@openparachute/agent 0.2.2 → 0.2.3-rc.3

package/src/channel-backend-wiring.test.ts

@@ -1,237 +0,0 @@
-/**
- * Tests for the ATTACHED-backend daemon wiring (design 2026-06-18-attached-backend.md,
- * phases 1-2) — the two load-bearing seams:
- *
- *   1. The DAEMON ROUTING FORK (`contextFor`): an inbound for a `backend:attached`
- *      agent must NOT enqueue to the ProgrammaticAgentRegistry (no `claude -p`) and
- *      lands as a durable queue note; an inbound for a programmatic agent still
- *      enqueues as before (no regression).
- *   2. The CHANNEL MCP SURFACE (`dispatchChannelTool`): pending / next-message /
- *      reply / release dispatch to the AttachedQueueRegistry; the outbound from `reply`
- *      goes through the channel transport's reply (the `#agent/message/outbound` path —
- *      loop-safe).
- *
- * Fakes throughout — no real vault / hub / tmux.
- */
-
-import { describe, test, expect } from "bun:test";
-import { contextFor } from "./daemon.ts";
-import { ClientRegistry } from "./routing.ts";
-import { DeliveryState } from "./delivery-state.ts";
-import {
-  ProgrammaticAgentRegistry,
-  type WriteOutbound,
-} from "./backends/registry.ts";
-import {
-  AttachedQueueRegistry,
-  type AttachedQueueStore,
-} from "./backends/attached-queue.ts";
-import { dispatchChannelTool } from "./mcp-http.ts";
-import { SCOPE_READ, SCOPE_WRITE } from "./auth.ts";
-import type { AgentBackend, AgentHandle, AgentStatus, DeliverResult } from "./backends/types.ts";
-import type { AgentSpec } from "./sandbox/types.ts";
-import type { InboundQueueNote, InboundStatus } from "./transports/vault.ts";
-
-// --- fakes -----------------------------------------------------------------
-
-/** A programmatic backend whose `deliver` (the `claude -p` turn) records calls. */
-class FakeProgrammaticBackend implements AgentBackend {
-  readonly kind = "programmatic";
-  readonly delivered: string[] = [];
-  async start(spec: AgentSpec): Promise<AgentHandle> {
-    return { backend: this.kind, channel: spec.channels[0] as string, name: spec.name, spec };
-  }
-  async deliver(_handle: AgentHandle, message: string): Promise<DeliverResult> {
-    this.delivered.push(message);
-    return { ok: true, reply: `auto:${message}` };
-  }
-  async stop(): Promise<void> {}
-  async status(): Promise<AgentStatus> {
-    return { live: true };
-  }
-}
-
-function noopWriteOutbound(): WriteOutbound {
-  return async () => {};
-}
-
-/** A fake attached-queue store: in-memory notes + recorded outbound. */
-class FakeStore implements AttachedQueueStore {
-  readonly notes = new Map<string, InboundQueueNote>();
-  readonly outbound: Array<{ text: string; inReplyTo?: string }> = [];
-  add(n: InboundQueueNote): void {
-    this.notes.set(n.id, n);
-  }
-  async listInboundQueue(): Promise<InboundQueueNote[]> {
-    return [...this.notes.values()].map((n) => ({ ...n })).sort((a, b) => (a.ts < b.ts ? -1 : 1));
-  }
-  async setInboundStatus(id: string, status: InboundStatus, claimedAt?: string | null): Promise<void> {
-    const n = this.notes.get(id)!;
-    n.status = status;
-    if (claimedAt === null) delete n.claimedAt;
-    else if (claimedAt !== undefined) n.claimedAt = claimedAt;
-  }
-  async reply(args: { text: string; inReplyTo?: string }): Promise<{ sent: string[] }> {
-    this.outbound.push({ text: args.text, ...(args.inReplyTo ? { inReplyTo: args.inReplyTo } : {}) });
-    return { sent: ["out-1"] };
-  }
-}
-
-const channelSpec = (name: string, systemPrompt?: string): AgentSpec => ({
-  name,
-  channels: [name],
-  backend: "attached",
-  ...(systemPrompt ? { systemPrompt } : {}),
-});
-
-// --- 1. the daemon routing fork --------------------------------------------
-
-describe("daemon routing fork (contextFor) — attached vs programmatic", () => {
-  test("an attached-backend inbound does NOT enqueue to the programmatic worker", async () => {
-    const backend = new FakeProgrammaticBackend();
-    const programmatic = new ProgrammaticAgentRegistry({ backend, writeOutbound: noopWriteOutbound() });
-    const attachedQueue = new AttachedQueueRegistry();
-    const store = new FakeStore();
-    // Register an ATTACHED agent for "laptop" (its queue store is the fake).
-    attachedQueue.register(channelSpec("laptop"), store);
-
-    const registry = new ClientRegistry();
-    const ctx = contextFor(registry, "laptop", new DeliveryState(), programmatic, attachedQueue);
-    // Simulate the vault trigger delivering an inbound for the channel.
-    ctx.emit({
-      channel: "laptop",
-      content: "handle this when you're around",
-      meta: { note_id: "note-1", ts: "2026-06-18T10:00:00Z" },
-      source: "vault",
-    });
-
-    // THE ASSERTION: the programmatic worker was NOT invoked (no `claude -p` turn).
-    expect(backend.delivered).toEqual([]);
-    // And the durable note is the queue item — it's pending (the trigger creates it as
-    // status:pending; emit doesn't mutate it). The note already lives in the vault; the
-    // channel registry reads it on the next pull.
-    store.add({ id: "note-1", text: "handle this when you're around", sender: "operator", ts: "2026-06-18T10:00:00Z", status: "pending" });
-    const view = await attachedQueue.pending("laptop");
-    expect(view.count).toBe(1);
-  });
-
-  test("a programmatic inbound STILL enqueues to the worker (no regression)", async () => {
-    const backend = new FakeProgrammaticBackend();
-    const programmatic = new ProgrammaticAgentRegistry({ backend, writeOutbound: noopWriteOutbound() });
-    await programmatic.register({ name: "eng", channels: ["eng"], backend: "programmatic" });
-    const attachedQueue = new AttachedQueueRegistry(); // no attached agent for "eng".
-
-    const registry = new ClientRegistry();
-    const ctx = contextFor(registry, "eng", new DeliveryState(), programmatic, attachedQueue);
-    ctx.emit({ channel: "eng", content: "do a task", meta: { note_id: "n-eng" }, source: "vault" });
-
-    // The serial worker drains async — wait for the turn to run.
-    for (let i = 0; i < 200 && backend.delivered.length === 0; i++) {
-      await new Promise<void>((r) => setTimeout(r, 1));
-    }
-    expect(backend.delivered).toEqual(["do a task"]); // the programmatic path is untouched.
-  });
-
-  test("the channel fork is checked FIRST — a name in BOTH registries routes to channel", async () => {
-    // Defense-in-depth: even if a programmatic agent somehow shares the channel, the
-    // channel check short-circuits (the fork is explicit + first), so no `claude -p`.
-    const backend = new FakeProgrammaticBackend();
-    const programmatic = new ProgrammaticAgentRegistry({ backend, writeOutbound: noopWriteOutbound() });
-    await programmatic.register({ name: "dual", channels: ["dual"], backend: "programmatic" });
-    const attachedQueue = new AttachedQueueRegistry();
-    attachedQueue.register(channelSpec("dual"), new FakeStore());
-
-    const ctx = contextFor(new ClientRegistry(), "dual", new DeliveryState(), programmatic, attachedQueue);
-    ctx.emit({ channel: "dual", content: "x", meta: {}, source: "vault" });
-    await new Promise<void>((r) => setTimeout(r, 10));
-    expect(backend.delivered).toEqual([]); // channel won the fork.
-  });
-});
-
-// --- 2. the channel MCP surface --------------------------------------------
-
-const RW = [SCOPE_READ, SCOPE_WRITE];
-
-function parse(result: { content: Array<{ type: "text"; text: string }> }): unknown {
-  return JSON.parse(result.content[0]!.text);
-}
-
-describe("channel MCP surface (dispatchChannelTool)", () => {
-  test("pending → { count, items }", async () => {
-    const reg = new AttachedQueueRegistry();
-    const store = new FakeStore();
-    store.add({ id: "a", text: "hi", sender: "operator", ts: "2026-06-18T10:00:00Z", status: "pending" });
-    reg.register(channelSpec("laptop"), store);
-
-    const r = await dispatchChannelTool("laptop", reg, RW, "pending", {});
-    expect(r.isError).toBeUndefined();
-    expect(parse(r)).toEqual({ count: 1, items: [{ id: "a", preview: "hi" }] });
-  });
-
-  test("next-message claims + returns id/text/inReplyTo/systemPrompt", async () => {
-    const reg = new AttachedQueueRegistry();
-    const store = new FakeStore();
-    store.add({ id: "a", text: "the question", sender: "operator", ts: "2026-06-18T10:00:00Z", status: "pending" });
-    reg.register(channelSpec("laptop", "You are laptop."), store);
-
-    const r = await dispatchChannelTool("laptop", reg, RW, "next-message", {});
-    const claimed = parse(r) as { id: string; text: string; inReplyTo: string; systemPrompt: string };
-    expect(claimed.id).toBe("a");
-    expect(claimed.text).toBe("the question");
-    expect(claimed.inReplyTo).toBe("a");
-    expect(claimed.systemPrompt).toBe("You are laptop.");
-    expect(store.notes.get("a")!.status).toBe("in-flight");
-  });
-
-  test("next-message returns a null-message sentinel when the queue is empty", async () => {
-    const reg = new AttachedQueueRegistry();
-    reg.register(channelSpec("laptop"), new FakeStore());
-    const r = await dispatchChannelTool("laptop", reg, RW, "next-message", {});
-    expect(parse(r)).toEqual({ message: null, note: "no pending messages" });
-  });
-
-  test("reply writes the outbound (loop-safe path) + marks handled", async () => {
-    const reg = new AttachedQueueRegistry();
-    const store = new FakeStore();
-    store.add({ id: "a", text: "q", sender: "operator", ts: "2026-06-18T10:00:00Z", status: "in-flight", claimedAt: "2026-06-18T10:01:00Z" });
-    reg.register(channelSpec("laptop"), store);
-
-    const r = await dispatchChannelTool("laptop", reg, RW, "reply", { inReplyTo: "a", text: "the answer" });
-    expect(r.isError).toBeUndefined();
-    // The outbound went through the channel transport's reply seam — which writes a
-    // `#agent/message/outbound` note (loop-safe; the inbound trigger never fires on it).
-    expect(store.outbound).toEqual([{ text: "the answer", inReplyTo: "a" }]);
-    expect(store.notes.get("a")!.status).toBe("handled");
-  });
-
-  test("release un-claims back to pending", async () => {
-    const reg = new AttachedQueueRegistry();
-    const store = new FakeStore();
-    store.add({ id: "a", text: "q", sender: "operator", ts: "t", status: "in-flight", claimedAt: "2026-06-18T10:00:00Z" });
-    reg.register(channelSpec("laptop"), store);
-
-    const r = await dispatchChannelTool("laptop", reg, RW, "release", { id: "a" });
-    expect(r.isError).toBeUndefined();
-    expect(store.notes.get("a")!.status).toBe("pending");
-  });
-
-  test("write tools require agent:write; a read-only token is refused", async () => {
-    const reg = new AttachedQueueRegistry();
-    reg.register(channelSpec("laptop"), new FakeStore());
-    for (const tool of ["next-message", "reply", "release"]) {
-      const r = await dispatchChannelTool("laptop", reg, [SCOPE_READ], tool, { id: "a", text: "x" });
-      expect(r.isError).toBe(true);
-      expect(r.content[0]!.text).toContain(SCOPE_WRITE);
-    }
-    // pending is read-only — works with a read token.
-    const ok = await dispatchChannelTool("laptop", reg, [SCOPE_READ], "pending", {});
-    expect(ok.isError).toBeUndefined();
-  });
-
-  test("a non-attached channel gates cleanly (tool error, not a crash)", async () => {
-    const reg = new AttachedQueueRegistry(); // nothing registered.
-    const r = await dispatchChannelTool("nope", reg, RW, "pending", {});
-    expect(r.isError).toBe(true);
-    expect(r.content[0]!.text).toContain("no attached-backend agent");
-  });
-});

package/src/credentials.test.ts

@@ -1,274 +0,0 @@
-/**
- * Per-channel Claude OAuth credential store (design §6).
- *
- * Covers: store/retrieve round-trip, 0600 on the secret file, redaction (the
- * raw token never appears in the inspection helper / serialized output), and
- * default-vs-override resolution (override wins, falls back to default, errors
- * when neither). All hermetic under a throwaway state dir.
- */
-import { describe, test, expect, beforeEach, afterEach } from "bun:test";
-import { mkdtempSync, rmSync, existsSync, readFileSync, statSync } from "fs";
-import { join } from "path";
-import { tmpdir } from "os";
-import {
-  setDefaultClaudeCredential,
-  setChannelClaudeCredential,
-  removeChannelClaudeCredential,
-  resolveClaudeCredential,
-  describeClaudeCredentials,
-  readCredentialsFile,
-  credentialsFilePath,
-  CredentialNotConfiguredError,
-  setChannelEnvVar,
-  removeChannelEnvVar,
-  resolveChannelEnv,
-  describeChannelEnv,
-  DenylistedEnvError,
-  DENYLISTED_ENV,
-} from "./credentials.ts";
-
-const DEFAULT_TOKEN = "oat_DEFAULT-OPERATOR-TOKEN-SECRET";
-const OVERRIDE_TOKEN = "oat_PER-CHANNEL-OVERRIDE-SECRET";
-
-let dir: string;
-beforeEach(() => {
-  dir = mkdtempSync(join(tmpdir(), "channel-creds-"));
-});
-afterEach(() => {
-  rmSync(dir, { recursive: true, force: true });
-});
-
-describe("store / retrieve round-trip", () => {
-  test("default token: set then resolve returns it", () => {
-    setDefaultClaudeCredential(DEFAULT_TOKEN, dir);
-    expect(resolveClaudeCredential("any-channel", dir)).toBe(DEFAULT_TOKEN);
-  });
-
-  test("per-channel override: set then resolve returns it for that channel", () => {
-    setChannelClaudeCredential("aaron-dev", OVERRIDE_TOKEN, dir);
-    expect(resolveClaudeCredential("aaron-dev", dir)).toBe(OVERRIDE_TOKEN);
-  });
-
-  test("setting one slice preserves the other (read-modify-write)", () => {
-    setDefaultClaudeCredential(DEFAULT_TOKEN, dir);
-    setChannelClaudeCredential("aaron-dev", OVERRIDE_TOKEN, dir);
-    setChannelClaudeCredential("ops", "oat_OPS", dir);
-    const file = readCredentialsFile(dir);
-    expect(file.claude!.default).toBe(DEFAULT_TOKEN);
-    expect(file.claude!.channels!["aaron-dev"]).toBe(OVERRIDE_TOKEN);
-    expect(file.claude!.channels!["ops"]).toBe("oat_OPS");
-  });
-
-  test("empty token is rejected (never persists a blank credential)", () => {
-    expect(() => setDefaultClaudeCredential("", dir)).toThrow(/non-empty token/);
-    expect(() => setChannelClaudeCredential("c", "", dir)).toThrow(/non-empty token/);
-    expect(existsSync(credentialsFilePath(dir))).toBe(false);
-  });
-});
-
-describe("0600 on the secret file", () => {
-  test("the credentials file is written 0600 (holds a secret)", () => {
-    setDefaultClaudeCredential(DEFAULT_TOKEN, dir);
-    const file = credentialsFilePath(dir);
-    expect(existsSync(file)).toBe(true);
-    expect(statSync(file).mode & 0o777).toBe(0o600);
-  });
-
-  test("a subsequent write keeps it 0600 (chmod is unconditional)", () => {
-    setDefaultClaudeCredential(DEFAULT_TOKEN, dir);
-    // Loosen perms behind the store's back, then write again → must re-tighten.
-    const fs = require("fs") as typeof import("fs");
-    fs.chmodSync(credentialsFilePath(dir), 0o644);
-    setChannelClaudeCredential("c", OVERRIDE_TOKEN, dir);
-    expect(statSync(credentialsFilePath(dir)).mode & 0o777).toBe(0o600);
-  });
-});
-
-describe("redaction — the raw token never leaks via the inspection helper", () => {
-  test("describeClaudeCredentials reports presence + channel names, NOT the token", () => {
-    setDefaultClaudeCredential(DEFAULT_TOKEN, dir);
-    setChannelClaudeCredential("aaron-dev", OVERRIDE_TOKEN, dir);
-    setChannelClaudeCredential("ops", "oat_OPS", dir);
-    const desc = describeClaudeCredentials(dir);
-    expect(desc.defaultSet).toBe(true);
-    expect(desc.channels).toEqual(["aaron-dev", "ops"]); // sorted, names only
-    const serialized = JSON.stringify(desc);
-    expect(serialized).not.toContain(DEFAULT_TOKEN);
-    expect(serialized).not.toContain(OVERRIDE_TOKEN);
-    expect(serialized).not.toContain("oat_OPS");
-  });
-
-  test("describe on an empty store: defaultSet false, no channels", () => {
-    const desc = describeClaudeCredentials(dir);
-    expect(desc).toEqual({ defaultSet: false, channels: [] });
-  });
-});
-
-describe("default-vs-override resolution", () => {
-  test("override WINS over the default for its channel", () => {
-    setDefaultClaudeCredential(DEFAULT_TOKEN, dir);
-    setChannelClaudeCredential("aaron-dev", OVERRIDE_TOKEN, dir);
-    expect(resolveClaudeCredential("aaron-dev", dir)).toBe(OVERRIDE_TOKEN);
-    // A different channel with no override falls back to the default.
-    expect(resolveClaudeCredential("other", dir)).toBe(DEFAULT_TOKEN);
-  });
-
-  test("falls back to the default when the channel has no override", () => {
-    setDefaultClaudeCredential(DEFAULT_TOKEN, dir);
-    expect(resolveClaudeCredential("never-configured", dir)).toBe(DEFAULT_TOKEN);
-  });
-
-  test("ERRORS when neither an override nor a default is set", () => {
-    expect(() => resolveClaudeCredential("ghost", dir)).toThrow(CredentialNotConfiguredError);
-    expect(() => resolveClaudeCredential("ghost", dir)).toThrow(/no Claude credential for channel "ghost"/);
-  });
-
-  test("removing an override falls back to the default; removing a missing one is a no-op", () => {
-    setDefaultClaudeCredential(DEFAULT_TOKEN, dir);
-    setChannelClaudeCredential("aaron-dev", OVERRIDE_TOKEN, dir);
-    expect(removeChannelClaudeCredential("aaron-dev", dir)).toBe(true);
-    expect(resolveClaudeCredential("aaron-dev", dir)).toBe(DEFAULT_TOKEN); // back to default
-    expect(removeChannelClaudeCredential("aaron-dev", dir)).toBe(false); // already gone
-    // The default is untouched by an override removal.
-    expect(readCredentialsFile(dir).claude!.default).toBe(DEFAULT_TOKEN);
-  });
-
-  test("resolution is read dynamically — a rotate takes effect on the next resolve", () => {
-    setDefaultClaudeCredential(DEFAULT_TOKEN, dir);
-    expect(resolveClaudeCredential("c", dir)).toBe(DEFAULT_TOKEN);
-    setDefaultClaudeCredential("oat_ROTATED", dir);
-    expect(resolveClaudeCredential("c", dir)).toBe("oat_ROTATED");
-  });
-});
-
-// ===========================================================================
-// Generic per-channel env store (GH_TOKEN / CLOUDFLARE_API_TOKEN / …)
-// ===========================================================================
-const GH = "ghp_GITHUB-TOKEN-SECRET";
-const CF = "cf_CLOUDFLARE-TOKEN-SECRET";
-
-describe("env store — set / resolve / channel-over-default merge", () => {
-  test("default var: set with null channel, resolves for any channel", () => {
-    setChannelEnvVar(null, "GH_TOKEN", GH, dir);
-    expect(resolveChannelEnv("anything", dir)).toEqual({ GH_TOKEN: GH });
-    // An empty-string channel also targets the default layer.
-    setChannelEnvVar("", "CF_TOKEN", CF, dir);
-    expect(resolveChannelEnv("anything", dir)).toEqual({ GH_TOKEN: GH, CF_TOKEN: CF });
-  });
-
-  test("per-channel override WINS over the default for that channel; others see only the default", () => {
-    setChannelEnvVar(null, "GH_TOKEN", "ghp_DEFAULT", dir);
-    setChannelEnvVar("aaron-dev", "GH_TOKEN", "ghp_AARON", dir);
-    setChannelEnvVar("aaron-dev", "CLOUDFLARE_API_TOKEN", CF, dir);
-    // channel layer wins on GH_TOKEN, plus its own CF token, plus inherits nothing extra.
-    expect(resolveChannelEnv("aaron-dev", dir)).toEqual({ GH_TOKEN: "ghp_AARON", CLOUDFLARE_API_TOKEN: CF });
-    // a different channel falls back to the default only.
-    expect(resolveChannelEnv("other", dir)).toEqual({ GH_TOKEN: "ghp_DEFAULT" });
-  });
-
-  test("resolves to {} when nothing is configured (env injection is optional)", () => {
-    expect(resolveChannelEnv("ghost", dir)).toEqual({});
-  });
-
-  test("setting an env var preserves the Claude slice (independent namespaces)", () => {
-    setDefaultClaudeCredential(DEFAULT_TOKEN, dir);
-    setChannelEnvVar(null, "GH_TOKEN", GH, dir);
-    const file = readCredentialsFile(dir);
-    expect(file.claude!.default).toBe(DEFAULT_TOKEN); // untouched
-    expect(file.env!.default!.GH_TOKEN).toBe(GH);
-  });
-
-  test("read dynamically — a value change takes effect on the next resolve", () => {
-    setChannelEnvVar("c", "GH_TOKEN", "ghp_OLD", dir);
-    expect(resolveChannelEnv("c", dir).GH_TOKEN).toBe("ghp_OLD");
-    setChannelEnvVar("c", "GH_TOKEN", "ghp_NEW", dir);
-    expect(resolveChannelEnv("c", dir).GH_TOKEN).toBe("ghp_NEW");
-  });
-
-  test("the env store file is written 0600 (holds secrets)", () => {
-    setChannelEnvVar(null, "GH_TOKEN", GH, dir);
-    expect(statSync(credentialsFilePath(dir)).mode & 0o777).toBe(0o600);
-  });
-});
-
-describe("env store — remove", () => {
-  test("remove a default var; remove a missing one is a no-op (false)", () => {
-    setChannelEnvVar(null, "GH_TOKEN", GH, dir);
-    setChannelEnvVar(null, "CF_TOKEN", CF, dir);
-    expect(removeChannelEnvVar(null, "GH_TOKEN", dir)).toBe(true);
-    expect(resolveChannelEnv("any", dir)).toEqual({ CF_TOKEN: CF });
-    expect(removeChannelEnvVar(null, "GH_TOKEN", dir)).toBe(false); // already gone
-  });
-
-  test("remove a channel override; the default for that name re-emerges", () => {
-    setChannelEnvVar(null, "GH_TOKEN", "ghp_DEFAULT", dir);
-    setChannelEnvVar("aaron-dev", "GH_TOKEN", "ghp_AARON", dir);
-    expect(removeChannelEnvVar("aaron-dev", "GH_TOKEN", dir)).toBe(true);
-    expect(resolveChannelEnv("aaron-dev", dir)).toEqual({ GH_TOKEN: "ghp_DEFAULT" }); // back to default
-  });
-
-  test("removing the last var of a channel prunes the empty channel map", () => {
-    setChannelEnvVar("c", "GH_TOKEN", GH, dir);
-    removeChannelEnvVar("c", "GH_TOKEN", dir);
-    const file = readCredentialsFile(dir);
-    // The channel (and the now-empty channels map) is pruned, not left as {}.
-    expect(file.env?.channels).toBeUndefined();
-  });
-});
-
-describe("env store — redaction (describeChannelEnv returns NAMES only)", () => {
-  test("describe reports names per layer, never the values", () => {
-    setChannelEnvVar(null, "GH_TOKEN", GH, dir);
-    setChannelEnvVar("aaron-dev", "CLOUDFLARE_API_TOKEN", CF, dir);
-    setChannelEnvVar("aaron-dev", "GH_TOKEN", "ghp_AARON", dir);
-    const desc = describeChannelEnv(dir);
-    expect(desc.default).toEqual(["GH_TOKEN"]);
-    expect(desc.channels["aaron-dev"]).toEqual(["CLOUDFLARE_API_TOKEN", "GH_TOKEN"]); // sorted
-    const serialized = JSON.stringify(desc);
-    expect(serialized).not.toContain(GH);
-    expect(serialized).not.toContain(CF);
-    expect(serialized).not.toContain("ghp_AARON");
-  });
-
-  test("describe on an empty store: no default, no channels", () => {
-    expect(describeChannelEnv(dir)).toEqual({ default: [], channels: {} });
-  });
-});
-
-describe("env store — denylist (the Claude-auth trio is never settable)", () => {
-  test("the denylist is exactly the Claude-auth vars", () => {
-    expect([...DENYLISTED_ENV].sort()).toEqual(
-      ["ANTHROPIC_API_KEY", "CLAUDE_API_KEY", "CLAUDE_CODE_OAUTH_TOKEN"].sort(),
-    );
-  });
-
-  test("setter REJECTS each denylisted name (default + channel), nothing persisted", () => {
-    for (const name of DENYLISTED_ENV) {
-      expect(() => setChannelEnvVar(null, name, "x", dir)).toThrow(DenylistedEnvError);
-      expect(() => setChannelEnvVar("c", name, "x", dir)).toThrow(DenylistedEnvError);
-    }
-    expect(existsSync(credentialsFilePath(dir))).toBe(false);
-  });
-
-  test("setter rejects a malformed name + an empty value", () => {
-    expect(() => setChannelEnvVar(null, "9BAD", "x", dir)).toThrow(/invalid/);
-    expect(() => setChannelEnvVar(null, "has space", "x", dir)).toThrow(/invalid/);
-    expect(() => setChannelEnvVar(null, "GH_TOKEN", "", dir)).toThrow(/non-empty/);
-    expect(existsSync(credentialsFilePath(dir))).toBe(false);
-  });
-
-  test("resolve defensively STRIPS a denylisted key planted by a hand-edited file", () => {
-    // Plant a denylisted key directly on disk (bypassing the setter), then prove
-    // resolveChannelEnv never returns it — the injection defense's first line.
-    setChannelEnvVar(null, "GH_TOKEN", GH, dir);
-    const fs = require("fs") as typeof import("fs");
-    const file = JSON.parse(fs.readFileSync(credentialsFilePath(dir), "utf8")) as {
-      env: { default: Record<string, string> };
-    };
-    file.env.default.ANTHROPIC_API_KEY = "sk-ant-SMUGGLED";
-    fs.writeFileSync(credentialsFilePath(dir), JSON.stringify(file));
-    const resolved = resolveChannelEnv("any", dir);
-    expect(resolved.GH_TOKEN).toBe(GH);
-    expect(resolved.ANTHROPIC_API_KEY).toBeUndefined();
-  });
-});