1package config
2
3import (
4 "fmt"
5 "maps"
6 "os"
7 "path/filepath"
8 "slices"
9 "strings"
10 "testing"
11
12 "github.com/charmbracelet/crush/internal/env"
13 "github.com/stretchr/testify/require"
14)
15
16// These tests exercise the full shell-expansion path (no mocks,
17// no injected Expander) to catch regressions that only surface when
18// internal/shell actually runs the value. Table-level unit tests with
19// fake expanders live in resolve_test.go.
20
21// realShellResolver builds a resolver backed by a shell env that
22// contains PATH + the caller-supplied overrides. Production callers
23// get PATH for free via env.New(); these tests need it so $(cat ...)
24// and similar inner commands can resolve.
25func realShellResolver(vars map[string]string) VariableResolver {
26 m := map[string]string{"PATH": os.Getenv("PATH")}
27 maps.Copy(m, vars)
28 return NewShellVariableResolver(env.NewFromMap(m))
29}
30
31func writeTempFile(t *testing.T, content string) string {
32 t.Helper()
33 dir := t.TempDir()
34 p := filepath.Join(dir, "secret")
35 require.NoError(t, os.WriteFile(p, []byte(content), 0o600))
36 return p
37}
38
39// TestResolvedEnv_RealShell_Success covers the shell constructs the
40// PLAN calls out: $(cat tempfile) with and without trailing newline,
41// ${VAR:-default} for unset vars, literal-space preservation around
42// $(...), nested parens, quoted args inside $(echo ...), and a
43// glob-like literal round-tripping unchanged.
44func TestResolvedEnv_RealShell_Success(t *testing.T) {
45 t.Parallel()
46
47 // filepath.ToSlash so Windows temp paths (C:\Users\...) survive
48 // being injected into a shell command string — the embedded shell
49 // treats backslashes as escapes, forward slashes work on every OS.
50 withNL := filepath.ToSlash(writeTempFile(t, "token-with-nl\n"))
51 noNL := filepath.ToSlash(writeTempFile(t, "token-no-nl"))
52
53 m := MCPConfig{
54 Env: map[string]string{
55 // POSIX strips exactly one trailing newline from $(...)
56 // output, so both forms land on the same value.
57 "TOK_NL": fmt.Sprintf("$(cat %s)", withNL),
58 "TOK_NO": fmt.Sprintf("$(cat %s)", noNL),
59
60 // ${VAR:-default} must not error on unset: this is the
61 // opt-in escape hatch for "empty is fine".
62 "FALLBACK": "${MCP_MISSING:-fallback}",
63
64 // Leading/trailing literal spaces around $(...) must be
65 // preserved — single-value contract, no field splitting.
66 "PADDED": " $(echo v) ",
67
68 // ")" inside a quoted arg to echo is a regression guard
69 // for the old hand-rolled paren matcher.
70 "PAREN": `$(echo ")")`,
71
72 // Embedded space inside a quoted arg must survive
73 // verbatim; no word-splitting side effect.
74 "SPACEY": `$(echo "a b")`,
75
76 // Glob-like literals must not expand.
77 "GLOB": "*.go",
78 },
79 }
80
81 got, err := m.ResolvedEnv(realShellResolver(nil))
82 require.NoError(t, err)
83
84 // ResolvedEnv returns "KEY=value" sorted by key.
85 want := []string{
86 "FALLBACK=fallback",
87 "GLOB=*.go",
88 "PADDED= v ",
89 "PAREN=)",
90 "SPACEY=a b",
91 "TOK_NL=token-with-nl",
92 "TOK_NO=token-no-nl",
93 }
94 require.Equal(t, want, got)
95}
96
97// TestResolvedEnv_RealShell_DoesNotMutate pins that both success and
98// failure paths leave m.Env untouched. Prior behaviour rewrote the
99// value in place on error; that was the exact mechanism that shipped
100// empty credentials to MCP servers.
101func TestResolvedEnv_RealShell_DoesNotMutate(t *testing.T) {
102 t.Parallel()
103
104 t.Run("success path leaves Env untouched", func(t *testing.T) {
105 t.Parallel()
106 m := MCPConfig{Env: map[string]string{"TOKEN": "$(echo shh)"}}
107 orig := maps.Clone(m.Env)
108
109 _, err := m.ResolvedEnv(realShellResolver(nil))
110 require.NoError(t, err)
111 require.Equal(t, orig, m.Env)
112 })
113
114 t.Run("failure path leaves Env untouched", func(t *testing.T) {
115 t.Parallel()
116 m := MCPConfig{Env: map[string]string{"BROKEN": "$(false)"}}
117 orig := maps.Clone(m.Env)
118
119 _, err := m.ResolvedEnv(realShellResolver(nil))
120 require.Error(t, err)
121 require.Equal(t, orig, m.Env, "map must be preserved on error")
122 })
123}
124
125// TestResolvedEnv_RealShell_Idempotent pins the pure-function contract:
126// two calls on the same config return deeply-equal slices.
127func TestResolvedEnv_RealShell_Idempotent(t *testing.T) {
128 t.Parallel()
129
130 m := MCPConfig{
131 Env: map[string]string{
132 "A": "$(echo one)",
133 "B": "$(echo two)",
134 "C": "literal",
135 },
136 }
137 r := realShellResolver(nil)
138
139 first, err := m.ResolvedEnv(r)
140 require.NoError(t, err)
141 second, err := m.ResolvedEnv(r)
142 require.NoError(t, err)
143 require.Equal(t, first, second)
144}
145
146// TestResolvedEnv_RealShell_Deterministic guards against Go's
147// randomized map iteration leaking into the returned slice order.
148func TestResolvedEnv_RealShell_Deterministic(t *testing.T) {
149 t.Parallel()
150
151 m := MCPConfig{Env: map[string]string{
152 "Z": "z",
153 "A": "a",
154 "M": "m",
155 }}
156
157 got, err := m.ResolvedEnv(realShellResolver(nil))
158 require.NoError(t, err)
159 require.True(t, slices.IsSorted(got), "env slice must be sorted; got %v", got)
160}
161
162// TestResolvedEnv_RealShell_UnsetExpandsEmpty pins Phase 2's lenient
163// default: an unset bare $VAR expands to the empty string, matching
164// bash. The silent-empty-credential class of bug that motivated Phase
165// 1's nounset-on default is already prevented by the pure-function
166// error-returning contract of ResolvedEnv, so we no longer rely on
167// nounset to catch typo'd variable names. Users who want strict
168// behaviour for a required credential opt in per-reference with
169// ${VAR:?msg}; see TestResolvedEnv_RealShell_ColonQuestionIsStrict.
170func TestResolvedEnv_RealShell_UnsetExpandsEmpty(t *testing.T) {
171 t.Parallel()
172
173 m := MCPConfig{Env: map[string]string{
174 // Intentional typo: user meant $FORGEJO_TOKEN. Under Phase 2
175 // defaults this expands to "" rather than erroring, matching
176 // bash's behaviour on bare $VAR.
177 "FORGEJO_ACCESS_TOKEN": "$FORGJO_TOKEN",
178 }}
179 got, err := m.ResolvedEnv(realShellResolver(nil))
180 require.NoError(t, err, "unset var must expand to empty, not error")
181 require.Equal(t, []string{"FORGEJO_ACCESS_TOKEN="}, got)
182}
183
184// TestResolvedEnv_RealShell_ColonQuestionIsStrict pins the opt-in
185// strictness contract: ${VAR:?msg} must hard-error when VAR is unset,
186// regardless of the global NoUnset toggle. This is the recommended
187// mechanism for required credentials under the lenient default, so a
188// future refactor that accidentally swallows ${VAR:?...} errors would
189// silently ship empty tokens to MCP servers again.
190func TestResolvedEnv_RealShell_ColonQuestionIsStrict(t *testing.T) {
191 t.Parallel()
192
193 m := MCPConfig{Env: map[string]string{
194 "FORGEJO_ACCESS_TOKEN": "${FORGJO_TOKEN:?set FORGJO_TOKEN}",
195 }}
196 got, err := m.ResolvedEnv(realShellResolver(nil))
197 require.Error(t, err, "${VAR:?msg} must error when VAR is unset")
198 require.Nil(t, got)
199 // The resolver wraps with the env key and the user-written
200 // template; the inner shell error carries the :? message so
201 // users learn which credential is missing and why.
202 msg := err.Error()
203 require.Contains(t, msg, "FORGEJO_ACCESS_TOKEN")
204 require.Contains(t, msg, "${FORGJO_TOKEN:?set FORGJO_TOKEN}")
205 require.Contains(t, msg, "set FORGJO_TOKEN")
206}
207
208// TestResolvedEnv_RealShell_FailureDetail pins that a failing inner
209// command surfaces enough detail (exit code + stderr on POSIX, the
210// underlying OS error on Windows where coreutils runs in-process) to
211// diagnose without forcing the user to re-run the command by hand.
212// Also verifies the template is included so they know which Env
213// entry blew up.
214func TestResolvedEnv_RealShell_FailureDetail(t *testing.T) {
215 t.Parallel()
216
217 // Forward slashes so the path survives shell-string injection on
218 // Windows; see TestResolvedEnv_RealShell_Success for the same note.
219 missing := filepath.ToSlash(filepath.Join(t.TempDir(), "definitely-not-here"))
220 m := MCPConfig{Env: map[string]string{
221 "FORGEJO_ACCESS_TOKEN": fmt.Sprintf("$(cat %s)", missing),
222 }}
223
224 _, err := m.ResolvedEnv(realShellResolver(nil))
225 require.Error(t, err)
226 msg := err.Error()
227 require.Contains(t, msg, "FORGEJO_ACCESS_TOKEN", "must identify the failing env var")
228 require.Contains(t, msg, missing, "must include the template so users see what failed")
229
230 // Inner diagnostic detail must survive. POSIX surfaces "exit
231 // status N" + stderr; Windows' in-process coreutils surfaces the
232 // Go OS error instead. Accept either shape so the test is
233 // portable without weakening the intent.
234 lower := strings.ToLower(msg)
235 hasDetail := strings.Contains(lower, "exit status") ||
236 strings.Contains(lower, "no such file") ||
237 strings.Contains(lower, "cannot find")
238 require.True(t, hasDetail, "must surface inner error detail: %s", msg)
239}
240
241// TestResolvedHeaders_RealShell_FailurePreservesOriginal pins two
242// invariants simultaneously: on failure the returned map is nil (not
243// a partially-populated map) and the receiver's Headers map is
244// unchanged. A test that only asserted on the returned value could
245// hide an in-place mutation regression.
246func TestResolvedHeaders_RealShell_FailurePreservesOriginal(t *testing.T) {
247 t.Parallel()
248
249 m := MCPConfig{Headers: map[string]string{
250 "Authorization": "Bearer $(false)",
251 "X-Static": "kept",
252 }}
253 orig := maps.Clone(m.Headers)
254
255 got, err := m.ResolvedHeaders(realShellResolver(nil))
256 require.Error(t, err)
257 require.Nil(t, got, "headers map must be nil on failure")
258 require.Contains(t, err.Error(), "header Authorization")
259 require.Equal(t, orig, m.Headers, "receiver Headers must be preserved")
260}
261
262// TestResolvedArgs_RealShell exercises both success and failure for
263// m.Args symmetrically with Env. Args are ordered so error messages
264// must identify a positional index, not a key.
265func TestResolvedArgs_RealShell(t *testing.T) {
266 t.Parallel()
267
268 t.Run("success expands each element", func(t *testing.T) {
269 t.Parallel()
270 m := MCPConfig{Args: []string{"--token", "$(echo shh)", "--host", "example.com"}}
271 got, err := m.ResolvedArgs(realShellResolver(nil))
272 require.NoError(t, err)
273 require.Equal(t, []string{"--token", "shh", "--host", "example.com"}, got)
274 })
275
276 t.Run("failure identifies offending index", func(t *testing.T) {
277 t.Parallel()
278 m := MCPConfig{Args: []string{"--token", "$(false)"}}
279 orig := slices.Clone(m.Args)
280
281 got, err := m.ResolvedArgs(realShellResolver(nil))
282 require.Error(t, err)
283 require.Nil(t, got)
284 require.Contains(t, err.Error(), "arg 1")
285 require.Equal(t, orig, m.Args, "receiver Args must be preserved")
286 })
287
288 t.Run("nil args returns nil, no error", func(t *testing.T) {
289 t.Parallel()
290 m := MCPConfig{}
291 got, err := m.ResolvedArgs(realShellResolver(nil))
292 require.NoError(t, err)
293 require.Nil(t, got)
294 })
295}
296
297// TestMCPConfig_IdentityResolver pins the client-mode contract: every
298// Resolved* method round-trips the template verbatim and never errors
299// on unset variables. Local expansion would double-expand when the
300// server does its own — this has to stay a pure pass-through.
301func TestMCPConfig_IdentityResolver(t *testing.T) {
302 t.Parallel()
303
304 m := MCPConfig{
305 Command: "$CMD",
306 Args: []string{"--token", "$MCP_MISSING_TOKEN", "$(vault read -f secret)"},
307 Env: map[string]string{
308 "TOKEN": "$(cat /run/secrets/x)",
309 "HOST": "$MCP_MISSING_HOST",
310 },
311 Headers: map[string]string{
312 "Authorization": "Bearer $(vault read -f token)",
313 },
314 URL: "https://$MCP_HOST/$(vault read -f path)",
315 }
316 r := IdentityResolver()
317
318 args, err := m.ResolvedArgs(r)
319 require.NoError(t, err)
320 require.Equal(t, m.Args, args)
321
322 envs, err := m.ResolvedEnv(r)
323 require.NoError(t, err)
324 // Sorted "KEY=value".
325 require.Equal(t, []string{
326 "HOST=$MCP_MISSING_HOST",
327 "TOKEN=$(cat /run/secrets/x)",
328 }, envs)
329
330 headers, err := m.ResolvedHeaders(r)
331 require.NoError(t, err)
332 require.Equal(t, m.Headers, headers)
333
334 u, err := m.ResolvedURL(r)
335 require.NoError(t, err)
336 require.Equal(t, m.URL, u)
337}