feat: add validate command for API7 EE backend

[jarvis9443]

What

Add a validate subcommand that validates local ADC configuration against the server-side /apisix/admin/configs/validate API provided by API7 EE Dashboard. This performs comprehensive server-side validation (JSON Schema, plugin check_schema, duplicate ID detection) as a dry-run — nothing is persisted.

Why

The existing lint command only checks ADC's own Zod schema. It can't catch issues like invalid plugin configs, schema violations defined by the backend, or duplicate resource IDs. The validate API fills this gap by running the same validation that would happen during a real sync, without any side effects.

Changes

SDK (libs/sdk/src/backend/index.ts)

• Add BackendValidateResult and BackendValidationError interfaces
• Add optional validate() and supportValidate() methods to Backend interface

backend-api7 (libs/backend-api7/src/)

• New Validator class that transforms ADC hierarchical configuration to flat backend-native format and POSTs to the validate endpoint
• supportValidate() with version gating (>= 3.9.10)
• validate() method on BackendAPI7

CLI (apps/cli/src/)

• New ValidateTask with version checking and user-friendly error formatting
• New validate command: adc validate -f adc.yaml [--no-lint] [--backend api7ee]
• Pipeline: InitBackend → LoadLocal → Lint → Validate

E2E Tests (libs/backend-api7/e2e/validate.e2e-spec.ts)

• Valid config, invalid plugin, invalid route, multiple errors, mixed resources, dry-run verification
• Version-gated with conditionalDescribe(semverCondition(gte, '3.9.10'))

Usage

# Validate against API7 EE
adc validate -f adc.yaml --backend api7ee --gateway-group default

# Skip lint step
adc validate -f adc.yaml --no-lint

Scope

This PR covers API7 EE backend only. APISIX and standalone backend support will follow in a separate PR.

Summary by CodeRabbit

• New Features

  • Added an adc validate command to validate one or more local config files (supports label/resource selectors and --lint). Provides detailed, resource-aware validation errors and requires backend >= 3.9.10 to run.
  • Backends can now report validation results so validation is available when supported by the server.

• Tests

  • Added end-to-end tests covering validation success, failure cases, aggregation, and dry-run behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a294c6f4-92ad-4db9-a659-583a8f4108cd

📥 Commits

Reviewing files that changed from the base of the PR and between e374db9 and 5106e64.

📒 Files selected for processing (1)

• libs/backend-api7/e2e/validate.e2e-spec.ts

✅ Files skipped from review due to trivial changes (1)

• libs/backend-api7/e2e/validate.e2e-spec.ts

---

📝 Walkthrough

Walkthrough

Adds a new validation feature: CLI validate command and task, SDK validation types, BackendAPI7 validation support and Validator HTTP client, plus E2E tests exercising backend validation behavior.

Changes

Cohort / File(s)	Summary
CLI Command apps/cli/src/command/index.ts, apps/cli/src/command/validate.command.ts	Register new ValidateCommand; new command accepts multi --file and --lint, builds Listr pipeline to init backend, load/filter local configs, optionally lint, and run validation.
CLI Tasks apps/cli/src/tasks/index.ts, apps/cli/src/tasks/validate.ts	Re-export validate task; added ValidateTask that checks supportValidate(), calls backend.validate(), and formats/throws aggregated validation errors.
SDK Types libs/sdk/src/backend/index.ts	Added BackendValidationError and BackendValidateResult types; extended Backend interface with optional validate() method.
BackendAPI7 Core libs/backend-api7/src/index.ts	Added supportValidate() (semver check) and validate(config) methods delegating to Validator.
BackendAPI7 Validator libs/backend-api7/src/validator.ts	New Validator class that builds payloads, POSTs to /apisix/admin/configs/validate, handles 200/400 responses, emits AXIOS_DEBUG events, and maps errors into SDK result shape.
E2E Tests libs/backend-api7/e2e/validate.e2e-spec.ts	New comprehensive tests (gated >= 3.9.10) covering support detection, success/failure cases, multiple errors, mixed resources, and dry-run verification.

Sequence Diagram

sequenceDiagram
    participant CLI as CLI Command
    participant Task as Validate Task
    participant Backend as BackendAPI7
    participant Validator as Validator Class
    participant API as APISIX Admin API

    CLI->>Task: run validate with options
    Task->>Backend: supportValidate()
    Backend->>Backend: version() & semver check
    Backend-->>Task: support true/false

    alt supported
        Task->>Backend: validate(config)
        Backend->>Validator: new Validator(...).validate(config)
        Validator->>API: POST /apisix/admin/configs/validate
        alt 200 OK
            API-->>Validator: 200 {…}
            Validator-->>Backend: { success: true, errors: [] }
        else 400 Bad Request
            API-->>Validator: 400 { error_msg, errors }
            Validator-->>Backend: { success: false, errorMessage, errors }
        end
        Backend-->>Task: BackendValidateResult
        Task->>Task: format errors & throw if !success
    else not supported
        Task-->>Task: throw unsupported error
    end

    Task-->>CLI: return success or exit with error

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

test/api7

Suggested reviewers

• bzp2010
• guoqqqi
• nic-6443

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main feature added: a new validate command for the API7 EE backend, which is the primary focus of all code changes.
E2e Test Quality Review	✅ Passed	E2E test suite uses real services, tests complete business flow, covers multiple validation scenarios with clear assertions, proper error handling throughout implementation, and comprehensive scenario coverage.
Security Check	✅ Passed	The validate command PR demonstrates solid security practices with proper credential handling, safe error extraction, and read-only operations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/validate-api7

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

libs/backend-api7/e2e/validate.e2e-spec.ts (1)

10-13: Unused imports: syncEvents, createEvent, deleteEvent.

These utilities are imported but not used in any test case.

♻️ Proposed fix

 import {
   conditionalDescribe,
   generateHTTPSAgent,
   semverCondition,
-  syncEvents,
-  createEvent,
-  deleteEvent,
 } from './support/utils';

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@libs/backend-api7/e2e/validate.e2e-spec.ts` around lines 10 - 13, The import
list includes unused symbols syncEvents, createEvent, and deleteEvent; remove
these three identifiers from the import statement (or, if they were intended to
be used, add the appropriate test cases that call syncEvents, createEvent, and
deleteEvent) so the test file no longer contains unused imports—update the
import line where syncEvents, createEvent, deleteEvent are listed to only import
the utilities actually used.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@libs/backend-api7/src/validator.ts`:
- Around line 113-118: The current mapping for config.ssls computes sslId as
ssl.id ?? ADCSDK.utils.generateId(ssl.snis?.[0] ?? '') which will call
generateId('') when snis is undefined or an empty array; change the logic in the
block that builds body.ssls (the map that sets sslId and calls
fromADC.transformSSL) to explicitly detect missing/empty ssl.snis and handle it
safely: either require/validate presence of snis (log a warning and skip or
throw), or derive a non-empty id using a safer seed (e.g., use a random/unique
value or serialize the ssl object) instead of ''. Ensure you reference
config.ssls, ssl.snis, ADCSDK.utils.generateId, sslId and fromADC.transformSSL
when making the change so no empty-string seed is passed to generateId.

---

Nitpick comments:
In `@libs/backend-api7/e2e/validate.e2e-spec.ts`:
- Around line 10-13: The import list includes unused symbols syncEvents,
createEvent, and deleteEvent; remove these three identifiers from the import
statement (or, if they were intended to be used, add the appropriate test cases
that call syncEvents, createEvent, and deleteEvent) so the test file no longer
contains unused imports—update the import line where syncEvents, createEvent,
deleteEvent are listed to only import the utilities actually used.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ccc2e6a2-01a4-4230-8913-b42d44c6bdbe

📥 Commits

Reviewing files that changed from the base of the PR and between d13f53a and e374db9.

📒 Files selected for processing (8)

• apps/cli/src/command/index.ts
• apps/cli/src/command/validate.command.ts
• apps/cli/src/tasks/index.ts
• apps/cli/src/tasks/validate.ts
• libs/backend-api7/e2e/validate.e2e-spec.ts
• libs/backend-api7/src/index.ts
• libs/backend-api7/src/validator.ts
• libs/sdk/src/backend/index.ts