import json from phase_memory.credential_routing import ( CREDENTIAL_ROUTING_ADVISORY_SCHEMA, PHASE_MEMORY_CREDENTIAL_NEEDS, resolve_credentialed_environ, warden_cli_available, warden_credential_routing_advisory, ) def test_warden_credential_routing_advisory_is_secret_free() -> None: environ = { "PHASE_MEMORY_MARKITECT_URL": "https://markitect.example.invalid", "PHASE_MEMORY_MARKITECT_TOKEN": "markitect-secret-token", "PHASE_MEMORY_KONTEXTUAL_URL": "https://kontextual.example.invalid", "PHASE_MEMORY_KONTEXTUAL_TOKEN": "kontextual-secret-token", } advisory = warden_credential_routing_advisory(environ) serialized = json.dumps(advisory, sort_keys=True) assert advisory["schema_version"] == CREDENTIAL_ROUTING_ADVISORY_SCHEMA assert advisory["missing_env"] == [] assert advisory["present_env"] == sorted(PHASE_MEMORY_CREDENTIAL_NEEDS) assert "markitect-secret-token" not in serialized assert "kontextual-secret-token" not in serialized assert "https://markitect.example.invalid" not in serialized assert advisory["operator_guidance"]["anti_pattern"].startswith("Do not message ops-warden") if warden_cli_available(): assert advisory["route_matches"] def test_resolve_credentialed_environ_reports_missing_credentials() -> None: status = resolve_credentialed_environ({}) assert status["ready"] is False assert status["missing_env"] assert status["routing_advisory"]["schema_version"] == CREDENTIAL_ROUTING_ADVISORY_SCHEMA assert "warden access" in status["operator_action"]