fix: remove committed private key and generate EC key pair dynamically in tests

sharon77242 · claude · sharon77242 · commit 69aa2e01003c · 2026-04-21T13:40:42.000+03:00
- Delete tests/fixtures/dev-private-key.pem (was accidentally committed in 2dba2e0) - Restore .gitignore to *.pem only (no negation exception) - diagnostic-agent-coverage.test.ts: replace readFileSync PEM load with generateKeyPairSync + BUNDLED_PUBLIC_KEYS["dev-k1"] override - license-validator.test.ts: same for the dev-k1 integration describe block; uses test.before/test.after to set and restore the overridden key - public-key.ts: update comment — no longer references the removed fixture BREAKING: git history still contains the key at commit 2dba2e0; a force-push with BFG/filter-branch is needed to fully purge it from history. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/.gitignore b/.gitignore
@@ -7,4 +7,3 @@ coverage/
 .claude/
 plans/
 *.pem
-!packages/agent/tests/fixtures/dev-private-key.pem
diff --git a/packages/agent/src/licensing/public-key.ts b/packages/agent/src/licensing/public-key.ts
@@ -3,7 +3,7 @@
 // The 'kid' claim in the JWT header selects the correct key.
 export const BUNDLED_PUBLIC_KEYS: Record<string, string> = {
   // ── dev key (kid: 'dev-k1') ────────────────────────────────────────────────
-  // Local-development only. The matching private key is in tests/fixtures/dev-private-key.pem.
+  // Local-development only. Tests override this key dynamically via generateKeyPairSync.
   // Replace with production keys via scripts/embed-pubkey.ts before release.
   "dev-k1": [
     "-----BEGIN PUBLIC KEY-----",
diff --git a/packages/agent/tests/diagnostic-agent-coverage.test.ts b/packages/agent/tests/diagnostic-agent-coverage.test.ts
@@ -20,10 +20,9 @@
 import { describe, it, afterEach } from "node:test";
 import assert from "node:assert/strict";
 import { once } from "node:events";
-import { createSign, createPrivateKey } from "node:crypto";
-import { readFileSync } from "node:fs";
-import { resolve } from "node:path";
+import { createSign, generateKeyPairSync } from "node:crypto";
 import { DiagnosticAgent } from "../src/diagnostic-agent.ts";
+import { BUNDLED_PUBLIC_KEYS } from "../src/licensing/public-key.ts";
 import http from "node:http";
 import { type AddressInfo } from "node:net";
 import fs from "node:fs";
@@ -33,9 +32,12 @@ import os from "node:os";
 const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms));
 
 // ── Dev-k1 license JWT builder ────────────────────────────────────────────────
-const _devPrivKey = createPrivateKey(
-  readFileSync(resolve(import.meta.dirname, "fixtures/dev-private-key.pem"), "utf8"),
-);
+// Generate a fresh EC P-256 key pair and override the embedded dev-k1 public key so tests
+// are fully self-contained and never depend on a fixture file.
+const { privateKey: _devPrivKey, publicKey: _devPubKeyObj } = generateKeyPairSync("ec", {
+  namedCurve: "P-256",
+});
+BUNDLED_PUBLIC_KEYS["dev-k1"] = _devPubKeyObj.export({ type: "spki", format: "pem" }) as string;
 function b64u(buf: Buffer) {
   return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
diff --git a/packages/agent/tests/licensing/license-validator.test.ts b/packages/agent/tests/licensing/license-validator.test.ts
@@ -1,8 +1,6 @@
 import { test, describe } from "node:test";
 import assert from "node:assert/strict";
-import { createSign, generateKeyPairSync, createPrivateKey } from "node:crypto";
-import { readFileSync } from "node:fs";
-import { resolve } from "node:path";
+import { createSign, generateKeyPairSync } from "node:crypto";
 import { validateLicense } from "../../src/licensing/license-validator.ts";
 import { BUNDLED_PUBLIC_KEYS } from "../../src/licensing/public-key.ts";
 
@@ -146,15 +144,30 @@ describe("validateLicense", () => {
   });
 });
 
-// ── Integration: embedded dev-k1 key ─────────────────────────────────────────
-// Exercises the full validateLicense() path using the key actually embedded in
-// public-key.ts (kid: 'dev-k1') and its matching private key fixture.
+// ── Integration: dev-k1 key round-trip ───────────────────────────────────────
+// Verifies that validateLicense() correctly resolves the 'dev-k1' key from
+// BUNDLED_PUBLIC_KEYS.  We generate a fresh key pair so no fixture file is needed.
 describe("dev-k1 embedded key integration", () => {
-  const devPrivateKeyPem = readFileSync(
-    resolve(import.meta.dirname, "../fixtures/dev-private-key.pem"),
-    "utf8",
-  );
-  const devPrivateKey = createPrivateKey(devPrivateKeyPem);
+  const { privateKey: devPrivateKey, publicKey: devPublicKeyObj } = generateKeyPairSync("ec", {
+    namedCurve: "P-256",
+  });
+  let originalDevK1: string | undefined;
+
+  test.before(() => {
+    originalDevK1 = BUNDLED_PUBLIC_KEYS["dev-k1"];
+    BUNDLED_PUBLIC_KEYS["dev-k1"] = devPublicKeyObj.export({
+      type: "spki",
+      format: "pem",
+    }) as string;
+  });
+
+  test.after(() => {
+    if (originalDevK1 !== undefined) {
+      BUNDLED_PUBLIC_KEYS["dev-k1"] = originalDevK1;
+    } else {
+      delete BUNDLED_PUBLIC_KEYS["dev-k1"];
+    }
+  });
 
   function buildDevJwt(claims: Record<string, unknown>): string {
     const header = base64UrlEncode(
