mcp-framework/cli/setup_secret_test.go

package cli

import (
	"errors"
	"strings"
	"testing"

	"forge.lclr.dev/AI/mcp-framework/secretstore"
)

func TestWriteSetupSecretVerifiedPersistsAndConfirmsReadability(t *testing.T) {
	store := &setupSecretStore{secrets: map[string]string{}}

	err := WriteSetupSecretVerified(SetupSecretWriteOptions{
		Store:       store,
		SecretName:  "api-token",
		SecretLabel: "API token",
		Value: SetupValue{
			Type:   SetupFieldSecret,
			String: "secret-v1",
			Set:    true,
		},
	})
	if err != nil {
		t.Fatalf("WriteSetupSecretVerified returned error: %v", err)
	}

	if got := store.secrets["api-token"]; got != "secret-v1" {
		t.Fatalf("stored secret = %q, want secret-v1", got)
	}
}

func TestWriteSetupSecretVerifiedReturnsContextForReadOnlyStores(t *testing.T) {
	store := &setupSecretStore{
		secrets: map[string]string{},
		setErr:  secretstore.ErrReadOnly,
	}

	err := WriteSetupSecretVerified(SetupSecretWriteOptions{
		Store:      store,
		SecretName: "api-token",
		TokenEnv:   "GRAYLOG_MCP_API_TOKEN",
		Value: SetupValue{
			Type:   SetupFieldSecret,
			String: "secret-v1",
			Set:    true,
		},
	})
	if err == nil {
		t.Fatal("expected error")
	}
	if !errors.Is(err, secretstore.ErrReadOnly) {
		t.Fatalf("error = %v, want ErrReadOnly", err)
	}
	if !strings.Contains(err.Error(), "GRAYLOG_MCP_API_TOKEN") {
		t.Fatalf("error = %v, want token env remediation", err)
	}
}

func TestWriteSetupSecretVerifiedValidatesKeptStoredSecret(t *testing.T) {
	store := &setupSecretStore{
		secrets: map[string]string{},
		getErr:  secretstore.ErrNotFound,
	}

	err := WriteSetupSecretVerified(SetupSecretWriteOptions{
		Store:      store,
		SecretName: "api-token",
		TokenEnv:   "GRAYLOG_MCP_API_TOKEN",
		Value: SetupValue{
			Type:             SetupFieldSecret,
			String:           "stored-token",
			Set:              true,
			KeptStoredSecret: true,
		},
	})
	if err == nil {
		t.Fatal("expected error")
	}
	if !errors.Is(err, secretstore.ErrNotFound) {
		t.Fatalf("error = %v, want ErrNotFound", err)
	}
	if !strings.Contains(err.Error(), "GRAYLOG_MCP_API_TOKEN") {
		t.Fatalf("error = %v, want token env remediation", err)
	}
}

type setupSecretStore struct {
	secrets map[string]string
	setErr  error
	getErr  error
}

func (s *setupSecretStore) SetSecret(name, label, secret string) error {
	if s.setErr != nil {
		return s.setErr
	}
	s.secrets[name] = secret
	return nil
}

func (s *setupSecretStore) GetSecret(name string) (string, error) {
	if s.getErr != nil {
		return "", s.getErr
	}
	value, ok := s.secrets[name]
	if !ok {
		return "", secretstore.ErrNotFound
	}
	return value, nil
}

func (s *setupSecretStore) DeleteSecret(name string) error {
	delete(s.secrets, name)
	return nil
}
feat: add runtime secretstore diagnostics and setup helpers 2026-04-20 08:56:15 +00:00			`package cli`

			`import (`
			`"errors"`
			`"strings"`
			`"testing"`

chore: update module path to forge 2026-05-05 10:23:14 +00:00			`"forge.lclr.dev/AI/mcp-framework/secretstore"`
feat: add runtime secretstore diagnostics and setup helpers 2026-04-20 08:56:15 +00:00			`)`

			`func TestWriteSetupSecretVerifiedPersistsAndConfirmsReadability(t *testing.T) {`
			`store := &setupSecretStore{secrets: map[string]string{}}`

			`err := WriteSetupSecretVerified(SetupSecretWriteOptions{`
			`Store: store,`
			`SecretName: "api-token",`
			`SecretLabel: "API token",`
			`Value: SetupValue{`
			`Type: SetupFieldSecret,`
			`String: "secret-v1",`
			`Set: true,`
			`},`
			`})`
			`if err != nil {`
			`t.Fatalf("WriteSetupSecretVerified returned error: %v", err)`
			`}`

			`if got := store.secrets["api-token"]; got != "secret-v1" {`
			`t.Fatalf("stored secret = %q, want secret-v1", got)`
			`}`
			`}`

			`func TestWriteSetupSecretVerifiedReturnsContextForReadOnlyStores(t *testing.T) {`
			`store := &setupSecretStore{`
			`secrets: map[string]string{},`
			`setErr: secretstore.ErrReadOnly,`
			`}`

			`err := WriteSetupSecretVerified(SetupSecretWriteOptions{`
			`Store: store,`
			`SecretName: "api-token",`
			`TokenEnv: "GRAYLOG_MCP_API_TOKEN",`
			`Value: SetupValue{`
			`Type: SetupFieldSecret,`
			`String: "secret-v1",`
			`Set: true,`
			`},`
			`})`
			`if err == nil {`
			`t.Fatal("expected error")`
			`}`
			`if !errors.Is(err, secretstore.ErrReadOnly) {`
			`t.Fatalf("error = %v, want ErrReadOnly", err)`
			`}`
			`if !strings.Contains(err.Error(), "GRAYLOG_MCP_API_TOKEN") {`
			`t.Fatalf("error = %v, want token env remediation", err)`
			`}`
			`}`

			`func TestWriteSetupSecretVerifiedValidatesKeptStoredSecret(t *testing.T) {`
			`store := &setupSecretStore{`
			`secrets: map[string]string{},`
			`getErr: secretstore.ErrNotFound,`
			`}`

			`err := WriteSetupSecretVerified(SetupSecretWriteOptions{`
			`Store: store,`
			`SecretName: "api-token",`
			`TokenEnv: "GRAYLOG_MCP_API_TOKEN",`
			`Value: SetupValue{`
			`Type: SetupFieldSecret,`
			`String: "stored-token",`
			`Set: true,`
			`KeptStoredSecret: true,`
			`},`
			`})`
			`if err == nil {`
			`t.Fatal("expected error")`
			`}`
			`if !errors.Is(err, secretstore.ErrNotFound) {`
			`t.Fatalf("error = %v, want ErrNotFound", err)`
			`}`
			`if !strings.Contains(err.Error(), "GRAYLOG_MCP_API_TOKEN") {`
			`t.Fatalf("error = %v, want token env remediation", err)`
			`}`
			`}`

			`type setupSecretStore struct {`
			`secrets map[string]string`
			`setErr error`
			`getErr error`
			`}`

			`func (s *setupSecretStore) SetSecret(name, label, secret string) error {`
			`if s.setErr != nil {`
			`return s.setErr`
			`}`
			`s.secrets[name] = secret`
			`return nil`
			`}`

			`func (s *setupSecretStore) GetSecret(name string) (string, error) {`
			`if s.getErr != nil {`
			`return "", s.getErr`
			`}`
			`value, ok := s.secrets[name]`
			`if !ok {`
			`return "", secretstore.ErrNotFound`
			`}`
			`return value, nil`
			`}`

			`func (s *setupSecretStore) DeleteSecret(name string) error {`
			`delete(s.secrets, name)`
			`return nil`
			`}`