@marcusrbrown/infra 0.8.0 → 0.9.0

package/src/commands/cliproxy/setup.test.ts

@@ -1,9 +1,10 @@
 /// <reference types="bun" />
 
 import type {SpinnerResult} from '@clack/prompts'
-import {afterEach, describe, expect, it, mock, spyOn} from 'bun:test'
+import type {ProviderId} from './setup/providers'
+import {log} from '@clack/prompts'
+import {afterEach, beforeEach, describe, expect, it, mock, spyOn} from 'bun:test'
 import {goke} from 'goke'
-
 import {
   buildNonInteractivePlan,
   redactKey,
@@ -395,9 +396,9 @@ describe('destructive overwrite UX', () => {
 })
 
 // ── Smoke test runner tests moved to setup/smoke-test.test.ts ─────────────────
-// ── P1 regression tests ───────────────────────────────────────────────────────
+// ── regression tests ────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 
-describe('P1 #1 regression — dry-run early return before mutations', () => {
+describe('dry-run early return before mutations', () => {
   const BASE_URL = 'https://cliproxy.fro.bot'
   const KEY = 'sk-test-key'
 
@@ -444,7 +445,7 @@ describe('P1 #1 regression — dry-run early return before mutations', () => {
   })
 })
 
-describe('P1 #2 regression — --force honored by non-interactive collision gate', () => {
+describe('--force honored by non-interactive collision gate', () => {
   // The collision gate lives in runSetupCommand (not exported), so we test the
   // surrounding logic: buildNonInteractivePlan succeeds with --force, and the
   // collision gate behavior is verified via the error message shape.
@@ -516,7 +517,7 @@ describe('P1 #2 regression — --force honored by non-interactive collision gate
   })
 })
 
-describe('safe_auto #2 regression — /v1/models body Bearer token redaction', () => {
+describe('/v1/models body Bearer token redaction', () => {
   const BASE_URL = 'https://cliproxy.fro.bot'
   const KEY = 'sk-test-key'
 
@@ -577,8 +578,6 @@ describe('safe_auto #2 regression — /v1/models body Bearer token redaction', (
   })
 })
 
-/* eslint-disable @typescript-eslint/no-explicit-any -- spyOn mock return values require `any` casts */
-
 // Fix 3 — dry-run isolation regression tests
 //
 // The action handler in registerCliproxySetup is not exported, so we test the
@@ -607,9 +606,9 @@ describe('cliproxy setup --dry-run is offline-safe (action handler contract)', (
 
   it('dry-run skips gh auth check — Bun.spawn not called during buildNonInteractivePlan', async () => {
     // Spy Bun.spawn to fail hard if called (simulates unauthenticated environment)
-    spawnSpy = spyOn(Bun, 'spawn').mockImplementation((..._args: any[]) => {
+    spawnSpy = spyOn(Bun, 'spawn').mockImplementation(((_cmds: string[]) => {
       throw new Error('gh auth status called during dry-run — should be skipped')
-    })
+    }) as unknown as typeof Bun.spawn)
 
     // Should complete without throwing (dry-run early return in buildNonInteractivePlan)
     const plan = await buildNonInteractivePlan({repo: 'owner/repo', harness: 'opencode', dryRun: true}, BASE_URL)
@@ -678,7 +677,6 @@ describe('cliproxy setup --dry-run is offline-safe (action handler contract)', (
     expect(fetchMock.mock.calls.length).toBeGreaterThan(0)
   })
 })
-/* eslint-enable @typescript-eslint/no-explicit-any */
 
 // ── runSetupCommand DI boundary tests ─────────────────────────────────
 
@@ -1373,14 +1371,7 @@ describe('runSetupCommand action handler', () => {
     ).resolves.toBeUndefined()
   })
 
-  // ── Interactive R8 ack-key-reuse prompt: redaction + cancel/continue ──────────
-  //
-  // Note: full interactive integration tests are limited by the F16 (issue #311) gap —
-  // buildInteractivePlan calls real @clack/prompts.text() for the key-name and harness
-  // prompts that DI doesn't cover yet. We test the redaction contract directly via
-  // the exported redactKey helper, then a unit test confirms the prompt template uses
-  // the redacted form. Interactive cancel/continue paths are exercised under F16 once
-  // RunSetupDeps covers all prompt sites.
+  // ── Interactive key-reuse confirm prompt: redaction + cancel/continue ──────────
 
   it('redactKey: keys >= 12 chars use first-3 + *** + last-4 shape', () => {
     expect(redactKey('sk-PLAINTEXT-LONGKEY')).toBe('sk-***GKEY')
@@ -1400,8 +1391,8 @@ describe('runSetupCommand action handler', () => {
     expect(redacted.length).toBeLessThan(RAW.length)
   })
 
-  it('Interactive R8 prompt template uses redactKey output, never the raw key (source-level contract)', async () => {
-    // Read the setup.ts source and assert the R8 prompt-message template uses ${redactKey(options.key)}
+  it('interactive key-reuse prompt template uses redactKey output, never the raw key (source-level contract)', async () => {
+    // Read the setup.ts source and assert the key-reuse prompt-message template uses ${redactKey(options.key)}
     // and never `${options.key}` raw. This is a source-level guard so a future refactor that
     // accidentally drops the redaction call fails the test even if integration coverage lags.
     const source = await Bun.file(new URL('./setup.ts', import.meta.url).pathname).text()
@@ -1412,25 +1403,21 @@ describe('runSetupCommand action handler', () => {
     expect(promptContext).not.toMatch(/--key \$\{options\.key\}/)
   })
 
-  // The two interactive R8 integration tests below are skipped pending F16 (issue #311):
-  // RunSetupDeps must cover the buildInteractivePlan prompt sites before the interactive
-  // path can be exercised end-to-end with deps mocks alone.
-
-  it.skip('Interactive R8: confirm prompt fires with redacted key (not raw token)', async () => {
+  it('interactive key-reuse confirm shows a redacted key, never the raw token', async () => {
     const {ctx} = makeCtx()
     const PLAINTEXT_KEY = 'sk-PLAINTEXT-LONGKEY-SHOULD-NOT-LEAK'
     const MODELS_FIXTURE = {data: [{id: 'gpt-5.4-mini', owned_by: 'openai'}]}
     const originalFetch = globalThis.fetch
     globalThis.fetch = mock(async () => new Response(JSON.stringify(MODELS_FIXTURE))) as unknown as typeof fetch
 
-    let confirmMessage = ''
+    const confirmMessages: string[] = []
     const captureConfirm = (opts: {message: string}): Promise<boolean | symbol> => {
-      confirmMessage = opts.message
+      confirmMessages.push(opts.message)
       return Promise.resolve(true)
     }
 
     // Interactive mode resolves promptValue to the awaited prompt result. Our captureConfirm
-    // returns true, so the wizard proceeds past the R8 gate. We assert on the captured message.
+    // returns true, so the wizard proceeds past the key-reuse gate. We assert on the captured message.
     const interactivePromptValue = async <T>(prompt: Promise<T | symbol>): Promise<T> => {
       const result = await prompt
       return result as T
@@ -1466,6 +1453,8 @@ describe('runSetupCommand action handler', () => {
             intro: () => {},
             note: () => {},
             outro: () => {},
+            promptForProviders: (): Promise<ProviderId[]> => Promise.resolve(['openai']),
+            promptForModel: (_providers: ProviderId[]): Promise<string> => Promise.resolve('openai/gpt-5.4-mini'),
           },
           smoke: {runSmokeTest: async () => ({kind: 'pass', message: 'ok', runUrl: 'https://example.com/run/1'})},
           validation: {
@@ -1479,18 +1468,19 @@ describe('runSetupCommand action handler', () => {
       globalThis.fetch = originalFetch
     }
 
-    // The R8 confirm prompt must be the one captured (interactive flow has more than one confirm
-    // in some paths; we look for the one containing the verify-bearer language).
-    expect(confirmMessage).toContain('Verify it matches the bearer token')
+    // The key-reuse confirm prompt must appear among the captured confirms (interactive flow
+    // has more than one confirm in some paths; we find the one with the verify-bearer language).
+    const keyReuseMessage = confirmMessages.find(m => m.includes('Verify it matches the bearer token'))
+    expect(keyReuseMessage).toBeDefined()
     // The raw key must NEVER appear in the prompt text — security regression guard.
-    expect(confirmMessage).not.toContain(PLAINTEXT_KEY)
+    expect(keyReuseMessage).not.toContain(PLAINTEXT_KEY)
     // Redacted form must be present (first 3 + last 4 chars per redactKey helper).
-    expect(confirmMessage).toContain('sk-')
-    expect(confirmMessage).toContain('***')
-    expect(confirmMessage).toContain('LEAK')
+    expect(keyReuseMessage).toContain('sk-')
+    expect(keyReuseMessage).toContain('***')
+    expect(keyReuseMessage).toContain('LEAK')
   })
 
-  it.skip('Interactive R8: confirm returns false → cancelAndExit invoked, applyGhValue never called', async () => {
+  it('interactive key-reuse confirm returning false cancels before any GitHub write', async () => {
     const {ctx} = makeCtx()
     const MODELS_FIXTURE = {data: [{id: 'gpt-5.4-mini', owned_by: 'openai'}]}
     const originalFetch = globalThis.fetch
@@ -1499,6 +1489,17 @@ describe('runSetupCommand action handler', () => {
     let applyGhValueCalled = false
     let exitCode: number | undefined
 
+    // The interactive flow shows a generic "Proceed?" confirm BEFORE the key-reuse
+    // gate. Approve the generic prompt so the run actually reaches the key-reuse
+    // confirm, then reject only that one — otherwise the test would cancel at the
+    // first prompt and never exercise the gate it claims to cover.
+    const confirmMessages: string[] = []
+    const messageAwareConfirm = (opts: {message: string}): Promise<boolean | symbol> => {
+      confirmMessages.push(opts.message)
+      const isKeyReusePrompt = opts.message.includes('Verify it matches the bearer token')
+      return Promise.resolve(!isKeyReusePrompt)
+    }
+
     const interactivePromptValue = async <T>(prompt: Promise<T | symbol>): Promise<T> => {
       const result = await prompt
       return result as T
@@ -1540,11 +1541,13 @@ describe('runSetupCommand action handler', () => {
           },
           prompts: {
             promptValue: interactivePromptValue,
-            // User rejects the R8 confirmation → cancelAndExit fires.
-            confirm: () => Promise.resolve(false) as Promise<boolean | symbol>,
+            // Approve the generic proceed confirm, reject only the key-reuse confirm.
+            confirm: messageAwareConfirm,
             intro: () => {},
             note: () => {},
             outro: () => {},
+            promptForProviders: (): Promise<ProviderId[]> => Promise.resolve(['openai']),
+            promptForModel: (_providers: ProviderId[]): Promise<string> => Promise.resolve('openai/gpt-5.4-mini'),
           },
           smoke: {runSmokeTest: async () => ({kind: 'pass', message: 'ok', runUrl: 'https://example.com/run/1'})},
           validation: {
@@ -1555,7 +1558,7 @@ describe('runSetupCommand action handler', () => {
         },
       )
       // If we get here, cancelAndExit didn't fire. Fail the test.
-      throw new Error('expected cancelAndExit to fire on R8 reject')
+      throw new Error('expected cancelAndExit to fire on key-reuse reject')
     } catch (error) {
       // cancelAndExit throws because we stubbed process.exit to throw.
       expect(error instanceof Error && error.message).toBe('process.exit-stubbed')
@@ -1564,6 +1567,9 @@ describe('runSetupCommand action handler', () => {
       globalThis.fetch = originalFetch
     }
 
+    // Guard against a vacuous pass: the run must have actually reached the
+    // key-reuse confirm, not cancelled at the earlier generic proceed prompt.
+    expect(confirmMessages.some(m => m.includes('Verify it matches the bearer token'))).toBe(true)
     expect(exitCode).toBe(0)
     expect(applyGhValueCalled).toBe(false)
   })
@@ -1802,9 +1808,9 @@ describe('runSetupCommand action handler', () => {
     expect(deleteCalledWith).toBeDefined()
   })
 
-  // ── F5: --dry-run with no --repo/--harness ─────────────────────────────────
+  // ── --dry-run with no --repo/--harness ─────────────────────────────────
 
-  it('F5: --dry-run with no --repo/--harness prints preview and does not throw', async () => {
+  it('--dry-run with no --repo/--harness prints preview and does not throw', async () => {
     const {ctx, logs} = makeCtx()
     await runSetupCommand({dryRun: true}, {ctx})
     const output = logs.map(args => args.join(' ')).join('\n')
@@ -1812,7 +1818,7 @@ describe('runSetupCommand action handler', () => {
     expect(output).toContain('No mutations will be performed.')
   })
 
-  it('F5: --dry-run does not call assertGhInstalled even with no flags', async () => {
+  it('--dry-run does not call assertGhInstalled even with no flags', async () => {
     const {ctx} = makeCtx()
     let ghCalled = false
     await runSetupCommand(
@@ -1836,9 +1842,9 @@ describe('runSetupCommand action handler', () => {
     expect(ghCalled).toBe(false)
   })
 
-  // ── F8: Rollback event-order assertions ────────────────────────────────────
+  // ── Rollback event-order assertions ────────────────────────────────────
 
-  it('F8: applyGhValue fails → deleteManagementApiKey called BEFORE error propagates (event order)', async () => {
+  it('applyGhValue fails → deleteManagementApiKey called BEFORE error propagates (event order)', async () => {
     const {ctx} = makeCtx()
     const events: string[] = []
 
@@ -1887,7 +1893,7 @@ describe('runSetupCommand action handler', () => {
     expect(events).toEqual(['create', 'apply-fail', 'delete'])
   })
 
-  it('F8: assertProxyKeyWorks fails → deleteManagementApiKey called BEFORE error propagates (event order)', async () => {
+  it('assertProxyKeyWorks fails → deleteManagementApiKey called BEFORE error propagates (event order)', async () => {
     const {ctx} = makeCtx()
     const events: string[] = []
 
@@ -1938,9 +1944,9 @@ describe('runSetupCommand action handler', () => {
     expect(events).toEqual(['create', 'apply-success', 'verify-fail', 'delete'])
   })
 
-  // ── F9: --force pre-gate fires before verifyModelsAvailable ────────────────
+  // ── --force pre-gate fires before verifyModelsAvailable ────────────────
 
-  it('F9: missing --force on provider change does not call fetch (verifyModelsAvailable skipped)', async () => {
+  it('missing --force on provider change does not call fetch (verifyModelsAvailable skipped)', async () => {
     let fetchCalled = false
     const originalFetch = globalThis.fetch
     globalThis.fetch = mock(async () => {
@@ -1959,3 +1965,403 @@ describe('runSetupCommand action handler', () => {
     expect(fetchCalled).toBe(false)
   })
 })
+
+// ── post-write readback verification ──────────────────────────────────────────
+
+describe('post-write readback verification', () => {
+  const BASE_URL = 'https://cliproxy.fro.bot'
+  const KEY = 'sk-test-key'
+
+  // Capture log.warn calls from @clack/prompts
+  let warnSpy: ReturnType<typeof spyOn>
+  let warnMessages: string[]
+
+  // Standard DI deps for a successful non-interactive setup run.
+  // listExistingGhNames is overridden per-test to control readback behavior.
+  function makeDeps(
+    listExistingGhNames: (repo: string, kind: 'secret' | 'variable') => Promise<string[]>,
+    deleteManagementApiKey?: () => Promise<void>,
+  ) {
+    const {ctx} = makeCtx()
+    return {
+      ctx,
+      deps: {
+        interactive: false,
+        baseUrl: BASE_URL,
+        ctx,
+        gh: {
+          assertGhInstalled: async () => {},
+          assertGhAuthenticated: async () => {},
+          assertRepoAccess: async () => {},
+          listExistingGhNames,
+          createManagementApiKey: async () => {},
+          deleteManagementApiKey: deleteManagementApiKey ?? (async () => {}),
+          applyGhValue: async () => {},
+          withGhRetry: async (_label, fn) => fn(makeSpinner()),
+        },
+        prompts: {
+          promptValue: autoPromptValue,
+          confirm: () => Promise.resolve(true) as Promise<boolean | symbol>,
+          intro: () => {},
+          note: () => {},
+          outro: () => {},
+        },
+        smoke: {
+          runSmokeTest: async () => ({kind: 'pass' as const, message: 'ok', runUrl: 'https://example.com/run/1'}),
+        },
+        validation: {
+          assertProxyReachable: async () => {},
+          assertProxyKeyWorks: async () => {},
+          verifyModelsAvailable: async () => {},
+        },
+      } satisfies Parameters<typeof runSetupCommand>[1],
+    }
+  }
+
+  // Standard options for a non-interactive anthropic-only setup (no --force needed)
+  const baseOptions = {
+    key: KEY,
+    repo: 'owner/repo',
+    harness: 'opencode' as const,
+  }
+
+  beforeEach(() => {
+    warnMessages = []
+    warnSpy = spyOn(log, 'warn').mockImplementation((msg: string) => {
+      warnMessages.push(msg)
+    })
+  })
+
+  afterEach(() => {
+    warnSpy.mockRestore()
+  })
+
+  it('happy path: readback returns all written names → no new warning emitted', async () => {
+    // Pre-write list is empty; post-write readback returns all written names
+    // The opencode harness writes: OPENCODE_AUTH_JSON, OPENCODE_CONFIG, OMO_PROVIDERS (secrets)
+    // and FRO_BOT_MODEL (variable)
+    let callCount = 0
+    const {deps} = makeDeps(async (_repo, kind) => {
+      callCount++
+      if (callCount <= 2) {
+        // Pre-write calls: return empty (fresh repo)
+        return []
+      }
+      // Post-write readback: return all written names
+      if (kind === 'secret') return ['OPENCODE_AUTH_JSON', 'OPENCODE_CONFIG', 'OMO_PROVIDERS']
+      return ['FRO_BOT_MODEL']
+    })
+
+    await runSetupCommand(baseOptions, deps)
+
+    // No verified-mismatch or cannot-verify warning should have been emitted
+    const readbackWarnings = warnMessages.filter(
+      m => m.includes('not visible') || m.includes('could not verify') || m.includes('may have been bypassed'),
+    )
+    expect(readbackWarnings).toHaveLength(0)
+  })
+
+  it('verified mismatch (secret): readback succeeds but written secret absent → loud warning naming absent secret', async () => {
+    // Pre-write: empty. Post-write secret readback: missing OPENCODE_AUTH_JSON
+    let callCount = 0
+    const {deps} = makeDeps(async (_repo, kind) => {
+      callCount++
+      if (callCount <= 2) return []
+      // Post-write: secret readback missing OPENCODE_AUTH_JSON
+      if (kind === 'secret') return ['OPENCODE_CONFIG', 'OMO_PROVIDERS']
+      return ['FRO_BOT_MODEL']
+    })
+
+    await runSetupCommand(baseOptions, deps)
+
+    const mismatchWarnings = warnMessages.filter(m => m.includes('may have been bypassed'))
+    expect(mismatchWarnings.length).toBeGreaterThan(0)
+    // Must name the absent secret
+    expect(mismatchWarnings.some(m => m.includes('OPENCODE_AUTH_JSON'))).toBe(true)
+    // Must direct operator to manual verification
+    expect(mismatchWarnings.some(m => m.includes('gh secret list'))).toBe(true)
+  })
+
+  it('verified mismatch (variable): secret readback complete but variable absent → warning lists absent variable', async () => {
+    // Pre-write: empty. Post-write: all secrets present, but FRO_BOT_MODEL missing from variables
+    let callCount = 0
+    const {deps} = makeDeps(async (_repo, kind) => {
+      callCount++
+      if (callCount <= 2) return []
+      if (kind === 'secret') return ['OPENCODE_AUTH_JSON', 'OPENCODE_CONFIG', 'OMO_PROVIDERS']
+      // Variable readback missing FRO_BOT_MODEL
+      return []
+    })
+
+    await runSetupCommand(baseOptions, deps)
+
+    const mismatchWarnings = warnMessages.filter(m => m.includes('may have been bypassed'))
+    expect(mismatchWarnings.length).toBeGreaterThan(0)
+    expect(mismatchWarnings.some(m => m.includes('FRO_BOT_MODEL'))).toBe(true)
+    expect(mismatchWarnings.some(m => m.includes('gh variable list'))).toBe(true)
+  })
+
+  it('partial visibility: readback shows some but not all written names → warning lists exactly the absent names', async () => {
+    // Post-write: OPENCODE_CONFIG and OMO_PROVIDERS present, OPENCODE_AUTH_JSON absent
+    let callCount = 0
+    const {deps} = makeDeps(async (_repo, kind) => {
+      callCount++
+      if (callCount <= 2) return []
+      if (kind === 'secret') return ['OPENCODE_CONFIG', 'OMO_PROVIDERS'] // OPENCODE_AUTH_JSON absent
+      return ['FRO_BOT_MODEL']
+    })
+
+    await runSetupCommand(baseOptions, deps)
+
+    const mismatchWarnings = warnMessages.filter(m => m.includes('may have been bypassed'))
+    expect(mismatchWarnings.length).toBeGreaterThan(0)
+    // Must name OPENCODE_AUTH_JSON (absent)
+    expect(mismatchWarnings.some(m => m.includes('OPENCODE_AUTH_JSON'))).toBe(true)
+    // Must NOT name OPENCODE_CONFIG or OMO_PROVIDERS (they ARE present)
+    expect(mismatchWarnings.some(m => m.includes('OPENCODE_CONFIG'))).toBe(false)
+    expect(mismatchWarnings.some(m => m.includes('OMO_PROVIDERS'))).toBe(false)
+  })
+
+  it('cannot verify: listExistingGhNames throws on post-write call → softer warning, command does NOT throw, rollback NOT fired', async () => {
+    let deleteCalledWith: string | undefined
+    let callCount = 0
+
+    const {deps} = makeDeps(
+      async (_repo, _kind) => {
+        callCount++
+        if (callCount <= 2) return [] // Pre-write calls succeed
+        // Post-write readback throws
+        throw new Error('gh: command failed')
+      },
+      async () => {
+        deleteCalledWith = 'called'
+      },
+    )
+
+    // Command must NOT throw
+    await expect(runSetupCommand(baseOptions, deps)).resolves.toBeUndefined()
+
+    // Must emit the cannot-verify warning (softer wording)
+    const cannotVerifyWarnings = warnMessages.filter(m => m.includes('could not verify'))
+    expect(cannotVerifyWarnings.length).toBeGreaterThan(0)
+
+    // Must NOT emit the verified-mismatch warning
+    const mismatchWarnings = warnMessages.filter(m => m.includes('may have been bypassed'))
+    expect(mismatchWarnings).toHaveLength(0)
+
+    // Rollback must NOT have fired (key was not created by this run since --key was supplied)
+    expect(deleteCalledWith).toBeUndefined()
+  })
+
+  it('createKey:true path — post-write readback throws → command resolves, key created, rollback suppressed', async () => {
+    // This test drives the createKey:true path (no --key supplied, wizard mints a key).
+    // The post-write readback throws after the key is created and secrets are written.
+    // Asserts: (1) createManagementApiKey WAS called, (2) command resolves, (3) deleteManagementApiKey NOT called.
+    const {ctx} = makeCtx()
+
+    let createCalled = false
+    let deleteCalled = false
+    let listCallCount = 0
+
+    await runSetupCommand(
+      {
+        // No --key → createKey=true
+        repo: 'owner/repo',
+        harness: 'claude-code',
+        force: true,
+      },
+      {
+        interactive: true,
+        baseUrl: BASE_URL,
+        ctx,
+        resolveManagementKey: () => 'mgmt-test-key',
+        gh: {
+          assertGhInstalled: async () => {},
+          assertGhAuthenticated: async () => {},
+          assertRepoAccess: async () => {},
+          listExistingGhNames: async (_repo, _kind) => {
+            listCallCount++
+            if (listCallCount <= 2) return [] // Pre-write calls succeed (empty repo)
+            // Post-write readback throws
+            throw new Error('gh: post-write readback failed')
+          },
+          createManagementApiKey: async () => {
+            createCalled = true
+          },
+          deleteManagementApiKey: async () => {
+            deleteCalled = true
+          },
+          applyGhValue: async () => {},
+          withGhRetry: async (_label, fn) => fn(makeSpinner()),
+        },
+        prompts: {
+          promptValue: autoPromptValue,
+          confirm: () => Promise.resolve(true) as Promise<boolean | symbol>,
+          intro: () => {},
+          note: () => {},
+          outro: () => {},
+        },
+        smoke: {
+          runSmokeTest: async () => ({kind: 'pass' as const, message: 'ok', runUrl: 'https://example.com/run/1'}),
+        },
+        validation: {
+          assertProxyReachable: async () => {},
+          assertProxyKeyWorks: async () => {},
+          verifyModelsAvailable: async () => {},
+        },
+      },
+    )
+
+    // Key was created this run
+    expect(createCalled).toBe(true)
+    // Command resolved (did not throw)
+    // (implicit — if it threw, the test would fail above)
+    // Rollback must NOT have fired — post-write readback failure must not trigger key deletion
+    expect(deleteCalled).toBe(false)
+  })
+
+  it('whole-block guard: throw during diff/warning path → command does NOT throw, rollback NOT fired', async () => {
+    // Simulate a throw that occurs after the gh calls succeed but during processing.
+    // We do this by making the post-write secret readback return a value that causes
+    // an error in the diff computation — specifically, we inject a non-iterable value
+    // by making listExistingGhNames return a Proxy that throws on iteration.
+    let deleteCalledWith: string | undefined
+    let callCount = 0
+
+    const {deps} = makeDeps(
+      async (_repo, _kind) => {
+        callCount++
+        if (callCount <= 2) return []
+        // Return a value that will cause an error during set-difference computation:
+        // a Proxy that throws when iterated
+        const throwingArray = new Proxy([] as string[], {
+          get(target, prop) {
+            if (prop === 'includes' || prop === Symbol.iterator || prop === 'forEach') {
+              throw new Error('injected-diff-error')
+            }
+            return Reflect.get(target, prop)
+          },
+        })
+        return throwingArray
+      },
+      async () => {
+        deleteCalledWith = 'called'
+      },
+    )
+
+    // Command must NOT throw
+    await expect(runSetupCommand(baseOptions, deps)).resolves.toBeUndefined()
+
+    // Rollback must NOT have fired
+    expect(deleteCalledWith).toBeUndefined()
+  })
+
+  it('existing secret + ack-key-reuse: readback shows all names → no new warning', async () => {
+    // Pre-write: OPENCODE_AUTH_JSON already exists (triggers ack-key-reuse path)
+    // Post-write readback: all names present
+    let callCount = 0
+    const {deps} = makeDeps(async (_repo, kind) => {
+      callCount++
+      if (callCount <= 2) {
+        // Pre-write: OPENCODE_AUTH_JSON exists
+        if (kind === 'secret') return ['OPENCODE_AUTH_JSON']
+        return []
+      }
+      // Post-write readback: all names present
+      if (kind === 'secret') return ['OPENCODE_AUTH_JSON', 'OPENCODE_CONFIG', 'OMO_PROVIDERS']
+      return ['FRO_BOT_MODEL']
+    })
+
+    await runSetupCommand({...baseOptions, ackKeyReuse: true, force: true}, deps)
+
+    const readbackWarnings = warnMessages.filter(
+      m => m.includes('not visible') || m.includes('could not verify') || m.includes('may have been bypassed'),
+    )
+    expect(readbackWarnings).toHaveLength(0)
+  })
+})
+
+// ── concurrency caveat on the non-interactive overwrite warning ─────────────────
+
+describe('non-interactive overwrite warning concurrency caveat', () => {
+  const BASE_URL = 'https://cliproxy.fro.bot'
+  const KEY = 'sk-test-key'
+
+  let warnSpy: ReturnType<typeof spyOn>
+  let warnMessages: string[]
+
+  function makeDeps(listExistingGhNames: (repo: string, kind: 'secret' | 'variable') => Promise<string[]>) {
+    const {ctx} = makeCtx()
+    return {
+      interactive: false,
+      baseUrl: BASE_URL,
+      ctx,
+      gh: {
+        assertGhInstalled: async () => {},
+        assertGhAuthenticated: async () => {},
+        assertRepoAccess: async () => {},
+        listExistingGhNames,
+        createManagementApiKey: async () => {},
+        deleteManagementApiKey: async () => {},
+        applyGhValue: async () => {},
+        withGhRetry: async (_label, fn) => fn(makeSpinner()),
+      },
+      prompts: {
+        promptValue: autoPromptValue,
+        confirm: () => Promise.resolve(true) as Promise<boolean | symbol>,
+        intro: () => {},
+        note: () => {},
+        outro: () => {},
+      },
+      smoke: {
+        runSmokeTest: async () => ({kind: 'pass' as const, message: 'ok', runUrl: 'https://example.com/run/1'}),
+      },
+      validation: {
+        assertProxyReachable: async () => {},
+        assertProxyKeyWorks: async () => {},
+        verifyModelsAvailable: async () => {},
+      },
+    } satisfies Parameters<typeof runSetupCommand>[1]
+  }
+
+  beforeEach(() => {
+    warnMessages = []
+    warnSpy = spyOn(log, 'warn').mockImplementation((msg: string) => {
+      warnMessages.push(msg)
+    })
+  })
+
+  afterEach(() => {
+    warnSpy.mockRestore()
+  })
+
+  it('--force overwrite with a collision present → warning carries the last-write-wins concurrency caveat', async () => {
+    // OPENCODE_AUTH_JSON already exists → collision on the opencode secret set → overwrite warning fires.
+    const deps = makeDeps(async (_repo, kind) => {
+      if (kind === 'secret') return ['OPENCODE_AUTH_JSON', 'OPENCODE_CONFIG', 'OMO_PROVIDERS']
+      return ['FRO_BOT_MODEL']
+    })
+
+    await runSetupCommand({key: KEY, repo: 'owner/repo', harness: 'opencode', ackKeyReuse: true, force: true}, deps)
+
+    const overwriteWarnings = warnMessages.filter(m => m.includes('Overwriting existing GitHub values'))
+    expect(overwriteWarnings.length).toBeGreaterThan(0)
+    expect(overwriteWarnings.some(m => m.includes('last-write-wins'))).toBe(true)
+    expect(overwriteWarnings.some(m => m.includes('two places at once'))).toBe(true)
+  })
+
+  it('--force with no collision → no overwrite warning, so no concurrency caveat (fresh-run race has no signal)', async () => {
+    // Fresh repo: empty pre-write list → no collision → overwrite warning never fires.
+    // This documents that the concurrency caveat does NOT cover the fresh-run race.
+    const deps = makeDeps(async (_repo, kind) => {
+      // Pre-write empty; post-write readback returns all written names (no readback warning either).
+      if (kind === 'secret') return []
+      return []
+    })
+
+    await runSetupCommand({key: KEY, repo: 'owner/repo', harness: 'opencode', force: true}, deps)
+
+    const concurrencyWarnings = warnMessages.filter(m => m.includes('last-write-wins'))
+    expect(concurrencyWarnings).toHaveLength(0)
+  })
+})