@vellumai/assistant 0.4.35 → 0.4.37

package/src/__tests__/key-migration.test.ts

@@ -1,240 +0,0 @@
-import { randomBytes } from "node:crypto";
-import {
-  existsSync,
-  mkdirSync,
-  readFileSync,
-  rmSync,
-  writeFileSync,
-} from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
-
-// ---------------------------------------------------------------------------
-// Mocks — declared before imports
-// ---------------------------------------------------------------------------
-
-const TEST_DIR = join(
-  tmpdir(),
-  `vellum-migration-test-${randomBytes(4).toString("hex")}`,
-);
-const WORKSPACE_DIR = join(TEST_DIR, "workspace");
-const CONFIG_PATH = join(WORKSPACE_DIR, "config.json");
-const STORE_PATH = join(TEST_DIR, "keys.enc");
-
-mock.module("../util/logger.js", () => ({
-  getLogger: () =>
-    new Proxy({} as Record<string, unknown>, {
-      get: () => () => {},
-    }),
-}));
-
-mock.module("../util/platform.js", () => ({
-  getRootDir: () => TEST_DIR,
-  getWorkspaceDir: () => WORKSPACE_DIR,
-  getWorkspaceConfigPath: () => CONFIG_PATH,
-  getDataDir: () => join(TEST_DIR, "data"),
-  getLogPath: () => join(TEST_DIR, "logs", "vellum.log"),
-  ensureDataDir: () => {
-    if (!existsSync(TEST_DIR)) mkdirSync(TEST_DIR, { recursive: true });
-    if (!existsSync(WORKSPACE_DIR))
-      mkdirSync(WORKSPACE_DIR, { recursive: true });
-    const logsDir = join(TEST_DIR, "logs");
-    if (!existsSync(logsDir)) mkdirSync(logsDir, { recursive: true });
-  },
-  migrateToWorkspaceLayout: () => {},
-  migrateToDataLayout: () => {},
-  migratePath: () => {},
-  isMacOS: () => false,
-  isLinux: () => false,
-  isWindows: () => false,
-}));
-
-import { invalidateConfigCache, loadConfig } from "../config/loader.js";
-import { _setStorePath } from "../security/encrypted-store.js";
-import { _setBackend } from "../security/secure-keys.js";
-import { getSecureKey } from "../security/secure-keys.js";
-
-// ---------------------------------------------------------------------------
-// Tests
-// ---------------------------------------------------------------------------
-
-// API key env vars that loadConfig checks — must be cleared during tests
-// so they don't override the migrated values under test.
-const API_KEY_ENV_VARS = [
-  "ANTHROPIC_API_KEY",
-  "OPENAI_API_KEY",
-  "GEMINI_API_KEY",
-  "OLLAMA_API_KEY",
-  "FIREWORKS_API_KEY",
-  "OPENROUTER_API_KEY",
-  "BRAVE_API_KEY",
-  "PERPLEXITY_API_KEY",
-];
-
-describe("key migration", () => {
-  const savedEnv: Record<string, string | undefined> = {};
-
-  beforeEach(() => {
-    // Save and clear API key env vars
-    for (const key of API_KEY_ENV_VARS) {
-      savedEnv[key] = process.env[key];
-      delete process.env[key];
-    }
-    if (existsSync(TEST_DIR)) {
-      rmSync(TEST_DIR, { recursive: true, force: true });
-    }
-    mkdirSync(TEST_DIR, { recursive: true });
-    mkdirSync(WORKSPACE_DIR, { recursive: true });
-    mkdirSync(join(TEST_DIR, "logs"), { recursive: true });
-    _setStorePath(STORE_PATH);
-    _setBackend("encrypted");
-    invalidateConfigCache();
-  });
-
-  afterEach(() => {
-    _setStorePath(null);
-    _setBackend(undefined);
-    invalidateConfigCache();
-    // Restore API key env vars
-    for (const key of API_KEY_ENV_VARS) {
-      if (savedEnv[key] === undefined) delete process.env[key];
-      else process.env[key] = savedEnv[key]!;
-    }
-  });
-
-  test("[experimental] migrates plaintext apiKeys from config.json to secure storage", () => {
-    const configPath = CONFIG_PATH;
-    writeFileSync(
-      configPath,
-      JSON.stringify({
-        provider: "anthropic",
-        apiKeys: {
-          anthropic: "sk-ant-test-key-123",
-          openai: "sk-openai-test-456",
-        },
-      }),
-    );
-
-    const config = loadConfig();
-
-    // Keys should be in the loaded config (from secure storage)
-    expect(config.apiKeys.anthropic).toBe("sk-ant-test-key-123");
-    expect(config.apiKeys.openai).toBe("sk-openai-test-456");
-
-    // Keys should be in secure storage
-    expect(getSecureKey("anthropic")).toBe("sk-ant-test-key-123");
-    expect(getSecureKey("openai")).toBe("sk-openai-test-456");
-
-    // Keys should be removed from config.json
-    const rawJson = JSON.parse(readFileSync(configPath, "utf-8"));
-    expect(rawJson.apiKeys).toBeUndefined();
-    // Other config should still be there
-    expect(rawJson.provider).toBe("anthropic");
-  });
-
-  test("does not migrate when no apiKeys in config.json", () => {
-    const configPath = CONFIG_PATH;
-    writeFileSync(
-      configPath,
-      JSON.stringify({
-        provider: "anthropic",
-        model: "claude-sonnet-4-6",
-      }),
-    );
-
-    const config = loadConfig();
-    expect(config.provider).toBe("anthropic");
-
-    // Config file should be unchanged
-    const rawJson = JSON.parse(readFileSync(configPath, "utf-8"));
-    expect(rawJson.provider).toBe("anthropic");
-    expect(rawJson.model).toBe("claude-sonnet-4-6");
-  });
-
-  test("does not migrate empty apiKeys object", () => {
-    const configPath = CONFIG_PATH;
-    writeFileSync(
-      configPath,
-      JSON.stringify({
-        provider: "anthropic",
-        apiKeys: {},
-      }),
-    );
-
-    loadConfig();
-
-    // Config file should still have the empty apiKeys
-    const rawJson = JSON.parse(readFileSync(configPath, "utf-8"));
-    expect(rawJson.apiKeys).toEqual({});
-  });
-
-  test("preserves other config fields during migration", () => {
-    const configPath = CONFIG_PATH;
-    writeFileSync(
-      configPath,
-      JSON.stringify({
-        provider: "openai",
-        model: "gpt-4",
-        maxTokens: 4096,
-        apiKeys: { anthropic: "sk-ant-test" },
-        timeouts: { shellDefaultTimeoutSec: 30 },
-      }),
-    );
-
-    loadConfig();
-
-    const rawJson = JSON.parse(readFileSync(configPath, "utf-8"));
-    expect(rawJson.provider).toBe("openai");
-    expect(rawJson.model).toBe("gpt-4");
-    expect(rawJson.maxTokens).toBe(4096);
-    expect(rawJson.timeouts.shellDefaultTimeoutSec).toBe(30);
-    expect(rawJson.apiKeys).toBeUndefined();
-  });
-
-  test("[experimental] migration only happens once (idempotent)", () => {
-    const configPath = CONFIG_PATH;
-    writeFileSync(
-      configPath,
-      JSON.stringify({
-        provider: "anthropic",
-        apiKeys: { anthropic: "sk-ant-test-key" },
-      }),
-    );
-
-    // First load — triggers migration
-    loadConfig();
-    expect(getSecureKey("anthropic")).toBe("sk-ant-test-key");
-
-    // Verify config.json no longer has apiKeys
-    const rawAfter = JSON.parse(readFileSync(configPath, "utf-8"));
-    expect(rawAfter.apiKeys).toBeUndefined();
-
-    // Second load — should not error or duplicate
-    invalidateConfigCache();
-    const config2 = loadConfig();
-    expect(config2.apiKeys.anthropic).toBe("sk-ant-test-key");
-  });
-
-  test("skips non-string values in apiKeys during migration", () => {
-    const configPath = CONFIG_PATH;
-    writeFileSync(
-      configPath,
-      JSON.stringify({
-        provider: "anthropic",
-        apiKeys: {
-          anthropic: "sk-ant-valid",
-          broken: 123,
-          empty: "",
-        },
-      }),
-    );
-
-    loadConfig();
-
-    // Only the valid key should be migrated
-    expect(getSecureKey("anthropic")).toBe("sk-ant-valid");
-    expect(getSecureKey("broken")).toBeUndefined();
-    expect(getSecureKey("empty")).toBeUndefined();
-  });
-});

package/src/__tests__/keychain.test.ts

@@ -1,286 +0,0 @@
-import { afterAll, beforeEach, describe, expect, test } from "bun:test";
-
-import {
-  _overrideDeps,
-  _resetDeps,
-  deleteKey,
-  getKey,
-  isKeychainAvailable,
-  setKey,
-} from "../security/keychain.js";
-
-// ---------------------------------------------------------------------------
-// Test state — uses _overrideDeps instead of mock.module to avoid
-// process-global mock leakage between test files in Bun's shared runner.
-// ---------------------------------------------------------------------------
-
-let mockPlatform = "darwin";
-let execFileCalls: Array<{
-  cmd: string;
-  args: string[];
-  opts: Record<string, unknown>;
-}> = [];
-let execFileResults: Map<string, string | Error> = new Map();
-
-// ---------------------------------------------------------------------------
-// Tests
-// ---------------------------------------------------------------------------
-
-describe("keychain", () => {
-  beforeEach(() => {
-    execFileCalls = [];
-    execFileResults = new Map();
-    mockPlatform = "darwin";
-
-    _overrideDeps({
-      isMacOS: () => mockPlatform === "darwin",
-      isLinux: () => mockPlatform === "linux",
-      execFileSync: ((
-        cmd: string,
-        args: string[],
-        opts: Record<string, unknown>,
-      ) => {
-        execFileCalls.push({ cmd, args: [...args], opts: { ...opts } });
-
-        const key = `${cmd} ${args.join(" ")}`;
-        for (const [pattern, result] of execFileResults) {
-          if (key.includes(pattern)) {
-            if (result instanceof Error) throw result;
-            return result;
-          }
-        }
-        return "";
-      }) as typeof import("node:child_process").execFileSync,
-    });
-  });
-
-  afterAll(() => {
-    _resetDeps();
-  });
-
-  // -----------------------------------------------------------------------
-  // isKeychainAvailable
-  // -----------------------------------------------------------------------
-  describe("isKeychainAvailable", () => {
-    test("returns true on macOS when security CLI works", () => {
-      mockPlatform = "darwin";
-      expect(isKeychainAvailable()).toBe(true);
-      expect(execFileCalls[0].cmd).toBe("security");
-      expect(execFileCalls[0].args).toContain("list-keychains");
-    });
-
-    test("returns true on Linux when secret-tool exists", () => {
-      mockPlatform = "linux";
-      expect(isKeychainAvailable()).toBe(true);
-      expect(execFileCalls[0].cmd).toBe("which");
-      expect(execFileCalls[0].args).toContain("secret-tool");
-    });
-
-    test("returns false on unsupported platform", () => {
-      mockPlatform = "win32";
-      expect(isKeychainAvailable()).toBe(false);
-    });
-
-    test("returns false when CLI command fails", () => {
-      mockPlatform = "darwin";
-      execFileResults.set("list-keychains", new Error("not found"));
-      expect(isKeychainAvailable()).toBe(false);
-    });
-  });
-
-  // -----------------------------------------------------------------------
-  // macOS getKey / setKey / deleteKey
-  // -----------------------------------------------------------------------
-  describe("macOS", () => {
-    beforeEach(() => {
-      mockPlatform = "darwin";
-    });
-
-    test("getKey calls security find-generic-password", () => {
-      execFileResults.set("find-generic-password", "my-secret-value\n");
-      const result = getKey("anthropic");
-      expect(result).toBe("my-secret-value");
-      const call = execFileCalls.find((c) =>
-        c.args.includes("find-generic-password"),
-      );
-      expect(call).toBeDefined();
-      expect(call!.args).toContain("-s");
-      expect(call!.args).toContain("vellum-assistant");
-      expect(call!.args).toContain("-a");
-      expect(call!.args).toContain("anthropic");
-      expect(call!.args).toContain("-w");
-    });
-
-    test("getKey returns null when key not found", () => {
-      const err = Object.assign(new Error("item not found"), { status: 44 });
-      execFileResults.set("find-generic-password", err);
-      expect(getKey("nonexistent")).toBeNull();
-    });
-
-    test("getKey throws on runtime errors", () => {
-      const err = Object.assign(new Error("keychain locked"), { status: 1 });
-      execFileResults.set("find-generic-password", err);
-      expect(() => getKey("test")).toThrow("keychain locked");
-    });
-
-    test("setKey calls security add-generic-password with -U flag", () => {
-      const result = setKey("anthropic", "sk-ant-key123");
-      expect(result).toBe(true);
-      const addCall = execFileCalls.find((c) =>
-        c.args.includes("add-generic-password"),
-      );
-      expect(addCall).toBeDefined();
-      expect(addCall!.args).toContain("-U");
-      expect(addCall!.args).toContain("-w");
-    });
-
-    test("setKey passes secret as -w argument", () => {
-      setKey("anthropic", "sk-ant-key123");
-      const addCall = execFileCalls.find((c) =>
-        c.args.includes("add-generic-password"),
-      );
-      expect(addCall).toBeDefined();
-      const wIndex = addCall!.args.indexOf("-w");
-      expect(wIndex).toBeGreaterThanOrEqual(0);
-      expect(addCall!.args[wIndex + 1]).toBe("sk-ant-key123");
-    });
-
-    test("setKey does not delete before adding (relies on -U flag)", () => {
-      setKey("anthropic", "new-value");
-      const deleteCall = execFileCalls.find((c) =>
-        c.args.includes("delete-generic-password"),
-      );
-      expect(deleteCall).toBeUndefined();
-    });
-
-    test("getKey preserves internal whitespace", () => {
-      execFileResults.set("find-generic-password", " value with spaces \n");
-      const result = getKey("test");
-      expect(result).toBe(" value with spaces ");
-    });
-
-    test("deleteKey calls security delete-generic-password", () => {
-      const result = deleteKey("anthropic");
-      expect(result).toBe(true);
-      const call = execFileCalls.find((c) =>
-        c.args.includes("delete-generic-password"),
-      );
-      expect(call).toBeDefined();
-      expect(call!.args).toContain("vellum-assistant");
-      expect(call!.args).toContain("anthropic");
-    });
-
-    test("deleteKey returns false on error", () => {
-      execFileResults.set(
-        "delete-generic-password",
-        new Error("item not found"),
-      );
-      expect(deleteKey("nonexistent")).toBe(false);
-    });
-  });
-
-  // -----------------------------------------------------------------------
-  // Linux getKey / setKey / deleteKey
-  // -----------------------------------------------------------------------
-  describe("Linux", () => {
-    beforeEach(() => {
-      mockPlatform = "linux";
-    });
-
-    test("getKey calls secret-tool lookup", () => {
-      execFileResults.set("lookup", "linux-secret-value\n");
-      const result = getKey("openai");
-      expect(result).toBe("linux-secret-value");
-      const call = execFileCalls.find(
-        (c) => c.cmd === "secret-tool" && c.args.includes("lookup"),
-      );
-      expect(call).toBeDefined();
-      expect(call!.args).toContain("service");
-      expect(call!.args).toContain("vellum-assistant");
-      expect(call!.args).toContain("account");
-      expect(call!.args).toContain("openai");
-    });
-
-    test("getKey returns null when key not found", () => {
-      const err = Object.assign(new Error("not found"), { status: 1 });
-      execFileResults.set("lookup", err);
-      expect(getKey("missing")).toBeNull();
-    });
-
-    test("getKey throws on runtime errors (exit code 1 with stderr)", () => {
-      const err = Object.assign(new Error("D-Bus error"), {
-        status: 1,
-        stderr: "Cannot autolaunch D-Bus without X11",
-      });
-      execFileResults.set("lookup", err);
-      expect(() => getKey("test")).toThrow("D-Bus error");
-    });
-
-    test("getKey preserves internal whitespace", () => {
-      execFileResults.set("lookup", " value with spaces \n");
-      const result = getKey("test");
-      expect(result).toBe(" value with spaces ");
-    });
-
-    test("setKey calls secret-tool store with input", () => {
-      const result = setKey("gemini", "gemini-key-123");
-      expect(result).toBe(true);
-      const call = execFileCalls.find(
-        (c) => c.cmd === "secret-tool" && c.args.includes("store"),
-      );
-      expect(call).toBeDefined();
-      expect(call!.args).toContain("--label");
-      expect(call!.opts.input).toBe("gemini-key-123");
-    });
-
-    test("deleteKey calls secret-tool clear", () => {
-      const result = deleteKey("gemini");
-      expect(result).toBe(true);
-      const call = execFileCalls.find(
-        (c) => c.cmd === "secret-tool" && c.args.includes("clear"),
-      );
-      expect(call).toBeDefined();
-      expect(call!.args).toContain("vellum-assistant");
-      expect(call!.args).toContain("gemini");
-    });
-  });
-
-  // -----------------------------------------------------------------------
-  // Unsupported platform
-  // -----------------------------------------------------------------------
-  describe("unsupported platform", () => {
-    beforeEach(() => {
-      mockPlatform = "win32";
-    });
-
-    test("getKey returns null", () => {
-      expect(getKey("any")).toBeNull();
-    });
-
-    test("setKey returns false", () => {
-      expect(setKey("any", "value")).toBe(false);
-    });
-
-    test("deleteKey returns false", () => {
-      expect(deleteKey("any")).toBe(false);
-    });
-  });
-
-  // -----------------------------------------------------------------------
-  // Error handling
-  // -----------------------------------------------------------------------
-  describe("error handling", () => {
-    test("getKey throws on unexpected runtime errors", () => {
-      mockPlatform = "darwin";
-      const err = Object.assign(new Error("unexpected"), { status: 1 });
-      execFileResults.set("find-generic-password", err);
-      expect(() => getKey("key")).toThrow("unexpected");
-    });
-
-    test("setKey gracefully handles unexpected errors", () => {
-      mockPlatform = "darwin";
-      execFileResults.set("add-generic-password", new Error("unexpected"));
-      expect(setKey("key", "val")).toBe(false);
-    });
-  });
-});