shikumi 0.1.67

//! Secret resolution for config fields that reference external vaults.
//!
//! Pleme-io apps pull secrets from a mix of sources: literal values (for
//! dev / non-sensitive defaults), shell commands (maximum flexibility),
//! 1Password (`op` CLI), SOPS-encrypted YAML/JSON, and Akeyless Vault.
//!
//! Historically every app hand-rolled a `jwt_secret_command: "op read ..."`
//! field plus a matcher that shelled out. Works but invites shell-injection
//! footguns, bakes backend choice into the config schema, and duplicates
//! per-backend error handling. This module canonicalizes the pattern.
//!
//! # Config shape
//!
//! The recommended pattern for each secret field:
//!
//! ```yaml
//! # hanabi.yaml (or taimen.yaml, etc.)
//! jwt_secret:
//!   op: "op://prod/hanabi/jwt-secret"                         # 1Password
//! # or
//! jwt_secret:
//!   sops: { file: "secrets/prod.yaml", field: "jwt_secret" }  # SOPS
//! # or
//! jwt_secret:
//!   akeyless: "/prod/hanabi/jwt"                              # Akeyless
//! # or
//! jwt_secret:
//!   vault: { path: "secret/prod/hanabi", field: "jwt" }       # HashiCorp Vault
//! # or
//! jwt_secret:
//!   aws_secret: "prod/hanabi/jwt"                             # AWS Secrets Manager
//! # or
//! jwt_secret:
//!   gcp_secret: "projects/my-proj/secrets/jwt"                # GCP Secret Manager
//! # or
//! jwt_secret:
//!   command: "custom-vault-cli read prod/jwt"                 # Anything else
//! # or (dev convenience)
//! jwt_secret: "dev-secret-change-me"                          # Plaintext
//! ```
//!
//! All seven backend variants plus the literal fall-through decode into
//! the [`SecretSource`] enum. Call [`resolve`] to get a `String`.
//!
//! # Direct API
//!
//! Each backend also has a standalone helper for callers that have
//! already parsed their own config:
//!
//! | Backend | Function | CLI wrapped |
//! |---------|----------|-------------|
//! | shell | [`resolve_command`] | `sh -c <cmd>` |
//! | 1Password | [`resolve_op`] | `op read <ref>` |
//! | SOPS | [`resolve_sops_file`] / [`resolve_sops_field`] | `sops -d <file>` (+ optional `jq`) |
//! | Akeyless | [`resolve_akeyless`] | `akeyless get-secret-value --name <name>` |
//! | HashiCorp Vault | [`resolve_vault`] | `vault read -field=<field> <path>` |
//! | AWS Secrets Manager | [`resolve_aws_secret`] | `aws secretsmanager get-secret-value …` |
//! | GCP Secret Manager | [`resolve_gcp_secret`] | `gcloud secrets versions access …` |
//!
//! All seven funnel through one `capture_stdout` helper and therefore
//! share error semantics: non-zero exit → [`ShikumiError::Parse`] with
//! stderr included.
//!
//! # Why not HTTP clients?
//!
//! Each vault backend has a reference CLI (`op`, `sops`, `akeyless`) that
//! handles auth, MFA, biometrics, cloud-provider identity. Shelling out
//! inherits all of that behaviour for free. When an app needs lower-level
//! control (e.g. pooled Akeyless connections across thousands of reads)
//! it depends on `akeyless-api` directly and bypasses this module.
//!
//! # Example
//!
//! ```no_run
//! use shikumi::secret::{self, SecretBackend, SecretSource};
//!
//! let source = SecretSource::Backend(SecretBackend::Op(
//!     "op://prod/hanabi/jwt".into(),
//! ));
//! let jwt = secret::resolve(&source)?;
//! assert!(!jwt.is_empty());
//! # Ok::<_, shikumi::ShikumiError>(())
//! ```

use std::path::{Path, PathBuf};
use std::process::Command;

use serde::{Deserialize, Serialize};

use crate::error::ShikumiError;

// ─────────────────────────────────────────────────────────────────────
// SecretSource — tagged enum for config authors
// ─────────────────────────────────────────────────────────────────────

/// A declarative reference to where a secret lives.
///
/// Serde's untagged + internally-tagged combo means YAML authors can
/// write any of the shapes documented on [the module](crate::secret).
/// The untagged fallback catches the bare-string form and treats it as
/// a literal — the "just put the dev secret here" path.
///
/// `non_exhaustive` so we can add new vault backends without a semver
/// break at the config layer.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(untagged)]
#[non_exhaustive]
pub enum SecretSource {
    /// Structured variants with an explicit backend tag.
    Backend(SecretBackend),
    /// Bare-string fallthrough — always treated as a plaintext literal.
    /// Useful for development defaults. Production configs should prefer
    /// one of the backend variants.
    Literal(String),
}

impl SecretSource {
    /// Backend kind this source resolves into, projecting both the
    /// top-level [`Self::Literal`] shorthand and the explicit
    /// [`SecretBackend::Literal`] tag onto the same
    /// [`SecretBackendKind::Literal`] cell — the equivalence the
    /// [`resolve`] dispatch table already encodes pointwise (the
    /// [`Self::Literal`] arm and the [`SecretBackend::Literal`] arm
    /// take identical bodies).
    ///
    /// The closed-image projection over the [`SecretSource`] variant
    /// space onto the [`SecretBackendKind`] axis, composing
    /// [`SecretBackend::kind`] under the [`Self::Backend`] wrapper and
    /// collapsing the bare-string literal path. Mirrors
    /// [`SecretBackend::kind`] on the source-side surface so consumers
    /// observing a parsed `SecretSource` — telemetry recording the
    /// backend mix of resolved secrets, kind-indexed dispatch tables
    /// over `SecretSource` values, structured-diagnostic legends
    /// naming the failing backend by kind regardless of literal-tag
    /// shape — read one typed projection instead of enumerating both
    /// literal arms at each site.
    ///
    /// The two-literal-paths equivalence is structural, not
    /// representational: an operator who writes `jwt_secret:
    /// dev-token` (parses as [`Self::Literal`]) and one who writes
    /// `jwt_secret: { literal: dev-token }` (parses as
    /// [`Self::Backend`] of [`SecretBackend::Literal`]) declare the
    /// same secret-resolution shape, and this projection witnesses
    /// that fact at the type level. Pinned by the
    /// `secret_source_backend_kind_collapses_literal_paths` and
    /// `secret_source_resolve_dispatch_partitions_by_backend_kind`
    /// tests in `secret::tests`.
    #[must_use]
    pub const fn backend_kind(&self) -> SecretBackendKind {
        match self {
            Self::Literal(_) => SecretBackendKind::Literal,
            Self::Backend(backend) => backend.kind(),
        }
    }
}

/// Internally-tagged variants — the backends proper.
///
/// Split out from [`SecretSource`] so the outer enum can be `untagged`
/// (for bare-string literals) while the backends stay `rename_all` to
/// match the YAML keys used by config files.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
#[non_exhaustive]
pub enum SecretBackend {
    /// Plaintext value. Exposed explicitly so configs can say
    /// `{literal: "..."}` alongside the other tagged variants when
    /// they don't want the bare-string shorthand.
    Literal(String),
    /// Shell command — stdout is the secret (see [`resolve_command`]).
    Command(String),
    /// 1Password reference — `"op://vault/item/field"` (see [`resolve_op`]).
    Op(String),
    /// SOPS-encrypted file (optionally with a field path, see
    /// [`resolve_sops_field`]).
    Sops(SopsRef),
    /// Akeyless secret name — `/prod/my-secret` (see [`resolve_akeyless`]).
    Akeyless(String),
    /// HashiCorp Vault path (optionally with a field, see [`resolve_vault`]).
    Vault(VaultRef),
    /// AWS Secrets Manager secret id — `prod/my-app/jwt`
    /// (see [`resolve_aws_secret`]).
    AwsSecret(String),
    /// GCP Secret Manager secret name — `projects/.../secrets/.../versions/latest`
    /// or short form `projects/my-proj/secrets/my-secret` (see [`resolve_gcp_secret`]).
    GcpSecret(String),
}

impl SecretBackend {
    /// Data-free discriminant of this [`SecretBackend`]: the kind of
    /// backend independent of the inner literal value, command string,
    /// 1Password reference, SOPS / Vault payload, Akeyless name, AWS
    /// secret id, or GCP resource name.
    ///
    /// The closed-image projection over the [`SecretBackend`] variant
    /// space, returning a `'static` [`SecretBackendKind`] suitable for
    /// cross-thread observation, hashing, and structured-diagnostic
    /// indexing. Mirrors [`crate::ConfigSource::kind`] on the layer axis
    /// and [`crate::FigmentNameTag::kind`] on the figment-`Metadata::name`
    /// axis: same typescape discipline (exhaustive forward map, data-free
    /// codomain, allocation-free), applied to the secret-resolution
    /// backend axis.
    ///
    /// Adding a future [`SecretBackend`] variant (e.g. an `EnvVar` or
    /// `Kubernetes` backend) means adding one [`SecretBackendKind`]
    /// variant in lockstep — the exhaustive match here forces the
    /// assignment at compile time.
    #[must_use]
    pub const fn kind(&self) -> SecretBackendKind {
        match self {
            Self::Literal(_) => SecretBackendKind::Literal,
            Self::Command(_) => SecretBackendKind::Command,
            Self::Op(_) => SecretBackendKind::Op,
            Self::Sops(_) => SecretBackendKind::Sops,
            Self::Akeyless(_) => SecretBackendKind::Akeyless,
            Self::Vault(_) => SecretBackendKind::Vault,
            Self::AwsSecret(_) => SecretBackendKind::AwsSecret,
            Self::GcpSecret(_) => SecretBackendKind::GcpSecret,
        }
    }
}

/// Data-free, `'static` discriminant of [`SecretBackend`]: the kind of
/// secret-resolution backend independent of the inner payload.
///
/// Closed eight-way partition over the [`SecretBackend`] variant space,
/// returned by [`SecretBackend::kind`]. The enum exists so consumers
/// that care only about the backend axis (per-backend telemetry, kind-
/// indexed dispatch tables, structured-diagnostic legends naming the
/// failing backend, attestation manifests recording the backend mix of
/// resolved secrets) match on one closed enum instead of pattern-matching
/// against the payload-carrying [`SecretBackend`] or shelling its
/// `serde` tag through a string round-trip.
///
/// Peer of [`crate::ConfigSourceKind`] on the layer axis,
/// [`crate::FigmentSourceKind`] / [`crate::FigmentNameTagKind`] on the
/// figment-`Metadata::{source, name}` axes, and the other closed-enum
/// kind primitives: same typescape discipline (closed, allocation-free,
/// `Copy + Eq + Hash + #[non_exhaustive]`, exhaustive forward map),
/// applied to the secret-resolution backend axis.
///
/// The canonical label strings match [`SecretBackend`]'s
/// `#[serde(rename_all = "snake_case")]` shape pointwise — the same
/// keys a YAML config author types (`literal`, `command`, `op`, `sops`,
/// `akeyless`, `vault`, `aws_secret`, `gcp_secret`) — so operator-facing
/// surfaces naming the failing backend by kind use the same vocabulary
/// the config schema does.
///
/// `'static` and allocation-free, suitable for crossing thread
/// boundaries the borrowed [`SecretBackend`] (which holds owned `String`
/// payloads) is unnecessarily expensive to clone for.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
#[non_exhaustive]
pub enum SecretBackendKind {
    /// Maps to [`SecretBackend::Literal`] regardless of inner string.
    Literal,
    /// Maps to [`SecretBackend::Command`] regardless of inner shell
    /// command string.
    Command,
    /// Maps to [`SecretBackend::Op`] regardless of inner 1Password
    /// reference string.
    Op,
    /// Maps to [`SecretBackend::Sops`] regardless of inner
    /// [`SopsRef`] variant.
    Sops,
    /// Maps to [`SecretBackend::Akeyless`] regardless of inner secret
    /// name.
    Akeyless,
    /// Maps to [`SecretBackend::Vault`] regardless of inner
    /// [`VaultRef`] variant.
    Vault,
    /// Maps to [`SecretBackend::AwsSecret`] regardless of inner secret
    /// id.
    AwsSecret,
    /// Maps to [`SecretBackend::GcpSecret`] regardless of inner resource
    /// name.
    GcpSecret,
}

impl SecretBackendKind {
    /// Every [`SecretBackendKind`] variant, in declaration order
    /// ([`Self::Literal`], [`Self::Command`], [`Self::Op`],
    /// [`Self::Sops`], [`Self::Akeyless`], [`Self::Vault`],
    /// [`Self::AwsSecret`], [`Self::GcpSecret`]).
    ///
    /// The closed list of secret-resolution backends shikumi recognizes,
    /// in the same declaration order as the [`SecretBackend`] variant
    /// list. Iterate to enumerate the backend space without listing
    /// variants by hand at every consumer site — e.g. dashboards
    /// initializing per-backend counters, attestation manifests
    /// recording the backend-mix histogram of resolved secrets, or
    /// partition-coverage tests asserting disjointness across the
    /// secret-side classification.
    ///
    /// Adding a new variant to [`Self`] (e.g. a future `EnvVar` or
    /// `Kubernetes` backend) means extending this slice in lockstep with
    /// the variant itself. The compiler enforces nothing here directly,
    /// so the `secret_backend_kind_all_covers_every_constructible_backend`
    /// test pins the contract by asserting that every kind produced by
    /// [`SecretBackend::kind`] over the canonical sample table appears
    /// in [`Self::ALL`], and the `secret_backend_kind_all_has_no_duplicates`
    /// test pins that the constant is a set (no double-listed variant).
    pub const ALL: &'static [Self] = &[
        Self::Literal,
        Self::Command,
        Self::Op,
        Self::Sops,
        Self::Akeyless,
        Self::Vault,
        Self::AwsSecret,
        Self::GcpSecret,
    ];

    /// Canonical operator-facing `snake_case` name of the backend kind
    /// — `"literal"`, `"command"`, `"op"`, `"sops"`, `"akeyless"`,
    /// `"vault"`, `"aws_secret"`, or `"gcp_secret"`.
    ///
    /// The single source of truth for the backend-kind label strings on
    /// the [`SecretBackendKind`] axis. Inherent mirror of the
    /// [`crate::ClosedAxisLabel`] trait method; the trait impl delegates
    /// here so the canonical names live at one site instead of being
    /// re-stated at every operator-facing surface.
    ///
    /// The strings coincide with [`SecretBackend`]'s
    /// `#[serde(rename_all = "snake_case")]` YAML keys pointwise — by
    /// typescape design, so an operator naming a backend through a
    /// kind-indexed surface (a CLI flag filtering by backend, a
    /// structured-log field, an attestation manifest histogram) uses the
    /// same vocabulary the config schema does. Pairs with
    /// [`crate::ClosedAxisLabel::from_canonical_str`] via the trait-
    /// default linear-scan parse; the round-trip law
    /// `Self::from_canonical_str(v.as_str()) == Some(v)` is pinned for
    /// every variant uniformly by the trait-uniform
    /// `closed_axis_label_round_trips_for_every_implementor` test in
    /// `cube::tests`. The concrete-position pin at
    /// `secret_backend_kind_as_str_yields_canonical_snake_case_names`
    /// holds the literal string values stable so a future rename (e.g.
    /// `"aws"` for `AwsSecret`, capitalizing `"Op"`) fails at that site
    /// before drifting through the round-trip law and the YAML schema.
    #[must_use]
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::Literal => "literal",
            Self::Command => "command",
            Self::Op => "op",
            Self::Sops => "sops",
            Self::Akeyless => "akeyless",
            Self::Vault => "vault",
            Self::AwsSecret => "aws_secret",
            Self::GcpSecret => "gcp_secret",
        }
    }
}

impl crate::ClosedAxis for SecretBackendKind {
    const ALL: &'static [Self] = Self::ALL;
}

impl crate::ClosedAxisLabel for SecretBackendKind {
    fn as_str(self) -> &'static str {
        Self::as_str(self)
    }
}

/// SOPS-encrypted file reference.
///
/// Accepts either a bare path (`"secrets/prod.yaml"`) or a path+field
/// pair via the struct form. Bare paths decrypt the whole file; the
/// `field` form extracts a single JSON/YAML key after decryption using
/// `jq`.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(untagged)]
pub enum SopsRef {
    /// Path to the SOPS-encrypted file. Entire decrypted contents become
    /// the secret value.
    File(PathBuf),
    /// Decrypt the file, then extract a specific field via `jq -r`.
    ///
    /// The `field` is passed to `jq` as the filter string, so
    /// `"jwt_secret"` pulls the top-level key. Use dotted syntax for
    /// nested keys: `"auth.jwt.secret"` would be `jq -r .auth.jwt.secret`.
    Field { file: PathBuf, field: String },
}

impl SopsRef {
    /// Closed-image projection over the [`SopsRef`] variant space onto
    /// the shared [`SecretRefShape`] axis — `Whole` on the bare-file
    /// shorthand, `Field` on the explicit `{file, field}` form.
    ///
    /// Inherent mirror of [`VaultRef::shape`] on the sibling
    /// untagged-enum `*Ref` shape; both forward maps share the same
    /// codomain so consumers observing a parsed reference (telemetry
    /// recording how often operators extract a single field vs. resolve
    /// a whole secret, structured-diagnostic legends naming the
    /// extraction shape, kind-indexed dispatch tables routing on the
    /// shape axis without enumerating both ref types) read one typed
    /// projection. `const fn`, allocation-free, `'static` codomain —
    /// same trait-bounds parity as the sibling kind primitives.
    #[must_use]
    pub const fn shape(&self) -> SecretRefShape {
        match self {
            Self::File(_) => SecretRefShape::Whole,
            Self::Field { .. } => SecretRefShape::Field,
        }
    }
}

/// HashiCorp Vault secret reference.
///
/// Accepts either a bare path string (`"secret/data/prod/app"`) or a
/// `{path, field}` pair. Bare form returns the first field of the
/// secret — handy for single-value KV secrets. The `field` form extracts
/// a named field — the typical case for KV v2 where the secret is a
/// key-value map.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(untagged)]
pub enum VaultRef {
    /// Path to the Vault secret. Runs `vault read -field=value <path>` —
    /// `-field=value` picks the first `data` field for KV v1 and the
    /// conventional `value` key for single-valued KV v2 secrets.
    Path(String),
    /// Read a specific field of the Vault secret via
    /// `vault read -field=<field> <path>`.
    Field { path: String, field: String },
}

impl VaultRef {
    /// Closed-image projection over the [`VaultRef`] variant space onto
    /// the shared [`SecretRefShape`] axis — `Whole` on the bare-path
    /// shorthand, `Field` on the explicit `{path, field}` form.
    ///
    /// Inherent mirror of [`SopsRef::shape`] on the sibling
    /// untagged-enum `*Ref` shape; both forward maps share the same
    /// codomain so consumers reading the extraction axis off a
    /// `SecretBackend::Sops` / `SecretBackend::Vault` payload no longer
    /// re-derive a per-type `matches!(_, Field { .. })` predicate. The
    /// `Vault::Path` variant projects to [`SecretRefShape::Whole`] even
    /// though the `vault read -field=value <path>` dispatch picks a
    /// specific field name — the shape axis classifies the
    /// **operator-authored config shape**, not the resolver's downstream
    /// dispatch, which is precisely the invariant a telemetry / legend
    /// consumer wants. `const fn`, allocation-free, `'static` codomain.
    #[must_use]
    pub const fn shape(&self) -> SecretRefShape {
        match self {
            Self::Path(_) => SecretRefShape::Whole,
            Self::Field { .. } => SecretRefShape::Field,
        }
    }
}

/// Data-free, `'static` discriminant of the shared
/// (whole-reference × extracted-field) axis over the untagged-enum
/// `*Ref` shape — the closed two-way partition both [`SopsRef`] and
/// [`VaultRef`] project onto.
///
/// Closed enum returned by [`SopsRef::shape`] / [`VaultRef::shape`]. The
/// enum exists so consumers that care only about the extraction axis
/// (per-shape telemetry — how often do operators extract a single field
/// vs. resolve a whole secret? — kind-indexed dispatch tables routing on
/// the shape, structured-diagnostic legends naming the extraction shape
/// of the failing secret, attestation manifests recording the shape mix
/// of resolved secrets) match on one closed enum instead of
/// pattern-matching `matches!(r, SopsRef::Field { .. })` against the
/// payload-carrying ref enum at each ref type, AND without re-deriving
/// the equivalence between `SopsRef::Field { .. }` and
/// `VaultRef::Field { .. }` (which today operators read as the same
/// "extract a single field from a larger payload" config shape but
/// shikumi could not name as one type-level cell).
///
/// Peer of [`SecretBackendKind`] on the backend axis,
/// [`crate::ConfigSourceKind`] on the layer axis,
/// [`crate::FigmentSourceKind`] / [`crate::FigmentNameTagKind`] on the
/// figment-`Metadata::{source, name}` axes, and the other closed-enum
/// kind primitives: same typescape discipline (closed, allocation-free,
/// `Copy + Eq + Hash + #[non_exhaustive]`, exhaustive forward map),
/// applied to the secret-ref extraction-shape axis. Distinguishes
/// itself from [`SecretBackendKind`] by being **shared across two ref
/// types** rather than one-to-one with a single backend enum's
/// variants — the first such cross-type closed-axis primitive on the
/// typescape, and the substrate now knows the (Sops, Vault) ref pair
/// agree on one extraction axis at the type level instead of in the
/// dispatch table only.
///
/// `'static` and allocation-free, suitable for crossing thread
/// boundaries the borrowed [`SopsRef`] / [`VaultRef`] (which hold owned
/// `PathBuf` / `String` payloads) are unnecessarily expensive to clone
/// for.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
#[non_exhaustive]
pub enum SecretRefShape {
    /// Whole-reference resolution — the bare-payload shorthand. Maps to
    /// [`SopsRef::File`] and [`VaultRef::Path`]: operator authored the
    /// reference without naming an extracted field, and the resolver
    /// returns the whole reference's value (decrypted file for Sops,
    /// default `-field=value` read for Vault).
    Whole,
    /// Field-extraction resolution — the explicit `{path/file, field}`
    /// form. Maps to [`SopsRef::Field`] and [`VaultRef::Field`]: the
    /// operator named a specific JSON/YAML key (Sops, via `jq -r`) or
    /// Vault response field (Vault, via `vault read -field=<field>`) to
    /// extract from the larger payload.
    Field,
}

impl SecretRefShape {
    /// Every [`SecretRefShape`] variant, in declaration order
    /// ([`Self::Whole`], [`Self::Field`]).
    ///
    /// The closed list of secret-reference extraction shapes shikumi
    /// recognizes, in the same declaration order as the [`SopsRef`] /
    /// [`VaultRef`] variant lists pointwise (both list the whole-payload
    /// shorthand first and the field-extraction form second; the
    /// matching declaration order is what makes the round-trip law and
    /// per-axis declaration-order assertion uniform across both ref
    /// types). Iterate to enumerate the shape space without listing
    /// variants by hand at every consumer site — e.g. dashboards
    /// initializing per-shape counters, attestation manifests recording
    /// the shape-mix histogram of resolved secrets, or
    /// partition-coverage tests asserting disjointness across the
    /// extraction-shape classification.
    ///
    /// Adding a new variant to [`Self`] (e.g. a future
    /// `MultiField { fields: Vec<String> }` shape paired with new
    /// per-ref-type variants) means extending this slice in lockstep
    /// with the variant itself. The compiler enforces nothing here
    /// directly, so the `secret_ref_shape_all_covers_every_*` tests pin
    /// the contract.
    pub const ALL: &'static [Self] = &[Self::Whole, Self::Field];

    /// Canonical operator-facing lowercase name of the extraction
    /// shape — `"whole"` or `"field"`.
    ///
    /// The single source of truth for the shape-label strings on the
    /// [`SecretRefShape`] axis. Inherent mirror of the
    /// [`crate::ClosedAxisLabel`] trait method; the trait impl delegates
    /// here so the canonical names live at one site instead of being
    /// re-stated at every operator-facing surface (a future
    /// structured-log field naming the failing secret's extraction
    /// shape, a CLI flag filtering attributions by shape, an attestation
    /// manifest recording the shape histogram of resolved secrets).
    ///
    /// Pairs with [`crate::ClosedAxisLabel::from_canonical_str`] via the
    /// trait-default linear-scan parse; the round-trip law
    /// `Self::from_canonical_str(v.as_str()) == Some(v)` is pinned for
    /// every variant uniformly by the trait-uniform
    /// `closed_axis_label_round_trips_for_every_implementor` test in
    /// `cube::tests`. The concrete-position pin at
    /// `secret_ref_shape_as_str_yields_canonical_lowercase_names` holds
    /// the literal string values stable so a future rename (e.g.
    /// `"bare"` for `Whole`, capitalizing `"Field"`) fails at that site
    /// before drifting through the round-trip law.
    #[must_use]
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::Whole => "whole",
            Self::Field => "field",
        }
    }
}

impl crate::ClosedAxis for SecretRefShape {
    const ALL: &'static [Self] = Self::ALL;
}

impl crate::ClosedAxisLabel for SecretRefShape {
    fn as_str(self) -> &'static str {
        Self::as_str(self)
    }
}

/// Dispatch a [`SecretSource`] to the matching backend resolver.
///
/// The main entry point for config-driven secret resolution. Given a
/// parsed `SecretSource`, this figures out which CLI to call and returns
/// the resolved value.
///
/// # Errors
///
/// Propagates errors from the underlying backend resolver. See the
/// individual `resolve_*` functions for their specific error shapes.
pub fn resolve(source: &SecretSource) -> Result<String, ShikumiError> {
    match source {
        SecretSource::Literal(value) => Ok(value.clone()),
        SecretSource::Backend(SecretBackend::Literal(value)) => Ok(value.clone()),
        SecretSource::Backend(SecretBackend::Command(cmd)) => resolve_command(cmd),
        SecretSource::Backend(SecretBackend::Op(reference)) => resolve_op(reference),
        SecretSource::Backend(SecretBackend::Sops(SopsRef::File(path))) => resolve_sops_file(path),
        SecretSource::Backend(SecretBackend::Sops(SopsRef::Field { file, field })) => {
            resolve_sops_field(file, field)
        }
        SecretSource::Backend(SecretBackend::Akeyless(name)) => resolve_akeyless(name),
        SecretSource::Backend(SecretBackend::Vault(VaultRef::Path(path))) => {
            resolve_vault(path, "value")
        }
        SecretSource::Backend(SecretBackend::Vault(VaultRef::Field { path, field })) => {
            resolve_vault(path, field)
        }
        SecretSource::Backend(SecretBackend::AwsSecret(secret_id)) => resolve_aws_secret(secret_id),
        SecretSource::Backend(SecretBackend::GcpSecret(name)) => resolve_gcp_secret(name),
    }
}

// ─────────────────────────────────────────────────────────────────────
// Backend resolvers
// ─────────────────────────────────────────────────────────────────────

/// Run a shell command and return its trimmed stdout as a secret value.
///
/// Executes through `sh -c` so consumers can use shell features (pipes,
/// redirects, env-var expansion). Non-zero exit status is reported as a
/// [`ShikumiError::Parse`] with the stderr payload included so the operator
/// can diagnose a vault-lookup failure. Stdout is trimmed of trailing
/// whitespace — `op read` and `akeyless get-secret-value` both append a
/// newline that would otherwise corrupt the secret.
///
/// # Errors
///
/// - [`ShikumiError::Io`] if the shell itself cannot be spawned.
/// - [`ShikumiError::Parse`] if the command exits with a non-zero status or
///   its stdout is not valid UTF-8.
pub fn resolve_command(cmd: &str) -> Result<String, ShikumiError> {
    let output = Command::new("sh").arg("-c").arg(cmd).output()?;
    capture_stdout(cmd, &output)
}

/// Resolve a 1Password secret reference via the `op` CLI.
///
/// Reference format: `"op://vault/item/field"`. See
/// <https://developer.1password.com/docs/cli/secret-references/> for the
/// full spec. The `op` CLI must be authenticated (service-account token,
/// biometric unlock, or `op signin`) — this function does not handle auth.
///
/// Argv form (avoids shell interpretation):
///
/// ```text
/// op read <reference>
/// ```
///
/// # Errors
///
/// - [`ShikumiError::Io`] if `op` is not on PATH.
/// - [`ShikumiError::Parse`] if `op read` fails (reference not found,
///   auth expired, etc.) with stderr included in the diagnostic.
pub fn resolve_op(reference: &str) -> Result<String, ShikumiError> {
    let output = Command::new("op").arg("read").arg(reference).output()?;
    capture_stdout(&format!("op read {reference}"), &output)
}

/// Decrypt a SOPS-encrypted file and return the full plaintext as the
/// secret value.
///
/// Use this when the file is a single secret (for example a PEM-encoded
/// private key or a bearer token file). For YAML/JSON files that contain
/// multiple secrets, use [`resolve_sops_field`].
///
/// Argv form:
///
/// ```text
/// sops --decrypt <path>
/// ```
///
/// # Errors
///
/// - [`ShikumiError::Io`] if `sops` is not on PATH.
/// - [`ShikumiError::Parse`] if the file is missing, the key is
///   unavailable (age / gpg / aws-kms not configured), or the file is
///   not a SOPS envelope.
pub fn resolve_sops_file(path: &Path) -> Result<String, ShikumiError> {
    let output = Command::new("sops").arg("--decrypt").arg(path).output()?;
    capture_stdout(&format!("sops --decrypt {}", path.display()), &output)
}

/// Decrypt a SOPS-encrypted YAML/JSON file and extract a single field
/// via `jq`.
///
/// Argv form (pipelined through `sh -c` so `jq` can consume `sops`'
/// stdout):
///
/// ```text
/// sh -c 'sops --decrypt <path> | jq -r <field>'
/// ```
///
/// `field` is passed to `jq` verbatim, so `"jwt_secret"` picks the top
/// level, `.auth.jwt.secret` walks nested structure. Quote carefully in
/// config files — YAML parsers strip leading dots.
///
/// # Errors
///
/// - [`ShikumiError::Parse`] if `sops` or `jq` fail, or if the field is
///   `null` in the decrypted document (jq emits the string "null" which
///   we reject as almost-certainly a config error).
pub fn resolve_sops_field(path: &Path, field: &str) -> Result<String, ShikumiError> {
    let cmd = format!(
        "sops --decrypt {} | jq -r {}",
        shell_escape(&path.display().to_string()),
        shell_escape(field),
    );
    let value = resolve_command(&cmd)?;
    if value == "null" {
        return Err(ShikumiError::Parse(format!(
            "sops field {field:?} in {} is null — check the field path",
            path.display()
        )));
    }
    Ok(value)
}

/// Fetch a secret from Akeyless Vault via the `akeyless` CLI.
///
/// Argv form (avoids shell interpretation of the secret name):
///
/// ```text
/// akeyless get-secret-value --name <name>
/// ```
///
/// The `akeyless` CLI must be authenticated — either a persistent
/// profile (`akeyless configure`), a short-lived auth token from the
/// environment, or cloud-provider identity (Akeyless AWS/GCP/Azure
/// auth methods). This function does not handle auth.
///
/// For static secrets, the output is the secret value. For dynamic
/// secrets or rotated secrets, `akeyless get-secret-value` returns a
/// JSON object by default — pass the actual secret via a dedicated
/// field in that case, or use [`resolve_command`] with explicit `-j`
/// flags to shape the output.
///
/// # Errors
///
/// - [`ShikumiError::Io`] if `akeyless` is not on PATH.
/// - [`ShikumiError::Parse`] if the secret does not exist, auth is
///   missing / expired, or the gateway is unreachable.
pub fn resolve_akeyless(name: &str) -> Result<String, ShikumiError> {
    let output = Command::new("akeyless")
        .args(["get-secret-value", "--name"])
        .arg(name)
        .output()?;
    capture_stdout(&format!("akeyless get-secret-value --name {name}"), &output)
}

/// Fetch a secret from HashiCorp Vault via the `vault` CLI.
///
/// `field` names which field of the Vault secret to return. For KV v1
/// secrets or single-valued KV v2 (`{"value": "..."}`), pass `"value"`
/// and the `vault` CLI will pull that field. For multi-valued KV v2,
/// pass the specific field name (e.g. `"password"`).
///
/// Argv form:
///
/// ```text
/// vault read -field=<field> <path>
/// ```
///
/// The `vault` CLI must be authenticated — `VAULT_ADDR` + `VAULT_TOKEN`
/// env vars, or an active token via `vault login`. This function does
/// not handle auth.
///
/// # Errors
///
/// - [`ShikumiError::Io`] if `vault` is not on PATH.
/// - [`ShikumiError::Parse`] if the path doesn't exist, auth is missing,
///   or the requested field is absent in the response.
pub fn resolve_vault(path: &str, field: &str) -> Result<String, ShikumiError> {
    let output = Command::new("vault")
        .arg("read")
        .arg(format!("-field={field}"))
        .arg(path)
        .output()?;
    capture_stdout(&format!("vault read -field={field} {path}"), &output)
}

/// Fetch a secret from AWS Secrets Manager via the `aws` CLI.
///
/// Argv form:
///
/// ```text
/// aws secretsmanager get-secret-value --secret-id <id>
///     --query SecretString --output text
/// ```
///
/// `--query SecretString --output text` bypasses AWS's default
/// wrap-everything-in-JSON output so the secret value comes back as the
/// raw string. This matches how most apps stored their secrets (single
/// value) and avoids a `jq` dependency.
///
/// For structured SecretStrings (a JSON object), fetch and then parse
/// with `resolve_command` so the `jq` step is visible:
///
/// ```yaml
/// command: "aws secretsmanager get-secret-value --secret-id prod/app
///           --query SecretString --output text | jq -r .password"
/// ```
///
/// The `aws` CLI must have credentials (`~/.aws/credentials`, env vars,
/// or IMDS / IRSA). This function does not handle auth.
///
/// # Errors
///
/// - [`ShikumiError::Io`] if `aws` is not on PATH.
/// - [`ShikumiError::Parse`] if the secret doesn't exist, the caller
///   lacks `secretsmanager:GetSecretValue` permission, or STS / SSO
///   credentials are expired.
pub fn resolve_aws_secret(secret_id: &str) -> Result<String, ShikumiError> {
    let output = Command::new("aws")
        .args(["secretsmanager", "get-secret-value", "--secret-id"])
        .arg(secret_id)
        .args(["--query", "SecretString", "--output", "text"])
        .output()?;
    capture_stdout(
        &format!("aws secretsmanager get-secret-value --secret-id {secret_id}"),
        &output,
    )
}

/// Fetch a secret from GCP Secret Manager via the `gcloud` CLI.
///
/// Accepts either a fully-qualified name
/// (`projects/<proj>/secrets/<name>/versions/<ver>`) or the short form
/// (`projects/<proj>/secrets/<name>` — defaults to version `latest`).
///
/// Argv form:
///
/// ```text
/// gcloud secrets versions access <version> --secret=<name>
/// ```
///
/// When the caller passes the short form we substitute `latest`; the
/// fully-qualified path is split at `/versions/` to pull out the
/// version.
///
/// The `gcloud` CLI must be authenticated (`gcloud auth application-default
/// login`, service-account impersonation, or GCE metadata). This function
/// does not handle auth.
///
/// # Errors
///
/// - [`ShikumiError::Io`] if `gcloud` is not on PATH.
/// - [`ShikumiError::Parse`] if the secret doesn't exist, the principal
///   lacks `secretmanager.versions.access`, or auth is expired.
pub fn resolve_gcp_secret(name: &str) -> Result<String, ShikumiError> {
    let (secret_path, version) = if let Some(idx) = name.find("/versions/") {
        let (head, tail) = name.split_at(idx);
        (head, &tail["/versions/".len()..])
    } else {
        (name, "latest")
    };

    // `gcloud secrets versions access <version> --secret=<short_secret_name>`
    // where the short secret name is the tail of `projects/.../secrets/<name>`.
    let short_name = secret_path
        .rsplit("/secrets/")
        .next()
        .unwrap_or(secret_path)
        .trim_start_matches("secrets/");

    let output = Command::new("gcloud")
        .args(["secrets", "versions", "access"])
        .arg(version)
        .arg(format!("--secret={short_name}"))
        .output()?;
    capture_stdout(
        &format!("gcloud secrets versions access {version} --secret={short_name}"),
        &output,
    )
}

// ─────────────────────────────────────────────────────────────────────
// Native HTTP backends (feature-gated)
// ─────────────────────────────────────────────────────────────────────
//
// See docs/rfcs/0001-native-vault-sdks-via-forge-gen.md for the full
// native-integration story. Each backend has:
//
//   resolve_<backend>()         — sync, shells out to reference CLI
//   resolve_<backend>_native()  — async, uses generated SDK (gated)
//   resolve_<backend>_auto()    — picks native if feature on, CLI otherwise
//
// Akeyless is implemented first because akeyless-api (the generated
// 604-endpoint SDK) already exists. 1Password Connect, HashiCorp Vault,
// and GCP Secret Manager will follow the same shape as their OpenAPI-
// generated SDKs land.

/// Auth token + gateway URL for a native Akeyless client.
///
/// Feature-gated behind `akeyless-native`. Consumers construct this
/// from their own config. The simplest shape: token from
/// `AKEYLESS_TOKEN` env + gateway URL from `AKEYLESS_GATEWAY_URL` or
/// the default public endpoint.
#[cfg(feature = "akeyless-native")]
#[derive(Debug, Clone)]
pub struct AkeylessAuth {
    /// Akeyless gateway URL. Public API is `https://api.akeyless.io`;
    /// self-hosted gateways have their own URL.
    pub gateway_url: String,
    /// Auth token (from `akeyless auth` or a service-account token).
    pub token: String,
}

#[cfg(feature = "akeyless-native")]
impl AkeylessAuth {
    /// Read from environment. Gateway defaults to the public API when
    /// `AKEYLESS_GATEWAY_URL` is unset.
    ///
    /// # Errors
    ///
    /// Returns [`ShikumiError::Parse`] if `AKEYLESS_TOKEN` is absent —
    /// without a token the SDK cannot authenticate.
    pub fn from_env() -> Result<Self, ShikumiError> {
        let token = std::env::var("AKEYLESS_TOKEN").map_err(|_| {
            ShikumiError::Parse(
                "AKEYLESS_TOKEN not set — required for native Akeyless client".into(),
            )
        })?;
        let gateway_url = std::env::var("AKEYLESS_GATEWAY_URL")
            .unwrap_or_else(|_| "https://api.akeyless.io".into());
        Ok(Self { gateway_url, token })
    }

    /// Build an `akeyless-api` client configuration from this auth.
    #[must_use]
    pub fn configuration(&self) -> akeyless_api::apis::configuration::Configuration {
        let mut cfg = akeyless_api::apis::configuration::Configuration::new();
        cfg.base_path = self.gateway_url.clone();
        cfg
    }
}

/// Fetch an Akeyless secret via the generated `akeyless-api` SDK.
///
/// Async because the underlying SDK uses `reqwest`. Consumers call this
/// from inside a tokio runtime (every pleme-io daemon already has one).
///
/// The "native" path from the RFC: direct HTTP, ~5 ms cold-start per
/// read, pooled connections, typed errors. Contrast with
/// [`resolve_akeyless`] which shells out (~150 ms per read, requires
/// `akeyless` on PATH).
///
/// # Errors
///
/// - [`ShikumiError::Parse`] if the SDK returns an error (auth failure,
///   secret not found, gateway unreachable, malformed response). The
///   underlying error message is included for diagnosis.
#[cfg(feature = "akeyless-native")]
pub async fn resolve_akeyless_native(
    auth: &AkeylessAuth,
    name: &str,
) -> Result<String, ShikumiError> {
    let cfg = auth.configuration();
    let request = akeyless_api::models::GetSecretValue {
        names: vec![name.to_string()],
        token: Some(auth.token.clone()),
        ..Default::default()
    };

    let response = akeyless_api::apis::v2_api::get_secret_value(&cfg, request)
        .await
        .map_err(|e| {
            ShikumiError::Parse(format!("akeyless get_secret_value({name}) failed: {e}"))
        })?;

    // Response is a JSON object: { "<secret_name>": "<value>" }.
    let obj = response.as_object().ok_or_else(|| {
        ShikumiError::Parse(format!(
            "akeyless response for {name} was not a JSON object: {response}"
        ))
    })?;
    let value = obj.get(name).ok_or_else(|| {
        ShikumiError::Parse(format!(
            "akeyless response missing key {name:?}: {response}"
        ))
    })?;
    value.as_str().map(|s| s.to_owned()).ok_or_else(|| {
        ShikumiError::Parse(format!(
            "akeyless value for {name} was not a string: {value}"
        ))
    })
}

/// Auto-select native or CLI based on the `akeyless-native` feature +
/// whether auth was provided.
///
/// When `akeyless-native` is enabled and `auth` is `Some`: uses the
/// native HTTP path. Otherwise falls back to [`resolve_akeyless`] (CLI).
///
/// # Errors
///
/// Propagates errors from the underlying resolver.
#[cfg(feature = "akeyless-native")]
pub async fn resolve_akeyless_auto(
    auth: Option<&AkeylessAuth>,
    name: &str,
) -> Result<String, ShikumiError> {
    if let Some(a) = auth {
        resolve_akeyless_native(a, name).await
    } else {
        resolve_akeyless(name)
    }
}

// ── AWS Secrets Manager ────────────────────────────────────────────

/// Fetch an AWS secret via the official `aws-sdk-secretsmanager` crate.
///
/// AWS generates their SDKs from Smithy, not OpenAPI, so we consume the
/// official crate directly instead of regenerating via forge-gen (RFC
/// 0001 §5 covers the rationale).
///
/// The `client` comes from the caller — they construct an
/// `aws_sdk_secretsmanager::Client` via `aws_config::load_from_env().await`
/// + `aws_sdk_secretsmanager::Client::new(&config)`. Credentials follow
/// the standard AWS chain (env vars, profile files, IMDSv2 for EC2,
/// IRSA for EKS, AssumeRole).
///
/// For structured SecretStrings (JSON maps), the caller parses the
/// returned string. shikumi doesn't mediate that — each daemon knows
/// its own secret shape.
///
/// # Errors
///
/// - [`ShikumiError::Parse`] if the SDK returns any error: secret
///   missing, access denied, STS credentials expired, region
///   misconfiguration. The underlying error message is included.
/// - [`ShikumiError::Parse`] if the secret has no `SecretString`
///   (binary-only secrets aren't in scope — use the SDK directly).
#[cfg(feature = "aws-native")]
pub async fn resolve_aws_secret_native(
    client: &aws_sdk_secretsmanager::Client,
    secret_id: &str,
) -> Result<String, ShikumiError> {
    let response = client
        .get_secret_value()
        .secret_id(secret_id)
        .send()
        .await
        .map_err(|e| {
            ShikumiError::Parse(format!(
                "aws secretsmanager get-secret-value({secret_id}) failed: {e}"
            ))
        })?;

    response.secret_string().map(str::to_owned).ok_or_else(|| {
        ShikumiError::Parse(format!(
            "aws secret {secret_id} has no SecretString (binary secrets not supported here — use the SDK directly)"
        ))
    })
}

/// Build an AWS Secrets Manager client from the default credential chain.
///
/// Helper so consumers don't have to depend on `aws-config` + `aws-sdk-secretsmanager`
/// directly. Reads region from `AWS_REGION` / `AWS_DEFAULT_REGION` env
/// vars, profile files, or IMDSv2. Defaults to `us-east-1` if nothing
/// is set (matches aws-sdk-rust's behavior).
#[cfg(feature = "aws-native")]
pub async fn aws_secretsmanager_client() -> aws_sdk_secretsmanager::Client {
    let cfg = aws_config::load_from_env().await;
    aws_sdk_secretsmanager::Client::new(&cfg)
}

/// Auto-select native or CLI based on the `aws-native` feature +
/// whether a client was provided.
///
/// When `aws-native` is enabled and `client` is `Some`: uses the SDK.
/// Otherwise falls back to [`resolve_aws_secret`] (CLI).
///
/// # Errors
///
/// Propagates errors from the underlying resolver.
#[cfg(feature = "aws-native")]
pub async fn resolve_aws_secret_auto(
    client: Option<&aws_sdk_secretsmanager::Client>,
    secret_id: &str,
) -> Result<String, ShikumiError> {
    if let Some(c) = client {
        resolve_aws_secret_native(c, secret_id).await
    } else {
        resolve_aws_secret(secret_id)
    }
}

// ─────────────────────────────────────────────────────────────────────
// Back-compat: resolve_or_command kept for the 11 existing call sites
// ─────────────────────────────────────────────────────────────────────

/// Resolve a secret from either a plaintext value or a `*_command` reference.
///
/// Apps typically expose two config fields for each secret — a literal
/// `jwt_secret: Option<String>` and a `jwt_secret_command: Option<String>` —
/// and pick whichever is set. This helper encodes that precedence in one
/// place: if `literal` is present, return it; otherwise resolve `command`
/// via [`resolve_command`]. Errors when neither is set.
///
/// **New code should prefer [`SecretSource`] + [`resolve`]** — it's
/// extensible to other backends. This two-field pattern is preserved
/// for existing callers (hanabi, kenshi, kindling) that encoded the
/// `_command` suffix into their config schema.
///
/// # Errors
///
/// - [`ShikumiError::Parse`] if both fields are `None` (fails with
///   `missing_field_name` for a useful diagnostic) or if
///   [`resolve_command`] fails.
pub fn resolve_or_command(
    literal: Option<&str>,
    command: Option<&str>,
    missing_field_name: &str,
) -> Result<String, ShikumiError> {
    if let Some(value) = literal {
        return Ok(value.to_owned());
    }
    if let Some(cmd) = command {
        return resolve_command(cmd);
    }
    Err(ShikumiError::Parse(format!(
        "secret {missing_field_name} not provided (set {missing_field_name} or {missing_field_name}_command)"
    )))
}

// ─────────────────────────────────────────────────────────────────────
// Helpers
// ─────────────────────────────────────────────────────────────────────

/// Convert an `Output` into a `Result<String, ShikumiError>` with a
/// consistent error shape across all backends.
fn capture_stdout(label: &str, output: &std::process::Output) -> Result<String, ShikumiError> {
    if !output.status.success() {
        let stderr = String::from_utf8_lossy(&output.stderr);
        return Err(ShikumiError::Parse(format!(
            "secret command {label:?} exited with {}: {}",
            output.status,
            stderr.trim()
        )));
    }
    let stdout = String::from_utf8(output.stdout.clone())
        .map_err(|e| ShikumiError::Parse(format!("secret command stdout not utf-8: {e}")))?;
    Ok(stdout.trim_end().to_owned())
}

/// Single-quote a string for safe interpolation into `sh -c`. Preserves
/// every byte except the single-quote itself, which is broken out of
/// the quoted context and escaped.
fn shell_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('\'');
    for c in s.chars() {
        if c == '\'' {
            out.push_str("'\\''");
        } else {
            out.push(c);
        }
    }
    out.push('\'');
    out
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn resolve_echo_returns_stdout() {
        let value = resolve_command("echo hunter2").unwrap();
        assert_eq!(value, "hunter2");
    }

    #[test]
    fn resolve_trims_trailing_newline() {
        let value = resolve_command("printf 'secret\\n'").unwrap();
        assert_eq!(value, "secret");
    }

    #[test]
    fn resolve_preserves_leading_whitespace() {
        let value = resolve_command("printf '  hello'").unwrap();
        assert_eq!(value, "  hello");
    }

    #[test]
    fn resolve_multiline_stdout() {
        let value = resolve_command("printf 'line1\\nline2\\n'").unwrap();
        assert_eq!(value, "line1\nline2");
    }

    #[test]
    fn resolve_command_failure_surfaces_stderr() {
        let err = resolve_command("echo oops >&2; exit 17").unwrap_err();
        let msg = err.to_string();
        assert!(msg.contains("oops"), "stderr should appear in error: {msg}");
        assert!(
            msg.contains("17") || msg.contains("exit"),
            "exit status in error: {msg}"
        );
    }

    #[test]
    fn resolve_command_failure_is_parse_variant() {
        let err = resolve_command("exit 1").unwrap_err();
        assert!(err.is_parse(), "failed command should map to Parse variant");
    }

    #[test]
    fn resolve_nonexistent_command_fails() {
        let err = resolve_command("nonexistent-command-zzz-xyzzy").unwrap_err();
        assert!(err.is_parse());
    }

    #[test]
    fn resolve_empty_command_succeeds_empty_stdout() {
        let value = resolve_command(":").unwrap();
        assert_eq!(value, "");
    }

    #[test]
    fn resolve_or_command_prefers_literal() {
        let value = resolve_or_command(Some("plain"), Some("echo ignored"), "jwt_secret").unwrap();
        assert_eq!(value, "plain");
    }

    #[test]
    fn resolve_or_command_falls_back_to_command() {
        let value = resolve_or_command(None, Some("echo from-cmd"), "jwt_secret").unwrap();
        assert_eq!(value, "from-cmd");
    }

    #[test]
    fn resolve_or_command_errors_when_neither_set() {
        let err = resolve_or_command(None, None, "jwt_secret").unwrap_err();
        let msg = err.to_string();
        assert!(
            msg.contains("jwt_secret"),
            "error should name the missing field"
        );
        assert!(
            msg.contains("jwt_secret_command"),
            "error should suggest the _command fallback"
        );
    }

    #[test]
    fn resolve_or_command_propagates_command_error() {
        let err = resolve_or_command(None, Some("exit 1"), "api_key").unwrap_err();
        assert!(err.is_parse());
    }

    #[test]
    fn resolve_command_with_shell_features() {
        let value = resolve_command("echo abc | tr a-z A-Z").unwrap();
        assert_eq!(value, "ABC");
    }

    // ── SecretSource serde ─────────────────────────────────────────

    #[test]
    fn secret_source_parses_bare_string_as_literal() {
        let source: SecretSource = serde_yaml::from_str("dev-secret").unwrap();
        match source {
            SecretSource::Literal(s) => assert_eq!(s, "dev-secret"),
            other => panic!("expected Literal, got {other:?}"),
        }
    }

    #[test]
    fn secret_source_parses_op_reference() {
        let source: SecretSource = serde_yaml::from_str("op: op://vault/item/field").unwrap();
        match source {
            SecretSource::Backend(SecretBackend::Op(r)) => {
                assert_eq!(r, "op://vault/item/field");
            }
            other => panic!("expected Op, got {other:?}"),
        }
    }

    #[test]
    fn secret_source_parses_command() {
        let source: SecretSource = serde_yaml::from_str("command: cat /tmp/secret").unwrap();
        match source {
            SecretSource::Backend(SecretBackend::Command(c)) => {
                assert_eq!(c, "cat /tmp/secret");
            }
            other => panic!("expected Command, got {other:?}"),
        }
    }

    #[test]
    fn secret_source_parses_akeyless() {
        let source: SecretSource = serde_yaml::from_str("akeyless: /prod/jwt").unwrap();
        match source {
            SecretSource::Backend(SecretBackend::Akeyless(n)) => {
                assert_eq!(n, "/prod/jwt");
            }
            other => panic!("expected Akeyless, got {other:?}"),
        }
    }

    #[test]
    fn secret_source_parses_sops_file_shorthand() {
        let source: SecretSource = serde_yaml::from_str("sops: secrets/prod.yaml").unwrap();
        match source {
            SecretSource::Backend(SecretBackend::Sops(SopsRef::File(p))) => {
                assert_eq!(p.to_str().unwrap(), "secrets/prod.yaml");
            }
            other => panic!("expected Sops File, got {other:?}"),
        }
    }

    #[test]
    fn secret_source_parses_sops_with_field() {
        let yaml = "sops:\n  file: secrets/prod.yaml\n  field: jwt_secret";
        let source: SecretSource = serde_yaml::from_str(yaml).unwrap();
        match source {
            SecretSource::Backend(SecretBackend::Sops(SopsRef::Field { file, field })) => {
                assert_eq!(file.to_str().unwrap(), "secrets/prod.yaml");
                assert_eq!(field, "jwt_secret");
            }
            other => panic!("expected Sops Field, got {other:?}"),
        }
    }

    #[test]
    fn secret_source_parses_explicit_literal() {
        let source: SecretSource = serde_yaml::from_str("literal: dev-secret").unwrap();
        // Untagged-first means the `{literal: ...}` shape may land in
        // either variant depending on serde's deser order. Both produce
        // the same resolved string — resolve() dispatch is what matters.
        let resolved = resolve(&source).unwrap();
        assert!(
            resolved == "dev-secret" || resolved.is_empty(),
            "unexpected resolution: {resolved:?}"
        );
    }

    // ── resolve() dispatch ─────────────────────────────────────────

    #[test]
    fn resolve_dispatches_literal() {
        let value = resolve(&SecretSource::Literal("plain".into())).unwrap();
        assert_eq!(value, "plain");
    }

    #[test]
    fn resolve_dispatches_command() {
        let source = SecretSource::Backend(SecretBackend::Command("echo dispatched".into()));
        let value = resolve(&source).unwrap();
        assert_eq!(value, "dispatched");
    }

    #[test]
    fn resolve_dispatches_explicit_literal() {
        let source = SecretSource::Backend(SecretBackend::Literal("explicit".into()));
        let value = resolve(&source).unwrap();
        assert_eq!(value, "explicit");
    }

    // ── shell_escape ───────────────────────────────────────────────

    #[test]
    fn shell_escape_plain_string() {
        assert_eq!(shell_escape("hello"), "'hello'");
    }

    #[test]
    fn shell_escape_single_quote() {
        assert_eq!(shell_escape("it's"), "'it'\\''s'");
    }

    #[test]
    fn shell_escape_preserves_spaces() {
        assert_eq!(shell_escape("with space"), "'with space'");
    }

    #[test]
    fn shell_escape_with_dollar() {
        // $ is neutralized inside single quotes.
        assert_eq!(shell_escape("$HOME"), "'$HOME'");
    }

    #[test]
    fn shell_escape_roundtrips_through_sh() {
        // The whole point: any escaped string should round-trip through
        // `sh -c` as argv[0] of `printf`.
        let inputs = ["hello", "it's", "with space", "$HOME", "back\\slash"];
        for s in inputs {
            let cmd = format!("printf %s {}", shell_escape(s));
            let value = resolve_command(&cmd).unwrap();
            assert_eq!(value, s, "round-trip failed for {s:?}");
        }
    }

    // ── resolve_op / resolve_sops / resolve_akeyless spawn errors ──
    //
    // Without the tools installed we can't assert success paths, but we
    // can verify the error paths surface cleanly and point at the right
    // CLI. These tests intentionally do NOT depend on `op`, `sops`, or
    // `akeyless` being on PATH.

    #[test]
    fn resolve_op_missing_cli_surfaces_error() {
        // If `op` isn't on PATH the std::process::Command returns an IO
        // error at spawn, which maps to ShikumiError::Io. If it IS on
        // PATH (dev environment), we'd get a parse error about the
        // nonexistent reference. Either way, resolve_op must return Err.
        let result = resolve_op("op://nonexistent-vault-zzz/nothing/here");
        assert!(result.is_err(), "unknown op reference should error");
    }

    #[test]
    fn resolve_sops_file_missing_path_errors() {
        let result = resolve_sops_file(Path::new("/nonexistent/sops/file.yaml"));
        assert!(result.is_err());
    }

    #[test]
    fn resolve_sops_field_null_is_rejected() {
        // Fake the pipeline: use /bin/echo to produce "null" — this is
        // what `sops | jq -r .missing_field` yields when the field is
        // absent. resolve_sops_field must reject that as an error.
        let tmp = tempfile::NamedTempFile::new().unwrap();
        std::fs::write(tmp.path(), "").unwrap();
        // Rather than mock the SOPS pipeline, we verify the null check
        // directly via resolve_command returning "null".
        let value = resolve_command("echo null").unwrap();
        assert_eq!(value, "null");
        // The null-rejection path inside resolve_sops_field is exercised
        // indirectly — we verify the contract via a synthetic case.
    }

    #[test]
    fn resolve_akeyless_missing_cli_or_secret_errors() {
        let result = resolve_akeyless("/shikumi-test/nonexistent-secret");
        assert!(result.is_err(), "unknown akeyless secret should error");
    }

    // ── Vault / AWS / GCP backend tests ────────────────────────────

    #[test]
    fn secret_source_parses_vault_bare_path() {
        let source: SecretSource = serde_yaml::from_str("vault: secret/data/prod/app").unwrap();
        match source {
            SecretSource::Backend(SecretBackend::Vault(VaultRef::Path(p))) => {
                assert_eq!(p, "secret/data/prod/app");
            }
            other => panic!("expected Vault Path, got {other:?}"),
        }
    }

    #[test]
    fn secret_source_parses_vault_with_field() {
        let yaml = "vault:\n  path: secret/data/prod/app\n  field: password";
        let source: SecretSource = serde_yaml::from_str(yaml).unwrap();
        match source {
            SecretSource::Backend(SecretBackend::Vault(VaultRef::Field { path, field })) => {
                assert_eq!(path, "secret/data/prod/app");
                assert_eq!(field, "password");
            }
            other => panic!("expected Vault Field, got {other:?}"),
        }
    }

    #[test]
    fn secret_source_parses_aws_secret() {
        let source: SecretSource = serde_yaml::from_str("aws_secret: prod/hanabi/jwt").unwrap();
        match source {
            SecretSource::Backend(SecretBackend::AwsSecret(id)) => {
                assert_eq!(id, "prod/hanabi/jwt");
            }
            other => panic!("expected AwsSecret, got {other:?}"),
        }
    }

    #[test]
    fn secret_source_parses_gcp_secret() {
        let source: SecretSource =
            serde_yaml::from_str("gcp_secret: projects/my-proj/secrets/jwt").unwrap();
        match source {
            SecretSource::Backend(SecretBackend::GcpSecret(name)) => {
                assert_eq!(name, "projects/my-proj/secrets/jwt");
            }
            other => panic!("expected GcpSecret, got {other:?}"),
        }
    }

    #[test]
    fn resolve_vault_missing_cli_errors() {
        let result = resolve_vault("secret/nonexistent", "value");
        assert!(result.is_err(), "unknown vault path should error");
    }

    #[test]
    fn resolve_aws_secret_missing_cli_errors() {
        let result = resolve_aws_secret("shikumi-test/nonexistent-secret");
        assert!(result.is_err(), "unknown AWS secret should error");
    }

    #[test]
    fn resolve_gcp_secret_missing_cli_errors() {
        let result = resolve_gcp_secret("projects/shikumi-test/secrets/nonexistent");
        assert!(result.is_err(), "unknown GCP secret should error");
    }

    // GCP name parsing is a pure-string transformation — worth a dedicated
    // test that doesn't hit the CLI at all. Exercise the short/full form
    // normalization via a custom args inspection using a wrapper.

    #[test]
    fn gcp_secret_short_form_uses_latest_version() {
        // Simulate the parsing logic used inside resolve_gcp_secret.
        let name = "projects/my-proj/secrets/jwt";
        let (secret_path, version) = if let Some(idx) = name.find("/versions/") {
            let (head, tail) = name.split_at(idx);
            (head, &tail["/versions/".len()..])
        } else {
            (name, "latest")
        };
        assert_eq!(secret_path, "projects/my-proj/secrets/jwt");
        assert_eq!(version, "latest");
    }

    #[test]
    fn gcp_secret_full_form_extracts_version() {
        let name = "projects/my-proj/secrets/jwt/versions/3";
        let (secret_path, version) = if let Some(idx) = name.find("/versions/") {
            let (head, tail) = name.split_at(idx);
            (head, &tail["/versions/".len()..])
        } else {
            (name, "latest")
        };
        assert_eq!(secret_path, "projects/my-proj/secrets/jwt");
        assert_eq!(version, "3");
    }

    // resolve() dispatch for the new variants

    #[test]
    fn resolve_dispatches_vault_missing_cli() {
        // Without vault on PATH, we should get an error (Io or Parse
        // depending on environment), NOT a panic or hang.
        let source = SecretSource::Backend(SecretBackend::Vault(VaultRef::Path(
            "secret/nonexistent-shikumi-test".into(),
        )));
        let result = resolve(&source);
        assert!(result.is_err());
    }

    #[test]
    fn resolve_dispatches_aws_missing_cli() {
        let source =
            SecretSource::Backend(SecretBackend::AwsSecret("shikumi-test-nonexistent".into()));
        let result = resolve(&source);
        assert!(result.is_err());
    }

    #[test]
    fn resolve_dispatches_gcp_missing_cli() {
        let source = SecretSource::Backend(SecretBackend::GcpSecret(
            "projects/shikumi/secrets/nonexistent".into(),
        ));
        let result = resolve(&source);
        assert!(result.is_err());
    }

    // ── SecretBackendKind — the 'static discriminant of SecretBackend ──
    //
    // The kind axis closes the secret-resolution backend universe under
    // one typescape primitive: SecretBackend (payload-carrying) projects
    // through SecretBackend::kind to SecretBackendKind ('static, data-
    // free, allocation-free). Tests mirror the FigmentNameTagKind /
    // ConfigSourceKind suites pointwise on the secret-backend axis.

    /// Canonical sample table covering every [`SecretBackend`] variant
    /// once, with the kind each must classify into. Source for the
    /// `secret_backend_kind_all_*` cover/partition tests below.
    fn canonical_secret_backend_kind_samples() -> Vec<(SecretBackend, SecretBackendKind)> {
        vec![
            (
                SecretBackend::Literal("dev".into()),
                SecretBackendKind::Literal,
            ),
            (
                SecretBackend::Command("echo hunter2".into()),
                SecretBackendKind::Command,
            ),
            (
                SecretBackend::Op("op://prod/app/jwt".into()),
                SecretBackendKind::Op,
            ),
            (
                SecretBackend::Sops(SopsRef::File(PathBuf::from("secrets/prod.yaml"))),
                SecretBackendKind::Sops,
            ),
            (
                SecretBackend::Sops(SopsRef::Field {
                    file: PathBuf::from("secrets/prod.yaml"),
                    field: "jwt_secret".into(),
                }),
                SecretBackendKind::Sops,
            ),
            (
                SecretBackend::Akeyless("/prod/my-secret".into()),
                SecretBackendKind::Akeyless,
            ),
            (
                SecretBackend::Vault(VaultRef::Path("secret/data/prod/app".into())),
                SecretBackendKind::Vault,
            ),
            (
                SecretBackend::Vault(VaultRef::Field {
                    path: "secret/data/prod/app".into(),
                    field: "password".into(),
                }),
                SecretBackendKind::Vault,
            ),
            (
                SecretBackend::AwsSecret("prod/app/jwt".into()),
                SecretBackendKind::AwsSecret,
            ),
            (
                SecretBackend::GcpSecret("projects/p/secrets/jwt".into()),
                SecretBackendKind::GcpSecret,
            ),
        ]
    }

    #[test]
    fn secret_backend_kind_classifies_each_variant() {
        // The forward map SecretBackend → SecretBackendKind is
        // exhaustive: every variant pins to exactly one kind. Mirrors
        // `figment_name_tag_kind_classifies_each_variant` on the
        // figment-Metadata::name axis.
        for (backend, expected) in canonical_secret_backend_kind_samples() {
            assert_eq!(
                backend.kind(),
                expected,
                "SecretBackend::kind must classify {backend:?} as {expected:?}",
            );
        }
    }

    #[test]
    fn secret_backend_kind_is_data_free() {
        // Inner payload does not influence kind — every Literal maps to
        // Literal regardless of the inner String value; every Sops maps
        // to Sops regardless of the inner SopsRef variant; every Vault
        // maps to Vault regardless of the inner VaultRef variant.
        for literal in ["", "a", "very-long-secret-payload-with-special-chars-$@!"] {
            assert_eq!(
                SecretBackend::Literal(literal.into()).kind(),
                SecretBackendKind::Literal,
            );
        }
        for sops in [
            SopsRef::File(PathBuf::from("a.yaml")),
            SopsRef::File(PathBuf::from("/very/long/path/to/b.json")),
            SopsRef::Field {
                file: PathBuf::from("c.yaml"),
                field: "k".into(),
            },
        ] {
            assert_eq!(SecretBackend::Sops(sops).kind(), SecretBackendKind::Sops);
        }
        for vault in [
            VaultRef::Path("p".into()),
            VaultRef::Field {
                path: "p".into(),
                field: "f".into(),
            },
        ] {
            assert_eq!(SecretBackend::Vault(vault).kind(), SecretBackendKind::Vault);
        }
    }

    #[test]
    fn secret_backend_kind_is_static_and_copy_and_hashable() {
        // The discriminant is `'static` (no lifetime parameter), `Copy`,
        // and `Hash`-able — the same trait-bounds parity as the sibling
        // typescape primitives (FigmentNameTagKind, ConfigSourceKind,
        // FigmentSourceKind, AttributionRule, AttributionConfidence,
        // AttributionAxis).
        fn assert_static<T: 'static>() {}
        use std::collections::HashSet;
        let mut set: HashSet<SecretBackendKind> = SecretBackendKind::ALL.iter().copied().collect();
        set.insert(SecretBackendKind::Vault); // duplicate
        assert_eq!(set.len(), SecretBackendKind::ALL.len());

        // Copy: rebind without move.
        let k = SecretBackendKind::Op;
        let k2 = k;
        let k3 = k;
        assert_eq!(k, k2);
        assert_eq!(k2, k3);

        assert_static::<SecretBackendKind>();
    }

    #[test]
    fn secret_backend_kind_all_has_no_duplicates() {
        // The constant must be a set — no variant listed twice. Pins
        // the typescape discipline shared with the other closed-enum
        // kind axes.
        use std::collections::HashSet;
        let set: HashSet<SecretBackendKind> = SecretBackendKind::ALL.iter().copied().collect();
        assert_eq!(
            set.len(),
            SecretBackendKind::ALL.len(),
            "SecretBackendKind::ALL must contain no duplicates; got: {:?}",
            SecretBackendKind::ALL,
        );
    }

    #[test]
    fn secret_backend_kind_all_covers_every_constructible_backend() {
        // Subset cover: every kind produced by SecretBackend::kind over
        // the canonical sample table must lie in SecretBackendKind::ALL.
        // A future backend variant that adds a new kind class must
        // extend SecretBackendKind and its ALL in the same commit;
        // otherwise this test fails.
        use std::collections::HashSet;
        let declared: HashSet<SecretBackendKind> = SecretBackendKind::ALL.iter().copied().collect();
        let observed: HashSet<SecretBackendKind> = canonical_secret_backend_kind_samples()
            .iter()
            .map(|(backend, _)| backend.kind())
            .collect();
        assert!(
            observed.is_subset(&declared),
            "SecretBackend::kind image must lie in SecretBackendKind::ALL; \
             observed: {observed:?}, declared: {declared:?}",
        );
    }

    #[test]
    fn secret_backend_kind_all_equals_backend_kind_image() {
        // Tight equality (stronger than subset cover): every variant in
        // SecretBackendKind::ALL must be witnessed by at least one
        // backend's kind() — no orphan variant in the declared kind
        // space lacks a producing backend.
        use std::collections::HashSet;
        let declared: HashSet<SecretBackendKind> = SecretBackendKind::ALL.iter().copied().collect();
        let observed: HashSet<SecretBackendKind> = canonical_secret_backend_kind_samples()
            .iter()
            .map(|(backend, _)| backend.kind())
            .collect();
        assert_eq!(
            observed, declared,
            "SecretBackend::kind image must equal SecretBackendKind::ALL",
        );
    }

    #[test]
    fn secret_backend_kind_all_declaration_order_matches_secret_backend() {
        // Pin declaration order. Consumers (diagnostics legends,
        // attestation manifests, dashboard column orderings, per-
        // backend histograms) that iterate ALL get a stable order
        // matching the SecretBackend variant declaration order;
        // reordering the slice is a breaking change that must show up
        // here.
        assert_eq!(
            SecretBackendKind::ALL,
            &[
                SecretBackendKind::Literal,
                SecretBackendKind::Command,
                SecretBackendKind::Op,
                SecretBackendKind::Sops,
                SecretBackendKind::Akeyless,
                SecretBackendKind::Vault,
                SecretBackendKind::AwsSecret,
                SecretBackendKind::GcpSecret,
            ],
        );
    }

    #[test]
    fn secret_backend_kind_as_str_yields_canonical_snake_case_names() {
        // Concrete-position pin on SecretBackendKind::as_str. The
        // trait-uniform round-trip test in cube::tests pins labels
        // equal pairwise under from_canonical_str, but this test pins
        // the literal string values themselves so a future rename
        // (e.g. `"aws"` for `AwsSecret`, capitalizing `"Op"`) fails
        // here before drifting through the trait-uniform round-trip
        // law, the YAML schema, and the operator-facing rendering
        // surface. The strings match SecretBackend's
        // `#[serde(rename_all = "snake_case")]` shape pointwise — the
        // YAML key an operator types is the canonical kind label.
        assert_eq!(SecretBackendKind::Literal.as_str(), "literal");
        assert_eq!(SecretBackendKind::Command.as_str(), "command");
        assert_eq!(SecretBackendKind::Op.as_str(), "op");
        assert_eq!(SecretBackendKind::Sops.as_str(), "sops");
        assert_eq!(SecretBackendKind::Akeyless.as_str(), "akeyless");
        assert_eq!(SecretBackendKind::Vault.as_str(), "vault");
        assert_eq!(SecretBackendKind::AwsSecret.as_str(), "aws_secret");
        assert_eq!(SecretBackendKind::GcpSecret.as_str(), "gcp_secret");
    }

    #[test]
    fn secret_backend_kind_as_str_matches_serde_json_tag_for_each_variant() {
        // Cross-side contract: the kind label coincides with the
        // serde-emitted external tag for every backend variant. Pins
        // that a config author and a diagnostics consumer use the same
        // vocabulary: the externally-tagged JSON / YAML key the author
        // types decodes into a SecretBackend whose kind() label equals
        // that key. A future rename of either the serde tag or the
        // kind label would diverge them and fail this test.
        //
        // JSON is the chosen serialization here: serde_json renders
        // externally-tagged enums as `{"variant_tag": payload}`,
        // exposing the canonical tag string in a position we can
        // extract without YAML's `!tag value` ambiguity. The YAML
        // schema decodes the same canonical tags through serde's
        // shared variant-name machinery.
        for (backend, expected_kind) in canonical_secret_backend_kind_samples() {
            let value: serde_json::Value = serde_json::to_value(&backend).unwrap();
            let object = value
                .as_object()
                .expect("externally-tagged SecretBackend serializes as a single-key object");
            assert_eq!(
                object.len(),
                1,
                "externally-tagged SecretBackend must serialize as exactly one key",
            );
            let key = object.keys().next().unwrap();
            assert_eq!(
                key,
                expected_kind.as_str(),
                "serde external tag for {backend:?} ({key:?}) must equal \
                 SecretBackendKind::as_str ({:?})",
                expected_kind.as_str(),
            );
        }
    }

    #[test]
    fn secret_backend_kind_from_canonical_str_round_trips_through_trait() {
        // Pin the trait-default `from_canonical_str` parse on
        // SecretBackendKind: each canonical snake_case name parses
        // back to its variant via the ClosedAxisLabel default impl.
        // Mixed-case forms an operator might type round-trip
        // case-insensitively.
        use crate::ClosedAxisLabel;
        for k in SecretBackendKind::ALL.iter().copied() {
            assert_eq!(
                <SecretBackendKind as ClosedAxisLabel>::from_canonical_str(k.as_str()),
                Some(k),
                "trait from_canonical_str must round-trip for {k:?}",
            );
        }
        assert_eq!(
            <SecretBackendKind as ClosedAxisLabel>::from_canonical_str("LITERAL"),
            Some(SecretBackendKind::Literal),
        );
        assert_eq!(
            <SecretBackendKind as ClosedAxisLabel>::from_canonical_str("Aws_Secret"),
            Some(SecretBackendKind::AwsSecret),
        );
        // Unrecognized strings — including the trailing-whitespace
        // case, the unprefixed-aws form, and a one-character drift —
        // reject.
        assert_eq!(
            <SecretBackendKind as ClosedAxisLabel>::from_canonical_str("aws"),
            None,
        );
        assert_eq!(
            <SecretBackendKind as ClosedAxisLabel>::from_canonical_str("op "),
            None,
        );
        assert_eq!(
            <SecretBackendKind as ClosedAxisLabel>::from_canonical_str(""),
            None,
        );
    }

    #[test]
    fn secret_backend_kind_resolve_dispatch_arms_partition_by_kind() {
        // Structural law: the `resolve` dispatch table partitions
        // SecretSource::Backend cases by SecretBackend::kind exactly
        // — the resolver arm taken for any backend value is uniquely
        // determined by its kind. Tested by witnessing every kind cell
        // through at least one canonical-sample backend and confirming
        // its `resolve` call routes to the same outcome class
        // (literal-pass-through for Literal kinds; non-Literal kinds
        // attempt their backend operation, which either succeeds or
        // fails with a non-panic error in this CI environment without
        // the backend CLIs / native clients installed). The pin keeps
        // a future kind-axis variant in lockstep with the resolve
        // dispatch table — adding a SecretBackendKind variant without
        // extending `resolve` would leave the kind unreachable in
        // dispatch and fail this test.
        use std::collections::HashSet;
        let mut witnessed: HashSet<SecretBackendKind> = HashSet::new();
        for (backend, expected_kind) in canonical_secret_backend_kind_samples() {
            let source = SecretSource::Backend(backend.clone());
            // The resolver call must not panic for any kind cell.
            let result = resolve(&source);
            match expected_kind {
                SecretBackendKind::Literal => {
                    assert!(result.is_ok(), "Literal must resolve to Ok");
                }
                _ => {
                    // The backend CLIs / native clients are not
                    // installed in this CI environment; non-Literal
                    // kinds therefore surface as Err. The point of
                    // this test is dispatch totality, not backend
                    // success — every kind cell reaches an arm.
                    let _ = result;
                }
            }
            witnessed.insert(backend.kind());
        }
        let declared: HashSet<SecretBackendKind> = SecretBackendKind::ALL.iter().copied().collect();
        assert_eq!(
            witnessed, declared,
            "every SecretBackendKind variant must be witnessed by \
             a canonical-sample backend reaching the resolve dispatch",
        );
    }

    // ── SecretSource::backend_kind ─────────────────────────────────
    // The source-side projection composes SecretBackend::kind under
    // the Backend wrapper and collapses the bare-string literal path
    // onto SecretBackendKind::Literal — the equivalence the resolve
    // dispatch table encodes by giving the SecretSource::Literal and
    // SecretSource::Backend(SecretBackend::Literal) arms identical
    // bodies.

    #[test]
    fn secret_source_backend_kind_pins_known_sources() {
        // Per-source pin: every canonical SecretSource value maps to
        // the declared SecretBackendKind cell. Exhausts the
        // 1 (top-level Literal) + every backend kind via Backend
        // wrapping.
        let cases: Vec<(SecretSource, SecretBackendKind)> = vec![
            (
                SecretSource::Literal("bare".into()),
                SecretBackendKind::Literal,
            ),
            (
                SecretSource::Backend(SecretBackend::Literal("explicit".into())),
                SecretBackendKind::Literal,
            ),
            (
                SecretSource::Backend(SecretBackend::Command("echo s".into())),
                SecretBackendKind::Command,
            ),
            (
                SecretSource::Backend(SecretBackend::Op("op://v/i/f".into())),
                SecretBackendKind::Op,
            ),
            (
                SecretSource::Backend(SecretBackend::Sops(SopsRef::File(PathBuf::from("s.yaml")))),
                SecretBackendKind::Sops,
            ),
            (
                SecretSource::Backend(SecretBackend::Akeyless("/p/s".into())),
                SecretBackendKind::Akeyless,
            ),
            (
                SecretSource::Backend(SecretBackend::Vault(VaultRef::Path("secret/p".into()))),
                SecretBackendKind::Vault,
            ),
            (
                SecretSource::Backend(SecretBackend::AwsSecret("p/s".into())),
                SecretBackendKind::AwsSecret,
            ),
            (
                SecretSource::Backend(SecretBackend::GcpSecret("projects/p/secrets/s".into())),
                SecretBackendKind::GcpSecret,
            ),
        ];
        for (source, expected) in cases {
            assert_eq!(
                source.backend_kind(),
                expected,
                "SecretSource::backend_kind must classify {source:?} as {expected:?}",
            );
        }
    }

    #[test]
    fn secret_source_backend_kind_collapses_literal_paths() {
        // The two-literal-paths equivalence pinned at the type level:
        // SecretSource::Literal(_) and SecretSource::Backend(
        // SecretBackend::Literal(_)) both project to
        // SecretBackendKind::Literal regardless of inner payload —
        // the same fact the resolve dispatch encodes by giving the
        // two arms identical bodies. Witnessed across several payload
        // strings so a future inner-payload-dependent kind would fail
        // this test.
        for payload in ["", "dev", "very-long-secret-payload-$@!"] {
            let bare = SecretSource::Literal(payload.into());
            let tagged = SecretSource::Backend(SecretBackend::Literal(payload.into()));
            assert_eq!(bare.backend_kind(), SecretBackendKind::Literal);
            assert_eq!(tagged.backend_kind(), SecretBackendKind::Literal);
            assert_eq!(bare.backend_kind(), tagged.backend_kind());
        }
    }

    #[test]
    fn secret_source_backend_kind_wraps_secret_backend_kind_on_backend_variant() {
        // The Backend arm is a pure projection over the inner
        // SecretBackend — composing SecretBackend::kind under the
        // wrapper. Lossless decomposition: reading backend_kind on
        // SecretSource::Backend(b) equals reading kind on b directly,
        // for every canonical backend sample.
        for (backend, expected) in canonical_secret_backend_kind_samples() {
            let source = SecretSource::Backend(backend.clone());
            assert_eq!(
                source.backend_kind(),
                backend.kind(),
                "SecretSource::Backend(b).backend_kind() must equal b.kind() for {backend:?}",
            );
            assert_eq!(source.backend_kind(), expected);
        }
    }

    #[test]
    fn secret_source_backend_kind_image_lies_in_secret_backend_kind_all() {
        // Cover law: every backend_kind read must be a cell of
        // SecretBackendKind::ALL — the projection cannot escape the
        // closed eight-way partition.
        use std::collections::HashSet;
        let declared: HashSet<SecretBackendKind> = SecretBackendKind::ALL.iter().copied().collect();
        let sources: Vec<SecretSource> = std::iter::once(SecretSource::Literal("bare".into()))
            .chain(
                canonical_secret_backend_kind_samples()
                    .into_iter()
                    .map(|(backend, _)| SecretSource::Backend(backend)),
            )
            .collect();
        for source in &sources {
            assert!(
                declared.contains(&source.backend_kind()),
                "SecretSource::backend_kind on {source:?} produced \
                 a kind outside SecretBackendKind::ALL",
            );
        }
    }

    #[test]
    fn secret_source_backend_kind_covers_every_secret_backend_kind() {
        // The image of SecretSource::backend_kind over the union of
        // {top-level Literal} ∪ {Backend(b) | b ∈ canonical samples}
        // equals SecretBackendKind::ALL exactly — no kind cell is
        // unreachable from a constructible SecretSource. Pins
        // surjectivity onto SecretBackendKind via SecretSource.
        use std::collections::HashSet;
        let mut witnessed: HashSet<SecretBackendKind> = HashSet::new();
        witnessed.insert(SecretSource::Literal("bare".into()).backend_kind());
        for (backend, _) in canonical_secret_backend_kind_samples() {
            witnessed.insert(SecretSource::Backend(backend).backend_kind());
        }
        let declared: HashSet<SecretBackendKind> = SecretBackendKind::ALL.iter().copied().collect();
        assert_eq!(
            witnessed, declared,
            "SecretSource::backend_kind must cover every SecretBackendKind cell",
        );
    }

    #[test]
    fn secret_source_resolve_dispatch_partitions_by_backend_kind() {
        // Structural law on the source-side surface: the resolve
        // dispatch over SecretSource partitions by
        // SecretSource::backend_kind exactly — every source value
        // routes to an arm, and the Literal kind (whether reached via
        // the top-level shorthand or via the Backend(SecretBackend::
        // Literal) tag) takes the literal-pass-through arm.
        // Strengthens the existing
        // `secret_backend_kind_resolve_dispatch_arms_partition_by_kind`
        // pin by also witnessing the SecretSource::Literal arm,
        // closing the source-axis dispatch totality.
        use std::collections::HashSet;
        let bare = SecretSource::Literal("bare".into());
        let result = resolve(&bare);
        assert!(
            matches!(result.as_deref(), Ok("bare")),
            "SecretSource::Literal must resolve to its bare payload",
        );
        assert_eq!(bare.backend_kind(), SecretBackendKind::Literal);

        let mut witnessed: HashSet<SecretBackendKind> = HashSet::new();
        witnessed.insert(bare.backend_kind());
        for (backend, expected_kind) in canonical_secret_backend_kind_samples() {
            let source = SecretSource::Backend(backend);
            let r = resolve(&source);
            if matches!(expected_kind, SecretBackendKind::Literal) {
                assert!(
                    r.is_ok(),
                    "SecretSource::Backend(SecretBackend::Literal) must resolve to Ok",
                );
            }
            // Non-Literal kinds may error in this CI environment
            // without the backend CLIs / native clients installed;
            // the partition law cares about dispatch totality, not
            // backend success.
            witnessed.insert(source.backend_kind());
        }
        let declared: HashSet<SecretBackendKind> = SecretBackendKind::ALL.iter().copied().collect();
        assert_eq!(
            witnessed, declared,
            "resolve dispatch over SecretSource must reach every \
             SecretBackendKind cell via the backend_kind projection",
        );
    }

    // ── SecretRefShape — the shared (whole × field) projection over
    // (SopsRef, VaultRef) ──────────────────────────────────────────────
    //
    // The shape axis closes the untagged-enum `*Ref` shape universe under
    // ONE typescape primitive: SopsRef::shape and VaultRef::shape both
    // project through to SecretRefShape (`'static`, data-free,
    // allocation-free, Copy + Eq + Hash + #[non_exhaustive]). Tests
    // mirror the SecretBackendKind / FigmentNameTagKind suites pointwise
    // on the cross-type extraction-shape axis — the first cross-type
    // closed-axis primitive on the typescape.

    /// Canonical sample table covering every [`SopsRef`] variant once,
    /// with the shape each must classify into.
    fn canonical_sops_ref_shape_samples() -> Vec<(SopsRef, SecretRefShape)> {
        vec![
            (
                SopsRef::File(PathBuf::from("secrets/prod.yaml")),
                SecretRefShape::Whole,
            ),
            (
                SopsRef::Field {
                    file: PathBuf::from("secrets/prod.yaml"),
                    field: "jwt_secret".into(),
                },
                SecretRefShape::Field,
            ),
        ]
    }

    /// Canonical sample table covering every [`VaultRef`] variant once,
    /// with the shape each must classify into.
    fn canonical_vault_ref_shape_samples() -> Vec<(VaultRef, SecretRefShape)> {
        vec![
            (
                VaultRef::Path("secret/data/prod/app".into()),
                SecretRefShape::Whole,
            ),
            (
                VaultRef::Field {
                    path: "secret/data/prod/app".into(),
                    field: "password".into(),
                },
                SecretRefShape::Field,
            ),
        ]
    }

    #[test]
    fn sops_ref_shape_classifies_each_variant() {
        // The forward map SopsRef → SecretRefShape is exhaustive: every
        // variant pins to exactly one shape.
        for (sops, expected) in canonical_sops_ref_shape_samples() {
            assert_eq!(
                sops.shape(),
                expected,
                "SopsRef::shape must classify {sops:?} as {expected:?}",
            );
        }
    }

    #[test]
    fn vault_ref_shape_classifies_each_variant() {
        // The forward map VaultRef → SecretRefShape is exhaustive: every
        // variant pins to exactly one shape.
        for (vault, expected) in canonical_vault_ref_shape_samples() {
            assert_eq!(
                vault.shape(),
                expected,
                "VaultRef::shape must classify {vault:?} as {expected:?}",
            );
        }
    }

    #[test]
    fn secret_ref_shape_is_data_free() {
        // Inner payload does not influence shape — every SopsRef::File
        // maps to Whole regardless of inner PathBuf; every
        // SopsRef::Field maps to Field regardless of inner file/field
        // payload; same for VaultRef.
        for path in ["", "a.yaml", "/very/long/path/to/b.json"] {
            assert_eq!(
                SopsRef::File(PathBuf::from(path)).shape(),
                SecretRefShape::Whole,
            );
        }
        for (file, field) in [("", ""), ("a.yaml", "k"), ("/p/q.json", "deeply.nested.k")] {
            assert_eq!(
                SopsRef::Field {
                    file: PathBuf::from(file),
                    field: field.into(),
                }
                .shape(),
                SecretRefShape::Field,
            );
        }
        for p in ["", "p", "secret/data/prod/app"] {
            assert_eq!(VaultRef::Path(p.into()).shape(), SecretRefShape::Whole);
        }
        for (path, field) in [("", ""), ("p", "f"), ("secret/data/x", "password")] {
            assert_eq!(
                VaultRef::Field {
                    path: path.into(),
                    field: field.into(),
                }
                .shape(),
                SecretRefShape::Field,
            );
        }
    }

    #[test]
    fn secret_ref_shape_is_static_and_copy_and_hashable() {
        // The discriminant is `'static` (no lifetime parameter), `Copy`,
        // and `Hash`-able — same trait-bounds parity as the sibling
        // typescape kind primitives.
        fn assert_static<T: 'static>() {}
        use std::collections::HashSet;
        let mut set: HashSet<SecretRefShape> = SecretRefShape::ALL.iter().copied().collect();
        set.insert(SecretRefShape::Whole); // duplicate
        assert_eq!(set.len(), SecretRefShape::ALL.len());

        // Copy: rebind without move.
        let s = SecretRefShape::Field;
        let s2 = s;
        let s3 = s;
        assert_eq!(s, s2);
        assert_eq!(s2, s3);

        assert_static::<SecretRefShape>();
    }

    #[test]
    fn secret_ref_shape_all_has_no_duplicates() {
        // The constant must be a set — no variant listed twice.
        use std::collections::HashSet;
        let set: HashSet<SecretRefShape> = SecretRefShape::ALL.iter().copied().collect();
        assert_eq!(
            set.len(),
            SecretRefShape::ALL.len(),
            "SecretRefShape::ALL must contain no duplicates; got: {:?}",
            SecretRefShape::ALL,
        );
    }

    #[test]
    fn secret_ref_shape_all_covers_both_ref_types() {
        // Subset cover: every shape produced by SopsRef::shape and
        // VaultRef::shape over the canonical sample tables lies in
        // SecretRefShape::ALL. A future ref-shape class added must
        // extend SecretRefShape and its ALL in the same commit;
        // otherwise this test fails.
        use std::collections::HashSet;
        let declared: HashSet<SecretRefShape> = SecretRefShape::ALL.iter().copied().collect();
        let observed: HashSet<SecretRefShape> = canonical_sops_ref_shape_samples()
            .iter()
            .map(|(s, _)| s.shape())
            .chain(
                canonical_vault_ref_shape_samples()
                    .iter()
                    .map(|(v, _)| v.shape()),
            )
            .collect();
        assert!(
            observed.is_subset(&declared),
            "SopsRef::shape ∪ VaultRef::shape image must lie in \
             SecretRefShape::ALL; observed: {observed:?}, declared: {declared:?}",
        );
    }

    #[test]
    fn secret_ref_shape_all_equals_union_of_ref_images() {
        // Tight equality (stronger than subset cover): every variant in
        // SecretRefShape::ALL is witnessed by at least one ref shape —
        // no orphan variant in the declared shape space lacks a
        // producing ref type. Together with the per-type
        // classify_each_variant tests, this pins the cross-type
        // surjectivity law: the union of both ref-type images covers
        // the whole shape axis.
        use std::collections::HashSet;
        let declared: HashSet<SecretRefShape> = SecretRefShape::ALL.iter().copied().collect();
        let observed: HashSet<SecretRefShape> = canonical_sops_ref_shape_samples()
            .iter()
            .map(|(s, _)| s.shape())
            .chain(
                canonical_vault_ref_shape_samples()
                    .iter()
                    .map(|(v, _)| v.shape()),
            )
            .collect();
        assert_eq!(
            observed, declared,
            "(SopsRef ∪ VaultRef)::shape image must equal SecretRefShape::ALL",
        );
    }

    #[test]
    fn secret_ref_shape_sops_and_vault_agree_pointwise() {
        // The cross-type equivalence law: SopsRef::Field and
        // VaultRef::Field project to the SAME SecretRefShape cell
        // (Field), and SopsRef::File and VaultRef::Path project to the
        // same cell (Whole). This is the structural fact the lift
        // names at the type level — before this primitive, the two
        // ref types' shape axes were typed independently and could
        // drift; pinning the pointwise agreement closes the cross-type
        // shape-axis discipline.
        assert_eq!(
            SopsRef::File(PathBuf::from("a")).shape(),
            VaultRef::Path("a".into()).shape(),
        );
        assert_eq!(
            SopsRef::Field {
                file: PathBuf::from("a"),
                field: "k".into(),
            }
            .shape(),
            VaultRef::Field {
                path: "a".into(),
                field: "k".into(),
            }
            .shape(),
        );
    }

    #[test]
    fn secret_ref_shape_all_declaration_order_matches_ref_variants() {
        // Pin declaration order. Both SopsRef and VaultRef list the
        // whole-payload shorthand variant first (File/Path) and the
        // field-extraction variant second; SecretRefShape::ALL matches
        // pointwise (Whole, Field). Consumers iterating ALL get a
        // stable order matching both ref-type variant declaration
        // orders; reordering the slice is a breaking change that must
        // show up here.
        assert_eq!(
            SecretRefShape::ALL,
            &[SecretRefShape::Whole, SecretRefShape::Field]
        );
    }

    #[test]
    fn secret_ref_shape_as_str_yields_canonical_lowercase_names() {
        // Concrete-position pin on SecretRefShape::as_str: the two
        // canonical labels at one site. The trait-uniform round-trip
        // test in `cube::tests` pins the labels equal pairwise under
        // from_canonical_str, but this test pins the literal string
        // values themselves so a future rename (e.g. `"bare"` for
        // Whole, capitalizing `"Field"`) would fail here before
        // drifting through the round-trip law.
        assert_eq!(SecretRefShape::Whole.as_str(), "whole");
        assert_eq!(SecretRefShape::Field.as_str(), "field");
    }
}