kadi-deploy 0.19.0

package/tests/nonce.test.ts

@@ -0,0 +1,34 @@
+/**
+ * Nonce Generation Tests
+ *
+ * Tests for cryptographic nonce generation used in secrets injection.
+ */
+
+import { describe, it, expect } from 'vitest';
+import { generateNonce } from '../src/secrets/nonce.js';
+
+describe('generateNonce', () => {
+  it('generates a hex string of default length', () => {
+    const nonce = generateNonce();
+    expect(nonce).toMatch(/^[0-9a-f]+$/);
+    // 32 bytes = 64 hex chars
+    expect(nonce).toHaveLength(64);
+  });
+
+  it('generates a hex string of custom length', () => {
+    const nonce = generateNonce(16);
+    expect(nonce).toMatch(/^[0-9a-f]+$/);
+    // 16 bytes = 32 hex chars
+    expect(nonce).toHaveLength(32);
+  });
+
+  it('generates unique nonces on each call', () => {
+    const nonces = new Set(Array.from({ length: 100 }, () => generateNonce()));
+    expect(nonces.size).toBe(100);
+  });
+
+  it('generates a 1-byte nonce', () => {
+    const nonce = generateNonce(1);
+    expect(nonce).toHaveLength(2);
+  });
+});

package/tests/normalize.test.ts

@@ -0,0 +1,270 @@
+/**
+ * Secrets Normalization Tests
+ *
+ * Verifies normalizeSecrets() correctly handles legacy single-vault,
+ * multi-vault, and edge-case configurations.
+ */
+
+import { describe, it, expect } from 'vitest';
+import {
+  normalizeSecrets,
+  hasAnySecrets,
+  allRequiredKeys,
+  allOptionalKeys,
+  allSecretKeys,
+  buildVaultSourcesEnv,
+  type NormalizedSecrets,
+  type NormalizedVaultSource,
+  type RawSecretsConfig,
+} from '../src/secrets/normalize.js';
+
+// ─────────────────────────────────────────────────────────
+// normalizeSecrets
+// ─────────────────────────────────────────────────────────
+
+describe('normalizeSecrets', () => {
+  describe('returns null for falsy input', () => {
+    it('returns null for undefined', () => {
+      expect(normalizeSecrets(undefined)).toBeNull();
+    });
+
+    it('returns null for null', () => {
+      expect(normalizeSecrets(null)).toBeNull();
+    });
+  });
+
+  describe('legacy single-vault format', () => {
+    it('normalizes minimal vault-only config', () => {
+      const result = normalizeSecrets({ vault: 'my-app' });
+      expect(result).toEqual({
+        sources: [{ vault: 'my-app', required: [], optional: [] }],
+        delivery: 'env',
+      });
+    });
+
+    it('normalizes with required keys', () => {
+      const result = normalizeSecrets({
+        vault: 'dev',
+        required: ['API_KEY', 'DB_URL'],
+      });
+      expect(result).toEqual({
+        sources: [{ vault: 'dev', required: ['API_KEY', 'DB_URL'], optional: [] }],
+        delivery: 'env',
+      });
+    });
+
+    it('normalizes with optional keys', () => {
+      const result = normalizeSecrets({
+        vault: 'dev',
+        optional: ['DEBUG_KEY'],
+      });
+      expect(result).toEqual({
+        sources: [{ vault: 'dev', required: [], optional: ['DEBUG_KEY'] }],
+        delivery: 'env',
+      });
+    });
+
+    it('normalizes with required, optional, and delivery', () => {
+      const result = normalizeSecrets({
+        vault: 'production',
+        required: ['API_KEY'],
+        optional: ['OBS_KEY'],
+        delivery: 'broker',
+      });
+      expect(result).toEqual({
+        sources: [{
+          vault: 'production',
+          required: ['API_KEY'],
+          optional: ['OBS_KEY'],
+        }],
+        delivery: 'broker',
+      });
+    });
+
+    it('defaults delivery to env', () => {
+      const result = normalizeSecrets({ vault: 'test' });
+      expect(result!.delivery).toBe('env');
+    });
+  });
+
+  describe('multi-vault format', () => {
+    it('normalizes single-element vaults array', () => {
+      const result = normalizeSecrets({
+        vaults: [{ vault: 'app', required: ['KEY'] }],
+      });
+      expect(result).toEqual({
+        sources: [{ vault: 'app', required: ['KEY'], optional: [] }],
+        delivery: 'env',
+      });
+    });
+
+    it('normalizes multiple vaults', () => {
+      const result = normalizeSecrets({
+        vaults: [
+          { vault: 'app', required: ['API_KEY'], optional: ['DEBUG'] },
+          { vault: 'infra', required: ['TUNNEL_TOKEN'] },
+        ],
+      });
+      expect(result).toEqual({
+        sources: [
+          { vault: 'app', required: ['API_KEY'], optional: ['DEBUG'] },
+          { vault: 'infra', required: ['TUNNEL_TOKEN'], optional: [] },
+        ],
+        delivery: 'env',
+      });
+    });
+
+    it('respects broker delivery mode', () => {
+      const result = normalizeSecrets({
+        vaults: [
+          { vault: 'v1', required: ['A'] },
+          { vault: 'v2', required: ['B'] },
+        ],
+        delivery: 'broker',
+      });
+      expect(result!.delivery).toBe('broker');
+    });
+
+    it('defaults optional to empty array', () => {
+      const result = normalizeSecrets({
+        vaults: [{ vault: 'x', required: ['K'] }],
+      });
+      expect(result!.sources[0].optional).toEqual([]);
+    });
+
+    it('defaults required to empty array', () => {
+      const result = normalizeSecrets({
+        vaults: [{ vault: 'x', optional: ['K'] }],
+      });
+      expect(result!.sources[0].required).toEqual([]);
+    });
+  });
+});
+
+// ─────────────────────────────────────────────────────────
+// hasAnySecrets
+// ─────────────────────────────────────────────────────────
+
+describe('hasAnySecrets', () => {
+  it('returns false for null', () => {
+    expect(hasAnySecrets(null)).toBe(false);
+  });
+
+  it('returns false when all sources have empty keys', () => {
+    const normalized: NormalizedSecrets = {
+      sources: [
+        { vault: 'a', required: [], optional: [] },
+        { vault: 'b', required: [], optional: [] },
+      ],
+      delivery: 'env',
+    };
+    expect(hasAnySecrets(normalized)).toBe(false);
+  });
+
+  it('returns true when any source has required keys', () => {
+    const normalized: NormalizedSecrets = {
+      sources: [
+        { vault: 'a', required: [], optional: [] },
+        { vault: 'b', required: ['KEY'], optional: [] },
+      ],
+      delivery: 'env',
+    };
+    expect(hasAnySecrets(normalized)).toBe(true);
+  });
+
+  it('returns true when any source has optional keys', () => {
+    const normalized: NormalizedSecrets = {
+      sources: [
+        { vault: 'a', required: [], optional: ['OPT'] },
+      ],
+      delivery: 'env',
+    };
+    expect(hasAnySecrets(normalized)).toBe(true);
+  });
+});
+
+// ─────────────────────────────────────────────────────────
+// allRequiredKeys / allOptionalKeys / allSecretKeys
+// ─────────────────────────────────────────────────────────
+
+describe('key aggregation helpers', () => {
+  const normalized: NormalizedSecrets = {
+    sources: [
+      { vault: 'app', required: ['A', 'B'], optional: ['X'] },
+      { vault: 'infra', required: ['C'], optional: ['Y', 'Z'] },
+    ],
+    delivery: 'env',
+  };
+
+  it('allRequiredKeys collects from all sources', () => {
+    expect(allRequiredKeys(normalized)).toEqual(['A', 'B', 'C']);
+  });
+
+  it('allOptionalKeys collects from all sources', () => {
+    expect(allOptionalKeys(normalized)).toEqual(['X', 'Y', 'Z']);
+  });
+
+  it('allSecretKeys returns required + optional', () => {
+    expect(allSecretKeys(normalized)).toEqual(['A', 'B', 'C', 'X', 'Y', 'Z']);
+  });
+
+  it('works for single-source configs', () => {
+    const single: NormalizedSecrets = {
+      sources: [{ vault: 'v', required: ['R'], optional: ['O'] }],
+      delivery: 'env',
+    };
+    expect(allSecretKeys(single)).toEqual(['R', 'O']);
+  });
+});
+
+// ─────────────────────────────────────────────────────────
+// buildVaultSourcesEnv
+// ─────────────────────────────────────────────────────────
+
+describe('buildVaultSourcesEnv', () => {
+  it('returns null for single-vault (no KADI_VAULT_SOURCES needed)', () => {
+    const sources: NormalizedVaultSource[] = [
+      { vault: 'app', required: ['KEY'], optional: [] },
+    ];
+    expect(buildVaultSourcesEnv(sources)).toBeNull();
+  });
+
+  it('returns null for empty sources', () => {
+    expect(buildVaultSourcesEnv([])).toBeNull();
+  });
+
+  it('returns JSON string for multi-vault', () => {
+    const sources: NormalizedVaultSource[] = [
+      { vault: 'app', required: ['API_KEY'], optional: [] },
+      { vault: 'infra', required: ['TOKEN'], optional: ['OBS'] },
+    ];
+    const result = buildVaultSourcesEnv(sources);
+    expect(result).not.toBeNull();
+
+    const parsed = JSON.parse(result!);
+    expect(parsed).toEqual([
+      { vault: 'app', keys: ['API_KEY'] },
+      { vault: 'infra', keys: ['TOKEN', 'OBS'] },
+    ]);
+  });
+
+  it('combines required and optional into keys array', () => {
+    const sources: NormalizedVaultSource[] = [
+      { vault: 'a', required: ['R1', 'R2'], optional: ['O1'] },
+      { vault: 'b', required: [], optional: ['O2', 'O3'] },
+    ];
+    const parsed = JSON.parse(buildVaultSourcesEnv(sources)!);
+    expect(parsed[0].keys).toEqual(['R1', 'R2', 'O1']);
+    expect(parsed[1].keys).toEqual(['O2', 'O3']);
+  });
+
+  it('returns valid JSON that can be round-tripped', () => {
+    const sources: NormalizedVaultSource[] = [
+      { vault: 'v1', required: ['A'], optional: [] },
+      { vault: 'v2', required: ['B'], optional: ['C'] },
+    ];
+    const json = buildVaultSourcesEnv(sources)!;
+    expect(() => JSON.parse(json)).not.toThrow();
+    expect(JSON.stringify(JSON.parse(json))).toBe(json);
+  });
+});

package/tests/secrets-schema.test.ts

@@ -0,0 +1,301 @@
+/**
+ * Schema Validation Tests for Multi-Vault Secrets
+ *
+ * Verifies that the SecretsSchema in profiles.ts correctly validates
+ * both legacy single-vault and new multi-vault formats, and rejects
+ * invalid configurations.
+ */
+
+import { describe, it, expect } from 'vitest';
+import { AkashProfileSchema, LocalProfileSchema, validateProfile } from '../src/schemas/profiles.js';
+
+// ─────────────────────────────────────────────────────────
+// Helpers
+// ─────────────────────────────────────────────────────────
+
+/** Minimal valid Akash profile (no secrets) */
+function akashBase(secrets?: unknown) {
+  return {
+    target: 'akash' as const,
+    network: 'testnet' as const,
+    services: {
+      app: {
+        image: 'nginx:alpine',
+        expose: [{ port: 80, as: 80, to: [{ global: true }] }],
+        resources: { cpu: 0.5, memory: '512Mi' },
+      },
+    },
+    ...(secrets !== undefined ? { secrets } : {}),
+  };
+}
+
+/** Minimal valid Local profile (no secrets) */
+function localBase(secrets?: unknown) {
+  return {
+    target: 'local' as const,
+    engine: 'docker' as const,
+    services: {
+      app: {
+        image: 'nginx:alpine',
+        expose: [{ port: 80, as: 80 }],
+      },
+    },
+    ...(secrets !== undefined ? { secrets } : {}),
+  };
+}
+
+// ─────────────────────────────────────────────────────────
+// Legacy single-vault format
+// ─────────────────────────────────────────────────────────
+
+describe('SecretsSchema — legacy single-vault', () => {
+  it('accepts vault with required keys', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vault: 'my-app', required: ['API_KEY'] })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts vault with optional keys', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vault: 'my-app', optional: ['DEBUG_KEY'] })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts vault with both required and optional', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({
+        vault: 'my-app',
+        required: ['API_KEY'],
+        optional: ['DEBUG_KEY'],
+        delivery: 'broker',
+      })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts vault-only (no keys)', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vault: 'dev' })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts env delivery mode', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vault: 'dev', delivery: 'env' })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts broker delivery mode', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vault: 'dev', delivery: 'broker' })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('rejects empty vault name', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vault: '' })
+    );
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects vault name with spaces', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vault: 'my app' })
+    );
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects invalid delivery mode', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vault: 'dev', delivery: 'pigeon' })
+    );
+    expect(result.success).toBe(false);
+  });
+});
+
+// ─────────────────────────────────────────────────────────
+// New multi-vault format
+// ─────────────────────────────────────────────────────────
+
+describe('SecretsSchema — multi-vault', () => {
+  it('accepts single-element vaults array', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({
+        vaults: [{ vault: 'app', required: ['KEY'] }],
+      })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts multiple vaults', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({
+        vaults: [
+          { vault: 'app', required: ['API_KEY'] },
+          { vault: 'infra', required: ['TUNNEL_TOKEN'], optional: ['OBS_KEY'] },
+        ],
+      })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts multi-vault with broker delivery', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({
+        vaults: [
+          { vault: 'v1', required: ['A'] },
+          { vault: 'v2', required: ['B'] },
+        ],
+        delivery: 'broker',
+      })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts vault with only optional keys', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({
+        vaults: [{ vault: 'debug', optional: ['LOG_LEVEL'] }],
+      })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('rejects empty vaults array', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vaults: [] })
+    );
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects vault entry with empty vault name', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({
+        vaults: [{ vault: '', required: ['KEY'] }],
+      })
+    );
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects vault entry with invalid vault name', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({
+        vaults: [{ vault: 'has space', required: ['KEY'] }],
+      })
+    );
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects invalid delivery mode in multi-vault', () => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({
+        vaults: [{ vault: 'app', required: ['KEY'] }],
+        delivery: 'carrier-pigeon',
+      })
+    );
+    expect(result.success).toBe(false);
+  });
+});
+
+// ─────────────────────────────────────────────────────────
+// Profile works with both local and akash
+// ─────────────────────────────────────────────────────────
+
+describe('SecretsSchema — local profiles', () => {
+  it('accepts legacy format on local profile', () => {
+    const result = LocalProfileSchema.safeParse(
+      localBase({ vault: 'dev', required: ['KEY'] })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts multi-vault format on local profile', () => {
+    const result = LocalProfileSchema.safeParse(
+      localBase({
+        vaults: [
+          { vault: 'app', required: ['API_KEY'] },
+          { vault: 'infra', optional: ['TOKEN'] },
+        ],
+        delivery: 'env',
+      })
+    );
+    expect(result.success).toBe(true);
+  });
+});
+
+// ─────────────────────────────────────────────────────────
+// validateProfile integration
+// ─────────────────────────────────────────────────────────
+
+describe('validateProfile — secrets integration', () => {
+  it('validates akash profile with multi-vault secrets', () => {
+    const profile = validateProfile(
+      akashBase({
+        vaults: [
+          { vault: 'my-agent', required: ['API_KEY', 'API_URL'] },
+          { vault: 'infra', required: ['TUNNEL_TOKEN'] },
+        ],
+        delivery: 'broker',
+      }),
+      'production'
+    );
+    expect(profile.target).toBe('akash');
+    expect(profile.secrets).toBeDefined();
+    expect((profile.secrets as any).vaults).toHaveLength(2);
+  });
+
+  it('validates akash profile with legacy secrets', () => {
+    const profile = validateProfile(
+      akashBase({
+        vault: 'my-agent',
+        required: ['API_KEY'],
+        delivery: 'env',
+      }),
+      'production'
+    );
+    expect(profile.secrets).toBeDefined();
+    expect((profile.secrets as any).vault).toBe('my-agent');
+  });
+
+  it('throws on invalid secrets configuration', () => {
+    expect(() =>
+      validateProfile(
+        akashBase({ vaults: [] }),
+        'bad-profile'
+      )
+    ).toThrow(/validation failed/i);
+  });
+
+  it('validates profile without secrets', () => {
+    const profile = validateProfile(akashBase(), 'no-secrets');
+    expect(profile.secrets).toBeUndefined();
+  });
+});
+
+// ─────────────────────────────────────────────────────────
+// Vault name validation
+// ─────────────────────────────────────────────────────────
+
+describe('VaultNameSchema validation', () => {
+  const validNames = ['my-app', 'prod_vault', 'v1', 'ABC123', 'under_score-dash'];
+  const invalidNames = ['', 'has space', 'has.dot', 'has/slash', 'has@symbol'];
+
+  it.each(validNames)('accepts valid vault name: %s', (name) => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vault: name })
+    );
+    expect(result.success).toBe(true);
+  });
+
+  it.each(invalidNames)('rejects invalid vault name: %s', (name) => {
+    const result = AkashProfileSchema.safeParse(
+      akashBase({ vault: name })
+    );
+    expect(result.success).toBe(false);
+  });
+});