passes tests now!

2025-06-20 07:24:48 -07:00
parent 0b31fba663
commit 004dce5472
19 changed files with 165 additions and 756 deletions


@@ -11,6 +11,7 @@ import (
"time"
"git.eeqj.de/sneak/secret/internal/cli"
"git.eeqj.de/sneak/secret/internal/secret"
"git.eeqj.de/sneak/secret/pkg/agehd"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@@ -50,10 +51,13 @@ func TestMain(m *testing.M) {
// all functionality of the secret manager using a real filesystem in a temporary directory.
// This test serves as both validation and documentation of the program's behavior.
func TestSecretManagerIntegration(t *testing.T) {
// Enable debug logging to diagnose test failures
// Enable debug logging to diagnose issues
os.Setenv("GODEBUG", "berlin.sneak.pkg.secret")
defer os.Unsetenv("GODEBUG")
// Reinitialize debug logging to pick up the environment variable change
secret.InitDebugLogging()
// Test configuration
testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
testPassphrase := "test-passphrase-123"
@@ -349,10 +353,18 @@ func test01Initialize(t *testing.T, tempDir, testMnemonic, testPassphrase string
currentUnlockerFile := filepath.Join(defaultVaultDir, "current-unlocker")
verifyFileExists(t, currentUnlockerFile)
// Read the current-unlocker file to see what it contains
currentUnlockerContent := readFile(t, currentUnlockerFile)
// The file likely contains the unlocker ID
assert.Contains(t, string(currentUnlockerContent), "passphrase", "current unlocker should be passphrase type")
// Read the current-unlocker symlink to see what it points to
symlinkTarget, err := os.Readlink(currentUnlockerFile)
if err != nil {
t.Logf("DEBUG: failed to read symlink %s: %v", currentUnlockerFile, err)
// Fallback to reading as file if it's not a symlink
currentUnlockerContent := readFile(t, currentUnlockerFile)
t.Logf("DEBUG: current-unlocker file content: %q", string(currentUnlockerContent))
assert.Contains(t, string(currentUnlockerContent), "passphrase", "current unlocker should be passphrase type")
} else {
t.Logf("DEBUG: current-unlocker symlink points to: %q", symlinkTarget)
assert.Contains(t, symlinkTarget, "passphrase", "current unlocker should be passphrase type")
}
// Verify vault-metadata.json in vault
vaultMetadata := filepath.Join(defaultVaultDir, "vault-metadata.json")
@@ -1006,6 +1018,7 @@ func test13UnlockerManagement(t *testing.T, tempDir, testMnemonic string, runSec
// List unlockers
output, err := runSecret("unlockers", "list")
require.NoError(t, err, "unlockers list should succeed")
t.Logf("DEBUG: unlockers list output: %q", output)
// Should have the passphrase unlocker created during init
assert.Contains(t, output, "passphrase", "should have passphrase unlocker")
@@ -1034,6 +1047,7 @@ func test13UnlockerManagement(t *testing.T, tempDir, testMnemonic string, runSec
}
// Note: This might still show 1 if the implementation doesn't support multiple passphrase unlockers
// Just verify we have at least 1
t.Logf("DEBUG: passphrase count: %d, output lines: %v", passphraseCount, lines)
assert.GreaterOrEqual(t, passphraseCount, 1, "should have at least 1 passphrase unlocker")
// Test JSON output
@@ -1309,6 +1323,7 @@ func test18AgeKeyOperations(t *testing.T, tempDir, secretPath, testMnemonic stri
"SB_SECRET_MNEMONIC": testMnemonic,
}, "encrypt", "encryption/key", "--input", testFile)
require.NoError(t, err, "encrypt to stdout should succeed")
t.Logf("DEBUG: encrypt output: %q", output)
assert.Contains(t, output, "age-encryption.org", "should output age format")
// Test that the age key was stored as a secret
@@ -1804,10 +1819,10 @@ func test28VaultMetadata(t *testing.T, tempDir string) {
require.NoError(t, err, "default vault metadata should be valid JSON")
// Verify required fields
assert.Equal(t, "default", defaultMetadata["name"])
assert.Equal(t, float64(0), defaultMetadata["derivation_index"])
assert.Contains(t, defaultMetadata, "createdAt")
assert.Contains(t, defaultMetadata, "public_key_hash")
assert.Contains(t, defaultMetadata, "mnemonic_family_hash")
// Check work vault metadata
workMetadataPath := filepath.Join(tempDir, "vaults.d", "work", "vault-metadata.json")
@@ -1819,13 +1834,12 @@ func test28VaultMetadata(t *testing.T, tempDir string) {
require.NoError(t, err, "work vault metadata should be valid JSON")
// Work vault should have different derivation index
assert.Equal(t, "work", workMetadata["name"])
workIndex := workMetadata["derivation_index"].(float64)
assert.NotEqual(t, float64(0), workIndex, "work vault should have non-zero derivation index")
// Both vaults created with same mnemonic should have same public_key_hash
assert.Equal(t, defaultMetadata["public_key_hash"], workMetadata["public_key_hash"],
"vaults from same mnemonic should have same public_key_hash")
// Both vaults created with same mnemonic should have same mnemonic_family_hash
assert.Equal(t, defaultMetadata["mnemonic_family_hash"], workMetadata["mnemonic_family_hash"],
"vaults from same mnemonic should have same mnemonic_family_hash")
}
func test29SymlinkHandling(t *testing.T, tempDir, secretPath, testMnemonic string) {
@@ -2025,7 +2039,7 @@ func test31EnvMnemonicUsesVaultDerivationIndex(t *testing.T, tempDir, secretPath
// This is the expected behavior with the current bug
assert.Error(t, err, "get should fail due to wrong derivation index")
assert.Contains(t, getOutput, "failed to decrypt", "should indicate decryption failure")
assert.Contains(t, getOutput, "derived public key does not match vault", "should indicate key derivation failure")
// Document what should happen when the bug is fixed
t.Log("When the bug is fixed, GetValue should read vault metadata and use derivation index 1")
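Review bot: The new current-unlocker check in test01Initialize (the `os.Readlink` block) passes whether the path is a symlink or a regular file, so the test no longer pins which on-disk form the vault uses and a change from one to the other would go unnoticed. The symlink branch also only substring-matches the raw link target for "passphrase", so a link that resolves outside `defaultVaultDir` would still satisfy it. If a symlink is the intended format (the fallback suggests this is not settled), require it and check where the target resolves, as sketched below; the `DEBUG:` `t.Logf` lines can be dropped at the same time. test01Initialize starts and ends outside the hunk.

```go
// … unchanged: verifyFileExists(t, currentUnlockerFile) …
symlinkTarget, err := os.Readlink(currentUnlockerFile)
require.NoError(t, err, "current-unlocker should be a symlink")
resolved := symlinkTarget
if !filepath.IsAbs(resolved) {
	resolved = filepath.Join(filepath.Dir(currentUnlockerFile), resolved)
}
rel, err := filepath.Rel(defaultVaultDir, resolved)
require.NoError(t, err, "current-unlocker target should be relative to the vault directory")
assert.True(t, filepath.IsLocal(rel), "current unlocker should resolve inside the vault directory")
assert.Contains(t, symlinkTarget, "passphrase", "current unlocker should be passphrase type")
```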