@enactprotocol/secrets 2.0.0

package/tests/keyring.test.ts

@@ -0,0 +1,250 @@
+import { beforeEach, describe, expect, it } from "bun:test";
+import { KEYRING_SERVICE } from "../src/types";
+import {
+  createMockKeyringFunctions,
+  mockKeyring,
+  resetMockKeyring,
+  seedMockKeyring,
+} from "./mocks/keyring";
+
+describe("keyring", () => {
+  const testService = "test-enact-cli";
+  const { setSecret, getSecret, listSecrets, deleteSecret, secretExists, listAllSecrets } =
+    createMockKeyringFunctions(testService);
+
+  beforeEach(() => {
+    resetMockKeyring();
+  });
+
+  describe("KEYRING_SERVICE", () => {
+    it("should be defined as enact-cli", () => {
+      expect(KEYRING_SERVICE).toBe("enact-cli");
+    });
+  });
+
+  describe("setSecret", () => {
+    it("should store a secret in the keyring", async () => {
+      await setSecret("alice/api", "API_KEY", "secret123");
+      const stored = await mockKeyring.getPassword(testService, "alice/api:API_KEY");
+      expect(stored).toBe("secret123");
+    });
+
+    it("should store multiple secrets for different namespaces", async () => {
+      await setSecret("alice/api", "KEY1", "value1");
+      await setSecret("bob/api", "KEY2", "value2");
+
+      expect(await mockKeyring.getPassword(testService, "alice/api:KEY1")).toBe("value1");
+      expect(await mockKeyring.getPassword(testService, "bob/api:KEY2")).toBe("value2");
+    });
+
+    it("should overwrite existing secret", async () => {
+      await setSecret("alice/api", "API_KEY", "old-value");
+      await setSecret("alice/api", "API_KEY", "new-value");
+
+      expect(await mockKeyring.getPassword(testService, "alice/api:API_KEY")).toBe("new-value");
+    });
+
+    it("should handle empty namespace", async () => {
+      await setSecret("", "GLOBAL_KEY", "global-value");
+      expect(await mockKeyring.getPassword(testService, ":GLOBAL_KEY")).toBe("global-value");
+    });
+
+    it("should handle special characters in key names", async () => {
+      await setSecret("namespace", "MY_API_KEY_123", "special-value");
+      expect(await mockKeyring.getPassword(testService, "namespace:MY_API_KEY_123")).toBe(
+        "special-value"
+      );
+    });
+  });
+
+  describe("getSecret", () => {
+    it("should retrieve a stored secret", async () => {
+      await setSecret("alice/api", "API_KEY", "secret123");
+      const result = await getSecret("alice/api", "API_KEY");
+      expect(result).toBe("secret123");
+    });
+
+    it("should return null for non-existent secret", async () => {
+      const result = await getSecret("alice/api", "NONEXISTENT");
+      expect(result).toBeNull();
+    });
+
+    it("should return null for non-existent namespace", async () => {
+      const result = await getSecret("nonexistent/namespace", "KEY");
+      expect(result).toBeNull();
+    });
+
+    it("should differentiate between namespaces", async () => {
+      await setSecret("alice/api", "API_KEY", "alice-secret");
+      await setSecret("bob/api", "API_KEY", "bob-secret");
+
+      const aliceResult = await getSecret("alice/api", "API_KEY");
+      const bobResult = await getSecret("bob/api", "API_KEY");
+
+      expect(aliceResult).toBe("alice-secret");
+      expect(bobResult).toBe("bob-secret");
+    });
+  });
+
+  describe("listSecrets", () => {
+    it("should return empty array for namespace with no secrets", async () => {
+      const result = await listSecrets("empty/namespace");
+      expect(result).toEqual([]);
+    });
+
+    it("should list all secrets in a namespace", async () => {
+      await setSecret("alice/api", "KEY1", "value1");
+      await setSecret("alice/api", "KEY2", "value2");
+      await setSecret("alice/api", "KEY3", "value3");
+
+      const result = await listSecrets("alice/api");
+      expect(result).toHaveLength(3);
+      expect(result).toContain("KEY1");
+      expect(result).toContain("KEY2");
+      expect(result).toContain("KEY3");
+    });
+
+    it("should only list secrets for specified namespace", async () => {
+      await setSecret("alice/api", "ALICE_KEY", "alice-value");
+      await setSecret("bob/api", "BOB_KEY", "bob-value");
+
+      const aliceSecrets = await listSecrets("alice/api");
+      const bobSecrets = await listSecrets("bob/api");
+
+      expect(aliceSecrets).toEqual(["ALICE_KEY"]);
+      expect(bobSecrets).toEqual(["BOB_KEY"]);
+    });
+
+    it("should handle nested namespaces correctly", async () => {
+      await setSecret("alice", "ROOT_KEY", "root-value");
+      await setSecret("alice/api", "API_KEY", "api-value");
+      await setSecret("alice/api/slack", "SLACK_KEY", "slack-value");
+
+      const rootSecrets = await listSecrets("alice");
+      const apiSecrets = await listSecrets("alice/api");
+      const slackSecrets = await listSecrets("alice/api/slack");
+
+      expect(rootSecrets).toEqual(["ROOT_KEY"]);
+      expect(apiSecrets).toEqual(["API_KEY"]);
+      expect(slackSecrets).toEqual(["SLACK_KEY"]);
+    });
+  });
+
+  describe("deleteSecret", () => {
+    it("should delete an existing secret", async () => {
+      await setSecret("alice/api", "API_KEY", "secret123");
+      const deleted = await deleteSecret("alice/api", "API_KEY");
+
+      expect(deleted).toBe(true);
+      expect(await getSecret("alice/api", "API_KEY")).toBeNull();
+    });
+
+    it("should return false for non-existent secret", async () => {
+      const deleted = await deleteSecret("alice/api", "NONEXISTENT");
+      expect(deleted).toBe(false);
+    });
+
+    it("should only delete specified secret", async () => {
+      await setSecret("alice/api", "KEY1", "value1");
+      await setSecret("alice/api", "KEY2", "value2");
+
+      await deleteSecret("alice/api", "KEY1");
+
+      expect(await getSecret("alice/api", "KEY1")).toBeNull();
+      expect(await getSecret("alice/api", "KEY2")).toBe("value2");
+    });
+
+    it("should not affect other namespaces", async () => {
+      await setSecret("alice/api", "KEY", "alice-value");
+      await setSecret("bob/api", "KEY", "bob-value");
+
+      await deleteSecret("alice/api", "KEY");
+
+      expect(await getSecret("alice/api", "KEY")).toBeNull();
+      expect(await getSecret("bob/api", "KEY")).toBe("bob-value");
+    });
+  });
+
+  describe("secretExists", () => {
+    it("should return true for existing secret", async () => {
+      await setSecret("namespace", "KEY", "value");
+      const exists = await secretExists("namespace", "KEY");
+      expect(exists).toBe(true);
+    });
+
+    it("should return false for non-existent secret", async () => {
+      const exists = await secretExists("namespace", "NONEXISTENT");
+      expect(exists).toBe(false);
+    });
+  });
+
+  describe("listAllSecrets", () => {
+    it("should return empty array when no secrets exist", async () => {
+      const result = await listAllSecrets();
+      expect(result).toEqual([]);
+    });
+
+    it("should list all secrets across all namespaces", async () => {
+      await setSecret("alice/api", "KEY1", "value1");
+      await setSecret("bob/api", "KEY2", "value2");
+      await setSecret("charlie", "KEY3", "value3");
+
+      const result = await listAllSecrets();
+      expect(result).toHaveLength(3);
+      expect(result).toContainEqual({ namespace: "alice/api", key: "KEY1" });
+      expect(result).toContainEqual({ namespace: "bob/api", key: "KEY2" });
+      expect(result).toContainEqual({ namespace: "charlie", key: "KEY3" });
+    });
+  });
+
+  describe("seedMockKeyring", () => {
+    it("should seed the mock keyring with test data", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice/api", name: "KEY1", value: "value1" },
+        { namespace: "bob/api", name: "KEY2", value: "value2" },
+      ]);
+
+      const result1 = await getSecret("alice/api", "KEY1");
+      const result2 = await getSecret("bob/api", "KEY2");
+
+      expect(result1).toBe("value1");
+      expect(result2).toBe("value2");
+    });
+  });
+
+  describe("edge cases", () => {
+    it("should handle secrets with empty values", async () => {
+      await setSecret("namespace", "EMPTY_KEY", "");
+      const result = await getSecret("namespace", "EMPTY_KEY");
+      expect(result).toBe("");
+    });
+
+    it("should handle secrets with special characters in values", async () => {
+      const specialValue = "pass=word!@#$%^&*()[]{}|;':\",./<>?`~";
+      await setSecret("namespace", "SPECIAL_KEY", specialValue);
+      const result = await getSecret("namespace", "SPECIAL_KEY");
+      expect(result).toBe(specialValue);
+    });
+
+    it("should handle secrets with newlines", async () => {
+      const multilineValue = "line1\nline2\nline3";
+      await setSecret("namespace", "MULTILINE_KEY", multilineValue);
+      const result = await getSecret("namespace", "MULTILINE_KEY");
+      expect(result).toBe(multilineValue);
+    });
+
+    it("should handle unicode in values", async () => {
+      const unicodeValue = "emoji: 🔐 日本語 中文";
+      await setSecret("namespace", "UNICODE_KEY", unicodeValue);
+      const result = await getSecret("namespace", "UNICODE_KEY");
+      expect(result).toBe(unicodeValue);
+    });
+
+    it("should handle very long namespace paths", async () => {
+      const longNamespace = "org/team/project/service/component/instance";
+      await setSecret(longNamespace, "KEY", "deep-value");
+      const result = await getSecret(longNamespace, "KEY");
+      expect(result).toBe("deep-value");
+    });
+  });
+});

package/tests/mocks/keyring.ts

@@ -0,0 +1,164 @@
+/**
+ * Mock keyring for testing
+ *
+ * Provides an in-memory implementation of the keyring interface
+ * that can be used in tests without touching the real system keyring.
+ */
+
+import type { SecretMetadata } from "../../src/types";
+
+interface Credential {
+  account: string;
+  password: string;
+}
+
+/**
+ * In-memory credential store
+ */
+const store = new Map<string, Map<string, string>>();
+
+/**
+ * Mock keyring implementation
+ */
+export const mockKeyring = {
+  /**
+   * Set a password in the mock keyring
+   */
+  async setPassword(service: string, account: string, password: string): Promise<void> {
+    if (!store.has(service)) {
+      store.set(service, new Map());
+    }
+    store.get(service)?.set(account, password);
+  },
+
+  /**
+   * Get a password from the mock keyring
+   */
+  async getPassword(service: string, account: string): Promise<string | null> {
+    const serviceStore = store.get(service);
+    if (!serviceStore) {
+      return null;
+    }
+    return serviceStore.get(account) ?? null;
+  },
+
+  /**
+   * Delete a password from the mock keyring
+   */
+  async deletePassword(service: string, account: string): Promise<boolean> {
+    const serviceStore = store.get(service);
+    if (!serviceStore) {
+      return false;
+    }
+    return serviceStore.delete(account);
+  },
+
+  /**
+   * Find all credentials for a service
+   */
+  async findCredentials(service: string): Promise<Credential[]> {
+    const serviceStore = store.get(service);
+    if (!serviceStore) {
+      return [];
+    }
+
+    const credentials: Credential[] = [];
+    for (const [account, password] of serviceStore.entries()) {
+      credentials.push({ account, password });
+    }
+    return credentials;
+  },
+
+  /**
+   * Clear all credentials (for test cleanup)
+   */
+  clear(): void {
+    store.clear();
+  },
+
+  /**
+   * Clear credentials for a specific service
+   */
+  clearService(service: string): void {
+    store.delete(service);
+  },
+
+  /**
+   * Get all stored credentials (for debugging)
+   */
+  getAll(): Map<string, Map<string, string>> {
+    return new Map(store);
+  },
+};
+
+/**
+ * Create mock keyring functions that use the mock store
+ * These have the same signature as the real keyring functions
+ */
+export function createMockKeyringFunctions(service: string) {
+  const getSecretFn = async (namespace: string, name: string): Promise<string | null> => {
+    const account = `${namespace}:${name}`;
+    return mockKeyring.getPassword(service, account);
+  };
+
+  return {
+    async setSecret(namespace: string, name: string, value: string): Promise<void> {
+      const account = `${namespace}:${name}`;
+      await mockKeyring.setPassword(service, account, value);
+    },
+
+    getSecret: getSecretFn,
+
+    async deleteSecret(namespace: string, name: string): Promise<boolean> {
+      const account = `${namespace}:${name}`;
+      return mockKeyring.deletePassword(service, account);
+    },
+
+    async listSecrets(namespace: string): Promise<string[]> {
+      const credentials = await mockKeyring.findCredentials(service);
+      const prefix = `${namespace}:`;
+      return credentials
+        .filter((cred) => cred.account.startsWith(prefix))
+        .map((cred) => cred.account.slice(prefix.length));
+    },
+
+    async listAllSecrets(): Promise<SecretMetadata[]> {
+      const credentials = await mockKeyring.findCredentials(service);
+      return credentials.map((cred) => {
+        const colonIndex = cred.account.lastIndexOf(":");
+        return {
+          key: cred.account.slice(colonIndex + 1),
+          namespace: cred.account.slice(0, colonIndex),
+        };
+      });
+    },
+
+    async secretExists(namespace: string, name: string): Promise<boolean> {
+      const value = await getSecretFn(namespace, name);
+      return value !== null;
+    },
+  };
+}
+
+/**
+ * Reset the mock keyring between tests
+ */
+export function resetMockKeyring(): void {
+  mockKeyring.clear();
+}
+
+/**
+ * Seed the mock keyring with test data
+ */
+export function seedMockKeyring(
+  service: string,
+  secrets: Array<{ namespace: string; name: string; value: string }>
+): void {
+  for (const { namespace, name, value } of secrets) {
+    const account = `${namespace}:${name}`;
+    if (!store.has(service)) {
+      store.set(service, new Map());
+    }
+    store.get(service)?.set(account, value);
+  }
+}

package/tests/resolver.test.ts

@@ -0,0 +1,287 @@
+import { beforeEach, describe, expect, it, mock } from "bun:test";
+import { KEYRING_SERVICE } from "../src/types";
+import { mockKeyring, resetMockKeyring, seedMockKeyring } from "./mocks/keyring";
+
+// Mock the keyring module before importing resolver
+mock.module("../src/keyring", () => ({
+  getSecret: async (namespace: string, name: string) => {
+    const account = `${namespace}:${name}`;
+    return mockKeyring.getPassword(KEYRING_SERVICE, account);
+  },
+}));
+
+// Import after mocking
+const {
+  getNamespaceChain,
+  resolveSecret,
+  traceSecretResolution,
+  resolveSecrets,
+  checkRequiredSecrets,
+} = await import("../src/resolver");
+
+describe("resolver", () => {
+  const testService = KEYRING_SERVICE;
+
+  beforeEach(() => {
+    resetMockKeyring();
+  });
+
+  describe("getNamespaceChain", () => {
+    it("should return the full namespace chain for a path", () => {
+      const chain = getNamespaceChain("alice/api/slack");
+      expect(chain).toEqual(["alice/api/slack", "alice/api", "alice"]);
+    });
+
+    it("should return single element for simple namespace", () => {
+      const chain = getNamespaceChain("alice");
+      expect(chain).toEqual(["alice"]);
+    });
+
+    it("should return empty array for empty string", () => {
+      const chain = getNamespaceChain("");
+      expect(chain).toEqual([]);
+    });
+
+    it("should handle deep namespaces", () => {
+      const chain = getNamespaceChain("org/team/project/service/component");
+      expect(chain).toEqual([
+        "org/team/project/service/component",
+        "org/team/project/service",
+        "org/team/project",
+        "org/team",
+        "org",
+      ]);
+    });
+
+    it("should handle leading/trailing slashes", () => {
+      const chain = getNamespaceChain("/alice/api/");
+      expect(chain).toEqual(["alice/api", "alice"]);
+    });
+
+    it("should handle multiple consecutive slashes", () => {
+      const chain = getNamespaceChain("alice//api");
+      expect(chain).toEqual(["alice/api", "alice"]);
+    });
+  });
+
+  describe("resolveSecret", () => {
+    it("should find secret in exact namespace", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice/api/slack", name: "API_TOKEN", value: "slack-token" },
+      ]);
+
+      const result = await resolveSecret("alice/api/slack", "API_TOKEN");
+
+      expect(result.found).toBe(true);
+      if (result.found) {
+        expect(result.namespace).toBe("alice/api/slack");
+        expect(result.value).toBe("slack-token");
+      }
+    });
+
+    it("should walk up namespace chain to find secret", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice/api", name: "API_TOKEN", value: "api-level-token" },
+      ]);
+
+      const result = await resolveSecret("alice/api/slack", "API_TOKEN");
+
+      expect(result.found).toBe(true);
+      if (result.found) {
+        expect(result.namespace).toBe("alice/api");
+        expect(result.value).toBe("api-level-token");
+      }
+    });
+
+    it("should find secret at root namespace", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice", name: "SHARED_KEY", value: "root-level-key" },
+      ]);
+
+      const result = await resolveSecret("alice/api/slack", "SHARED_KEY");
+
+      expect(result.found).toBe(true);
+      if (result.found) {
+        expect(result.namespace).toBe("alice");
+        expect(result.value).toBe("root-level-key");
+      }
+    });
+
+    it("should prefer more specific namespace", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice", name: "API_TOKEN", value: "root-token" },
+        { namespace: "alice/api", name: "API_TOKEN", value: "api-token" },
+        { namespace: "alice/api/slack", name: "API_TOKEN", value: "slack-token" },
+      ]);
+
+      const result = await resolveSecret("alice/api/slack", "API_TOKEN");
+
+      expect(result.found).toBe(true);
+      if (result.found) {
+        expect(result.namespace).toBe("alice/api/slack");
+        expect(result.value).toBe("slack-token");
+      }
+    });
+
+    it("should return not found for missing secret", async () => {
+      const result = await resolveSecret("alice/api/slack", "NONEXISTENT");
+
+      expect(result.found).toBe(false);
+      if (!result.found) {
+        expect(result.searchedNamespaces).toEqual(["alice/api/slack", "alice/api", "alice"]);
+      }
+    });
+
+    it("should include key in result", async () => {
+      seedMockKeyring(testService, [{ namespace: "alice", name: "MY_SECRET", value: "value" }]);
+
+      const result = await resolveSecret("alice/api", "MY_SECRET");
+
+      expect(result.key).toBe("MY_SECRET");
+    });
+  });
+
+  describe("traceSecretResolution", () => {
+    it("should trace all checked namespaces", async () => {
+      seedMockKeyring(testService, [{ namespace: "alice/api", name: "API_TOKEN", value: "token" }]);
+
+      const trace = await traceSecretResolution("alice/api/slack", "API_TOKEN");
+
+      expect(trace.key).toBe("API_TOKEN");
+      expect(trace.toolPath).toBe("alice/api/slack");
+      expect(trace.entries).toHaveLength(3);
+
+      // First entry (most specific) - not found
+      const entry0 = trace.entries[0];
+      const entry1 = trace.entries[1];
+      const entry2 = trace.entries[2];
+      expect(entry0).toBeDefined();
+      expect(entry1).toBeDefined();
+      expect(entry2).toBeDefined();
+
+      expect(entry0?.namespace).toBe("alice/api/slack");
+      expect(entry0?.found).toBe(false);
+
+      // Second entry - found
+      expect(entry1?.namespace).toBe("alice/api");
+      expect(entry1?.found).toBe(true);
+
+      // Third entry - not found (but would have been checked)
+      expect(entry2?.namespace).toBe("alice");
+      expect(entry2?.found).toBe(false);
+
+      // Result should be the first found
+      expect(trace.result.found).toBe(true);
+      if (trace.result.found) {
+        expect(trace.result.namespace).toBe("alice/api");
+      }
+    });
+
+    it("should trace all namespaces when secret not found", async () => {
+      const trace = await traceSecretResolution("alice/api", "MISSING");
+
+      expect(trace.entries).toHaveLength(2);
+      expect(trace.entries.every((e) => !e.found)).toBe(true);
+      expect(trace.result.found).toBe(false);
+    });
+
+    it("should include account format in entries", async () => {
+      seedMockKeyring(testService, [{ namespace: "alice", name: "KEY", value: "value" }]);
+
+      const trace = await traceSecretResolution("alice/api", "KEY");
+      const entry0 = trace.entries[0];
+      const entry1 = trace.entries[1];
+
+      expect(entry0?.account).toBe("alice/api:KEY");
+      expect(entry1?.account).toBe("alice:KEY");
+    });
+  });
+
+  describe("resolveSecrets", () => {
+    it("should resolve multiple secrets", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice", name: "KEY1", value: "value1" },
+        { namespace: "alice/api", name: "KEY2", value: "value2" },
+      ]);
+
+      const results = await resolveSecrets("alice/api", ["KEY1", "KEY2", "KEY3"]);
+
+      expect(results.size).toBe(3);
+
+      const key1 = results.get("KEY1");
+      expect(key1?.found).toBe(true);
+      if (key1?.found) {
+        expect(key1.value).toBe("value1");
+      }
+
+      const key2 = results.get("KEY2");
+      expect(key2?.found).toBe(true);
+      if (key2?.found) {
+        expect(key2.value).toBe("value2");
+      }
+
+      const key3 = results.get("KEY3");
+      expect(key3?.found).toBe(false);
+    });
+
+    it("should return empty map for empty secret list", async () => {
+      const results = await resolveSecrets("alice/api", []);
+      expect(results.size).toBe(0);
+    });
+  });
+
+  describe("checkRequiredSecrets", () => {
+    it("should report all found when all secrets exist", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice", name: "KEY1", value: "value1" },
+        { namespace: "alice/api", name: "KEY2", value: "value2" },
+      ]);
+
+      const check = await checkRequiredSecrets("alice/api", ["KEY1", "KEY2"]);
+
+      expect(check.allFound).toBe(true);
+      expect(check.found).toHaveLength(2);
+      expect(check.missing).toEqual([]);
+    });
+
+    it("should report missing secrets", async () => {
+      seedMockKeyring(testService, [{ namespace: "alice", name: "KEY1", value: "value1" }]);
+
+      const check = await checkRequiredSecrets("alice/api", ["KEY1", "KEY2", "KEY3"]);
+
+      expect(check.allFound).toBe(false);
+      expect(check.found).toHaveLength(1);
+      expect(check.missing).toEqual(["KEY2", "KEY3"]);
+    });
+
+    it("should report all missing when no secrets exist", async () => {
+      const check = await checkRequiredSecrets("alice/api", ["KEY1", "KEY2"]);
+
+      expect(check.allFound).toBe(false);
+      expect(check.found).toHaveLength(0);
+      expect(check.missing).toEqual(["KEY1", "KEY2"]);
+    });
+
+    it("should return allFound true for empty required list", async () => {
+      const check = await checkRequiredSecrets("alice/api", []);
+
+      expect(check.allFound).toBe(true);
+      expect(check.found).toHaveLength(0);
+      expect(check.missing).toEqual([]);
+    });
+
+    it("should include resolution details in found results", async () => {
+      seedMockKeyring(testService, [
+        { namespace: "alice", name: "SHARED_KEY", value: "shared-value" },
+      ]);
+
+      const check = await checkRequiredSecrets("alice/api/slack", ["SHARED_KEY"]);
+      const foundResult = check.found[0];
+      expect(foundResult).toBeDefined();
+
+      expect(foundResult?.namespace).toBe("alice");
+      expect(foundResult?.value).toBe("shared-value");
+      expect(foundResult?.key).toBe("SHARED_KEY");
+    });
+  });
+});