comisai 1.0.11 → 1.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (247) hide show
  1. package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +1 -4
  2. package/node_modules/@comis/agent/package.json +1 -1
  3. package/node_modules/@comis/channels/package.json +1 -1
  4. package/node_modules/@comis/cli/package.json +1 -1
  5. package/node_modules/@comis/core/package.json +1 -1
  6. package/node_modules/@comis/daemon/package.json +1 -1
  7. package/node_modules/@comis/gateway/package.json +1 -1
  8. package/node_modules/@comis/infra/package.json +1 -1
  9. package/node_modules/@comis/memory/package.json +1 -1
  10. package/node_modules/@comis/scheduler/package.json +1 -1
  11. package/node_modules/@comis/shared/package.json +1 -1
  12. package/node_modules/@comis/skills/package.json +1 -1
  13. package/package.json +18 -18
  14. package/node_modules/@comis/core/dist/approval/approval-gate.test.d.ts +0 -1
  15. package/node_modules/@comis/core/dist/approval/approval-gate.test.js +0 -1003
  16. package/node_modules/@comis/core/dist/bootstrap.test.d.ts +0 -1
  17. package/node_modules/@comis/core/dist/bootstrap.test.js +0 -150
  18. package/node_modules/@comis/core/dist/config/backup.test.d.ts +0 -1
  19. package/node_modules/@comis/core/dist/config/backup.test.js +0 -160
  20. package/node_modules/@comis/core/dist/config/env-substitution.test.d.ts +0 -1
  21. package/node_modules/@comis/core/dist/config/env-substitution.test.js +0 -259
  22. package/node_modules/@comis/core/dist/config/field-metadata.test.d.ts +0 -1
  23. package/node_modules/@comis/core/dist/config/field-metadata.test.js +0 -72
  24. package/node_modules/@comis/core/dist/config/git-manager.test.d.ts +0 -1
  25. package/node_modules/@comis/core/dist/config/git-manager.test.js +0 -1042
  26. package/node_modules/@comis/core/dist/config/immutable-keys.test.d.ts +0 -1
  27. package/node_modules/@comis/core/dist/config/immutable-keys.test.js +0 -283
  28. package/node_modules/@comis/core/dist/config/include-resolver.test.d.ts +0 -1
  29. package/node_modules/@comis/core/dist/config/include-resolver.test.js +0 -292
  30. package/node_modules/@comis/core/dist/config/layered.test.d.ts +0 -1
  31. package/node_modules/@comis/core/dist/config/layered.test.js +0 -211
  32. package/node_modules/@comis/core/dist/config/loader.test.d.ts +0 -1
  33. package/node_modules/@comis/core/dist/config/loader.test.js +0 -300
  34. package/node_modules/@comis/core/dist/config/migrate.test.d.ts +0 -1
  35. package/node_modules/@comis/core/dist/config/migrate.test.js +0 -244
  36. package/node_modules/@comis/core/dist/config/partial-validator.test.d.ts +0 -1
  37. package/node_modules/@comis/core/dist/config/partial-validator.test.js +0 -98
  38. package/node_modules/@comis/core/dist/config/schema-agent-model.test.d.ts +0 -1
  39. package/node_modules/@comis/core/dist/config/schema-agent-model.test.js +0 -279
  40. package/node_modules/@comis/core/dist/config/schema-agent-session.test.d.ts +0 -1
  41. package/node_modules/@comis/core/dist/config/schema-agent-session.test.js +0 -242
  42. package/node_modules/@comis/core/dist/config/schema-agent.test.d.ts +0 -1
  43. package/node_modules/@comis/core/dist/config/schema-agent.test.js +0 -645
  44. package/node_modules/@comis/core/dist/config/schema-channel.test.d.ts +0 -1
  45. package/node_modules/@comis/core/dist/config/schema-channel.test.js +0 -341
  46. package/node_modules/@comis/core/dist/config/schema-coalescer.test.d.ts +0 -1
  47. package/node_modules/@comis/core/dist/config/schema-coalescer.test.js +0 -51
  48. package/node_modules/@comis/core/dist/config/schema-context-engine.test.d.ts +0 -1
  49. package/node_modules/@comis/core/dist/config/schema-context-engine.test.js +0 -797
  50. package/node_modules/@comis/core/dist/config/schema-context-guard.test.d.ts +0 -1
  51. package/node_modules/@comis/core/dist/config/schema-context-guard.test.js +0 -111
  52. package/node_modules/@comis/core/dist/config/schema-daemon.test.d.ts +0 -1
  53. package/node_modules/@comis/core/dist/config/schema-daemon.test.js +0 -107
  54. package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.d.ts +0 -1
  55. package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.js +0 -51
  56. package/node_modules/@comis/core/dist/config/schema-documentation.test.d.ts +0 -1
  57. package/node_modules/@comis/core/dist/config/schema-documentation.test.js +0 -63
  58. package/node_modules/@comis/core/dist/config/schema-gateway.test.d.ts +0 -1
  59. package/node_modules/@comis/core/dist/config/schema-gateway.test.js +0 -219
  60. package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.d.ts +0 -1
  61. package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.js +0 -41
  62. package/node_modules/@comis/core/dist/config/schema-integrations.test.d.ts +0 -1
  63. package/node_modules/@comis/core/dist/config/schema-integrations.test.js +0 -92
  64. package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.d.ts +0 -1
  65. package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.js +0 -61
  66. package/node_modules/@comis/core/dist/config/schema-misc.test.d.ts +0 -1
  67. package/node_modules/@comis/core/dist/config/schema-misc.test.js +0 -394
  68. package/node_modules/@comis/core/dist/config/schema-observability.test.d.ts +0 -1
  69. package/node_modules/@comis/core/dist/config/schema-observability.test.js +0 -76
  70. package/node_modules/@comis/core/dist/config/schema-providers.test.d.ts +0 -1
  71. package/node_modules/@comis/core/dist/config/schema-providers.test.js +0 -294
  72. package/node_modules/@comis/core/dist/config/schema-queue.test.d.ts +0 -1
  73. package/node_modules/@comis/core/dist/config/schema-queue.test.js +0 -234
  74. package/node_modules/@comis/core/dist/config/schema-response-prefix.test.d.ts +0 -1
  75. package/node_modules/@comis/core/dist/config/schema-response-prefix.test.js +0 -36
  76. package/node_modules/@comis/core/dist/config/schema-security.test.d.ts +0 -1
  77. package/node_modules/@comis/core/dist/config/schema-security.test.js +0 -54
  78. package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.d.ts +0 -1
  79. package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.js +0 -60
  80. package/node_modules/@comis/core/dist/config/schema-serializer.test.d.ts +0 -1
  81. package/node_modules/@comis/core/dist/config/schema-serializer.test.js +0 -73
  82. package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.d.ts +0 -1
  83. package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.js +0 -39
  84. package/node_modules/@comis/core/dist/context/context.test.d.ts +0 -1
  85. package/node_modules/@comis/core/dist/context/context.test.js +0 -276
  86. package/node_modules/@comis/core/dist/domain/agent-response.test.d.ts +0 -1
  87. package/node_modules/@comis/core/dist/domain/agent-response.test.js +0 -159
  88. package/node_modules/@comis/core/dist/domain/credential-mapping.test.d.ts +0 -1
  89. package/node_modules/@comis/core/dist/domain/credential-mapping.test.js +0 -135
  90. package/node_modules/@comis/core/dist/domain/delivery-origin.test.d.ts +0 -1
  91. package/node_modules/@comis/core/dist/domain/delivery-origin.test.js +0 -68
  92. package/node_modules/@comis/core/dist/domain/execution-graph.test.d.ts +0 -1
  93. package/node_modules/@comis/core/dist/domain/execution-graph.test.js +0 -441
  94. package/node_modules/@comis/core/dist/domain/memory-entry.test.d.ts +0 -1
  95. package/node_modules/@comis/core/dist/domain/memory-entry.test.js +0 -193
  96. package/node_modules/@comis/core/dist/domain/normalized-message.test.d.ts +0 -1
  97. package/node_modules/@comis/core/dist/domain/normalized-message.test.js +0 -255
  98. package/node_modules/@comis/core/dist/domain/session-key.test.d.ts +0 -1
  99. package/node_modules/@comis/core/dist/domain/session-key.test.js +0 -291
  100. package/node_modules/@comis/core/dist/domain/subagent-context-config.test.d.ts +0 -1
  101. package/node_modules/@comis/core/dist/domain/subagent-context-config.test.js +0 -131
  102. package/node_modules/@comis/core/dist/domain/subagent-context-types.test.d.ts +0 -1
  103. package/node_modules/@comis/core/dist/domain/subagent-context-types.test.js +0 -182
  104. package/node_modules/@comis/core/dist/event-bus/bus.test.d.ts +0 -1
  105. package/node_modules/@comis/core/dist/event-bus/bus.test.js +0 -152
  106. package/node_modules/@comis/core/dist/event-bus/events-agent.test.d.ts +0 -1
  107. package/node_modules/@comis/core/dist/event-bus/events-agent.test.js +0 -409
  108. package/node_modules/@comis/core/dist/event-bus/events-channel.test.d.ts +0 -1
  109. package/node_modules/@comis/core/dist/event-bus/events-channel.test.js +0 -240
  110. package/node_modules/@comis/core/dist/event-bus/events-infra.test.d.ts +0 -1
  111. package/node_modules/@comis/core/dist/event-bus/events-infra.test.js +0 -416
  112. package/node_modules/@comis/core/dist/event-bus/events-messaging.test.d.ts +0 -1
  113. package/node_modules/@comis/core/dist/event-bus/events-messaging.test.js +0 -433
  114. package/node_modules/@comis/core/dist/event-bus/events.test.d.ts +0 -1
  115. package/node_modules/@comis/core/dist/event-bus/events.test.js +0 -93
  116. package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.d.ts +0 -1
  117. package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.js +0 -29
  118. package/node_modules/@comis/core/dist/hooks/hook-runner.test.d.ts +0 -1
  119. package/node_modules/@comis/core/dist/hooks/hook-runner.test.js +0 -490
  120. package/node_modules/@comis/core/dist/hooks/hook-strategies.test.d.ts +0 -1
  121. package/node_modules/@comis/core/dist/hooks/hook-strategies.test.js +0 -209
  122. package/node_modules/@comis/core/dist/hooks/integration.test.d.ts +0 -1
  123. package/node_modules/@comis/core/dist/hooks/integration.test.js +0 -235
  124. package/node_modules/@comis/core/dist/hooks/plugin-registry.test.d.ts +0 -1
  125. package/node_modules/@comis/core/dist/hooks/plugin-registry.test.js +0 -470
  126. package/node_modules/@comis/core/dist/load-env.test.d.ts +0 -1
  127. package/node_modules/@comis/core/dist/load-env.test.js +0 -21
  128. package/node_modules/@comis/core/dist/security/action-classifier.test.d.ts +0 -1
  129. package/node_modules/@comis/core/dist/security/action-classifier.test.js +0 -298
  130. package/node_modules/@comis/core/dist/security/audit-aggregator.test.d.ts +0 -1
  131. package/node_modules/@comis/core/dist/security/audit-aggregator.test.js +0 -128
  132. package/node_modules/@comis/core/dist/security/audit.test.d.ts +0 -1
  133. package/node_modules/@comis/core/dist/security/audit.test.js +0 -154
  134. package/node_modules/@comis/core/dist/security/canary-token.test.d.ts +0 -1
  135. package/node_modules/@comis/core/dist/security/canary-token.test.js +0 -45
  136. package/node_modules/@comis/core/dist/security/config-redaction.test.d.ts +0 -1
  137. package/node_modules/@comis/core/dist/security/config-redaction.test.js +0 -107
  138. package/node_modules/@comis/core/dist/security/external-content.test.d.ts +0 -1
  139. package/node_modules/@comis/core/dist/security/external-content.test.js +0 -210
  140. package/node_modules/@comis/core/dist/security/injection-patterns.test.d.ts +0 -1
  141. package/node_modules/@comis/core/dist/security/injection-patterns.test.js +0 -213
  142. package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.d.ts +0 -1
  143. package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.js +0 -194
  144. package/node_modules/@comis/core/dist/security/input-guard.test.d.ts +0 -1
  145. package/node_modules/@comis/core/dist/security/input-guard.test.js +0 -215
  146. package/node_modules/@comis/core/dist/security/input-security-guard.test.d.ts +0 -1
  147. package/node_modules/@comis/core/dist/security/input-security-guard.test.js +0 -215
  148. package/node_modules/@comis/core/dist/security/input-validator.test.d.ts +0 -1
  149. package/node_modules/@comis/core/dist/security/input-validator.test.js +0 -133
  150. package/node_modules/@comis/core/dist/security/log-sanitizer.test.d.ts +0 -1
  151. package/node_modules/@comis/core/dist/security/log-sanitizer.test.js +0 -260
  152. package/node_modules/@comis/core/dist/security/memory-write-validator.test.d.ts +0 -1
  153. package/node_modules/@comis/core/dist/security/memory-write-validator.test.js +0 -62
  154. package/node_modules/@comis/core/dist/security/output-guard.test.d.ts +0 -1
  155. package/node_modules/@comis/core/dist/security/output-guard.test.js +0 -397
  156. package/node_modules/@comis/core/dist/security/safe-path.test.d.ts +0 -1
  157. package/node_modules/@comis/core/dist/security/safe-path.test.js +0 -95
  158. package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.d.ts +0 -1
  159. package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.js +0 -231
  160. package/node_modules/@comis/core/dist/security/secret-access.test.d.ts +0 -1
  161. package/node_modules/@comis/core/dist/security/secret-access.test.js +0 -41
  162. package/node_modules/@comis/core/dist/security/secret-crypto.test.d.ts +0 -1
  163. package/node_modules/@comis/core/dist/security/secret-crypto.test.js +0 -113
  164. package/node_modules/@comis/core/dist/security/secret-manager.test.d.ts +0 -1
  165. package/node_modules/@comis/core/dist/security/secret-manager.test.js +0 -394
  166. package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.d.ts +0 -1
  167. package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.js +0 -268
  168. package/node_modules/@comis/core/dist/security/secrets-audit.test.d.ts +0 -10
  169. package/node_modules/@comis/core/dist/security/secrets-audit.test.js +0 -295
  170. package/node_modules/@comis/core/dist/security/ssrf-guard.test.d.ts +0 -1
  171. package/node_modules/@comis/core/dist/security/ssrf-guard.test.js +0 -127
  172. package/node_modules/@comis/core/dist/security/token-generator.test.d.ts +0 -1
  173. package/node_modules/@comis/core/dist/security/token-generator.test.js +0 -35
  174. package/node_modules/@comis/core/dist/tool-metadata.test.d.ts +0 -1
  175. package/node_modules/@comis/core/dist/tool-metadata.test.js +0 -112
  176. package/node_modules/@comis/memory/dist/compaction.test.d.ts +0 -1
  177. package/node_modules/@comis/memory/dist/compaction.test.js +0 -298
  178. package/node_modules/@comis/memory/dist/context-schema.test.d.ts +0 -1
  179. package/node_modules/@comis/memory/dist/context-schema.test.js +0 -246
  180. package/node_modules/@comis/memory/dist/context-store.test.d.ts +0 -1
  181. package/node_modules/@comis/memory/dist/context-store.test.js +0 -708
  182. package/node_modules/@comis/memory/dist/credential-mapping-schema.test.d.ts +0 -7
  183. package/node_modules/@comis/memory/dist/credential-mapping-schema.test.js +0 -73
  184. package/node_modules/@comis/memory/dist/credential-mapping-store.test.d.ts +0 -8
  185. package/node_modules/@comis/memory/dist/credential-mapping-store.test.js +0 -340
  186. package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.d.ts +0 -1
  187. package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.js +0 -165
  188. package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.d.ts +0 -1
  189. package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.js +0 -263
  190. package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.d.ts +0 -1
  191. package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.js +0 -202
  192. package/node_modules/@comis/memory/dist/embedding-cache-lru.test.d.ts +0 -1
  193. package/node_modules/@comis/memory/dist/embedding-cache-lru.test.js +0 -241
  194. package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.d.ts +0 -8
  195. package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.js +0 -678
  196. package/node_modules/@comis/memory/dist/embedding-cache.test.d.ts +0 -1
  197. package/node_modules/@comis/memory/dist/embedding-cache.test.js +0 -213
  198. package/node_modules/@comis/memory/dist/embedding-fingerprint.test.d.ts +0 -1
  199. package/node_modules/@comis/memory/dist/embedding-fingerprint.test.js +0 -87
  200. package/node_modules/@comis/memory/dist/embedding-hash.test.d.ts +0 -1
  201. package/node_modules/@comis/memory/dist/embedding-hash.test.js +0 -31
  202. package/node_modules/@comis/memory/dist/embedding-integration.test.d.ts +0 -8
  203. package/node_modules/@comis/memory/dist/embedding-integration.test.js +0 -232
  204. package/node_modules/@comis/memory/dist/embedding-provider-factory.test.d.ts +0 -1
  205. package/node_modules/@comis/memory/dist/embedding-provider-factory.test.js +0 -176
  206. package/node_modules/@comis/memory/dist/embedding-provider-local.test.d.ts +0 -8
  207. package/node_modules/@comis/memory/dist/embedding-provider-local.test.js +0 -76
  208. package/node_modules/@comis/memory/dist/embedding-provider-openai.test.d.ts +0 -8
  209. package/node_modules/@comis/memory/dist/embedding-provider-openai.test.js +0 -100
  210. package/node_modules/@comis/memory/dist/embedding-queue.test.d.ts +0 -1
  211. package/node_modules/@comis/memory/dist/embedding-queue.test.js +0 -236
  212. package/node_modules/@comis/memory/dist/hybrid-search.test.d.ts +0 -1
  213. package/node_modules/@comis/memory/dist/hybrid-search.test.js +0 -476
  214. package/node_modules/@comis/memory/dist/identity-link-store.test.d.ts +0 -1
  215. package/node_modules/@comis/memory/dist/identity-link-store.test.js +0 -88
  216. package/node_modules/@comis/memory/dist/memory-api.test.d.ts +0 -1
  217. package/node_modules/@comis/memory/dist/memory-api.test.js +0 -495
  218. package/node_modules/@comis/memory/dist/memory-concurrency.test.d.ts +0 -20
  219. package/node_modules/@comis/memory/dist/memory-concurrency.test.js +0 -222
  220. package/node_modules/@comis/memory/dist/named-graph-store.test.d.ts +0 -1
  221. package/node_modules/@comis/memory/dist/named-graph-store.test.js +0 -227
  222. package/node_modules/@comis/memory/dist/observability-store.test.d.ts +0 -1
  223. package/node_modules/@comis/memory/dist/observability-store.test.js +0 -704
  224. package/node_modules/@comis/memory/dist/row-mapper.test.d.ts +0 -1
  225. package/node_modules/@comis/memory/dist/row-mapper.test.js +0 -409
  226. package/node_modules/@comis/memory/dist/schema.test.d.ts +0 -1
  227. package/node_modules/@comis/memory/dist/schema.test.js +0 -240
  228. package/node_modules/@comis/memory/dist/secret-store-schema.test.d.ts +0 -7
  229. package/node_modules/@comis/memory/dist/secret-store-schema.test.js +0 -90
  230. package/node_modules/@comis/memory/dist/session-store.test.d.ts +0 -1
  231. package/node_modules/@comis/memory/dist/session-store.test.js +0 -262
  232. package/node_modules/@comis/memory/dist/setup-secrets.test.d.ts +0 -1
  233. package/node_modules/@comis/memory/dist/setup-secrets.test.js +0 -140
  234. package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.d.ts +0 -1
  235. package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.js +0 -888
  236. package/node_modules/@comis/memory/dist/sqlite-secret-store.test.d.ts +0 -8
  237. package/node_modules/@comis/memory/dist/sqlite-secret-store.test.js +0 -245
  238. package/node_modules/@comis/shared/dist/abort.test.d.ts +0 -1
  239. package/node_modules/@comis/shared/dist/abort.test.js +0 -71
  240. package/node_modules/@comis/shared/dist/result.test.d.ts +0 -1
  241. package/node_modules/@comis/shared/dist/result.test.js +0 -178
  242. package/node_modules/@comis/shared/dist/suppress-error.test.d.ts +0 -1
  243. package/node_modules/@comis/shared/dist/suppress-error.test.js +0 -50
  244. package/node_modules/@comis/shared/dist/timeout.test.d.ts +0 -1
  245. package/node_modules/@comis/shared/dist/timeout.test.js +0 -75
  246. package/node_modules/@comis/shared/dist/ttl-cache.test.d.ts +0 -1
  247. package/node_modules/@comis/shared/dist/ttl-cache.test.js +0 -81
@@ -1,394 +0,0 @@
1
- import { describe, it, expect, beforeEach } from "vitest";
2
- import { createSecretManager, envSubset, createScopedSecretManager } from "./secret-manager.js";
3
- import { TypedEventBus } from "../event-bus/index.js";
4
- describe("SecretManager", () => {
5
- const testEnv = {
6
- TEST_KEY: "test-value",
7
- API_TOKEN: "secret-token-123",
8
- EMPTY_KEY: "",
9
- UNDEF_KEY: undefined,
10
- };
11
- function makeManager() {
12
- return createSecretManager(testEnv);
13
- }
14
- describe("get()", () => {
15
- it("returns value when key exists", () => {
16
- const manager = makeManager();
17
- expect(manager.get("TEST_KEY")).toBe("test-value");
18
- });
19
- it("returns undefined when key does not exist", () => {
20
- const manager = makeManager();
21
- expect(manager.get("NONEXISTENT")).toBeUndefined();
22
- });
23
- it("treats undefined values as non-existent", () => {
24
- const manager = makeManager();
25
- expect(manager.get("UNDEF_KEY")).toBeUndefined();
26
- });
27
- });
28
- describe("has()", () => {
29
- it("returns true when key exists", () => {
30
- const manager = makeManager();
31
- expect(manager.has("TEST_KEY")).toBe(true);
32
- });
33
- it("returns false when key does not exist", () => {
34
- const manager = makeManager();
35
- expect(manager.has("NONEXISTENT")).toBe(false);
36
- });
37
- it("returns false for keys with undefined values", () => {
38
- const manager = makeManager();
39
- expect(manager.has("UNDEF_KEY")).toBe(false);
40
- });
41
- });
42
- describe("require()", () => {
43
- it("returns value when key exists", () => {
44
- const manager = makeManager();
45
- expect(manager.require("TEST_KEY")).toBe("test-value");
46
- });
47
- it("throws with key name in message when key does not exist", () => {
48
- const manager = makeManager();
49
- expect(() => manager.require("NONEXISTENT")).toThrow("NONEXISTENT");
50
- });
51
- it("SHR-01: error message does NOT enumerate available key names", () => {
52
- const manager = createSecretManager({ A: "val-a", B: "val-b" });
53
- try {
54
- manager.require("MISSING");
55
- expect.fail("should have thrown");
56
- }
57
- catch (e) {
58
- const msg = e.message;
59
- // Must mention the missing key
60
- expect(msg).toContain("MISSING");
61
- // Must NOT list other keys
62
- expect(msg).not.toContain("Available keys");
63
- expect(msg).not.toContain('"A"');
64
- expect(msg).not.toContain('"B"');
65
- expect(msg).not.toContain("A, B");
66
- expect(msg).not.toContain("B, A");
67
- // Should contain the new help text
68
- expect(msg).toContain("Check that this key is defined");
69
- }
70
- });
71
- it("LOG-06: require() error does not leak other key names or values", () => {
72
- const mgr = createSecretManager({
73
- KEY_A: "secret-val-1",
74
- KEY_B: "secret-val-2",
75
- OPENAI_API_KEY: "sk-realkey",
76
- });
77
- expect(() => mgr.require("MISSING")).toThrowError(/Required secret "MISSING"/);
78
- try {
79
- mgr.require("MISSING");
80
- }
81
- catch (e) {
82
- const msg = e.message;
83
- expect(msg).not.toContain("KEY_A");
84
- expect(msg).not.toContain("KEY_B");
85
- expect(msg).not.toContain("OPENAI_API_KEY");
86
- expect(msg).not.toContain("secret-val-1");
87
- expect(msg).not.toContain("sk-realkey");
88
- }
89
- });
90
- });
91
- describe("no credential enumeration", () => {
92
- it("does not expose .env property", () => {
93
- const manager = makeManager();
94
- expect(manager["env"]).toBeUndefined();
95
- });
96
- it("does not expose .getAll() method", () => {
97
- const manager = makeManager();
98
- expect(manager["getAll"]).toBeUndefined();
99
- });
100
- });
101
- describe("createSecretManager() with env overrides", () => {
102
- it("accepts a controlled record of env vars", () => {
103
- const manager = createSecretManager({ CUSTOM_KEY: "custom-value" });
104
- expect(manager.get("CUSTOM_KEY")).toBe("custom-value");
105
- });
106
- });
107
- describe("defensive copy", () => {
108
- it("modifying original env after creation does not affect manager", () => {
109
- const env = {
110
- MUTABLE_KEY: "original",
111
- };
112
- const manager = createSecretManager(env);
113
- // Mutate the original object
114
- env["MUTABLE_KEY"] = "mutated";
115
- env["NEW_KEY"] = "new-value";
116
- expect(manager.get("MUTABLE_KEY")).toBe("original");
117
- expect(manager.get("NEW_KEY")).toBeUndefined();
118
- });
119
- });
120
- describe("keys()", () => {
121
- it("returns available key names", () => {
122
- const manager = makeManager();
123
- const keys = manager.keys();
124
- expect(keys).toContain("TEST_KEY");
125
- expect(keys).toContain("API_TOKEN");
126
- expect(keys).toContain("EMPTY_KEY");
127
- // UNDEF_KEY should not be in keys since its value is undefined
128
- expect(keys).not.toContain("UNDEF_KEY");
129
- });
130
- it("returns a defensive copy of keys array", () => {
131
- const manager = makeManager();
132
- const keys1 = manager.keys();
133
- const keys2 = manager.keys();
134
- expect(keys1).toEqual(keys2);
135
- expect(keys1).not.toBe(keys2); // Different array instances
136
- });
137
- });
138
- });
139
- describe("envSubset()", () => {
140
- it("SHR-05: returns only requested keys from manager", () => {
141
- const manager = createSecretManager({
142
- A: "1",
143
- B: "2",
144
- C: "3",
145
- D: "4",
146
- E: "5",
147
- });
148
- const subset = envSubset(manager, ["A", "C"]);
149
- expect(subset).toEqual({ A: "1", C: "3" });
150
- expect(Object.keys(subset)).toHaveLength(2);
151
- });
152
- it("SHR-05: returns empty for non-existent keys", () => {
153
- const manager = createSecretManager({ A: "1" });
154
- const subset = envSubset(manager, ["MISSING_1", "MISSING_2"]);
155
- expect(subset).toEqual({});
156
- });
157
- it("SHR-05: returns a plain object, not a Map", () => {
158
- const manager = createSecretManager({ X: "val" });
159
- const subset = envSubset(manager, ["X"]);
160
- expect(subset).toBeTypeOf("object");
161
- expect(subset).not.toBeInstanceOf(Map);
162
- expect(subset.X).toBe("val");
163
- });
164
- });
165
- // ---------------------------------------------------------------------------
166
- // ScopedSecretManager tests (merged from scoped-secret-manager.test.ts)
167
- // ---------------------------------------------------------------------------
168
- describe("ScopedSecretManager", () => {
169
- const baseSecrets = {
170
- OPENAI_API_KEY: "sk-test",
171
- ANTHROPIC_API_KEY: "ak-test",
172
- STRIPE_KEY: "sk_live_test",
173
- UNRELATED: "value",
174
- };
175
- let base;
176
- let bus;
177
- let events;
178
- beforeEach(() => {
179
- base = createSecretManager(baseSecrets);
180
- bus = new TypedEventBus();
181
- events = [];
182
- bus.on("secret:accessed", (e) => events.push(e));
183
- });
184
- it("get() delegates to base when pattern matches", () => {
185
- const scoped = createScopedSecretManager(base, {
186
- agentId: "agent-1",
187
- allowPatterns: ["openai_*"],
188
- eventBus: bus,
189
- });
190
- const value = scoped.get("OPENAI_API_KEY");
191
- expect(value).toBe("sk-test");
192
- expect(events).toHaveLength(1);
193
- expect(events[0].outcome).toBe("success");
194
- });
195
- it("get() returns undefined when pattern denies", () => {
196
- const scoped = createScopedSecretManager(base, {
197
- agentId: "agent-1",
198
- allowPatterns: ["openai_*"],
199
- eventBus: bus,
200
- });
201
- const value = scoped.get("STRIPE_KEY");
202
- expect(value).toBeUndefined();
203
- expect(events).toHaveLength(1);
204
- expect(events[0].outcome).toBe("denied");
205
- });
206
- it("get() emits not_found when base has no value", () => {
207
- const scoped = createScopedSecretManager(base, {
208
- agentId: "agent-1",
209
- allowPatterns: ["openai_*"],
210
- eventBus: bus,
211
- });
212
- const value = scoped.get("OPENAI_OTHER");
213
- expect(value).toBeUndefined();
214
- expect(events).toHaveLength(1);
215
- expect(events[0].outcome).toBe("not_found");
216
- });
217
- it("has() returns false when pattern denies", () => {
218
- const scoped = createScopedSecretManager(base, {
219
- agentId: "agent-1",
220
- allowPatterns: ["openai_*"],
221
- eventBus: bus,
222
- });
223
- const result = scoped.has("STRIPE_KEY");
224
- expect(result).toBe(false);
225
- expect(events).toHaveLength(1);
226
- expect(events[0].outcome).toBe("denied");
227
- });
228
- it("has() delegates when pattern allows", () => {
229
- const scoped = createScopedSecretManager(base, {
230
- agentId: "agent-1",
231
- allowPatterns: ["openai_*"],
232
- eventBus: bus,
233
- });
234
- const result = scoped.has("OPENAI_API_KEY");
235
- expect(result).toBe(true);
236
- expect(events).toHaveLength(1);
237
- expect(events[0].outcome).toBe("success");
238
- });
239
- it("require() throws when pattern denies", () => {
240
- const scoped = createScopedSecretManager(base, {
241
- agentId: "agent-1",
242
- allowPatterns: ["openai_*"],
243
- eventBus: bus,
244
- });
245
- expect(() => scoped.require("STRIPE_KEY")).toThrow("not allowed");
246
- expect(events).toHaveLength(1);
247
- expect(events[0].outcome).toBe("denied");
248
- });
249
- it("require() throws when key not found in base", () => {
250
- const scoped = createScopedSecretManager(base, {
251
- agentId: "agent-1",
252
- allowPatterns: ["openai_*"],
253
- eventBus: bus,
254
- });
255
- expect(() => scoped.require("OPENAI_MISSING")).toThrow("not set");
256
- expect(events).toHaveLength(1);
257
- expect(events[0].outcome).toBe("not_found");
258
- });
259
- it("require() returns value when allowed and exists", () => {
260
- const scoped = createScopedSecretManager(base, {
261
- agentId: "agent-1",
262
- allowPatterns: ["openai_*"],
263
- eventBus: bus,
264
- });
265
- const value = scoped.require("OPENAI_API_KEY");
266
- expect(value).toBe("sk-test");
267
- expect(events).toHaveLength(1);
268
- expect(events[0].outcome).toBe("success");
269
- });
270
- it("keys() filters by allow patterns", () => {
271
- const scoped = createScopedSecretManager(base, {
272
- agentId: "agent-1",
273
- allowPatterns: ["openai_*", "anthropic_*"],
274
- eventBus: bus,
275
- });
276
- const keys = scoped.keys();
277
- expect(keys).toEqual(["OPENAI_API_KEY", "ANTHROPIC_API_KEY"]);
278
- // keys() is a listing operation — no events emitted
279
- expect(events).toHaveLength(0);
280
- });
281
- it("empty allow patterns = unrestricted access", () => {
282
- const scoped = createScopedSecretManager(base, {
283
- agentId: "agent-1",
284
- allowPatterns: [],
285
- eventBus: bus,
286
- });
287
- expect(scoped.get("OPENAI_API_KEY")).toBe("sk-test");
288
- expect(scoped.get("STRIPE_KEY")).toBe("sk_live_test");
289
- expect(scoped.has("UNRELATED")).toBe(true);
290
- expect(scoped.require("ANTHROPIC_API_KEY")).toBe("ak-test");
291
- expect(scoped.keys()).toEqual(expect.arrayContaining([
292
- "OPENAI_API_KEY",
293
- "ANTHROPIC_API_KEY",
294
- "STRIPE_KEY",
295
- "UNRELATED",
296
- ]));
297
- // All access events should be "success"
298
- expect(events.every((e) => e.outcome === "success")).toBe(true);
299
- });
300
- it("works without eventBus (no audit events)", () => {
301
- const scoped = createScopedSecretManager(base, {
302
- agentId: "agent-1",
303
- allowPatterns: ["openai_*"],
304
- // eventBus intentionally omitted
305
- });
306
- // All methods should work without crashing
307
- expect(scoped.get("OPENAI_API_KEY")).toBe("sk-test");
308
- expect(scoped.get("STRIPE_KEY")).toBeUndefined();
309
- expect(scoped.has("OPENAI_API_KEY")).toBe(true);
310
- expect(scoped.has("STRIPE_KEY")).toBe(false);
311
- expect(scoped.require("OPENAI_API_KEY")).toBe("sk-test");
312
- expect(() => scoped.require("STRIPE_KEY")).toThrow("not allowed");
313
- expect(scoped.keys()).toEqual(["OPENAI_API_KEY"]);
314
- // No events emitted to the bus we set up separately
315
- expect(events).toHaveLength(0);
316
- });
317
- it("event payload includes agentId and timestamp", () => {
318
- const scoped = createScopedSecretManager(base, {
319
- agentId: "agent-audit-test",
320
- allowPatterns: ["openai_*"],
321
- eventBus: bus,
322
- });
323
- scoped.get("OPENAI_API_KEY");
324
- expect(events).toHaveLength(1);
325
- const event = events[0];
326
- expect(event.agentId).toBe("agent-audit-test");
327
- expect(event.secretName).toBe("OPENAI_API_KEY");
328
- expect(event.outcome).toBe("success");
329
- expect(typeof event.timestamp).toBe("number");
330
- expect(event.timestamp).toBeGreaterThan(0);
331
- });
332
- });
333
- describe("security:warn for unrestricted access (CORE-02)", () => {
334
- const baseSecrets = {
335
- OPENAI_API_KEY: "sk-test",
336
- ANTHROPIC_API_KEY: "ak-test",
337
- };
338
- it("emits security:warn on first access when allowPatterns is empty", () => {
339
- const base = createSecretManager(baseSecrets);
340
- const bus = new TypedEventBus();
341
- const warnEvents = [];
342
- bus.on("security:warn", (e) => warnEvents.push(e));
343
- const scoped = createScopedSecretManager(base, {
344
- agentId: "agent-unrestricted",
345
- allowPatterns: [],
346
- eventBus: bus,
347
- });
348
- scoped.get("OPENAI_API_KEY");
349
- expect(warnEvents).toHaveLength(1);
350
- expect(warnEvents[0].category).toBe("secret_access");
351
- expect(warnEvents[0].agentId).toBe("agent-unrestricted");
352
- expect(warnEvents[0].message).toContain("secrets.allow");
353
- expect(warnEvents[0].message).toContain("agent-unrestricted");
354
- expect(typeof warnEvents[0].timestamp).toBe("number");
355
- });
356
- it("emits security:warn only once (subsequent accesses do not re-emit)", () => {
357
- const base = createSecretManager(baseSecrets);
358
- const bus = new TypedEventBus();
359
- const warnEvents = [];
360
- bus.on("security:warn", (e) => warnEvents.push(e));
361
- const scoped = createScopedSecretManager(base, {
362
- agentId: "agent-once",
363
- allowPatterns: [],
364
- eventBus: bus,
365
- });
366
- scoped.get("OPENAI_API_KEY");
367
- scoped.has("ANTHROPIC_API_KEY");
368
- scoped.require("OPENAI_API_KEY");
369
- expect(warnEvents).toHaveLength(1);
370
- });
371
- it("does NOT emit security:warn when allowPatterns is non-empty", () => {
372
- const base = createSecretManager(baseSecrets);
373
- const bus = new TypedEventBus();
374
- const warnEvents = [];
375
- bus.on("security:warn", (e) => warnEvents.push(e));
376
- const scoped = createScopedSecretManager(base, {
377
- agentId: "agent-restricted",
378
- allowPatterns: ["OPENAI_*"],
379
- eventBus: bus,
380
- });
381
- scoped.get("OPENAI_API_KEY");
382
- expect(warnEvents).toHaveLength(0);
383
- });
384
- it("does NOT emit security:warn when no eventBus is provided", () => {
385
- const base = createSecretManager(baseSecrets);
386
- const scoped = createScopedSecretManager(base, {
387
- agentId: "agent-no-bus",
388
- allowPatterns: [],
389
- // eventBus intentionally omitted
390
- });
391
- // Should not throw
392
- expect(() => scoped.get("OPENAI_API_KEY")).not.toThrow();
393
- });
394
- });
@@ -1,268 +0,0 @@
1
- import { describe, it, expect, vi } from "vitest";
2
- import { createSecretManager } from "./secret-manager.js";
3
- import { resolveSecretRef, resolveConfigSecretRefs } from "./secret-ref-resolver.js";
4
- // ---------------------------------------------------------------------------
5
- // Helpers
6
- // ---------------------------------------------------------------------------
7
- function makeDeps(env = {}, overrides = {}) {
8
- return {
9
- secretManager: createSecretManager(env),
10
- ...overrides,
11
- };
12
- }
13
- // ---------------------------------------------------------------------------
14
- // resolveSecretRef — env source
15
- // ---------------------------------------------------------------------------
16
- describe("resolveSecretRef — env source", () => {
17
- it("resolves a known env key", () => {
18
- const deps = makeDeps({ TELEGRAM_BOT_TOKEN: "my-secret-token" });
19
- const ref = { source: "env", provider: "telegram", id: "TELEGRAM_BOT_TOKEN" };
20
- const result = resolveSecretRef(ref, deps);
21
- expect(result.ok).toBe(true);
22
- if (result.ok)
23
- expect(result.value).toBe("my-secret-token");
24
- });
25
- it("returns error for unknown env key", () => {
26
- const deps = makeDeps({});
27
- const ref = { source: "env", provider: "telegram", id: "MISSING_KEY" };
28
- const result = resolveSecretRef(ref, deps);
29
- expect(result.ok).toBe(false);
30
- if (!result.ok)
31
- expect(result.error.message).toContain("not found in SecretManager");
32
- });
33
- });
34
- // ---------------------------------------------------------------------------
35
- // resolveSecretRef — file source
36
- // ---------------------------------------------------------------------------
37
- describe("resolveSecretRef — file source", () => {
38
- it("reads a single-value file and trims whitespace", () => {
39
- const deps = makeDeps({}, {
40
- statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 20, mode: 0o600 }),
41
- readFileSync: () => " secret-from-file \n",
42
- });
43
- const ref = { source: "file", provider: "vault", id: "/secrets/api.key" };
44
- const result = resolveSecretRef(ref, deps);
45
- expect(result.ok).toBe(true);
46
- if (result.ok)
47
- expect(result.value).toBe("secret-from-file");
48
- });
49
- it("extracts value via JSON Pointer from JSON file", () => {
50
- const jsonContent = JSON.stringify({
51
- data: { apiKey: "extracted-key", other: "ignored" },
52
- });
53
- const deps = makeDeps({}, {
54
- statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 100, mode: 0o600 }),
55
- readFileSync: () => jsonContent,
56
- });
57
- const ref = {
58
- source: "file",
59
- provider: "vault#/data/apiKey",
60
- id: "/secrets/vault-response.json",
61
- };
62
- const result = resolveSecretRef(ref, deps);
63
- expect(result.ok).toBe(true);
64
- if (result.ok)
65
- expect(result.value).toBe("extracted-key");
66
- });
67
- it("rejects relative paths", () => {
68
- const deps = makeDeps();
69
- const ref = { source: "file", provider: "vault", id: "relative/path.key" };
70
- const result = resolveSecretRef(ref, deps);
71
- expect(result.ok).toBe(false);
72
- if (!result.ok)
73
- expect(result.error.message).toContain("absolute path");
74
- });
75
- it("rejects paths with traversal segments", () => {
76
- const deps = makeDeps();
77
- const ref = { source: "file", provider: "vault", id: "/secrets/../etc/passwd" };
78
- const result = resolveSecretRef(ref, deps);
79
- expect(result.ok).toBe(false);
80
- if (!result.ok)
81
- expect(result.error.message).toContain("traversal");
82
- });
83
- it("rejects files exceeding size limit", () => {
84
- const deps = makeDeps({}, {
85
- statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 2_000_000, mode: 0o600 }),
86
- });
87
- const ref = { source: "file", provider: "vault", id: "/secrets/big.key" };
88
- const result = resolveSecretRef(ref, deps);
89
- expect(result.ok).toBe(false);
90
- if (!result.ok)
91
- expect(result.error.message).toContain("exceeds size limit");
92
- });
93
- it("returns error for nonexistent file", () => {
94
- const deps = makeDeps({}, {
95
- statSync: () => { throw new Error("ENOENT"); },
96
- });
97
- const ref = { source: "file", provider: "vault", id: "/secrets/missing.key" };
98
- const result = resolveSecretRef(ref, deps);
99
- expect(result.ok).toBe(false);
100
- if (!result.ok)
101
- expect(result.error.message).toContain("not found");
102
- });
103
- it("rejects non-file (directory)", () => {
104
- const deps = makeDeps({}, {
105
- statSync: () => ({ isFile: () => false, isSymbolicLink: () => false, size: 0, mode: 0o755 }),
106
- });
107
- const ref = { source: "file", provider: "vault", id: "/secrets" };
108
- const result = resolveSecretRef(ref, deps);
109
- expect(result.ok).toBe(false);
110
- if (!result.ok)
111
- expect(result.error.message).toContain("not a regular file");
112
- });
113
- it("returns error when JSON Pointer target is not a string", () => {
114
- const jsonContent = JSON.stringify({ data: { nested: { value: 42 } } });
115
- const deps = makeDeps({}, {
116
- statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 50, mode: 0o600 }),
117
- readFileSync: () => jsonContent,
118
- });
119
- const ref = {
120
- source: "file",
121
- provider: "vault#/data/nested",
122
- id: "/secrets/vault.json",
123
- };
124
- const result = resolveSecretRef(ref, deps);
125
- expect(result.ok).toBe(false);
126
- if (!result.ok)
127
- expect(result.error.message).toContain("expected string");
128
- });
129
- });
130
- // ---------------------------------------------------------------------------
131
- // resolveSecretRef — exec source
132
- // ---------------------------------------------------------------------------
133
- describe("resolveSecretRef — exec source", () => {
134
- it("resolves value from valid JSON RPC response", () => {
135
- const mockExecFileSync = vi.fn().mockReturnValue(JSON.stringify({
136
- protocolVersion: 1,
137
- values: { "my-secret-id": "resolved-secret" },
138
- }));
139
- const deps = makeDeps({}, { execFileSync: mockExecFileSync });
140
- const ref = { source: "exec", provider: "op", id: "my-secret-id" };
141
- const result = resolveSecretRef(ref, deps);
142
- expect(result.ok).toBe(true);
143
- if (result.ok)
144
- expect(result.value).toBe("resolved-secret");
145
- // Verify protocol: command is ref.provider, args is empty array, input is JSON
146
- expect(mockExecFileSync).toHaveBeenCalledWith("op", [], expect.objectContaining({
147
- input: expect.stringContaining('"ids":["my-secret-id"]'),
148
- encoding: "utf-8",
149
- }));
150
- });
151
- it("returns error when command fails (timeout etc)", () => {
152
- const mockExecFileSync = vi.fn().mockImplementation(() => {
153
- throw new Error("ETIMEDOUT");
154
- });
155
- const deps = makeDeps({}, { execFileSync: mockExecFileSync });
156
- const ref = { source: "exec", provider: "slow-helper", id: "key" };
157
- const result = resolveSecretRef(ref, deps);
158
- expect(result.ok).toBe(false);
159
- if (!result.ok)
160
- expect(result.error.message).toContain("command failed");
161
- });
162
- it("returns error for invalid JSON response", () => {
163
- const mockExecFileSync = vi.fn().mockReturnValue("not-json");
164
- const deps = makeDeps({}, { execFileSync: mockExecFileSync });
165
- const ref = { source: "exec", provider: "broken-helper", id: "key" };
166
- const result = resolveSecretRef(ref, deps);
167
- expect(result.ok).toBe(false);
168
- if (!result.ok)
169
- expect(result.error.message).toContain("invalid JSON");
170
- });
171
- it("returns error for wrong protocol version", () => {
172
- const mockExecFileSync = vi.fn().mockReturnValue(JSON.stringify({ protocolVersion: 2, values: {} }));
173
- const deps = makeDeps({}, { execFileSync: mockExecFileSync });
174
- const ref = { source: "exec", provider: "future-helper", id: "key" };
175
- const result = resolveSecretRef(ref, deps);
176
- expect(result.ok).toBe(false);
177
- if (!result.ok)
178
- expect(result.error.message).toContain("protocol");
179
- });
180
- it("returns error when requested key is missing from response", () => {
181
- const mockExecFileSync = vi.fn().mockReturnValue(JSON.stringify({ protocolVersion: 1, values: { "other-key": "val" } }));
182
- const deps = makeDeps({}, { execFileSync: mockExecFileSync });
183
- const ref = { source: "exec", provider: "op", id: "missing-key" };
184
- const result = resolveSecretRef(ref, deps);
185
- expect(result.ok).toBe(false);
186
- if (!result.ok)
187
- expect(result.error.message).toContain("not found");
188
- });
189
- });
190
- // ---------------------------------------------------------------------------
191
- // resolveConfigSecretRefs — deep walk
192
- // ---------------------------------------------------------------------------
193
- describe("resolveConfigSecretRefs", () => {
194
- it("resolves nested SecretRef objects in config", () => {
195
- const deps = makeDeps({
196
- TELEGRAM_BOT_TOKEN: "tg-resolved",
197
- DISCORD_BOT_TOKEN: "dc-resolved",
198
- });
199
- const config = {
200
- channels: {
201
- telegram: {
202
- enabled: true,
203
- botToken: { source: "env", provider: "telegram", id: "TELEGRAM_BOT_TOKEN" },
204
- },
205
- discord: {
206
- enabled: true,
207
- botToken: { source: "env", provider: "discord", id: "DISCORD_BOT_TOKEN" },
208
- },
209
- },
210
- plainField: "stays-unchanged",
211
- };
212
- const result = resolveConfigSecretRefs(config, deps);
213
- expect(result.ok).toBe(true);
214
- if (result.ok) {
215
- const resolved = result.value;
216
- expect(resolved.channels.telegram.botToken).toBe("tg-resolved");
217
- expect(resolved.channels.discord.botToken).toBe("dc-resolved");
218
- expect(resolved.plainField).toBe("stays-unchanged");
219
- // Original should not be mutated
220
- expect(config.channels.telegram.botToken).toEqual({
221
- source: "env",
222
- provider: "telegram",
223
- id: "TELEGRAM_BOT_TOKEN",
224
- });
225
- }
226
- });
227
- it("returns first error when any ref fails", () => {
228
- const deps = makeDeps({}); // empty — env lookups will fail
229
- const config = {
230
- good: "plain-string",
231
- bad: { source: "env", provider: "x", id: "MISSING" },
232
- };
233
- const result = resolveConfigSecretRefs(config, deps);
234
- expect(result.ok).toBe(false);
235
- if (!result.ok)
236
- expect(result.error.message).toContain("not found in SecretManager");
237
- });
238
- it("returns clone unchanged when no SecretRefs present", () => {
239
- const deps = makeDeps();
240
- const config = {
241
- channels: { telegram: { enabled: false, botToken: "plain" } },
242
- nested: { array: [1, 2, 3] },
243
- };
244
- const result = resolveConfigSecretRefs(config, deps);
245
- expect(result.ok).toBe(true);
246
- if (result.ok) {
247
- expect(result.value).toEqual(config);
248
- // Must be a different object (clone)
249
- expect(result.value).not.toBe(config);
250
- }
251
- });
252
- it("resolves SecretRefs inside arrays", () => {
253
- const deps = makeDeps({ TOKEN_1: "val-1", TOKEN_2: "val-2" });
254
- const config = {
255
- tokens: [
256
- { source: "env", provider: "gw", id: "TOKEN_1" },
257
- "plain-token",
258
- { source: "env", provider: "gw", id: "TOKEN_2" },
259
- ],
260
- };
261
- const result = resolveConfigSecretRefs(config, deps);
262
- expect(result.ok).toBe(true);
263
- if (result.ok) {
264
- const resolved = result.value;
265
- expect(resolved.tokens).toEqual(["val-1", "plain-token", "val-2"]);
266
- }
267
- });
268
- });
@@ -1,10 +0,0 @@
1
- /**
2
- * Unit tests for secrets audit scanner.
3
- *
4
- * Tests scanConfigForSecrets, scanEnvForSecrets, and auditSecrets
5
- * covering config YAML scanning, .env scanning, SecretRef detection,
6
- * and combined audit scenarios.
7
- *
8
- * @module
9
- */
10
- export {};