test: BATS regression shield for dream-cli secret masking (config show + preset diff)
Consolidated from: #392 + #431
Scope
Add BATS coverage that pins the current behavior of _cmd_config_is_secret and _cmd_config_load_secret_schema from BOTH call sites: dream config show (#392) and dream preset diff (#431). Covers schema-driven masking + keyword-fallback defense in depth.
Coverage matrix
- Keys marked
secret: true in .env.schema.json are masked in config show and preset diff.
- Keyword-fallback masks keys matching
*secret*|*password*|*pass*|*token*|*key*|*salt*|*bearer* even when not schema-flagged.
N8N_USER, LANGFUSE_INIT_USER_EMAIL (flipped to secret:true by PR-3 fixup) stay masked after schema reload.- Unknown non-secret keys render plaintext on both paths.
- When schema file is absent or malformed, keyword-fallback alone still masks correctly.
- Schema cache is correctly loaded before first
_cmd_config_is_secret call in both command paths.
Files
- New:
dream-server/tests/bats-tests/test-config-masking.bats (or extend existing if present)
- May share fixtures with existing dream-cli BATS tests.
Rationale for merge
Both issues test the same _cmd_config_is_secret helper from different call sites. Shared fixtures (fake .env + fake .env.schema.json + fake PRESETS_DIR). Merging avoids duplicate fixture boilerplate and keeps the tests for related call paths in one file where a future refactor of the helper will trip all of them simultaneously (intended signal).
Discovery context
Filed during 23APR audit/fix cycle. PR-3 promoted _cmd_config_is_secret to file scope and added the schema cache; PR-3 fixup extended usage to cmd_preset diff. Both fixes are live in 23APRdevelopments branch; this issue adds regression shields.
Closes #392, #431. Labels: test, bash
test: BATS regression shield for dream-cli secret masking (config show + preset diff)
Consolidated from: #392 + #431
Scope
Add BATS coverage that pins the current behavior of
_cmd_config_is_secretand_cmd_config_load_secret_schemafrom BOTH call sites:dream config show(#392) anddream preset diff(#431). Covers schema-driven masking + keyword-fallback defense in depth.Coverage matrix
secret: truein.env.schema.jsonare masked inconfig showandpreset diff.*secret*|*password*|*pass*|*token*|*key*|*salt*|*bearer*even when not schema-flagged.N8N_USER,LANGFUSE_INIT_USER_EMAIL(flipped tosecret:trueby PR-3 fixup) stay masked after schema reload._cmd_config_is_secretcall in both command paths.Files
dream-server/tests/bats-tests/test-config-masking.bats(or extend existing if present)Rationale for merge
Both issues test the same
_cmd_config_is_secrethelper from different call sites. Shared fixtures (fake.env+ fake.env.schema.json+ fake PRESETS_DIR). Merging avoids duplicate fixture boilerplate and keeps the tests for related call paths in one file where a future refactor of the helper will trip all of them simultaneously (intended signal).Discovery context
Filed during 23APR audit/fix cycle. PR-3 promoted
_cmd_config_is_secretto file scope and added the schema cache; PR-3 fixup extended usage tocmd_preset diff. Both fixes are live in23APRdevelopmentsbranch; this issue adds regression shields.Closes #392, #431. Labels: test, bash