fix: expose baidu netdisk secret source contract

This commit is contained in:
Codex
2026-05-21 10:09:22 +00:00
parent 1749897d1a
commit f701eab29d
8 changed files with 245 additions and 30 deletions
@@ -1,6 +1,7 @@
import {
baiduNetdiskAuthHealthGateStatus,
baiduNetdiskRuntimeSecretRequirements,
runtimeSecretContractFromEnvText,
runtimeSecretPresenceFromEnvText,
} from "./src/artifact-registry";
@@ -19,6 +20,21 @@ assertCondition(present.every((item) => item.present), "all baidu-netdisk secret
assertCondition(present.map((item) => item.length).join(",") === "31,30,64", "presence reports only lengths", present);
assertCondition(!JSON.stringify(present).includes("0123456789abcdef"), "secret values must not be exposed", present);
const presentContract = runtimeSecretContractFromEnvText(secretEnvText, baiduNetdiskRuntimeSecretRequirements, {
path: "/root/unidesk/.state/docker-compose.env",
exists: true,
workDir: "/root/unidesk",
composeEnvFile: ".state/docker-compose.env",
composeService: "baidu-netdisk",
containerName: "baidu-netdisk-backend",
});
assertCondition(presentContract.secretSource.kind === "compose-env-file", "secret source should name canonical compose env file", presentContract);
assertCondition(presentContract.requiredSecretsPresent === true, "present contract should pass", presentContract);
assertCondition(presentContract.missingSecretKeys.length === 0, "present contract should not list missing keys", presentContract);
assertCondition(presentContract.recommendedAction === "none", "present contract should recommend no action", presentContract);
assertCondition(presentContract.valuesPrinted === false, "present contract must not print values", presentContract);
assertCondition(!JSON.stringify(presentContract).includes("clientsecret"), "contract must not expose fake secret values", presentContract);
const missing = runtimeSecretPresenceFromEnvText(
"UNIDESK_BAIDU_NETDISK_CLIENT_ID=clientid-clientid-clientid-0000\n",
baiduNetdiskRuntimeSecretRequirements,
@@ -30,6 +46,30 @@ assertCondition(
missing,
);
const missingContract = runtimeSecretContractFromEnvText(
"UNIDESK_BAIDU_NETDISK_CLIENT_ID=clientid-clientid-clientid-0000\n",
baiduNetdiskRuntimeSecretRequirements,
{
path: "/root/unidesk/.state/docker-compose.env",
exists: true,
workDir: "/root/unidesk",
composeEnvFile: ".state/docker-compose.env",
composeService: "baidu-netdisk",
containerName: "baidu-netdisk-backend",
},
);
assertCondition(missingContract.requiredSecretsPresent === false, "missing contract should fail", missingContract);
assertCondition(
missingContract.missingSecretKeys.join(",") === "UNIDESK_BAIDU_NETDISK_CLIENT_SECRET,UNIDESK_BAIDU_NETDISK_TOKEN_KEY",
"missing contract should expose missing source keys",
missingContract,
);
assertCondition(
String(missingContract.recommendedAction).includes("canonical Compose env file"),
"missing contract should recommend the canonical source",
missingContract,
);
const healthy = baiduNetdiskAuthHealthGateStatus({
auth: {
configured: true,
@@ -61,10 +101,13 @@ process.stdout.write(`${JSON.stringify({
ok: true,
checks: [
"runtime secret presence reports booleans and lengths only",
"runtime secret contract exposes secretSource/requiredSecretsPresent/missingSecretKeys/recommendedAction without values",
"missing Baidu Netdisk env cannot pass the deploy contract",
"auth health gate requires configured/clientId/clientSecret/tokenKey/loggedIn",
],
present,
presentContract,
missing: missing.map((item) => ({ ...item, length: item.length })),
missingContract,
degraded,
}, null, 2)}\n`);