test(matrix): W3 vault-block integration suite (move exempt→mapped) #252
Merged
Closes the vault routes the done-bar guard
(internal/router/route_donebar_guard_test.go) carried as either the
shallow TestMerged_Vault_RequiresAuth requires-auth probe (GET list, GET
key, PUT key) or as routeCoverageExemptions TODO-rows with no mapped test
(POST rotate, DELETE key, POST copy).
New DB-backed handler-integration suite
(internal/handlers/vault_block_routes_test.go +
vault_block_helpers_test.go) drives every vault route through the
production RequireAuth + PopulateTeamRole + RequireEnvAccess(VaultWrite)
chain (vaultBlockApp mirrors router.New) against a real Postgres:
- happy path: write/read/list/rotate/delete/copy + versioned writes
- encrypt/decrypt-at-rest: ciphertext at rest never contains plaintext;
GET decrypts to the original; list path never returns values
- authz: free=403 not-available, hobby non-prod env=403, env_policy
locks prod vault_write to owner → developer 403 env_policy_denied,
copy on non-multi-env tier=402, missing bearer=401
- cross-team isolation: team B read/delete of team A's secret → 404
(never 403), and team A's secret survives B's delete attempt
- rotate semantics: new version + distinct 'rotate' audit action +
Idempotency-Key replay does not create a duplicate version
- copy semantics: dry_run persists nothing, skip-by-default vs
overwrite, missing-source reporting, encrypted bytes preserved
- input validation: invalid key/env/version, from==to, missing from
Guard: six vault rows move routeCoverageExemptions/shallow-probe →
routeTestMap pointing at TestVaultBlock_*. Both done-bar guards stay
green (TestDoneBar_EveryRouteCovered + TestDoneBar_TestMapPointsAtRealTests).
No handler-source edits — test-only PR.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What

Closes the vault routes the api done-bar guard (internal/router/route_donebar_guard_test.go) carried as either the shallow TestMerged_Vault_RequiresAuth requires-auth probe (GET /vault/:env, GET /vault/:env/:key, PUT /vault/:env/:key) or as routeCoverageExemptions TODO-rows with no mapped test (POST /vault/:env/:key/rotate, DELETE /vault/:env/:key, POST /vault/copy).

A new DB-backed handler-integration suite drives every vault route through the production RequireAuth + PopulateTeamRole + RequireEnvAccess(VaultWrite) chain (vaultBlockApp mirrors router.New, real JWTs, live SetRoleLookupDB / SetEnvPolicyDB) against a real Postgres (testhelpers.SetupTestDB).

Coverage

- GET /api/v1/vault/:env → TestVaultBlock_ListKeys
- GET /api/v1/vault/:env/:key → TestVaultBlock_GetSecret
- PUT /api/v1/vault/:env/:key → TestVaultBlock_PutSecret
- POST /api/v1/vault/:env/:key/rotate → TestVaultBlock_RotateSecret
- DELETE /api/v1/vault/:env/:key → TestVaultBlock_DeleteSecret
- POST /api/v1/vault/copy → TestVaultBlock_CopySecrets

Asserts: happy path + versioned writes; encrypt/decrypt-at-rest (ciphertext at rest never contains plaintext, GET decrypts to original, list never returns values); authz (free=403 not-available, hobby non-prod env=403, env_policy locks prod vault_write to owner → developer 403 env_policy_denied, copy on non-multi-env tier=402, missing bearer=401); cross-team isolation (team B read/delete of team A's secret → 404 never 403, secret survives); rotate semantics (new version + distinct rotate audit + Idempotency-Key replay = no dup version); copy semantics (dry_run persists nothing, skip-by-default vs overwrite, missing-source, encrypted bytes preserved); input validation.

Guard

Six vault rows move routeCoverageExemptions/shallow-probe → routeTestMap pointing at TestVaultBlock_*. Both done-bar guards stay GREEN (TestDoneBar_EveryRouteCovered + TestDoneBar_TestMapPointsAtRealTests).

Scope

Test-only — no handler-source edits.

make gate green locally (only the two documented pre-existing local-env flakes — TestLinkGitHubID UUID-order in internal/models, TestQueue_CredIssueError_FallsBackToLegacyOpen NATS 503 in internal/handlers — both reproduce identically on clean origin/master; CI authoritative).

🤖 Generated with Claude Code
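The two done-bar checks the Guard section relies on, as an added Go example that is not the project's own code: it models routeTestMap, routeCoverageExemptions and the set of compiled Test* names (constructed here from the six routes and TestVaultBlock_* tests named above; how the real guard obtains its data is not shown on this page) and reports routes with no coverage, mappings that point at a test that does not exist, and exemption rows left behind after a route has been mapped.

```go
package main

import "fmt"
// Route is a method+path pair exactly as the router registers it.
type Route struct{ Method, Path string }

// Report collects every way the done-bar guard can go red.
type Report struct {
	Uncovered     []string // neither a mapped test nor an exemption row
	DanglingTests []string // mapped to a Test* name the suite does not compile
	StaleExempt   []string // exempt AND mapped: the TODO row should have been deleted
}

func (r Report) OK() bool { return len(r.Uncovered)+len(r.DanglingTests)+len(r.StaleExempt) == 0 }

// CheckRouteCoverage is the guard logic: every registered route must either point
// at a test that really exists or carry an explicit exemption row, never both.
func CheckRouteCoverage(routes []Route, testMap, exemptions map[Route]string, knownTests map[string]bool) Report {
	var rep Report
	for _, rt := range routes {
		name := rt.Method + " " + rt.Path
		test, mapped := testMap[rt]
		_, exempt := exemptions[rt]
		switch {
		case mapped && exempt:
			rep.StaleExempt = append(rep.StaleExempt, name)
		case mapped && !knownTests[test]:
			rep.DanglingTests = append(rep.DanglingTests, name+" -> "+test)
		case !mapped && !exempt:
			rep.Uncovered = append(rep.Uncovered, name)
		}
	}
	return rep
}
// Constructed sample data: the six vault routes and TestVaultBlock_* names from the PR.
var VaultRoutes = []Route{
	{"GET", "/api/v1/vault/:env"}, {"GET", "/api/v1/vault/:env/:key"}, {"PUT", "/api/v1/vault/:env/:key"},
	{"POST", "/api/v1/vault/:env/:key/rotate"}, {"DELETE", "/api/v1/vault/:env/:key"}, {"POST", "/api/v1/vault/copy"},
}
var AfterPR = map[Route]string{
	VaultRoutes[0]: "TestVaultBlock_ListKeys", VaultRoutes[1]: "TestVaultBlock_GetSecret",
	VaultRoutes[2]: "TestVaultBlock_PutSecret", VaultRoutes[3]: "TestVaultBlock_RotateSecret",
	VaultRoutes[4]: "TestVaultBlock_DeleteSecret", VaultRoutes[5]: "TestVaultBlock_CopySecrets",
}
// KnownTests stands in for the Test* functions compiled into the suite (assumed here; the
// real guard would derive it from the test sources). It is every name mapped above.
var KnownTests = map[string]bool{"TestVaultBlock_ListKeys": true, "TestVaultBlock_GetSecret": true, "TestVaultBlock_PutSecret": true,
	"TestVaultBlock_RotateSecret": true, "TestVaultBlock_DeleteSecret": true, "TestVaultBlock_CopySecrets": true}
func main() { fmt.Printf("guard green: %v\n", CheckRouteCoverage(VaultRoutes, AfterPR, nil, KnownTests).OK()) }
```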