Skip to content

Add a security test that the generated config doc contains no env-var values #12

Description

@ivklgn

Problem

The init config-detection step is required to record environment-variable names and purpose only, never values, so secrets never land in Git. But the current test (test/structure/init-skill.bats) only greps detect-config.md for the literal authoring rule "NEVER VALUES" — it never runs the flow and never inspects a produced config document, so an actual leak would pass CI.

Expected result

A runtime test that runs the config-detection path against a fixture with a populated .env.example and asserts the produced config document contains variable names/purpose only, with no environment-variable values.

Impact

Turns a documented authoring rule into an enforced guarantee, protecting users from .env values leaking into version control through onboarding.

Proposed approach

  • Add a fixture with a populated .env.example (reuse the init fixtures where possible).
  • Assert the generated config doc contains no values.

Acceptance criteria

  • A config document generated from a populated .env.example contains no values; the test fails if any value appears.

References

Design rationale: .archcore/plugin/magic-first-day-init.plan.md (M6, acceptance criterion 5). Code: plugins/archcore/skills/init/lib/detect-config.md. Depends on a config fixture (see the init fixtures issue).

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:onboarding/archcore:init and first-run experiencearea:testsTest suite (bats fixtures/harness)good first issueGood for newcomerspriority:P2Valuable follow-upsize:SA few hours

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions