fix: vector compat integration tests, vault_env env leak fix

Author: Derek

.gitignore

@@ -23,6 +23,9 @@ out/
 test-results/
 coverage/
 
+# Temporary/cache
+.tmp/
+
 # Rust
 target/
 Cargo.lock

TODO.md

@@ -8,20 +8,14 @@
 
 ## Current Tasks
 
-### High Priority
-
-- [ ] Update downstream consumers to use `transport-grpc` / `transport-grpc-vector-compat`
-  - dfe-loader, dfe-archiver, dfe-receiver
-
-### Medium Priority
-
-- [ ] Fix vault_env integration tests (EnvGuard doesn't clear conflicting VAULT_TOKEN)
-- [ ] Add Vector compat source/sink integration tests (use fetch-vector.sh from dfe-receiver)
+(none)
 
 ---
 
 ## Completed
 
+- [x] Vector compat integration tests — 6 tests using real Vector binary + VectorCompatClient (fetch-vector.sh + YAML)
+- [x] vault_env integration tests fixed — clear_vault_env() prevents VAULT_TOKEN leakage
 - [x] Dependency update sweep — all crates to latest, tonic/prost 0.14 migration (v1.8.4)
 - [x] Stale hs-rustlib removed from JFrog hypersec-cargo-local and hyperi-cargo-local
 - [x] MaskingLayer fixed — writer-based redaction for both JSON and text formats (v1.8.4)

scripts/fetch-vector.sh

@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+# Project:   hyperi-rustlib
+# File:      scripts/fetch-vector.sh
+# Purpose:   Download and cache Vector binary for integration tests
+# Language:  Bash
+#
+# License:   FSL-1.1-ALv2
+# Copyright: (c) 2026 HYPERI PTY LIMITED
+#
+# Usage:
+#   ./scripts/fetch-vector.sh              # ensure latest, print binary path
+#   VECTOR_VERSION=0.43.0 ./scripts/fetch-vector.sh  # pin specific version
+#
+# Downloads the latest Vector release only if the cached binary is missing or
+# out of date. Prints the absolute path to the vector binary on stdout (last line).
+# Status messages go to stderr.
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+CACHE_DIR="${REPO_ROOT}/.tmp/vector"
+ARCH="$(uname -m)"
+
+# Check what we have cached (read version from binary)
+cached_version() {
+    local bin="${CACHE_DIR}/bin/vector"
+    if [[ -x "$bin" ]]; then
+        "$bin" --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1
+    fi
+}
+
+# Resolve the desired version
+if [[ -n "${VECTOR_VERSION:-}" ]]; then
+    WANT_VERSION="$VECTOR_VERSION"
+else
+    if command -v gh &>/dev/null; then
+        WANT_VERSION=$(gh release list --repo vectordotdev/vector --limit 30 --json tagName \
+            --jq '[.[] | select(.tagName | test("^v[0-9]"))][0].tagName' | sed 's/^v//')
+    elif command -v jq &>/dev/null; then
+        WANT_VERSION=$(curl -fsSL "https://api.github.com/repos/vectordotdev/vector/releases?per_page=30" \
+            | jq -r '[.[] | select(.tag_name | test("^v[0-9]"))][0].tag_name' | sed 's/^v//')
+    else
+        echo "ERROR: need either 'gh' or 'jq' to resolve latest version" >&2
+        exit 1
+    fi
+fi
+
+if [[ -z "$WANT_VERSION" || "$WANT_VERSION" == "null" ]]; then
+    echo "ERROR: could not resolve Vector version" >&2
+    exit 1
+fi
+
+BINARY="${CACHE_DIR}/bin/vector"
+HAVE_VERSION=$(cached_version || true)
+
+# If cached binary matches desired version, use it
+if [[ "$HAVE_VERSION" == "$WANT_VERSION" ]]; then
+    echo "Vector ${WANT_VERSION} already cached" >&2
+    echo "$BINARY"
+    exit 0
+fi
+
+if [[ -n "$HAVE_VERSION" ]]; then
+    echo "Updating Vector ${HAVE_VERSION} -> ${WANT_VERSION}" >&2
+else
+    echo "Downloading Vector ${WANT_VERSION} for ${ARCH}..." >&2
+fi
+
+# Clean old cache
+rm -rf "${CACHE_DIR:?}/bin"
+
+# Download
+mkdir -p "${CACHE_DIR}"
+TARBALL_NAME="vector-${WANT_VERSION}-${ARCH}-unknown-linux-gnu.tar.gz"
+DOWNLOAD_URL="https://github.com/vectordotdev/vector/releases/download/v${WANT_VERSION}/${TARBALL_NAME}"
+
+curl -fSL --progress-bar -o "${CACHE_DIR}/${TARBALL_NAME}" "$DOWNLOAD_URL"
+
+# Extract — tarball contains vector-{ARCH}-unknown-linux-gnu/bin/vector
+echo "Extracting..." >&2
+tar xzf "${CACHE_DIR}/${TARBALL_NAME}" -C "${CACHE_DIR}"
+
+EXTRACTED_DIR="${CACHE_DIR}/vector-${ARCH}-unknown-linux-gnu"
+if [[ -d "$EXTRACTED_DIR" ]]; then
+    mv "${EXTRACTED_DIR}/bin" "${CACHE_DIR}/bin"
+    rm -rf "$EXTRACTED_DIR"
+fi
+
+# Cleanup tarball
+rm -f "${CACHE_DIR}/${TARBALL_NAME}"
+
+# Verify
+if [[ ! -x "$BINARY" ]]; then
+    echo "ERROR: Vector binary not found at ${BINARY} after extraction" >&2
+    exit 1
+fi
+
+echo "Vector ${WANT_VERSION} cached at ${BINARY}" >&2
+echo "$BINARY"

tests/env_integration.rs

@@ -164,9 +164,35 @@ mod vault_env {
     use super::*;
     use hyperi_rustlib::secrets::{OpenBaoAuth, OpenBaoConfig};
 
+    /// All vault/openbao env vars that could interfere with tests.
+    /// Must be cleared before each test to prevent leakage from the host.
+    const VAULT_ENV_VARS: &[&str] = &[
+        "VAULT_ADDR",
+        "VAULT_TOKEN",
+        "VAULT_SKIP_VERIFY",
+        "VAULT_NAMESPACE",
+        "VAULT_ROLE_ID",
+        "VAULT_SECRET_ID",
+        "VAULT_K8S_ROLE",
+        "VAULT_K8S_MOUNT",
+        "OPENBAO_ADDR",
+        "OPENBAO_TOKEN",
+        "BAO_ADDR",
+        "BAO_TOKEN",
+        "OPENBAO_ROOT_TOKEN",
+    ];
+
+    /// Clear all vault-related env vars so tests start from a clean slate.
+    fn clear_vault_env() {
+        for var in VAULT_ENV_VARS {
+            std::env::remove_var(var);
+        }
+    }
+
     #[test]
     fn test_vault_from_env_token_auth() {
         let _lock = ENV_LOCK.lock().unwrap();
+        clear_vault_env();
         let _guard = EnvGuard::new(&[
             ("VAULT_ADDR", "https://vault.example.com:8200"),
             ("VAULT_TOKEN", "s.test-token"),
@@ -181,6 +207,7 @@ mod vault_env {
     #[test]
     fn test_vault_from_env_approle_auth() {
         let _lock = ENV_LOCK.lock().unwrap();
+        clear_vault_env();
         let _guard = EnvGuard::new(&[
             ("VAULT_ADDR", "https://vault.example.com:8200"),
             ("VAULT_ROLE_ID", "role-123"),
@@ -202,6 +229,7 @@ mod vault_env {
     #[test]
     fn test_vault_from_env_k8s_auth() {
         let _lock = ENV_LOCK.lock().unwrap();
+        clear_vault_env();
         let _guard = EnvGuard::new(&[
             ("VAULT_ADDR", "https://vault.example.com:8200"),
             ("VAULT_K8S_ROLE", "my-k8s-role"),
@@ -218,6 +246,7 @@ mod vault_env {
     #[test]
     fn test_vault_from_env_openbao_fallback() {
         let _lock = ENV_LOCK.lock().unwrap();
+        clear_vault_env();
         let _guard = EnvGuard::new(&[
             ("OPENBAO_ADDR", "https://openbao:8200"), // Legacy name
             ("OPENBAO_TOKEN", "s.openbao-token"),     // Legacy name
@@ -232,6 +261,7 @@ mod vault_env {
     #[test]
     fn test_vault_from_env_vault_wins_over_openbao() {
         let _lock = ENV_LOCK.lock().unwrap();
+        clear_vault_env();
         let _guard = EnvGuard::new(&[
             ("VAULT_ADDR", "https://vault-wins:8200"),
             ("OPENBAO_ADDR", "https://openbao-loses:8200"),
@@ -249,6 +279,7 @@ mod vault_env {
     #[test]
     fn test_vault_from_env_skip_verify() {
         let _lock = ENV_LOCK.lock().unwrap();
+        clear_vault_env();
         let _guard = EnvGuard::new(&[
             ("VAULT_ADDR", "https://vault:8200"),
             ("VAULT_TOKEN", "test"),
@@ -263,6 +294,7 @@ mod vault_env {
     #[test]
     fn test_vault_from_env_namespace() {
         let _lock = ENV_LOCK.lock().unwrap();
+        clear_vault_env();
         let _guard = EnvGuard::new(&[
             ("VAULT_ADDR", "https://vault:8200"),
             ("VAULT_TOKEN", "test"),
@@ -277,6 +309,7 @@ mod vault_env {
     #[test]
     fn test_vault_from_env_missing_addr() {
         let _lock = ENV_LOCK.lock().unwrap();
+        clear_vault_env();
         let _guard = EnvGuard::new(&[("VAULT_TOKEN", "test")]); // No VAULT_ADDR
 
         let config = OpenBaoConfig::from_env();
@@ -287,6 +320,7 @@ mod vault_env {
     #[test]
     fn test_vault_from_env_missing_auth() {
         let _lock = ENV_LOCK.lock().unwrap();
+        clear_vault_env();
         let _guard = EnvGuard::new(&[("VAULT_ADDR", "https://vault:8200")]); // No auth
 
         let config = OpenBaoConfig::from_env();