@openpalm/lib 0.10.2 → 0.11.0-beta.2

package/src/control-plane/secret-backend.test.ts

@@ -1,5 +1,5 @@
 import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
-import { lstatSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import { appendFileSync, lstatSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import {
@@ -8,39 +8,35 @@ import {
   ensureSecrets,
   validatePassEntryName,
 } from '../index.js';
-import { PlaintextBackend, PassBackend } from './secret-backend.js';
-import { generateRedactSchema } from './redact-schema.js';
-import { getCoreSecretMappings } from './secret-mappings.js';
 import { writeSecretProviderConfig } from './provider-config.js';
+import { akmUserVaultPathSync } from './akm-vault.js';
+import { dirname } from 'node:path';
 
 let rootDir = '';
 
 function createState(): ControlPlaneState {
-  const vaultDir = join(rootDir, 'vault');
-  const dataDir = join(rootDir, 'data');
+  const stateDir = join(rootDir, 'state');
   const configDir = join(rootDir, 'config');
-  const logsDir = join(rootDir, 'logs');
+  const stackDir = join(configDir, 'stack');
   const cacheDir = join(rootDir, 'cache');
-  mkdirSync(vaultDir, { recursive: true });
-  mkdirSync(dataDir, { recursive: true });
+  mkdirSync(stateDir, { recursive: true });
+  mkdirSync(stackDir, { recursive: true });
   mkdirSync(configDir, { recursive: true });
-  mkdirSync(logsDir, { recursive: true });
+  mkdirSync(join(rootDir, 'stash'), { recursive: true });
+  mkdirSync(join(rootDir, 'workspace'), { recursive: true });
   mkdirSync(cacheDir, { recursive: true });
 
   return {
-    adminToken: 'admin-token',
-    assistantToken: '',
-    setupToken: 'setup-token',
     homeDir: rootDir,
     configDir,
-    vaultDir,
-    dataDir,
-    logsDir,
+    stashDir: join(rootDir, 'stash'),
+    workspaceDir: join(rootDir, 'workspace'),
     cacheDir,
+    stateDir,
+    stackDir,
     services: {},
     artifacts: { compose: '' },
     artifactMeta: [],
-    audit: [],
   };
 }
 
@@ -55,11 +51,11 @@ afterEach(() => {
 describe('secret backend', () => {
   test('ensureSecrets repairs auth.json when Docker created it as a directory', () => {
     const state = createState();
-    mkdirSync(join(state.vaultDir, 'stack', 'auth.json'), { recursive: true });
+    mkdirSync(join(state.configDir, "auth.json"), { recursive: true });
 
     ensureSecrets(state);
 
-    const authJsonPath = join(state.vaultDir, 'stack', 'auth.json');
+    const authJsonPath = join(state.configDir, "auth.json");
     expect(lstatSync(authJsonPath).isFile()).toBe(true);
     expect(readFileSync(authJsonPath, 'utf-8')).toBe('{}\n');
   });
@@ -70,6 +66,9 @@ describe('secret backend', () => {
     const backend = detectSecretBackend(state);
 
     expect(backend.provider).toBe('plaintext');
+    expect(backend.capabilities.generate).toBe(true);
+    expect(backend.capabilities.remove).toBe(true);
+    expect(backend.capabilities.rename).toBe(false);
 
     const entry = await backend.write('openpalm/custom/example', 'very-secret');
     expect(entry.provider).toBe('plaintext');
@@ -77,7 +76,7 @@ describe('secret backend', () => {
     expect(await backend.exists('openpalm/custom/example')).toBe(true);
 
     // Custom secrets are now written to stack.env (all secrets consolidated there)
-    const stackEnv = readFileSync(join(state.vaultDir, 'stack', 'stack.env'), 'utf-8');
+    const stackEnv = readFileSync(join(state.stackDir, "stack.env"), 'utf-8');
     expect(stackEnv).toContain('very-secret');
   });
 
@@ -109,11 +108,11 @@ describe('secret backend', () => {
   });
 });
 
-describe('PlaintextBackend', () => {
+describe('plaintext backend (via detectSecretBackend)', () => {
   test('remove clears value for non-core secrets', async () => {
     const state = createState();
     ensureSecrets(state);
-    const backend = new PlaintextBackend(state);
+    const backend = detectSecretBackend(state);
 
     await backend.write('openpalm/custom/temp', 'temp-value');
     expect(await backend.exists('openpalm/custom/temp')).toBe(true);
@@ -132,7 +131,7 @@ describe('PlaintextBackend', () => {
   test('remove clears value but keeps index for core secrets', async () => {
     const state = createState();
     ensureSecrets(state);
-    const backend = new PlaintextBackend(state);
+    const backend = detectSecretBackend(state);
 
     // Write a core secret
     await backend.write('openpalm/admin-token', 'my-token');
@@ -150,7 +149,7 @@ describe('PlaintextBackend', () => {
   test('list includes both core and indexed entries', async () => {
     const state = createState();
     ensureSecrets(state);
-    const backend = new PlaintextBackend(state);
+    const backend = detectSecretBackend(state);
 
     await backend.write('openpalm/custom/my-key', 'value');
 
@@ -166,16 +165,71 @@ describe('PlaintextBackend', () => {
   test('generate creates a secret with random value', async () => {
     const state = createState();
     ensureSecrets(state);
-    const backend = new PlaintextBackend(state);
+    const backend = detectSecretBackend(state);
 
     const entry = await backend.generate('openpalm/custom/generated', 64);
     expect(entry.present).toBe(true);
     expect(await backend.exists('openpalm/custom/generated')).toBe(true);
   });
+
+  test('user-scope reads from akm vault, system-scope reads from stack.env', async () => {
+    // Regression test: user scope must consult the akm vault file, system scope
+    // must consult state/stack.env. When both files define the same key with
+    // different values, the two scopes must return their own file's value.
+    const state = createState();
+    ensureSecrets(state);
+    const backend = detectSecretBackend(state);
+
+    // Seed the akm vault file with a user-scope value.
+    const akmPath = akmUserVaultPathSync(state);
+    mkdirSync(dirname(akmPath), { recursive: true });
+    writeFileSync(akmPath, 'OPENAI_API_KEY=akm-vault-openai\n');
+
+    // Stack.env already exists from ensureSecrets — seed the system password.
+    const stackEnvPath = join(state.stackDir, "stack.env");
+    const stackContent = readFileSync(stackEnvPath, 'utf-8')
+      .replace(/^OP_UI_LOGIN_PASSWORD=.*$/m, 'OP_UI_LOGIN_PASSWORD=stack-login-password');
+    writeFileSync(stackEnvPath, stackContent);
+
+    // System scope reads stack.env exclusively.
+    expect(await backend.exists('openpalm/ui-login-password')).toBe(true);
+    const systemEntries = await backend.list('openpalm/ui-login-password');
+    expect(systemEntries.find((e) => e.key === 'openpalm/ui-login-password')?.present).toBe(true);
+
+    // User scope reads akm vault file.
+    const userEntries = await backend.list('openpalm/openai/');
+    const openai = userEntries.find((e) => e.key === 'openpalm/openai/api-key');
+    expect(openai).toBeDefined();
+    expect(openai?.scope).toBe('user');
+    expect(openai?.present).toBe(true);
+  });
+
+  test('list/exists resolve user-scope secrets from akm vault', async () => {
+    // The backend MUST resolve user-managed secrets through the akm vault file
+    // (stash/vaults/user.env), not from any legacy path.
+    const state = createState();
+    ensureSecrets(state);
+    const backend = detectSecretBackend(state);
+
+    // Place the secret in the akm vault file.
+    const akmPath = akmUserVaultPathSync(state);
+    mkdirSync(dirname(akmPath), { recursive: true });
+    writeFileSync(akmPath, 'OPENAI_API_KEY=migrated-akm-value\n');
+
+    // exists() must report the user-scope secret as present.
+    expect(await backend.exists('openpalm/openai/api-key')).toBe(true);
+
+    // list() must enumerate it with present: true.
+    const entries = await backend.list('openpalm/openai/');
+    const openai = entries.find((e) => e.key === 'openpalm/openai/api-key');
+    expect(openai).toBeDefined();
+    expect(openai?.scope).toBe('user');
+    expect(openai?.present).toBe(true);
+  });
 });
 
-describe('PassBackend', () => {
-  test('constructor reads passPrefix from provider config', () => {
+describe('pass backend (via detectSecretBackend)', () => {
+  test('reports pass provider when configured', () => {
     const state = createState();
     writeSecretProviderConfig(state, {
       provider: 'pass',
@@ -183,40 +237,42 @@ describe('PassBackend', () => {
       passPrefix: 'myprefix',
     });
 
-    const backend = new PassBackend(state);
+    const backend = detectSecretBackend(state);
     expect(backend.provider).toBe('pass');
-    // Verify it doesn't throw with valid config
     expect(backend.capabilities.generate).toBe(true);
   });
 
-  test('constructor uses default store dir when no config', () => {
+  test('uses default store dir when no config', () => {
     const state = createState();
-    const backend = new PassBackend(state);
+    writeSecretProviderConfig(state, { provider: 'pass' });
+    const backend = detectSecretBackend(state);
     expect(backend.provider).toBe('pass');
   });
 
   test('exists returns false for non-existent entries', async () => {
     const state = createState();
-    const storeDir = join(rootDir, 'data', 'secrets', 'pass-store');
+    const storeDir = join(rootDir, 'state', 'secrets', 'pass-store');
     mkdirSync(storeDir, { recursive: true });
+    writeSecretProviderConfig(state, { provider: 'pass', passwordStoreDir: storeDir });
 
-    const backend = new PassBackend(state);
+    const backend = detectSecretBackend(state);
     expect(await backend.exists('openpalm/nonexistent')).toBe(false);
   });
 
   test('list returns empty array for empty store', async () => {
     const state = createState();
-    const storeDir = join(rootDir, 'data', 'secrets', 'pass-store');
+    const storeDir = join(rootDir, 'state', 'secrets', 'pass-store');
     mkdirSync(storeDir, { recursive: true });
+    writeSecretProviderConfig(state, { provider: 'pass', passwordStoreDir: storeDir });
 
-    const backend = new PassBackend(state);
+    const backend = detectSecretBackend(state);
     const entries = await backend.list();
     expect(entries).toEqual([]);
   });
 
   test('list scopes to passPrefix subdirectory', async () => {
     const state = createState();
-    const storeDir = join(rootDir, 'data', 'secrets', 'pass-store');
+    const storeDir = join(rootDir, 'state', 'secrets', 'pass-store');
 
     // Create fake .gpg files under the prefix subdirectory
     const prefixDir = join(storeDir, 'myprefix', 'openpalm');
@@ -234,7 +290,7 @@ describe('PassBackend', () => {
       passPrefix: 'myprefix',
     });
 
-    const backend = new PassBackend(state);
+    const backend = detectSecretBackend(state);
     const entries = await backend.list();
 
     expect(entries).toHaveLength(2);
@@ -245,7 +301,7 @@ describe('PassBackend', () => {
 
   test('exists checks prefixed path in store', async () => {
     const state = createState();
-    const storeDir = join(rootDir, 'data', 'secrets', 'pass-store');
+    const storeDir = join(rootDir, 'state', 'secrets', 'pass-store');
     const prefixDir = join(storeDir, 'myprefix');
     mkdirSync(join(prefixDir, 'openpalm'), { recursive: true });
     writeFileSync(join(prefixDir, 'openpalm', 'admin-token.gpg'), 'fake');
@@ -256,21 +312,20 @@ describe('PassBackend', () => {
       passPrefix: 'myprefix',
     });
 
-    const backend = new PassBackend(state);
+    const backend = detectSecretBackend(state);
     expect(await backend.exists('openpalm/admin-token')).toBe(true);
     expect(await backend.exists('openpalm/nonexistent')).toBe(false);
   });
 });
 
 describe('detectSecretBackend', () => {
-  test('returns PlaintextBackend by default', () => {
+  test('returns plaintext provider by default', () => {
     const state = createState();
     const backend = detectSecretBackend(state);
     expect(backend.provider).toBe('plaintext');
-    expect(backend).toBeInstanceOf(PlaintextBackend);
   });
 
-  test('returns PassBackend when provider.json has provider: pass', () => {
+  test('returns pass provider when provider.json has provider: pass', () => {
     const state = createState();
     writeSecretProviderConfig(state, {
       provider: 'pass',
@@ -279,81 +334,13 @@ describe('detectSecretBackend', () => {
 
     const backend = detectSecretBackend(state);
     expect(backend.provider).toBe('pass');
-    expect(backend).toBeInstanceOf(PassBackend);
   });
 
-  test('returns PassBackend when schema contains @varlock/pass-plugin', () => {
-    const state = createState();
-    mkdirSync(join(state.vaultDir, 'user'), { recursive: true });
-    writeFileSync(
-      join(state.vaultDir, 'user', 'user.env.schema'),
-      '# @plugin(@varlock/pass-plugin)\nOPENAI_API_KEY=pass("openpalm/openai/api-key")\n',
-    );
-
-    const backend = detectSecretBackend(state);
-    expect(backend.provider).toBe('pass');
-    expect(backend).toBeInstanceOf(PassBackend);
-  });
-
-  test('returns PlaintextBackend when provider.json has provider: plaintext', () => {
+  test('returns plaintext provider when provider.json has provider: plaintext', () => {
     const state = createState();
     writeSecretProviderConfig(state, { provider: 'plaintext' });
 
     const backend = detectSecretBackend(state);
     expect(backend.provider).toBe('plaintext');
-    expect(backend).toBeInstanceOf(PlaintextBackend);
-  });
-});
-
-describe('generateRedactSchema', () => {
-  test('output includes all mapped env keys', () => {
-    const systemEnv: Record<string, string> = {};
-    const schema = generateRedactSchema(systemEnv);
-
-    // All static core mappings should be present
-    expect(schema).toContain('OP_ADMIN_TOKEN=');
-    expect(schema).toContain('OP_ASSISTANT_TOKEN=');
-    expect(schema).toContain('OP_MEMORY_TOKEN=');
-    expect(schema).toContain('OPENAI_API_KEY=');
-    expect(schema).toContain('ANTHROPIC_API_KEY=');
-    expect(schema).toContain('GROQ_API_KEY=');
-    expect(schema).toContain('MISTRAL_API_KEY=');
-    expect(schema).toContain('GOOGLE_API_KEY=');
-    expect(schema).toContain('MCP_API_KEY=');
-    expect(schema).toContain('EMBEDDING_API_KEY=');
-  });
-
-  test('includes legacy aliases', () => {
-    const schema = generateRedactSchema({});
-    expect(schema).toContain('ADMIN_TOKEN=');
-    expect(schema).toContain('OP_OPENCODE_PASSWORD=');
-  });
-
-  test('includes dynamic channel secrets', () => {
-    const systemEnv = {
-      CHANNEL_DISCORD_SECRET: 'abc123',
-      CHANNEL_SLACK_SECRET: 'def456',
-    };
-    const schema = generateRedactSchema(systemEnv);
-    expect(schema).toContain('CHANNEL_DISCORD_SECRET=');
-    expect(schema).toContain('CHANNEL_SLACK_SECRET=');
-  });
-
-  test('has correct header format', () => {
-    const schema = generateRedactSchema({});
-    expect(schema).toContain('@defaultSensitive=true');
-    expect(schema).toContain('@defaultRequired=false');
-  });
-
-  test('entries are sorted', () => {
-    const schema = generateRedactSchema({});
-    const lines = schema
-      .split('\n')
-      .filter((l) => l.match(/^[A-Z]/))
-      .map((l) => l.replace(/=.*$/, ''));
-
-    const sorted = [...lines].sort();
-    expect(lines).toEqual(sorted);
   });
 });
-