@enactprotocol/secrets 2.0.0

package/tests/dagger/secret-object.test.ts

@@ -0,0 +1,217 @@
+import { beforeEach, describe, expect, it, mock } from "bun:test";
+import { KEYRING_SERVICE } from "../../src/types";
+import { mockKeyring, resetMockKeyring, seedMockKeyring } from "../mocks/keyring";
+
+// Mock the keyring module before importing
+mock.module("../../src/keyring", () => ({
+  getSecret: async (namespace: string, name: string) => {
+    const account = `${namespace}:${name}`;
+    return mockKeyring.getPassword(KEYRING_SERVICE, account);
+  },
+}));
+
+// Import after mocking
+const { getSecretObject, getSecretObjects, parseSecretOverride, parseSecretOverrides } =
+  await import("../../src/dagger/secret-object");
+
+describe("dagger/secret-object", () => {
+  const testService = KEYRING_SERVICE;
+
+  beforeEach(() => {
+    resetMockKeyring();
+  });
+
+  describe("getSecretObject", () => {
+    it("should get secret from keyring", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice/api", name: "API_TOKEN", value: "keyring-token" },
+      ]);
+
+      const result = await getSecretObject("alice/api", "API_TOKEN");
+
+      expect(result.name).toBe("API_TOKEN");
+      expect(result.value).toBe("keyring-token");
+      expect(result.source).toBe("keyring");
+      expect(result.namespace).toBe("alice/api");
+    });
+
+    it("should use override URI when provided", async () => {
+      process.env.TEST_OVERRIDE_VAR = "override-value";
+
+      const result = await getSecretObject("alice/api", "API_TOKEN", {
+        overrideUri: "env://TEST_OVERRIDE_VAR",
+      });
+
+      expect(result.name).toBe("API_TOKEN");
+      expect(result.value).toBe("override-value");
+      expect(result.source).toBe("override");
+      expect(result.overrideUri).toBe("env://TEST_OVERRIDE_VAR");
+
+      process.env.TEST_OVERRIDE_VAR = undefined;
+    });
+
+    it("should prefer override URI over keyring", async () => {
+      process.env.TEST_PRIORITY_VAR = "override-wins";
+      seedMockKeyring(testService, [
+        { namespace: "alice/api", name: "API_TOKEN", value: "keyring-value" },
+      ]);
+
+      const result = await getSecretObject("alice/api", "API_TOKEN", {
+        overrideUri: "env://TEST_PRIORITY_VAR",
+      });
+
+      expect(result.value).toBe("override-wins");
+      expect(result.source).toBe("override");
+
+      process.env.TEST_PRIORITY_VAR = undefined;
+    });
+
+    it("should throw for missing secret without override", async () => {
+      await expect(getSecretObject("alice/api", "NONEXISTENT_SECRET")).rejects.toThrow(
+        /Secret.*not found/
+      );
+    });
+
+    it("should use namespace inheritance to find secrets", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice", name: "SHARED_KEY", value: "root-level" },
+      ]);
+
+      const result = await getSecretObject("alice/api/slack", "SHARED_KEY");
+
+      expect(result.value).toBe("root-level");
+      expect(result.namespace).toBe("alice");
+    });
+  });
+
+  describe("getSecretObjects", () => {
+    it("should get multiple secrets from keyring", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice/api", name: "KEY1", value: "value1" },
+        { namespace: "alice/api", name: "KEY2", value: "value2" },
+      ]);
+
+      const results = await getSecretObjects("alice/api", {
+        KEY1: undefined,
+        KEY2: undefined,
+      });
+
+      expect(results.size).toBe(2);
+      expect(results.get("KEY1")?.value).toBe("value1");
+      expect(results.get("KEY2")?.value).toBe("value2");
+    });
+
+    it("should support mixed keyring and override", async () => {
+      process.env.TEST_MIXED_VAR = "from-env";
+      seedMockKeyring(testService, [
+        { namespace: "alice/api", name: "KEY1", value: "from-keyring" },
+      ]);
+
+      const results = await getSecretObjects("alice/api", {
+        KEY1: undefined,
+        KEY2: "env://TEST_MIXED_VAR",
+      });
+
+      expect(results.get("KEY1")?.value).toBe("from-keyring");
+      expect(results.get("KEY1")?.source).toBe("keyring");
+      expect(results.get("KEY2")?.value).toBe("from-env");
+      expect(results.get("KEY2")?.source).toBe("override");
+
+      process.env.TEST_MIXED_VAR = undefined;
+    });
+
+    it("should return empty map for empty input", async () => {
+      const results = await getSecretObjects("alice/api", {});
+
+      expect(results.size).toBe(0);
+    });
+  });
+
+  describe("parseSecretOverride", () => {
+    it("should parse valid override", () => {
+      const result = parseSecretOverride("API_TOKEN=env://MY_TOKEN");
+
+      expect(result).not.toBeNull();
+      expect(result?.name).toBe("API_TOKEN");
+      expect(result?.uri).toBe("env://MY_TOKEN");
+    });
+
+    it("should parse override with file:// URI", () => {
+      const result = parseSecretOverride("SECRET_FILE=file:///etc/secret");
+
+      expect(result?.name).toBe("SECRET_FILE");
+      expect(result?.uri).toBe("file:///etc/secret");
+    });
+
+    it("should parse override with cmd:// URI", () => {
+      const result = parseSecretOverride("DYNAMIC=cmd://echo hello");
+
+      expect(result?.name).toBe("DYNAMIC");
+      expect(result?.uri).toBe("cmd://echo hello");
+    });
+
+    it("should return null for missing =", () => {
+      const result = parseSecretOverride("API_TOKEN");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null for invalid URI", () => {
+      const result = parseSecretOverride("API_TOKEN=not-a-uri");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null for empty name", () => {
+      const result = parseSecretOverride("=env://TOKEN");
+
+      expect(result).toBeNull();
+    });
+
+    it("should handle whitespace", () => {
+      const result = parseSecretOverride("  API_TOKEN  =  env://TOKEN  ");
+
+      expect(result?.name).toBe("API_TOKEN");
+      expect(result?.uri).toBe("env://TOKEN");
+    });
+  });
+
+  describe("parseSecretOverrides", () => {
+    it("should parse multiple overrides", () => {
+      const result = parseSecretOverrides([
+        "KEY1=env://VAR1",
+        "KEY2=file:///etc/secret",
+        "KEY3=cmd://echo test",
+      ]);
+
+      expect(result.KEY1).toBe("env://VAR1");
+      expect(result.KEY2).toBe("file:///etc/secret");
+      expect(result.KEY3).toBe("cmd://echo test");
+    });
+
+    it("should skip invalid overrides", () => {
+      const result = parseSecretOverrides([
+        "KEY1=env://VAR1",
+        "INVALID",
+        "KEY2=not-a-uri",
+        "KEY3=file:///valid",
+      ]);
+
+      expect(Object.keys(result)).toHaveLength(2);
+      expect(result.KEY1).toBe("env://VAR1");
+      expect(result.KEY3).toBe("file:///valid");
+    });
+
+    it("should return empty object for empty input", () => {
+      const result = parseSecretOverrides([]);
+
+      expect(result).toEqual({});
+    });
+
+    it("should handle duplicates (last wins)", () => {
+      const result = parseSecretOverrides(["KEY=env://VAR1", "KEY=env://VAR2"]);
+
+      expect(result.KEY).toBe("env://VAR2");
+    });
+  });
+});

package/tests/dagger/uri-parser.test.ts

@@ -0,0 +1,194 @@
+import { afterEach, beforeEach, describe, expect, it } from "bun:test";
+import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  getSupportedSchemes,
+  isSecretUri,
+  parseSecretUri,
+  resolveSecretUri,
+} from "../../src/dagger/uri-parser";
+
+describe("dagger/uri-parser", () => {
+  const testDir = join(tmpdir(), `enact-uri-test-${Date.now()}`);
+
+  beforeEach(() => {
+    mkdirSync(testDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    if (existsSync(testDir)) {
+      rmSync(testDir, { recursive: true });
+    }
+  });
+
+  describe("parseSecretUri", () => {
+    it("should parse env:// URI", () => {
+      const result = parseSecretUri("env://API_KEY");
+
+      expect(result.scheme).toBe("env");
+      expect(result.value).toBe("API_KEY");
+      expect(result.original).toBe("env://API_KEY");
+    });
+
+    it("should parse file:// URI", () => {
+      const result = parseSecretUri("file:///path/to/secret.txt");
+
+      expect(result.scheme).toBe("file");
+      expect(result.value).toBe("/path/to/secret.txt");
+    });
+
+    it("should parse cmd:// URI", () => {
+      const result = parseSecretUri("cmd://echo hello");
+
+      expect(result.scheme).toBe("cmd");
+      expect(result.value).toBe("echo hello");
+    });
+
+    it("should parse op:// URI (1Password)", () => {
+      const result = parseSecretUri("op://Private/API Token/credential");
+
+      expect(result.scheme).toBe("op");
+      expect(result.value).toBe("Private/API Token/credential");
+    });
+
+    it("should parse vault:// URI", () => {
+      const result = parseSecretUri("vault://secret/data/myapp#api_key");
+
+      expect(result.scheme).toBe("vault");
+      expect(result.value).toBe("secret/data/myapp#api_key");
+    });
+
+    it("should throw for invalid URI format", () => {
+      expect(() => parseSecretUri("not-a-uri")).toThrow(/Invalid secret URI format/);
+    });
+
+    it("should throw for missing scheme", () => {
+      expect(() => parseSecretUri("://value")).toThrow(/Invalid secret URI format/);
+    });
+
+    it("should throw for missing value", () => {
+      expect(() => parseSecretUri("env://")).toThrow(/Invalid secret URI format/);
+    });
+
+    it("should throw for invalid scheme", () => {
+      expect(() => parseSecretUri("http://example.com")).toThrow(/Invalid secret URI scheme/);
+    });
+  });
+
+  describe("isSecretUri", () => {
+    it("should return true for valid env:// URI", () => {
+      expect(isSecretUri("env://API_KEY")).toBe(true);
+    });
+
+    it("should return true for valid file:// URI", () => {
+      expect(isSecretUri("file:///etc/secret")).toBe(true);
+    });
+
+    it("should return true for valid cmd:// URI", () => {
+      expect(isSecretUri("cmd://cat /etc/secret")).toBe(true);
+    });
+
+    it("should return true for valid op:// URI", () => {
+      expect(isSecretUri("op://Vault/Item/Field")).toBe(true);
+    });
+
+    it("should return true for valid vault:// URI", () => {
+      expect(isSecretUri("vault://secret/path")).toBe(true);
+    });
+
+    it("should return false for plain string", () => {
+      expect(isSecretUri("just-a-value")).toBe(false);
+    });
+
+    it("should return false for invalid scheme", () => {
+      expect(isSecretUri("http://example.com")).toBe(false);
+    });
+
+    it("should return false for malformed URI", () => {
+      expect(isSecretUri("env:API_KEY")).toBe(false);
+    });
+  });
+
+  describe("resolveSecretUri", () => {
+    describe("env:// scheme", () => {
+      it("should resolve environment variable", async () => {
+        process.env.TEST_SECRET_VAR = "secret-value";
+
+        const result = await resolveSecretUri("env://TEST_SECRET_VAR");
+
+        expect(result).toBe("secret-value");
+
+        process.env.TEST_SECRET_VAR = undefined;
+      });
+
+      it("should throw for undefined environment variable", async () => {
+        await expect(resolveSecretUri("env://NONEXISTENT_VAR_12345")).rejects.toThrow(
+          /Environment variable.*is not set/
+        );
+      });
+    });
+
+    describe("file:// scheme", () => {
+      it("should read file contents", async () => {
+        const secretFile = join(testDir, "secret.txt");
+        writeFileSync(secretFile, "file-secret-value\n");
+
+        const result = await resolveSecretUri(`file://${secretFile}`);
+
+        expect(result).toBe("file-secret-value");
+      });
+
+      it("should trim whitespace from file contents", async () => {
+        const secretFile = join(testDir, "secret-ws.txt");
+        writeFileSync(secretFile, "  secret  \n\n");
+
+        const result = await resolveSecretUri(`file://${secretFile}`);
+
+        expect(result).toBe("secret");
+      });
+
+      it("should throw for non-existent file", async () => {
+        await expect(resolveSecretUri(`file://${testDir}/nonexistent.txt`)).rejects.toThrow(
+          /File not found/
+        );
+      });
+    });
+
+    describe("cmd:// scheme", () => {
+      it("should execute command and return output", async () => {
+        const result = await resolveSecretUri("cmd://echo test-output");
+
+        expect(result).toBe("test-output");
+      });
+
+      it("should trim command output", async () => {
+        const result = await resolveSecretUri("cmd://printf '  value  '");
+
+        expect(result).toBe("value");
+      });
+
+      it("should throw for failed command", async () => {
+        await expect(
+          resolveSecretUri("cmd://false") // 'false' command always fails
+        ).rejects.toThrow(/Command failed/);
+      });
+    });
+
+    // Note: op:// and vault:// tests would require those tools to be installed
+    // They're tested in integration tests with mocks
+  });
+
+  describe("getSupportedSchemes", () => {
+    it("should return all supported schemes", () => {
+      const schemes = getSupportedSchemes();
+
+      expect(schemes).toContain("env");
+      expect(schemes).toContain("file");
+      expect(schemes).toContain("cmd");
+      expect(schemes).toContain("op");
+      expect(schemes).toContain("vault");
+      expect(schemes).toHaveLength(5);
+    });
+  });
+});

package/tests/env/manager.test.ts

@@ -0,0 +1,220 @@
+import { afterEach, beforeEach, describe, expect, it } from "bun:test";
+import { existsSync, mkdirSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  deleteEnv,
+  getEnv,
+  getEnvValue,
+  hasLocalEnv,
+  listEnv,
+  resolveAllEnv,
+  resolveToolEnv,
+  setEnv,
+} from "../../src/env/manager";
+import { setLocalEnvVar } from "../../src/env/writer";
+
+describe("env/manager", () => {
+  const testDir = join(tmpdir(), `enact-manager-test-${Date.now()}`);
+  const localEnvDir = join(testDir, ".enact");
+  const localEnvPath = join(localEnvDir, ".env");
+
+  beforeEach(() => {
+    mkdirSync(testDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    if (existsSync(testDir)) {
+      rmSync(testDir, { recursive: true });
+    }
+  });
+
+  describe("setEnv", () => {
+    it("should set local env var when scope is local", () => {
+      setEnv("LOCAL_VAR", "local-value", "local", testDir);
+
+      expect(existsSync(localEnvPath)).toBe(true);
+      const result = getEnv("LOCAL_VAR", undefined, testDir);
+      expect(result?.value).toBe("local-value");
+      expect(result?.source).toBe("local");
+    });
+
+    // Note: Testing global env would require mocking homedir() or using temp home
+  });
+
+  describe("getEnv", () => {
+    it("should return local value with local source", () => {
+      setLocalEnvVar("KEY", "local-value", testDir);
+
+      const result = getEnv("KEY", undefined, testDir);
+
+      expect(result).not.toBeNull();
+      expect(result?.value).toBe("local-value");
+      expect(result?.source).toBe("local");
+      expect(result?.filePath).toContain(".enact");
+    });
+
+    it("should return default value when not found", () => {
+      const result = getEnv("NONEXISTENT", "default-value", testDir);
+
+      expect(result?.value).toBe("default-value");
+      expect(result?.source).toBe("default");
+    });
+
+    it("should return null when not found and no default", () => {
+      const result = getEnv("NONEXISTENT", undefined, testDir);
+
+      expect(result).toBeNull();
+    });
+
+    it("should include key in result", () => {
+      setLocalEnvVar("MY_KEY", "value", testDir);
+
+      const result = getEnv("MY_KEY", undefined, testDir);
+
+      expect(result?.key).toBe("MY_KEY");
+    });
+  });
+
+  describe("getEnvValue", () => {
+    it("should return just the value", () => {
+      setLocalEnvVar("KEY", "the-value", testDir);
+
+      const value = getEnvValue("KEY", undefined, testDir);
+
+      expect(value).toBe("the-value");
+    });
+
+    it("should return default if not found", () => {
+      const value = getEnvValue("NONEXISTENT", "default", testDir);
+
+      expect(value).toBe("default");
+    });
+
+    it("should return undefined if not found and no default", () => {
+      const value = getEnvValue("NONEXISTENT", undefined, testDir);
+
+      expect(value).toBeUndefined();
+    });
+  });
+
+  describe("deleteEnv", () => {
+    it("should delete local env var", () => {
+      setLocalEnvVar("TO_DELETE", "value", testDir);
+      expect(getEnvValue("TO_DELETE", undefined, testDir)).toBe("value");
+
+      const deleted = deleteEnv("TO_DELETE", "local", testDir);
+
+      expect(deleted).toBe(true);
+      expect(getEnvValue("TO_DELETE", undefined, testDir)).toBeUndefined();
+    });
+
+    it("should return false if var doesn't exist", () => {
+      // Create the file first with some other var
+      setLocalEnvVar("OTHER", "value", testDir);
+
+      const deleted = deleteEnv("NONEXISTENT", "local", testDir);
+
+      expect(deleted).toBe(false);
+    });
+  });
+
+  describe("listEnv", () => {
+    it("should list local env vars", () => {
+      setLocalEnvVar("KEY1", "value1", testDir);
+      setLocalEnvVar("KEY2", "value2", testDir);
+
+      const vars = listEnv("local", testDir);
+
+      expect(vars).toHaveLength(2);
+      expect(vars.find((v) => v.key === "KEY1")?.value).toBe("value1");
+      expect(vars.find((v) => v.key === "KEY2")?.value).toBe("value2");
+      expect(vars.every((v) => v.source === "local")).toBe(true);
+    });
+
+    it("should return empty array if no vars", () => {
+      const vars = listEnv("local", testDir);
+
+      expect(vars).toEqual([]);
+    });
+  });
+
+  describe("resolveAllEnv", () => {
+    it("should merge defaults with local vars", () => {
+      const defaults = { KEY1: "default1", KEY2: "default2" };
+      setLocalEnvVar("KEY2", "local2", testDir);
+
+      const resolved = resolveAllEnv(defaults, testDir);
+
+      expect(resolved.get("KEY1")?.value).toBe("default1");
+      expect(resolved.get("KEY1")?.source).toBe("default");
+      expect(resolved.get("KEY2")?.value).toBe("local2");
+      expect(resolved.get("KEY2")?.source).toBe("local");
+    });
+
+    it("should work with empty defaults", () => {
+      setLocalEnvVar("KEY", "value", testDir);
+
+      const resolved = resolveAllEnv({}, testDir);
+
+      expect(resolved.get("KEY")?.value).toBe("value");
+    });
+  });
+
+  describe("resolveToolEnv", () => {
+    it("should resolve env vars from tool declarations", () => {
+      setLocalEnvVar("API_URL", "https://api.example.com", testDir);
+
+      const declarations = {
+        API_URL: { description: "API endpoint" },
+        TIMEOUT: { description: "Timeout in ms", default: "5000" },
+      };
+
+      const { resolved, missing } = resolveToolEnv(declarations, testDir);
+
+      expect(missing).toEqual([]);
+      expect(resolved.get("API_URL")?.value).toBe("https://api.example.com");
+      expect(resolved.get("TIMEOUT")?.value).toBe("5000");
+      expect(resolved.get("TIMEOUT")?.source).toBe("default");
+    });
+
+    it("should report missing required vars", () => {
+      const declarations = {
+        REQUIRED_VAR: { description: "This is required" },
+        OPTIONAL_VAR: { description: "This has default", default: "default" },
+      };
+
+      const { resolved, missing } = resolveToolEnv(declarations, testDir);
+
+      expect(missing).toEqual(["REQUIRED_VAR"]);
+      expect(resolved.get("OPTIONAL_VAR")?.value).toBe("default");
+    });
+
+    it("should skip secret declarations", () => {
+      setLocalEnvVar("SECRET_KEY", "should-not-be-used", testDir);
+
+      const declarations = {
+        SECRET_KEY: { description: "API secret", secret: true },
+        NORMAL_KEY: { description: "Normal key", default: "default" },
+      };
+
+      const { resolved, missing } = resolveToolEnv(declarations, testDir);
+
+      expect(resolved.has("SECRET_KEY")).toBe(false);
+      expect(resolved.get("NORMAL_KEY")?.value).toBe("default");
+      expect(missing).toEqual([]);
+    });
+  });
+
+  describe("hasLocalEnv", () => {
+    it("should return true if local .env exists", () => {
+      setLocalEnvVar("KEY", "value", testDir);
+
+      expect(hasLocalEnv(testDir)).toBe(true);
+    });
+
+    it("should return false if local .env doesn't exist", () => {
+      expect(hasLocalEnv(testDir)).toBe(false);
+    });
+  });
+});