Fix vault creation to require mnemonic and set up initial unlocker

- Vault creation now prompts for mnemonic if not in environment - Automatically creates passphrase unlocker during vault creation - Prevents 'missing public key' error when adding secrets to new vaults - Updates tests to reflect new vault creation flow
2025-07-26 21:58:57 +02:00
parent a6f24e9581
commit 75c3d22b62
9 changed files with 558 additions and 90 deletions
--- a/internal/cli/integration_test.go
+++ b/internal/cli/integration_test.go
@@ -18,6 +18,11 @@ import (
 	"github.com/stretchr/testify/require"
 )

+const (
+	// testMnemonic is a standard BIP39 mnemonic used for testing
+	testMnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
+)
+
 // TestMain runs before all tests and ensures the binary is built
 func TestMain(m *testing.M) {
 	// Get the current working directory
@@ -60,7 +65,6 @@ func TestSecretManagerIntegration(t *testing.T) {
 	}

 	// Test configuration
-	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	testPassphrase := "test-passphrase-123"

 	// Create a temporary directory for our vault
@@ -125,7 +129,8 @@ func TestSecretManagerIntegration(t *testing.T) {
 	//   - work vault has pub.age file
 	//   - work vault has unlockers.d/passphrase directory
 	//   - Unlocker metadata and encrypted keys present
-	test04ImportMnemonic(t, tempDir, testMnemonic, testPassphrase, runSecretWithEnv)
+	// NOTE: Skipped because vault creation now includes mnemonic import
+	// test04ImportMnemonic(t, tempDir, testMnemonic, testPassphrase, runSecretWithEnv)

 	// Test 5: Add secrets with versioning
 	// Command: echo "password123" | secret add database/password
@@ -452,6 +457,12 @@ func test02ListVaults(t *testing.T, runSecret func(...string) (string, error)) {
 }

 func test03CreateVault(t *testing.T, tempDir string, runSecret func(...string) (string, error)) {
+	// Set environment variables for vault creation
+	os.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
+	os.Setenv("SB_UNLOCK_PASSPHRASE", "test-passphrase")
+	defer os.Unsetenv("SB_SECRET_MNEMONIC")
+	defer os.Unsetenv("SB_UNLOCK_PASSPHRASE")
+
 	// Create work vault
 	output, err := runSecret("vault", "create", "work")
 	require.NoError(t, err, "vault create should succeed")
@@ -480,9 +491,9 @@ func test03CreateVault(t *testing.T, tempDir string, runSecret func(...string) (
 	secretsDir := filepath.Join(workVaultDir, "secrets.d")
 	verifyFileExists(t, secretsDir)

-	// Verify that work vault does NOT have a long-term key yet (no mnemonic imported)
+	// Verify that work vault has a long-term key (mnemonic was provided)
 	pubKeyFile := filepath.Join(workVaultDir, "pub.age")
-	verifyFileNotExists(t, pubKeyFile)
+	verifyFileExists(t, pubKeyFile)

 	// List vaults to verify both exist
 	output, err = runSecret("vault", "list")