comisai 1.0.10 → 1.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (251) hide show
  1. package/README.md +3 -3
  2. package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +1 -4
  3. package/node_modules/@comis/agent/package.json +1 -1
  4. package/node_modules/@comis/channels/package.json +1 -1
  5. package/node_modules/@comis/cli/dist/wizard/steps/06-channels.js +88 -11
  6. package/node_modules/@comis/cli/dist/wizard/steps/10-write-config.js +4 -0
  7. package/node_modules/@comis/cli/dist/wizard/types.d.ts +1 -0
  8. package/node_modules/@comis/cli/package.json +1 -1
  9. package/node_modules/@comis/core/package.json +1 -1
  10. package/node_modules/@comis/daemon/package.json +1 -1
  11. package/node_modules/@comis/gateway/package.json +1 -1
  12. package/node_modules/@comis/infra/package.json +1 -1
  13. package/node_modules/@comis/memory/package.json +1 -1
  14. package/node_modules/@comis/scheduler/package.json +1 -1
  15. package/node_modules/@comis/shared/package.json +1 -1
  16. package/node_modules/@comis/skills/package.json +1 -1
  17. package/package.json +18 -18
  18. package/node_modules/@comis/core/dist/approval/approval-gate.test.d.ts +0 -1
  19. package/node_modules/@comis/core/dist/approval/approval-gate.test.js +0 -1003
  20. package/node_modules/@comis/core/dist/bootstrap.test.d.ts +0 -1
  21. package/node_modules/@comis/core/dist/bootstrap.test.js +0 -150
  22. package/node_modules/@comis/core/dist/config/backup.test.d.ts +0 -1
  23. package/node_modules/@comis/core/dist/config/backup.test.js +0 -160
  24. package/node_modules/@comis/core/dist/config/env-substitution.test.d.ts +0 -1
  25. package/node_modules/@comis/core/dist/config/env-substitution.test.js +0 -259
  26. package/node_modules/@comis/core/dist/config/field-metadata.test.d.ts +0 -1
  27. package/node_modules/@comis/core/dist/config/field-metadata.test.js +0 -72
  28. package/node_modules/@comis/core/dist/config/git-manager.test.d.ts +0 -1
  29. package/node_modules/@comis/core/dist/config/git-manager.test.js +0 -1042
  30. package/node_modules/@comis/core/dist/config/immutable-keys.test.d.ts +0 -1
  31. package/node_modules/@comis/core/dist/config/immutable-keys.test.js +0 -283
  32. package/node_modules/@comis/core/dist/config/include-resolver.test.d.ts +0 -1
  33. package/node_modules/@comis/core/dist/config/include-resolver.test.js +0 -292
  34. package/node_modules/@comis/core/dist/config/layered.test.d.ts +0 -1
  35. package/node_modules/@comis/core/dist/config/layered.test.js +0 -211
  36. package/node_modules/@comis/core/dist/config/loader.test.d.ts +0 -1
  37. package/node_modules/@comis/core/dist/config/loader.test.js +0 -300
  38. package/node_modules/@comis/core/dist/config/migrate.test.d.ts +0 -1
  39. package/node_modules/@comis/core/dist/config/migrate.test.js +0 -244
  40. package/node_modules/@comis/core/dist/config/partial-validator.test.d.ts +0 -1
  41. package/node_modules/@comis/core/dist/config/partial-validator.test.js +0 -98
  42. package/node_modules/@comis/core/dist/config/schema-agent-model.test.d.ts +0 -1
  43. package/node_modules/@comis/core/dist/config/schema-agent-model.test.js +0 -279
  44. package/node_modules/@comis/core/dist/config/schema-agent-session.test.d.ts +0 -1
  45. package/node_modules/@comis/core/dist/config/schema-agent-session.test.js +0 -242
  46. package/node_modules/@comis/core/dist/config/schema-agent.test.d.ts +0 -1
  47. package/node_modules/@comis/core/dist/config/schema-agent.test.js +0 -645
  48. package/node_modules/@comis/core/dist/config/schema-channel.test.d.ts +0 -1
  49. package/node_modules/@comis/core/dist/config/schema-channel.test.js +0 -341
  50. package/node_modules/@comis/core/dist/config/schema-coalescer.test.d.ts +0 -1
  51. package/node_modules/@comis/core/dist/config/schema-coalescer.test.js +0 -51
  52. package/node_modules/@comis/core/dist/config/schema-context-engine.test.d.ts +0 -1
  53. package/node_modules/@comis/core/dist/config/schema-context-engine.test.js +0 -797
  54. package/node_modules/@comis/core/dist/config/schema-context-guard.test.d.ts +0 -1
  55. package/node_modules/@comis/core/dist/config/schema-context-guard.test.js +0 -111
  56. package/node_modules/@comis/core/dist/config/schema-daemon.test.d.ts +0 -1
  57. package/node_modules/@comis/core/dist/config/schema-daemon.test.js +0 -107
  58. package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.d.ts +0 -1
  59. package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.js +0 -51
  60. package/node_modules/@comis/core/dist/config/schema-documentation.test.d.ts +0 -1
  61. package/node_modules/@comis/core/dist/config/schema-documentation.test.js +0 -63
  62. package/node_modules/@comis/core/dist/config/schema-gateway.test.d.ts +0 -1
  63. package/node_modules/@comis/core/dist/config/schema-gateway.test.js +0 -219
  64. package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.d.ts +0 -1
  65. package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.js +0 -41
  66. package/node_modules/@comis/core/dist/config/schema-integrations.test.d.ts +0 -1
  67. package/node_modules/@comis/core/dist/config/schema-integrations.test.js +0 -92
  68. package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.d.ts +0 -1
  69. package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.js +0 -61
  70. package/node_modules/@comis/core/dist/config/schema-misc.test.d.ts +0 -1
  71. package/node_modules/@comis/core/dist/config/schema-misc.test.js +0 -394
  72. package/node_modules/@comis/core/dist/config/schema-observability.test.d.ts +0 -1
  73. package/node_modules/@comis/core/dist/config/schema-observability.test.js +0 -76
  74. package/node_modules/@comis/core/dist/config/schema-providers.test.d.ts +0 -1
  75. package/node_modules/@comis/core/dist/config/schema-providers.test.js +0 -294
  76. package/node_modules/@comis/core/dist/config/schema-queue.test.d.ts +0 -1
  77. package/node_modules/@comis/core/dist/config/schema-queue.test.js +0 -234
  78. package/node_modules/@comis/core/dist/config/schema-response-prefix.test.d.ts +0 -1
  79. package/node_modules/@comis/core/dist/config/schema-response-prefix.test.js +0 -36
  80. package/node_modules/@comis/core/dist/config/schema-security.test.d.ts +0 -1
  81. package/node_modules/@comis/core/dist/config/schema-security.test.js +0 -54
  82. package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.d.ts +0 -1
  83. package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.js +0 -60
  84. package/node_modules/@comis/core/dist/config/schema-serializer.test.d.ts +0 -1
  85. package/node_modules/@comis/core/dist/config/schema-serializer.test.js +0 -73
  86. package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.d.ts +0 -1
  87. package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.js +0 -39
  88. package/node_modules/@comis/core/dist/context/context.test.d.ts +0 -1
  89. package/node_modules/@comis/core/dist/context/context.test.js +0 -276
  90. package/node_modules/@comis/core/dist/domain/agent-response.test.d.ts +0 -1
  91. package/node_modules/@comis/core/dist/domain/agent-response.test.js +0 -159
  92. package/node_modules/@comis/core/dist/domain/credential-mapping.test.d.ts +0 -1
  93. package/node_modules/@comis/core/dist/domain/credential-mapping.test.js +0 -135
  94. package/node_modules/@comis/core/dist/domain/delivery-origin.test.d.ts +0 -1
  95. package/node_modules/@comis/core/dist/domain/delivery-origin.test.js +0 -68
  96. package/node_modules/@comis/core/dist/domain/execution-graph.test.d.ts +0 -1
  97. package/node_modules/@comis/core/dist/domain/execution-graph.test.js +0 -441
  98. package/node_modules/@comis/core/dist/domain/memory-entry.test.d.ts +0 -1
  99. package/node_modules/@comis/core/dist/domain/memory-entry.test.js +0 -193
  100. package/node_modules/@comis/core/dist/domain/normalized-message.test.d.ts +0 -1
  101. package/node_modules/@comis/core/dist/domain/normalized-message.test.js +0 -255
  102. package/node_modules/@comis/core/dist/domain/session-key.test.d.ts +0 -1
  103. package/node_modules/@comis/core/dist/domain/session-key.test.js +0 -291
  104. package/node_modules/@comis/core/dist/domain/subagent-context-config.test.d.ts +0 -1
  105. package/node_modules/@comis/core/dist/domain/subagent-context-config.test.js +0 -131
  106. package/node_modules/@comis/core/dist/domain/subagent-context-types.test.d.ts +0 -1
  107. package/node_modules/@comis/core/dist/domain/subagent-context-types.test.js +0 -182
  108. package/node_modules/@comis/core/dist/event-bus/bus.test.d.ts +0 -1
  109. package/node_modules/@comis/core/dist/event-bus/bus.test.js +0 -152
  110. package/node_modules/@comis/core/dist/event-bus/events-agent.test.d.ts +0 -1
  111. package/node_modules/@comis/core/dist/event-bus/events-agent.test.js +0 -409
  112. package/node_modules/@comis/core/dist/event-bus/events-channel.test.d.ts +0 -1
  113. package/node_modules/@comis/core/dist/event-bus/events-channel.test.js +0 -240
  114. package/node_modules/@comis/core/dist/event-bus/events-infra.test.d.ts +0 -1
  115. package/node_modules/@comis/core/dist/event-bus/events-infra.test.js +0 -416
  116. package/node_modules/@comis/core/dist/event-bus/events-messaging.test.d.ts +0 -1
  117. package/node_modules/@comis/core/dist/event-bus/events-messaging.test.js +0 -433
  118. package/node_modules/@comis/core/dist/event-bus/events.test.d.ts +0 -1
  119. package/node_modules/@comis/core/dist/event-bus/events.test.js +0 -93
  120. package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.d.ts +0 -1
  121. package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.js +0 -29
  122. package/node_modules/@comis/core/dist/hooks/hook-runner.test.d.ts +0 -1
  123. package/node_modules/@comis/core/dist/hooks/hook-runner.test.js +0 -490
  124. package/node_modules/@comis/core/dist/hooks/hook-strategies.test.d.ts +0 -1
  125. package/node_modules/@comis/core/dist/hooks/hook-strategies.test.js +0 -209
  126. package/node_modules/@comis/core/dist/hooks/integration.test.d.ts +0 -1
  127. package/node_modules/@comis/core/dist/hooks/integration.test.js +0 -235
  128. package/node_modules/@comis/core/dist/hooks/plugin-registry.test.d.ts +0 -1
  129. package/node_modules/@comis/core/dist/hooks/plugin-registry.test.js +0 -470
  130. package/node_modules/@comis/core/dist/load-env.test.d.ts +0 -1
  131. package/node_modules/@comis/core/dist/load-env.test.js +0 -21
  132. package/node_modules/@comis/core/dist/security/action-classifier.test.d.ts +0 -1
  133. package/node_modules/@comis/core/dist/security/action-classifier.test.js +0 -298
  134. package/node_modules/@comis/core/dist/security/audit-aggregator.test.d.ts +0 -1
  135. package/node_modules/@comis/core/dist/security/audit-aggregator.test.js +0 -128
  136. package/node_modules/@comis/core/dist/security/audit.test.d.ts +0 -1
  137. package/node_modules/@comis/core/dist/security/audit.test.js +0 -154
  138. package/node_modules/@comis/core/dist/security/canary-token.test.d.ts +0 -1
  139. package/node_modules/@comis/core/dist/security/canary-token.test.js +0 -45
  140. package/node_modules/@comis/core/dist/security/config-redaction.test.d.ts +0 -1
  141. package/node_modules/@comis/core/dist/security/config-redaction.test.js +0 -107
  142. package/node_modules/@comis/core/dist/security/external-content.test.d.ts +0 -1
  143. package/node_modules/@comis/core/dist/security/external-content.test.js +0 -210
  144. package/node_modules/@comis/core/dist/security/injection-patterns.test.d.ts +0 -1
  145. package/node_modules/@comis/core/dist/security/injection-patterns.test.js +0 -213
  146. package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.d.ts +0 -1
  147. package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.js +0 -194
  148. package/node_modules/@comis/core/dist/security/input-guard.test.d.ts +0 -1
  149. package/node_modules/@comis/core/dist/security/input-guard.test.js +0 -215
  150. package/node_modules/@comis/core/dist/security/input-security-guard.test.d.ts +0 -1
  151. package/node_modules/@comis/core/dist/security/input-security-guard.test.js +0 -215
  152. package/node_modules/@comis/core/dist/security/input-validator.test.d.ts +0 -1
  153. package/node_modules/@comis/core/dist/security/input-validator.test.js +0 -133
  154. package/node_modules/@comis/core/dist/security/log-sanitizer.test.d.ts +0 -1
  155. package/node_modules/@comis/core/dist/security/log-sanitizer.test.js +0 -260
  156. package/node_modules/@comis/core/dist/security/memory-write-validator.test.d.ts +0 -1
  157. package/node_modules/@comis/core/dist/security/memory-write-validator.test.js +0 -62
  158. package/node_modules/@comis/core/dist/security/output-guard.test.d.ts +0 -1
  159. package/node_modules/@comis/core/dist/security/output-guard.test.js +0 -397
  160. package/node_modules/@comis/core/dist/security/safe-path.test.d.ts +0 -1
  161. package/node_modules/@comis/core/dist/security/safe-path.test.js +0 -95
  162. package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.d.ts +0 -1
  163. package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.js +0 -231
  164. package/node_modules/@comis/core/dist/security/secret-access.test.d.ts +0 -1
  165. package/node_modules/@comis/core/dist/security/secret-access.test.js +0 -41
  166. package/node_modules/@comis/core/dist/security/secret-crypto.test.d.ts +0 -1
  167. package/node_modules/@comis/core/dist/security/secret-crypto.test.js +0 -113
  168. package/node_modules/@comis/core/dist/security/secret-manager.test.d.ts +0 -1
  169. package/node_modules/@comis/core/dist/security/secret-manager.test.js +0 -394
  170. package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.d.ts +0 -1
  171. package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.js +0 -268
  172. package/node_modules/@comis/core/dist/security/secrets-audit.test.d.ts +0 -10
  173. package/node_modules/@comis/core/dist/security/secrets-audit.test.js +0 -295
  174. package/node_modules/@comis/core/dist/security/ssrf-guard.test.d.ts +0 -1
  175. package/node_modules/@comis/core/dist/security/ssrf-guard.test.js +0 -127
  176. package/node_modules/@comis/core/dist/security/token-generator.test.d.ts +0 -1
  177. package/node_modules/@comis/core/dist/security/token-generator.test.js +0 -35
  178. package/node_modules/@comis/core/dist/tool-metadata.test.d.ts +0 -1
  179. package/node_modules/@comis/core/dist/tool-metadata.test.js +0 -112
  180. package/node_modules/@comis/memory/dist/compaction.test.d.ts +0 -1
  181. package/node_modules/@comis/memory/dist/compaction.test.js +0 -298
  182. package/node_modules/@comis/memory/dist/context-schema.test.d.ts +0 -1
  183. package/node_modules/@comis/memory/dist/context-schema.test.js +0 -246
  184. package/node_modules/@comis/memory/dist/context-store.test.d.ts +0 -1
  185. package/node_modules/@comis/memory/dist/context-store.test.js +0 -708
  186. package/node_modules/@comis/memory/dist/credential-mapping-schema.test.d.ts +0 -7
  187. package/node_modules/@comis/memory/dist/credential-mapping-schema.test.js +0 -73
  188. package/node_modules/@comis/memory/dist/credential-mapping-store.test.d.ts +0 -8
  189. package/node_modules/@comis/memory/dist/credential-mapping-store.test.js +0 -340
  190. package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.d.ts +0 -1
  191. package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.js +0 -165
  192. package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.d.ts +0 -1
  193. package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.js +0 -263
  194. package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.d.ts +0 -1
  195. package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.js +0 -202
  196. package/node_modules/@comis/memory/dist/embedding-cache-lru.test.d.ts +0 -1
  197. package/node_modules/@comis/memory/dist/embedding-cache-lru.test.js +0 -241
  198. package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.d.ts +0 -8
  199. package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.js +0 -678
  200. package/node_modules/@comis/memory/dist/embedding-cache.test.d.ts +0 -1
  201. package/node_modules/@comis/memory/dist/embedding-cache.test.js +0 -213
  202. package/node_modules/@comis/memory/dist/embedding-fingerprint.test.d.ts +0 -1
  203. package/node_modules/@comis/memory/dist/embedding-fingerprint.test.js +0 -87
  204. package/node_modules/@comis/memory/dist/embedding-hash.test.d.ts +0 -1
  205. package/node_modules/@comis/memory/dist/embedding-hash.test.js +0 -31
  206. package/node_modules/@comis/memory/dist/embedding-integration.test.d.ts +0 -8
  207. package/node_modules/@comis/memory/dist/embedding-integration.test.js +0 -232
  208. package/node_modules/@comis/memory/dist/embedding-provider-factory.test.d.ts +0 -1
  209. package/node_modules/@comis/memory/dist/embedding-provider-factory.test.js +0 -176
  210. package/node_modules/@comis/memory/dist/embedding-provider-local.test.d.ts +0 -8
  211. package/node_modules/@comis/memory/dist/embedding-provider-local.test.js +0 -76
  212. package/node_modules/@comis/memory/dist/embedding-provider-openai.test.d.ts +0 -8
  213. package/node_modules/@comis/memory/dist/embedding-provider-openai.test.js +0 -100
  214. package/node_modules/@comis/memory/dist/embedding-queue.test.d.ts +0 -1
  215. package/node_modules/@comis/memory/dist/embedding-queue.test.js +0 -236
  216. package/node_modules/@comis/memory/dist/hybrid-search.test.d.ts +0 -1
  217. package/node_modules/@comis/memory/dist/hybrid-search.test.js +0 -476
  218. package/node_modules/@comis/memory/dist/identity-link-store.test.d.ts +0 -1
  219. package/node_modules/@comis/memory/dist/identity-link-store.test.js +0 -88
  220. package/node_modules/@comis/memory/dist/memory-api.test.d.ts +0 -1
  221. package/node_modules/@comis/memory/dist/memory-api.test.js +0 -495
  222. package/node_modules/@comis/memory/dist/memory-concurrency.test.d.ts +0 -20
  223. package/node_modules/@comis/memory/dist/memory-concurrency.test.js +0 -222
  224. package/node_modules/@comis/memory/dist/named-graph-store.test.d.ts +0 -1
  225. package/node_modules/@comis/memory/dist/named-graph-store.test.js +0 -227
  226. package/node_modules/@comis/memory/dist/observability-store.test.d.ts +0 -1
  227. package/node_modules/@comis/memory/dist/observability-store.test.js +0 -704
  228. package/node_modules/@comis/memory/dist/row-mapper.test.d.ts +0 -1
  229. package/node_modules/@comis/memory/dist/row-mapper.test.js +0 -409
  230. package/node_modules/@comis/memory/dist/schema.test.d.ts +0 -1
  231. package/node_modules/@comis/memory/dist/schema.test.js +0 -240
  232. package/node_modules/@comis/memory/dist/secret-store-schema.test.d.ts +0 -7
  233. package/node_modules/@comis/memory/dist/secret-store-schema.test.js +0 -90
  234. package/node_modules/@comis/memory/dist/session-store.test.d.ts +0 -1
  235. package/node_modules/@comis/memory/dist/session-store.test.js +0 -262
  236. package/node_modules/@comis/memory/dist/setup-secrets.test.d.ts +0 -1
  237. package/node_modules/@comis/memory/dist/setup-secrets.test.js +0 -140
  238. package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.d.ts +0 -1
  239. package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.js +0 -888
  240. package/node_modules/@comis/memory/dist/sqlite-secret-store.test.d.ts +0 -8
  241. package/node_modules/@comis/memory/dist/sqlite-secret-store.test.js +0 -245
  242. package/node_modules/@comis/shared/dist/abort.test.d.ts +0 -1
  243. package/node_modules/@comis/shared/dist/abort.test.js +0 -71
  244. package/node_modules/@comis/shared/dist/result.test.d.ts +0 -1
  245. package/node_modules/@comis/shared/dist/result.test.js +0 -178
  246. package/node_modules/@comis/shared/dist/suppress-error.test.d.ts +0 -1
  247. package/node_modules/@comis/shared/dist/suppress-error.test.js +0 -50
  248. package/node_modules/@comis/shared/dist/timeout.test.d.ts +0 -1
  249. package/node_modules/@comis/shared/dist/timeout.test.js +0 -75
  250. package/node_modules/@comis/shared/dist/ttl-cache.test.d.ts +0 -1
  251. package/node_modules/@comis/shared/dist/ttl-cache.test.js +0 -81
@@ -1,394 +0,0 @@
1
- import { describe, it, expect, beforeEach } from "vitest";
2
- import { createSecretManager, envSubset, createScopedSecretManager } from "./secret-manager.js";
3
- import { TypedEventBus } from "../event-bus/index.js";
4
- describe("SecretManager", () => {
5
- const testEnv = {
6
- TEST_KEY: "test-value",
7
- API_TOKEN: "secret-token-123",
8
- EMPTY_KEY: "",
9
- UNDEF_KEY: undefined,
10
- };
11
- function makeManager() {
12
- return createSecretManager(testEnv);
13
- }
14
- describe("get()", () => {
15
- it("returns value when key exists", () => {
16
- const manager = makeManager();
17
- expect(manager.get("TEST_KEY")).toBe("test-value");
18
- });
19
- it("returns undefined when key does not exist", () => {
20
- const manager = makeManager();
21
- expect(manager.get("NONEXISTENT")).toBeUndefined();
22
- });
23
- it("treats undefined values as non-existent", () => {
24
- const manager = makeManager();
25
- expect(manager.get("UNDEF_KEY")).toBeUndefined();
26
- });
27
- });
28
- describe("has()", () => {
29
- it("returns true when key exists", () => {
30
- const manager = makeManager();
31
- expect(manager.has("TEST_KEY")).toBe(true);
32
- });
33
- it("returns false when key does not exist", () => {
34
- const manager = makeManager();
35
- expect(manager.has("NONEXISTENT")).toBe(false);
36
- });
37
- it("returns false for keys with undefined values", () => {
38
- const manager = makeManager();
39
- expect(manager.has("UNDEF_KEY")).toBe(false);
40
- });
41
- });
42
- describe("require()", () => {
43
- it("returns value when key exists", () => {
44
- const manager = makeManager();
45
- expect(manager.require("TEST_KEY")).toBe("test-value");
46
- });
47
- it("throws with key name in message when key does not exist", () => {
48
- const manager = makeManager();
49
- expect(() => manager.require("NONEXISTENT")).toThrow("NONEXISTENT");
50
- });
51
- it("SHR-01: error message does NOT enumerate available key names", () => {
52
- const manager = createSecretManager({ A: "val-a", B: "val-b" });
53
- try {
54
- manager.require("MISSING");
55
- expect.fail("should have thrown");
56
- }
57
- catch (e) {
58
- const msg = e.message;
59
- // Must mention the missing key
60
- expect(msg).toContain("MISSING");
61
- // Must NOT list other keys
62
- expect(msg).not.toContain("Available keys");
63
- expect(msg).not.toContain('"A"');
64
- expect(msg).not.toContain('"B"');
65
- expect(msg).not.toContain("A, B");
66
- expect(msg).not.toContain("B, A");
67
- // Should contain the new help text
68
- expect(msg).toContain("Check that this key is defined");
69
- }
70
- });
71
- it("LOG-06: require() error does not leak other key names or values", () => {
72
- const mgr = createSecretManager({
73
- KEY_A: "secret-val-1",
74
- KEY_B: "secret-val-2",
75
- OPENAI_API_KEY: "sk-realkey",
76
- });
77
- expect(() => mgr.require("MISSING")).toThrowError(/Required secret "MISSING"/);
78
- try {
79
- mgr.require("MISSING");
80
- }
81
- catch (e) {
82
- const msg = e.message;
83
- expect(msg).not.toContain("KEY_A");
84
- expect(msg).not.toContain("KEY_B");
85
- expect(msg).not.toContain("OPENAI_API_KEY");
86
- expect(msg).not.toContain("secret-val-1");
87
- expect(msg).not.toContain("sk-realkey");
88
- }
89
- });
90
- });
91
- describe("no credential enumeration", () => {
92
- it("does not expose .env property", () => {
93
- const manager = makeManager();
94
- expect(manager["env"]).toBeUndefined();
95
- });
96
- it("does not expose .getAll() method", () => {
97
- const manager = makeManager();
98
- expect(manager["getAll"]).toBeUndefined();
99
- });
100
- });
101
- describe("createSecretManager() with env overrides", () => {
102
- it("accepts a controlled record of env vars", () => {
103
- const manager = createSecretManager({ CUSTOM_KEY: "custom-value" });
104
- expect(manager.get("CUSTOM_KEY")).toBe("custom-value");
105
- });
106
- });
107
- describe("defensive copy", () => {
108
- it("modifying original env after creation does not affect manager", () => {
109
- const env = {
110
- MUTABLE_KEY: "original",
111
- };
112
- const manager = createSecretManager(env);
113
- // Mutate the original object
114
- env["MUTABLE_KEY"] = "mutated";
115
- env["NEW_KEY"] = "new-value";
116
- expect(manager.get("MUTABLE_KEY")).toBe("original");
117
- expect(manager.get("NEW_KEY")).toBeUndefined();
118
- });
119
- });
120
- describe("keys()", () => {
121
- it("returns available key names", () => {
122
- const manager = makeManager();
123
- const keys = manager.keys();
124
- expect(keys).toContain("TEST_KEY");
125
- expect(keys).toContain("API_TOKEN");
126
- expect(keys).toContain("EMPTY_KEY");
127
- // UNDEF_KEY should not be in keys since its value is undefined
128
- expect(keys).not.toContain("UNDEF_KEY");
129
- });
130
- it("returns a defensive copy of keys array", () => {
131
- const manager = makeManager();
132
- const keys1 = manager.keys();
133
- const keys2 = manager.keys();
134
- expect(keys1).toEqual(keys2);
135
- expect(keys1).not.toBe(keys2); // Different array instances
136
- });
137
- });
138
- });
139
- describe("envSubset()", () => {
140
- it("SHR-05: returns only requested keys from manager", () => {
141
- const manager = createSecretManager({
142
- A: "1",
143
- B: "2",
144
- C: "3",
145
- D: "4",
146
- E: "5",
147
- });
148
- const subset = envSubset(manager, ["A", "C"]);
149
- expect(subset).toEqual({ A: "1", C: "3" });
150
- expect(Object.keys(subset)).toHaveLength(2);
151
- });
152
- it("SHR-05: returns empty for non-existent keys", () => {
153
- const manager = createSecretManager({ A: "1" });
154
- const subset = envSubset(manager, ["MISSING_1", "MISSING_2"]);
155
- expect(subset).toEqual({});
156
- });
157
- it("SHR-05: returns a plain object, not a Map", () => {
158
- const manager = createSecretManager({ X: "val" });
159
- const subset = envSubset(manager, ["X"]);
160
- expect(subset).toBeTypeOf("object");
161
- expect(subset).not.toBeInstanceOf(Map);
162
- expect(subset.X).toBe("val");
163
- });
164
- });
165
- // ---------------------------------------------------------------------------
166
- // ScopedSecretManager tests (merged from scoped-secret-manager.test.ts)
167
- // ---------------------------------------------------------------------------
168
- describe("ScopedSecretManager", () => {
169
- const baseSecrets = {
170
- OPENAI_API_KEY: "sk-test",
171
- ANTHROPIC_API_KEY: "ak-test",
172
- STRIPE_KEY: "sk_live_test",
173
- UNRELATED: "value",
174
- };
175
- let base;
176
- let bus;
177
- let events;
178
- beforeEach(() => {
179
- base = createSecretManager(baseSecrets);
180
- bus = new TypedEventBus();
181
- events = [];
182
- bus.on("secret:accessed", (e) => events.push(e));
183
- });
184
- it("get() delegates to base when pattern matches", () => {
185
- const scoped = createScopedSecretManager(base, {
186
- agentId: "agent-1",
187
- allowPatterns: ["openai_*"],
188
- eventBus: bus,
189
- });
190
- const value = scoped.get("OPENAI_API_KEY");
191
- expect(value).toBe("sk-test");
192
- expect(events).toHaveLength(1);
193
- expect(events[0].outcome).toBe("success");
194
- });
195
- it("get() returns undefined when pattern denies", () => {
196
- const scoped = createScopedSecretManager(base, {
197
- agentId: "agent-1",
198
- allowPatterns: ["openai_*"],
199
- eventBus: bus,
200
- });
201
- const value = scoped.get("STRIPE_KEY");
202
- expect(value).toBeUndefined();
203
- expect(events).toHaveLength(1);
204
- expect(events[0].outcome).toBe("denied");
205
- });
206
- it("get() emits not_found when base has no value", () => {
207
- const scoped = createScopedSecretManager(base, {
208
- agentId: "agent-1",
209
- allowPatterns: ["openai_*"],
210
- eventBus: bus,
211
- });
212
- const value = scoped.get("OPENAI_OTHER");
213
- expect(value).toBeUndefined();
214
- expect(events).toHaveLength(1);
215
- expect(events[0].outcome).toBe("not_found");
216
- });
217
- it("has() returns false when pattern denies", () => {
218
- const scoped = createScopedSecretManager(base, {
219
- agentId: "agent-1",
220
- allowPatterns: ["openai_*"],
221
- eventBus: bus,
222
- });
223
- const result = scoped.has("STRIPE_KEY");
224
- expect(result).toBe(false);
225
- expect(events).toHaveLength(1);
226
- expect(events[0].outcome).toBe("denied");
227
- });
228
- it("has() delegates when pattern allows", () => {
229
- const scoped = createScopedSecretManager(base, {
230
- agentId: "agent-1",
231
- allowPatterns: ["openai_*"],
232
- eventBus: bus,
233
- });
234
- const result = scoped.has("OPENAI_API_KEY");
235
- expect(result).toBe(true);
236
- expect(events).toHaveLength(1);
237
- expect(events[0].outcome).toBe("success");
238
- });
239
- it("require() throws when pattern denies", () => {
240
- const scoped = createScopedSecretManager(base, {
241
- agentId: "agent-1",
242
- allowPatterns: ["openai_*"],
243
- eventBus: bus,
244
- });
245
- expect(() => scoped.require("STRIPE_KEY")).toThrow("not allowed");
246
- expect(events).toHaveLength(1);
247
- expect(events[0].outcome).toBe("denied");
248
- });
249
- it("require() throws when key not found in base", () => {
250
- const scoped = createScopedSecretManager(base, {
251
- agentId: "agent-1",
252
- allowPatterns: ["openai_*"],
253
- eventBus: bus,
254
- });
255
- expect(() => scoped.require("OPENAI_MISSING")).toThrow("not set");
256
- expect(events).toHaveLength(1);
257
- expect(events[0].outcome).toBe("not_found");
258
- });
259
- it("require() returns value when allowed and exists", () => {
260
- const scoped = createScopedSecretManager(base, {
261
- agentId: "agent-1",
262
- allowPatterns: ["openai_*"],
263
- eventBus: bus,
264
- });
265
- const value = scoped.require("OPENAI_API_KEY");
266
- expect(value).toBe("sk-test");
267
- expect(events).toHaveLength(1);
268
- expect(events[0].outcome).toBe("success");
269
- });
270
- it("keys() filters by allow patterns", () => {
271
- const scoped = createScopedSecretManager(base, {
272
- agentId: "agent-1",
273
- allowPatterns: ["openai_*", "anthropic_*"],
274
- eventBus: bus,
275
- });
276
- const keys = scoped.keys();
277
- expect(keys).toEqual(["OPENAI_API_KEY", "ANTHROPIC_API_KEY"]);
278
- // keys() is a listing operation — no events emitted
279
- expect(events).toHaveLength(0);
280
- });
281
- it("empty allow patterns = unrestricted access", () => {
282
- const scoped = createScopedSecretManager(base, {
283
- agentId: "agent-1",
284
- allowPatterns: [],
285
- eventBus: bus,
286
- });
287
- expect(scoped.get("OPENAI_API_KEY")).toBe("sk-test");
288
- expect(scoped.get("STRIPE_KEY")).toBe("sk_live_test");
289
- expect(scoped.has("UNRELATED")).toBe(true);
290
- expect(scoped.require("ANTHROPIC_API_KEY")).toBe("ak-test");
291
- expect(scoped.keys()).toEqual(expect.arrayContaining([
292
- "OPENAI_API_KEY",
293
- "ANTHROPIC_API_KEY",
294
- "STRIPE_KEY",
295
- "UNRELATED",
296
- ]));
297
- // All access events should be "success"
298
- expect(events.every((e) => e.outcome === "success")).toBe(true);
299
- });
300
- it("works without eventBus (no audit events)", () => {
301
- const scoped = createScopedSecretManager(base, {
302
- agentId: "agent-1",
303
- allowPatterns: ["openai_*"],
304
- // eventBus intentionally omitted
305
- });
306
- // All methods should work without crashing
307
- expect(scoped.get("OPENAI_API_KEY")).toBe("sk-test");
308
- expect(scoped.get("STRIPE_KEY")).toBeUndefined();
309
- expect(scoped.has("OPENAI_API_KEY")).toBe(true);
310
- expect(scoped.has("STRIPE_KEY")).toBe(false);
311
- expect(scoped.require("OPENAI_API_KEY")).toBe("sk-test");
312
- expect(() => scoped.require("STRIPE_KEY")).toThrow("not allowed");
313
- expect(scoped.keys()).toEqual(["OPENAI_API_KEY"]);
314
- // No events emitted to the bus we set up separately
315
- expect(events).toHaveLength(0);
316
- });
317
- it("event payload includes agentId and timestamp", () => {
318
- const scoped = createScopedSecretManager(base, {
319
- agentId: "agent-audit-test",
320
- allowPatterns: ["openai_*"],
321
- eventBus: bus,
322
- });
323
- scoped.get("OPENAI_API_KEY");
324
- expect(events).toHaveLength(1);
325
- const event = events[0];
326
- expect(event.agentId).toBe("agent-audit-test");
327
- expect(event.secretName).toBe("OPENAI_API_KEY");
328
- expect(event.outcome).toBe("success");
329
- expect(typeof event.timestamp).toBe("number");
330
- expect(event.timestamp).toBeGreaterThan(0);
331
- });
332
- });
333
- describe("security:warn for unrestricted access (CORE-02)", () => {
334
- const baseSecrets = {
335
- OPENAI_API_KEY: "sk-test",
336
- ANTHROPIC_API_KEY: "ak-test",
337
- };
338
- it("emits security:warn on first access when allowPatterns is empty", () => {
339
- const base = createSecretManager(baseSecrets);
340
- const bus = new TypedEventBus();
341
- const warnEvents = [];
342
- bus.on("security:warn", (e) => warnEvents.push(e));
343
- const scoped = createScopedSecretManager(base, {
344
- agentId: "agent-unrestricted",
345
- allowPatterns: [],
346
- eventBus: bus,
347
- });
348
- scoped.get("OPENAI_API_KEY");
349
- expect(warnEvents).toHaveLength(1);
350
- expect(warnEvents[0].category).toBe("secret_access");
351
- expect(warnEvents[0].agentId).toBe("agent-unrestricted");
352
- expect(warnEvents[0].message).toContain("secrets.allow");
353
- expect(warnEvents[0].message).toContain("agent-unrestricted");
354
- expect(typeof warnEvents[0].timestamp).toBe("number");
355
- });
356
- it("emits security:warn only once (subsequent accesses do not re-emit)", () => {
357
- const base = createSecretManager(baseSecrets);
358
- const bus = new TypedEventBus();
359
- const warnEvents = [];
360
- bus.on("security:warn", (e) => warnEvents.push(e));
361
- const scoped = createScopedSecretManager(base, {
362
- agentId: "agent-once",
363
- allowPatterns: [],
364
- eventBus: bus,
365
- });
366
- scoped.get("OPENAI_API_KEY");
367
- scoped.has("ANTHROPIC_API_KEY");
368
- scoped.require("OPENAI_API_KEY");
369
- expect(warnEvents).toHaveLength(1);
370
- });
371
- it("does NOT emit security:warn when allowPatterns is non-empty", () => {
372
- const base = createSecretManager(baseSecrets);
373
- const bus = new TypedEventBus();
374
- const warnEvents = [];
375
- bus.on("security:warn", (e) => warnEvents.push(e));
376
- const scoped = createScopedSecretManager(base, {
377
- agentId: "agent-restricted",
378
- allowPatterns: ["OPENAI_*"],
379
- eventBus: bus,
380
- });
381
- scoped.get("OPENAI_API_KEY");
382
- expect(warnEvents).toHaveLength(0);
383
- });
384
- it("does NOT emit security:warn when no eventBus is provided", () => {
385
- const base = createSecretManager(baseSecrets);
386
- const scoped = createScopedSecretManager(base, {
387
- agentId: "agent-no-bus",
388
- allowPatterns: [],
389
- // eventBus intentionally omitted
390
- });
391
- // Should not throw
392
- expect(() => scoped.get("OPENAI_API_KEY")).not.toThrow();
393
- });
394
- });
@@ -1,268 +0,0 @@
1
- import { describe, it, expect, vi } from "vitest";
2
- import { createSecretManager } from "./secret-manager.js";
3
- import { resolveSecretRef, resolveConfigSecretRefs } from "./secret-ref-resolver.js";
4
- // ---------------------------------------------------------------------------
5
- // Helpers
6
- // ---------------------------------------------------------------------------
7
- function makeDeps(env = {}, overrides = {}) {
8
- return {
9
- secretManager: createSecretManager(env),
10
- ...overrides,
11
- };
12
- }
13
- // ---------------------------------------------------------------------------
14
- // resolveSecretRef — env source
15
- // ---------------------------------------------------------------------------
16
- describe("resolveSecretRef — env source", () => {
17
- it("resolves a known env key", () => {
18
- const deps = makeDeps({ TELEGRAM_BOT_TOKEN: "my-secret-token" });
19
- const ref = { source: "env", provider: "telegram", id: "TELEGRAM_BOT_TOKEN" };
20
- const result = resolveSecretRef(ref, deps);
21
- expect(result.ok).toBe(true);
22
- if (result.ok)
23
- expect(result.value).toBe("my-secret-token");
24
- });
25
- it("returns error for unknown env key", () => {
26
- const deps = makeDeps({});
27
- const ref = { source: "env", provider: "telegram", id: "MISSING_KEY" };
28
- const result = resolveSecretRef(ref, deps);
29
- expect(result.ok).toBe(false);
30
- if (!result.ok)
31
- expect(result.error.message).toContain("not found in SecretManager");
32
- });
33
- });
34
- // ---------------------------------------------------------------------------
35
- // resolveSecretRef — file source
36
- // ---------------------------------------------------------------------------
37
- describe("resolveSecretRef — file source", () => {
38
- it("reads a single-value file and trims whitespace", () => {
39
- const deps = makeDeps({}, {
40
- statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 20, mode: 0o600 }),
41
- readFileSync: () => " secret-from-file \n",
42
- });
43
- const ref = { source: "file", provider: "vault", id: "/secrets/api.key" };
44
- const result = resolveSecretRef(ref, deps);
45
- expect(result.ok).toBe(true);
46
- if (result.ok)
47
- expect(result.value).toBe("secret-from-file");
48
- });
49
- it("extracts value via JSON Pointer from JSON file", () => {
50
- const jsonContent = JSON.stringify({
51
- data: { apiKey: "extracted-key", other: "ignored" },
52
- });
53
- const deps = makeDeps({}, {
54
- statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 100, mode: 0o600 }),
55
- readFileSync: () => jsonContent,
56
- });
57
- const ref = {
58
- source: "file",
59
- provider: "vault#/data/apiKey",
60
- id: "/secrets/vault-response.json",
61
- };
62
- const result = resolveSecretRef(ref, deps);
63
- expect(result.ok).toBe(true);
64
- if (result.ok)
65
- expect(result.value).toBe("extracted-key");
66
- });
67
- it("rejects relative paths", () => {
68
- const deps = makeDeps();
69
- const ref = { source: "file", provider: "vault", id: "relative/path.key" };
70
- const result = resolveSecretRef(ref, deps);
71
- expect(result.ok).toBe(false);
72
- if (!result.ok)
73
- expect(result.error.message).toContain("absolute path");
74
- });
75
- it("rejects paths with traversal segments", () => {
76
- const deps = makeDeps();
77
- const ref = { source: "file", provider: "vault", id: "/secrets/../etc/passwd" };
78
- const result = resolveSecretRef(ref, deps);
79
- expect(result.ok).toBe(false);
80
- if (!result.ok)
81
- expect(result.error.message).toContain("traversal");
82
- });
83
- it("rejects files exceeding size limit", () => {
84
- const deps = makeDeps({}, {
85
- statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 2_000_000, mode: 0o600 }),
86
- });
87
- const ref = { source: "file", provider: "vault", id: "/secrets/big.key" };
88
- const result = resolveSecretRef(ref, deps);
89
- expect(result.ok).toBe(false);
90
- if (!result.ok)
91
- expect(result.error.message).toContain("exceeds size limit");
92
- });
93
- it("returns error for nonexistent file", () => {
94
- const deps = makeDeps({}, {
95
- statSync: () => { throw new Error("ENOENT"); },
96
- });
97
- const ref = { source: "file", provider: "vault", id: "/secrets/missing.key" };
98
- const result = resolveSecretRef(ref, deps);
99
- expect(result.ok).toBe(false);
100
- if (!result.ok)
101
- expect(result.error.message).toContain("not found");
102
- });
103
- it("rejects non-file (directory)", () => {
104
- const deps = makeDeps({}, {
105
- statSync: () => ({ isFile: () => false, isSymbolicLink: () => false, size: 0, mode: 0o755 }),
106
- });
107
- const ref = { source: "file", provider: "vault", id: "/secrets" };
108
- const result = resolveSecretRef(ref, deps);
109
- expect(result.ok).toBe(false);
110
- if (!result.ok)
111
- expect(result.error.message).toContain("not a regular file");
112
- });
113
- it("returns error when JSON Pointer target is not a string", () => {
114
- const jsonContent = JSON.stringify({ data: { nested: { value: 42 } } });
115
- const deps = makeDeps({}, {
116
- statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 50, mode: 0o600 }),
117
- readFileSync: () => jsonContent,
118
- });
119
- const ref = {
120
- source: "file",
121
- provider: "vault#/data/nested",
122
- id: "/secrets/vault.json",
123
- };
124
- const result = resolveSecretRef(ref, deps);
125
- expect(result.ok).toBe(false);
126
- if (!result.ok)
127
- expect(result.error.message).toContain("expected string");
128
- });
129
- });
130
- // ---------------------------------------------------------------------------
131
- // resolveSecretRef — exec source
132
- // ---------------------------------------------------------------------------
133
- describe("resolveSecretRef — exec source", () => {
134
- it("resolves value from valid JSON RPC response", () => {
135
- const mockExecFileSync = vi.fn().mockReturnValue(JSON.stringify({
136
- protocolVersion: 1,
137
- values: { "my-secret-id": "resolved-secret" },
138
- }));
139
- const deps = makeDeps({}, { execFileSync: mockExecFileSync });
140
- const ref = { source: "exec", provider: "op", id: "my-secret-id" };
141
- const result = resolveSecretRef(ref, deps);
142
- expect(result.ok).toBe(true);
143
- if (result.ok)
144
- expect(result.value).toBe("resolved-secret");
145
- // Verify protocol: command is ref.provider, args is empty array, input is JSON
146
- expect(mockExecFileSync).toHaveBeenCalledWith("op", [], expect.objectContaining({
147
- input: expect.stringContaining('"ids":["my-secret-id"]'),
148
- encoding: "utf-8",
149
- }));
150
- });
151
- it("returns error when command fails (timeout etc)", () => {
152
- const mockExecFileSync = vi.fn().mockImplementation(() => {
153
- throw new Error("ETIMEDOUT");
154
- });
155
- const deps = makeDeps({}, { execFileSync: mockExecFileSync });
156
- const ref = { source: "exec", provider: "slow-helper", id: "key" };
157
- const result = resolveSecretRef(ref, deps);
158
- expect(result.ok).toBe(false);
159
- if (!result.ok)
160
- expect(result.error.message).toContain("command failed");
161
- });
162
- it("returns error for invalid JSON response", () => {
163
- const mockExecFileSync = vi.fn().mockReturnValue("not-json");
164
- const deps = makeDeps({}, { execFileSync: mockExecFileSync });
165
- const ref = { source: "exec", provider: "broken-helper", id: "key" };
166
- const result = resolveSecretRef(ref, deps);
167
- expect(result.ok).toBe(false);
168
- if (!result.ok)
169
- expect(result.error.message).toContain("invalid JSON");
170
- });
171
- it("returns error for wrong protocol version", () => {
172
- const mockExecFileSync = vi.fn().mockReturnValue(JSON.stringify({ protocolVersion: 2, values: {} }));
173
- const deps = makeDeps({}, { execFileSync: mockExecFileSync });
174
- const ref = { source: "exec", provider: "future-helper", id: "key" };
175
- const result = resolveSecretRef(ref, deps);
176
- expect(result.ok).toBe(false);
177
- if (!result.ok)
178
- expect(result.error.message).toContain("protocol");
179
- });
180
- it("returns error when requested key is missing from response", () => {
181
- const mockExecFileSync = vi.fn().mockReturnValue(JSON.stringify({ protocolVersion: 1, values: { "other-key": "val" } }));
182
- const deps = makeDeps({}, { execFileSync: mockExecFileSync });
183
- const ref = { source: "exec", provider: "op", id: "missing-key" };
184
- const result = resolveSecretRef(ref, deps);
185
- expect(result.ok).toBe(false);
186
- if (!result.ok)
187
- expect(result.error.message).toContain("not found");
188
- });
189
- });
190
- // ---------------------------------------------------------------------------
191
- // resolveConfigSecretRefs — deep walk
192
- // ---------------------------------------------------------------------------
193
- describe("resolveConfigSecretRefs", () => {
194
- it("resolves nested SecretRef objects in config", () => {
195
- const deps = makeDeps({
196
- TELEGRAM_BOT_TOKEN: "tg-resolved",
197
- DISCORD_BOT_TOKEN: "dc-resolved",
198
- });
199
- const config = {
200
- channels: {
201
- telegram: {
202
- enabled: true,
203
- botToken: { source: "env", provider: "telegram", id: "TELEGRAM_BOT_TOKEN" },
204
- },
205
- discord: {
206
- enabled: true,
207
- botToken: { source: "env", provider: "discord", id: "DISCORD_BOT_TOKEN" },
208
- },
209
- },
210
- plainField: "stays-unchanged",
211
- };
212
- const result = resolveConfigSecretRefs(config, deps);
213
- expect(result.ok).toBe(true);
214
- if (result.ok) {
215
- const resolved = result.value;
216
- expect(resolved.channels.telegram.botToken).toBe("tg-resolved");
217
- expect(resolved.channels.discord.botToken).toBe("dc-resolved");
218
- expect(resolved.plainField).toBe("stays-unchanged");
219
- // Original should not be mutated
220
- expect(config.channels.telegram.botToken).toEqual({
221
- source: "env",
222
- provider: "telegram",
223
- id: "TELEGRAM_BOT_TOKEN",
224
- });
225
- }
226
- });
227
- it("returns first error when any ref fails", () => {
228
- const deps = makeDeps({}); // empty — env lookups will fail
229
- const config = {
230
- good: "plain-string",
231
- bad: { source: "env", provider: "x", id: "MISSING" },
232
- };
233
- const result = resolveConfigSecretRefs(config, deps);
234
- expect(result.ok).toBe(false);
235
- if (!result.ok)
236
- expect(result.error.message).toContain("not found in SecretManager");
237
- });
238
- it("returns clone unchanged when no SecretRefs present", () => {
239
- const deps = makeDeps();
240
- const config = {
241
- channels: { telegram: { enabled: false, botToken: "plain" } },
242
- nested: { array: [1, 2, 3] },
243
- };
244
- const result = resolveConfigSecretRefs(config, deps);
245
- expect(result.ok).toBe(true);
246
- if (result.ok) {
247
- expect(result.value).toEqual(config);
248
- // Must be a different object (clone)
249
- expect(result.value).not.toBe(config);
250
- }
251
- });
252
- it("resolves SecretRefs inside arrays", () => {
253
- const deps = makeDeps({ TOKEN_1: "val-1", TOKEN_2: "val-2" });
254
- const config = {
255
- tokens: [
256
- { source: "env", provider: "gw", id: "TOKEN_1" },
257
- "plain-token",
258
- { source: "env", provider: "gw", id: "TOKEN_2" },
259
- ],
260
- };
261
- const result = resolveConfigSecretRefs(config, deps);
262
- expect(result.ok).toBe(true);
263
- if (result.ok) {
264
- const resolved = result.value;
265
- expect(resolved.tokens).toEqual(["val-1", "plain-token", "val-2"]);
266
- }
267
- });
268
- });
@@ -1,10 +0,0 @@
1
- /**
2
- * Unit tests for secrets audit scanner.
3
- *
4
- * Tests scanConfigForSecrets, scanEnvForSecrets, and auditSecrets
5
- * covering config YAML scanning, .env scanning, SecretRef detection,
6
- * and combined audit scenarios.
7
- *
8
- * @module
9
- */
10
- export {};