vellum 0.2.1 → 0.2.2

package/src/tools/network/__tests__/web-search.test.ts

@@ -0,0 +1,427 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+import { describe, test, expect, beforeEach, afterEach, mock } from 'bun:test';
+
+// Mutable mock state — set per test
+let mockWebSearchProvider: string | undefined = 'perplexity';
+let mockBraveConfigKey: string | undefined;
+let mockPerplexityConfigKey: string | undefined;
+let mockBraveSecureKey: string | undefined;
+let mockPerplexitySecureKey: string | undefined;
+
+// Capture the registered tool
+let capturedTool: any = null;
+
+mock.module('../../registry.js', () => ({
+  registerTool: (tool: any) => { capturedTool = tool; },
+}));
+
+mock.module('../../../config/loader.js', () => ({
+  getConfig: () => ({
+    webSearchProvider: mockWebSearchProvider,
+    apiKeys: { brave: mockBraveConfigKey, perplexity: mockPerplexityConfigKey },
+  }),
+}));
+
+mock.module('../../../security/secure-keys.js', () => ({
+  getSecureKey: (provider: string) => {
+    if (provider === 'brave') return mockBraveSecureKey;
+    if (provider === 'perplexity') return mockPerplexitySecureKey;
+    return undefined;
+  },
+}));
+
+mock.module('../../../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+}));
+
+mock.module('../../../permissions/types.js', () => ({
+  RiskLevel: { Low: 'low', Medium: 'medium', High: 'high' },
+}));
+
+// Force the module to load (triggers registerTool)
+await import('../web-search.js');
+
+describe('web_search tool', () => {
+  let originalFetch: typeof globalThis.fetch;
+  let savedBraveKey: string | undefined;
+  let savedPerplexityKey: string | undefined;
+
+  beforeEach(() => {
+    originalFetch = globalThis.fetch;
+    mockWebSearchProvider = 'perplexity';
+    mockBraveConfigKey = undefined;
+    mockPerplexityConfigKey = undefined;
+    mockBraveSecureKey = undefined;
+    mockPerplexitySecureKey = undefined;
+
+    // Isolate from host env so getApiKey() doesn't short-circuit on real keys
+    savedBraveKey = process.env.BRAVE_API_KEY;
+    savedPerplexityKey = process.env.PERPLEXITY_API_KEY;
+    delete process.env.BRAVE_API_KEY;
+    delete process.env.PERPLEXITY_API_KEY;
+  });
+
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+
+    if (savedBraveKey !== undefined) process.env.BRAVE_API_KEY = savedBraveKey;
+    else delete process.env.BRAVE_API_KEY;
+
+    if (savedPerplexityKey !== undefined) process.env.PERPLEXITY_API_KEY = savedPerplexityKey;
+    else delete process.env.PERPLEXITY_API_KEY;
+  });
+
+  function execute(input: Record<string, unknown>) {
+    return capturedTool.execute(input, {} as any);
+  }
+
+  // ---- Input validation ---------------------------------------------------
+
+  test('rejects missing query', async () => {
+    const result = await execute({});
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('query is required');
+  });
+
+  test('rejects non-string query', async () => {
+    const result = await execute({ query: 42 });
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('query is required');
+  });
+
+  // ---- No API key configured ----------------------------------------------
+
+  test('returns error when no API key is available', async () => {
+    const result = await execute({ query: 'test' });
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('No web search API key configured');
+  });
+
+  // ---- Perplexity provider ------------------------------------------------
+
+  test('executes Perplexity search successfully', async () => {
+    mockPerplexityConfigKey = 'pplx-test-key';
+    globalThis.fetch = (async (_url: string, _init?: RequestInit) => {
+      return new Response(JSON.stringify({
+        choices: [{ message: { content: 'Perplexity answer about TypeScript' } }],
+        citations: ['https://typescriptlang.org', 'https://example.com/ts'],
+      }), { status: 200, headers: { 'content-type': 'application/json' } });
+    }) as any;
+
+    const result = await execute({ query: 'what is TypeScript' });
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain('Perplexity answer about TypeScript');
+    expect(result.content).toContain('Sources:');
+    expect(result.content).toContain('typescriptlang.org');
+  });
+
+  test('Perplexity sends correct request format', async () => {
+    mockPerplexityConfigKey = 'pplx-test-key';
+    let capturedUrl = '';
+    let capturedBody: any = null;
+    let capturedHeaders: any = null;
+    globalThis.fetch = (async (url: string, init?: RequestInit) => {
+      capturedUrl = url;
+      capturedBody = JSON.parse(init?.body as string);
+      capturedHeaders = new Headers(init?.headers);
+      return new Response(JSON.stringify({
+        choices: [{ message: { content: 'answer' } }],
+      }), { status: 200, headers: { 'content-type': 'application/json' } });
+    }) as any;
+
+    await execute({ query: 'test query' });
+    expect(capturedUrl).toContain('perplexity.ai');
+    expect(capturedBody.model).toBe('sonar');
+    expect(capturedBody.messages[0].content).toBe('test query');
+    expect(capturedHeaders.get('authorization')).toBe('Bearer pplx-test-key');
+  });
+
+  test('Perplexity returns no results message when response is empty', async () => {
+    mockPerplexityConfigKey = 'pplx-test-key';
+    globalThis.fetch = (async () => {
+      return new Response(JSON.stringify({ choices: [] }), {
+        status: 200, headers: { 'content-type': 'application/json' },
+      });
+    }) as any;
+
+    const result = await execute({ query: 'obscure query' });
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain('No results found');
+  });
+
+  test('Perplexity handles 401/403 auth errors', async () => {
+    mockPerplexityConfigKey = 'bad-key';
+    globalThis.fetch = (async () => {
+      return new Response('Unauthorized', { status: 401 });
+    }) as any;
+
+    const result = await execute({ query: 'test' });
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('Invalid or expired Perplexity API key');
+  });
+
+  test('Perplexity handles 429 rate limit after max retries', async () => {
+    mockPerplexityConfigKey = 'pplx-key';
+    let callCount = 0;
+    globalThis.fetch = (async () => {
+      callCount++;
+      return new Response('Too Many Requests', {
+        status: 429,
+        headers: { 'retry-after': '0' },
+      });
+    }) as any;
+
+    const result = await execute({ query: 'test' });
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('rate limit exceeded');
+    // 1 initial + 3 retries = 4 calls
+    expect(callCount).toBe(4);
+  });
+
+  test('Perplexity handles generic server error', async () => {
+    mockPerplexityConfigKey = 'pplx-key';
+    globalThis.fetch = (async () => {
+      return new Response('Internal Server Error', { status: 500 });
+    }) as any;
+
+    const result = await execute({ query: 'test' });
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('status 500');
+  });
+
+  // ---- Brave provider -----------------------------------------------------
+
+  test('executes Brave search successfully', async () => {
+    mockWebSearchProvider = 'brave';
+    mockBraveConfigKey = 'brave-test-key';
+    globalThis.fetch = (async (_url: string) => {
+      return new Response(JSON.stringify({
+        web: {
+          results: [
+            { title: 'Result 1', url: 'https://example.com/1', description: 'First result', age: '2 days ago' },
+            { title: 'Result 2', url: 'https://example.com/2', description: 'Second result', extra_snippets: ['Extra info'] },
+          ],
+        },
+      }), { status: 200, headers: { 'content-type': 'application/json' } });
+    }) as any;
+
+    const result = await execute({ query: 'test search' });
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain('Result 1');
+    expect(result.content).toContain('https://example.com/1');
+    expect(result.content).toContain('2 days ago');
+    expect(result.content).toContain('Result 2');
+    expect(result.content).toContain('Extra info');
+  });
+
+  test('Brave sends correct query parameters', async () => {
+    mockWebSearchProvider = 'brave';
+    mockBraveConfigKey = 'brave-key';
+    let capturedUrl = '';
+    globalThis.fetch = (async (url: string) => {
+      capturedUrl = url;
+      return new Response(JSON.stringify({ web: { results: [] } }), {
+        status: 200, headers: { 'content-type': 'application/json' },
+      });
+    }) as any;
+
+    await execute({ query: 'test query', count: 5, offset: 2, freshness: 'pw' });
+    const parsed = new URL(capturedUrl);
+    expect(parsed.searchParams.get('q')).toBe('test query');
+    expect(parsed.searchParams.get('count')).toBe('5');
+    expect(parsed.searchParams.get('offset')).toBe('2');
+    expect(parsed.searchParams.get('freshness')).toBe('pw');
+  });
+
+  test('Brave clamps count and offset', async () => {
+    mockWebSearchProvider = 'brave';
+    mockBraveConfigKey = 'brave-key';
+    let capturedUrl = '';
+    globalThis.fetch = (async (url: string) => {
+      capturedUrl = url;
+      return new Response(JSON.stringify({ web: { results: [] } }), {
+        status: 200, headers: { 'content-type': 'application/json' },
+      });
+    }) as any;
+
+    await execute({ query: 'test', count: 100, offset: 50 });
+    const parsed = new URL(capturedUrl);
+    expect(parsed.searchParams.get('count')).toBe('20');
+    expect(parsed.searchParams.get('offset')).toBe('9');
+  });
+
+  test('Brave skips invalid freshness values', async () => {
+    mockWebSearchProvider = 'brave';
+    mockBraveConfigKey = 'brave-key';
+    let capturedUrl = '';
+    globalThis.fetch = (async (url: string) => {
+      capturedUrl = url;
+      return new Response(JSON.stringify({ web: { results: [] } }), {
+        status: 200, headers: { 'content-type': 'application/json' },
+      });
+    }) as any;
+
+    await execute({ query: 'test', freshness: 'invalid' });
+    const parsed = new URL(capturedUrl);
+    expect(parsed.searchParams.has('freshness')).toBe(false);
+  });
+
+  test('Brave handles empty results', async () => {
+    mockWebSearchProvider = 'brave';
+    mockBraveConfigKey = 'brave-key';
+    globalThis.fetch = (async () => {
+      return new Response(JSON.stringify({ web: { results: [] } }), {
+        status: 200, headers: { 'content-type': 'application/json' },
+      });
+    }) as any;
+
+    const result = await execute({ query: 'no results for this' });
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain('No results found');
+  });
+
+  test('Brave handles 401 auth error', async () => {
+    mockWebSearchProvider = 'brave';
+    mockBraveConfigKey = 'bad-key';
+    globalThis.fetch = (async () => {
+      return new Response('Forbidden', { status: 403 });
+    }) as any;
+
+    const result = await execute({ query: 'test' });
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('Invalid or expired Brave Search API key');
+  });
+
+  test('Brave handles 429 rate limit with Retry-After header', async () => {
+    mockWebSearchProvider = 'brave';
+    mockBraveConfigKey = 'brave-key';
+    let callCount = 0;
+    globalThis.fetch = (async () => {
+      callCount++;
+      if (callCount <= 3) {
+        return new Response('Rate Limited', {
+          status: 429,
+          headers: { 'retry-after': '0' },
+        });
+      }
+      return new Response(JSON.stringify({ web: { results: [{ title: 'Success', url: 'https://example.com', description: 'Got it' }] } }), {
+        status: 200, headers: { 'content-type': 'application/json' },
+      });
+    }) as any;
+
+    const result = await execute({ query: 'test' });
+    expect(result.isError).toBe(false);
+    expect(result.content).toContain('Success');
+    expect(callCount).toBe(4);
+  });
+
+  // ---- Provider fallback --------------------------------------------------
+
+  test('falls back from perplexity to brave when perplexity has no key', async () => {
+    mockWebSearchProvider = 'perplexity';
+    mockBraveConfigKey = 'brave-fallback-key';
+    let capturedUrl = '';
+    globalThis.fetch = (async (url: string) => {
+      capturedUrl = url;
+      return new Response(JSON.stringify({ web: { results: [] } }), {
+        status: 200, headers: { 'content-type': 'application/json' },
+      });
+    }) as any;
+
+    const result = await execute({ query: 'fallback test' });
+    expect(result.isError).toBe(false);
+    expect(capturedUrl).toContain('brave');
+  });
+
+  test('falls back from brave to perplexity when brave has no key', async () => {
+    mockWebSearchProvider = 'brave';
+    mockPerplexityConfigKey = 'pplx-fallback-key';
+    let capturedUrl = '';
+    globalThis.fetch = (async (url: string, _init?: RequestInit) => {
+      capturedUrl = url;
+      return new Response(JSON.stringify({
+        choices: [{ message: { content: 'fallback result' } }],
+      }), { status: 200, headers: { 'content-type': 'application/json' } });
+    }) as any;
+
+    const result = await execute({ query: 'fallback test' });
+    expect(result.isError).toBe(false);
+    expect(capturedUrl).toContain('perplexity');
+  });
+
+  test('maps anthropic-native to perplexity', async () => {
+    mockWebSearchProvider = 'anthropic-native';
+    mockPerplexityConfigKey = 'pplx-key';
+    let capturedUrl = '';
+    globalThis.fetch = (async (url: string) => {
+      capturedUrl = url;
+      return new Response(JSON.stringify({
+        choices: [{ message: { content: 'result' } }],
+      }), { status: 200, headers: { 'content-type': 'application/json' } });
+    }) as any;
+
+    const result = await execute({ query: 'test' });
+    expect(result.isError).toBe(false);
+    expect(capturedUrl).toContain('perplexity');
+  });
+
+  // ---- Env var keys -------------------------------------------------------
+
+  test('uses PERPLEXITY_API_KEY env var when available', async () => {
+    const origEnv = process.env.PERPLEXITY_API_KEY;
+    process.env.PERPLEXITY_API_KEY = 'env-pplx-key';
+    try {
+      globalThis.fetch = (async (_url: string, init?: RequestInit) => {
+        const headers = new Headers(init?.headers);
+        expect(headers.get('authorization')).toBe('Bearer env-pplx-key');
+        return new Response(JSON.stringify({
+          choices: [{ message: { content: 'env key works' } }],
+        }), { status: 200, headers: { 'content-type': 'application/json' } });
+      }) as any;
+
+      const result = await execute({ query: 'test' });
+      expect(result.isError).toBe(false);
+    } finally {
+      if (origEnv === undefined) {
+        delete process.env.PERPLEXITY_API_KEY;
+      } else {
+        process.env.PERPLEXITY_API_KEY = origEnv;
+      }
+    }
+  });
+
+  // ---- Network errors -----------------------------------------------------
+
+  test('handles fetch exceptions', async () => {
+    mockPerplexityConfigKey = 'pplx-key';
+    globalThis.fetch = (async () => {
+      throw new Error('Network error: connection refused');
+    }) as any;
+
+    const result = await execute({ query: 'test' });
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('Web search failed');
+    expect(result.content).toContain('connection refused');
+  });
+
+  // ---- Secure key precedence ----------------------------------------------
+
+  test('prefers secure key over config key for brave', async () => {
+    mockWebSearchProvider = 'brave';
+    mockBraveConfigKey = 'config-key';
+    mockBraveSecureKey = 'secure-key';
+    let capturedHeaders: Headers | null = null;
+    globalThis.fetch = (async (_url: string, init?: RequestInit) => {
+      capturedHeaders = new Headers(init?.headers);
+      return new Response(JSON.stringify({ web: { results: [] } }), {
+        status: 200, headers: { 'content-type': 'application/json' },
+      });
+    }) as any;
+
+    await execute({ query: 'test' });
+    // Brave uses X-Subscription-Token header with the secure key
+    expect(capturedHeaders!.get('x-subscription-token')).toBe('secure-key');
+  });
+});

package/src/tools/network/script-proxy/__tests__/logging.test.ts

@@ -0,0 +1,248 @@
+import { describe, test, expect } from 'bun:test';
+import {
+  sanitizeHeaders,
+  sanitizeUrl,
+  createSafeLogEntry,
+  stripQueryString,
+  buildDecisionTrace,
+  buildCredentialRefTrace,
+} from '../logging.js';
+import type { PolicyDecision } from '../types.js';
+import type { CredentialInjectionTemplate } from '../../../credentials/policy-types.js';
+
+// ---------------------------------------------------------------------------
+// sanitizeHeaders
+// ---------------------------------------------------------------------------
+
+describe('sanitizeHeaders', () => {
+  test('redacts sensitive keys', () => {
+    const headers = {
+      'Authorization': 'secret-value',
+      'Content-Type': 'application/json',
+      'X-API-Key': 'another-secret',
+    };
+    const result = sanitizeHeaders(headers, ['authorization', 'x-api-key']);
+    expect(result['Authorization']).toBe('[REDACTED]');
+    expect(result['Content-Type']).toBe('application/json');
+    expect(result['X-API-Key']).toBe('[REDACTED]');
+  });
+
+  test('case-insensitive matching', () => {
+    const headers = { 'authorization': 'bearer xyz' };
+    const result = sanitizeHeaders(headers, ['Authorization']);
+    expect(result['authorization']).toBe('[REDACTED]');
+  });
+
+  test('preserves non-sensitive headers', () => {
+    const headers = { 'Accept': 'text/html', 'Host': 'example.com' };
+    const result = sanitizeHeaders(headers, ['authorization']);
+    expect(result).toEqual(headers);
+  });
+
+  test('handles empty headers', () => {
+    const result = sanitizeHeaders({}, ['authorization']);
+    expect(result).toEqual({});
+  });
+
+  test('handles empty sensitive keys', () => {
+    const headers = { 'Authorization': 'bearer xyz' };
+    const result = sanitizeHeaders(headers, []);
+    expect(result['Authorization']).toBe('bearer xyz');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// sanitizeUrl
+// ---------------------------------------------------------------------------
+
+describe('sanitizeUrl', () => {
+  test('redacts sensitive query params from absolute URL', () => {
+    const result = sanitizeUrl('https://api.example.com/v1?api_key=secret123&format=json', ['api_key']);
+    expect(result).toContain('api_key=%5BREDACTED%5D');
+    expect(result).toContain('format=json');
+    expect(result).not.toContain('secret123');
+  });
+
+  test('redacts sensitive query params from relative path', () => {
+    const result = sanitizeUrl('/v1/search?token=abc&q=hello', ['token']);
+    expect(result).toContain('token=%5BREDACTED%5D');
+    expect(result).toContain('q=hello');
+    expect(result).not.toContain('abc');
+  });
+
+  test('returns URL unchanged when no sensitive params', () => {
+    const url = 'https://api.example.com/v1?format=json';
+    expect(sanitizeUrl(url, ['api_key'])).toBe(url);
+  });
+
+  test('returns URL unchanged when sensitiveParams is empty', () => {
+    const url = 'https://api.example.com/v1?api_key=secret';
+    expect(sanitizeUrl(url, [])).toBe(url);
+  });
+
+  test('returns URL unchanged when no query string', () => {
+    expect(sanitizeUrl('https://api.example.com/v1', ['api_key']))
+      .toBe('https://api.example.com/v1');
+  });
+
+  test('case-insensitive param matching', () => {
+    const result = sanitizeUrl('https://api.example.com/v1?API_KEY=secret', ['api_key']);
+    expect(result).not.toContain('secret');
+  });
+
+  test('strips query string entirely for unparseable URLs', () => {
+    // Malformed URL that URL constructor can't parse
+    const result = sanitizeUrl('http://[invalid:url?key=secret', ['key']);
+    expect(result).not.toContain('secret');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// createSafeLogEntry
+// ---------------------------------------------------------------------------
+
+describe('createSafeLogEntry', () => {
+  test('sanitizes both URL and headers', () => {
+    const req = {
+      method: 'GET',
+      url: '/api?token=secret',
+      headers: { 'Authorization': 'Bearer xyz', 'Accept': 'application/json' },
+    };
+    const result = createSafeLogEntry(req, ['authorization', 'token']);
+    expect(result.method).toBe('GET');
+    expect(result.url).not.toContain('secret');
+    expect(result.headers['Authorization']).toBe('[REDACTED]');
+    expect(result.headers['Accept']).toBe('application/json');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// stripQueryString
+// ---------------------------------------------------------------------------
+
+describe('stripQueryString', () => {
+  test('strips query from path', () => {
+    expect(stripQueryString('/api/v1?key=value')).toBe('/api/v1');
+  });
+
+  test('returns path unchanged when no query', () => {
+    expect(stripQueryString('/api/v1')).toBe('/api/v1');
+  });
+
+  test('handles empty path', () => {
+    expect(stripQueryString('')).toBe('');
+  });
+
+  test('handles query-only', () => {
+    expect(stripQueryString('?key=value')).toBe('');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// buildDecisionTrace
+// ---------------------------------------------------------------------------
+
+describe('buildDecisionTrace', () => {
+  test('matched decision', () => {
+    const decision: PolicyDecision = {
+      kind: 'matched',
+      credentialId: 'cred-1',
+      template: {
+        hostPattern: '*.example.com',
+        injectionType: 'header',
+        headerName: 'Authorization',
+        valuePrefix: 'Bearer ',
+      },
+    };
+    const trace = buildDecisionTrace('api.example.com', 443, '/api?key=secret', 'https', decision);
+    expect(trace.host).toBe('api.example.com');
+    expect(trace.port).toBe(443);
+    expect(trace.path).toBe('/api');
+    expect(trace.scheme).toBe('https');
+    expect(trace.decisionKind).toBe('matched');
+    expect(trace.candidateCount).toBe(1);
+    expect(trace.selectedPattern).toBe('*.example.com');
+    expect(trace.selectedCredentialId).toBe('cred-1');
+  });
+
+  test('ambiguous decision', () => {
+    const decision: PolicyDecision = {
+      kind: 'ambiguous',
+      candidates: [
+        { credentialId: 'cred-1', template: { hostPattern: '*.example.com', injectionType: 'header' } as CredentialInjectionTemplate },
+        { credentialId: 'cred-2', template: { hostPattern: '*.example.com', injectionType: 'header' } as CredentialInjectionTemplate },
+      ],
+    };
+    const trace = buildDecisionTrace('api.example.com', null, '/', 'https', decision);
+    expect(trace.decisionKind).toBe('ambiguous');
+    expect(trace.candidateCount).toBe(2);
+    expect(trace.selectedPattern).toBeNull();
+    expect(trace.selectedCredentialId).toBeNull();
+  });
+
+  test('missing decision', () => {
+    const decision: PolicyDecision = { kind: 'missing' };
+    const trace = buildDecisionTrace('unknown.com', null, '/', 'https', decision);
+    expect(trace.decisionKind).toBe('missing');
+    expect(trace.candidateCount).toBe(0);
+  });
+
+  test('unauthenticated decision', () => {
+    const decision: PolicyDecision = { kind: 'unauthenticated' };
+    const trace = buildDecisionTrace('example.com', null, '/', 'http', decision);
+    expect(trace.decisionKind).toBe('unauthenticated');
+    expect(trace.candidateCount).toBe(0);
+  });
+
+  test('ask_missing_credential decision', () => {
+    const decision: PolicyDecision = {
+      kind: 'ask_missing_credential',
+      target: { hostname: 'api.example.com', port: null, path: '/', scheme: 'https' },
+      matchingPatterns: ['*.example.com', 'api.example.com'],
+    };
+    const trace = buildDecisionTrace('api.example.com', null, '/', 'https', decision);
+    expect(trace.decisionKind).toBe('ask_missing_credential');
+    expect(trace.candidateCount).toBe(2);
+  });
+
+  test('ask_unauthenticated decision', () => {
+    const decision: PolicyDecision = {
+      kind: 'ask_unauthenticated',
+      target: { hostname: 'unknown.com', port: null, path: '/', scheme: 'https' },
+    };
+    const trace = buildDecisionTrace('unknown.com', null, '/', 'https', decision);
+    expect(trace.decisionKind).toBe('ask_unauthenticated');
+    expect(trace.candidateCount).toBe(0);
+  });
+
+  test('strips query string from path to avoid leaking secrets', () => {
+    const decision: PolicyDecision = { kind: 'unauthenticated' };
+    const trace = buildDecisionTrace('example.com', null, '/api?secret=abc', 'https', decision);
+    expect(trace.path).toBe('/api');
+    expect(trace.path).not.toContain('secret');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// buildCredentialRefTrace
+// ---------------------------------------------------------------------------
+
+describe('buildCredentialRefTrace', () => {
+  test('builds trace with all fields', () => {
+    const trace = buildCredentialRefTrace(
+      ['my-api-key', 'unknown-ref'],
+      ['uuid-1'],
+      ['unknown-ref'],
+    );
+    expect(trace.rawRefs).toEqual(['my-api-key', 'unknown-ref']);
+    expect(trace.resolvedIds).toEqual(['uuid-1']);
+    expect(trace.unresolvedRefs).toEqual(['unknown-ref']);
+  });
+
+  test('handles empty arrays', () => {
+    const trace = buildCredentialRefTrace([], [], []);
+    expect(trace.rawRefs).toEqual([]);
+    expect(trace.resolvedIds).toEqual([]);
+    expect(trace.unresolvedRefs).toEqual([]);
+  });
+});