envseal 0.3.14

Write-only secret vault with process-level access control — post-agent secret management
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

//! Regression: `custom_ui_cmd` in security config must round-trip for trusted paths
//! (absolute paths under the vault signing story).
use envseal::security_config::SecurityConfig;

/// Security config save/load preserves a valid absolute custom_ui_cmd.
#[test]
fn valid_custom_ui_cmd_survives_save_load() {
    let dir =
        tempfile::tempdir_in(std::env::var("HOME").unwrap_or("/tmp".into())).expect("tempdir");
    let key = [0x11_u8; 32];

    let mut config = SecurityConfig::preset_standard();
    config.custom_ui_cmd = Some("/usr/lib/envseal/custom-ui".to_string());

    envseal::security_config::save_config(dir.path(), &config, &key)
        .expect("save_config with valid custom_ui_cmd");

    let loaded = envseal::security_config::load_config(dir.path(), &key).expect("load_config");

    assert_eq!(
        loaded.custom_ui_cmd.as_deref(),
        Some("/usr/lib/envseal/custom-ui"),
        "valid custom_ui_cmd must survive save/load round-trip"
    );
}

/// SecurityConfig round-trips correctly with no custom_ui_cmd.
#[test]
fn no_custom_ui_cmd_roundtrips() {
    let dir =
        tempfile::tempdir_in(std::env::var("HOME").unwrap_or("/tmp".into())).expect("tempdir");
    let key = [0x22_u8; 32];

    let config = SecurityConfig::preset_lockdown();
    assert!(config.custom_ui_cmd.is_none());

    envseal::security_config::save_config(dir.path(), &config, &key).expect("save_config");
    let loaded = envseal::security_config::load_config(dir.path(), &key).expect("load_config");

    assert!(
        loaded.custom_ui_cmd.is_none(),
        "custom_ui_cmd must remain None when not set"
    );
}