@opensip-cli/tool-gitleaks 0.1.15

package/dist/__tests__/suite-step-e2e.test.js

@@ -0,0 +1,262 @@
+/**
+ * 04↔05 integration E2E — an EXTERNAL tool adapter (plan 04) runs as a host-owned
+ * SUITE step (plan 05 / ADR-0093) over the REAL forked-worker boundary, end-to-end
+ * against the BUILT CLI.
+ *
+ * This locks in the seam between the two planes that otherwise only meet at run
+ * time: the gitleaks adapter is an installed, EXTERNAL-provenance tool, so when it
+ * appears as a `suites:` step the orchestrator's `maybeDispatchExternal` hook MUST
+ * fork the ADR-0054 worker (it never runs the untrusted runtime in-host), and the
+ * worker's verdict MUST flow back into the suite's worst-of exit aggregation.
+ *
+ * The harness mirrors `worker-e2e.test.ts` (least-effort path): the REAL gitleaks
+ * package is presented as an installed npm tool (symlinked into the throwaway
+ * project's `node_modules` so the worker resolves its `@opensip-cli/*` workspace
+ * deps via realpath), a FAKE `gitleaks` on PATH makes the scan deterministic (copy
+ * the committed golden to `--report-path`, exit 1 like real gitleaks on findings),
+ * and `OPENSIP_CLI_ALLOW_INSTALLED_TOOLS` trusts it (installed tools are
+ * deny-by-default). The fake's golden path rides the documented
+ * `OPENSIP_CLI_TOOL_ENV_PASSTHROUGH` into the worker fork's curated env.
+ *
+ * What it proves:
+ *   - `suite add security --tool gitleaks --command gitleaks` resolves the tool
+ *     NAME to its canonical `ToolMetadata.id` UUID in `opensip-cli.config.yml`.
+ *   - `suite run security` dispatches the step through the forked worker: the raw
+ *     artifact lands at `.runtime/artifacts/gitleaks/<runId>/gitleaks.json`
+ *     (mode 0600 in a 0700 dir) — the worker boundary actually ran the scan.
+ *   - the gitleaks findings verdict propagates into the suite worst-of exit
+ *     (the 2 fixture secrets trip the findings gate ⇒ the suite exits non-zero,
+ *     the step summary records exit 1).
+ *   - the run persists under the suite grouping (`suiteRunId` / `suiteName`) with
+ *     the gitleaks verdict + finding count.
+ *   - the secret-egress guarantee STILL holds inside a suite (no raw `Secret`/
+ *     `Match` reaches the emitted output; only the masked preview survives).
+ *   - deny-by-default STILL applies in suite context: WITHOUT the trust env the
+ *     step is denied (non-zero exit, no artifact, no session) — it never silently
+ *     succeeds.
+ *
+ * Requires `pnpm build` first (the CLI dist + the gitleaks dist). Missing builds
+ * FAIL loudly (no silent skip).
+ *
+ * NOTE on the step command name: the adapter declares its scan command as `scan`,
+ * but `defineExternalToolAdapter` makes the first command the PRIMARY, which
+ * `defineTool` names from `identity.name` — so the resolvable `commandSpecs` name
+ * (and the suite step `command`) is `gitleaks`, not `scan`. `suite add --command
+ * scan` is rejected (`CONFIG.SUITE_ADD.UNKNOWN_COMMAND`, exit 2).
+ */
+import { execFileSync } from 'node:child_process';
+import { cpSync, existsSync, mkdirSync, mkdtempSync, readdirSync, readFileSync, rmSync, statSync, symlinkSync, writeFileSync, } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { afterAll, beforeAll, describe, expect, it } from 'vitest';
+const HERE = dirname(fileURLToPath(import.meta.url));
+// .../packages/tool-gitleaks/src/__tests__ → repo root is four levels up.
+const REPO_ROOT = join(HERE, '..', '..', '..', '..');
+const CLI_DIST = join(REPO_ROOT, 'packages', 'cli', 'dist', 'index.js');
+const GITLEAKS_PKG_DIR = join(REPO_ROOT, 'packages', 'tool-gitleaks');
+const FIXTURES = join(GITLEAKS_PKG_DIR, '__fixtures__');
+const GOLDEN_PATH = join(FIXTURES, 'gitleaks-golden.json');
+// The gitleaks adapter's stable `ToolMetadata.id` (ADR-0048). Suite steps address
+// tools by this UUID; `suite add --tool gitleaks` must resolve the name to it.
+const GITLEAKS_STABLE_ID = 'cd08f737-ce8e-4813-9259-b4ffeb954268';
+// Raw matched-credential strings that must NEVER reach the emitted payload.
+const RAW_SECRETS = ['AKIAIOSFODNN7EXAMPLE', 'glpat-XXXXXXXXXXXXXXXXXXXX', 'aws_key ='];
+let binDir;
+let baseEnv;
+/** Run the built CLI as a child process, capturing stdout/stderr + exit code. */
+function runCli(args, extraEnv, cwd) {
+    try {
+        const stdout = execFileSync('node', [CLI_DIST, ...args], {
+            cwd,
+            env: { ...process.env, ...baseEnv, ...extraEnv },
+            encoding: 'utf8',
+            maxBuffer: 32 * 1024 * 1024,
+        });
+        return { stdout, stderr: '', status: 0 };
+    }
+    catch (error) {
+        const e = error;
+        return { stdout: e.stdout ?? '', stderr: e.stderr ?? '', status: e.status ?? 1 };
+    }
+}
+/** Scaffold a throwaway opensip-cli project that resolves the installed gitleaks tool. */
+function makeSuiteProject() {
+    const dir = mkdtempSync(join(tmpdir(), 'opensip-gitleaks-suite-'));
+    writeFileSync(join(dir, 'opensip-cli.config.yml'), 'schemaVersion: 1\ntargets: {}\n', 'utf8');
+    // SYMLINK (not a copy) so the worker resolves the adapter's `@opensip-cli/*`
+    // workspace deps from the monorepo via realpath — a copy would orphan them.
+    const scopeDir = join(dir, 'node_modules', '@opensip-cli');
+    mkdirSync(scopeDir, { recursive: true });
+    symlinkSync(GITLEAKS_PKG_DIR, join(scopeDir, 'tool-gitleaks'), 'dir');
+    return dir;
+}
+/** Split the CLI's concatenated top-level `--json` outcome documents. */
+function parseOutcomes(stdout) {
+    // The CLI pretty-prints each top-level outcome object starting at column 0; a
+    // `suite run --json` emits the step's gitleaks envelope outcome AND the suite-run
+    // outcome back-to-back. Split before each line-leading `{`, then JSON.parse each.
+    return stdout
+        .split(/\n(?=\{)/)
+        .map((chunk) => chunk.trim())
+        .filter((chunk) => chunk.startsWith('{'))
+        .map((chunk) => JSON.parse(chunk));
+}
+beforeAll(() => {
+    if (!existsSync(CLI_DIST)) {
+        throw new Error(`built CLI not found at ${CLI_DIST} — run \`pnpm build\` first`);
+    }
+    if (!existsSync(join(GITLEAKS_PKG_DIR, 'dist', 'index.js'))) {
+        throw new Error('built tool-gitleaks dist not found — run `pnpm build` first');
+    }
+    // A FAKE gitleaks on PATH for determinism (copies the golden to --report-path,
+    // exits 1). PATH is auto-forwarded into the worker fork's curated env.
+    binDir = mkdtempSync(join(tmpdir(), 'opensip-gitleaks-suite-bin-'));
+    cpSync(join(FIXTURES, 'fake-gitleaks'), join(binDir, 'gitleaks'));
+    execFileSync('chmod', ['+x', join(binDir, 'gitleaks')]);
+    baseEnv = {
+        PATH: `${binDir}:${process.env.PATH ?? ''}`,
+        FAKE_GITLEAKS_GOLDEN: GOLDEN_PATH,
+        OPENSIP_CLI_TOOL_ENV_PASSTHROUGH: 'FAKE_GITLEAKS_GOLDEN',
+        // Installed tools are deny-by-default — trust the gitleaks id (admission keys
+        // on `opensipTools.id`; the UUID is included per the ADR-0048 stable-id rule).
+        OPENSIP_CLI_ALLOW_INSTALLED_TOOLS: `${GITLEAKS_STABLE_ID} gitleaks`,
+    };
+});
+afterAll(() => {
+    if (binDir !== undefined)
+        rmSync(binDir, { recursive: true, force: true });
+});
+describe('gitleaks as a suite step (04↔05) — external adapter over the worker boundary', () => {
+    let project;
+    let configText;
+    let addRun;
+    let suiteRun;
+    let suiteOutcome;
+    beforeAll(() => {
+        project = makeSuiteProject();
+        // 1) Author the suite via `suite add` — proving it resolves the tool NAME to
+        //    the canonical UUID (needs the trust env to admit the installed tool into
+        //    the registry it resolves against). `--command gitleaks` is the primary
+        //    command's resolvable name (see the file header NOTE).
+        addRun = runCli(['suite', 'add', 'security', '--tool', 'gitleaks', '--command', 'gitleaks'], {}, project);
+        configText = readFileSync(join(project, 'opensip-cli.config.yml'), 'utf8');
+        // 2) Run the suite over the real forked worker (single `--json` run drives all
+        //    the structured assertions + the on-disk side effects).
+        suiteRun = runCli(['suite', 'run', 'security', '--json'], {}, project);
+        const outcomes = parseOutcomes(suiteRun.stdout);
+        const found = outcomes.find((o) => o.kind === 'suite-run');
+        if (found === undefined) {
+            throw new Error(`no suite-run outcome in stdout:\n${suiteRun.stdout}`);
+        }
+        suiteOutcome = found.data;
+    });
+    afterAll(() => {
+        if (project !== undefined)
+            rmSync(project, { recursive: true, force: true });
+    });
+    it('`suite add` resolves the tool name to its canonical UUID in config', () => {
+        expect(addRun.status).toBe(0);
+        expect(configText).toContain(`tool: ${GITLEAKS_STABLE_ID}`);
+        expect(configText).toContain('command: gitleaks');
+    });
+    it('dispatches the step through the forked worker — raw artifact lands 0600 in a 0700 dir', () => {
+        const runDir = join(project, 'opensip-cli', '.runtime', 'artifacts', 'gitleaks');
+        expect(existsSync(runDir)).toBe(true);
+        const runs = readdirSync(runDir).filter((name) => name.startsWith('RUN_'));
+        expect(runs.length).toBeGreaterThan(0);
+        const perRunDir = join(runDir, runs[0]);
+        const artifact = join(perRunDir, 'gitleaks.json');
+        // The fake binary does NOT `mkdir -p` its --report-path dir — the artifact
+        // exists ONLY because the host `ensureArtifactDir` seam created the per-run dir
+        // (over the worker boundary) before the scan. Its presence proves the worker
+        // actually ran the gitleaks scan inside the suite step.
+        expect(existsSync(artifact)).toBe(true);
+        expect(statSync(perRunDir).mode & 0o777).toBe(0o700);
+        expect(statSync(artifact).mode & 0o777).toBe(0o600);
+        // The persisted artifact is the byte-preserved golden (two findings).
+        expect(JSON.parse(readFileSync(artifact, 'utf8'))).toHaveLength(2);
+    });
+    it('propagates the gitleaks findings verdict into the suite worst-of exit', () => {
+        // The 2 fixture secrets trip the findings gate ⇒ the worker verdict FAILS, and
+        // that must aggregate worst-of into the suite exit (process + structured both 1).
+        expect(suiteRun.status).toBe(1);
+        expect(suiteOutcome.exitCode).toBe(1);
+        expect(suiteOutcome.suiteRunId).toMatch(/^SUITE_/);
+        expect(suiteOutcome.steps).toHaveLength(1);
+        const [step] = suiteOutcome.steps;
+        expect(step?.tool).toBe('gitleaks');
+        expect(step?.stableId).toBe(GITLEAKS_STABLE_ID);
+        expect(step?.command).toBe('gitleaks');
+        expect(step?.exitCode).toBe(1);
+    });
+    it('persists the run under the suite grouping with the gitleaks verdict', () => {
+        const list = runCli(['sessions', 'list', '--json'], {}, project);
+        expect(list.status).toBe(0);
+        const data = parseOutcomes(list.stdout).find((o) => o.kind === 'history')?.data;
+        const gitleaksRow = (data?.sessions ?? []).find((s) => s.tool === 'gitleaks');
+        expect(gitleaksRow).toBeDefined();
+        expect(gitleaksRow?.suiteName).toBe('security');
+        expect(gitleaksRow?.suiteRunId ?? '').toMatch(/^SUITE_/);
+        // The grouped suiteRunId matches the suite-run outcome's id (same run).
+        expect(gitleaksRow?.suiteRunId).toBe(suiteOutcome.suiteRunId);
+        expect(gitleaksRow?.passed).toBe(false);
+        expect(gitleaksRow?.payload?.findings).toBe(2);
+    });
+    it('upholds the secret-egress guarantee inside the suite (masked preview only)', () => {
+        for (const raw of RAW_SECRETS) {
+            expect(suiteRun.stdout).not.toContain(raw);
+        }
+        expect(suiteRun.stdout).not.toContain('"Match"');
+        expect(suiteRun.stdout).not.toContain('"Secret"');
+        // The masked preview IS present (the finding stays identifiable in the suite).
+        expect(suiteRun.stdout).toContain('AKIA…');
+        expect(suiteRun.stdout).toContain('glpa…');
+    });
+});
+describe('gitleaks as a suite step — deny-by-default still applies in suite context', () => {
+    let project;
+    let denied;
+    beforeAll(() => {
+        project = makeSuiteProject();
+        // Author the suite config DIRECTLY (the installed gitleaks IS present in
+        // node_modules, so the deny is purely the trust gate, not absence of the tool).
+        writeFileSync(join(project, 'opensip-cli.config.yml'), [
+            'schemaVersion: 1',
+            'targets: {}',
+            'suites:',
+            '  security:',
+            '    steps:',
+            `      - tool: ${GITLEAKS_STABLE_ID}`,
+            '        name: gitleaks',
+            '        command: gitleaks',
+            '',
+        ].join('\n'), 'utf8');
+        // Run WITHOUT the trust allowlist (override baseEnv's trust to empty).
+        denied = runCli(['suite', 'run', 'security'], { OPENSIP_CLI_ALLOW_INSTALLED_TOOLS: '' }, project);
+    });
+    afterAll(() => {
+        if (project !== undefined)
+            rmSync(project, { recursive: true, force: true });
+    });
+    it('denies the untrusted external step (non-zero exit — never a silent success)', () => {
+        // The installed gitleaks is not admitted, so the suite's UUID-addressed step
+        // resolves to no tool and the run fails (configuration error) rather than
+        // silently passing.
+        expect(denied.status).not.toBe(0);
+    });
+    it('runs no scan: no artifact and no gitleaks session were produced', () => {
+        const runDir = join(project, 'opensip-cli', '.runtime', 'artifacts', 'gitleaks');
+        const artifactCount = existsSync(runDir)
+            ? readdirSync(runDir)
+                .filter((name) => name.startsWith('RUN_'))
+                .filter((name) => existsSync(join(runDir, name, 'gitleaks.json'))).length
+            : 0;
+        expect(artifactCount).toBe(0);
+        const list = runCli(['sessions', 'list', '--json'], { OPENSIP_CLI_ALLOW_INSTALLED_TOOLS: '' }, project);
+        const data = parseOutcomes(list.stdout).find((o) => o.kind === 'history')?.data;
+        const gitleaksRows = (data?.sessions ?? []).filter((s) => s.tool === 'gitleaks');
+        expect(gitleaksRows).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=suite-step-e2e.test.js.map

package/dist/__tests__/suite-step-e2e.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"suite-step-e2e.test.js","sourceRoot":"","sources":["../../src/__tests__/suite-step-e2e.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EACL,MAAM,EACN,UAAU,EACV,SAAS,EACT,WAAW,EACX,WAAW,EACX,YAAY,EACZ,MAAM,EACN,QAAQ,EACR,WAAW,EACX,aAAa,GACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAEnE,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACrD,0EAA0E;AAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;AACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;AACxE,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;AACtE,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC;AACxD,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,sBAAsB,CAAC,CAAC;AAE3D,kFAAkF;AAClF,+EAA+E;AAC/E,MAAM,kBAAkB,GAAG,sCAAsC,CAAC;AAElE,4EAA4E;AAC5E,MAAM,WAAW,GAAG,CAAC,sBAAsB,EAAE,4BAA4B,EAAE,WAAW,CAAC,CAAC;AAQxF,IAAI,MAAc,CAAC;AACnB,IAAI,OAA+B,CAAC;AAEpC,iFAAiF;AACjF,SAAS,MAAM,CAAC,IAAc,EAAE,QAAgC,EAAE,GAAW;IAC3E,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,EAAE;YACvD,GAAG;YACH,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,QAAQ,EAAE;YAChD,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,GAAG,KAA8D,CAAC;QACzE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;IACnF,CAAC;AACH,CAAC;AAED,0FAA0F;AAC1F,SAAS,gBAAgB;IACvB,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,yBAAyB,CAAC,CAAC,CAAC;IACnE,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,wBAAwB,CAAC,EAAE,iCAAiC,EAAE,MAAM,CAAC,CAAC;IAC9F,6EAA6E;IAC7E,4EAA4E;IAC5E,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;IAC3D,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,WAAW,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,KAAK,CAAC,CAAC;IACtE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,yEAAyE;AACzE,SAAS,aAAa,CAAC,MAAc;IACnC,8EAA8E;IAC9E,kFAAkF;IAClF,kFAAkF;IAClF,OAAO,MAAM;SACV,KAAK,CAAC,UAAU,CAAC;SACjB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;SACxC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAA4B,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,CAAC,GAAG,EAAE;IACb,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,6BAA6B,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IAED,+EAA+E;IAC/E,uEAAuE;IACvE,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,6BAA6B,CAAC,CAAC,CAAC;IACpE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;IAClE,YAAY,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;IAExD,OAAO,GAAG;QACR,IAAI,EAAE,GAAG,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE;QAC3C,oBAAoB,EAAE,WAAW;QACjC,gCAAgC,EAAE,sBAAsB;QACxD,8EAA8E;QAC9E,+EAA+E;QAC/E,iCAAiC,EAAE,GAAG,kBAAkB,WAAW;KACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,GAAG,EAAE;IACZ,IAAI,MAAM,KAAK,SAAS;QAAE,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC7E,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,8EAA8E,EAAE,GAAG,EAAE;IAC5F,IAAI,OAAe,CAAC;IACpB,IAAI,UAAkB,CAAC;IACvB,IAAI,MAAc,CAAC;IACnB,IAAI,QAAgB,CAAC;IACrB,IAAI,YAIH,CAAC;IAEF,SAAS,CAAC,GAAG,EAAE;QACb,OAAO,GAAG,gBAAgB,EAAE,CAAC;QAE7B,6EAA6E;QAC7E,8EAA8E;QAC9E,4EAA4E;QAC5E,2DAA2D;QAC3D,MAAM,GAAG,MAAM,CACb,CAAC,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,CAAC,EAC3E,EAAE,EACF,OAAO,CACR,CAAC;QACF,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,wBAAwB,CAAC,EAAE,MAAM,CAAC,CAAC;QAE3E,+EAA+E;QAC/E,4DAA4D;QAC5D,QAAQ,GAAG,MAAM,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC;QAC3D,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,oCAAoC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACzE,CAAC;QACD,YAAY,GAAG,KAAK,CAAC,IAA2B,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,GAAG,EAAE;QACZ,IAAI,OAAO,KAAK,SAAS;YAAE,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,GAAG,EAAE;QAC5E,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,SAAS,kBAAkB,EAAE,CAAC,CAAC;QAC5D,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uFAAuF,EAAE,GAAG,EAAE;QAC/F,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QACjF,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QAC3E,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;QAClD,2EAA2E;QAC3E,gFAAgF;QAChF,6EAA6E;QAC7E,wDAAwD;QACxD,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrD,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpD,sEAAsE;QACtE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,+EAA+E;QAC/E,kFAAkF;QAClF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACnD,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC;QAClC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;QACjE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,IAE1E,CAAC;QACF,MAAM,WAAW,GAAG,CAAC,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAO/D,CAAC;QACd,MAAM,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;QAClC,MAAM,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,CAAC,WAAW,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACzD,wEAAwE;QACxE,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,CAAC,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4EAA4E,EAAE,GAAG,EAAE;QACpF,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAC7C,CAAC;QACD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAClD,+EAA+E;QAC/E,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,2EAA2E,EAAE,GAAG,EAAE;IACzF,IAAI,OAAe,CAAC;IACpB,IAAI,MAAc,CAAC;IAEnB,SAAS,CAAC,GAAG,EAAE;QACb,OAAO,GAAG,gBAAgB,EAAE,CAAC;QAC7B,yEAAyE;QACzE,gFAAgF;QAChF,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,wBAAwB,CAAC,EACvC;YACE,kBAAkB;YAClB,aAAa;YACb,SAAS;YACT,aAAa;YACb,YAAY;YACZ,iBAAiB,kBAAkB,EAAE;YACrC,wBAAwB;YACxB,2BAA2B;YAC3B,EAAE;SACH,CAAC,IAAI,CAAC,IAAI,CAAC,EACZ,MAAM,CACP,CAAC;QACF,uEAAuE;QACvE,MAAM,GAAG,MAAM,CACb,CAAC,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,EAC5B,EAAE,iCAAiC,EAAE,EAAE,EAAE,EACzC,OAAO,CACR,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,GAAG,EAAE;QACZ,IAAI,OAAO,KAAK,SAAS;YAAE,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,GAAG,EAAE;QACrF,6EAA6E;QAC7E,0EAA0E;QAC1E,oBAAoB;QACpB,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QACjF,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,CAAC;YACtC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC;iBAChB,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;iBACzC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,MAAM;YAC7E,CAAC,CAAC,CAAC,CAAC;QACN,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAE9B,MAAM,IAAI,GAAG,MAAM,CACjB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAC9B,EAAE,iCAAiC,EAAE,EAAE,EAAE,EACzC,OAAO,CACR,CAAC;QACF,MAAM,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,IAE1E,CAAC;QACF,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;QACjF,MAAM,CAAC,YAAY,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/tool.test.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Tier-1 (in-process) tests for the gitleaks adapter `Tool` (ADR-0090 D6 Tier 1).
+ *
+ * Asserts the declarative surface (commandSpecs / identity / metadata), the binary
+ * helpers (version parse + scan args), the FROZEN exit model (Phase-0 decision 4),
+ * the manifest↔runtime host-shape guards (`assertManifestMatchesTool` +
+ * `deriveAdapterManifestCommands` parity), and the full normalize→envelope path
+ * via the acceptance harness — including a redaction check across the envelope.
+ */
+export {};
+//# sourceMappingURL=tool.test.d.ts.map

package/dist/__tests__/tool.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/tool.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG"}

package/dist/__tests__/tool.test.js

@@ -0,0 +1,197 @@
+/**
+ * Tier-1 (in-process) tests for the gitleaks adapter `Tool` (ADR-0090 D6 Tier 1).
+ *
+ * Asserts the declarative surface (commandSpecs / identity / metadata), the binary
+ * helpers (version parse + scan args), the FROZEN exit model (Phase-0 decision 4),
+ * the manifest↔runtime host-shape guards (`assertManifestMatchesTool` +
+ * `deriveAdapterManifestCommands` parity), and the full normalize→envelope path
+ * via the acceptance harness — including a redaction check across the envelope.
+ */
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { assertManifestMatchesTool } from '@opensip-cli/core';
+import { DEFAULT_EXIT_MODEL, deriveAdapterConfigManifest, deriveAdapterManifestCommands, deriveAdapterManifestRequires, interpretExit, normalizedSignalShape, runAcceptanceCase, } from '@opensip-cli/external-tool-adapter';
+import { describe, expect, it } from 'vitest';
+import { parseGitleaksJson } from '../parse-gitleaks-json.js';
+import { buildGitleaksExclude, buildScanArgs, GITLEAKS_STABLE_ID, parseGitleaksVersion, tool, } from '../tool.js';
+const PKG = JSON.parse(readFileSync(fileURLToPath(new URL('../../package.json', import.meta.url)), 'utf8'));
+const GOLDEN_RAW = readFileSync(fileURLToPath(new URL('../../__fixtures__/gitleaks-golden.json', import.meta.url)), 'utf8');
+const EXPECTED = JSON.parse(readFileSync(fileURLToPath(new URL('../../__fixtures__/expected-signals.json', import.meta.url)), 'utf8'));
+/** Reconstruct the admitted `ToolPluginManifest` the host builds from package.json. */
+function manifestFromPackage() {
+    return {
+        ...PKG.opensipTools,
+        name: PKG.name,
+        version: PKG.version,
+        apiVersion: PKG.opensipTools.apiVersion,
+    };
+}
+describe('gitleaks tool — identity + metadata', () => {
+    it('declares the gitleaks identity with the `secrets` alias', () => {
+        expect(tool.identity).toEqual({ name: 'gitleaks', aliases: ['secrets'] });
+    });
+    it('carries the stable UUID and a description', () => {
+        expect(tool.metadata.id).toBe(GITLEAKS_STABLE_ID);
+        expect(tool.metadata.name).toBe('gitleaks');
+        expect(tool.metadata.description).toBe('Secret scanning via Gitleaks');
+    });
+    it('defaults to the line-shift-tolerant message-hash fingerprint strategy', () => {
+        expect(tool.extensionPoints?.fingerprintStrategy?.id).toBe('external-tool-adapter.sha256-file-rule-message');
+    });
+});
+const byName = (name) => tool.commandSpecs?.find((c) => c.name === name);
+describe('gitleaks tool — commandSpecs', () => {
+    it('mounts the primary scan, plus nested doctor + version', () => {
+        const names = (tool.commandSpecs ?? []).map((c) => c.name);
+        expect(names).toEqual(['gitleaks', 'doctor', 'version']);
+    });
+    it('the primary command is `gitleaks` (aliased `secrets`), project-scoped, raw-stream dispatch', () => {
+        const primary = byName('gitleaks');
+        expect(primary?.parent).toBeUndefined();
+        expect(primary?.aliases).toEqual(['secrets']);
+        expect(primary?.scope).toBe('project');
+        expect(primary?.output).toBe('raw-stream');
+        expect(primary?.rawStreamReason).toBe('runtime-render-dispatch');
+    });
+    it('doctor + version are nested under gitleaks, scope:none, diagnostic-gate', () => {
+        for (const name of ['doctor', 'version']) {
+            const spec = byName(name);
+            expect(spec?.parent).toBe('gitleaks');
+            expect(spec?.scope).toBe('none');
+            expect(spec?.output).toBe('raw-stream');
+            expect(spec?.rawStreamReason).toBe('diagnostic-gate');
+        }
+    });
+});
+describe('gitleaks tool — binary helpers', () => {
+    it('parses the gitleaks version stdout (with or without a leading v)', () => {
+        expect(parseGitleaksVersion('8.18.4')).toBe('8.18.4');
+        expect(parseGitleaksVersion('v8.18.4\n')).toBe('8.18.4');
+        expect(parseGitleaksVersion('gitleaks version 8.19.0')).toBe('8.19.0');
+    });
+    it('falls back to the trimmed stdout when no semver is present', () => {
+        expect(parseGitleaksVersion('  unknown  ')).toBe('unknown');
+    });
+    it('builds the filesystem-scan argv writing JSON to the run artifact path', () => {
+        const ctx = {
+            projectRoot: '/proj',
+            artifactPath: (name) => `/proj/.runtime/artifacts/gitleaks/run1/${name}`,
+        };
+        expect(buildScanArgs(ctx)).toEqual([
+            'detect',
+            '--no-git',
+            '--source',
+            '/proj',
+            '--report-format',
+            'json',
+            '--report-path',
+            '/proj/.runtime/artifacts/gitleaks/run1/gitleaks.json',
+        ]);
+    });
+});
+describe('gitleaks tool — A3 .runtime exclusion (buildGitleaksExclude)', () => {
+    const ex = buildGitleaksExclude({
+        excludePath: '/proj/opensip-cli/.runtime',
+        configPath: (name) => `/proj/opensip-cli/.runtime/artifacts/gitleaks/run1/${name}`,
+    });
+    it('references a generated --config allowlist written to the per-run dir', () => {
+        const cfg = '/proj/opensip-cli/.runtime/artifacts/gitleaks/run1/gitleaks-exclude.toml';
+        expect(ex.args).toEqual(['--config', cfg]);
+        expect(ex.configFile.path).toBe(cfg);
+    });
+    it('extends the default ruleset and allowlists the .runtime store (with the E2E marker)', () => {
+        expect(ex.configFile.contents).toContain('useDefault = true');
+        // The allowlist path regex matches any file under opensip-cli/.runtime.
+        expect(ex.configFile.contents).toContain('opensip-cli/\\.runtime');
+        // The marker the deterministic worker-E2E fake reads to honor the exclusion.
+        expect(ex.configFile.contents).toContain('# opensip-cli A3 exclude: opensip-cli/.runtime');
+    });
+});
+describe('gitleaks tool — exit model (Phase-0 decision 4)', () => {
+    const model = { ok: [0], findings: [1], errorFrom: 2 };
+    it('exit 0 ⇒ clean (no findings)', () => {
+        expect(interpretExit(0, model)).toBe('ok');
+    });
+    it('exit 1 + a valid artifact ⇒ findings', () => {
+        expect(interpretExit(1, model, { artifactValid: true })).toBe('findings');
+    });
+    it('exit 1 + a missing/garbage artifact ⇒ fault (the gitleaks disambiguation)', () => {
+        expect(interpretExit(1, model, { artifactValid: false })).toBe('fault');
+    });
+    it('exit >= 2 ⇒ fault', () => {
+        expect(interpretExit(2, model)).toBe('fault');
+        expect(interpretExit(7, model)).toBe('fault');
+    });
+    it('matches the substrate default model', () => {
+        expect(model).toEqual(DEFAULT_EXIT_MODEL);
+    });
+});
+describe('gitleaks tool — manifest ↔ runtime host-shape guards', () => {
+    it('the package.json manifest matches the runtime tool (no drift)', () => {
+        expect(() => {
+            assertManifestMatchesTool(manifestFromPackage(), tool);
+        }).not.toThrow();
+    });
+    it('the generated manifest commands equal the derived runtime command shells', () => {
+        // The package.json `commands` are written by the shared manifest generator
+        // (which OMITS an empty `aliases`), while the substrate's
+        // `deriveAdapterManifestCommands` always emits `aliases: []`. Canonicalize
+        // that one representational difference (`aliases ?? []`) before comparing the
+        // substantive shells.
+        const canon = (c) => ({
+            ...c,
+            aliases: c.aliases ?? [],
+        });
+        const generated = PKG.opensipTools.commands.map(canon);
+        const derived = deriveAdapterManifestCommands(tool).map((c) => canon(c));
+        expect(generated).toEqual(derived);
+    });
+    it('the generated manifest requires equal the posture-derived requires (no drift)', () => {
+        // A13: `requires` is DERIVED from the network posture, not hand-typed. The
+        // generated manifest must match the substrate derivation byte-for-byte, so a
+        // posture flip surfaces as a `--check` drift.
+        expect(PKG.opensipTools.requires).toEqual(deriveAdapterManifestRequires(tool));
+    });
+    it('derives subprocess + filesystem only (local-only posture, no network)', () => {
+        expect(PKG.opensipTools.requires.map((r) => r.resource)).toEqual([
+            'subprocess',
+            'filesystem',
+        ]);
+    });
+    it('the generated manifest config descriptor equals the derived namespace claim (A4)', () => {
+        // A4: the installed-path namespace claim (so the host pre-fork pass recognizes a
+        // `gitleaks:` block and never bricks). Generator parity guards against drift.
+        const derived = deriveAdapterConfigManifest(tool);
+        expect(derived?.namespace).toBe('gitleaks');
+        expect(PKG.opensipTools.config).toEqual(derived);
+    });
+});
+describe('gitleaks tool — acceptance harness (normalize → envelope)', () => {
+    const result = runAcceptanceCase({
+        tool: 'gitleaks',
+        kind: 'json',
+        raw: GOLDEN_RAW,
+        parse: parseGitleaksJson,
+        fingerprintStrategy: 'message-hash',
+    });
+    it('produces the golden normalized signals', () => {
+        expect(result.signals.map(normalizedSignalShape)).toEqual(EXPECTED);
+    });
+    it('builds an envelope whose verdict FAILS (high-severity secrets are error-rung)', () => {
+        expect(result.envelope.tool).toBe('gitleaks');
+        expect(result.envelope.verdict.passed).toBe(false);
+    });
+    it('stamps a message-hash fingerprint on every envelope signal worker-side', () => {
+        expect(result.envelope.signals).toHaveLength(2);
+        for (const s of result.envelope.signals) {
+            expect(s.fingerprint).toMatch(/^[0-9a-f]{64}$/);
+        }
+    });
+    it('NEVER lets a raw secret into the built envelope (secret-egress guard)', () => {
+        const serialized = JSON.stringify(result.envelope);
+        for (const raw of ['AKIAIOSFODNN7EXAMPLE', 'glpat-XXXXXXXXXXXXXXXXXXXX', 'aws_key =']) {
+            expect(serialized).not.toContain(raw);
+        }
+    });
+});
+//# sourceMappingURL=tool.test.js.map

package/dist/__tests__/tool.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool.test.js","sourceRoot":"","sources":["../../src/__tests__/tool.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,6BAA6B,EAC7B,6BAA6B,EAC7B,aAAa,EACb,qBAAqB,EACrB,iBAAiB,GAClB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,IAAI,GACL,MAAM,YAAY,CAAC;AAKpB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CACpB,YAAY,CAAC,aAAa,CAAC,IAAI,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CACR,CAAC;AAE9E,MAAM,UAAU,GAAG,YAAY,CAC7B,aAAa,CAAC,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAClF,MAAM,CACP,CAAC;AACF,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CACzB,YAAY,CACV,aAAa,CAAC,IAAI,GAAG,CAAC,0CAA0C,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EACnF,MAAM,CACP,CACW,CAAC;AAEf,uFAAuF;AACvF,SAAS,mBAAmB;IAC1B,OAAO;QACL,GAAI,GAAG,CAAC,YAAuB;QAC/B,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,UAAU,EAAE,GAAG,CAAC,YAAY,CAAC,UAAoB;KAC5B,CAAC;AAC1B,CAAC;AAED,QAAQ,CAAC,qCAAqC,EAAE,GAAG,EAAE;IACnD,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAClD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,mBAAmB,EAAE,EAAE,CAAC,CAAC,IAAI,CACxD,gDAAgD,CACjD,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,MAAM,MAAM,GAAG,CAAC,IAAY,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;AAEjF,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4FAA4F,EAAE,GAAG,EAAE;QACpG,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC;QACnC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,aAAa,EAAE,CAAC;QACxC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;QAC9C,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3C,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yEAAyE,EAAE,GAAG,EAAE;QACjF,KAAK,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACtC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACjC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACxC,MAAM,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,MAAM,CAAC,oBAAoB,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtD,MAAM,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzD,MAAM,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,CAAC,oBAAoB,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,GAAG,GAAG;YACV,WAAW,EAAE,OAAO;YACpB,YAAY,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,0CAA0C,IAAI,EAAE;SACjD,CAAC;QAClC,MAAM,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC;YACjC,QAAQ;YACR,UAAU;YACV,UAAU;YACV,OAAO;YACP,iBAAiB;YACjB,MAAM;YACN,eAAe;YACf,sDAAsD;SACvD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,8DAA8D,EAAE,GAAG,EAAE;IAC5E,MAAM,EAAE,GAAG,oBAAoB,CAAC;QAC9B,WAAW,EAAE,4BAA4B;QACzC,UAAU,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,sDAAsD,IAAI,EAAE;KACnF,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,MAAM,GAAG,GAAG,0EAA0E,CAAC;QACvF,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC;QAC3C,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qFAAqF,EAAE,GAAG,EAAE;QAC7F,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC9D,wEAAwE;QACxE,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;QACnE,6EAA6E;QAC7E,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,gDAAgD,CAAC,CAAC;IAC7F,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iDAAiD,EAAE,GAAG,EAAE;IAC/D,MAAM,KAAK,GAAqB,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IAEzE,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,MAAM,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,sDAAsD,EAAE,GAAG,EAAE;IACpE,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,CAAC,GAAG,EAAE;YACV,yBAAyB,CAAC,mBAAmB,EAAE,EAAE,IAAI,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,2EAA2E;QAC3E,0DAA0D;QAC1D,2EAA2E;QAC3E,8EAA8E;QAC9E,sBAAsB;QACtB,MAAM,KAAK,GAAG,CAAC,CAA0B,EAA2B,EAAE,CAAC,CAAC;YACtE,GAAG,CAAC;YACJ,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,EAAE;SACzB,CAAC,CAAC;QACH,MAAM,SAAS,GAAI,GAAG,CAAC,YAAY,CAAC,QAAsC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACtF,MAAM,OAAO,GAAG,6BAA6B,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC5D,KAAK,CAAC,CAAuC,CAAC,CAC/C,CAAC;QACF,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+EAA+E,EAAE,GAAG,EAAE;QACvF,2EAA2E;QAC3E,6EAA6E;QAC7E,8CAA8C;QAC9C,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,6BAA6B,CAAC,IAAI,CAAC,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,CAAE,GAAG,CAAC,YAAY,CAAC,QAAmC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;YAC3F,YAAY;YACZ,YAAY;SACb,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kFAAkF,EAAE,GAAG,EAAE;QAC1F,iFAAiF;QACjF,8EAA8E;QAC9E,MAAM,OAAO,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC;QAClD,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC5C,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,2DAA2D,EAAE,GAAG,EAAE;IACzE,MAAM,MAAM,GAAG,iBAAiB,CAAC;QAC/B,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,UAAU;QACf,KAAK,EAAE,iBAAiB;QACxB,mBAAmB,EAAE,cAAc;KACpC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+EAA+E,EAAE,GAAG,EAAE;QACvF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wEAAwE,EAAE,GAAG,EAAE;QAChF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAChD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACxC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnD,KAAK,MAAM,GAAG,IAAI,CAAC,sBAAsB,EAAE,4BAA4B,EAAE,WAAW,CAAC,EAAE,CAAC;YACtF,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/worker-e2e.test.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Tier-2 worker E2E (ADR-0090 D6 Tier 2) — install / discover / dispatch the
+ * gitleaks adapter over a REAL forked worker, end-to-end against the BUILT CLI.
+ *
+ * Unlike the in-process Tier-1 suites, this proves the FULL installed-tool path:
+ *   - the gitleaks package is presented as a genuinely INSTALLED npm tool in a
+ *     throwaway project (symlinked into its `node_modules` so the worker resolves
+ *     the adapter's workspace deps from the monorepo via realpath);
+ *   - `OPENSIP_CLI_ALLOW_INSTALLED_TOOLS` trusts it (installed tools are
+ *     deny-by-default);
+ *   - a FAKE `gitleaks` binary on PATH makes the run deterministic (it copies the
+ *     committed golden to `--report-path` and exits 1, like real gitleaks on
+ *     findings). The worker fork curates its env to an allow-list, so the golden
+ *     path is forwarded via the documented `OPENSIP_CLI_TOOL_ENV_PASSTHROUGH`.
+ *
+ * `opensip gitleaks` forks a worker that re-discovers + imports the real runtime
+ * and runs the scan loop; this suite asserts the worker→host result + the
+ * host-side effects: normalized signals match the golden, the raw artifact lands
+ * at `.runtime/artifacts/gitleaks/<runId>/gitleaks.json` with mode 0600, the
+ * `--json` envelope is well-formed, the session row persists with provenance, and
+ * — the load-bearing negative — NO raw `Secret`/`Match` substring ever reaches the
+ * emitted worker→host payload.
+ *
+ * Requires `pnpm build` first (the CLI dist + the gitleaks dist). Missing builds
+ * FAIL loudly (no silent skip).
+ */
+export {};
+//# sourceMappingURL=worker-e2e.test.d.ts.map

package/dist/__tests__/worker-e2e.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"worker-e2e.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/worker-e2e.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG"}