   │   ├── .pacts # generated pact files outlining consumers expectations - gitignored
+│   │   │   │   └── <consumer>-<provider>.json
+│   │   │   |
+│   │   │   ├── .schemas # downloaded golden contracts from providers - gitignored
+│   │   │   │   └── <provider>
+│   │   │   │       └── <EventName>.schema.json
+│   │   │   |
+│   │   │   ├── config.json # Lists the provider(s) and event(s) that the consumer depends on. Used to fetch only the relevant golden contracts
+│   │   │   |
+│   │   │   ├── examples # sample json files representing what the consumer thinks it might receive. These are validated against golden contracts to catch schema mismatches
+│   │   │   │   └── <provider>
+│   │   │   │       └── <EventName>
+│   │   │   │           └── <scenario>.json
+│   │   │   │
+│   │   │   └── <event-name>.consumer.pact.test.ts # pact test file, outlines consumers expectations and generates pact file
+│   │   |
+│   │   └── provider # tests for event production
+│   │       ├── .pacts # downloaded pact files from consumers - gitignored
+│   │       │   └── <consumer>-<provider>.json
+│   │       └── <event-name>.provider.pact.test.ts # validates an emitted event against consumer expectations
+```
+
+---
+
+## Scenario
+
+The POC defines 3 services - `auth`, `core` and `templates`, which act as event providers and consumers:
+
+### Service Event Responsibilities
+
+#### auth
+
+**Emits:**
+
+| Event       | Consumed By |
+|-------------|-------------|
+| UserCreated | templates   |
+
+**Consumes:**
+
+| Event           | Emitted By |
+|------------------|-------------|
+| TemplateDeleted  | templates   |
+
+---
+
+#### templates
+
+**Emits:**
+
+| Event           | Consumed By     |
+|------------------|------------------|
+| TemplateDeleted  | auth, core       |
+
+**Consumes:**
+
+| Event       | Emitted By |
+|-------------|-------------|
+| UserCreated | auth        |
+
+---
+
+#### core
+
+**Emits:** _(none)_
+
+**Consumes:**
+
+| Event           | Emitted By |
+|------------------|-------------|
+| TemplateDeleted  | templates   |
+
+---
+
+## Contract Types
+
+### Consumer-Driven (Pact)
+
+- Pact consumer tests generate `.json` contracts for expected messages.
+- Stored under: `tests/<service>/consumer/.pacts/`
+- Uploaded to: `s3://<bucket>/pacts/<provider>/` - indexed by provider for easy download by provider
+- Downloaded and validated on provider-side, to ensure that the provider is meeting consumer expectations
+
+### Provider-Driven (Golden Contracts)
+
+- JSON Schemas are generated by event providers using Zod + `zod-to-json-schema`.
+- Flattened at generation time to avoid `$ref` - this is a bit of a quirk
+- Saved to: `src/<service>/events/.schemas/`
+- Uploaded to: `s3://<bucket>/golden/<provider>/<Event>.schema.json`
+- Downloaded and validated against example events on client-side
+
+## Running locally
+
+Ensure you are signed into AWS, and have `PACT_BUCKET` set in your environment variables. I've been using the artifact bucket in the templates dev account.
+
+Then from the repository root, let's test out some golden contracts:
+
+- Start by generating some golden contracts for the provider services - `npm run test:contracts:generate:provider`
+- Upload the golden contracts to S3 - `npm run test:contracts:upload:provider`
+- Download them from S3 into the consumer tests - `npm run test:contracts:download:provider`
+- Validate that the consumers expectations are valid against the golden contracts - `npm run test:contracts:consumer:golden`
+
+Next, lets run some consumer-driven pact tests:
+
+- Run the consumer tests, and generate some Pact contract files - `npm run test:contracts:consumer`
+- Upload those to S3 - `npm run test:contracts:upload:consumer`
+- Now download those Pact contracts into the provider tests - `npm run test:contracts:download:consumer`
+- And validate that the events emitted by providers match the expectations of the consumers - `npm run test:contracts:provider`
+
+At any point, clean up all of the locally stored contract files using `npm run test:contracts:clean`
+
+I apologize for the very confusing command names.
+
+## CI Flow
+
+The CI flow contains both consumer and provider test jobs - a service can be both a provider and consumer of events.
+
+Currently the CI bits have been plumbed into the existing CI job. Because this repo defines multiple services which emit and consume events, it loops over each service and runs the tests all at once. In reality a repo would only define a single service, and only one set of provider tests and one set of consumer tests would be executed.
+
+### Consumer job
+
+The consumer test job in CI performs the following steps:
+
+1. **Download golden contracts**
+   Based on the consumer's `config.json`, only the required event schemas are pulled from S3.
+
+2. **Validate consumer example payloads**
+   Local examples are validated against the downloaded golden contracts using `@sourcemeta/jsonschema`. If any validation fails, the job stops here - no Pact contracts are generated or uploaded.
+
+3. **Run Pact consumer tests**
+   If schema validation passes, Pact tests are run to verify that the consumer's expectations are correctly captured in the contract.
+
+4. **Upload Pact contracts to S3**
+   Validated contracts are published to S3 under a provider-specific path for use in provider-side verification.
+
+### Provider Job
+
+The provider test job in CI performs the following steps:
+
+1. **Download Pact contracts from S3**
+   All Pact contracts for the provider are downloaded from `s3://<bucket>/pacts/<provider>/`. These contracts are written by consumers and define their expected message shapes. (N.B. Different consumers can have different expectations!)
+
+2. **Run Pact provider tests**
+   The provider uses real message-producing code to generate event payloads, which are then validated against each downloaded Pact contract.
+
+3. **Skip verification gracefully if no contracts found**
+   If no contracts are present in S3 (i.e. if nobody is consuming any events) the job logs a warning and exits successfully without running tests.
+
+This job ensures that the provider is compatible with all currently published consumer expectations.
+
+## Next Steps
+
+- Try open-source, self-hosted Pact broker for sharing contracts (instead of S3)
+- Think about versioning contracts (using git branch/tags/commit-sha?)
+- Simplify scripts and CI - remove iteration, run steps for one service at a time
