import { describe, expect, test } from "bun:test"; import { githubTokenEnvNameForSecretKey, readGiteaConfig, resolveTarget, } from "./platform-infra-gitea-config"; import { buildGiteaMirrorBootstrapCredentialPreflight, buildMirrorWebhookCredentialBlockedResult, renderManifest } from "./platform-infra-gitea"; import { renderMirrorWebhookCredentialBlocked } from "./platform-infra-gitea-render"; function syntheticMissingSelfmediaCredential(): Record { return { id: "github-upstream:selfmedia-nc01", repository: "pikainc/selfmedia", sourceRef: "pikainc-selfmedia-gh-token.txt", present: false, requiredKeysPresent: false, fingerprint: null, permissionResult: { status: "blocked-missing-credential", permissions: { contents: "read", metadata: "read", webhooks: "read-write" }, error: "credential material is absent", }, valuesPrinted: false, }; } function syntheticBlockedResult(allTargetRepositories = false): Record { const config = readGiteaConfig(); const target = resolveTarget(config, "NC01"); const repositories = config.sourceAuthority.repositories.filter((repo) => repo.targetId === "NC01" && (allTargetRepositories || repo.key === "selfmedia-nc01")); const credential = syntheticMissingSelfmediaCredential(); return buildMirrorWebhookCredentialBlockedResult(config, target, repositories, [credential], [String(credential.id)]); } describe("platform-infra Gitea repository GitHub credentials", () => { test("keeps the global credential and selfmedia override on distinct Secret keys", () => { const config = readGiteaConfig(); const globalCredential = config.sourceAuthority.credentials.github; const selfmedia = config.sourceAuthority.repositories.find((repo) => repo.key === "selfmedia-nc01"); const override = selfmedia?.credentialOverride?.github; expect(override?.sourceRef).toBe("pikainc-selfmedia-gh-token.txt"); expect(override?.permissions).toEqual({ contents: "read", metadata: "read", webhooks: "read-write" }); expect(override?.gitFetchCredential.secretRef.key).not.toBe(globalCredential.gitFetchCredential.secretRef.key); expect(githubTokenEnvNameForSecretKey(override?.gitFetchCredential.secretRef.key ?? "")) .not.toBe(githubTokenEnvNameForSecretKey(globalCredential.gitFetchCredential.secretRef.key)); }); test("normalizes Secret keys to bounded environment variable names", () => { expect(githubTokenEnvNameForSecretKey("github-token-pikainc-selfmedia")) .toBe("UNIDESK_GITEA_GITHUB_TOKEN_GITHUB_TOKEN_PIKAINC_SELFMEDIA"); }); test("keeps repository credential overrides scoped to their configured target", () => { const config = readGiteaConfig(); const jd01Overrides = config.sourceAuthority.repositories .filter((repo) => repo.targetId === "JD01") .flatMap((repo) => repo.credentialOverride?.github ?? []); const nc01Overrides = config.sourceAuthority.repositories .filter((repo) => repo.targetId === "NC01") .flatMap((repo) => repo.credentialOverride?.github ?? []); expect(jd01Overrides).toHaveLength(0); expect(nc01Overrides.map((credential) => credential.sourceRef)).toContain("pikainc-selfmedia-gh-token.txt"); }); test("bootstrap preflight only requires the selected repository effective credential", () => { const config = readGiteaConfig(); const repository = config.sourceAuthority.repositories.find((repo) => repo.key === "selfmedia-nc01"); expect(repository).toBeDefined(); const result = buildGiteaMirrorBootstrapCredentialPreflight(config, [repository!], (credential) => ( credential.sourceRef === "pikainc-selfmedia-gh-token.txt" ? { [credential.sourceKey]: "fixture-token" } : null )); expect(result.blockers).toEqual([]); expect(result.credentials).toHaveLength(1); expect(result.credentials[0]).toMatchObject({ id: "github-upstream:selfmedia-nc01", sourceRef: "pikainc-selfmedia-gh-token.txt", present: true, requiredKeysPresent: true, }); expect(JSON.stringify(result)).not.toContain(config.sourceAuthority.credentials.admin.sourceRef); expect(JSON.stringify(result)).not.toContain(config.sourceAuthority.credentials.github.sourceRef); }); test("does not inject the NC01 selfmedia token into JD01 bridge containers", () => { const config = readGiteaConfig(); const selfmediaTokenEnv = githubTokenEnvNameForSecretKey("github-token-pikainc-selfmedia"); const globalTokenEnv = githubTokenEnvNameForSecretKey(config.sourceAuthority.credentials.github.gitFetchCredential.secretRef.key); const jd01Manifest = renderManifest(config, resolveTarget(config, "JD01")); const nc01Manifest = renderManifest(config, resolveTarget(config, "NC01")); expect(jd01Manifest).toContain(globalTokenEnv); expect(jd01Manifest).not.toContain(selfmediaTokenEnv); expect(nc01Manifest).toContain(globalTokenEnv); expect(nc01Manifest).toContain(selfmediaTokenEnv); expect(nc01Manifest).toContain(`"tokenEnv": "${selfmediaTokenEnv}"`); }); test("keeps missing selfmedia webhook status bounded and stack-free", () => { const payload = syntheticBlockedResult(); const credentials = payload.credentials as Array>; const selfmedia = credentials[0]; const serialized = JSON.stringify(payload); expect((payload.error as Record).code).toBe("github-credential-unavailable"); expect(selfmedia).toMatchObject({ sourceRef: "pikainc-selfmedia-gh-token.txt", present: false, fingerprint: null, valuesPrinted: false, }); expect(selfmedia).not.toHaveProperty("sourcePath"); expect(serialized).not.toContain('"stack"'); expect(serialized).not.toContain("/root/.worktrees/"); }); test("renders missing selfmedia webhook status as compact text by default", () => { const stdout = renderMirrorWebhookCredentialBlocked(syntheticBlockedResult()).renderedText; expect(stdout).toContain("PLATFORM-INFRA GITEA MIRROR WEBHOOK STATUS"); expect(stdout).toContain("SOURCE_REF"); expect(stdout).toContain("pikainc-selfmedia-gh-token.txt"); expect(stdout).toContain("PERMISSION_RESULT"); expect(stdout).toContain("github-upstream:selfmedia-nc01"); expect(stdout.trimStart()).not.toStartWith("{"); expect(stdout).not.toContain('"stack"'); }); test("matches compact blocker rows to their repository without --repo", () => { const stdout = renderMirrorWebhookCredentialBlocked(syntheticBlockedResult(true)).renderedText; expect(stdout).toContain("pikainc/selfmedia"); expect(stdout).toContain("pikainc-selfmedia-gh-token.txt"); expect(stdout).toContain("github-upstream:selfmedia-nc01"); expect(stdout).not.toContain("pikasTech/agentrun"); expect(stdout.trimStart()).not.toStartWith("{"); }); });