@@ -57,39 +57,6 @@ function computeCloudAgentNextPlan(root: string) {
5757 return plan ;
5858}
5959
60- const gitTokenServiceDir = 'services/git-token-service' ;
61- const annotatedCapabilitySecretBinding = `{
62- "binding": "SCM_SESSION_CAPABILITY_ENCRYPTION_KEY",
63- "store_id": "store-id",
64- // @dev-generate base64 32
65- "secret_name": "SCM_SESSION_CAPABILITY_ENCRYPTION_KEY_DEV"
66- }` ;
67-
68- function createGitTokenServiceRepo ( options : {
69- envLocal ?: string ;
70- devSecretBinding ?: string ;
71- rootSecretBinding ?: string ;
72- } ) : TestRepo {
73- const rootSecrets = options . rootSecretBinding
74- ? `"secrets_store_secrets": [${ options . rootSecretBinding } ],`
75- : '' ;
76- return createRepo ( {
77- '.env.local' : options . envLocal ?? '' ,
78- [ `${ gitTokenServiceDir } /package.json` ] : JSON . stringify ( {
79- scripts : { dev : 'wrangler dev --env dev' } ,
80- } ) ,
81- [ `${ gitTokenServiceDir } /.dev.vars.example` ] : '' ,
82- [ `${ gitTokenServiceDir } /wrangler.jsonc` ] : `{
83- ${ rootSecrets }
84- "env": {
85- "dev": {
86- "secrets_store_secrets": [${ options . devSecretBinding ?? annotatedCapabilitySecretBinding } ]
87- }
88- }
89- }` ,
90- } ) ;
91- }
92-
9360function withFakePnpm ( output : string , fn : ( ) => void ) : void {
9461 const binDir = fs . mkdtempSync ( path . join ( os . tmpdir ( ) , 'env-sync-bin-' ) ) ;
9562 const oldPath = process . env . PATH ;
@@ -294,132 +261,6 @@ test('writes example defaults to .dev.vars when they override wrangler vars', ()
294261 }
295262} ) ;
296263
297- test ( 'generates an annotated missing secret directly into the local Secrets Store' , ( ) => {
298- const repo = createGitTokenServiceRepo ( { } ) ;
299- try {
300- withFakePnpm ( '' , ( ) => {
301- const plan = computePlan ( repo . root , new Set ( [ 'cloudflare-git-token-service' ] ) ) ;
302- assert . equal ( plan . missingEnvLocal , false ) ;
303- assert . deepEqual ( plan . devVarsChanges , [ ] ) ;
304- assert . deepEqual ( plan . envLocalAutoCreates , [ ] ) ;
305- assert . deepEqual ( plan . secretStoreWarnings , [ ] ) ;
306- assert . equal ( plan . secretStoreAutoCreates . length , 1 ) ;
307- const [ create ] = plan . secretStoreAutoCreates ;
308- assert . ok ( create ) ;
309- assert . equal ( create . binding . secret_name , 'SCM_SESSION_CAPABILITY_ENCRYPTION_KEY_DEV' ) ;
310- assert . equal ( create . sourceKey , '@dev-generate base64 32' ) ;
311- assert . equal ( Buffer . from ( create . value , 'base64' ) . length , 32 ) ;
312- } ) ;
313- } finally {
314- repo . cleanup ( ) ;
315- }
316- } ) ;
317-
318- test ( 'generates an annotated secret instead of copying a plaintext env source' , ( ) => {
319- const repo = createGitTokenServiceRepo ( {
320- envLocal : 'SCM_SESSION_CAPABILITY_ENCRYPTION_KEY=plaintext-source\n' ,
321- } ) ;
322- try {
323- withFakePnpm ( '' , ( ) => {
324- const plan = computePlan ( repo . root , new Set ( [ 'cloudflare-git-token-service' ] ) ) ;
325- const [ create ] = plan . secretStoreAutoCreates ;
326- assert . ok ( create ) ;
327- assert . equal ( create . sourceKey , '@dev-generate base64 32' ) ;
328- assert . notEqual ( create . value , 'plaintext-source' ) ;
329- assert . equal ( Buffer . from ( create . value , 'base64' ) . length , 32 ) ;
330- } ) ;
331- } finally {
332- repo . cleanup ( ) ;
333- }
334- } ) ;
335-
336- test ( 'applies generation only to the annotated Secrets Store binding' , ( ) => {
337- const repo = createGitTokenServiceRepo ( {
338- rootSecretBinding : `{
339- "binding": "SHARED_SECRET",
340- "store_id": "shared-store",
341- // @dev-generate base64 32
342- "secret_name": "SHARED_SECRET"
343- }` ,
344- devSecretBinding : `{
345- "binding": "SHARED_SECRET",
346- "store_id": "shared-store",
347- "secret_name": "SHARED_SECRET"
348- }` ,
349- } ) ;
350- try {
351- withFakePnpm ( '' , ( ) => {
352- const plan = computePlan ( repo . root , new Set ( [ 'cloudflare-git-token-service' ] ) ) ;
353- assert . deepEqual ( plan . secretStoreAutoCreates , [ ] ) ;
354- assert . deepEqual ( plan . secretStoreWarnings , [
355- {
356- workerDir : 'services/git-token-service' ,
357- bindings : [
358- {
359- binding : 'SHARED_SECRET' ,
360- store_id : 'shared-store' ,
361- secret_name : 'SHARED_SECRET' ,
362- } ,
363- ] ,
364- } ,
365- ] ) ;
366- } ) ;
367- } finally {
368- repo . cleanup ( ) ;
369- }
370- } ) ;
371-
372- test ( 'rejects malformed Secrets Store generation annotations' , ( ) => {
373- const repo = createGitTokenServiceRepo ( {
374- devSecretBinding : `{
375- "binding": "SCM_SESSION_CAPABILITY_ENCRYPTION_KEY",
376- "store_id": "store-id",
377- // @dev-generate base64 nope
378- "secret_name": "SCM_SESSION_CAPABILITY_ENCRYPTION_KEY_DEV"
379- }` ,
380- } ) ;
381- try {
382- assert . throws (
383- ( ) => computePlan ( repo . root , new Set ( [ 'cloudflare-git-token-service' ] ) ) ,
384- / I n v a l i d @ d e v - g e n e r a t e d i r e c t i v e /
385- ) ;
386- } finally {
387- repo . cleanup ( ) ;
388- }
389- } ) ;
390-
391- test ( 'rejects reserved generated-secret metadata in source Wrangler config' , ( ) => {
392- const repo = createGitTokenServiceRepo ( {
393- devSecretBinding : `{
394- "binding": "SCM_SESSION_CAPABILITY_ENCRYPTION_KEY",
395- "store_id": "store-id",
396- "__kilo\\u005fdev_generated_base64_bytes_0": 4096,
397- "secret_name": "SCM_SESSION_CAPABILITY_ENCRYPTION_KEY_DEV"
398- }` ,
399- } ) ;
400- try {
401- assert . throws (
402- ( ) => computePlan ( repo . root , new Set ( [ 'cloudflare-git-token-service' ] ) ) ,
403- / r e s e r v e d f o r g e n e r a t e d - s e c r e t m e t a d a t a /
404- ) ;
405- } finally {
406- repo . cleanup ( ) ;
407- }
408- } ) ;
409-
410- test ( 'preserves an existing annotated local Secrets Store secret' , ( ) => {
411- const repo = createGitTokenServiceRepo ( { } ) ;
412- try {
413- withFakePnpm ( 'SCM_SESSION_CAPABILITY_ENCRYPTION_KEY_DEV\n' , ( ) => {
414- const plan = computePlan ( repo . root , new Set ( [ 'cloudflare-git-token-service' ] ) ) ;
415- assert . deepEqual ( plan . secretStoreAutoCreates , [ ] ) ;
416- assert . deepEqual ( plan . secretStoreWarnings , [ ] ) ;
417- } ) ;
418- } finally {
419- repo . cleanup ( ) ;
420- }
421- } ) ;
422-
423264test ( 'auto-creates event-service NEXTAUTH Secrets Store binding from .env.local' , ( ) => {
424265 const repo = createRepo ( {
425266 '.env.local' : 'NEXTAUTH_SECRET=local-nextauth-secret\n' ,