@agentuity/cli 0.0.69 → 0.0.70

package/src/crypto/box.test.ts

@@ -1,431 +0,0 @@
-import { describe, test, expect, beforeAll } from 'bun:test';
-import { generateKeyPairSync, KeyObject } from 'node:crypto';
-import { Readable, Writable } from 'node:stream';
-import { encryptFIPSKEMDEMStream, decryptFIPSKEMDEMStream } from './box';
-
-function createReadableStream(data: Buffer): Readable {
-	return Readable.from([data]);
-}
-
-class CollectorStream extends Writable {
-	private chunks: Buffer[] = [];
-
-	_write(chunk: Buffer, _encoding: string, callback: () => void): void {
-		this.chunks.push(chunk);
-		callback();
-	}
-
-	getData(): Buffer {
-		return Buffer.concat(this.chunks);
-	}
-}
-
-function generateP256KeyPair(): { publicKey: KeyObject; privateKey: KeyObject } {
-	return generateKeyPairSync('ec', {
-		namedCurve: 'prime256v1',
-	});
-}
-
-function generateP384KeyPair(): { publicKey: KeyObject; privateKey: KeyObject } {
-	return generateKeyPairSync('ec', {
-		namedCurve: 'secp384r1',
-	});
-}
-
-describe('crypto/box', () => {
-	describe('TestBasicEncryptDecrypt', () => {
-		let keyPair: { publicKey: KeyObject; privateKey: KeyObject };
-
-		beforeAll(() => {
-			keyPair = generateP256KeyPair();
-		});
-
-		const testCases = [
-			{ name: 'empty', data: Buffer.alloc(0) },
-			{ name: 'small', data: Buffer.from('hello world') },
-			{ name: 'medium', data: Buffer.alloc(1000).fill('A') },
-			{ name: 'large', data: Buffer.alloc(100000).fill('B') },
-			{ name: 'exactly_one_frame', data: Buffer.alloc(64 * 1024).fill('C') },
-			{ name: 'just_over_one_frame', data: Buffer.alloc(64 * 1024 + 1).fill('D') },
-		];
-
-		for (const tc of testCases) {
-			test(tc.name, async () => {
-				const src = createReadableStream(tc.data);
-				const encrypted = new CollectorStream();
-				const written = await encryptFIPSKEMDEMStream(keyPair.publicKey, src, encrypted);
-
-				expect(written).toBe(tc.data.length);
-
-				const encryptedData = encrypted.getData();
-				const decryptSrc = createReadableStream(encryptedData);
-				const decrypted = new CollectorStream();
-				const read = await decryptFIPSKEMDEMStream(keyPair.privateKey, decryptSrc, decrypted);
-
-				expect(read).toBe(tc.data.length);
-
-				const decryptedData = decrypted.getData();
-				expect(decryptedData.equals(tc.data)).toBe(true);
-			});
-		}
-	});
-
-	describe('TestDifferentKeys', () => {
-		test('should fail to decrypt with wrong key', async () => {
-			const keyPair1 = generateP256KeyPair();
-			const keyPair2 = generateP256KeyPair();
-
-			const data = Buffer.from('test data');
-
-			const src = createReadableStream(data);
-			const encrypted = new CollectorStream();
-			await encryptFIPSKEMDEMStream(keyPair1.publicKey, src, encrypted);
-
-			const encryptedData = encrypted.getData();
-			const decryptSrc = createReadableStream(encryptedData);
-			const decrypted = new CollectorStream();
-
-			await expect(
-				decryptFIPSKEMDEMStream(keyPair2.privateKey, decryptSrc, decrypted)
-			).rejects.toThrow('DEK unwrap failed');
-		});
-	});
-
-	describe('TestMalformedHeaders', () => {
-		let keyPair: { publicKey: KeyObject; privateKey: KeyObject };
-
-		beforeAll(() => {
-			keyPair = generateP256KeyPair();
-		});
-
-		const testCases = [
-			{ name: 'empty', data: Buffer.alloc(0), err: 'unexpected EOF' },
-			{ name: 'partial_len', data: Buffer.from([0]), err: 'unexpected EOF' },
-			{
-				name: 'invalid_wrapped_len',
-				data: Buffer.from([0x10, 0x00]),
-				err: 'invalid wrapped DEK length',
-			},
-			{ name: 'zero_len', data: Buffer.from([0x00, 0x00]), err: 'invalid wrapped DEK length' },
-		];
-
-		for (const tc of testCases) {
-			test(tc.name, async () => {
-				const src = createReadableStream(tc.data);
-				const decrypted = new CollectorStream();
-
-				await expect(
-					decryptFIPSKEMDEMStream(keyPair.privateKey, src, decrypted)
-				).rejects.toThrow(tc.err);
-			});
-		}
-	});
-
-	describe('TestMalformedChunks', () => {
-		test('should fail authentication for malformed chunk', async () => {
-			const keyPair = generateP256KeyPair();
-
-			const buf = Buffer.alloc(2 + 113 + 12 + 2 + 32);
-			let offset = 0;
-
-			buf.writeUInt16BE(113, offset); // reasonable wrapped length (65+32+16)
-			offset += 2;
-			offset += 113;
-			offset += 12;
-
-			buf.writeUInt16BE(32, offset); // reasonable chunk size
-			offset += 2;
-
-			const src = createReadableStream(buf);
-			const decrypted = new CollectorStream();
-
-			await expect(
-				decryptFIPSKEMDEMStream(keyPair.privateKey, src, decrypted)
-			).rejects.toThrow();
-		});
-	});
-
-	describe('TestStreamEOF', () => {
-		test('should handle empty stream', async () => {
-			const keyPair = generateP256KeyPair();
-
-			const src = createReadableStream(Buffer.alloc(0));
-			const encrypted = new CollectorStream();
-
-			const written = await encryptFIPSKEMDEMStream(keyPair.publicKey, src, encrypted);
-			expect(written).toBe(0);
-
-			const encryptedData = encrypted.getData();
-			const decryptSrc = createReadableStream(encryptedData);
-			const decrypted = new CollectorStream();
-
-			const read = await decryptFIPSKEMDEMStream(keyPair.privateKey, decryptSrc, decrypted);
-			expect(read).toBe(0);
-		});
-	});
-
-	describe('TestNonceReuseProtection', () => {
-		test('different encryptions should produce different ciphertexts', async () => {
-			const keyPair = generateP256KeyPair();
-			const data = Buffer.from('test data for nonce reuse protection');
-
-			const src1 = createReadableStream(data);
-			const encrypted1 = new CollectorStream();
-			await encryptFIPSKEMDEMStream(keyPair.publicKey, src1, encrypted1);
-
-			const src2 = createReadableStream(data);
-			const encrypted2 = new CollectorStream();
-			await encryptFIPSKEMDEMStream(keyPair.publicKey, src2, encrypted2);
-
-			const enc1Data = encrypted1.getData();
-			const enc2Data = encrypted2.getData();
-			expect(enc1Data.equals(enc2Data)).toBe(false);
-
-			const decryptSrc1 = createReadableStream(enc1Data);
-			const decrypted1 = new CollectorStream();
-			await decryptFIPSKEMDEMStream(keyPair.privateKey, decryptSrc1, decrypted1);
-
-			const decryptSrc2 = createReadableStream(enc2Data);
-			const decrypted2 = new CollectorStream();
-			await decryptFIPSKEMDEMStream(keyPair.privateKey, decryptSrc2, decrypted2);
-
-			expect(decrypted1.getData().equals(data)).toBe(true);
-			expect(decrypted2.getData().equals(data)).toBe(true);
-		});
-	});
-
-	describe('TestFrameSizeBoundaries', () => {
-		let keyPair: { publicKey: KeyObject; privateKey: KeyObject };
-
-		beforeAll(() => {
-			keyPair = generateP256KeyPair();
-		});
-
-		const FRAME = 65519;
-		const testCases = [
-			{ name: 'exactly_max_frame', size: FRAME },
-			{ name: 'max_frame_minus_1', size: FRAME - 1 },
-			{ name: 'max_frame_plus_1', size: FRAME + 1 },
-			{ name: 'half_frame', size: Math.floor(FRAME / 2) },
-			{ name: 'double_frame', size: FRAME * 2 },
-		];
-
-		for (const tc of testCases) {
-			test(tc.name, async () => {
-				const data = Buffer.alloc(tc.size).fill('A');
-
-				const src = createReadableStream(data);
-				const encrypted = new CollectorStream();
-				const written = await encryptFIPSKEMDEMStream(keyPair.publicKey, src, encrypted);
-
-				expect(written).toBe(tc.size);
-
-				const encryptedData = encrypted.getData();
-				const decryptSrc = createReadableStream(encryptedData);
-				const decrypted = new CollectorStream();
-				const read = await decryptFIPSKEMDEMStream(keyPair.privateKey, decryptSrc, decrypted);
-
-				expect(read).toBe(tc.size);
-
-				const decryptedData = decrypted.getData();
-				expect(decryptedData.equals(data)).toBe(true);
-			});
-		}
-	});
-
-	describe('TestUint16OverflowProtection', () => {
-		test('should not overflow with maximum frame size', async () => {
-			const FRAME = 65519;
-			const GCM_TAG = 16;
-
-			const maxExpected = FRAME + GCM_TAG;
-			expect(maxExpected).toBeLessThanOrEqual(0xffff);
-
-			const keyPair = generateP256KeyPair();
-			const data = Buffer.alloc(FRAME).fill('B');
-
-			const src = createReadableStream(data);
-			const encrypted = new CollectorStream();
-
-			await expect(encryptFIPSKEMDEMStream(keyPair.publicKey, src, encrypted)).resolves.toBe(
-				FRAME
-			);
-		});
-	});
-
-	describe('TestUnsupportedCurves', () => {
-		test('should reject P-384 keys', async () => {
-			const keyPair384 = generateP384KeyPair();
-			const data = Buffer.from('test data');
-
-			const src = createReadableStream(data);
-			const encrypted = new CollectorStream();
-
-			await expect(
-				encryptFIPSKEMDEMStream(keyPair384.publicKey, src, encrypted)
-			).rejects.toThrow('only P-256 keys supported');
-
-			const decryptSrc = createReadableStream(Buffer.alloc(0));
-			const decrypted = new CollectorStream();
-
-			await expect(
-				decryptFIPSKEMDEMStream(keyPair384.privateKey, decryptSrc, decrypted)
-			).rejects.toThrow('only P-256 keys supported');
-		});
-	});
-
-	describe('TestConcurrentOperations', () => {
-		test('should handle concurrent encrypt/decrypt operations', async () => {
-			const keyPair = generateP256KeyPair();
-			const numGoroutines = 10;
-			const dataSize = 10000;
-
-			const promises: Promise<void>[] = [];
-
-			for (let i = 0; i < numGoroutines; i++) {
-				const promise = (async (id: number) => {
-					const data = Buffer.alloc(Math.floor(dataSize / 10))
-						.fill(`data${id}`)
-						.subarray(0, Math.floor(dataSize / 10));
-
-					const src = createReadableStream(data);
-					const encrypted = new CollectorStream();
-					await encryptFIPSKEMDEMStream(keyPair.publicKey, src, encrypted);
-
-					const encryptedData = encrypted.getData();
-					const decryptSrc = createReadableStream(encryptedData);
-					const decrypted = new CollectorStream();
-					await decryptFIPSKEMDEMStream(keyPair.privateKey, decryptSrc, decrypted);
-
-					const decryptedData = decrypted.getData();
-					if (!decryptedData.equals(data)) {
-						throw new Error(`goroutine ${id} data mismatch`);
-					}
-				})(i);
-
-				promises.push(promise);
-			}
-
-			await Promise.all(promises);
-		});
-	});
-
-	describe('TestDifferentKeyPairs', () => {
-		test('should work with correct key and fail with wrong key', async () => {
-			const keyPair1 = generateP256KeyPair();
-			const keyPair2 = generateP256KeyPair();
-			const data = Buffer.from('test data');
-
-			const src = createReadableStream(data);
-			const encrypted = new CollectorStream();
-			const written = await encryptFIPSKEMDEMStream(keyPair1.publicKey, src, encrypted);
-
-			expect(written).toBe(data.length);
-
-			const encryptedData = encrypted.getData();
-			const decryptSrc1 = createReadableStream(encryptedData);
-			const decrypted1 = new CollectorStream();
-			const read = await decryptFIPSKEMDEMStream(keyPair1.privateKey, decryptSrc1, decrypted1);
-
-			expect(read).toBe(data.length);
-			expect(decrypted1.getData().equals(data)).toBe(true);
-
-			const decryptSrc2 = createReadableStream(encryptedData);
-			const decrypted2 = new CollectorStream();
-
-			await expect(
-				decryptFIPSKEMDEMStream(keyPair2.privateKey, decryptSrc2, decrypted2)
-			).rejects.toThrow();
-
-			expect(decrypted2.getData().length).toBe(0);
-		});
-	});
-
-	describe('TestPartialCorruption', () => {
-		test('should handle corrupted data gracefully', async () => {
-			const keyPair = generateP256KeyPair();
-			const testData = Buffer.from('This is test data for corruption testing');
-
-			const src = createReadableStream(testData);
-			const encrypted = new CollectorStream();
-			await encryptFIPSKEMDEMStream(keyPair.publicKey, src, encrypted);
-
-			const validEncrypted = encrypted.getData();
-
-			const corruptPositions = [
-				0, // Header start
-				1, // Header middle
-				Math.floor(validEncrypted.length / 4), // Early data
-				Math.floor(validEncrypted.length / 2), // Middle data
-				Math.floor((3 * validEncrypted.length) / 4), // Late data
-				validEncrypted.length - 1, // End data
-			];
-
-			for (const pos of corruptPositions) {
-				if (pos >= validEncrypted.length) {
-					continue;
-				}
-
-				const corrupted = Buffer.from(validEncrypted);
-				corrupted[pos] ^= 0x01; // Flip one bit
-
-				const decryptSrc = createReadableStream(corrupted);
-				const decrypted = new CollectorStream();
-
-				await expect(
-					decryptFIPSKEMDEMStream(keyPair.privateKey, decryptSrc, decrypted)
-				).rejects.toThrow();
-			}
-		});
-	});
-
-	describe('TestLargeData', () => {
-		test('should handle multi-megabyte data', async () => {
-			const keyPair = generateP256KeyPair();
-			const data = Buffer.alloc(1024 * 1024).fill('X');
-
-			const src = createReadableStream(data);
-			const encrypted = new CollectorStream();
-			const written = await encryptFIPSKEMDEMStream(keyPair.publicKey, src, encrypted);
-
-			expect(written).toBe(data.length);
-
-			const encryptedData = encrypted.getData();
-			const decryptSrc = createReadableStream(encryptedData);
-			const decrypted = new CollectorStream();
-			const read = await decryptFIPSKEMDEMStream(keyPair.privateKey, decryptSrc, decrypted);
-
-			expect(read).toBe(data.length);
-
-			const decryptedData = decrypted.getData();
-			expect(decryptedData.equals(data)).toBe(true);
-		});
-	});
-
-	describe('TestChunkTooLarge', () => {
-		test('should reject chunks that are too large', async () => {
-			const keyPair = generateP256KeyPair();
-			const data = Buffer.from('test data');
-
-			const src = createReadableStream(data);
-			const encrypted = new CollectorStream();
-			await encryptFIPSKEMDEMStream(keyPair.publicKey, src, encrypted);
-
-			const validEncrypted = encrypted.getData();
-			const headerSize = 2 + validEncrypted.readUInt16BE(0) + 12;
-			const chunkSizeOffset = headerSize;
-
-			const corrupted = Buffer.from(validEncrypted);
-			const FRAME = 65519;
-			const GCM_TAG = 16;
-			corrupted.writeUInt16BE(FRAME + GCM_TAG, chunkSizeOffset);
-
-			const decryptSrc = createReadableStream(corrupted);
-			const decrypted = new CollectorStream();
-
-			await expect(
-				decryptFIPSKEMDEMStream(keyPair.privateKey, decryptSrc, decrypted)
-			).rejects.toThrow();
-		});
-	});
-});

package/src/env-util.test.ts

@@ -1,194 +0,0 @@
-import { describe, test, expect } from 'bun:test';
-import { looksLikeSecret } from './env-util';
-
-describe('looksLikeSecret', () => {
-	describe('key name patterns', () => {
-		test('detects _SECRET suffix', () => {
-			expect(looksLikeSecret('API_SECRET', 'value')).toBe(true);
-			expect(looksLikeSecret('DB_SECRET', 'value')).toBe(true);
-		});
-
-		test('detects _KEY suffix', () => {
-			expect(looksLikeSecret('API_KEY', 'value')).toBe(true);
-			expect(looksLikeSecret('STRIPE_KEY', 'value')).toBe(true);
-		});
-
-		test('detects _TOKEN suffix', () => {
-			expect(looksLikeSecret('AUTH_TOKEN', 'value')).toBe(true);
-			expect(looksLikeSecret('GITHUB_TOKEN', 'value')).toBe(true);
-		});
-
-		test('detects _PASSWORD suffix', () => {
-			expect(looksLikeSecret('DB_PASSWORD', 'value')).toBe(true);
-			expect(looksLikeSecret('ADMIN_PASSWORD', 'value')).toBe(true);
-		});
-
-		test('detects _PRIVATE suffix', () => {
-			expect(looksLikeSecret('SSH_PRIVATE', 'value')).toBe(true);
-		});
-
-		test('detects _CERT and _CERTIFICATE suffixes', () => {
-			expect(looksLikeSecret('SSL_CERT', 'value')).toBe(true);
-			expect(looksLikeSecret('SSL_CERTIFICATE', 'value')).toBe(true);
-		});
-
-		test('detects SECRET_ prefix', () => {
-			expect(looksLikeSecret('SECRET_VALUE', 'value')).toBe(true);
-		});
-
-		test('detects APIKEY and API_KEY patterns', () => {
-			expect(looksLikeSecret('APIKEY', 'value')).toBe(true);
-			expect(looksLikeSecret('API_KEY', 'value')).toBe(true);
-		});
-
-		test('detects JWT prefix', () => {
-			expect(looksLikeSecret('JWT_SECRET', 'value')).toBe(true);
-			expect(looksLikeSecret('JWT', 'value')).toBe(true);
-		});
-
-		test('detects PASSWORD in key name', () => {
-			expect(looksLikeSecret('DATABASE_PASSWORD', 'value')).toBe(true);
-			expect(looksLikeSecret('PASSWORD', 'value')).toBe(true);
-		});
-
-		test('detects CREDENTIAL in key name', () => {
-			expect(looksLikeSecret('AWS_CREDENTIALS', 'value')).toBe(true);
-		});
-
-		test('detects AUTH.*KEY pattern', () => {
-			expect(looksLikeSecret('AUTH_API_KEY', 'value')).toBe(true);
-			expect(looksLikeSecret('AUTHKEY', 'value')).toBe(true);
-		});
-
-		test('is case insensitive for key patterns', () => {
-			expect(looksLikeSecret('api_secret', 'value')).toBe(true);
-			expect(looksLikeSecret('Api_Key', 'value')).toBe(true);
-			expect(looksLikeSecret('AUTH_token', 'value')).toBe(true);
-		});
-	});
-
-	describe('value patterns', () => {
-		test('detects JWT tokens', () => {
-			const jwt =
-				'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
-			expect(looksLikeSecret('TOKEN', jwt)).toBe(true);
-			expect(looksLikeSecret('SOME_VAR', jwt)).toBe(true);
-		});
-
-		test('detects Bearer tokens', () => {
-			expect(looksLikeSecret('AUTH', 'Bearer abc123def456ghi789jkl012mno345pqr')).toBe(true);
-		});
-
-		test('detects AWS access keys', () => {
-			expect(looksLikeSecret('AWS', 'AKIAIOSFODNN7EXAMPLE')).toBe(true);
-			expect(looksLikeSecret('AWS', 'ASIAIOSFODNN7EXAMPLE')).toBe(true);
-		});
-
-		test('detects GitHub tokens', () => {
-			expect(looksLikeSecret('GH', 'ghp_1234567890abcdefghijklmnopqrstuvwxyz')).toBe(true);
-			expect(looksLikeSecret('GH', 'ghs_1234567890abcdefghijklmnopqrstuvwxyz')).toBe(true);
-		});
-
-		test('detects long alphanumeric strings (API keys)', () => {
-			// 32+ characters, mixed alphanumeric
-			expect(
-				looksLikeSecret('KEY', 'sk_test_51A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0U1V2W3X4Y5Z6')
-			).toBe(true);
-			expect(looksLikeSecret('KEY', 'abc123def456ghi789jkl012mno345pqr678stu901vwx234yz')).toBe(
-				true
-			);
-		});
-
-		test('does not flag numeric-only long strings', () => {
-			expect(looksLikeSecret('ID', '12345678901234567890123456789012')).toBe(false);
-		});
-
-		test('detects PEM certificates', () => {
-			expect(looksLikeSecret('CERT', '-----BEGIN CERTIFICATE-----\nMIIC...')).toBe(true);
-			expect(looksLikeSecret('CERT', '-----BEGIN PRIVATE KEY-----\nMIIC...')).toBe(true);
-			expect(looksLikeSecret('CERT', '-----BEGIN RSA PRIVATE KEY-----\nMIIC...')).toBe(true);
-		});
-
-		test('does not flag short values', () => {
-			expect(looksLikeSecret('VAR', 'short')).toBe(false);
-			expect(looksLikeSecret('VAR', '1234567')).toBe(false);
-		});
-
-		test('does not flag empty values', () => {
-			expect(looksLikeSecret('VAR', '')).toBe(false);
-		});
-	});
-
-	describe('non-secret patterns', () => {
-		test('regular environment variables are not flagged', () => {
-			expect(looksLikeSecret('NODE_ENV', 'production')).toBe(false);
-			expect(looksLikeSecret('PORT', '3500')).toBe(false);
-			expect(looksLikeSecret('HOST', 'localhost')).toBe(false);
-			expect(looksLikeSecret('DATABASE_URL', 'postgres://localhost:5432/mydb')).toBe(false);
-		});
-
-		test('configuration values are not flagged', () => {
-			expect(looksLikeSecret('LOG_LEVEL', 'debug')).toBe(false);
-			expect(looksLikeSecret('CACHE_TTL', '3600')).toBe(false);
-			expect(looksLikeSecret('MAX_CONNECTIONS', '100')).toBe(false);
-		});
-
-		test('URLs without secrets are not flagged', () => {
-			expect(looksLikeSecret('API_URL', 'https://api.example.com')).toBe(false);
-			expect(looksLikeSecret('WEBHOOK_URL', 'https://example.com/webhook')).toBe(false);
-		});
-
-		test('paths are not flagged', () => {
-			expect(looksLikeSecret('DATA_PATH', '/var/data/app')).toBe(false);
-			expect(looksLikeSecret('CONFIG_FILE', '/etc/app/config.json')).toBe(false);
-		});
-	});
-
-	describe('edge cases', () => {
-		test('handles mixed key and value patterns', () => {
-			// Key pattern triggers detection
-			expect(looksLikeSecret('API_KEY', 'simple')).toBe(true);
-
-			// Value pattern triggers detection even without key pattern
-			const jwt =
-				'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
-			expect(looksLikeSecret('CONFIG', jwt)).toBe(true);
-		});
-
-		test('real-world API key formats', () => {
-			// Stripe (contains underscore, 32+ chars)
-			expect(looksLikeSecret('STRIPE', 'sk_test_51HqL7xAbCdEfGhIjK12345678901234567890')).toBe(
-				true
-			);
-
-			// Long API key format (32+ alphanumeric)
-			expect(looksLikeSecret('OPENAI', 'sk-proj-1234567890abcdefghijklmnopqrstuvwxyz')).toBe(
-				true
-			);
-
-			// Contains dots (periods not in our pattern, but key name helps)
-			expect(
-				looksLikeSecret(
-					'SENDGRID_API_KEY',
-					'SG.1234567890abcdefghijklmnopqrstuvwxyz.1234567890abcdefghijklmnopqrstuvwxyz'
-				)
-			).toBe(true);
-		});
-
-		test('UUIDs are correctly identified as non-secrets', () => {
-			// Standard UUID format should not be flagged
-			expect(looksLikeSecret('REQUEST_ID', '550e8400-e29b-41d4-a716-446655440000')).toBe(false);
-			expect(looksLikeSecret('USER_ID', '123e4567-e89b-12d3-a456-426614174000')).toBe(false);
-		});
-
-		test('hex hashes are flagged (better safe than sorry)', () => {
-			// 32+ character hex strings could be secrets or hashes - we flag them
-			// Users can confirm they're just hashes if needed
-			expect(looksLikeSecret('BUILD_HASH', 'a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6')).toBe(true);
-
-			// But with context that clearly indicates it's not a secret, the key name won't trigger
-			// So short hex strings without secret-like key names won't be flagged
-			expect(looksLikeSecret('COMMIT', 'abc123def')).toBe(false);
-		});
-	});
-});