feat(link-auth): slice 4 — GIT_* scrubbing, ALLOW_COMMAND opt-out, system test, contributor docs (issue #113)#138
Conversation
Replace three implementation-dense slice entries (covering internal file names, test counts, and design section refs) with one clear entry that answers "what can I do and how do I configure it": built-in github/sharepoint macros, the five LINK_AUTH_* codes and their meanings, per-user CI-safe cache scoping, and the fetchAuthenticated() content-fetch primitive. Also removes the stale "not yet wired" Internal entry for slice 1. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…stem test, contributor docs (issue #113) - Strip GIT_* env vars in defaultRunCommand so `gh auth token` works from inside git pre-commit hooks where GIT_DIR/GIT_WORK_TREE are set - Add allowCommand field to TokenResolutionDeps (default: env var VAT_LINKAUTH_ALLOW_COMMAND !== '0'); command sources are skipped when false — escape hatch for security-sensitive CI environments - Add cross-platform system test exercising real git/gh binaries through resolveToken (covers .cmd shim path on Windows) - Add contributor guide at docs/contributing/vat-linkauth-contributing.md - Bump version to 0.1.40-rc.1 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #138 +/- ##
==========================================
+ Coverage 83.80% 83.84% +0.03%
==========================================
Files 272 272
Lines 21198 21205 +7
Branches 4393 4400 +7
==========================================
+ Hits 17765 17779 +14
+ Misses 3433 3426 -7
🚀 New features to boost your workflow:
|
No behavior change to shipping features (GIT_* scrubbing, ALLOW_COMMAND opt-out). Quality pass on tests, docs, and CHANGELOG framing after two independent agent review passes plus a duplication check. Key deltas: - System test now behaviorally verifies GIT_* scrubbing (whitebox `node -e` echo of child env) — the previous `git --version` case was a false-positive that would pass even with scrubbing removed. Confirmed by regression run. - Extend scrub test with a mixed-case var (Git_Index_File) to exercise the toUpperCase() branch on Windows. - Add positive-case env-forwarding test — guards against a future over-scrub that would silently pass the scrub tests but break PATH/HOME forwarding. - Case-insensitive GIT_* filter (toUpperCase().startsWith) for Windows defense. - Contributor doc: fix file paths (macros.yaml not provider-macros.ts, transforms.ts not transform-allowlist.ts, integration test location) and switch macro-adding example from TS to YAML to match how macros actually ship. - Delete duplicate `allowCommand: true` unit test — makeDeps defaults it, so every command-source test above already covers the allow-true path. - Rename misleading "resolves a token via real git binary" tests to "dispatches to real git binary (cross-platform smoke)" — git --version returns version text, not a token. - Move contributor-guide CHANGELOG entry from ### Added to ### Internal to match prior 0.1.39 convention for developer-facing docs. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
… defaultRunCommand Extracts the case-insensitive GIT_* env filter from defaultRunCommand into an exported pure helper (`scrubGitEnv`). Adds: - Unit tests for scrubGitEnv (5 cases: uppercase strip, mixed-case strip for Windows defense, non-GIT preservation, substring-not-matched guard, empty input) - Unit tests for defaultRunCommand itself via vi.mock on safe-exec (empty-argv short-circuit, main spawn path with env-scrub assertion, Buffer→string stdout coercion) Also removes an accumulated-edit duplicate comment on the case-insensitive filter (was written twice due to earlier edit history). Codecov context: the prior slice-4 patch was flagged at 33% coverage because defaultRunCommand's env-scrub lines were only exercised by system tests (real spawn), which codecov doesn't measure. Extracting the pure helper lets the filter be tested directly; vi.mock covers the remaining spawn composition. No behavior change to shipping features. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
Independent review follow-up (post-merge)Reviewed this PR in an isolated worktree after merge, plus a broader look at the linkAuth workstream (#113 slices 1–4) prompted by a downstream bundler report about 1. [Bug, Med]
|



Summary
defaultRunCommand*: strips allGIT_DIR,GIT_WORK_TREE, and related vars before spawning token commands, sogh auth tokenworks correctly from inside git pre-commit hooks (where git pre-sets these vars and confuses nested git calls)VAT_LINKAUTH_ALLOW_COMMAND=0opt-out: newallowCommandfield inTokenResolutionDeps; defaults toprocess.env['VAT_LINKAUTH_ALLOW_COMMAND'] !== '0'; command sources are silently skipped when false — escape hatch for security-sensitive CI environmentspackages/utils/test/system/link-auth-token-dispatch.system.test.ts: exercises realgitandghbinaries throughresolveTokenwith no injected deps; includes a whitebox GIT_DIR scrubbing check and aVAT_LINKAUTH_ALLOW_COMMAND=0real-process-env checkdocs/contributing/vat-linkauth-contributing.md: engine vocabulary, how to add a new provider macro, token resolution mechanics, GIT_* scrubbing rationale, testing requirements, code style notes0.1.40-rc.1Test plan
bun run test:unit— 26 unit tests forresolve-token.ts(6 new forallowCommand)bun run test:system— 6 new system tests inlink-auth-token-dispatch.system.test.ts(all green locally, including GIT_DIR scrubbing whitebox check andVAT_LINKAUTH_ALLOW_COMMAND=0real-env check).cmdshim dispatch throughshouldUseShellinsafe-exec.tsvat resources validateinside a git pre-commit hook on a repo withresources.linkAuth.providers[*].use: githubconfigured;gh auth tokenshould resolve correctlyCloses #113 (slice 4 of 4).
🤖 Generated with Claude Code