@marcusrbrown/infra 0.7.0 → 0.8.1

package/src/commands/cliproxy/setup/smoke-test.ts

@@ -0,0 +1,223 @@
+/// <reference types="bun" />
+
+import {z} from 'zod'
+
+export type SmokeResult =
+  | {kind: 'pass'; message: string; runUrl: string}
+  | {kind: 'fail'; message: string; runUrl: string}
+  | {kind: 'unverified'; message: string; runUrl?: string}
+
+// Zod schemas for gh CLI JSON output — single source of truth.
+const baselineRunSchema = z.array(z.object({databaseId: z.number()}))
+
+const ghRunEntrySchema = z.object({
+  databaseId: z.number(),
+  status: z.string(),
+  conclusion: z.string().nullable(),
+  url: z.string(),
+  createdAt: z.string(),
+})
+
+// Exported for tests only.
+export type GhRunEntry = z.infer<typeof ghRunEntrySchema>
+
+// Exported for tests only. Override poll delays and trigger time.
+export interface SmokeTestInternals {
+  /** Override per-poll delay in ms (default: real backoff schedule). */
+  _testDelayMs?: number
+  /** Override the trigger timestamp used for createdAt heuristic. */
+  _testTriggerTime?: Date
+}
+
+/**
+ * Run an optional post-mutation smoke test by triggering `fro-bot.yaml` and
+ * polling for completion. Returns a non-blocking SmokeResult — never throws.
+ *
+ * Race-safe: captures the highest existing run ID before triggering, then
+ * filters poll results to runs with databaseId > baselineId. When no prior
+ * runs exist (baselineId=null), falls back to createdAt > triggerTime.
+ *
+ * Known edge case: if a concurrent contributor's run appears before ours,
+ * we pick the highest databaseId above baseline — this may misattribute
+ * the concurrent run as ours. This is the best heuristic available without
+ * a run-specific correlation ID from `gh workflow run`.
+ */
+export async function runSmokeTest(
+  repo: string,
+  _model: string,
+  internals: SmokeTestInternals = {},
+): Promise<SmokeResult> {
+  const BACKOFF_MS = [5_000, 15_000, 30_000, 60_000, 60_000]
+  const delayFn = async (ms: number): Promise<void> => {
+    if (internals._testDelayMs !== undefined) {
+      if (internals._testDelayMs > 0) {
+        await new Promise(resolve => setTimeout(resolve, internals._testDelayMs))
+      }
+      return
+    }
+    await new Promise(resolve => setTimeout(resolve, ms))
+  }
+
+  const repoUrl = `https://github.com/${repo}`
+
+  // ── Step 1: Capture baseline run ID ──────────────────────────────────────
+  let baselineId: number | null = null
+  try {
+    const baselineChild = Bun.spawn(
+      ['gh', 'run', 'list', '--workflow=fro-bot.yaml', '--repo', repo, '--limit', '1', '--json', 'databaseId'],
+      {stdout: 'pipe', stderr: 'pipe', env: process.env},
+    )
+    const [baselineStdout, , baselineExit] = await Promise.all([
+      new Response(baselineChild.stdout).text(),
+      new Response(baselineChild.stderr).text(),
+      baselineChild.exited,
+    ])
+    if (baselineExit === 0) {
+      const parseResult = baselineRunSchema.safeParse(JSON.parse(baselineStdout))
+      if (parseResult.success && parseResult.data.length > 0 && parseResult.data[0]) {
+        baselineId = parseResult.data[0].databaseId
+      }
+      // If schema validation fails, baselineId stays null — we'll use createdAt heuristic
+    }
+    // If baseline call fails, baselineId stays null — we'll use createdAt heuristic
+  } catch {
+    // Network/parse error — continue with null baseline
+  }
+
+  // ── Step 2: Trigger the workflow ──────────────────────────────────────────
+  const triggerTime = internals._testTriggerTime ?? new Date()
+
+  const triggerChild = Bun.spawn(
+    ['gh', 'workflow', 'run', 'fro-bot.yaml', '--repo', repo, '-f', 'prompt=reply with exactly: ack'],
+    {stdout: 'pipe', stderr: 'pipe', env: process.env},
+  )
+  const [, triggerStderr, triggerExit] = await Promise.all([
+    new Response(triggerChild.stdout).text(),
+    new Response(triggerChild.stderr).text(),
+    triggerChild.exited,
+  ])
+
+  if (triggerExit !== 0) {
+    const redacted = triggerStderr.slice(0, 200)
+    return {kind: 'unverified', message: `gh workflow run failed: ${redacted}`}
+  }
+
+  // ── Step 3: Poll for the new run ──────────────────────────────────────────
+  let latestMatchedRun: GhRunEntry | undefined
+
+  for (const BACKOFF_M of BACKOFF_MS) {
+    await delayFn(BACKOFF_M ?? 60_000)
+
+    let pollRuns: GhRunEntry[] = []
+    try {
+      const pollChild = Bun.spawn(
+        [
+          'gh',
+          'run',
+          'list',
+          '--workflow=fro-bot.yaml',
+          '--repo',
+          repo,
+          '--limit',
+          '5',
+          '--json',
+          'databaseId,status,conclusion,url,createdAt',
+        ],
+        {stdout: 'pipe', stderr: 'pipe', env: process.env},
+      )
+      const [pollStdout, , pollExit] = await Promise.all([
+        new Response(pollChild.stdout).text(),
+        new Response(pollChild.stderr).text(),
+        pollChild.exited,
+      ])
+      if (pollExit === 0) {
+        const rawParsed: unknown = JSON.parse(pollStdout)
+        if (Array.isArray(rawParsed)) {
+          // Validate each entry independently so a single malformed row does not
+          // discard the whole batch — dropping a legitimate matching run would be
+          // worse than skipping the bad entry.
+          pollRuns = rawParsed.flatMap(entry => {
+            const entryResult = ghRunEntrySchema.safeParse(entry)
+            return entryResult.success ? [entryResult.data] : []
+          })
+        }
+        // Non-array payload or all entries malformed → pollRuns stays [] — retry on next poll
+      }
+    } catch {
+      // Parse/network error — retry on next poll
+      continue
+    }
+
+    // Filter to runs triggered after our baseline
+    const candidates = pollRuns.filter(run => {
+      if (baselineId !== null) {
+        return run.databaseId > baselineId
+      }
+      // No baseline: use createdAt heuristic
+      return new Date(run.createdAt) > triggerTime
+    })
+
+    if (candidates.length === 0) {
+      // Our run not visible yet — keep polling
+      continue
+    }
+
+    // Pick the highest databaseId from candidates (most likely ours)
+    const matched = candidates.reduce((best, run) => (run.databaseId > best.databaseId ? run : best))
+    latestMatchedRun = matched
+
+    const {status, conclusion, url: runUrl} = matched
+
+    // Environment approval gate (simplified — the pending+approval branch was dead).
+    // When status=pending, gh returns conclusion=null, so /approval/i.test('') = false.
+    // Only status=waiting triggers the env-approval gate.
+    if (status === 'waiting') {
+      return {kind: 'unverified', message: `Workflow requires environment approval at ${runUrl}`, runUrl}
+    }
+
+    if (status === 'completed') {
+      if (conclusion === 'success') {
+        // Best-effort log grep for "ack"
+        let logNote = ''
+        try {
+          const logChild = Bun.spawn(['gh', 'run', 'view', String(matched.databaseId), '--log', '--repo', repo], {
+            stdout: 'pipe',
+            stderr: 'pipe',
+            env: process.env,
+          })
+          const [logStdout, , logExit] = await Promise.all([
+            new Response(logChild.stdout).text(),
+            new Response(logChild.stderr).text(),
+            logChild.exited,
+          ])
+          if (logExit !== 0) {
+            logNote = ' (log fetch failed, but run conclusion is success)'
+          } else if (!/\back\b/i.test(logStdout)) {
+            logNote = ' (log fetch succeeded but "ack" not found in output)'
+          }
+        } catch {
+          logNote = ' (log fetch failed, but run conclusion is success)'
+        }
+        return {kind: 'pass', message: `Smoke test passed${logNote}`, runUrl}
+      }
+
+      return {kind: 'fail', message: `Run completed with conclusion=${conclusion ?? 'unknown'}`, runUrl}
+    }
+
+    // Still in progress (queued, in_progress, pending) — continue polling
+  }
+
+  // All polls exhausted
+  if (latestMatchedRun) {
+    return {
+      kind: 'unverified',
+      message: `Smoke test did not complete in 5 minutes; check ${latestMatchedRun.url}`,
+      runUrl: latestMatchedRun.url,
+    }
+  }
+
+  return {
+    kind: 'unverified',
+    message: `Smoke test trigger not yet visible; check ${repoUrl}/actions`,
+  }
+}

package/src/commands/cliproxy/setup/templates.test.ts

@@ -0,0 +1,358 @@
+/// <reference types="bun" />
+
+import {describe, expect, it} from 'bun:test'
+
+import {
+  collectCollisions,
+  formatTemplateSummary,
+  getHarnessTemplate,
+  harnessSchema,
+  stripTrailingSlash,
+  type HarnessTemplate,
+  type SecretAssignment,
+  type VariableAssignment,
+} from './templates'
+
+// ── stripTrailingSlash (new unit tests — RED first) ──────────────────────────
+
+describe('stripTrailingSlash', () => {
+  it('removes a trailing slash', () => {
+    expect(stripTrailingSlash('https://example.com/')).toBe('https://example.com')
+  })
+
+  it('is a no-op when there is no trailing slash', () => {
+    expect(stripTrailingSlash('https://example.com')).toBe('https://example.com')
+  })
+
+  it('returns empty string for empty input', () => {
+    expect(stripTrailingSlash('')).toBe('')
+  })
+
+  it('removes only one trailing slash', () => {
+    expect(stripTrailingSlash('https://example.com//')).toBe('https://example.com/')
+  })
+})
+
+// ── harnessSchema (new unit test) ────────────────────────────────────────────
+
+describe('harnessSchema', () => {
+  it('parses valid harness values', () => {
+    expect(harnessSchema.parse('opencode')).toBe('opencode')
+    expect(harnessSchema.parse('claude-code')).toBe('claude-code')
+    expect(harnessSchema.parse('generic')).toBe('generic')
+  })
+
+  it('throws on invalid harness value', () => {
+    expect(() => harnessSchema.parse('unknown')).toThrow()
+  })
+})
+
+// ── collectCollisions (new unit tests — RED first) ───────────────────────────
+
+describe('collectCollisions', () => {
+  const template: HarnessTemplate = {
+    secrets: [
+      {name: 'OPENCODE_AUTH_JSON', value: 'x'},
+      {name: 'OPENCODE_CONFIG', value: 'y'},
+    ],
+    variables: [{name: 'FRO_BOT_MODEL', value: 'z'}],
+  }
+
+  it('returns empty array when no collisions', () => {
+    expect(collectCollisions(template, [], [])).toEqual([])
+  })
+
+  it('detects a colliding secret', () => {
+    const result = collectCollisions(template, ['OPENCODE_AUTH_JSON'], [])
+    expect(result).toContain('secret OPENCODE_AUTH_JSON')
+  })
+
+  it('detects a colliding variable', () => {
+    const result = collectCollisions(template, [], ['FRO_BOT_MODEL'])
+    expect(result).toContain('variable FRO_BOT_MODEL')
+  })
+
+  it('detects multiple collisions', () => {
+    const result = collectCollisions(template, ['OPENCODE_AUTH_JSON', 'OPENCODE_CONFIG'], ['FRO_BOT_MODEL'])
+    expect(result).toHaveLength(3)
+    expect(result).toContain('secret OPENCODE_AUTH_JSON')
+    expect(result).toContain('secret OPENCODE_CONFIG')
+    expect(result).toContain('variable FRO_BOT_MODEL')
+  })
+
+  it('ignores non-colliding existing names', () => {
+    const result = collectCollisions(template, ['SOME_OTHER_SECRET'], ['SOME_OTHER_VAR'])
+    expect(result).toEqual([])
+  })
+})
+
+// ── formatTemplateSummary (new unit tests — RED first) ───────────────────────
+
+describe('formatTemplateSummary', () => {
+  it('lists secrets and variables with their prefixes', () => {
+    const template: HarnessTemplate = {
+      secrets: [{name: 'OPENCODE_AUTH_JSON', value: 'x'}],
+      variables: [{name: 'FRO_BOT_MODEL', value: 'y'}],
+    }
+    const summary = formatTemplateSummary(template)
+    expect(summary).toContain('secret OPENCODE_AUTH_JSON')
+    expect(summary).toContain('variable FRO_BOT_MODEL')
+  })
+
+  it('returns only secret lines when no variables', () => {
+    const template: HarnessTemplate = {
+      secrets: [{name: 'ANTHROPIC_API_KEY', value: 'x'}],
+      variables: [],
+    }
+    const summary = formatTemplateSummary(template)
+    expect(summary).toBe('- secret ANTHROPIC_API_KEY')
+  })
+
+  it('returns empty string for empty template', () => {
+    const template: HarnessTemplate = {secrets: [], variables: []}
+    expect(formatTemplateSummary(template)).toBe('')
+  })
+})
+
+// ── getHarnessTemplate (pure-move from setup.test.ts L162) ───────────────────
+
+describe('getHarnessTemplate', () => {
+  it('returns the expected OpenCode secret and variable names', () => {
+    const template = getHarnessTemplate('opencode')
+
+    expect(template.secrets.map((entry: SecretAssignment) => entry.name)).toEqual([
+      'OPENCODE_AUTH_JSON',
+      'OPENCODE_CONFIG',
+      'OMO_PROVIDERS',
+    ])
+    expect(template.variables.map((entry: VariableAssignment) => entry.name)).toEqual(['FRO_BOT_MODEL'])
+  })
+
+  it('uses a provider-prefixed FRO_BOT_MODEL default value', () => {
+    const template = getHarnessTemplate('opencode', {keyValue: 'sk-test'})
+    const modelEntry = template.variables.find((entry: VariableAssignment) => entry.name === 'FRO_BOT_MODEL')
+
+    expect(modelEntry?.value).toMatch(/^anthropic\//)
+  })
+
+  it('uses the expected OMO_PROVIDERS default value', () => {
+    const template = getHarnessTemplate('opencode', {keyValue: 'sk-test'})
+    const providersEntry = template.secrets.find((entry: SecretAssignment) => entry.name === 'OMO_PROVIDERS')
+
+    expect(providersEntry?.value).toBe('claude-max20')
+  })
+
+  it('writes an OPENCODE_CONFIG baseURL with the /v1 suffix', () => {
+    const template = getHarnessTemplate('opencode', {keyValue: 'sk-test'})
+    const configEntry = template.secrets.find((entry: SecretAssignment) => entry.name === 'OPENCODE_CONFIG')
+    const parsed = JSON.parse(configEntry?.value ?? '{}')
+
+    expect(parsed.provider.anthropic.options.baseURL).toMatch(/\/v1$/)
+  })
+
+  it('writes OPENCODE_AUTH_JSON with type=api and the supplied key', () => {
+    const template = getHarnessTemplate('opencode', {keyValue: 'sk-test-key'})
+    const authEntry = template.secrets.find((entry: SecretAssignment) => entry.name === 'OPENCODE_AUTH_JSON')
+    const parsed = JSON.parse(authEntry?.value ?? '{}')
+
+    expect(parsed.anthropic).toEqual({type: 'api', key: 'sk-test-key'})
+  })
+})
+
+// ── getHarnessTemplate provider-aware (pure-move from setup.test.ts L508) ────
+
+describe('getHarnessTemplate provider-aware', () => {
+  // Frozen byte-identical string for the anthropic-only regression test.
+  // This is the EXACT output of getHarnessTemplate('opencode', {keyValue: 'test-key'})
+  // baseline anthropic-only output. Any change to this string is a breaking regression.
+  const ANTHROPIC_ONLY_AUTH_JSON = '{"anthropic":{"type":"api","key":"test-key"}}'
+  const ANTHROPIC_ONLY_CONFIG = '{"provider":{"anthropic":{"options":{"baseURL":"https://cliproxy.fro.bot/v1"}}}}'
+
+  describe('regression — anthropic-only (byte-identical)', () => {
+    it('no providers/model args → OPENCODE_AUTH_JSON is byte-identical to baseline', () => {
+      const template = getHarnessTemplate('opencode', {keyValue: 'test-key'})
+      const authEntry = template.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_AUTH_JSON')
+
+      expect(authEntry?.value).toBe(ANTHROPIC_ONLY_AUTH_JSON)
+    })
+
+    it('no providers/model args → OPENCODE_CONFIG is byte-identical to baseline', () => {
+      const template = getHarnessTemplate('opencode', {keyValue: 'test-key'})
+      const configEntry = template.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_CONFIG')
+
+      expect(configEntry?.value).toBe(ANTHROPIC_ONLY_CONFIG)
+    })
+
+    it('no providers/model args → OMO_PROVIDERS is claude-max20', () => {
+      const template = getHarnessTemplate('opencode', {keyValue: 'test-key'})
+      const entry = template.secrets.find((e: SecretAssignment) => e.name === 'OMO_PROVIDERS')
+
+      expect(entry?.value).toBe('claude-max20')
+    })
+
+    it('no providers/model args → FRO_BOT_MODEL is anthropic/claude-sonnet-4-6', () => {
+      const template = getHarnessTemplate('opencode', {keyValue: 'test-key'})
+      const entry = template.variables.find((e: VariableAssignment) => e.name === 'FRO_BOT_MODEL')
+
+      expect(entry?.value).toBe('anthropic/claude-sonnet-4-6')
+    })
+
+    it("explicit providers: ['anthropic'] → byte-identical to no-providers output", () => {
+      const baseline = getHarnessTemplate('opencode', {keyValue: 'test-key'})
+      const explicit = getHarnessTemplate('opencode', {keyValue: 'test-key', providers: ['anthropic']})
+
+      const baselineAuth = baseline.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_AUTH_JSON')
+      const explicitAuth = explicit.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_AUTH_JSON')
+      expect(explicitAuth?.value).toBe(baselineAuth?.value)
+
+      const baselineConfig = baseline.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_CONFIG')
+      const explicitConfig = explicit.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_CONFIG')
+      expect(explicitConfig?.value).toBe(baselineConfig?.value)
+    })
+  })
+
+  describe('openai-only provider', () => {
+    it("providers: ['openai'], model: 'openai/gpt-5.4-mini' → correct OPENCODE_AUTH_JSON", () => {
+      const template = getHarnessTemplate('opencode', {
+        keyValue: 'sk-openai-key',
+        providers: ['openai'],
+        model: 'openai/gpt-5.4-mini',
+      })
+      const authEntry = template.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_AUTH_JSON')
+
+      expect(authEntry?.value).toBe('{"openai":{"type":"api","key":"sk-openai-key"}}')
+    })
+
+    it("providers: ['openai'], model: 'openai/gpt-5.4-mini' → correct OPENCODE_CONFIG", () => {
+      const template = getHarnessTemplate('opencode', {
+        keyValue: 'sk-openai-key',
+        providers: ['openai'],
+        model: 'openai/gpt-5.4-mini',
+      })
+      const configEntry = template.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_CONFIG')
+
+      expect(configEntry?.value).toBe('{"provider":{"openai":{"options":{"baseURL":"https://cliproxy.fro.bot/v1"}}}}')
+    })
+
+    it("providers: ['openai'], model: 'openai/gpt-5.4-mini' → OMO_PROVIDERS is openai", () => {
+      const template = getHarnessTemplate('opencode', {
+        keyValue: 'sk-openai-key',
+        providers: ['openai'],
+        model: 'openai/gpt-5.4-mini',
+      })
+      const entry = template.secrets.find((e: SecretAssignment) => e.name === 'OMO_PROVIDERS')
+
+      expect(entry?.value).toBe('openai')
+    })
+
+    it("providers: ['openai'], model: 'openai/gpt-5.4-mini' → FRO_BOT_MODEL is openai/gpt-5.4-mini", () => {
+      const template = getHarnessTemplate('opencode', {
+        keyValue: 'sk-openai-key',
+        providers: ['openai'],
+        model: 'openai/gpt-5.4-mini',
+      })
+      const entry = template.variables.find((e: VariableAssignment) => e.name === 'FRO_BOT_MODEL')
+
+      expect(entry?.value).toBe('openai/gpt-5.4-mini')
+    })
+
+    it("providers: ['openai'] with no model → uses PROVIDER_DEFAULTS openai/gpt-5.4-mini", () => {
+      const template = getHarnessTemplate('opencode', {
+        keyValue: 'sk-openai-key',
+        providers: ['openai'],
+      })
+      const entry = template.variables.find((e: VariableAssignment) => e.name === 'FRO_BOT_MODEL')
+
+      expect(entry?.value).toBe('openai/gpt-5.4-mini')
+    })
+  })
+
+  describe('dual-provider (anthropic + openai)', () => {
+    it("providers: ['anthropic', 'openai'] → OPENCODE_AUTH_JSON has anthropic-first key order", () => {
+      const template = getHarnessTemplate('opencode', {
+        keyValue: 'sk-dual',
+        providers: ['anthropic', 'openai'],
+        model: 'openai/gpt-5.4-mini',
+      })
+      const authEntry = template.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_AUTH_JSON')
+
+      expect(authEntry?.value).toBe(
+        '{"anthropic":{"type":"api","key":"sk-dual"},"openai":{"type":"api","key":"sk-dual"}}',
+      )
+    })
+
+    it("providers: ['anthropic', 'openai'] → OPENCODE_CONFIG has anthropic-first key order", () => {
+      const template = getHarnessTemplate('opencode', {
+        keyValue: 'sk-dual',
+        providers: ['anthropic', 'openai'],
+        model: 'openai/gpt-5.4-mini',
+      })
+      const configEntry = template.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_CONFIG')
+
+      expect(configEntry?.value).toBe(
+        '{"provider":{"anthropic":{"options":{"baseURL":"https://cliproxy.fro.bot/v1"}},"openai":{"options":{"baseURL":"https://cliproxy.fro.bot/v1"}}}}',
+      )
+    })
+
+    it("providers: ['anthropic', 'openai'] → OMO_PROVIDERS is claude-max20,openai", () => {
+      const template = getHarnessTemplate('opencode', {
+        keyValue: 'sk-dual',
+        providers: ['anthropic', 'openai'],
+        model: 'openai/gpt-5.4-mini',
+      })
+      const entry = template.secrets.find((e: SecretAssignment) => e.name === 'OMO_PROVIDERS')
+
+      expect(entry?.value).toBe('claude-max20,openai')
+    })
+
+    it("providers: ['anthropic', 'openai'] → FRO_BOT_MODEL is the supplied model", () => {
+      const template = getHarnessTemplate('opencode', {
+        keyValue: 'sk-dual',
+        providers: ['anthropic', 'openai'],
+        model: 'openai/gpt-5.4-mini',
+      })
+      const entry = template.variables.find((e: VariableAssignment) => e.name === 'FRO_BOT_MODEL')
+
+      expect(entry?.value).toBe('openai/gpt-5.4-mini')
+    })
+
+    it("providers: ['openai', 'anthropic'] (openai first) → output is still anthropic-first in JSON", () => {
+      const template = getHarnessTemplate('opencode', {
+        keyValue: 'sk-dual',
+        providers: ['openai', 'anthropic'],
+        model: 'openai/gpt-5.4-mini',
+      })
+      const authEntry = template.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_AUTH_JSON')
+
+      expect(authEntry?.value).toBe(
+        '{"anthropic":{"type":"api","key":"sk-dual"},"openai":{"type":"api","key":"sk-dual"}}',
+      )
+    })
+
+    it('multiple providers with no model → throws "model required when multiple providers selected"', () => {
+      expect(() =>
+        getHarnessTemplate('opencode', {
+          keyValue: 'sk-dual',
+          providers: ['anthropic', 'openai'],
+        }),
+      ).toThrow('model required when multiple providers selected')
+    })
+  })
+
+  describe('edge cases', () => {
+    it('keyValue: undefined → auth-json key is sk-placeholder', () => {
+      const template = getHarnessTemplate('opencode', {providers: ['anthropic']})
+      const authEntry = template.secrets.find((e: SecretAssignment) => e.name === 'OPENCODE_AUTH_JSON')
+      const parsed = JSON.parse(authEntry?.value ?? '{}')
+
+      expect(parsed.anthropic.key).toBe('sk-placeholder')
+    })
+
+    it('claude-code harness is unaffected by providers/model args', () => {
+      const template = getHarnessTemplate('claude-code', {keyValue: 'sk-cc'})
+
+      expect(template.secrets).toHaveLength(1)
+      expect(template.secrets[0]?.name).toBe('ANTHROPIC_API_KEY')
+    })
+  })
+})