test: property-check env boolean parsing and policy key/tag contracts

[ndycode]

Summary

• Adds a fast-check property suite for two small parsing contracts: parseBooleanEnv in lib/env-parsing.ts (the helper that unified three divergent local copies across config/refresh-lease/rotation) and the pure identity helpers in lib/account-policy.ts (getAccountPolicyKey, normalizeAccountPolicyTag).

What Changed

New test/property/env-policy-parsing.property.test.ts (4 properties):

1. Boolean literal contract — the six documented literals (1/0, true/false, yes/no) parse under any casing and whitespace padding; this is exactly the agreement the consolidation was for.
2. Negative totality — every other string, and undefined, returns undefined, never a boolean — preserving callers' nullish-coalescing fallbacks.
3. Policy key contract — getAccountPolicyKey always emits a sha256:<64 hex> handle that never leaks the raw identity into the policy file key; accountId wins over email; email matches case-insensitively; no identity degrades to the shared "unknown" bucket.
4. Tag normalization — outputs are idempotent fixpoints in the [a-z0-9._-]{1,64} language, and null occurs exactly for inputs that trim to nothing (disallowed runs are replaced with a dash, not dropped — so non-empty garbage still yields a tag, a subtle corner now pinned).

No SUT bugs found. Validated at FAST_CHECK_NUM_RUNS=1000.

Validation

• npm test -- test/property/env-policy-parsing.property.test.ts test/env-parsing.test.ts test/account-policy.test.ts — 36/36 (new 4 + existing suites untouched)
• npm run typecheck (also via pre-commit hook)
• npx eslint test/property/env-policy-parsing.property.test.ts --max-warnings=0

Docs and Governance Checklist

• Test-only; no behavior or docs surface changed

Risk and Rollback

• Risk level: minimal — additive test file; conventions match the existing test/property/ suites.
• Rollback plan: revert the single commit.

https://claude.ai/code/session_01XNtnkLbBiXZxfQQYLMpucB

---

Generated by Claude Code

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

adds a new property-based test file (test/property/env-policy-parsing.property.test.ts) covering four fast-check invariants for two pure helpers: parseBooleanEnv and the account-policy getAccountPolicyKey/normalizeAccountPolicyTag utilities. no sut code is changed.

• boolean env parsing — pins that the six documented literals parse correctly under any casing and whitespace padding, and that every other input (including undefined) returns undefined.
• policy key contract — verifies sha256:<hex> format, no identity leakage, accountId priority over email, email case-insensitivity, and the "unknown" fallback bucket.
• tag normalization — checks idempotence, the [a-z0-9._-]{1,64} character class, and the bidirectional null ↔ whitespace-only input iff (both directions are now covered, addressing the prior review round).

Confidence Score: 5/5

additive test-only change with no sut modifications; safe to merge.

the change is a single new test file exercising two pure, side-effect-free helpers. both issues flagged in the prior review round are resolved. the remaining observations are minor coverage gaps in the test itself and do not affect any production path.

no files require special attention.

Important Files Changed

Filename	Overview
test/property/env-policy-parsing.property.test.ts	new property suite covering parseBooleanEnv and account-policy key/tag helpers; both previous-round issues resolved; two minor coverage gaps remain

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[env-policy-parsing.property.test.ts] --> B[parseBooleanEnv properties]
    A --> C[account policy key/tag properties]
    B --> B1["prop 1: recognized literals under any casing + padding"]
    B --> B2["prop 2: everything else returns undefined"]
    C --> C1["prop 3: stable sha256 handles, no identity leak"]
    C --> C2["prop 4: idempotent fixpoints or null (bidirectional)"]
    B1 --> SUT1[lib/env-parsing.ts :: parseBooleanEnv]
    B2 --> SUT1
    C1 --> SUT2[lib/account-policy.ts :: getAccountPolicyKey]
    C2 --> SUT3[lib/account-policy.ts :: normalizeAccountPolicyTag]

Loading

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
test/property/env-policy-parsing.property.test.ts:11-14
`arbWhitespace` only generates `" "` and `"	"`. `String.prototype.trim()` strips all standard whitespace (`
`, `
`, `\v`, `\f`, `\u00A0`, etc.), so `parseBooleanEnv("
true
")` is a reachable code path the suite never exercises. real-world env values rarely contain newlines, but if the SUT's `.trim()` were ever narrowed (e.g. replaced with a manual strip), this wouldn't be caught.

### Issue 2 of 2
test/property/env-policy-parsing.property.test.ts:55-83
`arbCasing` is generated as the third argument but is only applied in the `else if (email)` branch. the `if (accountId?.trim())` branch never applies a casing transform to `accountId`, so the suite pins that email is case-insensitive but leaves the converse (accountId IS case-sensitive — the SUT uses `accountId?.trim()` without `.toLowerCase()`) unpinned. if the SUT were accidentally changed to lowercase accountId, the suite would not detect it.

_{Reviews (2): Last reviewed commit: "test: generate the whitespace-only accou..." | Re-trigger Greptile}

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[coderabbitai]

Warning

Review limit reached

@ndycode, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 12 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 054eaba6-892c-478f-aa16-f0c69229a98f

📥 Commits

Reviewing files that changed from the base of the PR and between dae10cb and f75ecc8.

📒 Files selected for processing (1)

• test/property/env-policy-parsing.property.test.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/audit-82-env-policy-property

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch claude/audit-82-env-policy-property

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}