akm-cli 0.7.0 → 0.7.2

package/dist/tests/vault-qa-fixes.test.js

@@ -1,194 +0,0 @@
-import { afterAll, describe, expect, test } from "bun:test";
-import { spawnSync } from "node:child_process";
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { loadEnv, setKey } from "../src/commands/vault";
-// ── Helpers ──────────────────────────────────────────────────────────────────
-const tempDirs = [];
-function makeTempDir(prefix = "akm-vqa-") {
-    const dir = fs.mkdtempSync(path.join(os.tmpdir(), prefix));
-    tempDirs.push(dir);
-    return dir;
-}
-afterAll(() => {
-    for (const dir of tempDirs) {
-        fs.rmSync(dir, { recursive: true, force: true });
-    }
-});
-const xdgCache = makeTempDir("akm-vqa-cache-");
-const xdgConfig = makeTempDir("akm-vqa-config-");
-const isolatedHome = makeTempDir("akm-vqa-home-");
-const repoRoot = path.resolve(import.meta.dir, "..");
-const cliPath = path.join(repoRoot, "src", "cli.ts");
-function runCli(args, extraEnv = {}) {
-    const result = spawnSync("bun", [cliPath, ...args], {
-        encoding: "utf8",
-        timeout: 30_000,
-        cwd: repoRoot,
-        env: {
-            ...process.env,
-            HOME: isolatedHome,
-            XDG_CACHE_HOME: xdgCache,
-            XDG_CONFIG_HOME: xdgConfig,
-            AKM_STASH_DIR: undefined,
-            ...extraEnv,
-        },
-    });
-    return {
-        stdout: result.stdout ?? "",
-        stderr: result.stderr ?? "",
-        status: result.status ?? 1,
-    };
-}
-// ── setKey comment parameter (unit tests) ────────────────────────────────────
-describe("setKey: comment parameter", () => {
-    test("1. writes a new key with a leading comment line when comment provided", () => {
-        const dir = makeTempDir();
-        const fp = path.join(dir, "v.env");
-        setKey(fp, "DB_URL", "postgres://localhost/mydb", "database connection string");
-        const text = fs.readFileSync(fp, "utf8");
-        const lines = text.split("\n").filter((l) => l.length > 0);
-        const commentIdx = lines.indexOf("# database connection string");
-        const keyIdx = lines.findIndex((l) => l.startsWith("DB_URL="));
-        expect(commentIdx).toBeGreaterThanOrEqual(0);
-        expect(keyIdx).toBe(commentIdx + 1);
-        expect(loadEnv(fp).DB_URL).toBe("postgres://localhost/mydb");
-    });
-    test("2. updates an existing comment line in-place when the key is overwritten with a new comment", () => {
-        const dir = makeTempDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "# old comment\nDB_URL=postgres://old\n");
-        setKey(fp, "DB_URL", "postgres://new", "new comment");
-        const text = fs.readFileSync(fp, "utf8");
-        expect(text).toContain("# new comment");
-        expect(text).not.toContain("# old comment");
-        expect(loadEnv(fp).DB_URL).toBe("postgres://new");
-        // Comment line should immediately precede the key line
-        const lines = text.split("\n").filter((l) => l.length > 0);
-        const commentIdx = lines.indexOf("# new comment");
-        const keyIdx = lines.findIndex((l) => l.startsWith("DB_URL="));
-        expect(keyIdx).toBe(commentIdx + 1);
-    });
-    test("3. inserts a new comment before an existing key that lacks one", () => {
-        const dir = makeTempDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "FOO=bar\nDB_URL=postgres://old\nBAZ=qux\n");
-        setKey(fp, "DB_URL", "postgres://new", "injected comment");
-        const text = fs.readFileSync(fp, "utf8");
-        expect(text).toContain("# injected comment");
-        const lines = text.split("\n").filter((l) => l.length > 0);
-        const commentIdx = lines.indexOf("# injected comment");
-        const keyIdx = lines.findIndex((l) => l.startsWith("DB_URL="));
-        expect(keyIdx).toBe(commentIdx + 1);
-        // Other keys preserved
-        expect(loadEnv(fp).FOO).toBe("bar");
-        expect(loadEnv(fp).BAZ).toBe("qux");
-    });
-    test("4. without comment does not modify surrounding comments", () => {
-        const dir = makeTempDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "# original comment\nDB_URL=old\n");
-        setKey(fp, "DB_URL", "new");
-        const text = fs.readFileSync(fp, "utf8");
-        expect(text).toContain("# original comment");
-        expect(loadEnv(fp).DB_URL).toBe("new");
-    });
-});
-// ── vault show alias (CLI tests) ─────────────────────────────────────────────
-describe("vault show: alias for vault list <ref>", () => {
-    test("5. vault show vault:prod matches vault list vault:prod output", () => {
-        const stashDir = makeTempDir("akm-vqa-stash-");
-        fs.mkdirSync(path.join(stashDir, "vaults"), { recursive: true });
-        fs.writeFileSync(path.join(stashDir, "vaults", "prod.env"), "# production keys\nAPI_KEY=secret\nDB_PASS=hidden\n", "utf8");
-        const listResult = runCli(["vault", "list", "vault:prod"], { AKM_STASH_DIR: stashDir });
-        const showResult = runCli(["vault", "show", "vault:prod"], { AKM_STASH_DIR: stashDir });
-        expect(listResult.status).toBe(0);
-        expect(showResult.status).toBe(0);
-        const listParsed = JSON.parse(listResult.stdout.trim());
-        const showParsed = JSON.parse(showResult.stdout.trim());
-        expect(showParsed).toEqual(listParsed);
-    });
-});
-describe("vault list: output flags with optional ref", () => {
-    test("6. vault list --format json returns the vault list, not a vault:json error", () => {
-        const stashDir = makeTempDir("akm-vqa-stash-");
-        fs.mkdirSync(path.join(stashDir, "vaults"), { recursive: true });
-        fs.writeFileSync(path.join(stashDir, "vaults", "prod.env"), "API_KEY=secret\n", "utf8");
-        const result = runCli(["vault", "list", "--format", "json"], { AKM_STASH_DIR: stashDir });
-        expect(result.status).toBe(0);
-        expect(result.stderr).not.toContain("Vault not found: vault:json");
-        const parsed = JSON.parse(result.stdout.trim());
-        expect(parsed.vaults).toEqual([
-            expect.objectContaining({
-                ref: "vault:prod",
-                path: path.join(stashDir, "vaults", "prod.env"),
-                keyCount: 1,
-            }),
-        ]);
-    });
-    test("7. vault list json --format json still treats json as the ref", () => {
-        const stashDir = makeTempDir("akm-vqa-stash-");
-        fs.mkdirSync(path.join(stashDir, "vaults"), { recursive: true });
-        fs.writeFileSync(path.join(stashDir, "vaults", "json.env"), "# json vault\nAPI_KEY=secret\n", "utf8");
-        const result = runCli(["vault", "list", "json", "--format", "json"], { AKM_STASH_DIR: stashDir });
-        expect(result.status).toBe(0);
-        const parsed = JSON.parse(result.stdout.trim());
-        expect(parsed).toMatchObject({
-            ref: "vault:json",
-            path: path.join(stashDir, "vaults", "json.env"),
-            entries: [expect.objectContaining({ key: "API_KEY" })],
-        });
-    });
-});
-// ── vault set combined KEY=VALUE form (CLI tests) ────────────────────────────
-describe("vault set: KEY=VALUE combined form", () => {
-    test("8. vault set prod KEY=value succeeds and writes KEY=value", () => {
-        const stashDir = makeTempDir("akm-vqa-stash-");
-        fs.mkdirSync(path.join(stashDir, "vaults"), { recursive: true });
-        fs.writeFileSync(path.join(stashDir, "vaults", "prod.env"), "", "utf8");
-        const result = runCli(["vault", "set", "prod", "MY_KEY=myvalue"], { AKM_STASH_DIR: stashDir });
-        expect(result.status).toBe(0);
-        const vaultPath = path.join(stashDir, "vaults", "prod.env");
-        expect(loadEnv(vaultPath).MY_KEY).toBe("myvalue");
-    });
-    test("9. vault set prod KEY value (3-arg form) still works", () => {
-        const stashDir = makeTempDir("akm-vqa-stash-");
-        fs.mkdirSync(path.join(stashDir, "vaults"), { recursive: true });
-        fs.writeFileSync(path.join(stashDir, "vaults", "prod.env"), "", "utf8");
-        const result = runCli(["vault", "set", "prod", "ANOTHER_KEY", "anothervalue"], { AKM_STASH_DIR: stashDir });
-        expect(result.status).toBe(0);
-        const vaultPath = path.join(stashDir, "vaults", "prod.env");
-        expect(loadEnv(vaultPath).ANOTHER_KEY).toBe("anothervalue");
-    });
-    test("10. vault set prod KEY=val1=val2 writes KEY with value val1=val2 (split on first =)", () => {
-        const stashDir = makeTempDir("akm-vqa-stash-");
-        fs.mkdirSync(path.join(stashDir, "vaults"), { recursive: true });
-        fs.writeFileSync(path.join(stashDir, "vaults", "prod.env"), "", "utf8");
-        const result = runCli(["vault", "set", "prod", "COMPLEX_KEY=val1=val2"], { AKM_STASH_DIR: stashDir });
-        expect(result.status).toBe(0);
-        const vaultPath = path.join(stashDir, "vaults", "prod.env");
-        expect(loadEnv(vaultPath).COMPLEX_KEY).toBe("val1=val2");
-    });
-});
-// ── vault set --comment flag (CLI tests) ─────────────────────────────────────
-describe("vault set: --comment flag", () => {
-    test("11. vault set prod KEY val --comment writes a comment line above the key", () => {
-        const stashDir = makeTempDir("akm-vqa-stash-");
-        fs.mkdirSync(path.join(stashDir, "vaults"), { recursive: true });
-        fs.writeFileSync(path.join(stashDir, "vaults", "prod.env"), "", "utf8");
-        const result = runCli(["vault", "set", "prod", "AUTH_TOKEN", "tok123", "--comment", "auth secret"], {
-            AKM_STASH_DIR: stashDir,
-        });
-        expect(result.status).toBe(0);
-        const vaultPath = path.join(stashDir, "vaults", "prod.env");
-        const text = fs.readFileSync(vaultPath, "utf8");
-        expect(text).toContain("# auth secret");
-        const lines = text.split("\n").filter((l) => l.length > 0);
-        const commentIdx = lines.indexOf("# auth secret");
-        const keyIdx = lines.findIndex((l) => l.startsWith("AUTH_TOKEN="));
-        expect(commentIdx).toBeGreaterThanOrEqual(0);
-        expect(keyIdx).toBe(commentIdx + 1);
-        expect(loadEnv(vaultPath).AUTH_TOKEN).toBe("tok123");
-    });
-});

package/dist/tests/vault.test.js

@@ -1,429 +0,0 @@
-import { afterAll, afterEach, beforeEach, describe, expect, test } from "bun:test";
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { buildShellExportScript, createVault, injectIntoEnv, listKeys, loadEnv, setKey, unsetKey, } from "../src/commands/vault";
-import { getDbPath } from "../src/core/paths";
-import { closeDatabase, getAllEntries, openDatabase } from "../src/indexer/db";
-import { akmIndex } from "../src/indexer/indexer";
-// ── Test fixtures ───────────────────────────────────────────────────────────
-const createdTmpDirs = [];
-function tmpDir(label = "vault") {
-    const dir = fs.mkdtempSync(path.join(os.tmpdir(), `akm-${label}-`));
-    createdTmpDirs.push(dir);
-    return dir;
-}
-afterAll(() => {
-    for (const dir of createdTmpDirs) {
-        fs.rmSync(dir, { recursive: true, force: true });
-    }
-});
-// ── listKeys ────────────────────────────────────────────────────────────────
-describe("listKeys", () => {
-    test("returns keys + comments only, no values", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, ["# top comment", "DB_URL=postgres://example", "API_TOKEN=secret-value-do-not-leak", "# bottom comment"].join("\n"));
-        const result = listKeys(fp);
-        expect(result.keys).toEqual(["DB_URL", "API_TOKEN"]);
-        expect(result.comments).toEqual(["top comment", "bottom comment"]);
-        // Sanity: the function's return shape has no value-bearing field
-        expect(Object.keys(result).sort()).toEqual(["comments", "keys"]);
-    });
-    test("captures only start-of-line comments, never trailing/inline", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, [
-            "# header comment",
-            "  # indented comment",
-            "FOO=bar # trailing-comment-not-extracted",
-            "BAZ=qux",
-            "# footer comment",
-        ].join("\n"));
-        const result = listKeys(fp);
-        expect(result.comments).toEqual(["header comment", "indented comment", "footer comment"]);
-        // The trailing-comment text must not leak in via comments
-        expect(result.comments.join(" ")).not.toContain("trailing-comment-not-extracted");
-    });
-    test("preserves key order and de-duplicates", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "FOO=first\nBAR=middle\nFOO=second\n");
-        expect(listKeys(fp).keys).toEqual(["FOO", "BAR"]);
-    });
-    test("recognises `export KEY=value`", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "export FOO=bar\n");
-        expect(listKeys(fp).keys).toEqual(["FOO"]);
-    });
-    test("returns empty result for missing file", () => {
-        const result = listKeys(path.join(tmpDir(), "missing.env"));
-        expect(result).toEqual({ keys: [], comments: [] });
-    });
-});
-// ── loadEnv (delegates to dotenv) ───────────────────────────────────────────
-describe("loadEnv", () => {
-    test("returns parsed key/value pairs via dotenv", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, 'FOO=bar\nQUOTED="hello world"\nMULTI="line1\\nline2"\n');
-        const env = loadEnv(fp);
-        expect(env.FOO).toBe("bar");
-        expect(env.QUOTED).toBe("hello world");
-        expect(env.MULTI).toBe("line1\nline2");
-    });
-    test("returns empty object for missing file", () => {
-        expect(loadEnv(path.join(tmpDir(), "missing.env"))).toEqual({});
-    });
-});
-// ── setKey / unsetKey ───────────────────────────────────────────────────────
-describe("setKey", () => {
-    test("creates the file and parent directory if missing", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "vaults", "new.env");
-        setKey(fp, "FOO", "bar");
-        expect(fs.existsSync(fp)).toBe(true);
-        expect(fs.readFileSync(fp, "utf8")).toContain("FOO=bar");
-    });
-    test("preserves comments and order when adding a new key", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "# top\nFOO=one\n# middle\nBAR=two\n");
-        setKey(fp, "BAZ", "three");
-        const text = fs.readFileSync(fp, "utf8");
-        expect(text).toContain("# top");
-        expect(text).toContain("# middle");
-        expect(text).toContain("FOO=one");
-        expect(text).toContain("BAR=two");
-        expect(text).toContain("BAZ=three");
-        // New key appended after existing content (order preserved)
-        expect(text.indexOf("BAR=two")).toBeLessThan(text.indexOf("BAZ=three"));
-    });
-    test("replaces existing key in place", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "FOO=old\nBAR=keep\n");
-        setKey(fp, "FOO", "new");
-        const result = listKeys(fp);
-        expect(result.keys).toEqual(["FOO", "BAR"]);
-        expect(loadEnv(fp).FOO).toBe("new");
-        expect(loadEnv(fp).BAR).toBe("keep");
-    });
-    test("round-trips values containing whitespace, quotes, and special characters", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        setKey(fp, "FOO", "hello world");
-        setKey(fp, "BAR", 'has"quote');
-        setKey(fp, "BAZ", "trailing # not a comment");
-        setKey(fp, "EQ", "a=b=c");
-        setKey(fp, "BACK", "C:\\path\\to\\file");
-        setKey(fp, "APOS", "it's fine");
-        const env = loadEnv(fp);
-        expect(env.FOO).toBe("hello world");
-        expect(env.BAR).toBe('has"quote');
-        expect(env.BAZ).toBe("trailing # not a comment");
-        expect(env.EQ).toBe("a=b=c");
-        expect(env.BACK).toBe("C:\\path\\to\\file");
-        expect(env.APOS).toBe("it's fine");
-    });
-    test("rejects values containing newlines", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        expect(() => setKey(fp, "FOO", "line1\nline2")).toThrow();
-    });
-    test("rejects values containing both single and double quotes", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        expect(() => setKey(fp, "FOO", 'it\'s "complicated"')).toThrow();
-    });
-    test("rejects invalid key names", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        expect(() => setKey(fp, "1BAD", "x")).toThrow();
-        expect(() => setKey(fp, "WITH-DASH", "x")).toThrow();
-        expect(() => setKey(fp, "WITH SPACE", "x")).toThrow();
-    });
-    test("file is written with mode 0600", () => {
-        if (process.platform === "win32")
-            return; // chmod is best-effort on win32
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        setKey(fp, "FOO", "bar");
-        const stat = fs.statSync(fp);
-        expect(stat.mode & 0o777).toBe(0o600);
-    });
-});
-describe("unsetKey", () => {
-    test("removes a key and returns true", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "FOO=one\nBAR=two\n");
-        expect(unsetKey(fp, "FOO")).toBe(true);
-        expect(listKeys(fp).keys).toEqual(["BAR"]);
-    });
-    test("returns false when the key is absent", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "FOO=one\n");
-        expect(unsetKey(fp, "NOPE")).toBe(false);
-    });
-    test("returns false when the file does not exist", () => {
-        expect(unsetKey(path.join(tmpDir(), "missing.env"), "FOO")).toBe(false);
-    });
-});
-// ── createVault ─────────────────────────────────────────────────────────────
-describe("createVault", () => {
-    test("creates an empty file", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "vaults", "prod.env");
-        createVault(fp);
-        expect(fs.existsSync(fp)).toBe(true);
-        expect(fs.readFileSync(fp, "utf8")).toBe("");
-    });
-    test("does not overwrite an existing file", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "FOO=existing\n");
-        createVault(fp);
-        expect(loadEnv(fp).FOO).toBe("existing");
-    });
-});
-// ── injectIntoEnv ───────────────────────────────────────────────────────────
-describe("injectIntoEnv", () => {
-    test("assigns values into the supplied target and returns the list of keys set", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        fs.writeFileSync(fp, "ALPHA=one\nBETA=two\n");
-        const target = { PRE_EXISTING: "kept" };
-        const keys = injectIntoEnv(fp, target);
-        expect(keys.sort()).toEqual(["ALPHA", "BETA"]);
-        expect(target.ALPHA).toBe("one");
-        expect(target.BETA).toBe("two");
-        expect(target.PRE_EXISTING).toBe("kept");
-    });
-    test("returns empty list when the file is missing", () => {
-        const target = {};
-        expect(injectIntoEnv(path.join(tmpDir(), "missing.env"), target)).toEqual([]);
-        expect(target).toEqual({});
-    });
-});
-// ── quoteValue hardening (shell-metachar defence-in-depth) ──────────────────
-//
-// Even though `vault load` no longer `source`s the raw vault file (it
-// parses with dotenv and sources a safely-escaped temp file), the on-disk
-// vault format itself must be robust to direct `source` by any future
-// caller. These tests lock in that every non-trivial value is quoted.
-describe("setKey: shell-metachar hardening", () => {
-    test("values containing $, backticks, or $(...) are quoted on disk", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        setKey(fp, "DOLLAR", "abc$DEF");
-        setKey(fp, "BACKTICK", "pre`whoami`post");
-        setKey(fp, "CMDSUB", "pre$(id)post");
-        const raw = fs.readFileSync(fp, "utf8");
-        // None of these should appear as an unquoted assignment that a shell
-        // would expand on `source`. Our impl single-quotes them.
-        expect(raw).toMatch(/^DOLLAR='abc\$DEF'$/m);
-        expect(raw).toMatch(/^BACKTICK='pre`whoami`post'$/m);
-        expect(raw).toMatch(/^CMDSUB='pre\$\(id\)post'$/m);
-    });
-    test("values with shell-special chars ; & | * ? ( ) { } [ ] > < ~ ! are quoted", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        for (const [k, v] of Object.entries({
-            SEMI: "a;b",
-            AMP: "a&b",
-            PIPE: "a|b",
-            GLOB: "abc*",
-            QMARK: "abc?",
-            PAREN: "a(b)c",
-            BRACE: "a{b}c",
-            BRACK: "a[b]c",
-            REDIR: "a>b",
-            REDIR2: "a<b",
-            TILDE: "~/foo",
-            BANG: "a!b",
-        })) {
-            setKey(fp, k, v);
-        }
-        const raw = fs.readFileSync(fp, "utf8");
-        for (const line of raw.split("\n")) {
-            if (!line.includes("="))
-                continue;
-            const [, val] = line.match(/^[A-Z_]+=(.*)$/) ?? [];
-            if (!val)
-                continue;
-            // Any non-empty value must be quoted (either '...' or "...").
-            expect(val[0] === "'" || val[0] === '"').toBe(true);
-        }
-    });
-    test("round-trip preserves exact values through dotenv.parse", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        const payloads = {
-            DOLLAR: "abc$HOME",
-            BACKTICK: "pre`whoami`",
-            CMDSUB: "pre$(rm -rf /tmp/shouldnothappen)post",
-            GLOB: "*.env",
-            TILDE: "~/root",
-            SEMI: "a;b",
-            BANG: "echo!123",
-            AMPERSAND: "x && y",
-            NESTED: 'it has "double" quotes only',
-        };
-        for (const [k, v] of Object.entries(payloads))
-            setKey(fp, k, v);
-        const env = loadEnv(fp);
-        for (const [k, v] of Object.entries(payloads)) {
-            expect(env[k]).toBe(v);
-        }
-    });
-});
-// ── buildShellExportScript (vault load safety) ──────────────────────────────
-describe("buildShellExportScript", () => {
-    test("emits export lines with `'\\''` escaping; no expansion-triggering syntax", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        setKey(fp, "PLAIN", "hello");
-        setKey(fp, "DOLLAR", "abc$HOME");
-        setKey(fp, "APOS", "it's fine");
-        const script = buildShellExportScript(fp);
-        // Every line must be a single-quoted export assignment.
-        for (const line of script.split("\n").filter(Boolean)) {
-            expect(line).toMatch(/^export [A-Za-z_][A-Za-z0-9_]*='.*'$/);
-        }
-        expect(script).toContain("export PLAIN='hello'");
-        expect(script).toContain("export DOLLAR='abc$HOME'");
-        // Single quote inside value must be encoded as '\''
-        expect(script).toContain("export APOS='it'\\''s fine'");
-    });
-    test("sourcing the emitted script populates env without executing payloads", () => {
-        const dir = tmpDir();
-        const fp = path.join(dir, "v.env");
-        // The "value" is designed to execute `touch evidence` if it ever
-        // reaches a shell without quoting; a safe implementation must keep it
-        // literal.
-        const evidence = path.join(dir, "evidence");
-        setKey(fp, "EVIL", `$(touch ${evidence})`);
-        setKey(fp, "OK", "ok-value");
-        const script = buildShellExportScript(fp);
-        const scriptPath = path.join(dir, "source-me.sh");
-        fs.writeFileSync(scriptPath, script);
-        const { spawnSync } = require("node:child_process");
-        const result = spawnSync("bash", ["-c", `set -eu; . '${scriptPath}'; printf '%s\\n' "$EVIL" "$OK"`], {
-            encoding: "utf8",
-        });
-        expect(result.status).toBe(0);
-        const [evilOut, okOut] = (result.stdout ?? "").split("\n");
-        // EVIL must come back as the literal string — not executed.
-        expect(evilOut).toBe(`$(touch ${evidence})`);
-        expect(okOut).toBe("ok-value");
-        // The command substitution must NOT have run.
-        expect(fs.existsSync(evidence)).toBe(false);
-    });
-});
-// ── Indexer leakage safety (the critical security test) ─────────────────────
-const originalXdgConfig = process.env.XDG_CONFIG_HOME;
-const originalXdgCache = process.env.XDG_CACHE_HOME;
-const originalAkmStash = process.env.AKM_STASH_DIR;
-let testConfigDir = "";
-let testCacheDir = "";
-beforeEach(() => {
-    testConfigDir = fs.mkdtempSync(path.join(os.tmpdir(), "akm-vault-config-"));
-    testCacheDir = fs.mkdtempSync(path.join(os.tmpdir(), "akm-vault-cache-"));
-    process.env.XDG_CONFIG_HOME = testConfigDir;
-    process.env.XDG_CACHE_HOME = testCacheDir;
-    const dbPath = getDbPath();
-    for (const f of [dbPath, `${dbPath}-wal`, `${dbPath}-shm`]) {
-        try {
-            fs.unlinkSync(f);
-        }
-        catch {
-            /* ignore */
-        }
-    }
-});
-afterEach(() => {
-    if (originalXdgConfig === undefined)
-        delete process.env.XDG_CONFIG_HOME;
-    else
-        process.env.XDG_CONFIG_HOME = originalXdgConfig;
-    if (originalXdgCache === undefined)
-        delete process.env.XDG_CACHE_HOME;
-    else
-        process.env.XDG_CACHE_HOME = originalXdgCache;
-    if (originalAkmStash === undefined)
-        delete process.env.AKM_STASH_DIR;
-    else
-        process.env.AKM_STASH_DIR = originalAkmStash;
-    if (testConfigDir)
-        fs.rmSync(testConfigDir, { recursive: true, force: true });
-    if (testCacheDir)
-        fs.rmSync(testCacheDir, { recursive: true, force: true });
-});
-const SECRET_VALUE = "correct-horse-battery-staple-do-not-leak";
-describe("vault indexer safety", () => {
-    test("vault values never appear in the FTS index, search_text, or entry_json", async () => {
-        const stashDir = fs.mkdtempSync(path.join(os.tmpdir(), "akm-vault-stash-"));
-        createdTmpDirs.push(stashDir);
-        fs.mkdirSync(path.join(stashDir, "vaults"), { recursive: true });
-        const vaultPath = path.join(stashDir, "vaults", "prod.env");
-        fs.writeFileSync(vaultPath, [
-            "# Production secrets",
-            `SECRET_TOKEN=${SECRET_VALUE}`,
-            "DB_PASSWORD=another-secret-pa55w0rd",
-            "# Last rotated 2026-04-01",
-        ].join("\n"));
-        process.env.AKM_STASH_DIR = stashDir;
-        const result = await akmIndex({ stashDir, full: true });
-        expect(result.totalEntries).toBe(1);
-        const db = openDatabase();
-        try {
-            const entries = getAllEntries(db);
-            expect(entries.length).toBe(1);
-            const vaultEntry = entries[0];
-            // 1. The entry is classified as vault
-            expect(vaultEntry.entry.type).toBe("vault");
-            expect(vaultEntry.entry.name).toBe("prod");
-            // 2. Keys are exposed via searchHints
-            expect(vaultEntry.entry.searchHints).toContain("SECRET_TOKEN");
-            expect(vaultEntry.entry.searchHints).toContain("DB_PASSWORD");
-            // 3. Comments are surfaced in the description
-            expect(vaultEntry.entry.description).toContain("Production secrets");
-            // 4. CRITICAL: the secret value is nowhere in the persisted record
-            const json = JSON.stringify(vaultEntry);
-            expect(json).not.toContain(SECRET_VALUE);
-            expect(json).not.toContain("another-secret-pa55w0rd");
-            const rows = db.query("SELECT search_text, entry_json FROM entries WHERE entry_type = ?").all("vault");
-            expect(rows.length).toBe(1);
-            expect(rows[0].search_text ?? "").not.toContain(SECRET_VALUE);
-            expect(rows[0].entry_json).not.toContain(SECRET_VALUE);
-            const ftsHit = db
-                .query("SELECT count(*) AS c FROM entries_fts WHERE entries_fts MATCH ?")
-                .get("correct");
-            expect(ftsHit.c).toBe(0);
-        }
-        finally {
-            closeDatabase(db);
-        }
-    });
-    test("vault entries are searchable by key name", async () => {
-        const stashDir = fs.mkdtempSync(path.join(os.tmpdir(), "akm-vault-stash-"));
-        createdTmpDirs.push(stashDir);
-        fs.mkdirSync(path.join(stashDir, "vaults"), { recursive: true });
-        fs.writeFileSync(path.join(stashDir, "vaults", "prod.env"), "STRIPE_API_KEY=sk_test_xxx\n");
-        process.env.AKM_STASH_DIR = stashDir;
-        await akmIndex({ stashDir, full: true });
-        const db = openDatabase();
-        try {
-            const hit = db
-                .query("SELECT count(*) AS c FROM entries_fts WHERE entries_fts MATCH ?")
-                .get("STRIPE_API_KEY");
-            expect(hit.c).toBe(1);
-        }
-        finally {
-            closeDatabase(db);
-        }
-    });
-});