import { baiduNetdiskAuthHealthGateStatus, baiduNetdiskRuntimeSecretRequirements, runtimeSecretContractFromEnvText, runtimeSecretPresenceFromEnvText, } from "./src/artifact-registry"; function assertCondition(condition: unknown, message: string, detail: unknown = {}): void { if (!condition) throw new Error(`${message}: ${JSON.stringify(detail)}`); } const secretEnvText = [ "UNIDESK_BAIDU_NETDISK_CLIENT_ID=clientid-clientid-clientid-0000", "UNIDESK_BAIDU_NETDISK_CLIENT_SECRET=\"clientsecret-clientsecret-0001\"", "UNIDESK_BAIDU_NETDISK_TOKEN_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", ].join("\n"); const present = runtimeSecretPresenceFromEnvText(secretEnvText, baiduNetdiskRuntimeSecretRequirements); assertCondition(present.every((item) => item.present), "all baidu-netdisk secrets should be present", present); assertCondition(present.map((item) => item.length).join(",") === "31,30,64", "presence reports only lengths", present); assertCondition(!JSON.stringify(present).includes("0123456789abcdef"), "secret values must not be exposed", present); const presentContract = runtimeSecretContractFromEnvText(secretEnvText, baiduNetdiskRuntimeSecretRequirements, { path: "/root/unidesk/.state/docker-compose.env", exists: true, workDir: "/root/unidesk", composeEnvFile: ".state/docker-compose.env", composeService: "baidu-netdisk", containerName: "baidu-netdisk-backend", }); assertCondition(presentContract.secretSource.kind === "compose-env-file", "secret source should name canonical compose env file", presentContract); assertCondition(presentContract.requiredSecretsPresent === true, "present contract should pass", presentContract); assertCondition(presentContract.missingSecretKeys.length === 0, "present contract should not list missing keys", presentContract); assertCondition(presentContract.recommendedAction === "none", "present contract should recommend no action", presentContract); assertCondition(presentContract.valuesPrinted === false, "present contract must not print values", presentContract); assertCondition(!JSON.stringify(presentContract).includes("clientsecret"), "contract must not expose fake secret values", presentContract); const missing = runtimeSecretPresenceFromEnvText( "UNIDESK_BAIDU_NETDISK_CLIENT_ID=clientid-clientid-clientid-0000\n", baiduNetdiskRuntimeSecretRequirements, ); assertCondition(!missing.every((item) => item.present), "missing env should fail presence contract", missing); assertCondition( missing.filter((item) => !item.present).map((item) => item.sourceEnvName).join(",") === "UNIDESK_BAIDU_NETDISK_CLIENT_SECRET,UNIDESK_BAIDU_NETDISK_TOKEN_KEY", "missing env should identify absent keys without values", missing, ); const missingContract = runtimeSecretContractFromEnvText( "UNIDESK_BAIDU_NETDISK_CLIENT_ID=clientid-clientid-clientid-0000\n", baiduNetdiskRuntimeSecretRequirements, { path: "/root/unidesk/.state/docker-compose.env", exists: true, workDir: "/root/unidesk", composeEnvFile: ".state/docker-compose.env", composeService: "baidu-netdisk", containerName: "baidu-netdisk-backend", }, ); assertCondition(missingContract.requiredSecretsPresent === false, "missing contract should fail", missingContract); assertCondition( missingContract.missingSecretKeys.join(",") === "UNIDESK_BAIDU_NETDISK_CLIENT_SECRET,UNIDESK_BAIDU_NETDISK_TOKEN_KEY", "missing contract should expose missing source keys", missingContract, ); assertCondition( String(missingContract.recommendedAction).includes("canonical Compose env file"), "missing contract should recommend the canonical source", missingContract, ); const healthy = baiduNetdiskAuthHealthGateStatus({ auth: { configured: true, clientIdConfigured: true, clientSecretConfigured: true, tokenKeyConfigured: true, loggedIn: true, }, }); assertCondition(healthy.ok, "healthy auth fields should pass", healthy); const degraded = baiduNetdiskAuthHealthGateStatus({ auth: { configured: false, clientIdConfigured: true, clientSecretConfigured: true, tokenKeyConfigured: false, loggedIn: true, }, }); assertCondition(!degraded.ok, "missing auth fields should fail", degraded); assertCondition( degraded.failedFields.join(",") === "configured,tokenKeyConfigured", "auth gate should report failed boolean fields", degraded, ); process.stdout.write(`${JSON.stringify({ ok: true, checks: [ "runtime secret presence reports booleans and lengths only", "runtime secret contract exposes secretSource/requiredSecretsPresent/missingSecretKeys/recommendedAction without values", "missing Baidu Netdisk env cannot pass the deploy contract", "auth health gate requires configured/clientId/clientSecret/tokenKey/loggedIn", ], present, presentContract, missing: missing.map((item) => ({ ...item, length: item.length })), missingContract, degraded, }, null, 2)}\n`);