@vellumai/assistant 0.4.53 → 0.4.55

package/src/__tests__/secure-keys.test.ts

@@ -34,6 +34,7 @@ let mockBrokerGetError = false;
 let mockBrokerSetError = false;
 let mockBrokerDelError = false;
 let mockBrokerGetCalled = false;
+let mockBrokerSetCalled = false;
 
 mock.module("../security/keychain-broker-client.js", () => ({
   createBrokerClient: () => ({
@@ -48,6 +49,7 @@ mock.module("../security/keychain-broker-client.js", () => ({
       return { found: false };
     },
     set: async (account: string, value: string) => {
+      mockBrokerSetCalled = true;
       if (mockBrokerSetError)
         return {
           status: "rejected" as const,
@@ -67,18 +69,13 @@ mock.module("../security/keychain-broker-client.js", () => ({
   }),
 }));
 
+import * as encryptedStore from "../security/encrypted-store.js";
 import { _setStorePath } from "../security/encrypted-store.js";
 import {
   _resetBackend,
-  _setBackend,
-  deleteSecureKey,
   deleteSecureKeyAsync,
-  getBackendType,
-  getSecureKey,
   getSecureKeyAsync,
-  isDowngradedFromKeychain,
-  listSecureKeys,
-  setSecureKey,
+  listSecureKeysAsync,
   setSecureKeyAsync,
 } from "../security/secure-keys.js";
 
@@ -103,6 +100,10 @@ describe("secure-keys", () => {
     mockBrokerSetError = false;
     mockBrokerDelError = false;
     mockBrokerGetCalled = false;
+    mockBrokerSetCalled = false;
+
+    // Ensure VELLUM_DEV is NOT set so broker tests work by default
+    delete process.env.VELLUM_DEV;
 
     if (existsSync(TEST_DIR)) {
       rmSync(TEST_DIR, { recursive: true });
@@ -114,6 +115,7 @@ describe("secure-keys", () => {
   afterEach(() => {
     _setStorePath(null);
     _resetBackend();
+    delete process.env.VELLUM_DEV;
   });
 
   afterAll(() => {
@@ -123,337 +125,347 @@ describe("secure-keys", () => {
   });
 
   // -----------------------------------------------------------------------
-  // Backend selection
+  // CRUD operations (via encrypted store backend — broker unavailable)
   // -----------------------------------------------------------------------
-  describe("backend selection", () => {
-    test("returns encrypted when broker is unavailable", () => {
-      expect(getBackendType()).toBe("encrypted");
+  describe("CRUD with encrypted backend (broker unavailable)", () => {
+    test("set and get a key", async () => {
+      await setSecureKeyAsync("openai", "sk-openai-789");
+      expect(await getSecureKeyAsync("openai")).toBe("sk-openai-789");
     });
 
-    test("returns broker when broker is available", () => {
-      mockBrokerAvailable = true;
-      expect(getBackendType()).toBe("broker");
+    test("get returns undefined for nonexistent key", async () => {
+      expect(await getSecureKeyAsync("nonexistent")).toBeUndefined();
     });
 
-    test("isDowngradedFromKeychain always returns false", () => {
-      expect(isDowngradedFromKeychain()).toBe(false);
+    test("delete removes a key", async () => {
+      await setSecureKeyAsync("gemini", "gem-key");
+      expect(await deleteSecureKeyAsync("gemini")).toBe("deleted");
+      expect(await getSecureKeyAsync("gemini")).toBeUndefined();
+    });
+
+    test("delete returns not-found for nonexistent key", async () => {
+      expect(await deleteSecureKeyAsync("missing")).toBe("not-found");
     });
   });
 
   // -----------------------------------------------------------------------
-  // CRUD operations (via encrypted store backend — sync)
+  // Single-writer: writes go to keychain only when broker available
   // -----------------------------------------------------------------------
-  describe("CRUD with encrypted backend (sync)", () => {
-    test("set and get a key", () => {
-      setSecureKey("openai", "sk-openai-789");
-      expect(getSecureKey("openai")).toBe("sk-openai-789");
-    });
-
-    test("get returns undefined for nonexistent key", () => {
-      expect(getSecureKey("nonexistent")).toBeUndefined();
-    });
+  describe("single-writer with broker available", () => {
+    test("setSecureKeyAsync writes to broker only (not encrypted store)", async () => {
+      mockBrokerAvailable = true;
+      _resetBackend();
 
-    test("delete removes a key", () => {
-      setSecureKey("gemini", "gem-key");
-      expect(deleteSecureKey("gemini")).toBe("deleted");
-      expect(getSecureKey("gemini")).toBeUndefined();
+      const result = await setSecureKeyAsync("api-key", "new-value");
+      expect(result).toBe(true);
+      // Value is in the broker store
+      expect(mockBrokerStore.get("api-key")).toBe("new-value");
+      // Value should NOT be in the encrypted store (single-writer)
+      expect(encryptedStore.getKey("api-key")).toBeUndefined();
     });
 
-    test("delete returns not-found for nonexistent key", () => {
-      expect(deleteSecureKey("missing")).toBe("not-found");
-    });
+    test("setSecureKeyAsync returns false on broker set error", async () => {
+      mockBrokerAvailable = true;
+      mockBrokerSetError = true;
+      _resetBackend();
 
-    test("listSecureKeys returns all keys", () => {
-      setSecureKey("anthropic", "val1");
-      setSecureKey("openai", "val2");
-      const keys = listSecureKeys();
-      expect(keys).toContain("anthropic");
-      expect(keys).toContain("openai");
-      expect(keys.length).toBe(2);
+      const result = await setSecureKeyAsync("api-key", "new-value");
+      expect(result).toBe(false);
+      expect(mockBrokerStore.has("api-key")).toBe(false);
     });
   });
 
   // -----------------------------------------------------------------------
-  // Sync variants always use encrypted store even when broker is available
+  // Reads: primary backend first, legacy fallback to encrypted store
   // -----------------------------------------------------------------------
-  describe("sync variants ignore broker", () => {
-    test("getSecureKey uses encrypted store even when broker is available", () => {
+  describe("reads with broker available", () => {
+    test("getSecureKeyAsync reads from broker (primary backend)", async () => {
       mockBrokerAvailable = true;
+      _resetBackend();
+
       mockBrokerStore.set("api-key", "broker-value");
-      // Sync getter should not see broker-only keys
-      expect(getSecureKey("api-key")).toBeUndefined();
-      // But encrypted store keys should work
-      setSecureKey("api-key", "encrypted-value");
-      expect(getSecureKey("api-key")).toBe("encrypted-value");
+      const result = await getSecureKeyAsync("api-key");
+      expect(result).toBe("broker-value");
+      expect(mockBrokerGetCalled).toBe(true);
     });
 
-    test("setSecureKey uses encrypted store even when broker is available", () => {
+    test("getSecureKeyAsync falls back to encrypted store for legacy keys", async () => {
       mockBrokerAvailable = true;
-      setSecureKey("api-key", "encrypted-value");
-      expect(getSecureKey("api-key")).toBe("encrypted-value");
-      // Should not have written to broker
-      expect(mockBrokerStore.has("api-key")).toBe(false);
+      _resetBackend();
+
+      // Pre-populate encrypted store directly (legacy key not in broker)
+      encryptedStore.setKey("legacy-key", "legacy-value");
+
+      const result = await getSecureKeyAsync("legacy-key");
+      expect(result).toBe("legacy-value");
+      // Broker was checked first (returned nothing), then encrypted store
+      expect(mockBrokerGetCalled).toBe(true);
     });
 
-    test("deleteSecureKey uses encrypted store even when broker is available", () => {
+    test("getSecureKeyAsync returns undefined when neither store has the key", async () => {
       mockBrokerAvailable = true;
+      _resetBackend();
+
+      expect(await getSecureKeyAsync("missing-key")).toBeUndefined();
+    });
+
+    test("getSecureKeyAsync returns broker value even when encrypted store also has a value", async () => {
+      mockBrokerAvailable = true;
+      _resetBackend();
+
+      // Both stores have a value — broker (primary) should win
       mockBrokerStore.set("api-key", "broker-value");
-      setSecureKey("api-key", "encrypted-value");
-      deleteSecureKey("api-key");
-      expect(getSecureKey("api-key")).toBeUndefined();
-      // Broker value should be untouched
-      expect(mockBrokerStore.has("api-key")).toBe(true);
+      encryptedStore.setKey("api-key", "encrypted-value");
+
+      const result = await getSecureKeyAsync("api-key");
+      expect(result).toBe("broker-value");
     });
   });
 
   // -----------------------------------------------------------------------
-  // Async variants — broker available path
+  // Dev mode bypass — VELLUM_DEV=1 uses encrypted store only
   // -----------------------------------------------------------------------
-  describe("async variants with broker available", () => {
-    test("getSecureKeyAsync returns encrypted store value when both stores have key", async () => {
+  describe("dev mode bypass (VELLUM_DEV=1)", () => {
+    test("setSecureKeyAsync writes to encrypted store only, ignoring broker", async () => {
+      process.env.VELLUM_DEV = "1";
       mockBrokerAvailable = true;
-      mockBrokerStore.set("api-key", "broker-value");
-      setSecureKey("api-key", "encrypted-value");
-      // Encrypted store is checked first — broker is never called
-      expect(await getSecureKeyAsync("api-key")).toBe("encrypted-value");
-      expect(mockBrokerGetCalled).toBe(false);
+      _resetBackend();
+
+      const result = await setSecureKeyAsync("api-key", "dev-value");
+      expect(result).toBe(true);
+      // Written to encrypted store
+      expect(encryptedStore.getKey("api-key")).toBe("dev-value");
+      // NOT written to broker
+      expect(mockBrokerStore.has("api-key")).toBe(false);
+      expect(mockBrokerSetCalled).toBe(false);
     });
 
-    test("getSecureKeyAsync returns encrypted store value without calling broker", async () => {
+    test("getSecureKeyAsync reads from encrypted store only, ignoring broker", async () => {
+      process.env.VELLUM_DEV = "1";
       mockBrokerAvailable = true;
-      // Only encrypted store has the key — broker has nothing.
-      // Encrypted store is checked first, so broker.get() is never called.
-      setSecureKey("api-key", "encrypted-value");
-      expect(await getSecureKeyAsync("api-key")).toBe("encrypted-value");
+      _resetBackend();
+
+      mockBrokerStore.set("api-key", "broker-value");
+      encryptedStore.setKey("api-key", "encrypted-value");
+
+      const result = await getSecureKeyAsync("api-key");
+      expect(result).toBe("encrypted-value");
+      // Broker should not have been contacted
       expect(mockBrokerGetCalled).toBe(false);
     });
 
-    test("getSecureKeyAsync returns undefined when neither broker nor encrypted store has key", async () => {
+    test("getSecureKeyAsync returns undefined when encrypted store is empty (does not check broker)", async () => {
+      process.env.VELLUM_DEV = "1";
       mockBrokerAvailable = true;
-      // Neither store has the key — should return undefined
-      expect(await getSecureKeyAsync("missing-key")).toBeUndefined();
-    });
+      _resetBackend();
 
-    test("getSecureKeyAsync returns encrypted store value even when broker would error", async () => {
-      mockBrokerAvailable = true;
-      mockBrokerGetError = true;
-      // Encrypted store hit short-circuits — broker is never called, so
-      // the broker error flag is irrelevant.
-      setSecureKey("api-key", "encrypted-value");
-      expect(await getSecureKeyAsync("api-key")).toBe("encrypted-value");
+      mockBrokerStore.set("api-key", "broker-value");
+
+      const result = await getSecureKeyAsync("api-key");
+      expect(result).toBeUndefined();
       expect(mockBrokerGetCalled).toBe(false);
     });
+  });
 
-    test("setSecureKeyAsync writes to broker and encrypted store", async () => {
+  // -----------------------------------------------------------------------
+  // Delete always attempts both stores
+  // -----------------------------------------------------------------------
+  describe("delete attempts both stores", () => {
+    test("deleteSecureKeyAsync removes from both stores when broker available", async () => {
       mockBrokerAvailable = true;
-      const result = await setSecureKeyAsync("api-key", "new-value");
-      expect(result).toBe(true);
-      expect(mockBrokerStore.get("api-key")).toBe("new-value");
-      // Also persisted to encrypted store for sync callers
-      expect(getSecureKey("api-key")).toBe("new-value");
-    });
+      _resetBackend();
 
-    test("setSecureKeyAsync returns false on broker set error (no silent fallback)", async () => {
-      mockBrokerAvailable = true;
-      mockBrokerSetError = true;
-      const result = await setSecureKeyAsync("api-key", "new-value");
-      // Must return false — falling through to encrypted-only write would
-      // leave the broker with stale data that async readers still see.
-      expect(result).toBe(false);
+      mockBrokerStore.set("api-key", "broker-value");
+      encryptedStore.setKey("api-key", "encrypted-value");
+
+      const result = await deleteSecureKeyAsync("api-key");
+      expect(result).toBe("deleted");
       expect(mockBrokerStore.has("api-key")).toBe(false);
-      // Encrypted store should NOT have been written either.
-      expect(getSecureKey("api-key")).toBeUndefined();
+      expect(encryptedStore.getKey("api-key")).toBeUndefined();
     });
 
-    test("deleteSecureKeyAsync deletes from broker and encrypted store", async () => {
-      mockBrokerAvailable = true;
-      mockBrokerStore.set("api-key", "broker-value");
-      setSecureKey("api-key", "encrypted-value");
+    test("deleteSecureKeyAsync returns deleted when only encrypted store has key", async () => {
+      // Broker unavailable — only encrypted store
+      encryptedStore.setKey("api-key", "encrypted-value");
+
       const result = await deleteSecureKeyAsync("api-key");
       expect(result).toBe("deleted");
-      expect(mockBrokerStore.has("api-key")).toBe(false);
-      expect(getSecureKey("api-key")).toBeUndefined();
+      expect(encryptedStore.getKey("api-key")).toBeUndefined();
     });
 
-    test("deleteSecureKeyAsync returns error on broker del error (no silent fallback)", async () => {
+    test("deleteSecureKeyAsync returns error when broker delete fails", async () => {
       mockBrokerAvailable = true;
       mockBrokerDelError = true;
-      setSecureKey("api-key", "encrypted-value");
+      _resetBackend();
+
+      mockBrokerStore.set("api-key", "broker-value");
+      encryptedStore.setKey("api-key", "encrypted-value");
+
       const result = await deleteSecureKeyAsync("api-key");
-      // Must return "error" — falling through to encrypted-only delete would
-      // leave the broker with the key, and async readers would still see it.
       expect(result).toBe("error");
-      // Encrypted store should NOT have been modified either.
-      expect(getSecureKey("api-key")).toBe("encrypted-value");
-    });
-  });
-
-  // -----------------------------------------------------------------------
-  // Async variants — broker unavailable path
-  // -----------------------------------------------------------------------
-  describe("async variants with broker unavailable", () => {
-    test("getSecureKeyAsync uses encrypted store", async () => {
-      setSecureKey("api-key", "encrypted-value");
-      expect(await getSecureKeyAsync("api-key")).toBe("encrypted-value");
     });
 
-    test("getSecureKeyAsync returns undefined for missing key", async () => {
-      expect(await getSecureKeyAsync("missing")).toBeUndefined();
-    });
+    test("deleteSecureKeyAsync in dev mode still attempts both stores", async () => {
+      process.env.VELLUM_DEV = "1";
+      mockBrokerAvailable = true;
+      _resetBackend();
 
-    test("setSecureKeyAsync uses encrypted store", async () => {
-      const result = await setSecureKeyAsync("api-key", "new-value");
-      expect(result).toBe(true);
-      expect(getSecureKey("api-key")).toBe("new-value");
-    });
+      mockBrokerStore.set("api-key", "broker-value");
+      encryptedStore.setKey("api-key", "encrypted-value");
 
-    test("deleteSecureKeyAsync uses encrypted store", async () => {
-      setSecureKey("api-key", "value");
       const result = await deleteSecureKeyAsync("api-key");
       expect(result).toBe("deleted");
-      expect(getSecureKey("api-key")).toBeUndefined();
+      expect(mockBrokerStore.has("api-key")).toBe(false);
+      expect(encryptedStore.getKey("api-key")).toBeUndefined();
+    });
+
+    test("deleteSecureKeyAsync returns not-found when key missing from both stores", async () => {
+      // Broker unavailable, encrypted store empty
+      const result = await deleteSecureKeyAsync("missing-key");
+      expect(result).toBe("not-found");
     });
   });
 
   // -----------------------------------------------------------------------
-  // Encrypted-store-first read order
+  // Legacy read fallback
   // -----------------------------------------------------------------------
-  describe("encrypted-store-first read order", () => {
-    test("returns value from encrypted store without calling broker", async () => {
+  describe("legacy read fallback", () => {
+    test("returns encrypted store value when broker has no key (legacy migration)", async () => {
       mockBrokerAvailable = true;
-      setSecureKey("test-account", "test-secret");
-      mockBrokerStore.set("test-account", "broker-secret");
-
-      const result = await getSecureKeyAsync("test-account");
-      expect(result).toBe("test-secret");
-      // Broker should never have been called — encrypted store hit
-      // short-circuits the lookup.
-      expect(mockBrokerGetCalled).toBe(false);
-    });
-
-    test("falls back to broker when encrypted store returns undefined", async () => {
-      mockBrokerAvailable = true;
-      // Encrypted store has nothing for this key
-      mockBrokerStore.set("test-account", "broker-secret");
-
-      const result = await getSecureKeyAsync("test-account");
-      expect(result).toBe("broker-secret");
-      // Broker should have been called as fallback
-      expect(mockBrokerGetCalled).toBe(true);
-    });
+      _resetBackend();
 
-    test("returns undefined when neither store has the key", async () => {
-      mockBrokerAvailable = true;
-      // Neither encrypted store nor broker has the key
+      // Simulate a legacy key that was written to encrypted store before
+      // the single-writer migration — broker doesn't have it.
+      encryptedStore.setKey("legacy-account", "legacy-secret");
 
-      const result = await getSecureKeyAsync("test-account");
-      expect(result).toBeUndefined();
+      const result = await getSecureKeyAsync("legacy-account");
+      expect(result).toBe("legacy-secret");
     });
 
-    test("returns undefined without broker call when broker unavailable and encrypted store empty", async () => {
-      // Broker is unavailable (default state), encrypted store is empty
-      mockBrokerAvailable = false;
+    test("does not fall back to encrypted store when already using encrypted store backend", async () => {
+      // Broker unavailable — primary backend IS the encrypted store.
+      // No fallback needed.
+      encryptedStore.setKey("account", "value");
+      encryptedStore.setKey("other-account", "other-value");
 
-      const result = await getSecureKeyAsync("test-account");
-      expect(result).toBeUndefined();
-      // Broker.get() should not have been called since broker is unavailable
+      // Should read directly from encrypted store (primary)
+      const result = await getSecureKeyAsync("account");
+      expect(result).toBe("value");
+      // Broker should not have been contacted
       expect(mockBrokerGetCalled).toBe(false);
     });
   });
 
   // -----------------------------------------------------------------------
-  // Stale-value prevention — encrypted-store-first reads avoid stale broker data
+  // Stale-value prevention
   // -----------------------------------------------------------------------
   describe("stale-value prevention", () => {
-    test("setSecureKeyAsync updates both stores so encrypted-store-first read returns new value", async () => {
+    test("setSecureKeyAsync failure does not corrupt broker store", async () => {
       mockBrokerAvailable = true;
-      // Simulate broker holding an old value
-      mockBrokerStore.set("api-key", "old-broker-value");
-      setSecureKey("api-key", "old-encrypted-value");
+      _resetBackend();
+
+      // Pre-seed broker with original value
+      mockBrokerStore.set("api-key", "original-value");
 
-      // Update via async path (writes both broker + encrypted)
+      // Now fail the next set
+      mockBrokerSetError = true;
       const ok = await setSecureKeyAsync("api-key", "new-value");
-      expect(ok).toBe(true);
+      expect(ok).toBe(false);
 
-      // Encrypted-store-first read returns the new value
-      const value = await getSecureKeyAsync("api-key");
-      expect(value).toBe("new-value");
-      // Both stores should agree
-      expect(mockBrokerStore.get("api-key")).toBe("new-value");
-      expect(getSecureKey("api-key")).toBe("new-value");
+      // Broker should still have original value
+      expect(mockBrokerStore.get("api-key")).toBe("original-value");
     });
+  });
 
-    test("deleteSecureKeyAsync removes from both stores so read returns undefined", async () => {
+  // -----------------------------------------------------------------------
+  // listSecureKeysAsync — merged/deduplicated key listing
+  // -----------------------------------------------------------------------
+  describe("listSecureKeysAsync", () => {
+    test("returns merged, deduplicated keys when broker is primary and encrypted store has legacy keys", async () => {
       mockBrokerAvailable = true;
-      mockBrokerStore.set("api-key", "old-broker-value");
-      setSecureKey("api-key", "old-encrypted-value");
+      _resetBackend();
 
-      // Delete via async path (deletes from both broker + encrypted)
-      const result = await deleteSecureKeyAsync("api-key");
-      expect(result).toBe("deleted");
+      // Broker has some keys
+      mockBrokerStore.set("broker-key-1", "val1");
+      mockBrokerStore.set("shared-key", "broker-val");
 
-      // Neither store has the key — returns undefined
-      const value = await getSecureKeyAsync("api-key");
-      expect(value).toBeUndefined();
-    });
+      // Encrypted store has legacy keys (some overlapping)
+      encryptedStore.setKey("legacy-key-1", "val2");
+      encryptedStore.setKey("shared-key", "enc-val");
 
-    test("sync setSecureKey updates encrypted store — encrypted-store-first read returns fresh value", async () => {
-      mockBrokerAvailable = true;
-      mockBrokerStore.set("api-key", "old-broker-value");
+      const keys = await listSecureKeysAsync();
+      expect(keys).toContain("broker-key-1");
+      expect(keys).toContain("legacy-key-1");
+      expect(keys).toContain("shared-key");
+      // Should be exactly 3 unique keys (no duplicates)
+      expect(keys.length).toBe(3);
+    });
 
-      // Sync write only updates encrypted store, NOT broker
-      setSecureKey("api-key", "new-encrypted-value");
+    test("returns only encrypted store keys when broker is unavailable", async () => {
+      // Broker unavailable (default state) — primary backend is encrypted store
+      encryptedStore.setKey("enc-key-1", "val1");
+      encryptedStore.setKey("enc-key-2", "val2");
 
-      // Encrypted-store-first read returns the fresh encrypted value,
-      // bypassing the stale broker entirely.
-      const value = await getSecureKeyAsync("api-key");
-      expect(value).toBe("new-encrypted-value");
-      expect(mockBrokerGetCalled).toBe(false);
+      const keys = await listSecureKeysAsync();
+      expect(keys).toContain("enc-key-1");
+      expect(keys).toContain("enc-key-2");
+      expect(keys.length).toBe(2);
     });
 
-    test("setSecureKeyAsync failure leaves both stores unchanged", async () => {
+    test("returns only encrypted store keys when VELLUM_DEV=1 (even if broker available)", async () => {
+      process.env.VELLUM_DEV = "1";
       mockBrokerAvailable = true;
-      mockBrokerSetError = true;
-      mockBrokerStore.set("api-key", "original-value");
-      setSecureKey("api-key", "original-value");
+      _resetBackend();
 
-      const ok = await setSecureKeyAsync("api-key", "new-value");
-      expect(ok).toBe(false);
+      // Broker has keys that should be ignored
+      mockBrokerStore.set("broker-only", "val1");
 
-      // Both stores should retain original value — no partial update
-      expect(mockBrokerStore.get("api-key")).toBe("original-value");
-      expect(getSecureKey("api-key")).toBe("original-value");
+      // Encrypted store has keys
+      encryptedStore.setKey("dev-key-1", "val2");
+      encryptedStore.setKey("dev-key-2", "val3");
+
+      const keys = await listSecureKeysAsync();
+      expect(keys).toContain("dev-key-1");
+      expect(keys).toContain("dev-key-2");
+      // broker-only key should NOT appear since primary backend is encrypted store
+      expect(keys).not.toContain("broker-only");
+      expect(keys.length).toBe(2);
     });
 
-    test("deleteSecureKeyAsync failure leaves both stores unchanged", async () => {
+    test("returns broker-only keys when encrypted store is empty", async () => {
       mockBrokerAvailable = true;
-      mockBrokerDelError = true;
-      mockBrokerStore.set("api-key", "value");
-      setSecureKey("api-key", "value");
+      _resetBackend();
 
-      const result = await deleteSecureKeyAsync("api-key");
-      expect(result).toBe("error");
+      mockBrokerStore.set("broker-key-1", "val1");
+      mockBrokerStore.set("broker-key-2", "val2");
 
-      // Both stores should retain the key — no partial deletion
-      expect(mockBrokerStore.has("api-key")).toBe(true);
-      expect(getSecureKey("api-key")).toBe("value");
+      const keys = await listSecureKeysAsync();
+      expect(keys).toContain("broker-key-1");
+      expect(keys).toContain("broker-key-2");
+      expect(keys.length).toBe(2);
     });
-  });
 
-  // -----------------------------------------------------------------------
-  // _setBackend / _resetBackend (no-ops kept for test compat)
-  // -----------------------------------------------------------------------
-  describe("_setBackend", () => {
-    test("_setBackend is a no-op but does not throw", () => {
-      _setBackend("encrypted");
-      setSecureKey("test", "value");
-      expect(existsSync(STORE_PATH)).toBe(true);
+    test("deduplicates keys that exist in both stores", async () => {
+      mockBrokerAvailable = true;
+      _resetBackend();
+
+      // Same key in both stores
+      mockBrokerStore.set("api-key", "broker-val");
+      encryptedStore.setKey("api-key", "enc-val");
+
+      const keys = await listSecureKeysAsync();
+      expect(keys).toContain("api-key");
+      // Only one copy, not two
+      expect(keys.length).toBe(1);
+      expect(keys.filter((k) => k === "api-key").length).toBe(1);
     });
 
-    test("_resetBackend is a no-op but does not throw", () => {
+    test("returns empty array when both stores are empty", async () => {
+      mockBrokerAvailable = true;
       _resetBackend();
-      setSecureKey("test", "value");
-      expect(getSecureKey("test")).toBe("value");
+
+      const keys = await listSecureKeysAsync();
+      expect(keys).toEqual([]);
     });
   });
 });

package/src/__tests__/session-abort-tool-results.test.ts

@@ -17,7 +17,6 @@ mock.module("../util/platform.js", () => ({
 }));
 
 mock.module("../memory/guardian-action-store.js", () => ({
-  getPendingDeliveryByConversation: () => null,
   getGuardianActionRequest: () => null,
   resolveGuardianActionRequest: () => {},
 }));