test: credential-store — cover TLS sensitive field detection

claude · claude · commit e02f1a400690 · 2026-04-03T19:25:03.000Z
The ClickHouse driver (#574) added tls_key, tls_cert, tls_ca_cert to SENSITIVE_FIELDS but the isSensitiveField test didn't cover them. Without this, a refactor could silently remove TLS fields from the set, causing ClickHouse TLS credentials to be stored in plaintext in connections.json instead of the OS keychain. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> https://claude.ai/code/session_01XnDpfWC8aJfUm1xrAtWq4E
diff --git a/packages/opencode/test/altimate/connections.test.ts b/packages/opencode/test/altimate/connections.test.ts
@@ -249,13 +249,17 @@ describe("CredentialStore", () => {
   })
 
   // altimate_change start — cover remaining SENSITIVE_FIELDS entries not in the test above
-  test("isSensitiveField covers BigQuery, SSL, and SSH credential fields", () => {
+  test("isSensitiveField covers BigQuery, SSL, SSH, and TLS credential fields", () => {
     expect(CredentialStore.isSensitiveField("credentials_json")).toBe(true)
     expect(CredentialStore.isSensitiveField("keyfile_json")).toBe(true)
     expect(CredentialStore.isSensitiveField("ssl_key")).toBe(true)
     expect(CredentialStore.isSensitiveField("ssl_cert")).toBe(true)
     expect(CredentialStore.isSensitiveField("ssl_ca")).toBe(true)
     expect(CredentialStore.isSensitiveField("ssh_password")).toBe(true)
+    // ClickHouse TLS fields added in #574
+    expect(CredentialStore.isSensitiveField("tls_key")).toBe(true)
+    expect(CredentialStore.isSensitiveField("tls_cert")).toBe(true)
+    expect(CredentialStore.isSensitiveField("tls_ca_cert")).toBe(true)
   })
   // altimate_change end
 
