comisai 1.0.11 → 1.0.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +1 -4
- package/node_modules/@comis/agent/package.json +1 -1
- package/node_modules/@comis/channels/package.json +1 -1
- package/node_modules/@comis/cli/package.json +1 -1
- package/node_modules/@comis/core/package.json +1 -1
- package/node_modules/@comis/daemon/package.json +1 -1
- package/node_modules/@comis/gateway/package.json +1 -1
- package/node_modules/@comis/infra/package.json +1 -1
- package/node_modules/@comis/memory/package.json +1 -1
- package/node_modules/@comis/scheduler/package.json +1 -1
- package/node_modules/@comis/shared/package.json +1 -1
- package/node_modules/@comis/skills/package.json +1 -1
- package/package.json +18 -18
- package/node_modules/@comis/core/dist/approval/approval-gate.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/approval/approval-gate.test.js +0 -1003
- package/node_modules/@comis/core/dist/bootstrap.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/bootstrap.test.js +0 -150
- package/node_modules/@comis/core/dist/config/backup.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/backup.test.js +0 -160
- package/node_modules/@comis/core/dist/config/env-substitution.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/env-substitution.test.js +0 -259
- package/node_modules/@comis/core/dist/config/field-metadata.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/field-metadata.test.js +0 -72
- package/node_modules/@comis/core/dist/config/git-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/git-manager.test.js +0 -1042
- package/node_modules/@comis/core/dist/config/immutable-keys.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/immutable-keys.test.js +0 -283
- package/node_modules/@comis/core/dist/config/include-resolver.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/include-resolver.test.js +0 -292
- package/node_modules/@comis/core/dist/config/layered.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/layered.test.js +0 -211
- package/node_modules/@comis/core/dist/config/loader.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/loader.test.js +0 -300
- package/node_modules/@comis/core/dist/config/migrate.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/migrate.test.js +0 -244
- package/node_modules/@comis/core/dist/config/partial-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/partial-validator.test.js +0 -98
- package/node_modules/@comis/core/dist/config/schema-agent-model.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent-model.test.js +0 -279
- package/node_modules/@comis/core/dist/config/schema-agent-session.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent-session.test.js +0 -242
- package/node_modules/@comis/core/dist/config/schema-agent.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent.test.js +0 -645
- package/node_modules/@comis/core/dist/config/schema-channel.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-channel.test.js +0 -341
- package/node_modules/@comis/core/dist/config/schema-coalescer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-coalescer.test.js +0 -51
- package/node_modules/@comis/core/dist/config/schema-context-engine.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-context-engine.test.js +0 -797
- package/node_modules/@comis/core/dist/config/schema-context-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-context-guard.test.js +0 -111
- package/node_modules/@comis/core/dist/config/schema-daemon.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-daemon.test.js +0 -107
- package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.js +0 -51
- package/node_modules/@comis/core/dist/config/schema-documentation.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-documentation.test.js +0 -63
- package/node_modules/@comis/core/dist/config/schema-gateway.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-gateway.test.js +0 -219
- package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.js +0 -41
- package/node_modules/@comis/core/dist/config/schema-integrations.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-integrations.test.js +0 -92
- package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.js +0 -61
- package/node_modules/@comis/core/dist/config/schema-misc.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-misc.test.js +0 -394
- package/node_modules/@comis/core/dist/config/schema-observability.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-observability.test.js +0 -76
- package/node_modules/@comis/core/dist/config/schema-providers.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-providers.test.js +0 -294
- package/node_modules/@comis/core/dist/config/schema-queue.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-queue.test.js +0 -234
- package/node_modules/@comis/core/dist/config/schema-response-prefix.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-response-prefix.test.js +0 -36
- package/node_modules/@comis/core/dist/config/schema-security.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-security.test.js +0 -54
- package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.js +0 -60
- package/node_modules/@comis/core/dist/config/schema-serializer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-serializer.test.js +0 -73
- package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.js +0 -39
- package/node_modules/@comis/core/dist/context/context.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/context/context.test.js +0 -276
- package/node_modules/@comis/core/dist/domain/agent-response.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/agent-response.test.js +0 -159
- package/node_modules/@comis/core/dist/domain/credential-mapping.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/credential-mapping.test.js +0 -135
- package/node_modules/@comis/core/dist/domain/delivery-origin.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/delivery-origin.test.js +0 -68
- package/node_modules/@comis/core/dist/domain/execution-graph.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/execution-graph.test.js +0 -441
- package/node_modules/@comis/core/dist/domain/memory-entry.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/memory-entry.test.js +0 -193
- package/node_modules/@comis/core/dist/domain/normalized-message.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/normalized-message.test.js +0 -255
- package/node_modules/@comis/core/dist/domain/session-key.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/session-key.test.js +0 -291
- package/node_modules/@comis/core/dist/domain/subagent-context-config.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/subagent-context-config.test.js +0 -131
- package/node_modules/@comis/core/dist/domain/subagent-context-types.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/subagent-context-types.test.js +0 -182
- package/node_modules/@comis/core/dist/event-bus/bus.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/bus.test.js +0 -152
- package/node_modules/@comis/core/dist/event-bus/events-agent.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-agent.test.js +0 -409
- package/node_modules/@comis/core/dist/event-bus/events-channel.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-channel.test.js +0 -240
- package/node_modules/@comis/core/dist/event-bus/events-infra.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-infra.test.js +0 -416
- package/node_modules/@comis/core/dist/event-bus/events-messaging.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-messaging.test.js +0 -433
- package/node_modules/@comis/core/dist/event-bus/events.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events.test.js +0 -93
- package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.js +0 -29
- package/node_modules/@comis/core/dist/hooks/hook-runner.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-runner.test.js +0 -490
- package/node_modules/@comis/core/dist/hooks/hook-strategies.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-strategies.test.js +0 -209
- package/node_modules/@comis/core/dist/hooks/integration.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/integration.test.js +0 -235
- package/node_modules/@comis/core/dist/hooks/plugin-registry.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/plugin-registry.test.js +0 -470
- package/node_modules/@comis/core/dist/load-env.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/load-env.test.js +0 -21
- package/node_modules/@comis/core/dist/security/action-classifier.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/action-classifier.test.js +0 -298
- package/node_modules/@comis/core/dist/security/audit-aggregator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/audit-aggregator.test.js +0 -128
- package/node_modules/@comis/core/dist/security/audit.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/audit.test.js +0 -154
- package/node_modules/@comis/core/dist/security/canary-token.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/canary-token.test.js +0 -45
- package/node_modules/@comis/core/dist/security/config-redaction.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/config-redaction.test.js +0 -107
- package/node_modules/@comis/core/dist/security/external-content.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/external-content.test.js +0 -210
- package/node_modules/@comis/core/dist/security/injection-patterns.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/injection-patterns.test.js +0 -213
- package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.js +0 -194
- package/node_modules/@comis/core/dist/security/input-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-guard.test.js +0 -215
- package/node_modules/@comis/core/dist/security/input-security-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-security-guard.test.js +0 -215
- package/node_modules/@comis/core/dist/security/input-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-validator.test.js +0 -133
- package/node_modules/@comis/core/dist/security/log-sanitizer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/log-sanitizer.test.js +0 -260
- package/node_modules/@comis/core/dist/security/memory-write-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/memory-write-validator.test.js +0 -62
- package/node_modules/@comis/core/dist/security/output-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/output-guard.test.js +0 -397
- package/node_modules/@comis/core/dist/security/safe-path.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/safe-path.test.js +0 -95
- package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.js +0 -231
- package/node_modules/@comis/core/dist/security/secret-access.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-access.test.js +0 -41
- package/node_modules/@comis/core/dist/security/secret-crypto.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-crypto.test.js +0 -113
- package/node_modules/@comis/core/dist/security/secret-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-manager.test.js +0 -394
- package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.js +0 -268
- package/node_modules/@comis/core/dist/security/secrets-audit.test.d.ts +0 -10
- package/node_modules/@comis/core/dist/security/secrets-audit.test.js +0 -295
- package/node_modules/@comis/core/dist/security/ssrf-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/ssrf-guard.test.js +0 -127
- package/node_modules/@comis/core/dist/security/token-generator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/token-generator.test.js +0 -35
- package/node_modules/@comis/core/dist/tool-metadata.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/tool-metadata.test.js +0 -112
- package/node_modules/@comis/memory/dist/compaction.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/compaction.test.js +0 -298
- package/node_modules/@comis/memory/dist/context-schema.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/context-schema.test.js +0 -246
- package/node_modules/@comis/memory/dist/context-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/context-store.test.js +0 -708
- package/node_modules/@comis/memory/dist/credential-mapping-schema.test.d.ts +0 -7
- package/node_modules/@comis/memory/dist/credential-mapping-schema.test.js +0 -73
- package/node_modules/@comis/memory/dist/credential-mapping-store.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/credential-mapping-store.test.js +0 -340
- package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.js +0 -165
- package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.js +0 -263
- package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.js +0 -202
- package/node_modules/@comis/memory/dist/embedding-cache-lru.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-cache-lru.test.js +0 -241
- package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.js +0 -678
- package/node_modules/@comis/memory/dist/embedding-cache.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-cache.test.js +0 -213
- package/node_modules/@comis/memory/dist/embedding-fingerprint.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-fingerprint.test.js +0 -87
- package/node_modules/@comis/memory/dist/embedding-hash.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-hash.test.js +0 -31
- package/node_modules/@comis/memory/dist/embedding-integration.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-integration.test.js +0 -232
- package/node_modules/@comis/memory/dist/embedding-provider-factory.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-provider-factory.test.js +0 -176
- package/node_modules/@comis/memory/dist/embedding-provider-local.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-provider-local.test.js +0 -76
- package/node_modules/@comis/memory/dist/embedding-provider-openai.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-provider-openai.test.js +0 -100
- package/node_modules/@comis/memory/dist/embedding-queue.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-queue.test.js +0 -236
- package/node_modules/@comis/memory/dist/hybrid-search.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/hybrid-search.test.js +0 -476
- package/node_modules/@comis/memory/dist/identity-link-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/identity-link-store.test.js +0 -88
- package/node_modules/@comis/memory/dist/memory-api.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/memory-api.test.js +0 -495
- package/node_modules/@comis/memory/dist/memory-concurrency.test.d.ts +0 -20
- package/node_modules/@comis/memory/dist/memory-concurrency.test.js +0 -222
- package/node_modules/@comis/memory/dist/named-graph-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/named-graph-store.test.js +0 -227
- package/node_modules/@comis/memory/dist/observability-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/observability-store.test.js +0 -704
- package/node_modules/@comis/memory/dist/row-mapper.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/row-mapper.test.js +0 -409
- package/node_modules/@comis/memory/dist/schema.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/schema.test.js +0 -240
- package/node_modules/@comis/memory/dist/secret-store-schema.test.d.ts +0 -7
- package/node_modules/@comis/memory/dist/secret-store-schema.test.js +0 -90
- package/node_modules/@comis/memory/dist/session-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/session-store.test.js +0 -262
- package/node_modules/@comis/memory/dist/setup-secrets.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/setup-secrets.test.js +0 -140
- package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.js +0 -888
- package/node_modules/@comis/memory/dist/sqlite-secret-store.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/sqlite-secret-store.test.js +0 -245
- package/node_modules/@comis/shared/dist/abort.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/abort.test.js +0 -71
- package/node_modules/@comis/shared/dist/result.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/result.test.js +0 -178
- package/node_modules/@comis/shared/dist/suppress-error.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/suppress-error.test.js +0 -50
- package/node_modules/@comis/shared/dist/timeout.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/timeout.test.js +0 -75
- package/node_modules/@comis/shared/dist/ttl-cache.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/ttl-cache.test.js +0 -81
|
@@ -1,394 +0,0 @@
|
|
|
1
|
-
import { describe, it, expect, beforeEach } from "vitest";
|
|
2
|
-
import { createSecretManager, envSubset, createScopedSecretManager } from "./secret-manager.js";
|
|
3
|
-
import { TypedEventBus } from "../event-bus/index.js";
|
|
4
|
-
describe("SecretManager", () => {
|
|
5
|
-
const testEnv = {
|
|
6
|
-
TEST_KEY: "test-value",
|
|
7
|
-
API_TOKEN: "secret-token-123",
|
|
8
|
-
EMPTY_KEY: "",
|
|
9
|
-
UNDEF_KEY: undefined,
|
|
10
|
-
};
|
|
11
|
-
function makeManager() {
|
|
12
|
-
return createSecretManager(testEnv);
|
|
13
|
-
}
|
|
14
|
-
describe("get()", () => {
|
|
15
|
-
it("returns value when key exists", () => {
|
|
16
|
-
const manager = makeManager();
|
|
17
|
-
expect(manager.get("TEST_KEY")).toBe("test-value");
|
|
18
|
-
});
|
|
19
|
-
it("returns undefined when key does not exist", () => {
|
|
20
|
-
const manager = makeManager();
|
|
21
|
-
expect(manager.get("NONEXISTENT")).toBeUndefined();
|
|
22
|
-
});
|
|
23
|
-
it("treats undefined values as non-existent", () => {
|
|
24
|
-
const manager = makeManager();
|
|
25
|
-
expect(manager.get("UNDEF_KEY")).toBeUndefined();
|
|
26
|
-
});
|
|
27
|
-
});
|
|
28
|
-
describe("has()", () => {
|
|
29
|
-
it("returns true when key exists", () => {
|
|
30
|
-
const manager = makeManager();
|
|
31
|
-
expect(manager.has("TEST_KEY")).toBe(true);
|
|
32
|
-
});
|
|
33
|
-
it("returns false when key does not exist", () => {
|
|
34
|
-
const manager = makeManager();
|
|
35
|
-
expect(manager.has("NONEXISTENT")).toBe(false);
|
|
36
|
-
});
|
|
37
|
-
it("returns false for keys with undefined values", () => {
|
|
38
|
-
const manager = makeManager();
|
|
39
|
-
expect(manager.has("UNDEF_KEY")).toBe(false);
|
|
40
|
-
});
|
|
41
|
-
});
|
|
42
|
-
describe("require()", () => {
|
|
43
|
-
it("returns value when key exists", () => {
|
|
44
|
-
const manager = makeManager();
|
|
45
|
-
expect(manager.require("TEST_KEY")).toBe("test-value");
|
|
46
|
-
});
|
|
47
|
-
it("throws with key name in message when key does not exist", () => {
|
|
48
|
-
const manager = makeManager();
|
|
49
|
-
expect(() => manager.require("NONEXISTENT")).toThrow("NONEXISTENT");
|
|
50
|
-
});
|
|
51
|
-
it("SHR-01: error message does NOT enumerate available key names", () => {
|
|
52
|
-
const manager = createSecretManager({ A: "val-a", B: "val-b" });
|
|
53
|
-
try {
|
|
54
|
-
manager.require("MISSING");
|
|
55
|
-
expect.fail("should have thrown");
|
|
56
|
-
}
|
|
57
|
-
catch (e) {
|
|
58
|
-
const msg = e.message;
|
|
59
|
-
// Must mention the missing key
|
|
60
|
-
expect(msg).toContain("MISSING");
|
|
61
|
-
// Must NOT list other keys
|
|
62
|
-
expect(msg).not.toContain("Available keys");
|
|
63
|
-
expect(msg).not.toContain('"A"');
|
|
64
|
-
expect(msg).not.toContain('"B"');
|
|
65
|
-
expect(msg).not.toContain("A, B");
|
|
66
|
-
expect(msg).not.toContain("B, A");
|
|
67
|
-
// Should contain the new help text
|
|
68
|
-
expect(msg).toContain("Check that this key is defined");
|
|
69
|
-
}
|
|
70
|
-
});
|
|
71
|
-
it("LOG-06: require() error does not leak other key names or values", () => {
|
|
72
|
-
const mgr = createSecretManager({
|
|
73
|
-
KEY_A: "secret-val-1",
|
|
74
|
-
KEY_B: "secret-val-2",
|
|
75
|
-
OPENAI_API_KEY: "sk-realkey",
|
|
76
|
-
});
|
|
77
|
-
expect(() => mgr.require("MISSING")).toThrowError(/Required secret "MISSING"/);
|
|
78
|
-
try {
|
|
79
|
-
mgr.require("MISSING");
|
|
80
|
-
}
|
|
81
|
-
catch (e) {
|
|
82
|
-
const msg = e.message;
|
|
83
|
-
expect(msg).not.toContain("KEY_A");
|
|
84
|
-
expect(msg).not.toContain("KEY_B");
|
|
85
|
-
expect(msg).not.toContain("OPENAI_API_KEY");
|
|
86
|
-
expect(msg).not.toContain("secret-val-1");
|
|
87
|
-
expect(msg).not.toContain("sk-realkey");
|
|
88
|
-
}
|
|
89
|
-
});
|
|
90
|
-
});
|
|
91
|
-
describe("no credential enumeration", () => {
|
|
92
|
-
it("does not expose .env property", () => {
|
|
93
|
-
const manager = makeManager();
|
|
94
|
-
expect(manager["env"]).toBeUndefined();
|
|
95
|
-
});
|
|
96
|
-
it("does not expose .getAll() method", () => {
|
|
97
|
-
const manager = makeManager();
|
|
98
|
-
expect(manager["getAll"]).toBeUndefined();
|
|
99
|
-
});
|
|
100
|
-
});
|
|
101
|
-
describe("createSecretManager() with env overrides", () => {
|
|
102
|
-
it("accepts a controlled record of env vars", () => {
|
|
103
|
-
const manager = createSecretManager({ CUSTOM_KEY: "custom-value" });
|
|
104
|
-
expect(manager.get("CUSTOM_KEY")).toBe("custom-value");
|
|
105
|
-
});
|
|
106
|
-
});
|
|
107
|
-
describe("defensive copy", () => {
|
|
108
|
-
it("modifying original env after creation does not affect manager", () => {
|
|
109
|
-
const env = {
|
|
110
|
-
MUTABLE_KEY: "original",
|
|
111
|
-
};
|
|
112
|
-
const manager = createSecretManager(env);
|
|
113
|
-
// Mutate the original object
|
|
114
|
-
env["MUTABLE_KEY"] = "mutated";
|
|
115
|
-
env["NEW_KEY"] = "new-value";
|
|
116
|
-
expect(manager.get("MUTABLE_KEY")).toBe("original");
|
|
117
|
-
expect(manager.get("NEW_KEY")).toBeUndefined();
|
|
118
|
-
});
|
|
119
|
-
});
|
|
120
|
-
describe("keys()", () => {
|
|
121
|
-
it("returns available key names", () => {
|
|
122
|
-
const manager = makeManager();
|
|
123
|
-
const keys = manager.keys();
|
|
124
|
-
expect(keys).toContain("TEST_KEY");
|
|
125
|
-
expect(keys).toContain("API_TOKEN");
|
|
126
|
-
expect(keys).toContain("EMPTY_KEY");
|
|
127
|
-
// UNDEF_KEY should not be in keys since its value is undefined
|
|
128
|
-
expect(keys).not.toContain("UNDEF_KEY");
|
|
129
|
-
});
|
|
130
|
-
it("returns a defensive copy of keys array", () => {
|
|
131
|
-
const manager = makeManager();
|
|
132
|
-
const keys1 = manager.keys();
|
|
133
|
-
const keys2 = manager.keys();
|
|
134
|
-
expect(keys1).toEqual(keys2);
|
|
135
|
-
expect(keys1).not.toBe(keys2); // Different array instances
|
|
136
|
-
});
|
|
137
|
-
});
|
|
138
|
-
});
|
|
139
|
-
describe("envSubset()", () => {
|
|
140
|
-
it("SHR-05: returns only requested keys from manager", () => {
|
|
141
|
-
const manager = createSecretManager({
|
|
142
|
-
A: "1",
|
|
143
|
-
B: "2",
|
|
144
|
-
C: "3",
|
|
145
|
-
D: "4",
|
|
146
|
-
E: "5",
|
|
147
|
-
});
|
|
148
|
-
const subset = envSubset(manager, ["A", "C"]);
|
|
149
|
-
expect(subset).toEqual({ A: "1", C: "3" });
|
|
150
|
-
expect(Object.keys(subset)).toHaveLength(2);
|
|
151
|
-
});
|
|
152
|
-
it("SHR-05: returns empty for non-existent keys", () => {
|
|
153
|
-
const manager = createSecretManager({ A: "1" });
|
|
154
|
-
const subset = envSubset(manager, ["MISSING_1", "MISSING_2"]);
|
|
155
|
-
expect(subset).toEqual({});
|
|
156
|
-
});
|
|
157
|
-
it("SHR-05: returns a plain object, not a Map", () => {
|
|
158
|
-
const manager = createSecretManager({ X: "val" });
|
|
159
|
-
const subset = envSubset(manager, ["X"]);
|
|
160
|
-
expect(subset).toBeTypeOf("object");
|
|
161
|
-
expect(subset).not.toBeInstanceOf(Map);
|
|
162
|
-
expect(subset.X).toBe("val");
|
|
163
|
-
});
|
|
164
|
-
});
|
|
165
|
-
// ---------------------------------------------------------------------------
|
|
166
|
-
// ScopedSecretManager tests (merged from scoped-secret-manager.test.ts)
|
|
167
|
-
// ---------------------------------------------------------------------------
|
|
168
|
-
describe("ScopedSecretManager", () => {
|
|
169
|
-
const baseSecrets = {
|
|
170
|
-
OPENAI_API_KEY: "sk-test",
|
|
171
|
-
ANTHROPIC_API_KEY: "ak-test",
|
|
172
|
-
STRIPE_KEY: "sk_live_test",
|
|
173
|
-
UNRELATED: "value",
|
|
174
|
-
};
|
|
175
|
-
let base;
|
|
176
|
-
let bus;
|
|
177
|
-
let events;
|
|
178
|
-
beforeEach(() => {
|
|
179
|
-
base = createSecretManager(baseSecrets);
|
|
180
|
-
bus = new TypedEventBus();
|
|
181
|
-
events = [];
|
|
182
|
-
bus.on("secret:accessed", (e) => events.push(e));
|
|
183
|
-
});
|
|
184
|
-
it("get() delegates to base when pattern matches", () => {
|
|
185
|
-
const scoped = createScopedSecretManager(base, {
|
|
186
|
-
agentId: "agent-1",
|
|
187
|
-
allowPatterns: ["openai_*"],
|
|
188
|
-
eventBus: bus,
|
|
189
|
-
});
|
|
190
|
-
const value = scoped.get("OPENAI_API_KEY");
|
|
191
|
-
expect(value).toBe("sk-test");
|
|
192
|
-
expect(events).toHaveLength(1);
|
|
193
|
-
expect(events[0].outcome).toBe("success");
|
|
194
|
-
});
|
|
195
|
-
it("get() returns undefined when pattern denies", () => {
|
|
196
|
-
const scoped = createScopedSecretManager(base, {
|
|
197
|
-
agentId: "agent-1",
|
|
198
|
-
allowPatterns: ["openai_*"],
|
|
199
|
-
eventBus: bus,
|
|
200
|
-
});
|
|
201
|
-
const value = scoped.get("STRIPE_KEY");
|
|
202
|
-
expect(value).toBeUndefined();
|
|
203
|
-
expect(events).toHaveLength(1);
|
|
204
|
-
expect(events[0].outcome).toBe("denied");
|
|
205
|
-
});
|
|
206
|
-
it("get() emits not_found when base has no value", () => {
|
|
207
|
-
const scoped = createScopedSecretManager(base, {
|
|
208
|
-
agentId: "agent-1",
|
|
209
|
-
allowPatterns: ["openai_*"],
|
|
210
|
-
eventBus: bus,
|
|
211
|
-
});
|
|
212
|
-
const value = scoped.get("OPENAI_OTHER");
|
|
213
|
-
expect(value).toBeUndefined();
|
|
214
|
-
expect(events).toHaveLength(1);
|
|
215
|
-
expect(events[0].outcome).toBe("not_found");
|
|
216
|
-
});
|
|
217
|
-
it("has() returns false when pattern denies", () => {
|
|
218
|
-
const scoped = createScopedSecretManager(base, {
|
|
219
|
-
agentId: "agent-1",
|
|
220
|
-
allowPatterns: ["openai_*"],
|
|
221
|
-
eventBus: bus,
|
|
222
|
-
});
|
|
223
|
-
const result = scoped.has("STRIPE_KEY");
|
|
224
|
-
expect(result).toBe(false);
|
|
225
|
-
expect(events).toHaveLength(1);
|
|
226
|
-
expect(events[0].outcome).toBe("denied");
|
|
227
|
-
});
|
|
228
|
-
it("has() delegates when pattern allows", () => {
|
|
229
|
-
const scoped = createScopedSecretManager(base, {
|
|
230
|
-
agentId: "agent-1",
|
|
231
|
-
allowPatterns: ["openai_*"],
|
|
232
|
-
eventBus: bus,
|
|
233
|
-
});
|
|
234
|
-
const result = scoped.has("OPENAI_API_KEY");
|
|
235
|
-
expect(result).toBe(true);
|
|
236
|
-
expect(events).toHaveLength(1);
|
|
237
|
-
expect(events[0].outcome).toBe("success");
|
|
238
|
-
});
|
|
239
|
-
it("require() throws when pattern denies", () => {
|
|
240
|
-
const scoped = createScopedSecretManager(base, {
|
|
241
|
-
agentId: "agent-1",
|
|
242
|
-
allowPatterns: ["openai_*"],
|
|
243
|
-
eventBus: bus,
|
|
244
|
-
});
|
|
245
|
-
expect(() => scoped.require("STRIPE_KEY")).toThrow("not allowed");
|
|
246
|
-
expect(events).toHaveLength(1);
|
|
247
|
-
expect(events[0].outcome).toBe("denied");
|
|
248
|
-
});
|
|
249
|
-
it("require() throws when key not found in base", () => {
|
|
250
|
-
const scoped = createScopedSecretManager(base, {
|
|
251
|
-
agentId: "agent-1",
|
|
252
|
-
allowPatterns: ["openai_*"],
|
|
253
|
-
eventBus: bus,
|
|
254
|
-
});
|
|
255
|
-
expect(() => scoped.require("OPENAI_MISSING")).toThrow("not set");
|
|
256
|
-
expect(events).toHaveLength(1);
|
|
257
|
-
expect(events[0].outcome).toBe("not_found");
|
|
258
|
-
});
|
|
259
|
-
it("require() returns value when allowed and exists", () => {
|
|
260
|
-
const scoped = createScopedSecretManager(base, {
|
|
261
|
-
agentId: "agent-1",
|
|
262
|
-
allowPatterns: ["openai_*"],
|
|
263
|
-
eventBus: bus,
|
|
264
|
-
});
|
|
265
|
-
const value = scoped.require("OPENAI_API_KEY");
|
|
266
|
-
expect(value).toBe("sk-test");
|
|
267
|
-
expect(events).toHaveLength(1);
|
|
268
|
-
expect(events[0].outcome).toBe("success");
|
|
269
|
-
});
|
|
270
|
-
it("keys() filters by allow patterns", () => {
|
|
271
|
-
const scoped = createScopedSecretManager(base, {
|
|
272
|
-
agentId: "agent-1",
|
|
273
|
-
allowPatterns: ["openai_*", "anthropic_*"],
|
|
274
|
-
eventBus: bus,
|
|
275
|
-
});
|
|
276
|
-
const keys = scoped.keys();
|
|
277
|
-
expect(keys).toEqual(["OPENAI_API_KEY", "ANTHROPIC_API_KEY"]);
|
|
278
|
-
// keys() is a listing operation — no events emitted
|
|
279
|
-
expect(events).toHaveLength(0);
|
|
280
|
-
});
|
|
281
|
-
it("empty allow patterns = unrestricted access", () => {
|
|
282
|
-
const scoped = createScopedSecretManager(base, {
|
|
283
|
-
agentId: "agent-1",
|
|
284
|
-
allowPatterns: [],
|
|
285
|
-
eventBus: bus,
|
|
286
|
-
});
|
|
287
|
-
expect(scoped.get("OPENAI_API_KEY")).toBe("sk-test");
|
|
288
|
-
expect(scoped.get("STRIPE_KEY")).toBe("sk_live_test");
|
|
289
|
-
expect(scoped.has("UNRELATED")).toBe(true);
|
|
290
|
-
expect(scoped.require("ANTHROPIC_API_KEY")).toBe("ak-test");
|
|
291
|
-
expect(scoped.keys()).toEqual(expect.arrayContaining([
|
|
292
|
-
"OPENAI_API_KEY",
|
|
293
|
-
"ANTHROPIC_API_KEY",
|
|
294
|
-
"STRIPE_KEY",
|
|
295
|
-
"UNRELATED",
|
|
296
|
-
]));
|
|
297
|
-
// All access events should be "success"
|
|
298
|
-
expect(events.every((e) => e.outcome === "success")).toBe(true);
|
|
299
|
-
});
|
|
300
|
-
it("works without eventBus (no audit events)", () => {
|
|
301
|
-
const scoped = createScopedSecretManager(base, {
|
|
302
|
-
agentId: "agent-1",
|
|
303
|
-
allowPatterns: ["openai_*"],
|
|
304
|
-
// eventBus intentionally omitted
|
|
305
|
-
});
|
|
306
|
-
// All methods should work without crashing
|
|
307
|
-
expect(scoped.get("OPENAI_API_KEY")).toBe("sk-test");
|
|
308
|
-
expect(scoped.get("STRIPE_KEY")).toBeUndefined();
|
|
309
|
-
expect(scoped.has("OPENAI_API_KEY")).toBe(true);
|
|
310
|
-
expect(scoped.has("STRIPE_KEY")).toBe(false);
|
|
311
|
-
expect(scoped.require("OPENAI_API_KEY")).toBe("sk-test");
|
|
312
|
-
expect(() => scoped.require("STRIPE_KEY")).toThrow("not allowed");
|
|
313
|
-
expect(scoped.keys()).toEqual(["OPENAI_API_KEY"]);
|
|
314
|
-
// No events emitted to the bus we set up separately
|
|
315
|
-
expect(events).toHaveLength(0);
|
|
316
|
-
});
|
|
317
|
-
it("event payload includes agentId and timestamp", () => {
|
|
318
|
-
const scoped = createScopedSecretManager(base, {
|
|
319
|
-
agentId: "agent-audit-test",
|
|
320
|
-
allowPatterns: ["openai_*"],
|
|
321
|
-
eventBus: bus,
|
|
322
|
-
});
|
|
323
|
-
scoped.get("OPENAI_API_KEY");
|
|
324
|
-
expect(events).toHaveLength(1);
|
|
325
|
-
const event = events[0];
|
|
326
|
-
expect(event.agentId).toBe("agent-audit-test");
|
|
327
|
-
expect(event.secretName).toBe("OPENAI_API_KEY");
|
|
328
|
-
expect(event.outcome).toBe("success");
|
|
329
|
-
expect(typeof event.timestamp).toBe("number");
|
|
330
|
-
expect(event.timestamp).toBeGreaterThan(0);
|
|
331
|
-
});
|
|
332
|
-
});
|
|
333
|
-
describe("security:warn for unrestricted access (CORE-02)", () => {
|
|
334
|
-
const baseSecrets = {
|
|
335
|
-
OPENAI_API_KEY: "sk-test",
|
|
336
|
-
ANTHROPIC_API_KEY: "ak-test",
|
|
337
|
-
};
|
|
338
|
-
it("emits security:warn on first access when allowPatterns is empty", () => {
|
|
339
|
-
const base = createSecretManager(baseSecrets);
|
|
340
|
-
const bus = new TypedEventBus();
|
|
341
|
-
const warnEvents = [];
|
|
342
|
-
bus.on("security:warn", (e) => warnEvents.push(e));
|
|
343
|
-
const scoped = createScopedSecretManager(base, {
|
|
344
|
-
agentId: "agent-unrestricted",
|
|
345
|
-
allowPatterns: [],
|
|
346
|
-
eventBus: bus,
|
|
347
|
-
});
|
|
348
|
-
scoped.get("OPENAI_API_KEY");
|
|
349
|
-
expect(warnEvents).toHaveLength(1);
|
|
350
|
-
expect(warnEvents[0].category).toBe("secret_access");
|
|
351
|
-
expect(warnEvents[0].agentId).toBe("agent-unrestricted");
|
|
352
|
-
expect(warnEvents[0].message).toContain("secrets.allow");
|
|
353
|
-
expect(warnEvents[0].message).toContain("agent-unrestricted");
|
|
354
|
-
expect(typeof warnEvents[0].timestamp).toBe("number");
|
|
355
|
-
});
|
|
356
|
-
it("emits security:warn only once (subsequent accesses do not re-emit)", () => {
|
|
357
|
-
const base = createSecretManager(baseSecrets);
|
|
358
|
-
const bus = new TypedEventBus();
|
|
359
|
-
const warnEvents = [];
|
|
360
|
-
bus.on("security:warn", (e) => warnEvents.push(e));
|
|
361
|
-
const scoped = createScopedSecretManager(base, {
|
|
362
|
-
agentId: "agent-once",
|
|
363
|
-
allowPatterns: [],
|
|
364
|
-
eventBus: bus,
|
|
365
|
-
});
|
|
366
|
-
scoped.get("OPENAI_API_KEY");
|
|
367
|
-
scoped.has("ANTHROPIC_API_KEY");
|
|
368
|
-
scoped.require("OPENAI_API_KEY");
|
|
369
|
-
expect(warnEvents).toHaveLength(1);
|
|
370
|
-
});
|
|
371
|
-
it("does NOT emit security:warn when allowPatterns is non-empty", () => {
|
|
372
|
-
const base = createSecretManager(baseSecrets);
|
|
373
|
-
const bus = new TypedEventBus();
|
|
374
|
-
const warnEvents = [];
|
|
375
|
-
bus.on("security:warn", (e) => warnEvents.push(e));
|
|
376
|
-
const scoped = createScopedSecretManager(base, {
|
|
377
|
-
agentId: "agent-restricted",
|
|
378
|
-
allowPatterns: ["OPENAI_*"],
|
|
379
|
-
eventBus: bus,
|
|
380
|
-
});
|
|
381
|
-
scoped.get("OPENAI_API_KEY");
|
|
382
|
-
expect(warnEvents).toHaveLength(0);
|
|
383
|
-
});
|
|
384
|
-
it("does NOT emit security:warn when no eventBus is provided", () => {
|
|
385
|
-
const base = createSecretManager(baseSecrets);
|
|
386
|
-
const scoped = createScopedSecretManager(base, {
|
|
387
|
-
agentId: "agent-no-bus",
|
|
388
|
-
allowPatterns: [],
|
|
389
|
-
// eventBus intentionally omitted
|
|
390
|
-
});
|
|
391
|
-
// Should not throw
|
|
392
|
-
expect(() => scoped.get("OPENAI_API_KEY")).not.toThrow();
|
|
393
|
-
});
|
|
394
|
-
});
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export {};
|
|
@@ -1,268 +0,0 @@
|
|
|
1
|
-
import { describe, it, expect, vi } from "vitest";
|
|
2
|
-
import { createSecretManager } from "./secret-manager.js";
|
|
3
|
-
import { resolveSecretRef, resolveConfigSecretRefs } from "./secret-ref-resolver.js";
|
|
4
|
-
// ---------------------------------------------------------------------------
|
|
5
|
-
// Helpers
|
|
6
|
-
// ---------------------------------------------------------------------------
|
|
7
|
-
function makeDeps(env = {}, overrides = {}) {
|
|
8
|
-
return {
|
|
9
|
-
secretManager: createSecretManager(env),
|
|
10
|
-
...overrides,
|
|
11
|
-
};
|
|
12
|
-
}
|
|
13
|
-
// ---------------------------------------------------------------------------
|
|
14
|
-
// resolveSecretRef — env source
|
|
15
|
-
// ---------------------------------------------------------------------------
|
|
16
|
-
describe("resolveSecretRef — env source", () => {
|
|
17
|
-
it("resolves a known env key", () => {
|
|
18
|
-
const deps = makeDeps({ TELEGRAM_BOT_TOKEN: "my-secret-token" });
|
|
19
|
-
const ref = { source: "env", provider: "telegram", id: "TELEGRAM_BOT_TOKEN" };
|
|
20
|
-
const result = resolveSecretRef(ref, deps);
|
|
21
|
-
expect(result.ok).toBe(true);
|
|
22
|
-
if (result.ok)
|
|
23
|
-
expect(result.value).toBe("my-secret-token");
|
|
24
|
-
});
|
|
25
|
-
it("returns error for unknown env key", () => {
|
|
26
|
-
const deps = makeDeps({});
|
|
27
|
-
const ref = { source: "env", provider: "telegram", id: "MISSING_KEY" };
|
|
28
|
-
const result = resolveSecretRef(ref, deps);
|
|
29
|
-
expect(result.ok).toBe(false);
|
|
30
|
-
if (!result.ok)
|
|
31
|
-
expect(result.error.message).toContain("not found in SecretManager");
|
|
32
|
-
});
|
|
33
|
-
});
|
|
34
|
-
// ---------------------------------------------------------------------------
|
|
35
|
-
// resolveSecretRef — file source
|
|
36
|
-
// ---------------------------------------------------------------------------
|
|
37
|
-
describe("resolveSecretRef — file source", () => {
|
|
38
|
-
it("reads a single-value file and trims whitespace", () => {
|
|
39
|
-
const deps = makeDeps({}, {
|
|
40
|
-
statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 20, mode: 0o600 }),
|
|
41
|
-
readFileSync: () => " secret-from-file \n",
|
|
42
|
-
});
|
|
43
|
-
const ref = { source: "file", provider: "vault", id: "/secrets/api.key" };
|
|
44
|
-
const result = resolveSecretRef(ref, deps);
|
|
45
|
-
expect(result.ok).toBe(true);
|
|
46
|
-
if (result.ok)
|
|
47
|
-
expect(result.value).toBe("secret-from-file");
|
|
48
|
-
});
|
|
49
|
-
it("extracts value via JSON Pointer from JSON file", () => {
|
|
50
|
-
const jsonContent = JSON.stringify({
|
|
51
|
-
data: { apiKey: "extracted-key", other: "ignored" },
|
|
52
|
-
});
|
|
53
|
-
const deps = makeDeps({}, {
|
|
54
|
-
statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 100, mode: 0o600 }),
|
|
55
|
-
readFileSync: () => jsonContent,
|
|
56
|
-
});
|
|
57
|
-
const ref = {
|
|
58
|
-
source: "file",
|
|
59
|
-
provider: "vault#/data/apiKey",
|
|
60
|
-
id: "/secrets/vault-response.json",
|
|
61
|
-
};
|
|
62
|
-
const result = resolveSecretRef(ref, deps);
|
|
63
|
-
expect(result.ok).toBe(true);
|
|
64
|
-
if (result.ok)
|
|
65
|
-
expect(result.value).toBe("extracted-key");
|
|
66
|
-
});
|
|
67
|
-
it("rejects relative paths", () => {
|
|
68
|
-
const deps = makeDeps();
|
|
69
|
-
const ref = { source: "file", provider: "vault", id: "relative/path.key" };
|
|
70
|
-
const result = resolveSecretRef(ref, deps);
|
|
71
|
-
expect(result.ok).toBe(false);
|
|
72
|
-
if (!result.ok)
|
|
73
|
-
expect(result.error.message).toContain("absolute path");
|
|
74
|
-
});
|
|
75
|
-
it("rejects paths with traversal segments", () => {
|
|
76
|
-
const deps = makeDeps();
|
|
77
|
-
const ref = { source: "file", provider: "vault", id: "/secrets/../etc/passwd" };
|
|
78
|
-
const result = resolveSecretRef(ref, deps);
|
|
79
|
-
expect(result.ok).toBe(false);
|
|
80
|
-
if (!result.ok)
|
|
81
|
-
expect(result.error.message).toContain("traversal");
|
|
82
|
-
});
|
|
83
|
-
it("rejects files exceeding size limit", () => {
|
|
84
|
-
const deps = makeDeps({}, {
|
|
85
|
-
statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 2_000_000, mode: 0o600 }),
|
|
86
|
-
});
|
|
87
|
-
const ref = { source: "file", provider: "vault", id: "/secrets/big.key" };
|
|
88
|
-
const result = resolveSecretRef(ref, deps);
|
|
89
|
-
expect(result.ok).toBe(false);
|
|
90
|
-
if (!result.ok)
|
|
91
|
-
expect(result.error.message).toContain("exceeds size limit");
|
|
92
|
-
});
|
|
93
|
-
it("returns error for nonexistent file", () => {
|
|
94
|
-
const deps = makeDeps({}, {
|
|
95
|
-
statSync: () => { throw new Error("ENOENT"); },
|
|
96
|
-
});
|
|
97
|
-
const ref = { source: "file", provider: "vault", id: "/secrets/missing.key" };
|
|
98
|
-
const result = resolveSecretRef(ref, deps);
|
|
99
|
-
expect(result.ok).toBe(false);
|
|
100
|
-
if (!result.ok)
|
|
101
|
-
expect(result.error.message).toContain("not found");
|
|
102
|
-
});
|
|
103
|
-
it("rejects non-file (directory)", () => {
|
|
104
|
-
const deps = makeDeps({}, {
|
|
105
|
-
statSync: () => ({ isFile: () => false, isSymbolicLink: () => false, size: 0, mode: 0o755 }),
|
|
106
|
-
});
|
|
107
|
-
const ref = { source: "file", provider: "vault", id: "/secrets" };
|
|
108
|
-
const result = resolveSecretRef(ref, deps);
|
|
109
|
-
expect(result.ok).toBe(false);
|
|
110
|
-
if (!result.ok)
|
|
111
|
-
expect(result.error.message).toContain("not a regular file");
|
|
112
|
-
});
|
|
113
|
-
it("returns error when JSON Pointer target is not a string", () => {
|
|
114
|
-
const jsonContent = JSON.stringify({ data: { nested: { value: 42 } } });
|
|
115
|
-
const deps = makeDeps({}, {
|
|
116
|
-
statSync: () => ({ isFile: () => true, isSymbolicLink: () => false, size: 50, mode: 0o600 }),
|
|
117
|
-
readFileSync: () => jsonContent,
|
|
118
|
-
});
|
|
119
|
-
const ref = {
|
|
120
|
-
source: "file",
|
|
121
|
-
provider: "vault#/data/nested",
|
|
122
|
-
id: "/secrets/vault.json",
|
|
123
|
-
};
|
|
124
|
-
const result = resolveSecretRef(ref, deps);
|
|
125
|
-
expect(result.ok).toBe(false);
|
|
126
|
-
if (!result.ok)
|
|
127
|
-
expect(result.error.message).toContain("expected string");
|
|
128
|
-
});
|
|
129
|
-
});
|
|
130
|
-
// ---------------------------------------------------------------------------
|
|
131
|
-
// resolveSecretRef — exec source
|
|
132
|
-
// ---------------------------------------------------------------------------
|
|
133
|
-
describe("resolveSecretRef — exec source", () => {
|
|
134
|
-
it("resolves value from valid JSON RPC response", () => {
|
|
135
|
-
const mockExecFileSync = vi.fn().mockReturnValue(JSON.stringify({
|
|
136
|
-
protocolVersion: 1,
|
|
137
|
-
values: { "my-secret-id": "resolved-secret" },
|
|
138
|
-
}));
|
|
139
|
-
const deps = makeDeps({}, { execFileSync: mockExecFileSync });
|
|
140
|
-
const ref = { source: "exec", provider: "op", id: "my-secret-id" };
|
|
141
|
-
const result = resolveSecretRef(ref, deps);
|
|
142
|
-
expect(result.ok).toBe(true);
|
|
143
|
-
if (result.ok)
|
|
144
|
-
expect(result.value).toBe("resolved-secret");
|
|
145
|
-
// Verify protocol: command is ref.provider, args is empty array, input is JSON
|
|
146
|
-
expect(mockExecFileSync).toHaveBeenCalledWith("op", [], expect.objectContaining({
|
|
147
|
-
input: expect.stringContaining('"ids":["my-secret-id"]'),
|
|
148
|
-
encoding: "utf-8",
|
|
149
|
-
}));
|
|
150
|
-
});
|
|
151
|
-
it("returns error when command fails (timeout etc)", () => {
|
|
152
|
-
const mockExecFileSync = vi.fn().mockImplementation(() => {
|
|
153
|
-
throw new Error("ETIMEDOUT");
|
|
154
|
-
});
|
|
155
|
-
const deps = makeDeps({}, { execFileSync: mockExecFileSync });
|
|
156
|
-
const ref = { source: "exec", provider: "slow-helper", id: "key" };
|
|
157
|
-
const result = resolveSecretRef(ref, deps);
|
|
158
|
-
expect(result.ok).toBe(false);
|
|
159
|
-
if (!result.ok)
|
|
160
|
-
expect(result.error.message).toContain("command failed");
|
|
161
|
-
});
|
|
162
|
-
it("returns error for invalid JSON response", () => {
|
|
163
|
-
const mockExecFileSync = vi.fn().mockReturnValue("not-json");
|
|
164
|
-
const deps = makeDeps({}, { execFileSync: mockExecFileSync });
|
|
165
|
-
const ref = { source: "exec", provider: "broken-helper", id: "key" };
|
|
166
|
-
const result = resolveSecretRef(ref, deps);
|
|
167
|
-
expect(result.ok).toBe(false);
|
|
168
|
-
if (!result.ok)
|
|
169
|
-
expect(result.error.message).toContain("invalid JSON");
|
|
170
|
-
});
|
|
171
|
-
it("returns error for wrong protocol version", () => {
|
|
172
|
-
const mockExecFileSync = vi.fn().mockReturnValue(JSON.stringify({ protocolVersion: 2, values: {} }));
|
|
173
|
-
const deps = makeDeps({}, { execFileSync: mockExecFileSync });
|
|
174
|
-
const ref = { source: "exec", provider: "future-helper", id: "key" };
|
|
175
|
-
const result = resolveSecretRef(ref, deps);
|
|
176
|
-
expect(result.ok).toBe(false);
|
|
177
|
-
if (!result.ok)
|
|
178
|
-
expect(result.error.message).toContain("protocol");
|
|
179
|
-
});
|
|
180
|
-
it("returns error when requested key is missing from response", () => {
|
|
181
|
-
const mockExecFileSync = vi.fn().mockReturnValue(JSON.stringify({ protocolVersion: 1, values: { "other-key": "val" } }));
|
|
182
|
-
const deps = makeDeps({}, { execFileSync: mockExecFileSync });
|
|
183
|
-
const ref = { source: "exec", provider: "op", id: "missing-key" };
|
|
184
|
-
const result = resolveSecretRef(ref, deps);
|
|
185
|
-
expect(result.ok).toBe(false);
|
|
186
|
-
if (!result.ok)
|
|
187
|
-
expect(result.error.message).toContain("not found");
|
|
188
|
-
});
|
|
189
|
-
});
|
|
190
|
-
// ---------------------------------------------------------------------------
|
|
191
|
-
// resolveConfigSecretRefs — deep walk
|
|
192
|
-
// ---------------------------------------------------------------------------
|
|
193
|
-
describe("resolveConfigSecretRefs", () => {
|
|
194
|
-
it("resolves nested SecretRef objects in config", () => {
|
|
195
|
-
const deps = makeDeps({
|
|
196
|
-
TELEGRAM_BOT_TOKEN: "tg-resolved",
|
|
197
|
-
DISCORD_BOT_TOKEN: "dc-resolved",
|
|
198
|
-
});
|
|
199
|
-
const config = {
|
|
200
|
-
channels: {
|
|
201
|
-
telegram: {
|
|
202
|
-
enabled: true,
|
|
203
|
-
botToken: { source: "env", provider: "telegram", id: "TELEGRAM_BOT_TOKEN" },
|
|
204
|
-
},
|
|
205
|
-
discord: {
|
|
206
|
-
enabled: true,
|
|
207
|
-
botToken: { source: "env", provider: "discord", id: "DISCORD_BOT_TOKEN" },
|
|
208
|
-
},
|
|
209
|
-
},
|
|
210
|
-
plainField: "stays-unchanged",
|
|
211
|
-
};
|
|
212
|
-
const result = resolveConfigSecretRefs(config, deps);
|
|
213
|
-
expect(result.ok).toBe(true);
|
|
214
|
-
if (result.ok) {
|
|
215
|
-
const resolved = result.value;
|
|
216
|
-
expect(resolved.channels.telegram.botToken).toBe("tg-resolved");
|
|
217
|
-
expect(resolved.channels.discord.botToken).toBe("dc-resolved");
|
|
218
|
-
expect(resolved.plainField).toBe("stays-unchanged");
|
|
219
|
-
// Original should not be mutated
|
|
220
|
-
expect(config.channels.telegram.botToken).toEqual({
|
|
221
|
-
source: "env",
|
|
222
|
-
provider: "telegram",
|
|
223
|
-
id: "TELEGRAM_BOT_TOKEN",
|
|
224
|
-
});
|
|
225
|
-
}
|
|
226
|
-
});
|
|
227
|
-
it("returns first error when any ref fails", () => {
|
|
228
|
-
const deps = makeDeps({}); // empty — env lookups will fail
|
|
229
|
-
const config = {
|
|
230
|
-
good: "plain-string",
|
|
231
|
-
bad: { source: "env", provider: "x", id: "MISSING" },
|
|
232
|
-
};
|
|
233
|
-
const result = resolveConfigSecretRefs(config, deps);
|
|
234
|
-
expect(result.ok).toBe(false);
|
|
235
|
-
if (!result.ok)
|
|
236
|
-
expect(result.error.message).toContain("not found in SecretManager");
|
|
237
|
-
});
|
|
238
|
-
it("returns clone unchanged when no SecretRefs present", () => {
|
|
239
|
-
const deps = makeDeps();
|
|
240
|
-
const config = {
|
|
241
|
-
channels: { telegram: { enabled: false, botToken: "plain" } },
|
|
242
|
-
nested: { array: [1, 2, 3] },
|
|
243
|
-
};
|
|
244
|
-
const result = resolveConfigSecretRefs(config, deps);
|
|
245
|
-
expect(result.ok).toBe(true);
|
|
246
|
-
if (result.ok) {
|
|
247
|
-
expect(result.value).toEqual(config);
|
|
248
|
-
// Must be a different object (clone)
|
|
249
|
-
expect(result.value).not.toBe(config);
|
|
250
|
-
}
|
|
251
|
-
});
|
|
252
|
-
it("resolves SecretRefs inside arrays", () => {
|
|
253
|
-
const deps = makeDeps({ TOKEN_1: "val-1", TOKEN_2: "val-2" });
|
|
254
|
-
const config = {
|
|
255
|
-
tokens: [
|
|
256
|
-
{ source: "env", provider: "gw", id: "TOKEN_1" },
|
|
257
|
-
"plain-token",
|
|
258
|
-
{ source: "env", provider: "gw", id: "TOKEN_2" },
|
|
259
|
-
],
|
|
260
|
-
};
|
|
261
|
-
const result = resolveConfigSecretRefs(config, deps);
|
|
262
|
-
expect(result.ok).toBe(true);
|
|
263
|
-
if (result.ok) {
|
|
264
|
-
const resolved = result.value;
|
|
265
|
-
expect(resolved.tokens).toEqual(["val-1", "plain-token", "val-2"]);
|
|
266
|
-
}
|
|
267
|
-
});
|
|
268
|
-
});
|