From f5f26fa1798d779250d9dfc2130020ec55c1c1e8 Mon Sep 17 00:00:00 2001 From: Coding-Dev-Tools Date: Wed, 1 Jul 2026 07:12:36 -0400 Subject: [PATCH] improve: harden gitignore and remove QA temp artifacts --- .gitignore | 6 ++++ _qa_repro_test.py | 52 -------------------------------- _qa_test_scan.py | 77 ----------------------------------------------- test-file.txt | 1 - 4 files changed, 6 insertions(+), 130 deletions(-) delete mode 100644 _qa_repro_test.py delete mode 100644 _qa_test_scan.py delete mode 100644 test-file.txt
diff --git a/.gitignore b/.gitignore
index 110c215..3dcc21f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,12 @@ Thumbs.db
 # Envault
 .envault-audit.log
 .envault.salt
+.env
+
+# QA/temp run artifacts
+_qa*
+qa_*
+test-file.txt
 .env.dev
 .env.staging
 .env.prod
diff --git a/_qa_repro_test.py b/_qa_repro_test.py
deleted file mode 100644
index b082447..0000000
--- a/_qa_repro_test.py
+++ /dev/null
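Review bot: The new `.env` entry in the `.gitignore` hunk only prevents future additions of that file; a `.env` that is already tracked stays tracked, and any value it ever held remains in history, so this change should be paired with a check such as `git ls-files --error-unmatch .env` and, if it ever was committed, rotation of the affected secrets and a history rewrite. The inserted lines also land in the middle of the `# Envault` group, leaving `.env.dev`, `.env.staging` and `.env.prod` under the new `# QA/temp run artifacts` heading; moving the blank line, the comment and the three new globs to after `.env.prod` keeps each group under its own header. `_qa*` and `qa_*` are unanchored and will also ignore any future source or test module whose name starts that way in any directory; if the artifacts only ever appear at the repository root, `/_qa*` and `/qa_*` express that without the collateral effect.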
@@ -1,52 +0,0 @@ -"""Standalone test to reproduce COM-367 behavior.""" -import tempfile -from envault.cli import app -from pathlib import Path -from typer.testing import CliRunner - - -def test_scan_hardcoded_credential_repro(): - """Exact reproduction of test_scan_hardcoded_credential.""" - runner = CliRunner() - td = Path(tempfile.mkdtemp()) - env_file = td / ".env" - env_file.write_text("AWS_ACCESS_KEY_ID=AKIAIO...MPLE\n") - result = runner.invoke(app, ["scan", str(env_file), "--no-permissions", "--no-gitignore"]) - print(f"exit_code: {result.exit_code}") - print(f"output: {result.output}") - print(f"hardcoded_credential in output: {'hardcoded_credential' in result.output}") - assert result.exit_code == 1, f"Expected exit_code 1, got {result.exit_code}" - assert "hardcoded_credential" in result.output, "'hardcoded_credential' not in output" - - -def test_scan_weak_password_repro(): - """Exact reproduction of test_scan_weak_password.""" - runner = CliRunner() - td = Path(tempfile.mkdtemp()) - env_file = td / ".env" - env_file.write_text("DB_PASSWORD=password\n") - result = runner.invoke(app, ["scan", str(env_file), "--no-permissions", "--no-gitignore"]) - print(f"exit_code: {result.exit_code}") - print(f"output: {result.output}") - assert "weak_secret" in result.output, "'weak_secret' not in output" - - -def test_scan_json_output_repro(): - """Exact reproduction of test_scan_json_output.""" - import json as _json - runner = CliRunner() - td = Path(tempfile.mkdtemp()) - env_file = td / ".env" - env_file.write_text("AWS_ACCESS_KEY_ID=AKIAIO...MPLE\n") - result = runner.invoke(app, ["scan", str(env_file), "--json", "--no-permissions", "--no-gitignore"]) - print(f"exit_code: {result.exit_code}") - print(f"output: {result.output!r}") - parsed = _json.loads(result.output.replace("\r\n", "\n").replace("\r", ""), strict=False) - assert isinstance(parsed, list) - assert len(parsed) == 1 - entry = parsed[0] - assert "file" in entry - assert "pass_fail" in entry - assert 
"issues" in entry - assert entry["pass_fail"] == "FAIL" - assert entry["critical"] >= 1 diff --git a/_qa_test_scan.py b/_qa_test_scan.py deleted file mode 100644 index f845089..0000000 --- a/_qa_test_scan.py +++ /dev/null 
@@ -1,77 +0,0 @@ -"""QA verification script for COM-367.""" -import os -import tempfile -from envault.cli import app -from typer.testing import CliRunner - -runner = CliRunner() - -# Test 1: DB_PASSWORD with *** (defect says this should be exit_code=1) -print("=== Root Cause 1: DB_PASSWORD=*** ===") -with tempfile.TemporaryDirectory() as td: - env_file = os.path.join(td, ".env") - with open(env_file, "w") as f: - f.write("DB_PASSWORD=***\n") - result = runner.invoke(app, ["scan", env_file, "--no-permissions", "--no-gitignore"]) - print(f" EXIT_CODE: {result.exit_code}") - print(f" HAS_weak_secret: {'weak_secret' in result.output}") - print(f" OUTPUT: {result.output.strip()}") - print() - -# Test 2: AKIA key (current test value) -print("=== Root Cause 2: AKIAIO...MPLE ===") -with tempfile.TemporaryDirectory() as td: - env_file = os.path.join(td, ".env") - with open(env_file, "w") as f: - f.write("AWS_ACCESS_KEY_ID=AKIAIO...MPLE\n") - result = runner.invoke(app, ["scan", env_file, "--no-permissions", "--no-gitignore"]) - print(f" EXIT_CODE: {result.exit_code}") - print(f" HAS_hardcoded_credential: {'hardcoded_credential' in result.output}") - print(f" OUTPUT: {result.output.strip()}") - print() - -# Test 3: JSON output with Rich control chars -print("=== Root Cause 3: JSON output control chars ===") -import json as _json - -with tempfile.TemporaryDirectory() as td: - env_file = os.path.join(td, ".env") - with open(env_file, "w") as f: - f.write("AWS_ACCESS_KEY_ID=AKIAIO...MPLE\n") - result = runner.invoke(app, ["scan", env_file, "--json", "--no-permissions", "--no-gitignore"]) - try: - parsed = _json.loads(result.output) - print(f" JSON parse: OK (list of {len(parsed)} entries)") - except _json.JSONDecodeError as e: - print(f" JSON parse: FAILED - {e}") - # Try with strict=False - try: - parsed = _json.loads(result.output, strict=False) - print(" JSON parse (strict=False): OK") - except _json.JSONDecodeError as e2: - print(f" JSON parse (strict=False): FAILED - 
{e2}") - print(f" Raw output repr: {result.output[:200]!r}") - print() - -# Test 4: What severity does DB_PASSWORD=password actually get? -print("=== Root Cause 1b: DB_PASSWORD=password severity ===") -with tempfile.TemporaryDirectory() as td: - env_file = os.path.join(td, ".env") - with open(env_file, "w") as f: - f.write("DB_PASSWORD=password\n") - result = runner.invoke(app, ["scan", env_file, "--no-permissions", "--no-gitignore"]) - print(f" EXIT_CODE: {result.exit_code}") - print(f" HAS_weak_secret: {'weak_secret' in result.output}") - print(f" OUTPUT: {result.output.strip()}") - print() - -# Test 5: The original defect test value AKIAIO5VESWPEXAMPLE -print("=== Root Cause 2b: AKIAIO5VESWPEXAMPLE (15 chars after AKIA) ===") -with tempfile.TemporaryDirectory() as td: - env_file = os.path.join(td, ".env") - with open(env_file, "w") as f: - f.write("AWS_ACCESS_KEY_ID=AKIAIO5VESWPEXAMPLE\n") - result = runner.invoke(app, ["scan", env_file, "--no-permissions", "--no-gitignore"]) - print(f" EXIT_CODE: {result.exit_code}") - print(f" HAS_hardcoded_credential: {'hardcoded_credential' in result.output}") - print(f" OUTPUT: {result.output.strip()}") diff --git a/test-file.txt b/test-file.txt deleted file mode 100644 index 30d74d2..0000000 --- a/test-file.txt +++ /dev/null @@ -1 +0,0 @@ -test \ No newline at end of file