comisai 1.0.11 → 1.0.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +1 -4
- package/node_modules/@comis/agent/package.json +1 -1
- package/node_modules/@comis/channels/package.json +1 -1
- package/node_modules/@comis/cli/package.json +1 -1
- package/node_modules/@comis/core/package.json +1 -1
- package/node_modules/@comis/daemon/package.json +1 -1
- package/node_modules/@comis/gateway/package.json +1 -1
- package/node_modules/@comis/infra/package.json +1 -1
- package/node_modules/@comis/memory/package.json +1 -1
- package/node_modules/@comis/scheduler/package.json +1 -1
- package/node_modules/@comis/shared/package.json +1 -1
- package/node_modules/@comis/skills/package.json +1 -1
- package/package.json +18 -18
- package/node_modules/@comis/core/dist/approval/approval-gate.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/approval/approval-gate.test.js +0 -1003
- package/node_modules/@comis/core/dist/bootstrap.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/bootstrap.test.js +0 -150
- package/node_modules/@comis/core/dist/config/backup.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/backup.test.js +0 -160
- package/node_modules/@comis/core/dist/config/env-substitution.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/env-substitution.test.js +0 -259
- package/node_modules/@comis/core/dist/config/field-metadata.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/field-metadata.test.js +0 -72
- package/node_modules/@comis/core/dist/config/git-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/git-manager.test.js +0 -1042
- package/node_modules/@comis/core/dist/config/immutable-keys.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/immutable-keys.test.js +0 -283
- package/node_modules/@comis/core/dist/config/include-resolver.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/include-resolver.test.js +0 -292
- package/node_modules/@comis/core/dist/config/layered.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/layered.test.js +0 -211
- package/node_modules/@comis/core/dist/config/loader.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/loader.test.js +0 -300
- package/node_modules/@comis/core/dist/config/migrate.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/migrate.test.js +0 -244
- package/node_modules/@comis/core/dist/config/partial-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/partial-validator.test.js +0 -98
- package/node_modules/@comis/core/dist/config/schema-agent-model.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent-model.test.js +0 -279
- package/node_modules/@comis/core/dist/config/schema-agent-session.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent-session.test.js +0 -242
- package/node_modules/@comis/core/dist/config/schema-agent.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent.test.js +0 -645
- package/node_modules/@comis/core/dist/config/schema-channel.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-channel.test.js +0 -341
- package/node_modules/@comis/core/dist/config/schema-coalescer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-coalescer.test.js +0 -51
- package/node_modules/@comis/core/dist/config/schema-context-engine.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-context-engine.test.js +0 -797
- package/node_modules/@comis/core/dist/config/schema-context-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-context-guard.test.js +0 -111
- package/node_modules/@comis/core/dist/config/schema-daemon.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-daemon.test.js +0 -107
- package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.js +0 -51
- package/node_modules/@comis/core/dist/config/schema-documentation.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-documentation.test.js +0 -63
- package/node_modules/@comis/core/dist/config/schema-gateway.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-gateway.test.js +0 -219
- package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.js +0 -41
- package/node_modules/@comis/core/dist/config/schema-integrations.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-integrations.test.js +0 -92
- package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.js +0 -61
- package/node_modules/@comis/core/dist/config/schema-misc.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-misc.test.js +0 -394
- package/node_modules/@comis/core/dist/config/schema-observability.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-observability.test.js +0 -76
- package/node_modules/@comis/core/dist/config/schema-providers.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-providers.test.js +0 -294
- package/node_modules/@comis/core/dist/config/schema-queue.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-queue.test.js +0 -234
- package/node_modules/@comis/core/dist/config/schema-response-prefix.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-response-prefix.test.js +0 -36
- package/node_modules/@comis/core/dist/config/schema-security.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-security.test.js +0 -54
- package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.js +0 -60
- package/node_modules/@comis/core/dist/config/schema-serializer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-serializer.test.js +0 -73
- package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.js +0 -39
- package/node_modules/@comis/core/dist/context/context.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/context/context.test.js +0 -276
- package/node_modules/@comis/core/dist/domain/agent-response.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/agent-response.test.js +0 -159
- package/node_modules/@comis/core/dist/domain/credential-mapping.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/credential-mapping.test.js +0 -135
- package/node_modules/@comis/core/dist/domain/delivery-origin.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/delivery-origin.test.js +0 -68
- package/node_modules/@comis/core/dist/domain/execution-graph.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/execution-graph.test.js +0 -441
- package/node_modules/@comis/core/dist/domain/memory-entry.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/memory-entry.test.js +0 -193
- package/node_modules/@comis/core/dist/domain/normalized-message.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/normalized-message.test.js +0 -255
- package/node_modules/@comis/core/dist/domain/session-key.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/session-key.test.js +0 -291
- package/node_modules/@comis/core/dist/domain/subagent-context-config.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/subagent-context-config.test.js +0 -131
- package/node_modules/@comis/core/dist/domain/subagent-context-types.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/subagent-context-types.test.js +0 -182
- package/node_modules/@comis/core/dist/event-bus/bus.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/bus.test.js +0 -152
- package/node_modules/@comis/core/dist/event-bus/events-agent.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-agent.test.js +0 -409
- package/node_modules/@comis/core/dist/event-bus/events-channel.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-channel.test.js +0 -240
- package/node_modules/@comis/core/dist/event-bus/events-infra.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-infra.test.js +0 -416
- package/node_modules/@comis/core/dist/event-bus/events-messaging.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-messaging.test.js +0 -433
- package/node_modules/@comis/core/dist/event-bus/events.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events.test.js +0 -93
- package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.js +0 -29
- package/node_modules/@comis/core/dist/hooks/hook-runner.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-runner.test.js +0 -490
- package/node_modules/@comis/core/dist/hooks/hook-strategies.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-strategies.test.js +0 -209
- package/node_modules/@comis/core/dist/hooks/integration.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/integration.test.js +0 -235
- package/node_modules/@comis/core/dist/hooks/plugin-registry.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/plugin-registry.test.js +0 -470
- package/node_modules/@comis/core/dist/load-env.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/load-env.test.js +0 -21
- package/node_modules/@comis/core/dist/security/action-classifier.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/action-classifier.test.js +0 -298
- package/node_modules/@comis/core/dist/security/audit-aggregator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/audit-aggregator.test.js +0 -128
- package/node_modules/@comis/core/dist/security/audit.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/audit.test.js +0 -154
- package/node_modules/@comis/core/dist/security/canary-token.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/canary-token.test.js +0 -45
- package/node_modules/@comis/core/dist/security/config-redaction.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/config-redaction.test.js +0 -107
- package/node_modules/@comis/core/dist/security/external-content.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/external-content.test.js +0 -210
- package/node_modules/@comis/core/dist/security/injection-patterns.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/injection-patterns.test.js +0 -213
- package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.js +0 -194
- package/node_modules/@comis/core/dist/security/input-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-guard.test.js +0 -215
- package/node_modules/@comis/core/dist/security/input-security-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-security-guard.test.js +0 -215
- package/node_modules/@comis/core/dist/security/input-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-validator.test.js +0 -133
- package/node_modules/@comis/core/dist/security/log-sanitizer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/log-sanitizer.test.js +0 -260
- package/node_modules/@comis/core/dist/security/memory-write-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/memory-write-validator.test.js +0 -62
- package/node_modules/@comis/core/dist/security/output-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/output-guard.test.js +0 -397
- package/node_modules/@comis/core/dist/security/safe-path.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/safe-path.test.js +0 -95
- package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.js +0 -231
- package/node_modules/@comis/core/dist/security/secret-access.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-access.test.js +0 -41
- package/node_modules/@comis/core/dist/security/secret-crypto.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-crypto.test.js +0 -113
- package/node_modules/@comis/core/dist/security/secret-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-manager.test.js +0 -394
- package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.js +0 -268
- package/node_modules/@comis/core/dist/security/secrets-audit.test.d.ts +0 -10
- package/node_modules/@comis/core/dist/security/secrets-audit.test.js +0 -295
- package/node_modules/@comis/core/dist/security/ssrf-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/ssrf-guard.test.js +0 -127
- package/node_modules/@comis/core/dist/security/token-generator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/token-generator.test.js +0 -35
- package/node_modules/@comis/core/dist/tool-metadata.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/tool-metadata.test.js +0 -112
- package/node_modules/@comis/memory/dist/compaction.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/compaction.test.js +0 -298
- package/node_modules/@comis/memory/dist/context-schema.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/context-schema.test.js +0 -246
- package/node_modules/@comis/memory/dist/context-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/context-store.test.js +0 -708
- package/node_modules/@comis/memory/dist/credential-mapping-schema.test.d.ts +0 -7
- package/node_modules/@comis/memory/dist/credential-mapping-schema.test.js +0 -73
- package/node_modules/@comis/memory/dist/credential-mapping-store.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/credential-mapping-store.test.js +0 -340
- package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.js +0 -165
- package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.js +0 -263
- package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.js +0 -202
- package/node_modules/@comis/memory/dist/embedding-cache-lru.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-cache-lru.test.js +0 -241
- package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.js +0 -678
- package/node_modules/@comis/memory/dist/embedding-cache.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-cache.test.js +0 -213
- package/node_modules/@comis/memory/dist/embedding-fingerprint.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-fingerprint.test.js +0 -87
- package/node_modules/@comis/memory/dist/embedding-hash.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-hash.test.js +0 -31
- package/node_modules/@comis/memory/dist/embedding-integration.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-integration.test.js +0 -232
- package/node_modules/@comis/memory/dist/embedding-provider-factory.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-provider-factory.test.js +0 -176
- package/node_modules/@comis/memory/dist/embedding-provider-local.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-provider-local.test.js +0 -76
- package/node_modules/@comis/memory/dist/embedding-provider-openai.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-provider-openai.test.js +0 -100
- package/node_modules/@comis/memory/dist/embedding-queue.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-queue.test.js +0 -236
- package/node_modules/@comis/memory/dist/hybrid-search.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/hybrid-search.test.js +0 -476
- package/node_modules/@comis/memory/dist/identity-link-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/identity-link-store.test.js +0 -88
- package/node_modules/@comis/memory/dist/memory-api.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/memory-api.test.js +0 -495
- package/node_modules/@comis/memory/dist/memory-concurrency.test.d.ts +0 -20
- package/node_modules/@comis/memory/dist/memory-concurrency.test.js +0 -222
- package/node_modules/@comis/memory/dist/named-graph-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/named-graph-store.test.js +0 -227
- package/node_modules/@comis/memory/dist/observability-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/observability-store.test.js +0 -704
- package/node_modules/@comis/memory/dist/row-mapper.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/row-mapper.test.js +0 -409
- package/node_modules/@comis/memory/dist/schema.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/schema.test.js +0 -240
- package/node_modules/@comis/memory/dist/secret-store-schema.test.d.ts +0 -7
- package/node_modules/@comis/memory/dist/secret-store-schema.test.js +0 -90
- package/node_modules/@comis/memory/dist/session-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/session-store.test.js +0 -262
- package/node_modules/@comis/memory/dist/setup-secrets.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/setup-secrets.test.js +0 -140
- package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.js +0 -888
- package/node_modules/@comis/memory/dist/sqlite-secret-store.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/sqlite-secret-store.test.js +0 -245
- package/node_modules/@comis/shared/dist/abort.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/abort.test.js +0 -71
- package/node_modules/@comis/shared/dist/result.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/result.test.js +0 -178
- package/node_modules/@comis/shared/dist/suppress-error.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/suppress-error.test.js +0 -50
- package/node_modules/@comis/shared/dist/timeout.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/timeout.test.js +0 -75
- package/node_modules/@comis/shared/dist/ttl-cache.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/ttl-cache.test.js +0 -81
|
@@ -1,231 +0,0 @@
|
|
|
1
|
-
import { describe, it, expect, beforeEach } from "vitest";
|
|
2
|
-
import { createSecretManager } from "./secret-manager.js";
|
|
3
|
-
import { createScopedSecretManager } from "./scoped-secret-manager.js";
|
|
4
|
-
import { TypedEventBus } from "../event-bus/index.js";
|
|
5
|
-
describe("ScopedSecretManager", () => {
|
|
6
|
-
const baseSecrets = {
|
|
7
|
-
OPENAI_API_KEY: "sk-test",
|
|
8
|
-
ANTHROPIC_API_KEY: "ak-test",
|
|
9
|
-
STRIPE_KEY: "sk_live_test",
|
|
10
|
-
UNRELATED: "value",
|
|
11
|
-
};
|
|
12
|
-
let base;
|
|
13
|
-
let bus;
|
|
14
|
-
let events;
|
|
15
|
-
beforeEach(() => {
|
|
16
|
-
base = createSecretManager(baseSecrets);
|
|
17
|
-
bus = new TypedEventBus();
|
|
18
|
-
events = [];
|
|
19
|
-
bus.on("secret:accessed", (e) => events.push(e));
|
|
20
|
-
});
|
|
21
|
-
it("get() delegates to base when pattern matches", () => {
|
|
22
|
-
const scoped = createScopedSecretManager(base, {
|
|
23
|
-
agentId: "agent-1",
|
|
24
|
-
allowPatterns: ["openai_*"],
|
|
25
|
-
eventBus: bus,
|
|
26
|
-
});
|
|
27
|
-
const value = scoped.get("OPENAI_API_KEY");
|
|
28
|
-
expect(value).toBe("sk-test");
|
|
29
|
-
expect(events).toHaveLength(1);
|
|
30
|
-
expect(events[0].outcome).toBe("success");
|
|
31
|
-
});
|
|
32
|
-
it("get() returns undefined when pattern denies", () => {
|
|
33
|
-
const scoped = createScopedSecretManager(base, {
|
|
34
|
-
agentId: "agent-1",
|
|
35
|
-
allowPatterns: ["openai_*"],
|
|
36
|
-
eventBus: bus,
|
|
37
|
-
});
|
|
38
|
-
const value = scoped.get("STRIPE_KEY");
|
|
39
|
-
expect(value).toBeUndefined();
|
|
40
|
-
expect(events).toHaveLength(1);
|
|
41
|
-
expect(events[0].outcome).toBe("denied");
|
|
42
|
-
});
|
|
43
|
-
it("get() emits not_found when base has no value", () => {
|
|
44
|
-
const scoped = createScopedSecretManager(base, {
|
|
45
|
-
agentId: "agent-1",
|
|
46
|
-
allowPatterns: ["openai_*"],
|
|
47
|
-
eventBus: bus,
|
|
48
|
-
});
|
|
49
|
-
const value = scoped.get("OPENAI_OTHER");
|
|
50
|
-
expect(value).toBeUndefined();
|
|
51
|
-
expect(events).toHaveLength(1);
|
|
52
|
-
expect(events[0].outcome).toBe("not_found");
|
|
53
|
-
});
|
|
54
|
-
it("has() returns false when pattern denies", () => {
|
|
55
|
-
const scoped = createScopedSecretManager(base, {
|
|
56
|
-
agentId: "agent-1",
|
|
57
|
-
allowPatterns: ["openai_*"],
|
|
58
|
-
eventBus: bus,
|
|
59
|
-
});
|
|
60
|
-
const result = scoped.has("STRIPE_KEY");
|
|
61
|
-
expect(result).toBe(false);
|
|
62
|
-
expect(events).toHaveLength(1);
|
|
63
|
-
expect(events[0].outcome).toBe("denied");
|
|
64
|
-
});
|
|
65
|
-
it("has() delegates when pattern allows", () => {
|
|
66
|
-
const scoped = createScopedSecretManager(base, {
|
|
67
|
-
agentId: "agent-1",
|
|
68
|
-
allowPatterns: ["openai_*"],
|
|
69
|
-
eventBus: bus,
|
|
70
|
-
});
|
|
71
|
-
const result = scoped.has("OPENAI_API_KEY");
|
|
72
|
-
expect(result).toBe(true);
|
|
73
|
-
expect(events).toHaveLength(1);
|
|
74
|
-
expect(events[0].outcome).toBe("success");
|
|
75
|
-
});
|
|
76
|
-
it("require() throws when pattern denies", () => {
|
|
77
|
-
const scoped = createScopedSecretManager(base, {
|
|
78
|
-
agentId: "agent-1",
|
|
79
|
-
allowPatterns: ["openai_*"],
|
|
80
|
-
eventBus: bus,
|
|
81
|
-
});
|
|
82
|
-
expect(() => scoped.require("STRIPE_KEY")).toThrow("not allowed");
|
|
83
|
-
expect(events).toHaveLength(1);
|
|
84
|
-
expect(events[0].outcome).toBe("denied");
|
|
85
|
-
});
|
|
86
|
-
it("require() throws when key not found in base", () => {
|
|
87
|
-
const scoped = createScopedSecretManager(base, {
|
|
88
|
-
agentId: "agent-1",
|
|
89
|
-
allowPatterns: ["openai_*"],
|
|
90
|
-
eventBus: bus,
|
|
91
|
-
});
|
|
92
|
-
expect(() => scoped.require("OPENAI_MISSING")).toThrow("not set");
|
|
93
|
-
expect(events).toHaveLength(1);
|
|
94
|
-
expect(events[0].outcome).toBe("not_found");
|
|
95
|
-
});
|
|
96
|
-
it("require() returns value when allowed and exists", () => {
|
|
97
|
-
const scoped = createScopedSecretManager(base, {
|
|
98
|
-
agentId: "agent-1",
|
|
99
|
-
allowPatterns: ["openai_*"],
|
|
100
|
-
eventBus: bus,
|
|
101
|
-
});
|
|
102
|
-
const value = scoped.require("OPENAI_API_KEY");
|
|
103
|
-
expect(value).toBe("sk-test");
|
|
104
|
-
expect(events).toHaveLength(1);
|
|
105
|
-
expect(events[0].outcome).toBe("success");
|
|
106
|
-
});
|
|
107
|
-
it("keys() filters by allow patterns", () => {
|
|
108
|
-
const scoped = createScopedSecretManager(base, {
|
|
109
|
-
agentId: "agent-1",
|
|
110
|
-
allowPatterns: ["openai_*", "anthropic_*"],
|
|
111
|
-
eventBus: bus,
|
|
112
|
-
});
|
|
113
|
-
const keys = scoped.keys();
|
|
114
|
-
expect(keys).toEqual(["OPENAI_API_KEY", "ANTHROPIC_API_KEY"]);
|
|
115
|
-
// keys() is a listing operation — no events emitted
|
|
116
|
-
expect(events).toHaveLength(0);
|
|
117
|
-
});
|
|
118
|
-
it("empty allow patterns = unrestricted access", () => {
|
|
119
|
-
const scoped = createScopedSecretManager(base, {
|
|
120
|
-
agentId: "agent-1",
|
|
121
|
-
allowPatterns: [],
|
|
122
|
-
eventBus: bus,
|
|
123
|
-
});
|
|
124
|
-
expect(scoped.get("OPENAI_API_KEY")).toBe("sk-test");
|
|
125
|
-
expect(scoped.get("STRIPE_KEY")).toBe("sk_live_test");
|
|
126
|
-
expect(scoped.has("UNRELATED")).toBe(true);
|
|
127
|
-
expect(scoped.require("ANTHROPIC_API_KEY")).toBe("ak-test");
|
|
128
|
-
expect(scoped.keys()).toEqual(expect.arrayContaining([
|
|
129
|
-
"OPENAI_API_KEY",
|
|
130
|
-
"ANTHROPIC_API_KEY",
|
|
131
|
-
"STRIPE_KEY",
|
|
132
|
-
"UNRELATED",
|
|
133
|
-
]));
|
|
134
|
-
// All access events should be "success"
|
|
135
|
-
expect(events.every((e) => e.outcome === "success")).toBe(true);
|
|
136
|
-
});
|
|
137
|
-
it("works without eventBus (no audit events)", () => {
|
|
138
|
-
const scoped = createScopedSecretManager(base, {
|
|
139
|
-
agentId: "agent-1",
|
|
140
|
-
allowPatterns: ["openai_*"],
|
|
141
|
-
// eventBus intentionally omitted
|
|
142
|
-
});
|
|
143
|
-
// All methods should work without crashing
|
|
144
|
-
expect(scoped.get("OPENAI_API_KEY")).toBe("sk-test");
|
|
145
|
-
expect(scoped.get("STRIPE_KEY")).toBeUndefined();
|
|
146
|
-
expect(scoped.has("OPENAI_API_KEY")).toBe(true);
|
|
147
|
-
expect(scoped.has("STRIPE_KEY")).toBe(false);
|
|
148
|
-
expect(scoped.require("OPENAI_API_KEY")).toBe("sk-test");
|
|
149
|
-
expect(() => scoped.require("STRIPE_KEY")).toThrow("not allowed");
|
|
150
|
-
expect(scoped.keys()).toEqual(["OPENAI_API_KEY"]);
|
|
151
|
-
// No events emitted to the bus we set up separately
|
|
152
|
-
expect(events).toHaveLength(0);
|
|
153
|
-
});
|
|
154
|
-
it("event payload includes agentId and timestamp", () => {
|
|
155
|
-
const scoped = createScopedSecretManager(base, {
|
|
156
|
-
agentId: "agent-audit-test",
|
|
157
|
-
allowPatterns: ["openai_*"],
|
|
158
|
-
eventBus: bus,
|
|
159
|
-
});
|
|
160
|
-
scoped.get("OPENAI_API_KEY");
|
|
161
|
-
expect(events).toHaveLength(1);
|
|
162
|
-
const event = events[0];
|
|
163
|
-
expect(event.agentId).toBe("agent-audit-test");
|
|
164
|
-
expect(event.secretName).toBe("OPENAI_API_KEY");
|
|
165
|
-
expect(event.outcome).toBe("success");
|
|
166
|
-
expect(typeof event.timestamp).toBe("number");
|
|
167
|
-
expect(event.timestamp).toBeGreaterThan(0);
|
|
168
|
-
});
|
|
169
|
-
});
|
|
170
|
-
describe("security:warn for unrestricted access (CORE-02)", () => {
|
|
171
|
-
const baseSecrets = {
|
|
172
|
-
OPENAI_API_KEY: "sk-test",
|
|
173
|
-
ANTHROPIC_API_KEY: "ak-test",
|
|
174
|
-
};
|
|
175
|
-
it("emits security:warn on first access when allowPatterns is empty", () => {
|
|
176
|
-
const base = createSecretManager(baseSecrets);
|
|
177
|
-
const bus = new TypedEventBus();
|
|
178
|
-
const warnEvents = [];
|
|
179
|
-
bus.on("security:warn", (e) => warnEvents.push(e));
|
|
180
|
-
const scoped = createScopedSecretManager(base, {
|
|
181
|
-
agentId: "agent-unrestricted",
|
|
182
|
-
allowPatterns: [],
|
|
183
|
-
eventBus: bus,
|
|
184
|
-
});
|
|
185
|
-
scoped.get("OPENAI_API_KEY");
|
|
186
|
-
expect(warnEvents).toHaveLength(1);
|
|
187
|
-
expect(warnEvents[0].category).toBe("secret_access");
|
|
188
|
-
expect(warnEvents[0].agentId).toBe("agent-unrestricted");
|
|
189
|
-
expect(warnEvents[0].message).toContain("secrets.allow");
|
|
190
|
-
expect(warnEvents[0].message).toContain("agent-unrestricted");
|
|
191
|
-
expect(typeof warnEvents[0].timestamp).toBe("number");
|
|
192
|
-
});
|
|
193
|
-
it("emits security:warn only once (subsequent accesses do not re-emit)", () => {
|
|
194
|
-
const base = createSecretManager(baseSecrets);
|
|
195
|
-
const bus = new TypedEventBus();
|
|
196
|
-
const warnEvents = [];
|
|
197
|
-
bus.on("security:warn", (e) => warnEvents.push(e));
|
|
198
|
-
const scoped = createScopedSecretManager(base, {
|
|
199
|
-
agentId: "agent-once",
|
|
200
|
-
allowPatterns: [],
|
|
201
|
-
eventBus: bus,
|
|
202
|
-
});
|
|
203
|
-
scoped.get("OPENAI_API_KEY");
|
|
204
|
-
scoped.has("ANTHROPIC_API_KEY");
|
|
205
|
-
scoped.require("OPENAI_API_KEY");
|
|
206
|
-
expect(warnEvents).toHaveLength(1);
|
|
207
|
-
});
|
|
208
|
-
it("does NOT emit security:warn when allowPatterns is non-empty", () => {
|
|
209
|
-
const base = createSecretManager(baseSecrets);
|
|
210
|
-
const bus = new TypedEventBus();
|
|
211
|
-
const warnEvents = [];
|
|
212
|
-
bus.on("security:warn", (e) => warnEvents.push(e));
|
|
213
|
-
const scoped = createScopedSecretManager(base, {
|
|
214
|
-
agentId: "agent-restricted",
|
|
215
|
-
allowPatterns: ["OPENAI_*"],
|
|
216
|
-
eventBus: bus,
|
|
217
|
-
});
|
|
218
|
-
scoped.get("OPENAI_API_KEY");
|
|
219
|
-
expect(warnEvents).toHaveLength(0);
|
|
220
|
-
});
|
|
221
|
-
it("does NOT emit security:warn when no eventBus is provided", () => {
|
|
222
|
-
const base = createSecretManager(baseSecrets);
|
|
223
|
-
const scoped = createScopedSecretManager(base, {
|
|
224
|
-
agentId: "agent-no-bus",
|
|
225
|
-
allowPatterns: [],
|
|
226
|
-
// eventBus intentionally omitted
|
|
227
|
-
});
|
|
228
|
-
// Should not throw
|
|
229
|
-
expect(() => scoped.get("OPENAI_API_KEY")).not.toThrow();
|
|
230
|
-
});
|
|
231
|
-
});
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export {};
|
|
@@ -1,41 +0,0 @@
|
|
|
1
|
-
import { describe, it, expect } from "vitest";
|
|
2
|
-
import { matchesSecretPattern, isSecretAccessible } from "./secret-access.js";
|
|
3
|
-
describe("matchesSecretPattern", () => {
|
|
4
|
-
it("exact match (case-insensitive)", () => {
|
|
5
|
-
expect(matchesSecretPattern("OPENAI_API_KEY", "openai_api_key")).toBe(true);
|
|
6
|
-
});
|
|
7
|
-
it("exact match fails on different name", () => {
|
|
8
|
-
expect(matchesSecretPattern("OPENAI_API_KEY", "anthropic_api_key")).toBe(false);
|
|
9
|
-
});
|
|
10
|
-
it("wildcard prefix match", () => {
|
|
11
|
-
expect(matchesSecretPattern("OPENAI_API_KEY", "openai_*")).toBe(true);
|
|
12
|
-
});
|
|
13
|
-
it("wildcard suffix match", () => {
|
|
14
|
-
expect(matchesSecretPattern("MY_OPENAI_KEY", "*_openai_*")).toBe(true);
|
|
15
|
-
});
|
|
16
|
-
it("wildcard star-only matches everything", () => {
|
|
17
|
-
expect(matchesSecretPattern("ANYTHING", "*")).toBe(true);
|
|
18
|
-
});
|
|
19
|
-
it("no wildcard requires exact match", () => {
|
|
20
|
-
expect(matchesSecretPattern("OPENAI_API_KEY", "OPENAI_API")).toBe(false);
|
|
21
|
-
});
|
|
22
|
-
it("handles regex special characters in pattern", () => {
|
|
23
|
-
// Dot should be literal, not regex wildcard
|
|
24
|
-
expect(matchesSecretPattern("my.key", "my.key")).toBe(true);
|
|
25
|
-
expect(matchesSecretPattern("myXkey", "my.key")).toBe(false);
|
|
26
|
-
});
|
|
27
|
-
});
|
|
28
|
-
describe("isSecretAccessible", () => {
|
|
29
|
-
it("empty array allows all", () => {
|
|
30
|
-
expect(isSecretAccessible("ANY_KEY", [])).toBe(true);
|
|
31
|
-
});
|
|
32
|
-
it("matching pattern allows", () => {
|
|
33
|
-
expect(isSecretAccessible("OPENAI_KEY", ["openai_*"])).toBe(true);
|
|
34
|
-
});
|
|
35
|
-
it("no matching pattern denies", () => {
|
|
36
|
-
expect(isSecretAccessible("STRIPE_KEY", ["openai_*", "anthropic_*"])).toBe(false);
|
|
37
|
-
});
|
|
38
|
-
it("multiple patterns, one matches", () => {
|
|
39
|
-
expect(isSecretAccessible("ANTHROPIC_KEY", ["openai_*", "anthropic_*"])).toBe(true);
|
|
40
|
-
});
|
|
41
|
-
});
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export {};
|
|
@@ -1,113 +0,0 @@
|
|
|
1
|
-
import { describe, it, expect } from "vitest";
|
|
2
|
-
import { randomBytes } from "node:crypto";
|
|
3
|
-
import { createSecretsCrypto, parseMasterKey } from "./secret-crypto.js";
|
|
4
|
-
describe("SecretsCrypto", () => {
|
|
5
|
-
const masterKey = randomBytes(32);
|
|
6
|
-
const crypto = createSecretsCrypto(masterKey);
|
|
7
|
-
it("encrypts and decrypts round-trip", () => {
|
|
8
|
-
const plaintext = "sk-abc123-secret-value";
|
|
9
|
-
const encResult = crypto.encrypt(plaintext);
|
|
10
|
-
expect(encResult.ok).toBe(true);
|
|
11
|
-
if (!encResult.ok)
|
|
12
|
-
return;
|
|
13
|
-
const decResult = crypto.decrypt(encResult.value);
|
|
14
|
-
expect(decResult.ok).toBe(true);
|
|
15
|
-
if (!decResult.ok)
|
|
16
|
-
return;
|
|
17
|
-
expect(decResult.value).toBe(plaintext);
|
|
18
|
-
});
|
|
19
|
-
it("handles empty string", () => {
|
|
20
|
-
const encResult = crypto.encrypt("");
|
|
21
|
-
expect(encResult.ok).toBe(true);
|
|
22
|
-
if (!encResult.ok)
|
|
23
|
-
return;
|
|
24
|
-
const decResult = crypto.decrypt(encResult.value);
|
|
25
|
-
expect(decResult.ok).toBe(true);
|
|
26
|
-
if (!decResult.ok)
|
|
27
|
-
return;
|
|
28
|
-
expect(decResult.value).toBe("");
|
|
29
|
-
});
|
|
30
|
-
it("handles unicode content", () => {
|
|
31
|
-
const plaintext = "Hello World! Emoji test: \u{1F680}\u{1F30D}\u{2764}\uFE0F CJK: \u4F60\u597D\u4E16\u754C \u3053\u3093\u306B\u3061\u306F";
|
|
32
|
-
const encResult = crypto.encrypt(plaintext);
|
|
33
|
-
expect(encResult.ok).toBe(true);
|
|
34
|
-
if (!encResult.ok)
|
|
35
|
-
return;
|
|
36
|
-
const decResult = crypto.decrypt(encResult.value);
|
|
37
|
-
expect(decResult.ok).toBe(true);
|
|
38
|
-
if (!decResult.ok)
|
|
39
|
-
return;
|
|
40
|
-
expect(decResult.value).toBe(plaintext);
|
|
41
|
-
});
|
|
42
|
-
it("produces different ciphertexts for same plaintext (random nonce)", () => {
|
|
43
|
-
const encResult1 = crypto.encrypt("same-value");
|
|
44
|
-
const encResult2 = crypto.encrypt("same-value");
|
|
45
|
-
expect(encResult1.ok && encResult2.ok).toBe(true);
|
|
46
|
-
if (!encResult1.ok || !encResult2.ok)
|
|
47
|
-
return;
|
|
48
|
-
expect(encResult1.value.iv).not.toEqual(encResult2.value.iv);
|
|
49
|
-
expect(encResult1.value.ciphertext).not.toEqual(encResult2.value.ciphertext);
|
|
50
|
-
});
|
|
51
|
-
it("returns err() with wrong master key", () => {
|
|
52
|
-
const wrongCrypto = createSecretsCrypto(randomBytes(32));
|
|
53
|
-
const encResult = crypto.encrypt("secret");
|
|
54
|
-
expect(encResult.ok).toBe(true);
|
|
55
|
-
if (!encResult.ok)
|
|
56
|
-
return;
|
|
57
|
-
const decResult = wrongCrypto.decrypt(encResult.value);
|
|
58
|
-
expect(decResult.ok).toBe(false);
|
|
59
|
-
});
|
|
60
|
-
it("returns err() with corrupted auth tag", () => {
|
|
61
|
-
const encResult = crypto.encrypt("secret");
|
|
62
|
-
expect(encResult.ok).toBe(true);
|
|
63
|
-
if (!encResult.ok)
|
|
64
|
-
return;
|
|
65
|
-
// Corrupt the auth tag by flipping a byte
|
|
66
|
-
const corrupted = { ...encResult.value };
|
|
67
|
-
const corruptedTag = Buffer.from(corrupted.authTag);
|
|
68
|
-
corruptedTag[0] = corruptedTag[0] ^ 0xff;
|
|
69
|
-
corrupted.authTag = corruptedTag;
|
|
70
|
-
const decResult = crypto.decrypt(corrupted);
|
|
71
|
-
expect(decResult.ok).toBe(false);
|
|
72
|
-
});
|
|
73
|
-
it("throws on master key shorter than 32 bytes", () => {
|
|
74
|
-
expect(() => createSecretsCrypto(randomBytes(16))).toThrow("Master key must be at least 32 bytes");
|
|
75
|
-
});
|
|
76
|
-
it("defensive copy: caller buffer mutation does not affect encryption (CORE-03)", () => {
|
|
77
|
-
const mutableKey = Buffer.alloc(32, 0xaa);
|
|
78
|
-
const cryptoEngine = createSecretsCrypto(mutableKey);
|
|
79
|
-
// Encrypt with original key
|
|
80
|
-
const encResult = cryptoEngine.encrypt("test-value");
|
|
81
|
-
expect(encResult.ok).toBe(true);
|
|
82
|
-
if (!encResult.ok)
|
|
83
|
-
return;
|
|
84
|
-
// Mutate the caller's buffer after creation
|
|
85
|
-
mutableKey.fill(0x00);
|
|
86
|
-
// Decryption should still work (engine has its own copy)
|
|
87
|
-
const decResult = cryptoEngine.decrypt(encResult.value);
|
|
88
|
-
expect(decResult.ok).toBe(true);
|
|
89
|
-
if (!decResult.ok)
|
|
90
|
-
return;
|
|
91
|
-
expect(decResult.value).toBe("test-value");
|
|
92
|
-
});
|
|
93
|
-
});
|
|
94
|
-
describe("parseMasterKey", () => {
|
|
95
|
-
it("parses hex string", () => {
|
|
96
|
-
const original = randomBytes(32);
|
|
97
|
-
const hex = original.toString("hex");
|
|
98
|
-
const parsed = parseMasterKey(hex);
|
|
99
|
-
expect(parsed).toEqual(original);
|
|
100
|
-
expect(parsed.length).toBe(32);
|
|
101
|
-
});
|
|
102
|
-
it("parses base64 string", () => {
|
|
103
|
-
const original = randomBytes(32);
|
|
104
|
-
const b64 = original.toString("base64");
|
|
105
|
-
const parsed = parseMasterKey(b64);
|
|
106
|
-
expect(parsed).toEqual(original);
|
|
107
|
-
expect(parsed.length).toBe(32);
|
|
108
|
-
});
|
|
109
|
-
it("rejects short key", () => {
|
|
110
|
-
const short = randomBytes(16).toString("hex"); // 32 hex chars = 16 bytes
|
|
111
|
-
expect(() => parseMasterKey(short)).toThrow("Master key must be at least 32 bytes");
|
|
112
|
-
});
|
|
113
|
-
});
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export {};
|