import { describe, expect, it } from "vitest"; import { INVALID_EXEC_SECRET_REF_IDS, VALID_EXEC_SECRET_REF_IDS, } from "../test-utils/secret-ref-test-vectors.js"; import { isSecretsApplyPlan, resolveValidatedPlanTarget } from "./plan.js"; describe("secrets plan validation", () => { it("accepts legacy provider target types", () => { const resolved = resolveValidatedPlanTarget({ type: "models.providers.apiKey", path: "models.providers.openai.apiKey", pathSegments: ["models", "providers", "openai", "apiKey"], providerId: "openai", }); expect(resolved?.pathSegments).toEqual(["models", "providers", "openai", "apiKey"]); }); it("accepts expanded target types beyond legacy surface", () => { const resolved = resolveValidatedPlanTarget({ type: "channels.telegram.botToken", path: "channels.telegram.botToken", pathSegments: ["channels", "telegram", "botToken"], }); expect(resolved?.pathSegments).toEqual(["channels", "telegram", "botToken"]); }); it("accepts model provider header targets with wildcard-backed paths", () => { const resolved = resolveValidatedPlanTarget({ type: "models.providers.headers", path: "models.providers.openai.headers.x-api-key", pathSegments: ["models", "providers", "openai", "headers", "x-api-key"], providerId: "openai", }); expect(resolved?.pathSegments).toEqual([ "models", "providers", "openai", "headers", "x-api-key", ]); }); it("rejects target paths that do not match the registered shape", () => { const resolved = resolveValidatedPlanTarget({ type: "channels.telegram.botToken", path: "channels.telegram.webhookSecret", pathSegments: ["channels", "telegram", "webhookSecret"], }); expect(resolved).toBeNull(); }); it("validates plan files with non-legacy target types", () => { const isValid = isSecretsApplyPlan({ version: 1, protocolVersion: 1, generatedAt: "2026-02-28T00:00:00.000Z", generatedBy: "manual", targets: [ { type: "talk.apiKey", path: "talk.apiKey", pathSegments: ["talk", "apiKey"], ref: { source: "env", provider: "default", id: "TALK_API_KEY" }, }, ], }); expect(isValid).toBe(true); }); it("requires agentId for auth-profiles plan targets", () => { const withoutAgent = isSecretsApplyPlan({ version: 1, protocolVersion: 1, generatedAt: "2026-02-28T00:00:00.000Z", generatedBy: "manual", targets: [ { type: "auth-profiles.api_key.key", path: "profiles.openai:default.key", pathSegments: ["profiles", "openai:default", "key"], ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" }, }, ], }); expect(withoutAgent).toBe(false); const withAgent = isSecretsApplyPlan({ version: 1, protocolVersion: 1, generatedAt: "2026-02-28T00:00:00.000Z", generatedBy: "manual", targets: [ { type: "auth-profiles.api_key.key", path: "profiles.openai:default.key", pathSegments: ["profiles", "openai:default", "key"], agentId: "main", ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" }, }, ], }); expect(withAgent).toBe(true); }); it("accepts valid exec secret ref ids in plans", () => { for (const id of VALID_EXEC_SECRET_REF_IDS) { const isValid = isSecretsApplyPlan({ version: 1, protocolVersion: 1, generatedAt: "2026-03-10T00:00:00.000Z", generatedBy: "manual", targets: [ { type: "talk.apiKey", path: "talk.apiKey", pathSegments: ["talk", "apiKey"], ref: { source: "exec", provider: "vault", id }, }, ], }); expect(isValid, `expected valid plan exec ref id: ${id}`).toBe(true); } }); it("rejects invalid exec secret ref ids in plans", () => { for (const id of INVALID_EXEC_SECRET_REF_IDS) { const isValid = isSecretsApplyPlan({ version: 1, protocolVersion: 1, generatedAt: "2026-03-10T00:00:00.000Z", generatedBy: "manual", targets: [ { type: "talk.apiKey", path: "talk.apiKey", pathSegments: ["talk", "apiKey"], ref: { source: "exec", provider: "vault", id }, }, ], }); expect(isValid, `expected invalid plan exec ref id: ${id}`).toBe(false); } }); });