@vellumai/credential-executor 0.7.0 → 0.7.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/credential-executor",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "license": "MIT",
   "type": "module",
   "exports": {
@@ -8,7 +8,8 @@
   },
   "bin": {
     "credential-executor": "./src/main.ts",
-    "credential-executor-managed": "./src/managed-main.ts"
+    "credential-executor-managed": "./src/managed-main.ts",
+    "ces": "./src/cli.ts"
   },
   "scripts": {
     "dev": "bun run src/main.ts",

package/src/__tests__/ces-migrations-002-api-keys.test.ts

@@ -0,0 +1,185 @@
+import { describe, expect, test } from "bun:test";
+
+import { apiKeyToCredentialsMigration } from "../migrations/002-api-keys-to-credentials.js";
+import type { SecureKeyBackend } from "@vellumai/credential-storage";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Creates an in-memory SecureKeyBackend backed by a Map<string, string>.
+ * Allows us to assert state before/after migration without relying on mocked
+ * function call tracking.
+ */
+function makeMapBackend(
+  initial: Record<string, string> = {},
+): SecureKeyBackend & { store: Map<string, string> } {
+  const store = new Map<string, string>(Object.entries(initial));
+  return {
+    store,
+    get: (_key: string) => Promise.resolve(store.get(_key)),
+    set: (_key: string, value: string) => {
+      store.set(_key, value);
+      return Promise.resolve(true);
+    },
+    delete: (_key: string) => {
+      const existed = store.has(_key);
+      store.delete(_key);
+      return Promise.resolve({ deleted: existed });
+    },
+    list: () => Promise.resolve([...store.keys()]),
+  } as unknown as SecureKeyBackend & { store: Map<string, string> };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("apiKeyToCredentialsMigration (002)", () => {
+  // -------------------------------------------------------------------------
+  // run()
+  // -------------------------------------------------------------------------
+
+  describe("run()", () => {
+    test("bare key present — writes credential key and deletes bare key", async () => {
+      const backend = makeMapBackend({ anthropic: "sk-ant-123" });
+
+      await apiKeyToCredentialsMigration.run(backend);
+
+      expect(backend.store.get("credential/anthropic/api_key")).toBe(
+        "sk-ant-123",
+      );
+      expect(backend.store.has("anthropic")).toBe(false);
+    });
+
+    test("idempotent — credential key already exists: bare key deleted, credential value unchanged", async () => {
+      const backend = makeMapBackend({
+        anthropic: "sk-ant-new",
+        "credential/anthropic/api_key": "sk-ant-existing",
+      });
+
+      await apiKeyToCredentialsMigration.run(backend);
+
+      // Credential key must NOT be overwritten
+      expect(backend.store.get("credential/anthropic/api_key")).toBe(
+        "sk-ant-existing",
+      );
+      // Bare key must be removed
+      expect(backend.store.has("anthropic")).toBe(false);
+    });
+
+    test("no bare key for provider — no write and no delete for that provider", async () => {
+      // Store only has a key for openai; anthropic has nothing
+      const backend = makeMapBackend({ openai: "sk-openai-abc" });
+
+      await apiKeyToCredentialsMigration.run(backend);
+
+      // openai should be migrated
+      expect(backend.store.get("credential/openai/api_key")).toBe(
+        "sk-openai-abc",
+      );
+      expect(backend.store.has("openai")).toBe(false);
+
+      // anthropic: credential key should NOT exist (no accidental write)
+      expect(backend.store.has("credential/anthropic/api_key")).toBe(false);
+    });
+
+    test("multiple providers — each handled independently", async () => {
+      const backend = makeMapBackend({
+        anthropic: "sk-ant-multi",
+        openai: "sk-openai-multi",
+        gemini: "gemini-key",
+        brave: "brave-key",
+      });
+
+      await apiKeyToCredentialsMigration.run(backend);
+
+      // All bare keys gone
+      for (const provider of ["anthropic", "openai", "gemini", "brave"]) {
+        expect(backend.store.has(provider)).toBe(false);
+      }
+
+      // All credential keys present
+      expect(backend.store.get("credential/anthropic/api_key")).toBe(
+        "sk-ant-multi",
+      );
+      expect(backend.store.get("credential/openai/api_key")).toBe(
+        "sk-openai-multi",
+      );
+      expect(backend.store.get("credential/gemini/api_key")).toBe("gemini-key");
+      expect(backend.store.get("credential/brave/api_key")).toBe("brave-key");
+
+      // Providers that had no bare key should have no credential key
+      for (const provider of [
+        "ollama",
+        "fireworks",
+        "openrouter",
+        "perplexity",
+        "deepgram",
+        "xai",
+      ]) {
+        expect(backend.store.has(`credential/${provider}/api_key`)).toBe(false);
+      }
+    });
+
+    test("set() failure — bare key preserved, credential key absent", async () => {
+      const backend = makeMapBackend({ anthropic: "sk-ant-123" });
+      // Simulate a write failure
+      backend.set = (_key: string, _value: string) => Promise.resolve(false);
+
+      await apiKeyToCredentialsMigration.run(backend);
+
+      // Bare key must survive — it was not deleted because set() failed
+      expect(backend.store.get("anthropic")).toBe("sk-ant-123");
+      // Credential key must not exist
+      expect(backend.store.has("credential/anthropic/api_key")).toBe(false);
+    });
+
+    test("run() is idempotent — running twice leaves store in same state as once", async () => {
+      const backend = makeMapBackend({
+        anthropic: "sk-ant-idem",
+        openai: "sk-openai-idem",
+      });
+
+      await apiKeyToCredentialsMigration.run(backend);
+      // Capture state after first run
+      const afterFirst = new Map(backend.store);
+
+      await apiKeyToCredentialsMigration.run(backend);
+      // State after second run must match first run
+      expect(backend.store).toEqual(afterFirst);
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // down()
+  // -------------------------------------------------------------------------
+
+  describe("down()", () => {
+    test("reverses a migrated key back to bare name", async () => {
+      const backend = makeMapBackend({
+        "credential/anthropic/api_key": "sk-ant-rev",
+      });
+
+      await apiKeyToCredentialsMigration.down(backend);
+
+      expect(backend.store.get("anthropic")).toBe("sk-ant-rev");
+      expect(backend.store.has("credential/anthropic/api_key")).toBe(false);
+    });
+
+    test("idempotent — bare key already exists: credential key deleted, bare key value unchanged", async () => {
+      const backend = makeMapBackend({
+        "credential/anthropic/api_key": "sk-ant-cred",
+        anthropic: "sk-ant-original",
+      });
+
+      await apiKeyToCredentialsMigration.down(backend);
+
+      // Bare key value must NOT be overwritten
+      expect(backend.store.get("anthropic")).toBe("sk-ant-original");
+      // Credential key must be removed
+      expect(backend.store.has("credential/anthropic/api_key")).toBe(false);
+    });
+  });
+});

package/src/__tests__/ces-migrations-runner.test.ts

@@ -0,0 +1,227 @@
+import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
+
+import type { SecureKeyBackend } from "@vellumai/credential-storage";
+
+import type { CesMigration } from "../migrations/types.js";
+
+// ---------------------------------------------------------------------------
+// Mock state
+// ---------------------------------------------------------------------------
+
+let mockFileExists = false;
+let mockFileContents: string | null = null;
+let useMocks = true;
+
+const existsSyncFn = mock((_path: string): boolean => mockFileExists);
+const mkdirSyncFn = mock((): void => {});
+const readFileSyncFn = mock((): string => {
+  if (mockFileContents === null) {
+    throw Object.assign(new Error("ENOENT"), { code: "ENOENT" });
+  }
+  return mockFileContents;
+});
+const writeFileSyncFn = mock((): void => {});
+const renameSyncFn = mock((): void => {});
+const logWarnFn = mock((): void => {});
+const logInfoFn = mock((): void => {});
+const logErrorFn = mock((..._args: unknown[]): void => {});
+
+// ---------------------------------------------------------------------------
+// Mock modules — before importing module under test
+//
+// mock.module is process-global in bun. To avoid poisoning other test files,
+// each overridden function delegates to a real implementation (captured via
+// require() before mocking) once `useMocks` is flipped false in afterAll.
+// All other node:fs exports are forwarded unchanged.
+// ---------------------------------------------------------------------------
+
+/* eslint-disable @typescript-eslint/no-require-imports, @typescript-eslint/no-var-requires */
+const _realFs = require("node:fs");
+/* eslint-enable @typescript-eslint/no-require-imports, @typescript-eslint/no-var-requires */
+
+mock.module("node:fs", () => {
+  const proxy: Record<string, unknown> = {};
+  // Forward every export from the real module.
+  for (const key of Object.keys(_realFs)) {
+    proxy[key] = _realFs[key];
+  }
+  // Override only the five functions the migration runner uses.
+  // The proxy captures args as any[] and delegates to either our mocks or the
+  // real fs. We cast through Function.apply to satisfy overloaded signatures.
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  type AnyFn = (...args: any[]) => any;
+  proxy.existsSync = (...a: unknown[]) =>
+    useMocks ? existsSyncFn(a[0] as string) : (_realFs.existsSync as AnyFn)(...a);
+  proxy.mkdirSync = (...a: unknown[]) =>
+    useMocks ? (mkdirSyncFn as AnyFn)(...a) : (_realFs.mkdirSync as AnyFn)(...a);
+  proxy.readFileSync = (...a: unknown[]) =>
+    useMocks ? (readFileSyncFn as AnyFn)(...a) : (_realFs.readFileSync as AnyFn)(...a);
+  proxy.writeFileSync = (...a: unknown[]) =>
+    useMocks ? (writeFileSyncFn as AnyFn)(...a) : (_realFs.writeFileSync as AnyFn)(...a);
+  proxy.renameSync = (...a: unknown[]) =>
+    useMocks ? (renameSyncFn as AnyFn)(...a) : (_realFs.renameSync as AnyFn)(...a);
+  return proxy;
+});
+
+// Intercept pino at the package level (same technique as workspace-migrations-runner.test.ts)
+// so that the lazy proxy in getLogger() returns our mock child logger.
+const mockChildLogger = {
+  debug: (): void => {},
+  info: logInfoFn,
+  warn: logWarnFn,
+  error: logErrorFn,
+  child: () => mockChildLogger,
+};
+const mockPinoLogger = Object.assign(() => mockChildLogger, {
+  destination: () => ({}),
+  multistream: () => ({}),
+});
+mock.module("pino", () => ({ default: mockPinoLogger }));
+mock.module("pino-pretty", () => ({ default: (): object => ({}) }));
+
+// Import after mocking
+import { runCesMigrations } from "../migrations/runner.js";
+
+// ---------------------------------------------------------------------------
+// Restore real behavior after all tests so other files aren't poisoned.
+// ---------------------------------------------------------------------------
+afterAll(() => {
+  useMocks = false;
+});
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const CES_DATA_ROOT = "/tmp/test-ces";
+
+function makeBackend(): SecureKeyBackend {
+  return {
+    get: mock(() => Promise.resolve(undefined)),
+    set: mock(() => Promise.resolve(true)),
+    delete: mock(() => Promise.resolve({ deleted: true })),
+    list: mock(() => Promise.resolve([])),
+  } as unknown as SecureKeyBackend;
+}
+
+function makeMigration(id: string): CesMigration {
+  return {
+    id,
+    description: `Migration ${id}`,
+    run: mock((): void => {}),
+    down: mock((): void => {}),
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("runCesMigrations", () => {
+  beforeEach(() => {
+    mockFileExists = false;
+    mockFileContents = null;
+    existsSyncFn.mockClear();
+    mkdirSyncFn.mockClear();
+    readFileSyncFn.mockClear();
+    writeFileSyncFn.mockClear();
+    renameSyncFn.mockClear();
+    logWarnFn.mockClear();
+    logInfoFn.mockClear();
+    logErrorFn.mockClear();
+  });
+
+  test("fresh install — no checkpoint file — runs all migrations", async () => {
+    const backend = makeBackend();
+    const m1 = makeMigration("001");
+    const m2 = makeMigration("002");
+
+    await runCesMigrations(CES_DATA_ROOT, backend, [m1, m2]);
+
+    expect(m1.run).toHaveBeenCalledTimes(1);
+    expect(m2.run).toHaveBeenCalledTimes(1);
+    expect(m1.run).toHaveBeenCalledWith(backend);
+  });
+
+  test("already-completed migration is skipped", async () => {
+    mockFileExists = true;
+    mockFileContents = JSON.stringify({
+      applied: {
+        "001": { appliedAt: "2025-01-01T00:00:00.000Z", status: "completed" },
+      },
+    });
+    const backend = makeBackend();
+    const m1 = makeMigration("001");
+    const m2 = makeMigration("002");
+
+    await runCesMigrations(CES_DATA_ROOT, backend, [m1, m2]);
+
+    expect(m1.run).not.toHaveBeenCalled();
+    expect(m2.run).toHaveBeenCalledTimes(1);
+  });
+
+  test("interrupted migration (started status) is re-run", async () => {
+    mockFileExists = true;
+    mockFileContents = JSON.stringify({
+      applied: {
+        "001": { appliedAt: "2025-01-01T00:00:00.000Z", status: "started" },
+      },
+    });
+    const backend = makeBackend();
+    const m1 = makeMigration("001");
+
+    await runCesMigrations(CES_DATA_ROOT, backend, [m1]);
+
+    expect(m1.run).toHaveBeenCalledTimes(1);
+    expect(logWarnFn).toHaveBeenCalled();
+  });
+
+  test("failed migration is NOT re-run", async () => {
+    mockFileExists = true;
+    mockFileContents = JSON.stringify({
+      applied: {
+        "001": { appliedAt: "2025-01-01T00:00:00.000Z", status: "failed" },
+      },
+    });
+    const backend = makeBackend();
+    const m1 = makeMigration("001");
+
+    await runCesMigrations(CES_DATA_ROOT, backend, [m1]);
+
+    expect(m1.run).not.toHaveBeenCalled();
+  });
+
+  test("duplicate migration IDs throw at startup", async () => {
+    const backend = makeBackend();
+    const m1 = makeMigration("001");
+    const m2 = makeMigration("001");
+
+    await expect(
+      runCesMigrations(CES_DATA_ROOT, backend, [m1, m2]),
+    ).rejects.toThrow('Duplicate CES migration id: "001"');
+
+    expect(m1.run).not.toHaveBeenCalled();
+  });
+
+  test("migration that throws is marked failed and startup continues", async () => {
+    const backend = makeBackend();
+    const m1 = makeMigration("001");
+    const m2 = makeMigration("002");
+    (m1.run as ReturnType<typeof mock>).mockImplementation((): never => {
+      throw new Error("m1 blew up");
+    });
+
+    await runCesMigrations(CES_DATA_ROOT, backend, [m1, m2]);
+
+    // m2 should still run after m1's failure
+    expect(m2.run).toHaveBeenCalledTimes(1);
+    // error was logged
+    expect(logErrorFn).toHaveBeenCalled();
+
+    // Checkpoint writes: started m1, failed m1, started m2, completed m2 = 4
+    expect(writeFileSyncFn).toHaveBeenCalledTimes(4);
+    const failedWrite = (writeFileSyncFn.mock.calls[1] as unknown[])[1] as string;
+    const failedParsed = JSON.parse(failedWrite);
+    expect(failedParsed.applied["001"].status).toBe("failed");
+  });
+});

package/src/__tests__/cli.test.ts

@@ -0,0 +1,139 @@
+/**
+ * CES CLI integration tests.
+ *
+ * Exercises the CLI entrypoint (src/cli.ts) against a temporary encrypted
+ * key store. Each test gets a fresh temp directory with its own keys.enc
+ * and store.key so tests are fully isolated.
+ */
+
+import { describe, expect, test, beforeEach, afterEach } from "bun:test";
+import { mkdirSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { randomUUID } from "node:crypto";
+import { tmpdir } from "node:os";
+
+const CLI_PATH = join(import.meta.dir, "..", "cli.ts");
+
+function makeTempDir(): string {
+  const dir = join(tmpdir(), `ces-cli-test-${randomUUID()}`);
+  mkdirSync(dir, { recursive: true });
+  return dir;
+}
+
+function runCli(
+  args: string[],
+  env: Record<string, string>,
+): { exitCode: number; stdout: string; stderr: string } {
+  const result = Bun.spawnSync(["bun", "run", CLI_PATH, ...args], {
+    env: { ...process.env, ...env },
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  return {
+    exitCode: result.exitCode,
+    stdout: result.stdout.toString(),
+    stderr: result.stderr.toString(),
+  };
+}
+
+describe("ces", () => {
+  let secDir: string;
+  let env: Record<string, string>;
+
+  beforeEach(() => {
+    secDir = makeTempDir();
+    env = { CREDENTIAL_SECURITY_DIR: secDir };
+  });
+
+  afterEach(() => {
+    rmSync(secDir, { recursive: true, force: true });
+  });
+
+  test("list on empty store shows no credentials", () => {
+    const { exitCode, stdout } = runCli(["list"], env);
+    expect(exitCode).toBe(0);
+    expect(stdout.trim()).toBe("(no credentials stored)");
+  });
+
+  test("set + get round-trip", () => {
+    const account = "credential/vellum/platform_organization_id";
+    const value = "test-org-uuid-1234";
+
+    const set = runCli(["set", account, value], env);
+    expect(set.exitCode).toBe(0);
+    expect(set.stdout).toContain(`Set: ${account}`);
+
+    const get = runCli(["get", account], env);
+    expect(get.exitCode).toBe(0);
+    expect(get.stdout).toBe(value);
+  });
+
+  test("list shows stored credentials", () => {
+    runCli(["set", "credential/vellum/org_id", "org-1"], env);
+    runCli(["set", "credential/vellum/user_id", "user-1"], env);
+
+    const { exitCode, stdout } = runCli(["list"], env);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain("credential/vellum/org_id");
+    expect(stdout).toContain("credential/vellum/user_id");
+  });
+
+  test("get on missing key exits 1", () => {
+    const { exitCode, stderr } = runCli(["get", "credential/nonexistent/key"], env);
+    expect(exitCode).toBe(1);
+    expect(stderr).toContain("Not found");
+  });
+
+  test("set + delete + get shows not found", () => {
+    const account = "credential/test/deleteme";
+    runCli(["set", account, "temporary"], env);
+
+    const del = runCli(["delete", account], env);
+    expect(del.exitCode).toBe(0);
+    expect(del.stdout).toContain("Deleted");
+
+    const get = runCli(["get", account], env);
+    expect(get.exitCode).toBe(1);
+    expect(get.stderr).toContain("Not found");
+  });
+
+  test("delete on missing key exits 1", () => {
+    const { exitCode, stderr } = runCli(["delete", "credential/nonexistent/key"], env);
+    expect(exitCode).toBe(1);
+    expect(stderr).toContain("Not found");
+  });
+
+  test("no args prints usage", () => {
+    const { exitCode, stdout } = runCli([], env);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain("CES CLI");
+    expect(stdout).toContain("ces list");
+  });
+
+  test("--help prints usage", () => {
+    const { exitCode, stdout } = runCli(["--help"], env);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain("CES CLI");
+  });
+
+  test("unknown command exits 1", () => {
+    const { exitCode, stderr } = runCli(["frobnicate"], env);
+    expect(exitCode).toBe(1);
+    expect(stderr).toContain("Unknown command");
+  });
+
+  test("set without value exits 1", () => {
+    const { exitCode, stderr } = runCli(["set", "credential/test/key"], env);
+    expect(exitCode).toBe(1);
+    expect(stderr).toContain("Usage");
+  });
+
+  test("overwrite existing credential", () => {
+    const account = "credential/vellum/overwrite_test";
+    runCli(["set", account, "first"], env);
+    runCli(["set", account, "second"], env);
+
+    const { stdout } = runCli(["get", account], env);
+    expect(stdout).toBe("second");
+  });
+});