mirror of https://github.com/garrytan/gstack.git
33 lines
1.3 KiB
TypeScript
33 lines
1.3 KiB
TypeScript
/**
|
|
* Unit tests for scripts/one-way-doors.ts keyword safety net.
|
|
*
|
|
* The keyword layer is the SECONDARY safety net for ad-hoc AskUserQuestion ids
|
|
* with no registry entry. A false negative auto-approves a destructive op, so the
|
|
* credential-rotation patterns must be parallel across revoke/reset/rotate.
|
|
*/
|
|
import { describe, test, expect } from "bun:test";
|
|
import { classifyQuestion } from "../scripts/one-way-doors";
|
|
|
|
describe("one-way-door credential keyword net (#1839)", () => {
|
|
// rotate ... password was missing from the rotate alternation while revoke and
|
|
// reset both had it — the most common phrasing slipped through as two-way.
|
|
test('"rotate the database password" classifies one-way', () => {
|
|
const r = classifyQuestion({ summary: "rotate the database password" });
|
|
expect(r.oneWay).toBe(true);
|
|
expect(r.reason).toBe("keyword");
|
|
});
|
|
|
|
test("revoke/reset/rotate are all parallel for password", () => {
|
|
for (const verb of ["revoke", "reset", "rotate"]) {
|
|
const r = classifyQuestion({ summary: `${verb} the production password` });
|
|
expect(r.oneWay).toBe(true);
|
|
}
|
|
});
|
|
|
|
test("rotate still catches the other credential nouns", () => {
|
|
for (const noun of ["api key", "token", "secret", "credential", "access key"]) {
|
|
expect(classifyQuestion({ summary: `rotate my ${noun}` }).oneWay).toBe(true);
|
|
}
|
|
});
|
|
});
|