




















@@ -110,7 +110,8 @@ async function seedDefaultApplyFixture(fixture: ApplyFixture): Promise<void> {
110110"openai:default": {
111111type: "api_key",
112112provider: "openai",
113-key: "sk-openai-plaintext", // pragma: allowlist secret
113+key: "sk-ope...text", // pragma: allowlist secret
114+keyRef: OPENAI_API_KEY_ENV_REF,
114115},
115116},
116117});
@@ -290,7 +291,11 @@ describe("secrets apply", () => {
290291profiles: { "openai:default": { key?: string; keyRef?: unknown } };
291292};
292293expect(nextAuthStore.profiles["openai:default"].key).toBeUndefined();
293-expect(nextAuthStore.profiles["openai:default"].keyRef).toBeUndefined();
294+expect(nextAuthStore.profiles["openai:default"].keyRef).toEqual({
295+source: "env",
296+provider: "default",
297+id: "OPENAI_API_KEY",
298+});
294299295300const nextAuthJson = JSON.parse(await fs.readFile(fixture.authJsonPath, "utf8")) as Record<
296301string,
@@ -303,6 +308,58 @@ describe("secrets apply", () => {
303308expect(nextEnv).toContain("UNRELATED=value");
304309});
305310311+it("preserves auth-profile tokenRef during provider scrub", async () => {
312+await writeJsonFile(fixture.authStorePath, {
313+version: 1,
314+profiles: {
315+"openai:bot": {
316+type: "token",
317+provider: "openai",
318+token: "sk-token-plaintext", // pragma: allowlist secret
319+tokenRef: OPENAI_API_KEY_ENV_REF,
320+},
321+},
322+});
323+const plan = createPlan({
324+targets: [createOpenAiProviderTarget()],
325+options: createOneWayScrubOptions(),
326+});
327+328+await runSecretsApply({ plan, env: fixture.env, write: true });
329+330+const nextAuthStore = JSON.parse(await fs.readFile(fixture.authStorePath, "utf8")) as {
331+profiles: { "openai:bot": { token?: string; tokenRef?: unknown } };
332+};
333+expect(nextAuthStore.profiles["openai:bot"].token).toBeUndefined();
334+expect(nextAuthStore.profiles["openai:bot"].tokenRef).toEqual(OPENAI_API_KEY_ENV_REF);
335+});
336+337+it("scrubs malformed auth-profile ref residue during provider scrub", async () => {
338+await writeJsonFile(fixture.authStorePath, {
339+version: 1,
340+profiles: {
341+"openai:default": {
342+type: "api_key",
343+provider: "openai",
344+key: "sk-openai-plaintext", // pragma: allowlist secret
345+keyRef: "secretref-managed", // pragma: allowlist secret
346+},
347+},
348+});
349+const plan = createPlan({
350+targets: [createOpenAiProviderTarget()],
351+options: createOneWayScrubOptions(),
352+});
353+354+await runSecretsApply({ plan, env: fixture.env, write: true });
355+356+const nextAuthStore = JSON.parse(await fs.readFile(fixture.authStorePath, "utf8")) as {
357+profiles: { "openai:default": { key?: string; keyRef?: unknown } };
358+};
359+expect(nextAuthStore.profiles["openai:default"].key).toBeUndefined();
360+expect(nextAuthStore.profiles["openai:default"].keyRef).toBeUndefined();
361+});
362+306363it("skips exec SecretRef checks during dry-run unless explicitly allowed", async () => {
307364if (process.platform === "win32") {
308365return;
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。