@vellumai/assistant 0.4.17 → 0.4.18

package/src/__tests__/credential-security-invariants.test.ts

@@ -1,40 +1,49 @@
-import { randomBytes } from 'node:crypto';
-import { mkdirSync, rmSync } from 'node:fs';
-import { readFileSync } from 'node:fs';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-import { dirname,resolve } from 'node:path';
-import { fileURLToPath } from 'node:url';
-
-import { afterAll, afterEach, beforeEach, describe, expect, mock,test } from 'bun:test';
+import { randomBytes } from "node:crypto";
+import { mkdirSync, rmSync } from "node:fs";
+import { readFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import {
+  afterAll,
+  afterEach,
+  beforeEach,
+  describe,
+  expect,
+  mock,
+  test,
+} from "bun:test";
 
 import {
   contextInjectionCases,
   directReadCases,
   logLeakageCases,
   policyMisuseCases,
-} from './fixtures/credential-security-fixtures.js';
+} from "./fixtures/credential-security-fixtures.js";
 
 // ---------------------------------------------------------------------------
 // Mock logger
 // ---------------------------------------------------------------------------
 
-mock.module('../util/logger.js', () => ({
-  getLogger: () => new Proxy({} as Record<string, unknown>, {
-    get: () => () => {},
-  }),
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
 }));
 
 // ---------------------------------------------------------------------------
 // Use encrypted backend (no keychain) with a temp store path
 // ---------------------------------------------------------------------------
 
-import { _overrideDeps, _resetDeps } from '../security/keychain.js';
+import { _overrideDeps, _resetDeps } from "../security/keychain.js";
 
 _overrideDeps({
   isMacOS: () => false,
   isLinux: () => false,
-  execFileSync: (() => '') as unknown as typeof import('node:child_process').execFileSync,
+  execFileSync: (() =>
+    "") as unknown as typeof import("node:child_process").execFileSync,
 });
 
 // Restore process-level keychain deps so later test files are not affected
@@ -43,17 +52,20 @@ afterAll(() => {
   mock.restore();
 });
 
-import { _setStorePath } from '../security/encrypted-store.js';
-import { _resetBackend } from '../security/secure-keys.js';
+import { _setStorePath } from "../security/encrypted-store.js";
+import { _resetBackend } from "../security/secure-keys.js";
 
-const TEST_DIR = join(tmpdir(), `vellum-invariants-test-${randomBytes(4).toString('hex')}`);
-const STORE_PATH = join(TEST_DIR, 'keys.enc');
+const TEST_DIR = join(
+  tmpdir(),
+  `vellum-invariants-test-${randomBytes(4).toString("hex")}`,
+);
+const STORE_PATH = join(TEST_DIR, "keys.enc");
 
 // ---------------------------------------------------------------------------
 // Mock registry to avoid double-registration
 // ---------------------------------------------------------------------------
 
-mock.module('../tools/registry.js', () => ({
+mock.module("../tools/registry.js", () => ({
   registerTool: () => {},
 }));
 
@@ -61,11 +73,14 @@ mock.module('../tools/registry.js', () => ({
 // Imports under test
 // ---------------------------------------------------------------------------
 
-import { DEFAULT_CONFIG } from '../config/defaults.js';
-import { redactSensitiveFields } from '../security/redaction.js';
-import { setSecureKey } from '../security/secure-keys.js';
-import { CredentialBroker } from '../tools/credentials/broker.js';
-import { _setMetadataPath,upsertCredentialMetadata } from '../tools/credentials/metadata-store.js';
+import { DEFAULT_CONFIG } from "../config/defaults.js";
+import { redactSensitiveFields } from "../security/redaction.js";
+import { setSecureKey } from "../security/secure-keys.js";
+import { CredentialBroker } from "../tools/credentials/broker.js";
+import {
+  _setMetadataPath,
+  upsertCredentialMetadata,
+} from "../tools/credentials/metadata-store.js";
 
 /**
  * Security invariant test harness for credential storage hardening.
@@ -84,33 +99,41 @@ import { _setMetadataPath,upsertCredentialMetadata } from '../tools/credentials/
 // Invariant 1 — Context Injection Prevention
 // ---------------------------------------------------------------------------
 
-describe('Invariant 1: secrets never enter LLM context', () => {
+describe("Invariant 1: secrets never enter LLM context", () => {
   for (const tc of contextInjectionCases) {
-    if (tc.vector === 'tool_output' && tc.tool === 'credential_store' && tc.input.action === 'store') {
+    if (
+      tc.vector === "tool_output" &&
+      tc.tool === "credential_store" &&
+      tc.input.action === "store"
+    ) {
       // Store output never includes the value
       test(`${tc.label}: secret not in output`, () => {
         expect(tc.forbiddenValue).toBeTruthy();
         // Actual assertion is in credential-vault.test.ts baseline section
       });
-    } else if (tc.vector === 'confirmation_payload') {
+    } else if (tc.vector === "confirmation_payload") {
       // PR 23 added redaction to confirmation_request payloads via redactSensitiveFields
       test(`${tc.label}: secret redacted from confirmation payload`, () => {
         const payload = { ...tc.input };
-        const redacted = redactSensitiveFields(payload as Record<string, unknown>);
+        const redacted = redactSensitiveFields(
+          payload as Record<string, unknown>,
+        );
 
         // The 'value' key is in SENSITIVE_KEYS and gets redacted
-        if ('value' in payload && payload.value != null) {
-          expect(redacted.value).toBe('<redacted />');
+        if ("value" in payload && payload.value != null) {
+          expect(redacted.value).toBe("<redacted />");
           expect(redacted.value).not.toBe(tc.forbiddenValue);
         }
       });
-    } else if (tc.vector === 'lifecycle_event') {
+    } else if (tc.vector === "lifecycle_event") {
       // PR 22 added recursive redaction in tool executor lifecycle events
       test(`${tc.label}: secret redacted from lifecycle event`, () => {
         const input = { ...tc.input };
-        const redacted = redactSensitiveFields(input as Record<string, unknown>);
-        if ('value' in input && input.value != null) {
-          expect(redacted.value).toBe('<redacted />');
+        const redacted = redactSensitiveFields(
+          input as Record<string, unknown>,
+        );
+        if ("value" in input && input.value != null) {
+          expect(redacted.value).toBe("<redacted />");
           expect(redacted.value).not.toBe(tc.forbiddenValue);
         }
       });
@@ -123,15 +146,15 @@ describe('Invariant 1: secrets never enter LLM context', () => {
   }
 
   // PR 27 — secret ingress block scans inbound messages
-  test('user message containing secret is blocked from entering history', () => {
+  test("user message containing secret is blocked from entering history", () => {
     // Mock config to enable block mode
-    mock.module('../config/loader.js', () => ({
+    mock.module("../config/loader.js", () => ({
       applyNestedDefaults: (config: unknown) => config,
       getConfig: () => ({
         ui: {},
         secretDetection: {
           enabled: true,
-          action: 'block',
+          action: "block",
           blockIngress: true,
         },
       }),
@@ -140,7 +163,7 @@ describe('Invariant 1: secrets never enter LLM context', () => {
         ui: {},
         secretDetection: {
           enabled: true,
-          action: 'block',
+          action: "block",
           blockIngress: true,
         },
       }),
@@ -148,10 +171,10 @@ describe('Invariant 1: secrets never enter LLM context', () => {
 
     // Re-import to pick up the mock
     // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const { checkIngressForSecrets } = require('../security/secret-ingress.js');
+    const { checkIngressForSecrets } = require("../security/secret-ingress.js");
 
     // Build a fake AWS key at runtime to avoid pre-commit hook
-    const fakeKey = ['AKIA', 'IOSFODNN7', 'REALKEY'].join('');
+    const fakeKey = ["AKIA", "IOSFODNN7", "REALKEY"].join("");
     const result = checkIngressForSecrets(`My key is ${fakeKey}`);
 
     expect(result.blocked).toBe(true);
@@ -166,7 +189,7 @@ describe('Invariant 1: secrets never enter LLM context', () => {
 // Invariant 2 — No Generic Plaintext Read API
 // ---------------------------------------------------------------------------
 
-describe('Invariant 2: no generic plaintext secret read API', () => {
+describe("Invariant 2: no generic plaintext secret read API", () => {
   for (const tc of directReadCases) {
     test(`${tc.modulePath} does not export ${tc.exportName}`, async () => {
       const mod = await import(`../${tc.modulePath}.js`);
@@ -174,68 +197,68 @@ describe('Invariant 2: no generic plaintext secret read API', () => {
     });
   }
 
-  test('browser_fill_credential does not import getCredentialValue', () => {
+  test("browser_fill_credential does not import getCredentialValue", () => {
     const thisDir = dirname(fileURLToPath(import.meta.url));
     const browserSrc = readFileSync(
-      resolve(thisDir, '../tools/browser/headless-browser.ts'),
-      'utf-8',
+      resolve(thisDir, "../tools/browser/headless-browser.ts"),
+      "utf-8",
     );
-    expect(browserSrc).not.toContain('getCredentialValue');
+    expect(browserSrc).not.toContain("getCredentialValue");
   });
 
-  test('getSecureKey is only imported by authorized modules', () => {
+  test("getSecureKey is only imported by authorized modules", () => {
     // Hard boundary: only these production files may import getSecureKey.
     // Any new import must be reviewed for secret-leak risk and added here.
     const ALLOWED_IMPORTERS = new Set([
-      'security/secure-keys.ts',       // self (re-export infrastructure)
-      'index.ts',                       // daemon startup / API key config
-      'config/loader.ts',              // config management (API keys)
-      'tools/credentials/vault.ts',    // credential store tool
-      'tools/credentials/broker.ts',   // brokered credential access
-      'tools/network/web-search.ts',   // web search API key lookup
-      'daemon/handlers.ts',            // Vercel API token + integration OAuth
-      'daemon/handlers/config-integrations.ts', // Vercel API token + Twitter integration OAuth
-      'daemon/handlers/config-telegram.ts',     // Telegram bot token management
-      'daemon/handlers/config-ingress.ts',      // Ingress config (reads Twilio credentials for webhook sync)
-      'runtime/routes/twilio-routes.ts',        // Twilio credential management (HTTP control-plane)
-      'security/token-manager.ts',     // OAuth token refresh flow
-      'email/providers/index.ts',      // email provider API key lookup
-      'tools/network/script-proxy/session-manager.ts', // proxy credential injection at runtime
-      'messaging/registry.ts',          // checks stored credentials for connected providers
-      'calls/call-domain.ts',            // caller identity resolution (user phone number lookup)
-      'calls/elevenlabs-config.ts',     // ElevenLabs voice quality API key lookup
-      'calls/twilio-config.ts',         // call infrastructure credential lookup
-      'calls/twilio-provider.ts',       // call infrastructure credential lookup
-      'calls/twilio-rest.ts',            // Twilio REST API credential lookup
-      'cli/config-commands.ts',         // CLI credential management commands
-      'runtime/http-server.ts',         // HTTP server credential lookup
-      'daemon/handlers/twitter-auth.ts', // Twitter OAuth token storage
-      'twitter/oauth-client.ts',         // Twitter OAuth API client (reads access token for API calls)
-      'calls/elevenlabs-config.ts',      // ElevenLabs credential lookup
-      'cli/config-commands.ts',          // CLI config management
-      'messaging/providers/telegram-bot/adapter.ts', // Telegram bot token lookup for connectivity check
-      'messaging/providers/sms/adapter.ts', // Twilio credential lookup for SMS connectivity check
-      'runtime/channel-readiness-service.ts', // channel readiness probes for SMS/Telegram connectivity
-      'messaging/providers/whatsapp/adapter.ts', // WhatsApp credential lookup for connectivity check
-      'schedule/integration-status.ts',          // integration status checks for scheduled reports
-      'daemon/handlers/oauth-connect.ts',        // OAuth connect handler for integration setup
-      'daemon/handlers/config-slack-channel.ts', // Slack channel config credential management
+      "security/secure-keys.ts", // self (re-export infrastructure)
+      "index.ts", // daemon startup / API key config
+      "config/loader.ts", // config management (API keys)
+      "tools/credentials/vault.ts", // credential store tool
+      "tools/credentials/broker.ts", // brokered credential access
+      "tools/network/web-search.ts", // web search API key lookup
+      "daemon/handlers.ts", // Vercel API token + integration OAuth
+      "daemon/handlers/config-integrations.ts", // Vercel API token + Twitter integration OAuth
+      "daemon/handlers/config-telegram.ts", // Telegram bot token management
+      "daemon/handlers/config-ingress.ts", // Ingress config (reads Twilio credentials for webhook sync)
+      "runtime/routes/twilio-routes.ts", // Twilio credential management (HTTP control-plane)
+      "security/token-manager.ts", // OAuth token refresh flow
+      "email/providers/index.ts", // email provider API key lookup
+      "tools/network/script-proxy/session-manager.ts", // proxy credential injection at runtime
+      "messaging/registry.ts", // checks stored credentials for connected providers
+      "calls/call-domain.ts", // caller identity resolution (user phone number lookup)
+      "calls/elevenlabs-config.ts", // ElevenLabs voice quality API key lookup
+      "calls/twilio-config.ts", // call infrastructure credential lookup
+      "calls/twilio-provider.ts", // call infrastructure credential lookup
+      "calls/twilio-rest.ts", // Twilio REST API credential lookup
+      "cli/config-commands.ts", // CLI credential management commands
+      "runtime/http-server.ts", // HTTP server credential lookup
+      "daemon/handlers/twitter-auth.ts", // Twitter OAuth token storage
+      "twitter/oauth-client.ts", // Twitter OAuth API client (reads access token for API calls)
+      "calls/elevenlabs-config.ts", // ElevenLabs credential lookup
+      "cli/config-commands.ts", // CLI config management
+      "messaging/providers/telegram-bot/adapter.ts", // Telegram bot token lookup for connectivity check
+      "messaging/providers/sms/adapter.ts", // Twilio credential lookup for SMS connectivity check
+      "runtime/channel-readiness-service.ts", // channel readiness probes for SMS/Telegram connectivity
+      "messaging/providers/whatsapp/adapter.ts", // WhatsApp credential lookup for connectivity check
+      "schedule/integration-status.ts", // integration status checks for scheduled reports
+      "daemon/handlers/oauth-connect.ts", // OAuth connect handler for integration setup
+      "daemon/handlers/config-slack-channel.ts", // Slack channel config credential management
     ]);
 
     const thisDir = dirname(fileURLToPath(import.meta.url));
-    const srcDir = resolve(thisDir, '..');
+    const srcDir = resolve(thisDir, "..");
     // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const { readdirSync, statSync } = require('node:fs');
+    const { readdirSync, statSync } = require("node:fs");
 
     // Recursively collect all .ts files in src/ (excluding __tests__)
     function collectTsFiles(dir: string, files: string[] = []): string[] {
       for (const entry of readdirSync(dir)) {
         const full = join(dir, entry);
-        if (entry === '__tests__' || entry === 'node_modules') continue;
+        if (entry === "__tests__" || entry === "node_modules") continue;
         const s = statSync(full);
         if (s.isDirectory()) {
           collectTsFiles(full, files);
-        } else if (entry.endsWith('.ts') && !entry.endsWith('.d.ts')) {
+        } else if (entry.endsWith(".ts") && !entry.endsWith(".d.ts")) {
           files.push(full);
         }
       }
@@ -246,9 +269,13 @@ describe('Invariant 2: no generic plaintext secret read API', () => {
     const unauthorizedImporters: string[] = [];
 
     for (const filePath of allFiles) {
-      const content = readFileSync(filePath, 'utf-8');
+      const content = readFileSync(filePath, "utf-8");
       // Check for imports of getSecureKey via static import, dynamic import(), or require()
-      if (content.match(/\bgetSecureKey\b/) && (content.match(/from\s+['"].*secure-keys/) || content.match(/(?:import|require)\s*\(\s*['"].*secure-keys/))) {
+      if (
+        content.match(/\bgetSecureKey\b/) &&
+        (content.match(/from\s+['"].*secure-keys/) ||
+          content.match(/(?:import|require)\s*\(\s*['"].*secure-keys/))
+      ) {
         const relative = filePath.slice(srcDir.length + 1);
         if (!ALLOWED_IMPORTERS.has(relative)) {
           unauthorizedImporters.push(relative);
@@ -264,39 +291,43 @@ describe('Invariant 2: no generic plaintext secret read API', () => {
 // Invariant 3 — No Plaintext Secret Logging
 // ---------------------------------------------------------------------------
 
-describe('Invariant 3: secrets never logged in plaintext', () => {
+describe("Invariant 3: secrets never logged in plaintext", () => {
   for (const tc of logLeakageCases) {
-    if (tc.component === 'tool_executor') {
+    if (tc.component === "tool_executor") {
       // PR 22 — executor redaction via redactSensitiveFields
       test(`${tc.label}`, () => {
         // Simulate a tool input with sensitive fields
         // Build test values at runtime to avoid pre-commit hook false positives
-        const testValue = ['ghp_super', 'secret123'].join('');
-        const testPassword = ['hunt', 'er2'].join('');
-        const testToken = ['nested_', 'token_value'].join('');
+        const testValue = ["ghp_super", "secret123"].join("");
+        const testPassword = ["hunt", "er2"].join("");
+        const testToken = ["nested_", "token_value"].join("");
         const input = {
-          action: 'store',
-          service: 'github',
-          field: 'token',
+          action: "store",
+          service: "github",
+          field: "token",
           value: testValue,
           password: testPassword,
           nested: {
             token: testToken,
-            safe: 'this is fine',
+            safe: "this is fine",
           },
         };
         const redacted = redactSensitiveFields(input);
 
         // All sensitive keys must be redacted
-        expect(redacted.value).toBe('<redacted />');
-        expect(redacted.password).toBe('<redacted />');
-        expect((redacted.nested as Record<string, unknown>).token).toBe('<redacted />');
+        expect(redacted.value).toBe("<redacted />");
+        expect(redacted.password).toBe("<redacted />");
+        expect((redacted.nested as Record<string, unknown>).token).toBe(
+          "<redacted />",
+        );
         // Non-sensitive keys preserved
-        expect(redacted.action).toBe('store');
-        expect(redacted.service).toBe('github');
-        expect((redacted.nested as Record<string, unknown>).safe).toBe('this is fine');
+        expect(redacted.action).toBe("store");
+        expect(redacted.service).toBe("github");
+        expect((redacted.nested as Record<string, unknown>).safe).toBe(
+          "this is fine",
+        );
       });
-    } else if (tc.component === 'ipc_decode') {
+    } else if (tc.component === "ipc_decode") {
       // PR 24 — IPC decode log hygiene: the TS daemon's IPC parser must
       // not log raw message content that could contain secrets.
       // Logging metadata (line length, error type) is acceptable; logging
@@ -304,8 +335,8 @@ describe('Invariant 3: secrets never logged in plaintext', () => {
       test(`${tc.label}`, () => {
         const thisDir = dirname(fileURLToPath(import.meta.url));
         const ipcSrc = readFileSync(
-          resolve(thisDir, '../daemon/ipc-protocol.ts'),
-          'utf-8',
+          resolve(thisDir, "../daemon/ipc-protocol.ts"),
+          "utf-8",
         );
         // Verify log calls never include raw content fields — only safe
         // metadata like lineLength and errorType are permitted.
@@ -326,8 +357,8 @@ describe('Invariant 3: secrets never logged in plaintext', () => {
       test(`${tc.label}`, () => {
         const thisDir = dirname(fileURLToPath(import.meta.url));
         const prompterSrc = readFileSync(
-          resolve(thisDir, '../permissions/secret-prompter.ts'),
-          'utf-8',
+          resolve(thisDir, "../permissions/secret-prompter.ts"),
+          "utf-8",
         );
 
         // Extract all log.* call arguments: log.warn({...}, 'msg')
@@ -337,19 +368,29 @@ describe('Invariant 3: secrets never logged in plaintext', () => {
         let match;
         while ((match = logCallPattern.exec(prompterSrc)) != null) {
           // Collect field names from the structured log object
-          const fields = match[1].split(',').map(f => f.trim().split(':')[0].trim());
+          const fields = match[1]
+            .split(",")
+            .map((f) => f.trim().split(":")[0].trim());
           loggedFields.push(...fields);
         }
 
         // None of the logged fields should be sensitive credential fields
-        const sensitiveFields = ['value', 'secret', 'password', 'token', 'api_key', 'credentials'];
+        const sensitiveFields = [
+          "value",
+          "secret",
+          "password",
+          "token",
+          "api_key",
+          "credentials",
+        ];
         for (const field of loggedFields) {
           expect(sensitiveFields).not.toContain(field);
         }
 
         // Additionally verify the resolveSecret method never logs its value parameter
         // by checking that log calls in resolveSecret only reference requestId
-        const resolveBlock = prompterSrc.match(/resolveSecret[\s\S]*?^\s{2}\}/m)?.[0] ?? '';
+        const resolveBlock =
+          prompterSrc.match(/resolveSecret[\s\S]*?^\s{2}\}/m)?.[0] ?? "";
         expect(resolveBlock).not.toMatch(/log\.\w+\(.*\bvalue\b/);
       });
     }
@@ -360,14 +401,14 @@ describe('Invariant 3: secrets never logged in plaintext', () => {
 // Invariant 4 — Usage-Constrained Credentials (Tool + Domain Policy)
 // ---------------------------------------------------------------------------
 
-describe('Invariant 4: credentials only used for allowed purpose', () => {
+describe("Invariant 4: credentials only used for allowed purpose", () => {
   let broker: CredentialBroker;
 
   beforeEach(() => {
     mkdirSync(TEST_DIR, { recursive: true });
     _setStorePath(STORE_PATH);
     _resetBackend();
-    _setMetadataPath(join(TEST_DIR, 'metadata.json'));
+    _setMetadataPath(join(TEST_DIR, "metadata.json"));
     broker = new CredentialBroker();
   });
 
@@ -382,15 +423,15 @@ describe('Invariant 4: credentials only used for allowed purpose', () => {
     // PRs 19-20 — tool + domain policy enforcement in broker
     test(`${tc.label}`, async () => {
       // Set up credential with the specified policy
-      upsertCredentialMetadata(tc.credentialId, 'token', {
+      upsertCredentialMetadata(tc.credentialId, "token", {
         allowedTools: tc.allowedTools,
         allowedDomains: tc.allowedDomains,
       });
-      setSecureKey(`credential:${tc.credentialId}:token`, 'test-secret-value');
+      setSecureKey(`credential:${tc.credentialId}:token`, "test-secret-value");
 
       const result = await broker.browserFill({
         service: tc.credentialId,
-        field: 'token',
+        field: "token",
         toolName: tc.requestingTool,
         domain: tc.requestDomain,
         fill: async () => {},
@@ -406,18 +447,18 @@ describe('Invariant 4: credentials only used for allowed purpose', () => {
   }
 
   // PR 20 — domain policy uses registrable-domain matching
-  test('domain policy allows subdomains of registrable domain', async () => {
-    upsertCredentialMetadata('github', 'token', {
-      allowedTools: ['browser_fill_credential'],
-      allowedDomains: ['github.com'],
+  test("domain policy allows subdomains of registrable domain", async () => {
+    upsertCredentialMetadata("github", "token", {
+      allowedTools: ["browser_fill_credential"],
+      allowedDomains: ["github.com"],
     });
-    setSecureKey('credential:github:token', 'ghp_secret123');
+    setSecureKey("credential:github:token", "ghp_secret123");
 
     const result = await broker.browserFill({
-      service: 'github',
-      field: 'token',
-      toolName: 'browser_fill_credential',
-      domain: 'login.github.com',
+      service: "github",
+      field: "token",
+      toolName: "browser_fill_credential",
+      domain: "login.github.com",
       fill: async () => {},
     });
 
@@ -425,19 +466,21 @@ describe('Invariant 4: credentials only used for allowed purpose', () => {
   });
 
   // PR 18 — vault policy fields with strict defaults
-  test('credential without explicit policy gets strict defaults (deny all)', () => {
+  test("credential without explicit policy gets strict defaults (deny all)", () => {
     // A credential stored without allowed_tools defaults to empty array,
     // which the broker's isToolAllowed check fails closed on.
-    upsertCredentialMetadata('test-svc', 'pass', {});
+    upsertCredentialMetadata("test-svc", "pass", {});
 
     const result = broker.authorize({
-      service: 'test-svc',
-      field: 'pass',
-      toolName: 'browser_fill_credential',
+      service: "test-svc",
+      field: "pass",
+      toolName: "browser_fill_credential",
     });
 
     expect(result.authorized).toBe(false);
-    expect(!result.authorized && result.reason).toContain('No tools are currently allowed');
+    expect(!result.authorized && result.reason).toContain(
+      "No tools are currently allowed",
+    );
   });
 });
 
@@ -445,21 +488,21 @@ describe('Invariant 4: credentials only used for allowed purpose', () => {
 // Cross-Cutting — One-Time Send Override
 // ---------------------------------------------------------------------------
 
-describe('One-time send override', () => {
-  test('transient_send delivery type is defined in SecretPromptResult', () => {
-    const delivery: 'store' | 'transient_send' = 'transient_send';
-    expect(delivery).toBe('transient_send');
+describe("One-time send override", () => {
+  test("transient_send delivery type is defined in SecretPromptResult", () => {
+    const delivery: "store" | "transient_send" = "transient_send";
+    expect(delivery).toBe("transient_send");
   });
 
-  test('allowOneTimeSend defaults to false in config', () => {
+  test("allowOneTimeSend defaults to false in config", () => {
     expect(DEFAULT_CONFIG.secretDetection.allowOneTimeSend).toBe(false);
   });
 
-  test('default secretDetection.action is redact', () => {
-    expect(DEFAULT_CONFIG.secretDetection.action).toBe('redact');
+  test("default secretDetection.action is redact", () => {
+    expect(DEFAULT_CONFIG.secretDetection.action).toBe("redact");
   });
 
-  test('default secretDetection.blockIngress is true', () => {
+  test("default secretDetection.blockIngress is true", () => {
     expect(DEFAULT_CONFIG.secretDetection.blockIngress).toBe(true);
   });
 });
@@ -472,130 +515,132 @@ import {
   createSafeLogEntry,
   sanitizeHeaders,
   sanitizeUrl,
-} from '../tools/network/script-proxy/logging.js';
+} from "../tools/network/script-proxy/logging.js";
 
-describe('Invariant 5: proxy log entries never contain secrets', () => {
-  test('Authorization headers are redacted in log entries', () => {
+describe("Invariant 5: proxy log entries never contain secrets", () => {
+  test("Authorization headers are redacted in log entries", () => {
     const headers: Record<string, string> = {
-      'Authorization': 'Bearer ghp_s3cr3tT0k3n',
-      'Content-Type': 'application/json',
-      'X-Custom': 'safe-value',
+      Authorization: "Bearer ghp_s3cr3tT0k3n",
+      "Content-Type": "application/json",
+      "X-Custom": "safe-value",
     };
 
-    const sanitized = sanitizeHeaders(headers, ['authorization']);
+    const sanitized = sanitizeHeaders(headers, ["authorization"]);
 
-    expect(sanitized['Authorization']).toBe('[REDACTED]');
-    expect(sanitized['Content-Type']).toBe('application/json');
-    expect(sanitized['X-Custom']).toBe('safe-value');
+    expect(sanitized["Authorization"]).toBe("[REDACTED]");
+    expect(sanitized["Content-Type"]).toBe("application/json");
+    expect(sanitized["X-Custom"]).toBe("safe-value");
   });
 
-  test('header redaction is case-insensitive', () => {
+  test("header redaction is case-insensitive", () => {
     const headers: Record<string, string> = {
-      'authorization': 'Bearer secret123',
-      'X-Api-Key': 'key-abc-123',
+      authorization: "Bearer secret123",
+      "X-Api-Key": "key-abc-123",
     };
 
-    const sanitized = sanitizeHeaders(headers, ['Authorization', 'x-api-key']);
+    const sanitized = sanitizeHeaders(headers, ["Authorization", "x-api-key"]);
 
-    expect(sanitized['authorization']).toBe('[REDACTED]');
-    expect(sanitized['X-Api-Key']).toBe('[REDACTED]');
+    expect(sanitized["authorization"]).toBe("[REDACTED]");
+    expect(sanitized["X-Api-Key"]).toBe("[REDACTED]");
   });
 
-  test('API key query params are redacted', () => {
-    const url = 'https://api.example.com/v1/search?api_key=sk-secret-value&q=hello';
-    const sanitized = sanitizeUrl(url, ['api_key']);
+  test("API key query params are redacted", () => {
+    const url =
+      "https://api.example.com/v1/search?api_key=sk-secret-value&q=hello";
+    const sanitized = sanitizeUrl(url, ["api_key"]);
 
-    expect(sanitized).not.toContain('sk-secret-value');
-    expect(sanitized).toContain('api_key=%5BREDACTED%5D');
-    expect(sanitized).toContain('q=hello');
+    expect(sanitized).not.toContain("sk-secret-value");
+    expect(sanitized).toContain("api_key=%5BREDACTED%5D");
+    expect(sanitized).toContain("q=hello");
   });
 
-  test('multiple sensitive query params are all redacted', () => {
-    const url = 'https://api.example.com/path?token=abc123&key=def456&safe=keep';
-    const sanitized = sanitizeUrl(url, ['token', 'key']);
+  test("multiple sensitive query params are all redacted", () => {
+    const url =
+      "https://api.example.com/path?token=abc123&key=def456&safe=keep";
+    const sanitized = sanitizeUrl(url, ["token", "key"]);
 
-    expect(sanitized).not.toContain('abc123');
-    expect(sanitized).not.toContain('def456');
-    expect(sanitized).toContain('safe=keep');
+    expect(sanitized).not.toContain("abc123");
+    expect(sanitized).not.toContain("def456");
+    expect(sanitized).toContain("safe=keep");
   });
 
-  test('sanitizeUrl handles path-only URLs', () => {
-    const url = '/v1/search?api_key=secret&q=hello';
-    const sanitized = sanitizeUrl(url, ['api_key']);
+  test("sanitizeUrl handles path-only URLs", () => {
+    const url = "/v1/search?api_key=secret&q=hello";
+    const sanitized = sanitizeUrl(url, ["api_key"]);
 
-    expect(sanitized).not.toContain('secret');
-    expect(sanitized).toContain('q=hello');
+    expect(sanitized).not.toContain("secret");
+    expect(sanitized).toContain("q=hello");
     // Result should still be a path, not an absolute URL
     expect(sanitized).toMatch(/^\//);
   });
 
-  test('sanitizeUrl returns URL unchanged when no query string', () => {
-    const url = 'https://api.example.com/v1/resource';
-    expect(sanitizeUrl(url, ['api_key'])).toBe(url);
+  test("sanitizeUrl returns URL unchanged when no query string", () => {
+    const url = "https://api.example.com/v1/resource";
+    expect(sanitizeUrl(url, ["api_key"])).toBe(url);
   });
 
-  test('credential values from injection templates never appear in sanitized output', () => {
+  test("credential values from injection templates never appear in sanitized output", () => {
     // Simulate a header-injected credential (e.g. "Authorization: Key <secret>")
-    const secretValue = ['Key ', 'fal_', 'superSecretApiKey'].join('');
+    const secretValue = ["Key ", "fal_", "superSecretApiKey"].join("");
     const req = {
-      method: 'POST',
-      url: 'https://api.fal.ai/v1/generate',
+      method: "POST",
+      url: "https://api.fal.ai/v1/generate",
       headers: {
-        'Authorization': secretValue,
-        'Content-Type': 'application/json',
-        'Host': 'api.fal.ai',
+        Authorization: secretValue,
+        "Content-Type": "application/json",
+        Host: "api.fal.ai",
       },
     };
 
-    const entry = createSafeLogEntry(req, ['Authorization']);
+    const entry = createSafeLogEntry(req, ["Authorization"]);
     const serialized = JSON.stringify(entry);
 
-    expect(serialized).not.toContain('fal_');
-    expect(serialized).not.toContain('superSecretApiKey');
-    expect(entry.headers['Authorization']).toBe('[REDACTED]');
-    expect(entry.headers['Content-Type']).toBe('application/json');
-    expect(entry.method).toBe('POST');
+    expect(serialized).not.toContain("fal_");
+    expect(serialized).not.toContain("superSecretApiKey");
+    expect(entry.headers["Authorization"]).toBe("[REDACTED]");
+    expect(entry.headers["Content-Type"]).toBe("application/json");
+    expect(entry.method).toBe("POST");
   });
 
-  test('credential values from query injection templates never appear in sanitized output', () => {
+  test("credential values from query injection templates never appear in sanitized output", () => {
     // Simulate a query-injected credential (e.g. "?api_key=<secret>")
-    const secretValue = ['sk-live-', 'abc123', 'xyz789'].join('');
+    const secretValue = ["sk-live-", "abc123", "xyz789"].join("");
     const req = {
-      method: 'GET',
+      method: "GET",
       url: `https://api.example.com/v1/data?api_key=${secretValue}&format=json`,
       headers: {
-        'Host': 'api.example.com',
+        Host: "api.example.com",
       },
     };
 
-    const entry = createSafeLogEntry(req, ['api_key']);
+    const entry = createSafeLogEntry(req, ["api_key"]);
     const serialized = JSON.stringify(entry);
 
-    expect(serialized).not.toContain('sk-live-');
-    expect(serialized).not.toContain('abc123');
-    expect(serialized).not.toContain('xyz789');
-    expect(entry.url).toContain('format=json');
+    expect(serialized).not.toContain("sk-live-");
+    expect(serialized).not.toContain("abc123");
+    expect(serialized).not.toContain("xyz789");
+    expect(entry.url).toContain("format=json");
   });
 
-  test('createSafeLogEntry redacts both headers and query params together', () => {
-    const headerSecret = ['Bearer ', 'ghp_', 'tokenValue'].join('');
-    const querySecret = ['secret-', 'key-', '42'].join('');
+  test("createSafeLogEntry redacts both headers and query params together", () => {
+    const headerSecret = ["Bearer ", "ghp_", "tokenValue"].join("");
+    const querySecret = ["secret-", "key-", "42"].join("");
     const req = {
-      method: 'GET',
+      method: "GET",
       url: `https://api.github.com/repos?access_token=${querySecret}`,
       headers: {
-        'Authorization': headerSecret,
-        'Accept': 'application/json',
+        Authorization: headerSecret,
+        Accept: "application/json",
       },
     };
 
-    const entry = createSafeLogEntry(req, ['Authorization', 'access_token']);
+    const entry = createSafeLogEntry(req, ["Authorization", "access_token"]);
     const serialized = JSON.stringify(entry);
 
-    expect(serialized).not.toContain('ghp_');
-    expect(serialized).not.toContain('tokenValue');
-    expect(serialized).not.toContain('secret-');
-    expect(serialized).not.toContain('key-42');
-    expect(entry.headers['Accept']).toBe('application/json');
+    expect(serialized).not.toContain("ghp_");
+    expect(serialized).not.toContain("tokenValue");
+    expect(serialized).not.toContain("secret-");
+    expect(serialized).not.toContain("key-42");
+    expect(entry.headers["Accept"]).toBe("application/json");
   });
 });