What would you like?
The export test suite covers buildExportScript as string assertions and the host-side orchestration via injected runners, but nothing actually executes the generated bash against a temp directory containing planted fake secrets. That gap let #3383 ship with a sed delimiter bug that only surfaced at VM runtime (unknown option to 'sed s'). #3384 fixed it, but the gap remains.
Suggested test
In packages/cli/src/__tests__/export.test.ts, add a test that:
- Generates the script with
allowRedact: true.
- Extracts just the "SECRETS SCAN — redact" block (step 9) into a temp
.sh file.
- Creates a temp
git init directory with a file containing a synthetic match for each regex family (e.g. sk-or-v1-00000000000000000000, sk-ant-api0_ + 20 chars, etc.).
- Runs
bash <tempfile> and asserts:
- The file no longer contains the synthetic match.
- It contains
***REDACTED-BY-SPAWN-EXPORT***.
git diff --cached shows the redaction.
Why
bash -n is syntax-only — it doesn't catch runtime quoting/escaping bugs like sed s|…|…|g colliding with | in the pattern.- Redaction is now the last line of defence before a (possibly public)
gh repo create --push. Any regression here ships secrets.
- A happy-path subprocess test is OK per project testing rules — the rule bans subprocess-driven unit tests of cloud behaviour; a purely local
bash <temp.sh> against a sandbox git init is deterministic, fast, and doesn't hit any network.
Related
Filed from Slack by SPA
What would you like?
The export test suite covers
buildExportScriptas string assertions and the host-side orchestration via injected runners, but nothing actually executes the generated bash against a temp directory containing planted fake secrets. That gap let #3383 ship with a sed delimiter bug that only surfaced at VM runtime (unknown option to 'sed s'). #3384 fixed it, but the gap remains.Suggested test
In
packages/cli/src/__tests__/export.test.ts, add a test that:allowRedact: true..shfile.git initdirectory with a file containing a synthetic match for each regex family (e.g.sk-or-v1-00000000000000000000,sk-ant-api0_+ 20 chars, etc.).bash <tempfile>and asserts:***REDACTED-BY-SPAWN-EXPORT***.git diff --cachedshows the redaction.Why
bash -nis syntax-only — it doesn't catch runtime quoting/escaping bugs likesed s|…|…|gcolliding with|in the pattern.gh repo create --push. Any regression here ships secrets.bash <temp.sh>against a sandboxgit initis deterministic, fast, and doesn't hit any network.Related
Filed from Slack by SPA