coulomb/phase-memory
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement credentialed live hardening workplan

Browse Source
This commit is contained in:
Bernd Worsch
2026-05-19 03:51:51 +02:00
parent b85f4c02f4
commit 1ccbab5c04
14 changed files with 906 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
tests/test_credentialed_drills.py
View File

@@ -1,11 +1,16 @@
import os
import json
from datetime import datetime, timezone
import pytest
from phase_memory.credentialed_drills import (
CREDENTIALED_ADAPTER_ENV_VARS,
credentialed_adapter_smoke_report,
credentialed_operator_report,
credentialed_telemetry_retention_drill,
missing_credentialed_adapter_env,
write_credentialed_operator_report,
)
@@ -18,6 +23,43 @@ def test_credentialed_adapter_drill_reports_missing_env_without_secrets() -> Non
assert report["diagnostics"][0]["code"] == "credential_env_missing"
def test_credentialed_operator_report_redacts_values_and_persists(tmp_path) -> None:
environ = {
"PHASE_MEMORY_MARKITECT_URL": "https://markitect.example.invalid",
"PHASE_MEMORY_MARKITECT_TOKEN": "markitect-secret-token",
"PHASE_MEMORY_KONTEXTUAL_URL": "https://kontextual.example.invalid",
"PHASE_MEMORY_KONTEXTUAL_TOKEN": "kontextual-secret-token",
}
report = credentialed_operator_report(environ, run_id="pytest")
written = write_credentialed_operator_report(tmp_path / "operator-report.json", environ, run_id="pytest")
serialized = json.dumps(written, sort_keys=True)
assert report["valid"] is True
assert written["id"] == report["id"]
assert written["redacted_env"]["secrets_redacted"] is True
assert "markitect-secret-token" not in serialized
assert "kontextual-secret-token" not in serialized
assert "https://markitect.example.invalid" not in serialized
assert "https://kontextual.example.invalid" not in serialized
assert (tmp_path / "operator-report.json").exists()
def test_credentialed_telemetry_retention_drill_prunes_fixture_events() -> None:
report = credentialed_telemetry_retention_drill(
{},
operator_approved_fixture=True,
retention_days=30,
now=datetime(2026, 5, 19, tzinfo=timezone.utc),
)
assert report["valid"] is True
assert report["skipped"] is False
assert "op:old" in report["pruned_operation_ids"]
assert "op:new" in report["retained_operation_ids"]
assert "audit.retention.apply" in report["audit_operations"]
@pytest.mark.skipif(
missing_credentialed_adapter_env(os.environ),
reason="requires env vars: " + ", ".join(CREDENTIALED_ADAPTER_ENV_VARS),