feat(doccano-django): keploy compat lane sample + Python line coverage gate (#101)

* feat: add doccano-django sample (keploy postgres-v3 simple-Query bind regression)

Minimum reproducer for the polymorphic-resourcetype failure that
motivated keploy/integrations#177. Wraps doccano v1.8.5 +
django-rest-polymorphic + postgres 13.3-alpine — the same shape
the bug originally surfaced on (keploy/enterprise PRs #1889 / #1964,
pipelines 3556 / 3572).

Per the keploy-ci-debug skill, the sample owns ALL orchestration
the lane scripts in keploy/integrations and keploy/enterprise need:
the docker-compose, the admin-bootstrap flow, the API traffic loop,
the noise filter (via keploy.yml.template), and a coverage-report
helper. Future lanes that exercise the same backend re-use this
directory; they don't redefine compose / bootstrap / traffic in
their own scripts. The intent is to migrate
enterprise/.ci/scripts/doccano-linux.sh from its current ~400-line
inlined-everything shape down to a thin "clone sample → wrap in
keploy → assert" wrapper in a follow-up PR.

Layout:

* `Dockerfile` — `FROM doccano/doccano:backend`. Wrapper exists
  so a future doccano patch (or a backport of an upstream fix that
  changes the bug-triggering shape) is a one-line edit here, not
  scattered across lane scripts.
* `docker-compose.yml` — postgres + doccano backend on a fixed
  subnet, every name fully env-driven (DOCCANO_BACKEND_CONTAINER /
  DOCCANO_DB_CONTAINER / DOCCANO_APP_PORT / DOCCANO_DB_IP /
  DOCCANO_NETWORK_SUBNET). Lane scripts running multiple matrix
  cells in parallel pass per-cell values so the cells don't
  collide on container names. Two-phase boot
  (DOCCANO_SKIP_BOOTSTRAP=0 → migrations + admin; named volume
  retained; DOCCANO_SKIP_BOOTSTRAP=1 → gunicorn-only against the
  populated volume) so record/replay see a deterministic state.
* `flow.sh` — four subcommands:
    bootstrap      — log in as admin, install the deterministic
                     authtoken_token row so record-time and
                     replay-time Authorization headers match.
    record-traffic — drive the API: 16-call /v1/me warmup hammer
                     (gunicorn worker contenttypes-cache warmup,
                     necessary for the SIGINT-driven shutdown
                     pattern lanes use), POST a polymorphic
                     TextClassificationProject, GET / PATCH it,
                     plus dependent category-types / examples /
                     categories / metrics reads that exercise the
                     multi-bind django_content_type lookups the
                     fix targets. Fire-and-forget; keploy is the
                     assertion layer at replay.
    coverage       — walk the running backend's URL resolver
                     (introspecting actual served methods, not
                     Django's permissive http_method_names default)
                     and the just-recorded keploy/test-set-*
                     tests; emit a (method, path) coverage
                     percentage for the v1/projects + accessory
                     surface.
    list-routes    — print the route table the coverage report
                     uses as its denominator (diagnostic).
* `keploy.yml.template` — globalNoise filter for the inherently
  non-deterministic fields (Date/Expires headers, created_at/
  updated_at body fields). Centralised here so a future doccano
  version that adds another auto-timestamp field is one edit
  rather than a fan-out across lane scripts. Lane scripts
  envsubst this template into the per-cell run dir.
* `README.md` — bug shape, local-run instructions, lane pointers.

Sample is keploy-independent: `docker compose up && bash flow.sh
bootstrap && bash flow.sh record-traffic` works against bare
doccano. Verified locally: 25/25 calls return expected status,
polymorphic resourcetype is `TextClassificationProject` end-to-end.
The route walker emits 144 (method, path) pairs for the v1/projects
+ /v1/me + /v1/users + /v1/health + /v1/auth surface; coverage
matching against synthetic recorded tests rounds correctly.

Lanes that pin to this sample (pinned to the
feat/doccano-django-sample branch via --branch until this PR
merges):

* keploy/integrations `.woodpecker/doccano-postgres.yml` —
  three-way matrix (record-build × replay-build, record-latest ×
  replay-build, record-build × replay-latest); depends_on
  prepare-and-run.
* keploy/enterprise `.woodpecker/doccano-linux.yml` — being
  migrated to consume this sample in a follow-up PR; today still
  uses inline compose generation.

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* fix(doccano-django): gate record-traffic on a real readiness signal

Pipeline 3597 / 909 (post-compose-render fix) failed at:

  Container ... Error dependency postgres failed to start

Misleading. Real cause: doccano_record_traffic fired its very
first POST /v1/projects against a backend whose port was open but
gunicorn was still booting; the 5xx response failed `curl -fsS`,
set -e killed the script silently, the lane saw a zero-second
"traffic done", SIGINTed keploy ~3s later, and the recording
captured nothing. The "dependency postgres failed" line in the
log is downstream noise from the SIGINT compose-down.

Fix: gate doccano_record_traffic on doccano_wait_for_fixed_token
before any curl fires. /v1/me with the fixed Authorization
header is a stronger readiness signal than wait_for_port: it
proves gunicorn is past boot, auth is wired, the named-volume
token is loaded, and the DB is responsive — all four guarantees
the first POST needs.

Lane scripts can keep their own port-level wait (wait_for_port),
but the sample's flow.sh now refuses to fire traffic until the
backend is genuinely serving. Local smoke-test pattern is
unchanged: bootstrap + record-traffic still work standalone.

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* ci: doccano-django sample coverage gate (build vs release)

Adds .github/workflows/doccano-django.yml — runs ONLY on changes
under doccano-django/ (or this workflow file) so unrelated
samples in this repo don't pay the doccano runtime cost.

Three jobs:

* `build-coverage` — checks out the PR's HEAD ref, brings up
  the sample's compose, drives flow.sh bootstrap +
  record-traffic with a per-call audit log enabled, runs
  flow.sh coverage. Captures the percentage as a job output.
* `release-coverage` — same end-to-end against
  github.event.pull_request.base.ref (typically main) so we
  have a baseline to compare against. Skipped on direct push
  events to main (no baseline to diff against — main IS the
  baseline).
* `coverage-gate` — fails the PR if build's coverage drops
  more than COVERAGE_THRESHOLD pp below release.
  COVERAGE_THRESHOLD defaults to 1.0pp; override with the
  `DOCCANO_COVERAGE_THRESHOLD` actions variable per-repo.
  Sticky-comments the PR with the diff via
  marocchino/sticky-pull-request-comment so reviewers see the
  delta inline.

The two measurement jobs share their body via
.github/workflows/scripts/run-and-measure.sh — same script,
different ref. Lifting it out of the YAML keeps the YAML focused
on orchestration (matrix / outputs / artifacts) and the bash on
the actual workflow logic.

Coverage source uses flow.sh's per-call audit log
(DOCCANO_FIRED_ROUTES_FILE). That makes the measurement genuinely
keploy-independent: the workflow doesn't run keploy at all,
doesn't compare against recorded test sets, just measures what
the sample's flow.sh ACTUALLY exercises against doccano's URL
resolver. Lane scripts in keploy/integrations and keploy/enterprise
consume the same flow.sh but use the keploy/test-set-*/tests/*.yaml
tree as their numerator (authoritative — only calls keploy actually
captured count). Both modes are wired into
flow.sh::doccano_list_recorded_routes via the
DOCCANO_FIRED_ROUTES_FILE fallback.

Sample-side changes:

* flow.sh::doccano_wait_for_fixed_token extracted as its own
  function (was inlined into doccano_bootstrap_token, broke
  doccano_record_traffic's forward reference and silently
  fail-fasted under set -e).
* flow.sh::doccano_record_traffic gates on
  doccano_wait_for_fixed_token before any curl fires —
  port-open isn't a sufficient readiness signal under
  SIGINT-driven shutdown, the very first curl -fsS POST would
  5xx on a still-booting gunicorn and silently kill the script.
* flow.sh::log_fired writes (METHOD, URL) to
  DOCCANO_FIRED_ROUTES_FILE before each curl in
  doccano_record_traffic. Cheap, optional (no-op when env var
  unset), and keeps the audit log adjacent to the curl that
  produces it so future contributors can't add a curl without
  also adding the log entry.
* flow.sh::doccano_list_recorded_routes falls back to the audit
  log when no keploy/test-set-*/tests/*.yaml exists — the
  standalone-mode numerator the workflow needs.

Verified locally: workflow body (`run-and-measure.sh`) runs
end-to-end against bare doccano in ~3 minutes, captures 16
unique (method, path) pairs, emits coverage=11.1% to
GITHUB_OUTPUT. The gate logic itself is plain bash + python3
arithmetic; no codecov/coveralls dependency, no hosted service
needed.

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* ci(doccano-django): graceful bootstrap when base ref lacks the sample

Run 25196349264 (the very PR introducing doccano-django/) failed
in release-coverage with:

  An error occurred trying to start process '/usr/bin/bash' with
  working directory '.../doccano-django'. No such file or directory

Expected: the workflow checks out the PR's base ref to compute
the baseline coverage, but on the introducing PR there's no
baseline — `doccano-django/` doesn't exist on main yet.

Fix: a `detect` step inspects whether `doccano-django/flow.sh`
exists on the checked-out base ref. If yes, the measurement
runs as before. If no (first-PR-bootstrap case), an
`empty-baseline` step emits coverage=0.0 onto the job output,
the measurement step is skipped via `if:`, and the upload-
artifact step is also skipped (so we don't claim a non-existent
report file). The job's `outputs.coverage` falls back through
`||` so the gate sees 0.0 either way.

Net effect on the introducing PR: build's coverage (currently
~11%) is compared against 0%, gate trivially passes. After
this PR merges and a future PR edits doccano-django/, the
detect step finds the sample on main, real measurement runs,
real diff applies.

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* feat(doccano-django): real Python line coverage via coverage.py overlay

Replaces the prior API-route-surface "coverage" (which counted
fired routes / known routes — a proxy that read like real coverage
but didn't measure code execution) with actual line coverage via
coverage.py 7.6.1.

Architecture:
  - `Dockerfile.coverage` extends `doccano/doccano:backend` to
    install coverage[toml] and drop a `coverage_subprocess.pth`
    file into site-packages, so every gunicorn worker that forks
    auto-starts `coverage.process_startup()`.
  - `.coveragerc` runs in parallel mode (one .coverage.<pid> per
    worker) with sigterm = true so flushing happens on graceful
    shutdown.
  - `docker-compose.coverage.yml` is an OVERLAY: the GH Actions
    coverage workflow applies it via `-f docker-compose.yml -f
    docker-compose.coverage.yml`. The base `Dockerfile` and
    `docker-compose.yml` are untouched, so keploy/integrations and
    keploy/enterprise CI lanes consume the base compose and pay
    zero coverage-instrumentation cost.
  - `flow.sh::doccano_report_coverage` shells into the running
    backend, runs `coverage combine` + `coverage report
    --format=total`, emits `Covered N/M (XX.X%)` matching the
    helper script's regex. When called against the base image
    (no overlay) it prints "INFO: ... uninstrumented" and exits 0
    so enterprise lanes' `flow.sh coverage || true` informational
    calls keep working.

Removed:
  - `doccano_list_routes` (the Django URL-resolver walk).
  - `doccano_list_recorded_routes` (the keploy-tests / fired-routes
    reader).
  - The legacy route-surface `doccano_report_coverage` body.
  - `list-routes` subcommand (was diagnostic only for the surface
    metric).

Validated locally: e2e run produced `coverage=59.0` to
GITHUB_OUTPUT against a clean stack (gunicorn 4 workers, traffic
loop fired, SIGTERM flush, combine+report inside container).
59% reflects bootstrap + the sample's small traffic surface;
adding curls to flow.sh::doccano_record_traffic moves the
number up.

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* ci(doccano-django): drop trailing prose from sticky comment

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* docs(doccano-django): split run section into smoke / coverage / keploy modes

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* fix(doccano-django): own skip-bootstrap replay mode

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* fix(doccano-django): nest globalNoise schema so the filter actually applies

keploy's GlobalNoise type is map[string]map[string][]string —
outer key is the response section ("header" / "body"), inner
key is the field name. Flat dotted keys like `body.created_at: []`
get put into the outer map as literal key "body.created_at" and
never match any section, so the noise is silently dropped. The
template's drift-suppression list was a no-op; only Date got
ignored at compare time because keploy auto-stamps Date as per-test
noise on every recording, and everything else slipped through.

Same shape of fix landed in samples-typescript/umami-postgres in
93bbdae; documenting the gotcha in this template's comments so
the next sample doesn't repeat it.

Validation pending — doccano cells haven't run yet on the active
keploy/enterprise PR (#1889). The matrix-cell collision fix
landed in keploy/enterprise#1889 (commit 84cd64b1) opens up the
lane enough for the noise filter to actually be exercised against
real drift.

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

---------

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

Author: AkashKumar7902

.github/workflows/doccano-django.yml

@@ -0,0 +1,197 @@
+# doccano-django sample CI — keploy-independent end-to-end smoke +
+# coverage gate.
+#
+# Triggers ONLY on changes under doccano-django/ (or this workflow
+# file). Other samples in this repo have their own orthogonal CI;
+# gating the whole repo on every doccano change would slow them
+# all down for no benefit.
+#
+# What it gates:
+#   * `release-coverage` — checks out the PR's base branch (main)
+#     and runs the sample end-to-end: docker compose up, bootstrap
+#     admin token, drive flow.sh record-traffic with the per-call
+#     audit log enabled, capture the route-coverage percentage from
+#     `flow.sh coverage`. This is the baseline.
+#   * `build-coverage` — same end-to-end against the PR's HEAD ref.
+#   * `coverage-gate` — fails the PR if `build`'s coverage drops
+#     more than COVERAGE_THRESHOLD percentage points below
+#     `release`. Default threshold is 1.0pp; override via repo
+#     variable `DOCCANO_COVERAGE_THRESHOLD` for a tighter or
+#     looser bar.
+#
+# On push to main, only `build-coverage` runs (no baseline to
+# compare against — main IS the baseline).
+#
+# Standards-aligned choices:
+#   * `paths:` filter on both push and pull_request triggers — the
+#     canonical GH Actions way to scope a workflow to one
+#     subdirectory.
+#   * Job outputs (steps.<id>.outputs.coverage → needs.<job>.outputs)
+#     to thread the captured percentage between jobs.
+#   * `concurrency:` cancel-in-progress on the same ref so a stale
+#     run doesn't waste runner minutes.
+#   * actions/upload-artifact for the human-readable
+#     coverage_report.txt — reviewers can inspect missing routes
+#     directly from the PR's "checks" tab.
+#   * marocchino/sticky-pull-request-comment for the PR-side diff
+#     comment. Pinned-by-header so successive runs update the same
+#     comment instead of fanning out.
+#   * The compare step is plain bash + python3 (no external
+#     coverage service). For full Python coverage.py XMLs you'd
+#     want diff-cover or codecov, but the sample's coverage is
+#     API-route-based (single percentage), so the gate is a 3-line
+#     subtraction.
+#
+# Sample is genuinely keploy-independent here: the workflow uses
+# flow.sh's $DOCCANO_FIRED_ROUTES_FILE per-call audit log as its
+# numerator source, not a keploy recording. The lane scripts in
+# keploy/integrations and keploy/enterprise consume the same
+# flow.sh, but use the keploy/test-set-*/tests/*.yaml tree as
+# their numerator (authoritative — only calls keploy actually
+# CAPTURED count). Both modes are wired into
+# `flow.sh::doccano_list_recorded_routes`.
+name: doccano-django sample
+
+on:
+  pull_request:
+    paths:
+      - 'doccano-django/**'
+      - '.github/workflows/doccano-django.yml'
+  push:
+    branches: [main]
+    paths:
+      - 'doccano-django/**'
+      - '.github/workflows/doccano-django.yml'
+  workflow_dispatch: {}
+
+concurrency:
+  group: doccano-django-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  COVERAGE_THRESHOLD: ${{ vars.DOCCANO_COVERAGE_THRESHOLD || '1.0' }}
+
+jobs:
+  build-coverage:
+    name: build (current ref) coverage
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    outputs:
+      coverage: ${{ steps.measure.outputs.coverage }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: measure
+        name: Run sample end-to-end + measure coverage
+        working-directory: doccano-django
+        env:
+          DOCCANO_FIRED_ROUTES_FILE: ${{ runner.temp }}/fired-routes-build.log
+          DOCCANO_PHASE: ci-build
+        run: ../.github/workflows/scripts/run-and-measure.sh
+
+      - name: Upload coverage report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-build
+          path: doccano-django/coverage_report.txt
+          if-no-files-found: warn
+
+  release-coverage:
+    if: github.event_name == 'pull_request'
+    name: release (base ref) coverage
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    outputs:
+      coverage: ${{ steps.measure.outputs.coverage || steps.empty-baseline.outputs.coverage }}
+      sample-existed: ${{ steps.detect.outputs.sample-existed }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.base.ref }}
+
+      # First-PR bootstrap escape hatch: the very PR that
+      # introduces the doccano-django/ sample has no baseline
+      # (doccano-django/ doesn't exist on the base ref). Detect
+      # that and short-circuit to coverage=0; the gate then
+      # treats build's coverage as the new baseline and trivially
+      # passes for any percentage > 0. After the introducing PR
+      # merges, every subsequent PR has a real baseline to diff
+      # against.
+      - id: detect
+        name: Detect baseline presence
+        run: |
+          if [ -d doccano-django ] && [ -x doccano-django/flow.sh ]; then
+            echo "sample-existed=true" >>"$GITHUB_OUTPUT"
+            echo "Sample exists on base ref — running full measurement."
+          else
+            echo "sample-existed=false" >>"$GITHUB_OUTPUT"
+            echo "No doccano-django/ on base ref — first-PR bootstrap; baseline coverage treated as 0%."
+          fi
+
+      - id: measure
+        name: Run sample end-to-end + measure coverage
+        if: steps.detect.outputs.sample-existed == 'true'
+        working-directory: doccano-django
+        env:
+          DOCCANO_FIRED_ROUTES_FILE: ${{ runner.temp }}/fired-routes-release.log
+          DOCCANO_PHASE: ci-release
+        run: ../.github/workflows/scripts/run-and-measure.sh
+
+      - id: empty-baseline
+        name: Emit zero baseline (first-PR bootstrap)
+        if: steps.detect.outputs.sample-existed != 'true'
+        run: echo "coverage=0.0" >>"$GITHUB_OUTPUT"
+
+      - name: Upload coverage report
+        if: always() && steps.detect.outputs.sample-existed == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-release
+          path: doccano-django/coverage_report.txt
+          if-no-files-found: warn
+
+  coverage-gate:
+    if: github.event_name == 'pull_request'
+    name: coverage gate
+    needs: [build-coverage, release-coverage]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Compare build vs release
+        env:
+          BUILD: ${{ needs.build-coverage.outputs.coverage }}
+          RELEASE: ${{ needs.release-coverage.outputs.coverage }}
+          THRESHOLD: ${{ env.COVERAGE_THRESHOLD }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: |
+          set -Eeuo pipefail
+          if [ -z "${BUILD:-}" ] || [ -z "${RELEASE:-}" ]; then
+            echo "::error::missing coverage outputs — build='${BUILD:-}' release='${RELEASE:-}'"
+            exit 1
+          fi
+          drop=$(python3 -c "print(round(${RELEASE} - ${BUILD}, 2))")
+          echo "Release (${BASE_REF}): ${RELEASE}%"
+          echo "Build   (this PR):     ${BUILD}%"
+          echo "Drop:                  ${drop}pp (threshold ${THRESHOLD}pp)"
+          if python3 -c "import sys; sys.exit(0 if (${RELEASE} - ${BUILD}) > ${THRESHOLD} else 1)"; then
+            echo "::error::doccano-django coverage dropped from ${RELEASE}% → ${BUILD}% (-${drop}pp), exceeding the ${THRESHOLD}pp threshold."
+            echo "Suggested actions:"
+            echo "  * Add curl(s) to flow.sh::doccano_record_traffic that exercise the new code paths."
+            echo "  * Or extend the .coveragerc 'omit' list if the new module is not part of the runtime backend (migrations, management commands, tests)."
+            exit 1
+          fi
+          echo "OK — coverage delta within ${THRESHOLD}pp threshold."
+
+      - name: Sticky PR comment
+        if: ${{ !cancelled() }}
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          header: doccano-django-coverage
+          message: |
+            ### doccano-django sample coverage
+
+            | ref | coverage |
+            |---|---|
+            | base (`${{ github.event.pull_request.base.ref }}`) | **${{ needs.release-coverage.outputs.coverage }}%** |
+            | this PR | **${{ needs.build-coverage.outputs.coverage }}%** |
+
+            Threshold: PR may not drop coverage by more than **${{ env.COVERAGE_THRESHOLD }}pp**. Override per-repo via the `DOCCANO_COVERAGE_THRESHOLD` actions variable.

.github/workflows/scripts/run-and-measure.sh

@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+#
+# run-and-measure.sh — bring doccano up under the coverage overlay,
+# run flow.sh bootstrap + record-traffic, flush coverage from each
+# gunicorn worker, run flow.sh coverage to combine + report, and
+# emit `coverage=PCT` onto $GITHUB_OUTPUT for the downstream
+# coverage-gate job.
+#
+# Called from .github/workflows/doccano-django.yml's build-coverage
+# and release-coverage jobs (one per ref under comparison). Both
+# jobs source the same script so the measurement is identical
+# across refs — any drift in the numerator definition would
+# otherwise produce a misleading delta.
+#
+# Coverage isolation contract:
+#   * Base `Dockerfile` and `docker-compose.yml` are untouched.
+#   * The overlay `Dockerfile.coverage` + `docker-compose.coverage.yml`
+#     adds coverage.py + the auto-start .pth file. ONLY this script
+#     applies the overlay; the keploy/integrations and
+#     keploy/enterprise CI lanes consume the base compose and pay
+#     zero coverage-instrumentation cost.
+#
+# Inputs (from the workflow env):
+#   DOCCANO_PHASE     — label spliced into the project name so
+#                       build vs release runs don't collide.
+#   GITHUB_OUTPUT     — standard GH Actions sink for step outputs.
+set -Eeuo pipefail
+
+export DOCCANO_BACKEND_CONTAINER="${DOCCANO_BACKEND_CONTAINER:-doccano_backend}"
+export DOCCANO_DB_CONTAINER="${DOCCANO_DB_CONTAINER:-doccano_db}"
+export DOCCANO_APP_PORT="${DOCCANO_APP_PORT:-18080}"
+export DOCCANO_FIXED_TOKEN="${DOCCANO_FIXED_TOKEN:-ac38262065f0ae1476b6a707d9d697a101764a6b}"
+
+mkdir -p coverage
+chmod 777 coverage    # worker UID inside container differs from runner UID
+sudo rm -rf coverage/.coverage* 2>/dev/null || rm -rf coverage/.coverage* 2>/dev/null || true
+
+COMPOSE=(docker compose -f docker-compose.yml -f docker-compose.coverage.yml)
+
+# Stage 1: bring up doccano with bootstrap so the schema migrations
+# and the admin user persist into the named DB volume. The overlay
+# image runs gunicorn with coverage.process_startup() auto-armed in
+# every forked worker.
+DOCCANO_SKIP_BOOTSTRAP=0 "${COMPOSE[@]}" up -d --build
+
+# Wait for the backend to start serving (cold doccano boot runs
+# Django migrations + admin user create — on a GH runner this can
+# hit 90-120s).
+for i in $(seq 1 120); do
+    code=$(curl -sS -o /dev/null -w '%{http_code}' \
+        "http://127.0.0.1:${DOCCANO_APP_PORT}/v1/health/" 2>/dev/null || echo "")
+    if [ -n "$code" ] && [ "$code" != "000" ]; then break; fi
+    sleep 2
+done
+
+bash flow.sh bootstrap 240
+"${COMPOSE[@]}" down --remove-orphans
+
+# Stage 2: re-launch in skip-bootstrap mode against the populated
+# volume; same shape the keploy lanes use. The overlay layer is
+# preserved across compose-down (only `down -v` would wipe the
+# named volume), so coverage tooling is still wired in.
+DOCCANO_SKIP_BOOTSTRAP=1 "${COMPOSE[@]}" up -d
+
+# flow.sh::doccano_record_traffic gates on doccano_wait_for_fixed_token
+# internally, so this won't fire curls at a half-booted backend.
+bash flow.sh record-traffic
+
+# Flush coverage from each gunicorn worker. coverage.py with
+# sigterm = true writes the in-flight per-worker .coverage.<pid>
+# data file to /coverage on SIGTERM; `compose kill -s SIGTERM`
+# delivers it to the container's main process which propagates to
+# its workers via gunicorn's graceful shutdown.
+"${COMPOSE[@]}" kill -s SIGTERM backend
+# coverage.py's sigterm hook is synchronous but the OS-level
+# write+fsync needs a moment.
+sleep 3
+
+# Bring backend back up so `flow.sh coverage` can docker-exec
+# `coverage combine` + `coverage report` inside.
+"${COMPOSE[@]}" up -d backend
+for i in $(seq 1 60); do
+    if docker exec "$DOCCANO_BACKEND_CONTAINER" sh -c 'ls /coverage/.coverage.* >/dev/null 2>&1'; then
+        break
+    fi
+    sleep 1
+done
+
+COVERAGE_REPORT_FILE="$PWD/coverage_report.txt" bash flow.sh coverage
+
+# Parse `Covered N/M (XX.X%)` — anchored on the parenthesised form
+# so a future report-prose change doesn't break the parse.
+pct=$(grep -oE '\([0-9]+\.[0-9]+%\)' coverage_report.txt | head -1 | tr -d '()%')
+if [ -z "$pct" ]; then
+    echo "::error::Could not parse coverage percentage from coverage_report.txt"
+    cat coverage_report.txt || true
+    exit 1
+fi
+echo "coverage=${pct}" >>"$GITHUB_OUTPUT"
+echo "coverage: ${pct}% (Python line coverage via coverage.py)"
+
+"${COMPOSE[@]}" down -v --remove-orphans

doccano-django/.coveragerc

@@ -0,0 +1,21 @@
+[run]
+# Per-process line coverage of the backend Django code.
+#
+# parallel + sigterm: gunicorn forks WORKERS subprocesses; each
+# writes its own .coverage.<host>.<pid> file under /coverage.
+# `combine` merges them at report time. `sigterm = true` flushes
+# the in-flight data on SIGTERM so the reaper from the workflow
+# captures it.
+parallel = true
+sigterm = true
+branch = false
+data_file = /coverage/.coverage
+source = /backend
+
+omit =
+    */tests/*
+    */migrations/*
+    */__pycache__/*
+    /backend/manage.py
+    /backend/config/wsgi.py
+    /backend/config/asgi.py

doccano-django/.gitignore

@@ -0,0 +1,2 @@
+coverage/
+coverage_report.txt

doccano-django/Dockerfile

@@ -0,0 +1,21 @@
+# Thin wrapper around doccano's official backend image at the version
+# this sample tracks. Pinning here (rather than in each lane script
+# under keploy/integrations / keploy/enterprise) means a future
+# doccano release that changes the bug-triggering shape is a one-line
+# retag in this repo, not a hunt across the CI tree.
+#
+# Upstream tag: doccano/doccano:backend (the rolling backend tag)
+# Source pin:   doccano/doccano @ v1.8.5
+#               https://github.com/doccano/doccano/releases/tag/v1.8.5
+#
+# v1.8.5 was the version exercised on keploy/enterprise pipeline 3556
+# (PR #1889) and pipeline 3572 (PR #1964 minimal repro) where the
+# bug originally manifested.
+FROM doccano/doccano:backend
+
+USER root
+COPY doccano-entrypoint.sh /opt/bin/doccano-keploy-entrypoint.sh
+RUN chmod +x /opt/bin/doccano-keploy-entrypoint.sh
+USER doccano
+
+ENTRYPOINT ["/opt/bin/doccano-keploy-entrypoint.sh"]

doccano-django/Dockerfile.coverage

@@ -0,0 +1,37 @@
+# Coverage-instrumented variant of the doccano backend image.
+#
+# Base `Dockerfile` (and `docker-compose.yml`) are deliberately
+# untouched so the keploy enterprise / integrations lanes — which
+# consume them as-is — pay zero coverage-instrumentation cost. This
+# overlay image is built and run ONLY by the standalone GitHub
+# Actions workflow under `.github/workflows/doccano-django.yml`,
+# wired in via `docker-compose.coverage.yml`.
+#
+# What the overlay adds:
+#   * `coverage` (Python coverage.py) installed into the same
+#     site-packages as gunicorn / Django.
+#   * `.coveragerc` placed at /backend/.coveragerc — the working
+#     directory the upstream image starts gunicorn from. With
+#     `COVERAGE_PROCESS_START=/backend/.coveragerc` exported into
+#     the container env (set in the compose overlay), every
+#     gunicorn worker that imports `coverage.process_startup` via
+#     site-packages will pick the rcfile up; combined with `parallel
+#     = true` and `sigterm = true` in the rcfile, this gives us
+#     real per-worker line coverage that flushes on SIGTERM.
+FROM doccano/doccano:backend
+
+USER root
+RUN pip install --no-cache-dir 'coverage[toml]==7.6.1'
+
+# Subprocess auto-start: a .pth file in site-packages is processed
+# at every Python startup, so each gunicorn worker that forks calls
+# coverage.process_startup() before any Django code runs. This is
+# the canonical way coverage.py instruments forked subprocesses
+# (see "Measuring sub-processes" in the coverage.py docs).
+RUN echo 'import coverage; coverage.process_startup()' \
+    > /usr/local/lib/python3.10/site-packages/coverage_subprocess.pth
+
+COPY .coveragerc /backend/.coveragerc
+RUN mkdir -p /coverage \
+    && chown -R doccano:doccano /coverage /backend/.coveragerc
+USER doccano