fix(worker): fix GCS FUSE k8s runner shell syntax, sidecar detection, and Helm config

- k8s-runner: fix VOLUME_CAPTURE_SCRIPT join from '; ' to '\n' — busybox ash
  rejects 'do;' as a syntax error, causing all K8s jobs to fail with
  'sh: syntax error: unexpected ";"'
- k8s-runner: check initContainerStatuses as well as containerStatuses for
  GCS FUSE sidecar detection (GKE ≥1.28 native sidecar injection)
- test-gcs-volume: use printf instead of echo to produce valid JSON output;
  remove unused OUTPUT_DELIMITER constant
- helm/app-secret: add SECRET_STORE_MASTER_KEY to both system and workers
  namespace secrets (required by new env validation schema)
- helm/worker-deployment: expose SECRET_STORE_MASTER_KEY from secret as env var
- helm/gke-managed: add secretStoreMasterKey dev value; add GCS FUSE k8s config
  (gcsBucket, jobServiceAccount, jobRunnerGcpSa, workerGcpSa); update worker
  image tag to tested build 49d5de9-wk-fix2-20260218003437
- infra/dev/main.tf: add GCS FUSE CSI addon; volumes bucket with 7-day lifecycle;
  worker and job-runner GCP SAs with Workload Identity bindings and bucket IAM

Integration test validated: worker uploads input.txt to GCS, K8s alpine job
reads it via GCS FUSE CSI mount at /inputs, writes JSON output, worker parses
result. All tests pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>

Author: betterclever

deploy/helm/shipsec/templates/app-secret.local.yaml

@@ -13,6 +13,7 @@ stringData:
   MINIO_ROOT_PASSWORD: {{ .Values.secrets.minioRootPassword | quote }}
   MINIO_ACCESS_KEY: {{ .Values.secrets.minioRootUser | quote }}
   MINIO_SECRET_KEY: {{ .Values.secrets.minioRootPassword | quote }}
+  SECRET_STORE_MASTER_KEY: {{ .Values.secrets.secretStoreMasterKey | quote }}
 ---
 apiVersion: v1
 kind: Secret
@@ -28,4 +29,5 @@ stringData:
   MINIO_ROOT_PASSWORD: {{ .Values.secrets.minioRootPassword | quote }}
   MINIO_ACCESS_KEY: {{ .Values.secrets.minioRootUser | quote }}
   MINIO_SECRET_KEY: {{ .Values.secrets.minioRootPassword | quote }}
+  SECRET_STORE_MASTER_KEY: {{ .Values.secrets.secretStoreMasterKey | quote }}
 {{- end }}

deploy/helm/shipsec/templates/worker-deployment.yaml

@@ -42,6 +42,11 @@ spec:
             secretKeyRef:
               name: {{ .Values.secrets.name }}
               key: MINIO_SECRET_KEY
+        - name: SECRET_STORE_MASTER_KEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.name }}
+              key: SECRET_STORE_MASTER_KEY
         {{- if eq .Values.execution.mode "k8s" }}
         - name: EXECUTION_MODE
           value: "k8s"

deploy/helm/shipsec/values/gke-managed.yaml

@@ -14,6 +14,7 @@ secrets:
   databaseUrl: 'postgresql://shipsec:shipsec-dev-2026@10.25.225.3:5432/shipsec'
   minioRootUser: minioadmin
   minioRootPassword: minioadmin
+  secretStoreMasterKey: '0123456789abcdef0123456789abcdef'
 
 backend:
   image:
@@ -44,7 +45,7 @@ backend:
 worker:
   image:
     repository: us-central1-docker.pkg.dev/shipsec/shipsec-studio/worker
-    tag: f1b15727-wk-amd64-v3
+    tag: 49d5de9a-wk-fix2-20260218003437
   env:
     NODE_ENV: production
     SHIPSEC_ENV: local

infra/gcp/envs/dev/main.tf

@@ -274,6 +274,27 @@ resource "google_storage_bucket" "volumes" {
   }
 }
 
+# GCP SA for the worker pod (Workload Identity → GCS SDK access)
+resource "google_service_account" "worker" {
+  project      = var.project_id
+  account_id   = "shipsec-worker"
+  display_name = "ShipSec Worker"
+}
+
+# Workload Identity: shipsec-workers/shipsec-worker KSA → shipsec-worker GCP SA
+resource "google_service_account_iam_member" "worker_wi" {
+  service_account_id = google_service_account.worker.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[shipsec-workers/shipsec-worker]"
+}
+
+# Worker SA → volumes bucket access (reads inputs, reads outputs via SDK)
+resource "google_storage_bucket_iam_member" "worker_volumes" {
+  bucket = google_storage_bucket.volumes.name
+  role   = "roles/storage.objectUser"
+  member = "serviceAccount:${google_service_account.worker.email}"
+}
+
 # GCP SA for job pods (mounted via GCS FUSE CSI)
 resource "google_service_account" "job_runner" {
   project      = var.project_id
@@ -349,3 +370,7 @@ output "gcs_volumes_bucket" {
 output "job_runner_sa_email" {
   value = google_service_account.job_runner.email
 }
+
+output "worker_sa_email" {
+  value = google_service_account.worker.email
+}

worker/src/testing/test-gcs-volume.ts

@@ -0,0 +1,140 @@
+#!/usr/bin/env bun
+/**
+ * End-to-end integration test for GCS FUSE volume sharing.
+ *
+ * Validates the full flow:
+ *   1. IsolatedGcsVolume.initialize() uploads files to GCS
+ *   2. K8s job mounts them via GCS FUSE CSI at /inputs
+ *   3. Job reads the file, writes output to /shipsec-output/result.json
+ *   4. Worker reads the JSON output from pod logs
+ *   5. volume.cleanup() removes GCS objects
+ *
+ * Run inside the worker pod:
+ *   kubectl exec -n shipsec-workers <pod> -- bun run /app/worker/src/testing/test-gcs-volume.ts
+ */
+
+import { IsolatedGcsVolume } from '../utils/gcs-volume';
+import { runComponentInK8sJob } from '../utils/k8s-runner';
+import type { ExecutionContext } from '@shipsec/component-sdk';
+import type { DockerRunnerConfig } from '@shipsec/component-sdk';
+
+const PASS = '\x1b[32m✓\x1b[0m';
+const FAIL = '\x1b[31m✗\x1b[0m';
+
+function makeContext(): ExecutionContext {
+  return {
+    runId: `test-gcs-${Date.now()}`,
+    componentRef: 'test.gcs.volume',
+    logger: {
+      info: (msg: string) => console.log(`  [info] ${msg}`),
+      warn: (msg: string) => console.warn(`  [warn] ${msg}`),
+      error: (msg: string) => console.error(`  [error] ${msg}`),
+      debug: (msg: string) => console.log(`  [debug] ${msg}`),
+    },
+    emitProgress: (msg: string) => console.log(`  [progress] ${msg}`),
+    secrets: undefined,
+    storage: undefined,
+    artifacts: undefined,
+    trace: undefined,
+    logCollector: undefined,
+    terminalCollector: undefined,
+    metadata: { runId: `test-gcs-${Date.now()}`, componentRef: 'test.gcs.volume' },
+    http: { fetch: fetch as any, toCurl: () => '' },
+  } as any;
+}
+
+async function testVolumeWriteRead() {
+  console.log('\n── Test 1: GCS volume write → K8s job read ──');
+
+  const volume = new IsolatedGcsVolume('testtenant', `run${Date.now()}`);
+  const testContent = `hello-from-gcs-${Date.now()}`;
+
+  // 1. Upload file to GCS
+  const prefix = await volume.initialize({ 'input.txt': testContent });
+  console.log(`  ${PASS} Uploaded input.txt to GCS prefix: ${prefix}`);
+
+  const ctx = makeContext();
+
+  // 2. Runner: alpine reads /inputs/input.txt and writes JSON output
+  const runner: DockerRunnerConfig = {
+    kind: 'docker',
+    image: 'alpine:3.20',
+    entrypoint: 'sh',
+    command: [
+      '-c',
+      `content=$(cat /inputs/input.txt); printf '{"content":"%s"}' "$content" > /shipsec-output/result.json`,
+    ],
+    timeoutSeconds: 60,
+    volumes: [volume.getVolumeConfig('/inputs', true)],
+  };
+
+  try {
+    const result = await runComponentInK8sJob<unknown, { content: string }>(runner, {}, ctx);
+    console.log(`  ${PASS} K8s job completed, result:`, result);
+
+    if (result?.content === testContent) {
+      console.log(`  ${PASS} Content matches! "${result.content}"`);
+    } else {
+      console.error(
+        `  ${FAIL} Content mismatch: expected "${testContent}", got "${result?.content}"`,
+      );
+      process.exit(1);
+    }
+  } finally {
+    await volume.cleanup();
+    console.log(`  ${PASS} GCS volume cleaned up`);
+  }
+}
+
+async function testVolumeCleanup() {
+  console.log('\n── Test 2: GCS volume cleanup removes objects ──');
+
+  const { Storage } = await import('@google-cloud/storage');
+  const storage = new Storage();
+  const bucket = storage.bucket(process.env.GCS_VOLUME_BUCKET!);
+
+  const volume = new IsolatedGcsVolume('testcleanup', `run${Date.now()}`);
+  await volume.initialize({ 'deleteme.txt': 'temporary' });
+  const prefix = volume.getVolumeName()!;
+
+  // Verify file exists
+  const [before] = await bucket.getFiles({ prefix });
+  if (before.length === 0) {
+    console.error(`  ${FAIL} File not found in GCS before cleanup`);
+    process.exit(1);
+  }
+  console.log(`  ${PASS} File exists in GCS (${before.length} object(s))`);
+
+  await volume.cleanup();
+
+  // Verify file deleted
+  const [after] = await bucket.getFiles({ prefix });
+  if (after.length === 0) {
+    console.log(`  ${PASS} GCS objects cleaned up successfully`);
+  } else {
+    console.error(`  ${FAIL} ${after.length} objects still remain after cleanup`);
+    process.exit(1);
+  }
+}
+
+async function main() {
+  console.log('🧪 GCS FUSE Volume Integration Tests');
+  console.log(`   EXECUTION_MODE=${process.env.EXECUTION_MODE}`);
+  console.log(`   GCS_VOLUME_BUCKET=${process.env.GCS_VOLUME_BUCKET}`);
+  console.log(`   K8S_JOB_NAMESPACE=${process.env.K8S_JOB_NAMESPACE}`);
+
+  if (!process.env.GCS_VOLUME_BUCKET) {
+    console.error(`${FAIL} GCS_VOLUME_BUCKET not set`);
+    process.exit(1);
+  }
+
+  await testVolumeCleanup();
+  await testVolumeWriteRead();
+
+  console.log('\n\x1b[32m✓ All tests passed\x1b[0m\n');
+}
+
+main().catch((err) => {
+  console.error(`\n${FAIL} Test failed:`, err);
+  process.exit(1);
+});

worker/src/utils/k8s-runner.ts

@@ -84,7 +84,7 @@ const VOLUME_CAPTURE_SCRIPT = [
   '    echo "___FILE_END___"',
   '  done',
   'done',
-].join('; ');
+].join('\n');
 
 /**
  * Build the command wrapper that emits the output file to stdout.
@@ -711,7 +711,13 @@ async function waitForGcsFuseFlush(
 
   while (Date.now() < deadline) {
     const pod = await core.readNamespacedPod({ name: podName, namespace });
-    const sidecar = pod.status?.containerStatuses?.find((c) => c.name === 'gke-gcsfuse-sidecar');
+    // GCS FUSE sidecar may appear in containerStatuses (K8s ≥1.28 native sidecar)
+    // or initContainerStatuses (older injection approach)
+    const allStatuses = [
+      ...(pod.status?.containerStatuses ?? []),
+      ...(pod.status?.initContainerStatuses ?? []),
+    ];
+    const sidecar = allStatuses.find((c) => c.name === 'gke-gcsfuse-sidecar');
 
     if (!sidecar) {
       // No sidecar found — GCS FUSE may not have been injected, skip wait