test(credentials): extend encryption integration tests with AAD, mixed, and re-encryption #922

Merged
aaight merged 1 commit into dev from feature/credential-encryption-integration-tests on Mar 16, 2026

@aaight commented Mar 16, 2026

Summary

Extends tests/integration/db/credentialResolution.test.ts with 3 new test scenarios for credential encryption edge cases:

  • Multi-project AAD isolation: Seeds two projects with the same credential key name, encrypts both, verifies each project reads its own value and that the raw ciphertexts differ (different projectId as AAD produces distinct ciphertext)
  • Mixed plaintext/encrypted: Writes one credential via writeProjectCredential (encrypted) and one via upsertProjectCredential (plaintext), verifies both are readable via getAllProjectCredentials() and listProjectCredentials() — transparent format handling
  • Upsert re-encryption: Writes an encrypted credential, captures the raw enc:v1:<iv>:... IV, overwrites with a new value, verifies the IV changed (fresh randomBytes on every write)

All 3 existing tests continue to pass (no regressions). 9/9 integration tests pass.

Test plan

  • multi-project AAD isolation passes — cross-project credential contamination impossible
  • mixed plaintext/encrypted passes — both formats transparently handled
  • upsert re-encryption passes — fresh IV verified via raw DB inspection
  • All existing encryption/decryption tests still pass
  • Full unit suite (293 files, 5438 tests) passes — no regressions
  • Lint clean (biome check)
  • Type check passes (tsc --noEmit)

Card: https://trello.com/c/LuCJsbqJ/425-as-a-developer-i-want-extended-credential-encryption-integration-tests-so-that-multi-project-aad-isolation-mixed-plaintext-encry

🤖 Generated with Claude Code

🕵️ claude-code · claude-sonnet-4-6 · run details

@nhopeatall nhopeatall left a comment

LGTM — Three well-designed integration tests that cover important encryption edge cases (AAD isolation, mixed-format handling, fresh IV on re-encryption). The tests correctly use the production APIs and verify behavior at both the application layer and raw DB storage layer. The IV parsing logic correctly indexes into the enc:v1:<iv>:<tag>:<data> format, the upsertProjectCredential usage to simulate pre-encryption plaintext is the right approach, and all assertions match the actual implementation behavior in crypto.ts and credentialsRepository.ts. All CI checks pass.

🕵️ claude-code · claude-opus-4-6 · run details

@aaight aaight merged commit 355db84 into dev Mar 16, 2026
6 checks passed
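
The three properties these tests check (projectId bound as AAD, legacy plaintext rows read transparently, a fresh IV on every write), as an added TypeScript example that is not the project's crypto.ts or credentialsRepository.ts code. AES-256-GCM, the 12-byte IV, hex field encoding and the names encryptCredential, readCredential, ivOf and demo are assumptions; the page only shows the enc:v1:<iv>:<tag>:<data> layout. It also goes one step past the described test by showing that a row decrypted under another project's AAD is rejected.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumed: AES-256-GCM, 12-byte IV, hex fields. Only the enc:v1:<iv>:<tag>:<data> layout is from the page.
const PREFIX = "enc:v1:";

function encryptCredential(key: Buffer, projectId: string, plaintext: string): string {
  const iv = randomBytes(12); // fresh IV on every write
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(projectId, "utf8")); // bind the ciphertext to its project
  const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return PREFIX + [iv, tag, data].map((b) => b.toString("hex")).join(":");
}

function readCredential(key: Buffer, projectId: string, stored: string): string {
  if (!stored.startsWith(PREFIX)) return stored; // legacy plaintext row passes through
  const parts = stored.slice(PREFIX.length).split(":");
  if (parts.length !== 3) throw new Error("malformed enc:v1 value");
  const [iv, tag, data] = parts.map((p) => Buffer.from(p, "hex"));
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(Buffer.from(projectId, "utf8"));
  decipher.setAuthTag(tag);
  // final() throws if the key, AAD, tag or data do not match
  return Buffer.concat([decipher.update(data), decipher.final()]).toString("utf8");
}

function ivOf(stored: string): string {
  return stored.split(":")[2]; // ["enc", "v1", iv, tag, data]
}

function demo() {
  const key = randomBytes(32); // constructed sample key and values
  const a = encryptCredential(key, "project-a", "token-A");
  const b = encryptCredential(key, "project-b", "token-B");
  const rewritten = encryptCredential(key, "project-a", "token-A2");
  let crossProjectRejected = false;
  try { readCredential(key, "project-b", a); } catch { crossProjectRejected = true; }
  return {
    ownValues: [readCredential(key, "project-a", a), readCredential(key, "project-b", b)],
    crossProjectRejected,
    ivChanged: ivOf(a) !== ivOf(rewritten),
    plaintextPassthrough: readCredential(key, "project-a", "legacy-plaintext"),
  };
}
```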