@almightygpt/core 0.9.2 → 0.10.1

package/dist/adapters/factory.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Adapter factory — single place to map (name, provider) → concrete
+ * Adapter instance.
+ *
+ * Extracted from review/run-diff-review.ts during v0.10.0 (plan
+ * module) so the plan + review pipelines share the same factory and
+ * a new adapter only needs to be wired in one place.
+ */
+import { type Adapter } from "./types.js";
+export declare function makeAdapter(name: string, provider: string): Adapter;
+export declare function envHintForProvider(provider: string): string;
+//# sourceMappingURL=factory.d.ts.map

package/dist/adapters/factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/adapters/factory.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,OAAO,EAAE,MAAM,YAAY,CAAC;AAM1C,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAgBnE;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAW3D"}

package/dist/adapters/factory.js

@@ -0,0 +1,40 @@
+/**
+ * Adapter factory — single place to map (name, provider) → concrete
+ * Adapter instance.
+ *
+ * Extracted from review/run-diff-review.ts during v0.10.0 (plan
+ * module) so the plan + review pipelines share the same factory and
+ * a new adapter only needs to be wired in one place.
+ */
+import { MockAdapter } from "./mock.js";
+import { OpenAIAdapter } from "./openai.js";
+import { ClaudeAdapter } from "./claude.js";
+import { GeminiAdapter } from "./gemini.js";
+export function makeAdapter(name, provider) {
+    switch (provider) {
+        case "openai":
+            return new OpenAIAdapter(name);
+        case "anthropic":
+            return new ClaudeAdapter(name);
+        case "google":
+            return new GeminiAdapter(name);
+        case "mock":
+            return new MockAdapter();
+        default:
+            throw new Error(`Provider "${provider}" not supported. ` +
+                `Use "openai", "anthropic", "google", or "mock".`);
+    }
+}
+export function envHintForProvider(provider) {
+    switch (provider) {
+        case "openai":
+            return "Export OPENAI_API_KEY in your environment.";
+        case "anthropic":
+            return "Export ANTHROPIC_API_KEY in your environment.";
+        case "google":
+            return "Export GOOGLE_API_KEY (or GEMINI_API_KEY) in your environment.";
+        default:
+            return "";
+    }
+}
+//# sourceMappingURL=factory.js.map

package/dist/adapters/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/adapters/factory.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,QAAgB;IACxD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC;QACjC,KAAK,WAAW;YACd,OAAO,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC;QACjC,KAAK,QAAQ;YACX,OAAO,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC;QACjC,KAAK,MAAM;YACT,OAAO,IAAI,WAAW,EAAE,CAAC;QAC3B;YACE,MAAM,IAAI,KAAK,CACb,aAAa,QAAQ,mBAAmB;gBACtC,iDAAiD,CACpD,CAAC;IACN,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,QAAgB;IACjD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,4CAA4C,CAAC;QACtD,KAAK,WAAW;YACd,OAAO,+CAA+C,CAAC;QACzD,KAAK,QAAQ;YACX,OAAO,gEAAgE,CAAC;QAC1E;YACE,OAAO,EAAE,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/auth/__tests__/keychain.test.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Keychain adapter tests.
+ *
+ * Strategy (addresses Codex's v0.8 plan-review R3 — "KeychainAdapter
+ * dependency injection"): we mock the dynamic import of
+ * `@napi-rs/keyring` itself, replacing the Entry class with a fake
+ * we control per test. This sidesteps needing to refactor the real
+ * code to accept an injected adapter — the dynamic-import boundary
+ * IS the seam we test against.
+ *
+ * Codex's main concern (P2 #4) was that read failures were silently
+ * converted into "absent". These tests prove the new behavior:
+ *   - found    → { kind: "found", key }
+ *   - absent   → { kind: "absent" }
+ *   - throws   → { kind: "error", message }  (was: silently dropped)
+ */
+export {};
+//# sourceMappingURL=keychain.test.d.ts.map

package/dist/auth/__tests__/keychain.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.test.d.ts","sourceRoot":"","sources":["../../../src/auth/__tests__/keychain.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG"}

package/dist/auth/__tests__/keychain.test.js

@@ -0,0 +1,155 @@
+/**
+ * Keychain adapter tests.
+ *
+ * Strategy (addresses Codex's v0.8 plan-review R3 — "KeychainAdapter
+ * dependency injection"): we mock the dynamic import of
+ * `@napi-rs/keyring` itself, replacing the Entry class with a fake
+ * we control per test. This sidesteps needing to refactor the real
+ * code to accept an injected adapter — the dynamic-import boundary
+ * IS the seam we test against.
+ *
+ * Codex's main concern (P2 #4) was that read failures were silently
+ * converted into "absent". These tests prove the new behavior:
+ *   - found    → { kind: "found", key }
+ *   - absent   → { kind: "absent" }
+ *   - throws   → { kind: "error", message }  (was: silently dropped)
+ */
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { _resetKeychainCache } from "../keychain.js";
+// Track the entry methods per test so we can rewire mid-suite.
+let mockGetPassword;
+let mockSetPassword;
+let mockDeletePassword;
+let constructorThrows = false;
+let importThrows = false;
+vi.mock("@napi-rs/keyring", () => ({
+    get Entry() {
+        if (importThrows)
+            throw new Error("synthetic import failure");
+        return class FakeEntry {
+            constructor(_service, _account) {
+                if (constructorThrows) {
+                    throw new Error("native binding refused to initialize");
+                }
+            }
+            getPassword() {
+                return mockGetPassword();
+            }
+            setPassword(p) {
+                mockSetPassword(p);
+            }
+            deletePassword() {
+                return mockDeletePassword();
+            }
+        };
+    },
+}));
+import { getKeychain } from "../keychain.js";
+beforeEach(() => {
+    _resetKeychainCache();
+    mockGetPassword = () => null;
+    mockSetPassword = () => { };
+    mockDeletePassword = () => true;
+    constructorThrows = false;
+    importThrows = false;
+});
+describe("keychain adapter — availability", () => {
+    it("reports available=true when native binding loads cleanly", async () => {
+        const kc = await getKeychain();
+        expect(kc.available).toBe(true);
+        expect(kc.describeBackend()).not.toContain("unavailable");
+    });
+    it("reports available=false + reason when native binding throws on init", async () => {
+        constructorThrows = true;
+        const kc = await getKeychain();
+        expect(kc.available).toBe(false);
+        expect(kc.describeBackend()).toContain("unavailable");
+        expect(kc.describeBackend()).toMatch(/initialize|native/i);
+    });
+    it("get on unavailable adapter returns { kind: 'absent' } (not throw)", async () => {
+        constructorThrows = true;
+        const kc = await getKeychain();
+        const r = await kc.get("openai");
+        expect(r).toEqual({ kind: "absent" });
+    });
+    it("set on unavailable adapter throws with a clear hint", async () => {
+        constructorThrows = true;
+        const kc = await getKeychain();
+        await expect(kc.set("openai", "x")).rejects.toThrow(/unavailable|environment/i);
+    });
+});
+describe("keychain adapter — get behavior (Codex P2 #4 regression coverage)", () => {
+    it("found path returns { kind: 'found', key }", async () => {
+        mockGetPassword = () => "stored-secret";
+        const kc = await getKeychain();
+        const r = await kc.get("anthropic");
+        expect(r).toEqual({ kind: "found", key: "stored-secret" });
+    });
+    it("absent path returns { kind: 'absent' } when getPassword returns null", async () => {
+        mockGetPassword = () => null;
+        const kc = await getKeychain();
+        const r = await kc.get("openai");
+        expect(r).toEqual({ kind: "absent" });
+    });
+    it("error path returns { kind: 'error', message } when getPassword throws — NOT silently absent", async () => {
+        mockGetPassword = () => {
+            throw new Error("keyring locked by OS");
+        };
+        const kc = await getKeychain();
+        const r = await kc.get("openai");
+        expect(r.kind).toBe("error");
+        if (r.kind === "error") {
+            expect(r.message).toContain("keyring locked");
+        }
+    });
+    it("error path preserves non-Error throws via String(err)", async () => {
+        mockGetPassword = () => {
+            throw "raw string error";
+        };
+        const kc = await getKeychain();
+        const r = await kc.get("openai");
+        expect(r.kind).toBe("error");
+        if (r.kind === "error") {
+            expect(r.message).toContain("raw string error");
+        }
+    });
+});
+describe("keychain adapter — set / remove", () => {
+    it("set forwards the key to the underlying Entry", async () => {
+        const writes = [];
+        mockSetPassword = (p) => writes.push(p);
+        const kc = await getKeychain();
+        await kc.set("google", "new-key");
+        expect(writes).toEqual(["new-key"]);
+    });
+    it("remove returns true when entry existed", async () => {
+        mockDeletePassword = () => true;
+        const kc = await getKeychain();
+        const removed = await kc.remove("openai");
+        expect(removed).toBe(true);
+    });
+    it("remove returns false (not throws) when entry didn't exist", async () => {
+        mockDeletePassword = () => {
+            throw new Error("not found");
+        };
+        const kc = await getKeychain();
+        const removed = await kc.remove("openai");
+        expect(removed).toBe(false);
+    });
+});
+describe("keychain adapter — caching", () => {
+    it("getKeychain returns the same instance across calls (singleton)", async () => {
+        const a = await getKeychain();
+        const b = await getKeychain();
+        expect(a).toBe(b);
+    });
+    it("_resetKeychainCache forces a fresh load on next getKeychain", async () => {
+        const a = await getKeychain();
+        _resetKeychainCache();
+        constructorThrows = true; // change behavior between loads
+        const b = await getKeychain();
+        expect(a.available).toBe(true);
+        expect(b.available).toBe(false);
+    });
+});
+//# sourceMappingURL=keychain.test.js.map

package/dist/auth/__tests__/keychain.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.test.js","sourceRoot":"","sources":["../../../src/auth/__tests__/keychain.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD,+DAA+D;AAC/D,IAAI,eAAoC,CAAC;AACzC,IAAI,eAAsC,CAAC;AAC3C,IAAI,kBAAiC,CAAC;AACtC,IAAI,iBAAiB,GAAG,KAAK,CAAC;AAC9B,IAAI,YAAY,GAAG,KAAK,CAAC;AAEzB,EAAE,CAAC,IAAI,CAAC,kBAAkB,EAAE,GAAG,EAAE,CAAC,CAAC;IACjC,IAAI,KAAK;QACP,IAAI,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9D,OAAO,MAAM,SAAS;YACpB,YAAY,QAAgB,EAAE,QAAgB;gBAC5C,IAAI,iBAAiB,EAAE,CAAC;oBACtB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC;YACD,WAAW;gBACT,OAAO,eAAe,EAAE,CAAC;YAC3B,CAAC;YACD,WAAW,CAAC,CAAS;gBACnB,eAAe,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC;YACD,cAAc;gBACZ,OAAO,kBAAkB,EAAE,CAAC;YAC9B,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC,CAAC;AAEJ,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,UAAU,CAAC,GAAG,EAAE;IACd,mBAAmB,EAAE,CAAC;IACtB,eAAe,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC;IAC7B,eAAe,GAAG,GAAG,EAAE,GAAE,CAAC,CAAC;IAC3B,kBAAkB,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC;IAChC,iBAAiB,GAAG,KAAK,CAAC;IAC1B,YAAY,GAAG,KAAK,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;IAC/C,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,iBAAiB,GAAG,IAAI,CAAC;QACzB,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACtD,MAAM,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;QACjF,iBAAiB,GAAG,IAAI,CAAC;QACzB,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,iBAAiB,GAAG,IAAI,CAAC;QACzB,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,mEAAmE,EAAE,GAAG,EAAE;IACjF,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,eAAe,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC;QACxC,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACpC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;QACpF,eAAe,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC;QAC7B,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6FAA6F,EAAE,KAAK,IAAI,EAAE;QAC3G,eAAe,GAAG,GAAG,EAAE;YACrB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC,CAAC;QACF,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7B,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YACvB,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,eAAe,GAAG,GAAG,EAAE;YACrB,MAAM,kBAAkB,CAAC;QAC3B,CAAC,CAAC;QACF,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7B,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YACvB,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;IAC/C,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,eAAe,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,EAAE,CAAC,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,kBAAkB,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC;QAChC,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,kBAAkB,GAAG,GAAG,EAAE;YACxB,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;QAC/B,CAAC,CAAC;QACF,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,CAAC,GAAG,MAAM,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,MAAM,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;QAC3E,MAAM,CAAC,GAAG,MAAM,WAAW,EAAE,CAAC;QAC9B,mBAAmB,EAAE,CAAC;QACtB,iBAAiB,GAAG,IAAI,CAAC,CAAC,gCAAgC;QAC1D,MAAM,CAAC,GAAG,MAAM,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth/__tests__/resolver.test.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Resolver tests — proves the priority chain.
+ *
+ * Codex's v0.8 security review (P1 #3) called out that without these
+ * tests, the resolver could silently regress and ship — because
+ * `npm run test` would pass vacuously.
+ *
+ * Each test isolates the keychain via vi.mock so we control its
+ * behavior per case. Env vars are reset in beforeEach so test order
+ * doesn't matter.
+ */
+export {};
+//# sourceMappingURL=resolver.test.d.ts.map

package/dist/auth/__tests__/resolver.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.test.d.ts","sourceRoot":"","sources":["../../../src/auth/__tests__/resolver.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG"}

package/dist/auth/__tests__/resolver.test.js

@@ -0,0 +1,182 @@
+/**
+ * Resolver tests — proves the priority chain.
+ *
+ * Codex's v0.8 security review (P1 #3) called out that without these
+ * tests, the resolver could silently regress and ship — because
+ * `npm run test` would pass vacuously.
+ *
+ * Each test isolates the keychain via vi.mock so we control its
+ * behavior per case. Env vars are reset in beforeEach so test order
+ * doesn't matter.
+ */
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import { resolveApiKey, requireApiKey } from "../resolver.js";
+import { AuthMissingError } from "../types.js";
+// Mock the keychain module before any test runs. Each test then
+// overrides the mock's return for getKeychain().
+vi.mock("../keychain.js", () => ({
+    getKeychain: vi.fn(),
+}));
+import { getKeychain } from "../keychain.js";
+const PROVIDER_ENV_VAR = {
+    openai: "OPENAI_API_KEY",
+    anthropic: "ANTHROPIC_API_KEY",
+    google: "GOOGLE_API_KEY",
+};
+function makeKeychainStub(behavior) {
+    return {
+        available: behavior.available,
+        describeBackend: () => "test-backend",
+        get: behavior.get ?? (async () => ({ kind: "absent" })),
+        set: async () => { },
+        remove: async () => true,
+    };
+}
+describe("resolveApiKey — priority order", () => {
+    const savedEnv = {};
+    beforeEach(() => {
+        // Snapshot + clear all provider env vars so test inputs are
+        // deterministic.
+        for (const v of Object.values(PROVIDER_ENV_VAR)) {
+            savedEnv[v] = process.env[v];
+            delete process.env[v];
+        }
+        delete process.env.GEMINI_API_KEY;
+        vi.clearAllMocks();
+    });
+    afterEach(() => {
+        // Restore original env so we don't pollute the runner / sibling tests.
+        for (const [k, v] of Object.entries(savedEnv)) {
+            if (v === undefined)
+                delete process.env[k];
+            else
+                process.env[k] = v;
+        }
+    });
+    it("explicit param wins over env (which would otherwise win over keychain)", async () => {
+        process.env.OPENAI_API_KEY = "from-env";
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({
+            available: true,
+            get: async () => ({ kind: "found", key: "from-keychain" }),
+        }));
+        const r = await resolveApiKey("openai", { explicit: "from-explicit" });
+        expect(r.source).toBe("explicit");
+        expect(r.key).toBe("from-explicit");
+    });
+    it("env wins over keychain — prevents stale-keychain-key bug Codex flagged", async () => {
+        process.env.OPENAI_API_KEY = "from-env";
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({
+            available: true,
+            get: async () => ({ kind: "found", key: "from-keychain" }),
+        }));
+        const r = await resolveApiKey("openai");
+        expect(r.source).toBe("env");
+        expect(r.key).toBe("from-env");
+        expect(r.envVar).toBe("OPENAI_API_KEY");
+    });
+    it("keychain wins over missing", async () => {
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({
+            available: true,
+            get: async () => ({ kind: "found", key: "from-keychain" }),
+        }));
+        const r = await resolveApiKey("openai");
+        expect(r.source).toBe("keychain");
+        expect(r.key).toBe("from-keychain");
+    });
+    it("returns missing when no source has the key", async () => {
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({ available: true }));
+        const r = await resolveApiKey("openai");
+        expect(r.source).toBe("missing");
+        expect(r.key).toBeUndefined();
+    });
+    it("returns keychain_error (not missing) when keychain read fails", async () => {
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({
+            available: true,
+            get: async () => ({ kind: "error", message: "denied by OS" }),
+        }));
+        const r = await resolveApiKey("openai");
+        expect(r.source).toBe("keychain_error");
+        expect(r.keychainError).toBe("denied by OS");
+    });
+    it("keychain unavailability degrades to missing (not error) — backward compat", async () => {
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({ available: false }));
+        const r = await resolveApiKey("openai");
+        expect(r.source).toBe("missing");
+    });
+    it("skipKeychain option bypasses keychain entirely", async () => {
+        process.env.OPENAI_API_KEY = "from-env";
+        // Keychain mock would throw if called — proves skipKeychain takes effect.
+        vi.mocked(getKeychain).mockImplementation(() => {
+            throw new Error("getKeychain should not be called when skipKeychain is true");
+        });
+        const r = await resolveApiKey("openai", { skipKeychain: true });
+        expect(r.source).toBe("env");
+    });
+    it("Google provider checks BOTH GOOGLE_API_KEY and GEMINI_API_KEY", async () => {
+        delete process.env.GOOGLE_API_KEY;
+        process.env.GEMINI_API_KEY = "from-gemini-env";
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({ available: false }));
+        const r = await resolveApiKey("google");
+        expect(r.source).toBe("env");
+        expect(r.key).toBe("from-gemini-env");
+        expect(r.envVar).toBe("GEMINI_API_KEY");
+    });
+    it("Google prefers GOOGLE_API_KEY over GEMINI_API_KEY when both set", async () => {
+        process.env.GOOGLE_API_KEY = "primary";
+        process.env.GEMINI_API_KEY = "secondary";
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({ available: false }));
+        const r = await resolveApiKey("google");
+        expect(r.source).toBe("env");
+        expect(r.envVar).toBe("GOOGLE_API_KEY");
+        expect(r.key).toBe("primary");
+    });
+    it("empty env var is treated as not set (falls through to keychain)", async () => {
+        process.env.OPENAI_API_KEY = "";
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({
+            available: true,
+            get: async () => ({ kind: "found", key: "from-keychain" }),
+        }));
+        const r = await resolveApiKey("openai");
+        expect(r.source).toBe("keychain");
+    });
+});
+describe("requireApiKey — throws AuthMissingError on missing / keychain_error", () => {
+    const savedEnv = {};
+    beforeEach(() => {
+        for (const v of Object.values(PROVIDER_ENV_VAR)) {
+            savedEnv[v] = process.env[v];
+            delete process.env[v];
+        }
+        delete process.env.GEMINI_API_KEY;
+        vi.clearAllMocks();
+    });
+    afterEach(() => {
+        for (const [k, v] of Object.entries(savedEnv)) {
+            if (v === undefined)
+                delete process.env[k];
+            else
+                process.env[k] = v;
+        }
+    });
+    it("returns the key when found", async () => {
+        process.env.ANTHROPIC_API_KEY = "the-key";
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({ available: false }));
+        const key = await requireApiKey("anthropic");
+        expect(key).toBe("the-key");
+    });
+    it("throws AuthMissingError with provider + env var when missing", async () => {
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({ available: true }));
+        await expect(requireApiKey("anthropic")).rejects.toThrow(AuthMissingError);
+        await expect(requireApiKey("anthropic")).rejects.toThrow(/anthropic/);
+        await expect(requireApiKey("anthropic")).rejects.toThrow(/ANTHROPIC_API_KEY/);
+    });
+    it("throws AuthMissingError with a DIFFERENT message for keychain_error", async () => {
+        vi.mocked(getKeychain).mockResolvedValue(makeKeychainStub({
+            available: true,
+            get: async () => ({ kind: "error", message: "keyring locked" }),
+        }));
+        await expect(requireApiKey("anthropic")).rejects.toThrow(/keyring locked/);
+        await expect(requireApiKey("anthropic")).rejects.toThrow(/Keychain read failed/);
+    });
+});
+//# sourceMappingURL=resolver.test.js.map

package/dist/auth/__tests__/resolver.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.test.js","sourceRoot":"","sources":["../../../src/auth/__tests__/resolver.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE/C,gEAAgE;AAChE,iDAAiD;AACjD,EAAE,CAAC,IAAI,CAAC,gBAAgB,EAAE,GAAG,EAAE,CAAC,CAAC;IAC/B,WAAW,EAAE,EAAE,CAAC,EAAE,EAAE;CACrB,CAAC,CAAC,CAAC;AACJ,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,MAAM,gBAAgB,GAAG;IACvB,MAAM,EAAE,gBAAgB;IACxB,SAAS,EAAE,mBAAmB;IAC9B,MAAM,EAAE,gBAAgB;CAChB,CAAC;AAEX,SAAS,gBAAgB,CAAC,QAOzB;IACC,OAAO;QACL,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,eAAe,EAAE,GAAG,EAAE,CAAC,cAAc;QACrC,GAAG,EAAE,QAAQ,CAAC,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,QAAiB,EAAE,CAAC,CAAC;QAChE,GAAG,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;QACnB,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI;KACzB,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,MAAM,QAAQ,GAAuC,EAAE,CAAC;IAExD,UAAU,CAAC,GAAG,EAAE;QACd,4DAA4D;QAC5D,iBAAiB;QACjB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAChD,QAAQ,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC7B,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QAClC,EAAE,CAAC,aAAa,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,uEAAuE;QACvE,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9C,IAAI,CAAC,KAAK,SAAS;gBAAE,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;;gBACtC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;QACtF,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,UAAU,CAAC;QACxC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC;YACf,SAAS,EAAE,IAAI;YACf,GAAG,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC;SAC3D,CAAC,CACH,CAAC;QACF,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,eAAe,EAAE,CAAC,CAAC;QACvE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;QACtF,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,UAAU,CAAC;QACxC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC;YACf,SAAS,EAAE,IAAI;YACf,GAAG,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC;SAC3D,CAAC,CACH,CAAC;QACF,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;QAC1C,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC;YACf,SAAS,EAAE,IAAI;YACf,GAAG,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC;SAC3D,CAAC,CACH,CAAC;QACF,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CACtC,CAAC;QACF,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC;YACf,SAAS,EAAE,IAAI;YACf,GAAG,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC;SAC9D,CAAC,CACH,CAAC;QACF,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;QACzF,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CACvC,CAAC;QACF,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,UAAU,CAAC;QACxC,0EAA0E;QAC1E,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAC7C,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC;QAChE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,iBAAiB,CAAC;QAC/C,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CACvC,CAAC;QACF,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACtC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC/E,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,SAAS,CAAC;QACvC,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,WAAW,CAAC;QACzC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CACvC,CAAC;QACF,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC/E,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,EAAE,CAAC;QAChC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC;YACf,SAAS,EAAE,IAAI;YACf,GAAG,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC;SAC3D,CAAC,CACH,CAAC;QACF,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,qEAAqE,EAAE,GAAG,EAAE;IACnF,MAAM,QAAQ,GAAuC,EAAE,CAAC;IAExD,UAAU,CAAC,GAAG,EAAE;QACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAChD,QAAQ,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC7B,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QAClC,EAAE,CAAC,aAAa,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9C,IAAI,CAAC,KAAK,SAAS;gBAAE,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;;gBACtC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;QAC1C,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG,SAAS,CAAC;QAC1C,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CACvC,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CACtC,CAAC;QACF,MAAM,MAAM,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAC3E,MAAM,MAAM,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QACtE,MAAM,MAAM,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,iBAAiB,CACtC,gBAAgB,CAAC;YACf,SAAS,EAAE,IAAI;YACf,GAAG,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;SAChE,CAAC,CACH,CAAC;QACF,MAAM,MAAM,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAC3E,MAAM,MAAM,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth/__tests__/validator.test.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Validator tests with mocked fetch.
+ *
+ * Covers Codex's v0.8 security review demand:
+ *   "Add a regression test that failed validation never logs or returns
+ *    a URL containing the key."
+ *
+ * Plus the broader contract:
+ *   - happy path → ok: true with model
+ *   - timeout → ok: false with friendly message
+ *   - non-OK response → normalized error with statusCode, never raw body
+ *   - submitted key NEVER appears in error / model field for ANY provider
+ */
+export {};
+//# sourceMappingURL=validator.test.d.ts.map

package/dist/auth/__tests__/validator.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.test.d.ts","sourceRoot":"","sources":["../../../src/auth/__tests__/validator.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG"}