begin-testbox: self-terminate when phone-home is rejected by the backend

action.yml

@@ -1,13 +1,13 @@
 name: 'Begin Testbox'
 description: 'Initialize a Blacksmith Testbox session. Phones home to receive config, installs SSH key and rsync.'
 
 inputs:
   testbox_id:
     description: 'Testbox session ID (from workflow_dispatch input). Leave empty for validation mode.'
     required: false
     default: ''
   api_url:
     description: 'Override the backend API URL (default: discovered from VM metadata)'
     required: false
 
 runs:
@@ -17,7 +17,7 @@
       shell: bash
       run: |
         if [ -z "${{ inputs.testbox_id }}" ]; then
           echo "::notice::Running in validation mode — setup steps will be validated without starting a testbox session."
         fi
 
     - name: Discover metadata service
@@ -26,7 +26,7 @@
       run: |
         METADATA_PORT="${METADATA_PORT:-}"
         if [ -z "$METADATA_PORT" ]; then
           METADATA_PORT=$(cat /proc/cmdline | tr ' ' '\n' | grep '^metadata_port=' | cut -d'=' -f2)
           if [ -z "$METADATA_PORT" ]; then
             echo "metadata_port not found in kernel cmdline"
             echo "available=false" >> "$GITHUB_OUTPUT"
@@ -49,20 +49,20 @@
         mkdir -p "$STATE"
         chmod 700 "$STATE"
 
         INSTALLATION_MODEL_ID=$(curl -s --connect-timeout 2 --max-time 5 "http://${METADATA_ADDR}/installationModelID")
         if [ -n "$API_URL_OVERRIDE" ]; then
           API_URL="$API_URL_OVERRIDE"
         else
           API_URL=$(curl -s --connect-timeout 2 --max-time 5 "http://${METADATA_ADDR}/backendURL")
         fi
 
         # Piggyback on the VM's stickyDiskToken for phone-home authentication.
         # This is a Sanctum token that proves the caller is a real Blacksmith VM
         # belonging to the claimed installation — it's only accessible from inside
         # the VM via the metadata service and is not publicly visible.
         AUTH_TOKEN=$(curl -s --connect-timeout 2 --max-time 5 "http://${METADATA_ADDR}/stickyDiskToken")
 
         if [ -z "$API_URL" ] || [ -z "$INSTALLATION_MODEL_ID" ] || [ -z "$AUTH_TOKEN" ]; then
           echo "Warning: could not read required metadata (backendURL, installationModelID, stickyDiskToken)"
           exit 0
         fi
@@ -74,7 +74,10 @@
         fi
         RUNNER_SSH_PORT="${BLACKSMITH_SSH_PORT:-22}"
 
-        RESPONSE=$(curl -s -f -X POST "${API_URL}/api/testbox/phone-home" \
+        # Capture the HTTP status separately from the body so we can tell a
+        # definitive backend rejection (4xx) apart from a transient failure
+        # (5xx / network error). Transport errors leave HTTP_STATUS as 000.
+        HTTP_STATUS=$(curl -s -o "$STATE/phone_home_response" -w "%{http_code}" -X POST "${API_URL}/api/testbox/phone-home" \
           -H "Content-Type: application/json" \
           -H "Authorization: Bearer ${AUTH_TOKEN}" \
           -d "{
@@ -86,10 +89,29 @@
             \"working_directory\": \"${GITHUB_WORKSPACE}\",
             \"adopted_run_id\": \"${GITHUB_RUN_ID}\",
             \"metadata\": {}
-          }" 2>/dev/null) || {
-          echo "Warning: phone-home (hydrating) failed, continuing in degraded mode"
-          RESPONSE=""
-        }
+          }" 2>/dev/null) || HTTP_STATUS="000"
+        RESPONSE=$(cat "$STATE/phone_home_response" 2>/dev/null || true)
+        rm -f "$STATE/phone_home_response"
+
+        case "$HTTP_STATUS" in
+          2*)
+            ;;
+          4*)
+            # The backend understood the handshake and refused it: it has no
+            # record of this testbox (typically a staging/production backend
+            # mismatch), the token is invalid, or the testbox was already shut
+            # down. Keeping the runner alive would just hang until the idle
+            # timeout, so self-terminate instead.
+            echo "::error::Testbox phone-home rejected by ${API_URL} (HTTP ${HTTP_STATUS}): ${RESPONSE}"
+            echo "::error::This backend has no usable record of testbox ${TESTBOX_ID}. This usually means the testbox was dispatched against a different backend environment (staging vs production) than the one serving this runner. Self-terminating."
+            rm -rf "$STATE"
+            exit 1
+            ;;
+          *)
+            echo "Warning: phone-home (hydrating) failed (HTTP ${HTTP_STATUS}), continuing in degraded mode"
+            RESPONSE=""
+            ;;
+        esac
 
         echo "$TESTBOX_ID" > "$STATE/testbox_id"
         echo "$INSTALLATION_MODEL_ID" > "$STATE/installation_model_id"