latchkey 2.7.3 → 2.9.0

package/dist/tests/cli.test.js

@@ -16,17 +16,18 @@ import { NoCurlCredentialsNotSupportedError, Service } from '../src/services/cor
 import { RegisteredService } from '../src/services/core/registered.js';
 import { GITLAB } from '../src/services/gitlab.js';
 import { GITHUB } from '../src/services/github.js';
+import { derivePermissionsOverrideSigningKey, verifyPermissionsOverrideJwt, } from '../src/gateway/permissionsOverride.js';
 import { TELEGRAM } from '../src/services/telegram.js';
 import { deleteRegisteredService, loadRegisteredServices, saveRegisteredService, } from '../src/configDataStore.js';
 import { loadRegisteredServicesIntoServiceRegistry } from '../src/serviceRegistry.js';
 // Use a fixed test key for deterministic test behavior (32 bytes = 256 bits, base64 encoded)
 const TEST_ENCRYPTION_KEY = 'dGVzdGtleXRlc3RrZXl0ZXN0a2V5dGVzdGtleXRlc3Q=';
-async function writeSecureFile(path, content) {
-    const storage = await EncryptedStorage.create({ encryptionKeyOverride: TEST_ENCRYPTION_KEY });
+function writeSecureFile(path, content) {
+    const storage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
     storage.writeFile(path, content);
 }
-async function readSecureFile(path) {
-    const storage = await EncryptedStorage.create({ encryptionKeyOverride: TEST_ENCRYPTION_KEY });
+function readSecureFile(path) {
+    const storage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
     return storage.readFile(path);
 }
 function getCliPath() {
@@ -290,6 +291,9 @@ describe('CLI commands with dependency injection', () => {
             get permissionsConfigPath() {
                 return overrides.permissionsConfigOverride ?? join(directory, 'permissions.json');
             },
+            get extensionsDirectoryPath() {
+                return join(directory, 'extensions');
+            },
             curlCommand: overrides.curlCommand ?? defaultConfig.curlCommand,
             encryptionKeyOverride: overrides.encryptionKeyOverride ?? TEST_ENCRYPTION_KEY,
             serviceName: overrides.serviceName ?? defaultConfig.serviceName,
@@ -301,6 +305,9 @@ describe('CLI commands with dependency injection', () => {
             gatewayUrl: overrides.gatewayUrl ?? null,
             gatewayListenHost: overrides.gatewayListenHost ?? 'localhost',
             gatewayListenPort: overrides.gatewayListenPort ?? 1989,
+            gatewayPassword: overrides.gatewayPassword ?? null,
+            gatewayListenPassword: overrides.gatewayListenPassword ?? null,
+            gatewayPermissionsOverride: overrides.gatewayPermissionsOverride ?? null,
             checkSensitiveFilePermissions: () => undefined,
             checkSystemPrerequisites: () => undefined,
         };
@@ -403,7 +410,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should include services with stored credentials when using --viable', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             }));
             const deps = createMockDependencies();
@@ -414,7 +421,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should include services with browser auth when using --viable', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             // The default mock slack service has getSession defined, so it supports browser auth
             // Ensure a graphical environment is available so browser auth is considered viable
             const originalDisplay = process.env.DISPLAY;
@@ -437,7 +444,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should exclude services without credentials or browser auth when using --viable', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const noLoginService = {
                 name: 'nologin',
                 displayName: 'No Login Service',
@@ -463,7 +470,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should exclude browser-capable services when browser is disabled and no credentials with --viable', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const deps = createMockDependencies({
                 config: createMockConfig({ browserDisabled: true }),
             });
@@ -474,7 +481,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should exclude browser-capable services when no graphical environment and no credentials with --viable', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const originalPlatform = process.platform;
             const originalDisplay = process.env.DISPLAY;
             const originalWayland = process.env.WAYLAND_DISPLAY;
@@ -506,7 +513,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should include services with credentials even when no graphical environment with --viable', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             }));
             const originalPlatform = process.platform;
@@ -540,7 +547,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should include services with credentials even when browser is disabled with --viable', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             }));
             const deps = createMockDependencies({
@@ -553,7 +560,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should combine --builtin and --viable filters', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 'my-gitlab': {
                     objectType: 'rawCurl',
                     curlArguments: ['-H', 'PRIVATE-TOKEN: token'],
@@ -587,7 +594,7 @@ describe('CLI commands with dependency injection', () => {
     describe('services info command', () => {
         it('should show login options, credentials status, and developer notes', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const deps = createMockDependencies();
             await runCommand(['services', 'info', 'slack'], deps);
             expect(logs).toHaveLength(1);
@@ -601,7 +608,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should show auth set only for services without browser login', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const noLoginService = {
                 name: 'nologin',
                 displayName: 'No Login Service',
@@ -626,7 +633,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should not list browser in authOptions when LATCHKEY_DISABLE_BROWSER is in effect', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const deps = createMockDependencies({
                 config: createMockConfig({ browserDisabled: true }),
             });
@@ -636,7 +643,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should show valid credentials status when credentials are valid', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             }));
             const deps = createMockDependencies();
@@ -652,7 +659,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should show type as registered for registered services', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const registeredService = new RegisteredService('my-gitlab', 'https://gitlab.example.com');
             const deps = createMockDependencies();
             deps.registry.addService(registeredService);
@@ -664,12 +671,12 @@ describe('CLI commands with dependency injection', () => {
     describe('clear command', () => {
         it('should delete credentials for a service', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             }));
             const deps = createMockDependencies();
             await runCommand(['auth', 'clear', 'slack'], deps);
-            const storedData = JSON.parse((await readSecureFile(storePath)) ?? '{}');
+            const storedData = JSON.parse(readSecureFile(storePath) ?? '{}');
             expect(storedData.slack).toBeUndefined();
         });
         it('should return error for unknown service', async () => {
@@ -680,13 +687,13 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should preserve other services when clearing one', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'slack-token', dCookie: 'slack-cookie' },
                 discord: { objectType: 'authorizationBare', token: 'discord-token' },
             }));
             const deps = createMockDependencies();
             await runCommand(['auth', 'clear', 'slack'], deps);
-            const storedData = JSON.parse((await readSecureFile(storePath)) ?? '{}');
+            const storedData = JSON.parse(readSecureFile(storePath) ?? '{}');
             expect(storedData.slack).toBeUndefined();
             expect(storedData.discord).toBeDefined();
             expect(storedData.discord?.token).toBe('discord-token');
@@ -694,8 +701,8 @@ describe('CLI commands with dependency injection', () => {
         it('should delete both store and browser state with -y flag', async () => {
             const storePath = join(tempDir, 'credentials.json');
             const browserStatePath = join(tempDir, 'browser_state.json');
-            await writeSecureFile(storePath, JSON.stringify({ slack: { objectType: 'slack', token: 'test', dCookie: 'test' } }));
-            await writeSecureFile(browserStatePath, '{}');
+            writeSecureFile(storePath, JSON.stringify({ slack: { objectType: 'slack', token: 'test', dCookie: 'test' } }));
+            writeSecureFile(browserStatePath, '{}');
             const deps = createMockDependencies();
             await runCommand(['auth', 'clear', '-y'], deps);
             expect(existsSync(storePath)).toBe(false);
@@ -705,7 +712,7 @@ describe('CLI commands with dependency injection', () => {
     describe('auth list command', () => {
         it('should list stored credentials with their status', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             }));
             const deps = createMockDependencies();
@@ -719,7 +726,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should output empty object when no credentials are stored', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const deps = createMockDependencies();
             await runCommand(['auth', 'list'], deps);
             expect(logs).toHaveLength(1);
@@ -728,7 +735,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should treat unknown services as valid', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 unknown: { objectType: 'rawCurl', curlArguments: ['-H', 'X-Token: secret'] },
             }));
             const deps = createMockDependencies();
@@ -744,11 +751,11 @@ describe('CLI commands with dependency injection', () => {
     describe('auth set command', () => {
         it('should store raw curl credentials', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const deps = createMockDependencies();
             await runCommand(['auth', 'set', 'slack', '-H', 'X-Token: secret', '-H', 'X-Other: value'], deps);
             expect(logs).toContain('Credentials stored.');
-            const storedData = JSON.parse((await readSecureFile(storePath)) ?? '{}');
+            const storedData = JSON.parse(readSecureFile(storePath) ?? '{}');
             expect(storedData.slack).toEqual({
                 objectType: 'rawCurl',
                 curlArguments: ['-H', 'X-Token: secret', '-H', 'X-Other: value'],
@@ -771,13 +778,13 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should overwrite existing credentials', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'old-token', dCookie: 'old-cookie' },
             }));
             const deps = createMockDependencies();
             await runCommand(['auth', 'set', 'slack', '-H', 'X-Token: new-secret'], deps);
             expect(logs).toContain('Credentials stored.');
-            const storedData = JSON.parse((await readSecureFile(storePath)) ?? '{}');
+            const storedData = JSON.parse(readSecureFile(storePath) ?? '{}');
             expect(storedData.slack).toEqual({
                 objectType: 'rawCurl',
                 curlArguments: ['-H', 'X-Token: new-secret'],
@@ -787,13 +794,13 @@ describe('CLI commands with dependency injection', () => {
     describe('auth set-nocurl command', () => {
         it('should store telegram bot credentials', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const deps = createMockDependencies({
                 registry: new ServiceRegistry([TELEGRAM]),
             });
             await runCommand(['auth', 'set-nocurl', 'telegram', '123456:ABC-DEF'], deps);
             expect(logs).toContain('Credentials stored.');
-            const storedData = JSON.parse((await readSecureFile(storePath)) ?? '{}');
+            const storedData = JSON.parse(readSecureFile(storePath) ?? '{}');
             expect(storedData.telegram).toEqual({
                 objectType: 'telegramBot',
                 token: '123456:ABC-DEF',
@@ -827,7 +834,7 @@ describe('CLI commands with dependency injection', () => {
     describe('curl command', () => {
         it('should pass arguments to subprocess', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
             const deps = createMockDependencies();
@@ -843,7 +850,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should pass raw curl credentials to subprocess', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'rawCurl', curlArguments: ['-H', 'X-Custom: header'] },
             }));
             const deps = createMockDependencies();
@@ -853,7 +860,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should pass multiple arguments correctly', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
             const deps = createMockDependencies();
@@ -875,7 +882,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should return subprocess exit code', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
             const deps = createMockDependencies({
@@ -905,7 +912,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should pass through missing credentials when passthroughUnknown is enabled', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const deps = createMockDependencies({
                 config: createMockConfig({ passthroughUnknown: true }),
             });
@@ -916,7 +923,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should still inject credentials for known services when passthroughUnknown is enabled', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
             const deps = createMockDependencies({
@@ -928,7 +935,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should read credentials from store and not call login', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
             const mockLogin = vi.fn();
@@ -957,14 +964,14 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should return error when no credentials in store', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const deps = createMockDependencies();
             await runCommand(['curl', 'https://slack.com/api/test'], deps);
             expect(exitCode).toBe(1);
         });
         it('should inject telegram bot token into URL path', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 telegram: { objectType: 'telegramBot', token: '123456:ABC-DEF' },
             }));
             const deps = createMockDependencies({
@@ -976,7 +983,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should work when service does not have getSession but credentials exist', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 nologin: { objectType: 'rawCurl', curlArguments: ['-H', 'X-API-Key: secret'] },
             }));
             const noLoginService = {
@@ -1005,7 +1012,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should reject request when permission check denies it', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
             const deps = createMockDependencies({
@@ -1018,7 +1025,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should allow request when permission check approves it', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
             const deps = createMockDependencies({
@@ -1030,7 +1037,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should exit with error when permission check fails', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
             const { PermissionCheckError } = await import('../src/permissions.js');
@@ -1070,7 +1077,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should return error when no graphical environment is available', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const originalPlatform = process.platform;
             const originalDisplay = process.env.DISPLAY;
             const originalWayland = process.env.WAYLAND_DISPLAY;
@@ -1235,7 +1242,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should not expose browser auth without --login-url', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const deps = createMockDependencies({
                 registry: new ServiceRegistry([GITLAB]),
             });
@@ -1338,7 +1345,7 @@ describe('CLI commands with dependency injection', () => {
             ], deps);
             // Now store credentials for it
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             logs = [];
             exitCode = null;
             await runCommand(['auth', 'set', 'my-gitlab', '-H', 'PRIVATE-TOKEN: my-secret-token'], deps);
@@ -1370,7 +1377,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should not expose browser auth for service without family', async () => {
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, '{}');
+            writeSecureFile(storePath, '{}');
             const deps = createMockDependencies({
                 registry: new ServiceRegistry([GITLAB]),
             });
@@ -1389,7 +1396,7 @@ describe('CLI commands with dependency injection', () => {
             await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
             // Store credentials
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 'my-api': {
                     objectType: 'rawCurl',
                     curlArguments: ['-H', 'Authorization: Bearer my-token'],
@@ -1443,7 +1450,7 @@ describe('CLI commands with dependency injection', () => {
             ], deps);
             // Store credentials
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 'my-gitlab': {
                     objectType: 'rawCurl',
                     curlArguments: ['-H', 'PRIVATE-TOKEN: my-secret-token'],
@@ -1526,7 +1533,7 @@ describe('CLI commands with dependency injection', () => {
             ], deps);
             // Store credentials for it
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 'my-gitlab': {
                     objectType: 'rawCurl',
                     curlArguments: ['-H', 'PRIVATE-TOKEN: my-secret-token'],
@@ -1559,7 +1566,7 @@ describe('CLI commands with dependency injection', () => {
             ], deps);
             // Store and then clear credentials
             const storePath = join(tempDir, 'credentials.json');
-            await writeSecureFile(storePath, JSON.stringify({
+            writeSecureFile(storePath, JSON.stringify({
                 'my-gitlab': {
                     objectType: 'rawCurl',
                     curlArguments: ['-H', 'PRIVATE-TOKEN: my-secret-token'],
@@ -1578,6 +1585,44 @@ describe('CLI commands with dependency injection', () => {
             expect(logs).toContain("Service 'my-gitlab' deregistered.");
         });
     });
+    describe('gateway create-jwt command', () => {
+        it('prints a JWT for an existing absolute path', async () => {
+            const permissionsPath = join(tempDir, 'permissions.json');
+            writeFileSync(permissionsPath, '{}');
+            const deps = createMockDependencies();
+            await runCommand(['gateway', 'create-jwt', permissionsPath], deps);
+            expect(exitCode).toBeNull();
+            expect(logs).toHaveLength(1);
+            const jwt = logs[0];
+            expect(jwt.split('.')).toHaveLength(3);
+            const signingKey = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+            const payload = verifyPermissionsOverrideJwt(jwt, signingKey);
+            expect(payload.permissionsConfig).toBe(permissionsPath);
+        });
+        it('refuses to issue a JWT when the path does not exist', async () => {
+            const missingPath = join(tempDir, 'missing.json');
+            const deps = createMockDependencies();
+            await runCommand(['gateway', 'create-jwt', missingPath], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs.some((message) => message.includes('does not exist'))).toBe(true);
+        });
+        it('issues a JWT without checking existence when --no-validate is given', async () => {
+            const missingPath = join(tempDir, 'missing.json');
+            const deps = createMockDependencies();
+            await runCommand(['gateway', 'create-jwt', missingPath, '--no-validate'], deps);
+            expect(exitCode).toBeNull();
+            expect(logs).toHaveLength(1);
+            const signingKey = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+            const payload = verifyPermissionsOverrideJwt(logs[0], signingKey);
+            expect(payload.permissionsConfig).toBe(missingPath);
+        });
+        it('rejects a non-absolute path', async () => {
+            const deps = createMockDependencies();
+            await runCommand(['gateway', 'create-jwt', 'relative.json', '--no-validate'], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs.some((message) => message.includes('absolute'))).toBe(true);
+        });
+    });
     describe('gateway mode (LATCHKEY_GATEWAY)', () => {
         const GATEWAY_URL = 'http://localhost:9000';
         const originalFetch = globalThis.fetch;